As part of the migration towards pass phrases instead of passwords, some users have been setup to have the ability to use both while testing on the systems. There was an issue with users who have both and one expires and exceeds the INACTIVE(5) value. The problem is if the expire dates are different for password and Phrase. For example, the user has both defined with the PSWDPHR Attribute. The expire dates are different between the two. If one expires and exceeds the INACTIVE time the next time they attempt a logon using the expired password or pass phrase they are suspended even if the other method (password or pass phrase) has not expired. If the user is mainly using their password instead of pass phrase (or vice versa), the user will see the warnings about the password due to expire but will not be warned about the pass phrase impending expiration. If the Pass Phrase expires and the user continues to use the password, the user is not "inactive", but if the user attempts to logon using the expired pass phrase, the ACID is suspended even if earlier in the day the user had logged on with the password.
So it is necessary to instruct Admins to remove the suspend and replace the expired pass phrase and instruct the user to change both in order to sync the expire dates, and going forward to always change both if prompted that either one is about to expire.
If after committing to pass phrases, to avoid confusing users that Admins when adding a pass phrase remove the users password to avoid requiring the user to maintain both. What syntax would remove the password? TSS REM(acid) PASSWORD ?
Release : 16.0
Component : CA Top Secret for z/OS
The ability to stop using passwords can be done at the user level, the facility level, or globally as follows:
User level – add the PHRASEONLY attribute to the acid via TSS ADD(acid) PHRASEONLY
Facility level – the PHRASEONLY facility control option: TSS MODIFY FAC(facname=PHRASEONLY) to set this dynamically and, to make the change permanent, add FAC(facname=PHRASEONLY) to the Top Secret parameter file. (To deactivate this, use FAC(facname=NOPHRASEONLY)
Globally - control option PHRASEONLY(ON). (To deactivate this, use TSS MODIFY PHRASEONLY(OFF), and, to make the change permanent, add PHRASEONLY(OFF) to the Top Secret parameter file.)