Implement AES 256 password encryption and ONEPWALG in ACF2
Article ID: 145633

Products

ACF2
ACF2 - z/OS
ACF2 - MISC

Issue/Introduction

The current ACF2 GSO PSWD record is set to "ONEPWALG = NO" and "PSWDENCT = AES1". What is the best order for changing this to AES 256 encryption and enabling ONEPWALG?

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

If you are on a system that does not share the ACF2 databases, the order is not critical. The PSWD record can be changed to ONEPWALG and AES2 in any order at any time with no implications. Changing back to AES1 will have no effect either.

On a shared database system, ONEPWALG should not be used until all systems are converted to the same PSWDENCT value in the PSWD record. The ACF2 documentation has this:

Note:
By default, CA ACF2 encrypts a password/password phrase with the current setting in PSWDENCT and the weaker algorithms. This encryption gives you time to convert all systems in a shared environment to the same algorithm. Doing so does not offer the full benefit of converting to an AES algorithm because the XDES password/password phrase is still saved.

When converting to AES256 encryption in a shared database environment, if only one LPAR has AES256 specified as the encryption algorithm, then all password changes should be made on the LPAR with AES256. If users change their passwords on an LPAR with a lower encryption method such as AES128 or XDES, the password(s) with a higher level of encryption and their TOD fields stored in the database will be zeroed out and only the AES128 or XDES password and TOD field will be updated. This will have varied results when implementing the AES256 encryption. We recommend either making all LPARs use AES256 encryption with NOONEPWALG, or ensuring users only change their passwords on the LPAR where the AES256 testing is taking place.
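The conversion order described above, written out as the ACF commands a shared-database site would issue (an added example, not from the article or the ACF2 documentation; lines starting with `*` are annotations rather than command input, and the REFRESH step is assumed to be run from the operator console on each LPAR):

```text
* Step 1 - on EVERY LPAR that shares the ACF2 databases: raise the
*          algorithm but keep NOONEPWALG, so the weaker (AES1/XDES)
*          copy is still written and LPARs not yet converted can
*          still validate logons.
SET CONTROL(GSO)
CHANGE PSWD PSWDENCT(AES2) NOONEPWALG
LIST PSWD
* operator console on the same LPAR: make the changed record active
F ACF2,REFRESH(PSWD)

* Step 2 - only after LIST PSWD shows PSWDENCT(AES2) on ALL LPARs,
*          and users have been changing passwords on an AES2 LPAR
*          (a change on an AES1/XDES LPAR zeroes the AES2 copy):
*          stop storing the weaker copy.
SET CONTROL(GSO)
CHANGE PSWD ONEPWALG
F ACF2,REFRESH(PSWD)
```

Doing step 2 before every LPAR has completed step 1 leaves LPARs that cannot validate the AES2-only passwords, which is the "varied results" the documentation warns about.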

Additional Information

Warning:
Due to the required number of hashing iterations with AES 256 encryption, there is a noticeable increase in CPU consumption during System Entry Validation (LOGON), Password Verification, and Password/Pass Phrase changes. CP Assist for Cryptographic Functions (CPACF) is a set of cryptographic instructions providing improved performance. If available, CA ACF2 utilizes these instructions during AES 256 encryption processing.


PTF SI00732 has been published identifying this warning and will be kept current.

The following performance PTFs should be applied:
SO07365 - For CICS
SO01559 - For base ACF2
SO01560 - For base ACF2
SO01064 - For base ACF2

Also, a PTF for a bug:
RO95192 - MINDAYS not enforced with AES2


The ACF2 documentation has this section on converting to AES 256:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-mainframe-software/security/ca-acf2-for-z-os/16-0/administrating/implement-aes-256-encryption.html