How to set up TPX for Passphrase in an ACF2 Environment
Article ID: 17423

Products

TPX - Session Management

Issue/Introduction

Passphrase activation requires changes in TPX and also in the ESM.

This document covers the steps needed to implement passphrase for TPX in an ACF2 environment.
The steps needed to activate passphrase in ACF2 are not covered here. See ACF2 - Manage Password Phrases

Environment

Release: 5.4

Component: TPX for z/OS

Resolution

NOTE: Turning on passphrase support inside ACF2 or MVS is beyond the scope of this document and is not covered.

TPX Setup of Passphrase in an ACF2 Environment

This document outlines what needs to be done to configure TPX to allow a site to process passphrase signons when running with ACF2 security. Turning on passphrase support in ACF2 or MVS is beyond the scope of this document and is not covered.

After applying the PTFs and APARs for TPX passphrase implementation in an ACF2 environment, a site will need to:

  • Apply passphrase ACF2 APAR RO38461.
  • Update the ACF2 SAMT table with the passphrase messages.
  • Set the SMRT-related parameters to allow passphrase signons.
  • Use panel TEN1003 for passphrase signons.

NOTE: Before making the SMRT changes to implement passphrase, we recommend backing up the production ADMIN1 and ADMIN2 files and/or the SMRT configuration within TPXADMIN.

Passphrase Related TPX 5.4 PTFs

Sites should consider installing all the following passphrase maintenance under TPX 5.4:

  • PTF RO84473 - ACF2PWPH OUT OF SEQUENCE ERROR MSGS
  • PTF RO66029 - PASSPHRASE S0C1 FREESLOT+1B0
  • PTF RO71425 - ONLY USERID AND PASSWORD SENT TO AFFINITY TPX
  • PTF RO72179 - VARIABLE SNVPSWDV NOT WORKING ON TEN0003 PANEL
  • PTF RO72995 - PREVENT S0C4 IN SECVNPW+6E6 R3=0 FROM UIDXPWPH
  • PTFs RO73376, RO73377 and RO73378 - UPPER CASE PSWD IN PWSD PHRASE ENVIRONMENT

Sites using German Panels should also apply:

  • PTF RO88547 - PASSPHRASE LOGON PANEL TGE1003 - GERMAN

ACF2 sites must apply Passphrase ACF2 APAR RO38461

CA ACF2 R15 (Z/OS) and CA ACF2 R14 (Z/OS) sites must apply ACF2 APAR RO38461 before attempting to use the TPX passphrase interface.

Update the ACF2 SAMT Table with Passphrase Messages

ACF2 sites must add new SAMT entries for the ACF2 messages related to passphrases.

Use sample job ACF2PWPH (from the CB0VJCL file) to install ACF2 SAMT entries into the ADMIN1 VSAM file:

 

//INSTPWPH JOB (ACCT-INFO),'INSTALL PANELS',CLASS=A,REGION=0M
//*
//*===================================================================
//*                                                                  =
//*    INSTALL SAMT MSGS NEEDED FOR ACF2 PASSPHRASE SUPPORT          =
//*                                                                  =
//*    THIS JCL IS USED TO INSTALL THE SECURITY ACTION MESSAGES      =
//*    REQUIRED TO SUCCESSFULLY USE PASSPHRASE WITH ACF2.            =
//*                                                                  =
//*===================================================================
//*     BEFORE SUBMITTING:                                           =
//*                                                                  =
//*         1. SUPPLY AN APPROPRIATE JOB CARD FOR THIS JOB.          =
//*         2. MODIFY THE SUBSTITUTION PARMS TO MEET YOUR            =
//*            SITES REQUIREMENTS ON THE "UNLOAD" PROC.              =
//*                                                                  =
//*===================================================================
//*                                                                  =
//UNLOAD   PROC IPREFIX='TPX.TPX54',    HLQ OF DIST LIBRARIES
//             VPREFIX='TPX'            HLQ OF VSAM FILES
//IDCAMS1  EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//AMSDUMP  DD SYSOUT=*
//DATVIN   DD DISP=SHR,DSN=&IPREFIX..CB0VDATV(ACF2PWPH)
//ADM1OUT  DD DISP=SHR,DSN=&VPREFIX..ADMIN1
//         PEND
//XUNLOAD  EXEC UNLOAD
//IDCAMS1.SYSIN DD *
 REPRO INFILE(DATVIN) OUTFILE(ADM1OUT)
/*

 

Here are the new ACF2 SAMT table entries introduced with the passphrase APARs and/or PTFs:

Return Code/                 Cursor      Suppress        Substitute
Message ID      Action     Position     Message         Message IDs
  #0000159         R        SNPSWDV         N
  #0000220         R        SNPSWDV         N
  #0001005         R        SNPSWDV         N
  #0001108         P        SNNPSWDV        N
  #0001142         R        SNPSWDV         N
  #0001044         R        SNPSWDV         N
  #0001163         R        SNPSWDV         N 

 

Here are the new ACF2 Messages which are to be added to the ACF2 SAMT table:

  • ACF00159 NEW PASSWORD MATCHES A PREVIOUS PASSWORD - NONE SET
  • ACF00220 NEW PASSPHRASE ERROR - MATCHES A PREVIOUS PASSPHRASE - NONE SET
  • ACF01005 PASSPHRASE NOT MATCHED
  • ACF01108 PASSPHRASE FOR LOGONID HUSJOC2 HAS EXPIRED
  • ACF01142 NEW PASSWORD IS TOO SIMILAR TO OLD PASSWORD - NONE SET
  • ACF01044 PASSPHRASE NOT SET FOR LOGONID <acid>
  • ACF01163 NEW PASSPHRASE EQUALS OLD - NONE SET


SMRT Related configuration changes for Passphrase signons

  1. Ensure that the size for Slot Pool 5 for above the line storage is set to 208 bytes

    This required change was identified in the TPX 5.4 Release Notes.

    Once the passphrase APARs and/or PTFs have been installed at a site, the default size for slot 5 above the 16M line has been raised from 200 to 208. This needs to be done regardless of whether a site uses passphrases or not. This change accommodates the user control block (UID) increase for maintaining passphrases.



  2. Managing the case of Passwords and Passphrases

    When there is a need to address a mixed environment of upper case passwords and mixed case passphrases (where passwords are automatically set to upper case while passphrases are left in mixed case), then PTFs RO73376, RO73377 and RO73378 UPPER CASE PSWD IN PWSD PHRASE ENVIRONMENT are required.

    These PTFs affect the available fields within the SMRT and will modify how passwords and passphrases are handled by TPX:

    1. Without PTFs RO73376, RO73377 and RO73378 applied:

      Set "Y" in field "Allow Lower Case Pswds:" on the TEN0090 panel.

      Most passphrase sites use mixed case passwords. If your site plans to use mixed case passwords, set "Y" in field "Allow Lower Case Pswds:" on the SMRT TEN0090 panel.

    2. With PTFs RO73376, RO73377 and RO73378 applied:

      After these PTFs have been applied, field "Allow Lower Case Pswds:" will just be for passwords and not passphrases. The default is still "N".

      The new field "Upper Case Pswd Phrases" will be for passphrases only and defaults to "N".



  3. Set "Default LOGO" field to TEN1003

    The Default LOGO field on the SMRT TEN0108 panel is where a site configures the default signon panel to be used by TPX.

    The English TEN0003 signon panel allows a site to verify that a valid userid and password (of up to 8 characters) combination has been entered. TPX also supplies an English TEN1003 signon panel. The TEN1003 panel allows users to sign on with either passwords or passphrases which can be between 9 and 100 characters long.

    Either passphrases or passwords can be entered on the TEN1003 panel. Only passwords can be entered on the TEN0003 panel.

    The TEN1003 panel allows users at a site to verify:

    • A valid userid and passphrase combination has been entered.
    • A valid userid, passphrase and optionally a new passphrase have been entered.
    • A valid userid and password combination has been entered.
    • A valid userid, password and optionally a new password have been entered.

A TPX site administrator should set the Default LOGO parameter to TEN1003 when they need to allow passphrase signon attempts.

A TPX site administrator may customize their local TEN1003 signon panel. Sites should customize the TEN1003 panel in another local library (a non-SMPE TPX library) so that TPX maintenance doesn't accidentally overwrite changes made by the local site. (For example, a site wants to put their company name on their version of the TPX TEN1003 panel.)

Many variables on the TEN1003 panel affect how the panel functions and what is displayed. Passphrase/New Passphrase variables allow 100 byte character fields. Each Phrase field is broken into two 50 byte fields.

The TEN1003 sign-on panel contains five specific signon related variables:

  • SNUSERV - Characters 1 through 8 are for the userid
  • SNPSWDV - When 8 characters or less it is for a password. When there are 9 through 50 characters then it is for the first half of the passphrase
  • SNPSWDV2 - An optional 0 through 50 characters for the second half of the passphrase
  • SNNPSWDV - When 8 characters or less it is for a new password. When there are 9 through 50 characters then it is for the first half of the new passphrase
  • SNNPSWD2 - An optional 0 through 50 characters for the second half of the new passphrase

Sites must be careful when modifying fields on the TEN1003 panel. Variables for the passphrase fields can contain up to 50 characters. Whenever the SNPSWDV or SNNPSWDV field is entered with fewer than nine characters, the user gets a traditional password signon attempt. A passphrase signon attempt occurs when the passphrase entered is between 9 and 100 characters long.
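The length and case rules described above, modelled as an added Python example (not TPX code and not part of the original article). The function names, dictionary keys and flag parameters are hypothetical; the two flags stand in for the SMRT fields "Allow Lower Case Pswds" and "Upper Case Pswd Phrases" as described for sites with PTFs RO73376, RO73377 and RO73378 applied.

```python
# Added illustration: a model of the TEN1003 rules described in this article.
# It is not TPX code; all names below are hypothetical.

FIELD_MAX = 50      # each phrase field on TEN1003 holds up to 50 characters
PASSWORD_MAX = 8    # 8 characters or less in the first field = password


def classify_signon(snpswdv, snpswdv2="", allow_lower_pswds="N",
                    upper_case_phrases="N"):
    """Classify what was typed into SNPSWDV/SNPSWDV2 (or SNNPSWDV/SNNPSWD2).

    Both flags default to "N", as the article states for the SMRT fields.
    """
    if not snpswdv:
        raise ValueError("first field is empty")
    if len(snpswdv) > FIELD_MAX or len(snpswdv2) > FIELD_MAX:
        raise ValueError("a panel field holds at most 50 characters")

    if len(snpswdv) <= PASSWORD_MAX:
        # Fewer than nine characters in the first field: password attempt,
        # upper-cased unless lower case passwords are allowed.
        value = snpswdv if allow_lower_pswds == "Y" else snpswdv.upper()
        # second_field_filled lets a caller spot a user who typed a short
        # first field and then continued in the second one.
        return {"kind": "password", "value": value,
                "second_field_filled": bool(snpswdv2)}

    # 9 through 50 characters: first half of a passphrase; the second half
    # is optional. Mixed case is kept unless the upper-case flag is "Y".
    phrase = snpswdv + snpswdv2
    if upper_case_phrases == "Y":
        phrase = phrase.upper()
    return {"kind": "passphrase", "value": phrase,
            "second_field_filled": bool(snpswdv2)}


def split_for_panel(phrase):
    """Split a 9 to 100 character passphrase into the two 50-byte fields."""
    if not 9 <= len(phrase) <= 2 * FIELD_MAX:
        raise ValueError("passphrases are 9 to 100 characters long")
    return phrase[:FIELD_MAX], phrase[FIELD_MAX:]


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    print(classify_signon("secret1"))
    print(classify_signon("Correct Horse", " battery staple"))
    print(split_for_panel("x" * 60))
```
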

A sample TEN1003 signon panel:

 

 

Additional Information

For more information on the TEN0003 and TEN1003 signon Panels, see the Password Verification section.