How to setup TPX for Password Phrase ( passphrase ) in an ACF2 Environment ?
search cancel

How to setup TPX for Password Phrase ( passphrase ) in an ACF2 Environment ?

book

Article ID: 17423

calendar_today

Updated On:

Products

TPX - Session Management

Issue/Introduction

Passphrase activation requires changes in TPX and also in the ESM.

This document covers steps needed to implement passphrase for TPX, in an ACF2 Environment.
Steps needed to activate passphrase in ACF2 is not covered here. See ACF2 - Manage Password Phrases

Environment

Release: 5.4

Component TPX for Z/Os

Resolution

NOTE: Turning on Password Phrase support inside ACF2 or MVS is beyond the scope of this document and is not covered.

TPX Setup of Password Phrase in an ACF2 Environment

This document outlines what needs to be done to configure TPX, to allow a site to process Password Phrase signons when running with ACF2 security. Turning on Password Phrase support in ACF2 or MVS is beyond the scope of this document and is not covered.

After applying PTFs and APARs for TPX Password Phrase implementation in an ACF2 environment a site will need to:

  • Apply Password Phrase ACF2 APAR RO38461
  • Update the ACF2 SAMT Table with Password Phrase Messages
  • SMRT related parameters for allow Password Phrase signons.
  • Use panel TEN1003 for Password Phrase signons.

NOTE: Before making the SMRT changes to implement Password Phrase, we recommend backing up the production ADMIN1 and ADMIN2 files and/or the SMRT configuration within TPXADMIN.

Password Phrase Related TPX 5.4 PTFs

Sites should consider installing all the following Password Phrase maintenance under TPX 5.4:

  • PTF RO84473 - ACF2PWPH OUT OF SEQUENCE ERROR MSGS
  • PTF RO66029 - PASSWORD PHRASE S0C1 FREESLOT+1B0
  • PTF RO71425 - ONLY USERID AND PASSWORD SENT TO AFFINITY TPX
  • PTF RO72179 - VARIABLE SNVPSWDV NOT WORKING ON TEN0003 PANEL
  • PTF RO72995 - PREVENT S0C4 IN SECVNPW+6E6 R3=0 FROM UIDXPWPH
  • PTFs RO73376, RO73377 and RO73378 - UPPER CASE PSWD IN PWSD PHRASE ENVIRONMENT

Sites using German Panels should also apply:

  • PTF RO88547 - PASSWORD PHRASE LOGON PANEL TGE1003 - GERMAN

ACF2 sites must apply Password Phrase ACF2 APAR RO38461

CA ACF2 R15 (Z/OS) and CA ACF2 R14 (Z/OS) sites must apply ACF2 APAR RO38461 before attempting to use the TPX Password Phrase interface.

Update the ACF2 SAMT Table with Password Phrase Messages

ACF2 sites have to add the new SAMT messages for ACF2 messages related to Password Phrases.

Use sample job ACF2PWPH (from the CB0VJCL file) to install ACF2 SAMT entries into the ADMIN1 VSAM file:

 

//INSTPWPH JOB (ACCT-INFO),'INSTALL PANELS',CLASS=A,REGION=0M
//*
//*===================================================================
//*                                                                  =
//*    INSTALL SAMT MSGS NEEDED FOR ACF2 PASSWORD PHRASE SUPPORT     =
//*                                                                  =
//*    THIS JCL IS USED TO INSTALL THE SECURITY ACTION MESSAGES      =
//*    REQUIRED TO SUCCESSFULY USE PASSWORD PHRASES WITH ACF2.       =
//*                                                                  =
//*===================================================================
//*     BEFORE SUBMITTING:                                           =
//*                                                                  =
//*         1. SUPPLY AN APPROPRIATE JOB CARD FOR THIS JOB.          =
//*         2. MODIFY THE SUBSTITUTION PARMS TO MEET YOUR            =
//*            SITES REQUIREMENTS ON THE "UNLOAD" PROC.              =
//*                                                                  =
//*===================================================================
//*                                                                  =
//UNLOAD   PROC IPREFIX='TPX.TPX54',    HLQ OF DIST LIBRARIES
//             VPREFIX='TPX'            HLQ OF VSAM FILES
//IDCAMS1  EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//AMSDUMP  DD SYSOUT=*
//DATVIN   DD DISP=SHR,DSN=&IPREFIX..CB0VDATV(ACF2PWPH)
//ADM1OUT DD DISP=SHR,DSN=&VPREFIX...ADMIN1
//         PEND
//XUNLOAD  EXEC UNLOAD
//IDCAMS.SYSIN  DD *
 REPRO INFILE(DATVIN) OUTFILE(ADM1OUT)
/*

 

Here are the new ACF2 SAMT table entries introduced with the Password Phrase APARs and/or PTFs:

Return Code/ Cursor Suppress Substitute

Message ID Action Position Message Message IDs

 

Return Code/                 Cursor      Suppress        Substitute
Message ID      Action     Position     Message         Message IDs
  #0000159         R        SNPSWDV         N
  #0000220         R        SNPSWDV         N
  #0001005         R        SNPSWDV         N
  #0001108         P        SNNPSWDV        N
  #0001142         R        SNPSWDV         N
  #0001044         R        SNPSWDV         N
  #0001163         R        SNPSWDV         N 

 

Here are the new ACF2 Messages which are to be added to the ACF2 SAMT table:

  • ACF00159 NEW PASSWORD MATCHES A PREVIOUS PASSWORD - NONE SET
  • ACF00220 NEW PASSWORD PHRASE ERROR - MATCHES A PREVIOUS PASSWORD PHRASE - NONE SET
  • ACF01005 PASSWORD PHRASE NOT MATCHED
  • ACF01108 PASSWORD PHRASE FOR LOGONID HUSJOC2 HAS EXPIRED
  • ACF01142 NEW PASSWORD IS TOO SIMILAR TO OLD PASSWORD - NONE SET
  • ACF01044 PASSWORD PHRASE NOT SET FOR LOGONID <acid>
  • ACF01163 NEW PASSWORD PHRASE EQUALS OLD - NONE SET


SMRT Related configuration changes for Password Phrase signons

  1. Ensure that the size for Slot Pool 5 for above the line storage is set to 208 bytes

    This required change was identified in the TPX 5.4 Release Notes.

    Once the Password Phrase APARs and or PTFs has been installed at a site then the default size for slot 5 above the 16M line has been raised from 200 to 208. This needs to be done regardless whether a site utilizes Password Phrases or not. This change accommodates the user control block (UID) increase for maintaining password phrases.

    <Please see attached file for image>

    Figure 1

  2. Managing the case of Passwords and Password Phrases

    When there is a need to address a mixed environment of upper case passwords and mixed case password phrases (where passwords are automatically set to upper case while password phrases are left in mixed case), then PTFs RO73376, RO73377 and RO73378 UPPER CASE PSWD IN PWSD PHRASE ENVIRONMENT are required.

    These PTFs affect the available fields within the SMRT and will modify how passwords and password phrases are handled by TPX:

    1. Without PTFs RO73376, RO73377 and RO73378 applied:

      Set "Y" in field "Allow Lower Case Pswds:" on the TEN0090 panel.

      Most Password Phrase sites use mixed case passwords. If your site plans to use mixed case passwords then set "Y" in field "Allow Lower Case Pswds:" on the SMRT TEN0090 panel:

      <Please see attached file for image>

      Figure 2
    2. With PTFs RO73376, RO73377 and RO73378 applied:

      After these PTFs have been applied, field "Allow Lower Case Pswds:" will just be for passwords and not password phrases. The default is still "N".

      New Field "Upper Case Pswd Phrases" will be for password phrases only and defaults to "N".

      <Please see attached file for image>

      Figure 3

  3. Set "Default LOGO" field to TEN1003

    The Default LOGO field on the SMRT TEN0108 panel is where a site configures the default signon panel to be used by TPX.

    The English TEN0003 signon panel allows a site to verify that a valid userid and password (of up to 8 characters) combination has been entered. TPX also supplies an English TEN1003 signon panel. The TEN1003 panel allows users to sign on with either passwords or password phrases which can be between 9 and 100 characters long.

    Either Password Phrases or Passwords can be entered on the TEN1003 panel. Only Passwords are entered on the TEN0003 panel.

    The TEN1003 panel allows users at a site to verify:

    • A valid userid and password phrase combination has been entered.
    • A valid userid, password phrase and optionally a new password phrase has been entered.
    • A valid userid and password combination has been entered.
    • A valid userid, password and optionally a new password has been entered.

A TPX site administrator should set the Default LOGO parameter to TEN1003 when they need to allow password phrase signon attempts:

<Please see attached file for image>

Figure 4

A TPX site administrator may customize their local TEN1003 Signon Panel. Sites should customize the TEN1003 panel in another local library (non-SMPE TPX library) so that TPX maintenance doesn't accidently overwrite changes made by the local site. (For example, a site wants to put their company name on their version of the TPX TEN1003 panel.)

Many variables on the TEN1003 panel affect how the panel functions and what is displayed. Password Phrase/New Password Phrase variables allow 100 byte character fields. Each Phrase field is broken into two 50 byte fields.

The TEN1003 sign-on panel contains five specific signon related variables:

  • SNUSERV - Characters 1 through eight is for the userid
  • SNPSWDV - When 8 characters or less it is for a password. When there are 9 through 50 characters then it is for the first half of the Password Phrase
  • SNPSWDV2 - An optional 0 through 50 characters for the second half of the Password Phrase
  • SNNPSWDV - When 8 characters or less it is for a new password. When there are 9 through 50 characters then it is for the first half of the new Password Phrase
  • SNNPSWD2 - An optional 0 through 50 characters for the second half of the new Password Phrase

The sites must be careful when modifying fields on the TEN1003 panel. Variables having to do with password phrase fields can contain up to 50 characters. Any time either the SNPSWDV or SNNPSWDV fields are entered with less than nine characters causes the user to have a traditional password signon attempt. A Password Phrases signon attempt occurs when the password phrase is entered with a length between 9 and 100 characters in length.

A sample TEN1003 signon panel:

<Please see attached file for image>

Figure 5

 

Additional Information

For more information on the TEN0003 and TEN1003 signon Panels, see the Password Verification section in Programming Guide: TPX Programming/Modifying panels/Password Verification.

Attachments

1558709288379000017423_sktwi1f5rjvs16rfa.gif get_app
1558709286568000017423_sktwi1f5rjvs16rf9.gif get_app
1558709284523000017423_sktwi1f5rjvs16rf8.gif get_app
1558709282586000017423_sktwi1f5rjvs16rf7.gif get_app
1558709280699000017423_sktwi1f5rjvs16rf6.gif get_app