How to setup TPX for Passphrase in a RACF Environment
search cancel

How to setup TPX for Passphrase in a RACF Environment

book

Article ID: 17459

calendar_today

Updated On:

Products

TPX - Session Management

Issue/Introduction

TPX support for Passphrase in a RACF Environment.

 

 

 

Environment

Release: 5.4
Component: TPX for Z/OS

Resolution

NOTE: Turning on passphrase support in RACF or MVS is beyond the scope of this document and is not covered.

TPX Setup of Passphrase in a RACF Environment

This document outlines what needs to be done to configure TPX to allow a site to process passphrase signons when running with RACF security.
Turning on passphrase support inside RACF or MVS is beyond the scope of this document and is not covered.

After applying PTFs and APARs for TPX passphrase implementation in an RACF environment a site will need to:

  • Set SMRT related parameters for allow passphrase signons.
  • Use panel TEN1003 for passphrase signons.

    NOTE: Before making the SMRT changes to implement passphrase, we recommend backing up the production ADMIN1 and ADMIN2 files and/or the SMRT configuration within TPXADMIN.

Passphrase Related TPX 5.4 PTFs

Sites should consider installing all the following passphrase maintenance under TPX 5.4:

  • PTF RO84473 - ACF2PWPH OUT OF SEQUENCE ERROR MSGS
  • PTF RO66029 - PASSPHRASE S0C1 FREESLOT+1B0
  • PTF RO71425 - ONLY USERID AND PASSWORD SENT TO AFFINITY TPX
  • PTF RO72179 - VARIABLE SNVPSWDV NOT WORKING ON TEN0003 PANEL
  • PTF RO72995 - PREVENT S0C4 IN SECVNPW+6E6 R3=0 FROM UIDXPWPH
  • PTFs RO73376, RO73377 and RO73378 - UPPER CASE PSWD IN PWSD PHRASE ENVIRONMENT

    Sites using German Panels should also apply:
  • PTF RO88547 - PASSPHRASE LOGON PANEL TGE1003 - GERMAN


SMRT Related configuration changes for passphrase Signons

  1. RACF sites MUST configure TPX to use the SAF security, not RACF.

    Set Parameter "Security System:" to "SAF" (SMRT option 9) in the TEN0090 panel:

    • Note that SAMT must match with Security System.
    • After changing the "Security System", TPX must be restarted to pick up the new configuration.


  2. Ensure that the size for Slot Pool 5 for above the line storage is set to 208 bytes

    This required change was identified in the TPX 5.4 Release Notes.

    Once the passphrase APARs and or PTFs has been installed at a site
    - verify that default size for slot 5 above the 16M line (SMRT option 3) is set to 208 and not 200.

    This needs to be done regardless whether a site utilizes passphrases or not.
    This change accommodates the user control block (UID) increase for maintaining passphrases.



  3. Managing the case of Passwords and Passphrases

     When there is a need to address a mixed environment of upper case passwords and mixed case passphrases
    (where passwords are automatically set to upper case while passphrases are left in mixed case),
    then;
    PTFs RO73376, RO73377 and RO73378 UPPER CASE PSWD IN PWSD PHRASE ENVIRONMENT are required.

    These PTFs affect the available fields within the SMRT and will modify how passwords and passphrases are handled by TPX:

    1. Without PTFs RO73376, RO73377 and RO73378 applied:

      Set "Y" in field "Allow Lower Case Pswds:" on the TEN0090 panel.

      Most passphrase sites use mixed case passwords.
      If your site plans to use mixed case passwords then set "Y" in field "Allow Lower Case Pswds:" on the SMRT (TEN0090 panel:



    2. With PTFs RO73376, RO73377 and RO73378 applied:

      After these PTFs have been applied, field "Allow Lower Case Pswds:" will just be for passwords and not passphrases. The default is still "N".

      New Field "Upper Case Pswd Phrases" will be for passphrases only and defaults to "N".


  4. Set "Default LOGO" field to TEN1003

    The Default LOGO field on the SMRT TEN0108 panel is where a site configures the default signon panel to be used by TPX.

    The English TEN0003 signon panel allows a site to verify that a valid userid and password (of up to 8 characters) combination has been entered.
    TPX also supplies an English TEN1003 signon panel.
    The TEN1003 panel allows users to sign on with either passwords or passphrases which can be between 9 and 100 characters long.

    Either Passphrases or Passwords can be entered on the TEN1003 panel. Only Passwords are entered on the TEN0003 panel.

    The TEN1003 panel allows users at a site to verify:

    • A valid userid and passphrase combination has been entered.
    • A valid userid, passphrase and optionally a new passphrase has been entered.
    • A valid userid and password combination has been entered.
    • A valid userid, password and optionally a new password has been entered.

In the SMRT option 8 "Operational Parameters", a TPX site administrator should set the Default LOGO parameter to TEN1003 when they need to allow passphrase signon attempts:

A TPX site administrator may customize their local TEN1003 Signon Panel.
Sites should customize the TEN1003 panel in another local library (non-SMPE TPX library) so that TPX maintenance doesn't accidentally
overwrite changes made by the local site.
(For example, if a site wants to put their company name on their version of the TPX TEN1003 panel.)

Many variables on the TEN1003 panel affect how the panel functions and what is displayed.
Passphrase/New passphrase variables allow 100 byte character fields.
Each Phrase field is broken into two 50 byte fields.

The TEN1003 sign-on panel contains five specific signon related variables:

  • SNUSERV - Characters 1 through eight is for the userid
  • SNPSWDV - When 8 characters or less it is for a password. When there are 9 through 50 characters then it is for the first half of the passphrase
  • SNPSWDV2 - An optional 0 through 50 characters for the second half of the passphrase
  • SNNPSWDV - When 8 characters or less it is for a new password. When there are 9 through 50 characters then it is for the first half of the new passphrase
  • SNNPSWD2 - An optional 0 through 50 characters for the second half of the new passphrase


The sites must be careful when modifying fields on the TEN1003 panel.
Variables having to do with passphrase fields can contain up to 50 characters.
Any time either the SNPSWDV or SNNPSWDV fields are entered with less than nine characters will cause the user
   to have a traditional password signon attempt.
A passphrases signon attempt occurs when the passphrase is entered with a length between 9 and 100 characters in length.

A sample TEN1003 signon panel:


Additional Information:

For more information on the TEN0003 and TEN1003 signon Panels,
see the Password Verification section in the TPX Session Manager 5.4 documentation.




Powered by Wolken Software