How to set up TPX for Password Phrase in a RACF Environment
Article ID: 17459
Products
TPX - Session Management
Issue/Introduction
TPX support for Password Phrase in a RACF Environment.
Environment
Release: 5.4 Component: TPX for Z/OS
Resolution
NOTE: Turning on password phrase support in RACF or MVS is beyond the scope of this document and is not covered.
TPX Setup of Password Phrase in a RACF Environment
This document outlines what needs to be done to configure TPX so that a site can process Password Phrase signons when running with RACF security.
After applying the PTFs and APARs for the TPX Password Phrase implementation in a RACF environment, a site will need to:
Set SMRT related parameters to allow Password Phrase signons.
Use panel TEN1003 for Password Phrase signons.
NOTE: Before making the SMRT changes to implement Password Phrase, we recommend backing up the production ADMIN1 and ADMIN2 files and/or the SMRT configuration within TPXADMIN.
Password Phrase Related TPX 5.4 PTFs
Sites should consider installing all the following Password Phrase maintenance under TPX 5.4:
PTF RO88547 - PASSWORD PHRASE LOGON PANEL TGE1003 - GERMAN
SMRT Related configuration changes for Password Phrase Signons
RACF sites MUST configure TPX to use SAF security, not RACF.
Set Parameter "Security System:" to "SAF" (SMRT option 9) in the TEN0090 panel:
Note that SAMT must match with Security System.
After changing the "Security System", TPX must be restarted to pick up the new configuration.
Ensure that the size for Slot Pool 5 for above the line storage is set to 208 bytes
This required change was identified in the TPX 5.4 Release Notes.
Once the Password Phrase APARs and/or PTFs have been installed at a site, verify that the default size for slot 5 above the 16M line (SMRT option 3) is set to 208 and not 200. This needs to be done regardless of whether a site uses Password Phrases. This change accommodates the increase in the user control block (UID) needed to maintain password phrases.
Managing the case of Passwords and Password Phrases
When a site has a mixed environment of upper case passwords and mixed case password phrases (where passwords are automatically set to upper case while password phrases are left in mixed case), PTFs RO73376, RO73377 and RO73378 UPPER CASE PSWD IN PWSD PHRASE ENVIRONMENT are required.
These PTFs affect the available fields within the SMRT and will modify how passwords and password phrases are handled by TPX:
Without PTFs RO73376, RO73377 and RO73378 applied:
Set "Y" in field "Allow Lower Case Pswds:" on the TEN0090 panel.
Most Password Phrase sites use mixed case passwords. If your site plans to use mixed case passwords, set "Y" in field "Allow Lower Case Pswds:" on the SMRT (TEN0090 panel):
With PTFs RO73376, RO73377 and RO73378 applied:
After these PTFs have been applied, field "Allow Lower Case Pswds:" applies only to passwords and not to password phrases. The default is still "N".
The new field "Upper Case Pswd Phrases" applies to password phrases only and defaults to "N".
Set "Default LOGO" field to TEN1003
The Default LOGO field on the SMRT TEN0108 panel is where a site configures the default signon panel to be used by TPX.
The English TEN0003 signon panel allows a site to verify that a valid userid and password (of up to 8 characters) combination has been entered. TPX also supplies an English TEN1003 signon panel. The TEN1003 panel allows users to sign on with either passwords or password phrases which can be between 9 and 100 characters long.
Either Password Phrases or Passwords can be entered on the TEN1003 panel. Only Passwords are entered on the TEN0003 panel.
The TEN1003 panel allows users at a site to verify:
A valid userid and password phrase combination has been entered.
A valid userid, password phrase and optionally a new password phrase have been entered.
A valid userid and password combination has been entered.
A valid userid, password and optionally a new password have been entered.
In the SMRT option 8 "Operational Parameters", a TPX site administrator should set the Default LOGO parameter to TEN1003 when they need to allow password phrase signon attempts:
A TPX site administrator may customize their local TEN1003 Signon Panel. Sites should customize the TEN1003 panel in another local library (non-SMPE TPX library) so that TPX maintenance doesn't accidentally overwrite changes made by the local site. (For example, if a site wants to put their company name on their version of the TPX TEN1003 panel.)
Many variables on the TEN1003 panel affect how the panel functions and what is displayed. Password Phrase/New Password Phrase variables allow 100 byte character fields. Each Phrase field is broken into two 50 byte fields.
The TEN1003 sign-on panel contains five specific signon related variables:
SNUSERV - Characters 1 through 8 are for the userid
SNPSWDV - When 8 characters or less it is for a password. When there are 9 through 50 characters then it is for the first half of the Password Phrase
SNPSWDV2 - An optional 0 through 50 characters for the second half of the Password Phrase
SNNPSWDV - When 8 characters or less it is for a new password. When there are 9 through 50 characters then it is for the first half of the new Password Phrase
SNNPSWD2 - An optional 0 through 50 characters for the second half of the new Password Phrase
Sites must be careful when modifying fields on the TEN1003 panel. Variables having to do with password phrase fields can contain up to 50 characters. Any time either the SNPSWDV or SNNPSWDV field is entered with fewer than nine characters, the user makes a traditional password signon attempt. A Password Phrase signon attempt occurs when the password phrase is entered with a length between 9 and 100 characters.
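The password-versus-phrase decision made from the SNPSWDV fields, together with the case handling under the two SMRT fields described earlier, modelled in Python as an added example (not TPX code). It assumes PTFs RO73376, RO73377 and RO73378 are applied and that the two halves are joined as typed; `SmrtCase` and `classify_signon` are hypothetical names and the sample entries are constructed.

```python
from dataclasses import dataclass

PASSWORD_MAX = 8   # SNPSWDV of 8 characters or less is a password
HALF_MAX = 50      # each half of a phrase is a 50-byte panel field


@dataclass(frozen=True)
class SmrtCase:
    """The two SMRT case fields present once the upper-case PTFs are applied."""
    allow_lower_case_pswds: bool = False    # "Allow Lower Case Pswds:", default N
    upper_case_pswd_phrases: bool = False   # "Upper Case Pswd Phrases", default N


def classify_signon(snpswdv, snpswdv2="", smrt=SmrtCase()):
    """Return (kind, credential, warnings) for one TEN1003 signon entry."""
    if len(snpswdv) > HALF_MAX or len(snpswdv2) > HALF_MAX:
        raise ValueError("each panel field holds at most 50 characters")
    warnings = []
    if len(snpswdv) <= PASSWORD_MAX:
        # Fewer than nine characters in the first field: password attempt.
        if snpswdv2:
            warnings.append("second-half field filled, but the first field has "
                            "fewer than 9 characters: password signon attempt")
        cred = snpswdv if smrt.allow_lower_case_pswds else snpswdv.upper()
        return "password", cred, warnings
    # Assumption: the halves are joined as typed; the article does not say
    # how TPX pads or joins them.
    phrase = snpswdv + snpswdv2
    if smrt.upper_case_pswd_phrases:
        # Assumption from the field name: "Y" folds phrases to upper case.
        phrase = phrase.upper()
    return "password phrase", phrase, warnings


if __name__ == "__main__":
    # Constructed sample entries, not real credentials.
    samples = [("Winter24",), ("Nine char",), ("my cat", " likes tuna at dawn")]
    for fields in samples:
        kind, cred, notes = classify_signon(*fields)
        print(f"{fields!r}: {kind}, length {len(cred)}, {notes or 'no warnings'}")
```

The third sample shows the failure mode a customized panel can introduce: a phrase whose first field holds fewer than nine characters is handled as a password attempt.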
A sample TEN1003 signon panel:
Additional Information:
For more information on the TEN0003 and TEN1003 signon panels, see the Password Verification section in the TPX Session Manager 5.4 documentation.