How to setup TPX for Password Phrase in a RACF Environment

Article ID: 17459


Updated On:

Products

TPX - Session Management

Issue/Introduction

TPX support for Password Phrase in a RACF Environment.

Environment

Release: 5.4
Component: TPX for Z/OS

Resolution

NOTE: Turning on password phrase support in RACF or MVS is beyond the scope of this document and is not covered.

TPX Setup of Password Phrase in a RACF Environment

This document outlines what needs to be done to configure TPX to allow a site to process Password Phrase signons when running with RACF security.

After applying the PTFs and APARs for the TPX Password Phrase implementation in a RACF environment, a site will need to:

  • Set the SMRT-related parameters to allow Password Phrase signons.
  • Use panel TEN1003 for Password Phrase signons.

    NOTE: Before making the SMRT changes to implement Password Phrase, we recommend backing up the production ADMIN1 and ADMIN2 files and/or the SMRT configuration within TPXADMIN.

Password Phrase Related TPX 5.4 PTFs

Sites should consider installing all the following Password Phrase maintenance under TPX 5.4:

  • PTF RO84473 - ACF2PWPH OUT OF SEQUENCE ERROR MSGS
  • PTF RO66029 - PASSWORD PHRASE S0C1 FREESLOT+1B0
  • PTF RO71425 - ONLY USERID AND PASSWORD SENT TO AFFINITY TPX
  • PTF RO72179 - VARIABLE SNVPSWDV NOT WORKING ON TEN0003 PANEL
  • PTF RO72995 - PREVENT S0C4 IN SECVNPW+6E6 R3=0 FROM UIDXPWPH
  • PTFs RO73376, RO73377 and RO73378 - UPPER CASE PSWD IN PWSD PHRASE ENVIRONMENT

Sites using German Panels should also apply:

  • PTF RO88547 - PASSWORD PHRASE LOGON PANEL TGE1003 - GERMAN


SMRT Related configuration changes for Password Phrase Signons

  1. RACF sites MUST configure TPX to use the SAF security, not RACF.

    Set the parameter "Security System:" to "SAF" (SMRT option 9) in the TEN0090 panel.

    • Note that SAMT must match the Security System setting.
    • After changing the "Security System", TPX must be restarted to pick up the new configuration.


  2. Ensure that the size for Slot Pool 5 for above-the-line storage is set to 208 bytes.

    This required change was identified in the TPX 5.4 Release Notes.

    Once the Password Phrase APARs and/or PTFs have been installed at a site,
    verify that the default size for slot 5 above the 16M line (SMRT option 3) is set to 208 and not 200.

    This needs to be done regardless of whether a site utilizes Password Phrases or not.

    This change accommodates the user control block (UID) increase for maintaining password phrases.



  3. Managing the case of Passwords and Password Phrases

    When a site needs to support a mixed environment of upper case passwords and mixed case password phrases
    (where passwords are automatically set to upper case while password phrases are left in mixed case),
    PTFs RO73376, RO73377 and RO73378 (UPPER CASE PSWD IN PWSD PHRASE ENVIRONMENT) are required.

    These PTFs affect the available fields within the SMRT and will modify how passwords and password phrases are handled by TPX:

    1. Without PTFs RO73376, RO73377 and RO73378 applied:

      Set "Y" in field "Allow Lower Case Pswds:" on the TEN0090 panel.

      Most Password Phrase sites use mixed case passwords.
      If your site plans to use mixed case passwords, then set "Y" in field "Allow Lower Case Pswds:" on the SMRT (TEN0090 panel).



    2. With PTFs RO73376, RO73377 and RO73378 applied:

      After these PTFs have been applied, field "Allow Lower Case Pswds:" applies only to passwords and not to password phrases. The default is still "N".

      New Field "Upper Case Pswd Phrases" will be for password phrases only and defaults to "N".


  4. Set "Default LOGO" field to TEN1003

    The Default LOGO field on the SMRT TEN0108 panel is where a site configures the default signon panel to be used by TPX.

    The English TEN0003 signon panel allows a site to verify that a valid userid and password (of up to 8 characters) combination has been entered.
    TPX also supplies an English TEN1003 signon panel.
    The TEN1003 panel allows users to sign on with either passwords or password phrases which can be between 9 and 100 characters long.

    Either Password Phrases or Passwords can be entered on the TEN1003 panel. Only Passwords are entered on the TEN0003 panel.

    The TEN1003 panel allows users at a site to verify:

    • A valid userid and password phrase combination has been entered.
    • A valid userid, password phrase and optionally a new password phrase have been entered.
    • A valid userid and password combination has been entered.
    • A valid userid, password and optionally a new password have been entered.

In SMRT option 8, "Operational Parameters", a TPX site administrator should set the Default LOGO parameter to TEN1003 when the site needs to allow password phrase signon attempts.

A TPX site administrator may customize their local TEN1003 Signon Panel.
Sites should customize the TEN1003 panel in another local library (non-SMPE TPX library) so that TPX maintenance doesn't accidentally overwrite changes made by the local site.
(For example, if a site wants to put their company name on their version of the TPX TEN1003 panel.)

Many variables on the TEN1003 panel affect how the panel functions and what is displayed.
Password Phrase/New Password Phrase variables allow 100 byte character fields.
Each Phrase field is broken into two 50 byte fields.

The TEN1003 sign-on panel contains five specific signon related variables:

  • SNUSERV - Characters 1 through 8 are for the userid
  • SNPSWDV - When 8 characters or less it is for a password. When there are 9 through 50 characters then it is for the first half of the Password Phrase
  • SNPSWDV2 - An optional 0 through 50 characters for the second half of the Password Phrase
  • SNNPSWDV - When 8 characters or less it is for a new password. When there are 9 through 50 characters then it is for the first half of the new Password Phrase
  • SNNPSWD2 - An optional 0 through 50 characters for the second half of the new Password Phrase


Sites must be careful when modifying fields on the TEN1003 panel.
Variables for the password phrase fields can contain up to 50 characters.
Any time either the SNPSWDV or the SNNPSWDV field is entered with less than nine characters, the user's signon is treated as a traditional password signon attempt.
A Password Phrase signon attempt occurs when the password phrase is entered with a length between 9 and 100 characters.
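
As an added illustration (not Broadcom or TPX code), the following Python model applies the length and case rules described above to constructed inputs, so an administrator can tabulate the expected outcome of test signons before changing the SMRT or customizing TEN1003. The `SmrtCase` class, the function names and the two case-folding behaviours marked as assumptions in the comments are hypothetical.

```python
from dataclasses import dataclass

FIELD_LEN = 50      # each TEN1003 phrase field holds up to 50 characters
MAX_PASSWORD = 8    # 8 or fewer characters in SNPSWDV means a password

@dataclass
class SmrtCase:
    """Hypothetical model of the SMRT case fields described on this page."""
    allow_lower_case_pswds: bool = False   # "Allow Lower Case Pswds:" (default N)
    upper_case_pswd_phrases: bool = False  # "Upper Case Pswd Phrases" (default N)
    case_ptfs_applied: bool = True         # RO73376, RO73377 and RO73378

def split_phrase(secret):
    """Split an intended phrase into the (SNPSWDV, SNPSWDV2) pair."""
    if len(secret) > 2 * FIELD_LEN:
        raise ValueError("longer than the two 50-character fields")
    return secret[:FIELD_LEN], secret[FIELD_LEN:]

def plan_signon(snpswdv, snpswdv2, smrt):
    """Return (kind, value, warnings) for one constructed signon attempt."""
    if not snpswdv or max(len(snpswdv), len(snpswdv2)) > FIELD_LEN:
        raise ValueError("SNPSWDV empty or a field exceeds 50 characters")
    warnings = []
    if len(snpswdv) <= MAX_PASSWORD:
        # Fewer than nine characters in the first field is a password attempt.
        kind, value = "password", snpswdv
        fold = not smrt.allow_lower_case_pswds
        if snpswdv2:
            # The page does not say what happens to SNPSWDV2 in this case.
            warnings.append("SNPSWDV2 filled but SNPSWDV < 9 chars: password attempt")
    else:
        kind, value = "phrase", snpswdv + snpswdv2
        if smrt.case_ptfs_applied:
            # Assumption: "Y" folds phrases to upper case, as the field name suggests.
            fold = smrt.upper_case_pswd_phrases
        else:
            # Assumption: without the PTFs the password field governs phrases too.
            fold = not smrt.allow_lower_case_pswds
    return kind, (value.upper() if fold else value), warnings
```

A user who types a short first half and continues in the second field is the case to test for: the model flags it because the first field alone decides between a password and a password phrase attempt.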

A sample TEN1003 signon panel:


Additional Information:

For more information on the TEN0003 and TEN1003 signon Panels,
see the Password Verification section in the TPX Session Manager 5.4 documentation.