Ensure all the performance PTFs are applied:
SO07365 - For CICS
SO01064 - For base ACF2
SO01559 - For base ACF2
SO01560 - For base ACF2
SO03889
SO04781
SO05420
SO06277
RO95192 - MINDAYS not enforced with AES2
Implement password encryption by updating the PSWD GSO record. Refer to the documentation for implementing AES256 encryption.
Implement AES 256 Encryption
In the GSO PSWD record, the PSWDENCT option can be updated to AES2:
TSO ACF
SET CONTROL(GSO)
CHANGE PSWD PSWDENCT(option)
F ACF2,REFRESH(PSWD)
As always, changes to the PSWD record only take effect when a user changes their password.
2. How do we fall back? Is it by command?
Change PSWDENCT to another level. Passwords will be updated to the new encryption level when a user changes their password.
3. Assuming we have switched, how do we list which userids are not using AES256?
After a period that is longer than the MAXDAYS setting, check to make sure all IDs are compliant. To do this, run the ACFRPTSL report and check for PSWA2TOD values that are set to zeros.
4. Is there a command to force the encryption of a userid with AES256? Presumably, we can do this for a number of userids in batch.
Those IDs can be individually converted to AES2 with the command:
CHANGE logonid PWCNVRT
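As an added example (not part of the original article or any vendor tooling), the script below ties answers 3 and 4 together: it picks out logonids whose PSWA2TOD is still zeros and writes one `CHANGE logonid PWCNVRT` command per ID as ACF subcommand input. It assumes the ACFRPTSL output has already been reduced to one "logonid PSWA2TOD" pair per line; that two-column layout, the sample data, the logonid character set, and the function names are assumptions.

```python
import re

# Assumption: logonids are 1-8 characters from this set. Anything else is
# rejected so stray text can never end up inside a generated command.
LOGONID_RE = re.compile(r"[A-Z0-9$#@]{1,8}")

# Constructed sample: one "logonid PSWA2TOD" pair per line (assumed layout,
# reduced from the ACFRPTSL report; not the report's native format).
SAMPLE_EXTRACT = """\
USER01   00000000
USER02   2024-03-11
SVCBATCH 00/00/00-00:00
* comment lines and blanks are skipped

BAD;ID   00000000
"""

def is_zero_timestamp(value):
    """True when the field contains digits and every digit is 0."""
    digits = re.sub(r"\D", "", value)
    return bool(digits) and set(digits) == {"0"}

def unconverted_ids(extract):
    """Return (logonids with a zero PSWA2TOD, lines that were rejected)."""
    pending, rejected = [], []
    for raw in extract.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or not LOGONID_RE.fullmatch(parts[0]):
            rejected.append(raw)
            continue
        if is_zero_timestamp(parts[1]) and parts[0] not in pending:
            pending.append(parts[0])
    return pending, rejected

def build_deck(ids):
    """Build ACF subcommand input: one CHANGE ... PWCNVRT per logonid."""
    lines = ["ACF", "SET LID"]
    lines += [f"CHANGE {lid} PWCNVRT" for lid in ids]
    lines.append("END")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    ids, bad = unconverted_ids(SAMPLE_EXTRACT)
    print(build_deck(ids), end="")
    for line in bad:
        print("skipped (review manually):", line)
```

Review the rejected lines and the generated deck before running it; service and batch IDs that never change their own password are the ones most likely to appear in the list.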