How to convert ACF password encryption to AES256 encryption

Article ID: 187522

Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC, LDAP SERVER FOR Z/OS, PAM CLIENT FOR LINUX ON MAINFRAME, WEB ADMINISTRATOR FOR TOP SECRET

Issue/Introduction

I am considering switching ACF2 to AES256-bit encryption for passwords and have a few questions:

1. How do we implement, is it by command?

2. How do we fallback, is it by command?

3. Assuming we have switched, how do we list which userids are not using AES256?

4. Is there a command to force the encryption of a userid with AES256? Presumably, we can do this for a number of userids in batch.

regards,

Alex

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

Ensure all of the performance PTFs are applied:

SO07365 - For CICS
SO01064 - For base ACF2
SO01559 - For base ACF2
SO01560 - For base ACF2
SO03889
SO04781
SO05420
SO06277


RO95192 - MINDAYS not enforced with AES2

1. How do we implement, is it by command?
Implement password encryption by updating the PSWD GSO record. Refer to the documentation for implementing AES256 encryption:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-mainframe-software/security/ca-acf2-for-z-os/16-0/administrating/implement-aes-256-encryption.html#toccontentbroadcomtechdocsusencamainframesoftwaresecuritycaacf2forzos160administratingadministerrecordshtmlAdministerRecords

In the GSO PSWD record, there are options for PSWDENCT to update to AES2:
TSO ACF
SET CONTROL(GSO)
CHANGE PSWD PSWDENCT(option)
F ACF2,REFRESH(PSWD)

As always, changes to the PSWD record only take effect when a user changes their password.

2. How do we fallback, is it by command?
Change PSWDENCT to another level; passwords are updated to the new encryption level when a user changes their password.

3. Assuming we have switched, how do we list which userids are not using AES256?
After a period longer than the MAXDAYS setting has elapsed, check that all IDs are compliant. To do this, run the ACFRPTSL report and look for logonids whose PSWA2TOD field is set to zeros.

4. Is there a command to force the encryption of a userid with AES256? Presumably, we can do this for a number of userids in batch.
Those IDs can be individually converted to AES2 with the command (where logonid is the ID to convert):
CHANGE logonid PWCNVRT
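As an added example that is not part of the original article, the PWCNVRT change can be issued for several logonids in one batch job by running the ACF command under TSO in batch (IKJEFT01). The JOB card, dataset and logonid names below are placeholders, and the list of logonids is assumed to come from the ACFRPTSL check in step 3.

```jcl
//PWCNVRT  JOB (ACCT),'AES256 CONVERT',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//* Added example: run ACF2 logonid changes in batch via TSO (IKJEFT01).
//* Replace the logonids below with those whose PSWA2TOD is zeros in the
//* ACFRPTSL output; every name here is a placeholder.
//CONVERT  EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
 ACF
 SET LID
 CHANGE USER0001 PWCNVRT
 CHANGE USER0002 PWCNVRT
 CHANGE USER0003 PWCNVRT
 END
/*
```

The submitting logonid needs authority to change logonid records, and SYSTSPRT should be checked for the ACF response to each CHANGE before the job is considered successful.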