Ensure all the performance PTF's are applied.
SO07365 - For CICS
SO01064 - For base ACF2
SO01559 - For base ACF2
SO01560 - For base ACF2
RO95192 - MINDAYS not enforced with AES2
Implement password encryption by updating PSWD GSO record. Please refer to the documentation for implementing aes256 encryption.
In the GSO PSWD record, there are options for PSWDENCT to update to AES2:
CHANGE PSWD PSWDENCT(option)
As always, changes to the PSWD record only take effect when a user changes their password.
2. How do we fallback, is it by command?
Change the PSWDENCT to another level, passwords will be updated to the new encryption level when a user changes their password
3. Assuming we have switched, how do we list with userids are not using AES256?
After a period of that is longer then MAXDAYS is set to, check to make sure all ids are compliant. To do this run the ACFRPTSL report and check for PSWA2TOD that is set to zeros.
4. Is there a command to force the encryption of a userid with AES256? Presumably, we can do this for a number of userids in batch.
Those ids can be individually converted to AES2 with the command
Change logonid PWCNVRT