AES256 Encryption Migration on a Shared ACF2 Database
Article ID: 187587

Products

ACF2, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

If multiple LPARs share the ACF2 database but have different GSO PSWD records, do all LPARs need to have PSWDENCT(AES2) and ONEPWALG specified when they share an ACF2 database? Will having mismatched settings cause a logon issue?

Resolution

Having mismatched PSWDENCT() and ONEPWALG settings in the GSO PSWD record will not cause any logon issues nor prevent users from logging onto a system. The ACF2 logon process is not impacted by a mismatch of these settings.
 
When migrating to AES256 password encryption for the first time on any LPAR, it is recommended to specify the NOONEPWALG field of the GSO PSWD record. With NOONEPWALG set, ACF2 encrypts a password/password phrase with the algorithm currently set in PSWDENCT and also with the weaker algorithms. This makes it possible to quickly drop to a lower encryption level (AES1 or DES) should performance issues occur, as AES256 is notoriously CPU intensive.
 
Use of NOONEPWALG does not offer the full benefit of converting to an AES algorithm because the XDES password/password phrase is still saved. After all LPARs and all users have been migrated to AES256, the setting should eventually be changed to ONEPWALG.  

It is recommended to use the same settings across LPARs that share the ACF2 database as failure to do so may impede the migration process. For example, if only one LPAR has AES256 specified as the encryption algorithm, then all password changes should be made on the LPAR with AES256. If users change their passwords on an LPAR with a lower encryption method such as AES128 or XDES, the password(s) with a higher level of encryption and their TOD fields stored in the database will be zeroed out and only the AES128 or XDES password and TOD field will be updated. For this reason, either have all LPARs use AES256 encryption with NOONEPWALG, or ensure users only change their passwords on the LPAR where the AES256 testing is taking place.

Additional Information

Examples:
If NOONEPWALG is set and PSWDENCT is set to AES2, ACF2 saves the password/password phrase encrypted under AES 256, AES 128, and XDES.
 
If NOONEPWALG is set and PSWDENCT is set to AES1, ACF2 saves the password/password phrase encrypted under AES 128 and XDES. This option makes it easier to transition from one algorithm to another, especially in a shared database environment.
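As an added illustration (not ACF2 code and not part of this article), the following Python model applies the rules described in the Resolution section and the examples above to a shared database record: each LPAR's PSWDENCT and ONEPWALG/NOONEPWALG setting decides which algorithm slots a password change writes, and a change on an LPAR with a weaker PSWDENCT leaves the stronger slots and their TOD fields zeroed out. The record layout, LPAR names, the stand-in hash and the assumption that a change keeps only the slots it writes are modelling assumptions, not ACF2 internals.

```python
"""Model of the GSO PSWD migration rules described in the article.

Assumptions for illustration only: the record layout, LPAR names and
stand-in hashing are not ACF2's real encryption or field layout, and a
password change is modelled as keeping only the slots it writes.
"""
import hashlib
from dataclasses import dataclass, field

# PSWDENCT values from weakest to strongest: XDES < AES128 < AES256.
ALGORITHMS = ["XDES", "AES1", "AES2"]


@dataclass
class LparConfig:
    name: str
    pswdenct: str   # "XDES", "AES1" or "AES2"
    onepwalg: bool  # True = ONEPWALG, False = NOONEPWALG


@dataclass
class LogonidRecord:
    # algorithm -> (stand-in hash, TOD stamp); a missing key is a zeroed slot
    slots: dict = field(default_factory=dict)


def stand_in_hash(alg: str, password: str) -> str:
    """Illustrative only: label + truncated SHA-256, not ACF2's encryption."""
    return alg + ":" + hashlib.sha256((alg + password).encode()).hexdigest()[:16]


def change_password(rec: LogonidRecord, lpar: LparConfig, password: str, tod: int) -> LogonidRecord:
    """Apply a password change made on `lpar` to the shared record."""
    level = ALGORITHMS.index(lpar.pswdenct)
    # NOONEPWALG writes the current algorithm and every weaker one;
    # ONEPWALG writes only the current algorithm.
    written = [lpar.pswdenct] if lpar.onepwalg else ALGORITHMS[: level + 1]
    # Slots this LPAR does not write are left zeroed out, TOD included,
    # which is how an AES256 hash is lost after a change on a weaker LPAR.
    rec.slots = {alg: (stand_in_hash(alg, password), tod) for alg in written}
    return rec


def needs_aes256_rechange(rec: LogonidRecord) -> bool:
    """Audit helper: True if the user no longer has an AES256 password stored."""
    return "AES2" not in rec.slots


def users_to_rechange(records: dict) -> list:
    """Logonids (constructed dict of name -> record) that must change on the AES256 LPAR."""
    return sorted(name for name, rec in records.items() if needs_aes256_rechange(rec))
```

Running a change on an AES2/NOONEPWALG LPAR, then on an AES1 LPAR, shows the AES256 slot and its TOD disappearing, which is the migration pitfall the article warns about.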