
How should we set up ACF2 PSWD AES2 Encryption on a shared database?


Article ID: 187587




ACF2 ACF2 - z/OS


What about a shared database environment? Do both systems have to be upgraded?


In a shared environment, system administrators will want to specify the NOONEPWALG field of the GSO PSWD record. This field specifies one or more encryption algorithms under which password/password phrase changes are saved.
By default, CA ACF2 encrypts a password/password phrase with the current setting in PSWDENCT and the weaker algorithms. This encryption gives you time to convert all systems in a shared environment to the same algorithm. Doing so does not offer the full benefit of converting to an AES algorithm because the XDES password/password phrase is still saved.

When converting to AES256 encryption in a shared database environment, if only one LPAR has AES256 specified as the encryption algorithm, then all password changes should be made on the LPAR with AES256. If users change their passwords on an LPAR with a lower encryption method such as AES128 or XDES, the password(s) with a higher level of encryption and their TOD fields stored in the database will be zeroed out and only the AES128 or XDES password and TOD field will be updated. This will have varied results when implementing the AES256 encryption. We recommend either making all LPARs use AES256 encryption with NOONEPWALG, or ensuring users only change their passwords on the LPAR where the AES256 testing is taking place.

The following describes the available settings. Choose the setting that works best for your environment.

ONEPWALG: Saves password/password phrase changes under a single algorithm. Once ONEPWALG is set, the next password/password phrase change encrypts under the current value that is specified in PSWDENCT and clears out the other values and the TOD stamps for those values. All systems sharing logonid or infostorage databases must be able to evaluate passwords/password phrases encrypted with the PSWDENCT value.
Do not set ONEPWALG if you are using VM Database Synchronization. VM does not support the AES algorithms.
Do not set ONEPWALG unless all systems that are sharing the logonid or infostorage databases are running with the same PSWDENCT value.
NOONEPWALG: Saves password/password phrase changes under multiple algorithms: the newly set algorithm plus any weaker algorithms.

Additional Information

If NOONEPWALG is set and PSWDENCT is set to AES2, CA ACF2 saves the password/password phrase that is encrypted under AES 256, AES 128, and XDES.
If NOONEPWALG is set and PSWDENCT is set to AES1, CA ACF2 saves the password/password phrase that is encrypted under AES 128 and XDES. This option makes it easier to transition from one algorithm to another, especially in a shared database environment.
See documentation for Implement AES 256 Encryption.
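
The storage rules above can be modelled to review a migration plan before changing any GSO PSWD record. The following Python sketch is an added example, not ACF2 code or output; the system names SYSA and SYSB and the function names are hypothetical, and the model covers only which encrypted values are kept or cleared on a password change, as this article describes.

```python
# Added model of the storage rules stated in this article; it is not ACF2 code.
ORDER = ["XDES", "AES1", "AES2"]  # weakest to strongest; AES1 = AES 128, AES2 = AES 256

def stored_after_change(pswdenct, onepwalg, tod):
    """Slots held for a logonid after a password change on one system.

    Returns {algorithm: TOD stamp, or None where the value and TOD are cleared}.
    """
    level = ORDER.index(pswdenct)
    slots = {}
    for i, alg in enumerate(ORDER):
        # ONEPWALG keeps only the PSWDENCT value; NOONEPWALG keeps it plus weaker ones.
        kept = (i == level) if onepwalg else (i <= level)
        slots[alg] = tod if kept else None
    return slots

def review(lpars):
    """lpars: {name: (PSWDENCT value, ONEPWALG set?)} for systems sharing the database."""
    values = {pswdenct for pswdenct, _ in lpars.values()}
    strongest = max(values, key=ORDER.index)
    findings = []
    for name, (pswdenct, onepwalg) in sorted(lpars.items()):
        if onepwalg and len(values) > 1:
            findings.append(f"{name}: ONEPWALG set while PSWDENCT differs across systems")
        if stored_after_change(pswdenct, onepwalg, 1)[strongest] is None:
            findings.append(f"{name}: a password change here clears the {strongest} value")
    return findings

# Constructed example: SYSA has been converted to AES2, SYSB is still on XDES.
SAMPLE = {"SYSA": ("AES2", False), "SYSB": ("XDES", False)}

if __name__ == "__main__":
    for name, (pswdenct, onepwalg) in SAMPLE.items():
        print(name, stored_after_change(pswdenct, onepwalg, tod=1))
    for finding in review(SAMPLE):
        print("FINDING", finding)
```

An empty findings list means every sharing system saves the strongest configured value on a password change and no system has ONEPWALG set against a mixed PSWDENCT configuration.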