What PTFs are needed for ACF2 PSWD encryption for AES 256?
Article ID: 187589
Updated On:
Products
ACF2
ACF2 - DB2 Option
ACF2 - z/OS
ACF2 - MISC
Issue/Introduction
PTFs are needed for ACF2 PSWD encryption for AES2 256 and to address performance issues.
Environment
Release : 16.0
Component : CA ACF2 for z/OS
Resolution
The PTFs published for PSWD encryption to AES 256 include:
SO01064, SO01559 and SO01560 added the following improvements:
The use of PSWDENCT(AES2) in the GSO PSWD record incurs more processing overhead at Signon than other encryption methods.
This apar/PTF addresses two different issues.
1. If NOONEPWALG is set in the GSO PSWD record, multiple password encryption formats are kept internally. In an effort to
improve performance with NOONEPWALG in effect, the current setting of the GSO PSWD PSWDENCT will be used for
password validation at Signon, enabling a site to regress to AES1 or XDES if the AES2 validations are too expensive to tolerate.
2. Improve throughput for a full password validation signon by reducing Database I/O and ENQUEUEs to the ACF2 LOGONIDS
Database. If NOSTATS is set on the MUSASS address space LOGONID, or BYPSTATS is set on the GSO OPTS record, the
ACF2 SYSPLEX Coupling Facility will be referenced for the LOGONID record rather than the LOGONIDS database during signon processing.
This apar/PTF addresses two different issues.
1. If NOONEPWALG is set in the GSO PSWD record, multiple password encryption formats are kept internally. In an effort to
improve performance with NOONEPWALG in effect, the current setting of the GSO PSWD PSWDENCT will be used for
password validation at Signon, enabling a site to regress to AES1 or XDES if the AES2 validations are too expensive to tolerate.
2. Improve throughput for a full password validation signon by reducing Database I/O and ENQUEUEs to the ACF2 LOGONIDS
Database. If NOSTATS is set on the MUSASS address space LOGONID, or BYPSTATS is set on the GSO OPTS record, the
ACF2 SYSPLEX Coupling Facility will be referenced for the LOGONID record rather than the LOGONIDS database during signon processing.
SO03889, SO04781, SO05420 and SO06277 added the following improvements:
1. Added an internal password cache, using AES256 encryption, to alleviate performance issues with using AES256 with passwords.
Recommended PTFs for AES2 Password Encryption:
SO07365 - For CICS
SO06277
SO05420
SO04781
SO04776 - For base ACF2
SO03889
SO01560 - For base ACF2
SO01559 - For base ACF2
SO01064 - For base ACF2
SO06277
SO05420
SO04781
SO04776 - For base ACF2
SO03889
SO01560 - For base ACF2
SO01559 - For base ACF2
SO01064 - For base ACF2
SO10255
SO15033 - For base ACF2
SO16044
RO95192 - MINDAYS not enforced with AES2
RO97779
RO97780
SO15033 - For base ACF2
SO16044
RO95192 - MINDAYS not enforced with AES2
RO97779
RO97780
Feedback
Yes
No
Powered by
