ACF2 PSWCNVRT command on LID that has PSWD-TOD=U'00/00/00'

Article ID: 206329

Products

CA ACF2, CA ACF2 - z/OS, CA ACF2 - MISC

Issue/Introduction

What circumstances allow an ACF2 LID to be created without populating PSWD-TOD? Would there be any impact to a LID with a zeroed out PSWD-TOD if a PWCNVRT command was issued?

Resolution

To find out why a logonid was created without PSWD-TOD populated, first check whether the LID has RESTRICT or STC listed. Both of these options allow a LID to be created and used without specifying a password.

There is also an option in the ACF2 GSO PSWD record called NOPSWDREQ, which specifies that a password is not required when a logonid is inserted. When a LID is inserted with this option, PSWD-TOD stays zeroed out until the user logs in for the first time and creates their password.

The LID effectively does not have a password, so the password never has to be changed unless someone uses the LID to log in and creates a password at that time. After normal system entry validation occurs, the PSWD-TOD field is filled in and either GSO PSWD options like PSWDMAX or LIDREC fields like MAXDAYS take effect.

If you issue a PWCNVRT to an ID that has a zeroed-out PSWD-TOD, the TOD of the encryption level you are using is updated (PSWA2TOD for AES256). The implication is that any GSO PSWD fields related to password expiration then take effect, because the TOD field is no longer zero.

Even though there is no password, ACF2 performs encryption on the password field and updates PSWA2TOD. At the time of normal system entry validation, the affected LID is prompted to enter a password and is unable to log in, because the system now believes the ID has a password.