Passwords CPF'd between AES and DES encrypted systems fail in Top Secret


Article ID: 209936




Top Secret


AES password encryption was enabled in Top Secret on a couple of systems, while the others remained running with DES encryption.

When users change their password on a DES system and then try to log on to the AES system (password changes are propagated via CPF), the signon fails due to an invalid password.




Release: 16.0

Component: CA Top Secret for z/OS


The password that gets propagated from a Top Secret DES encrypted system is DES encrypted (and vice versa).

When the Top Secret AES encrypted system receives a password:

1. If it's already AES encrypted, Top Secret will save the password as is to the security file.

2. If it's not AES encrypted, Top Secret will encrypt the received value with AES. A value that is already DES encrypted will still be AES encrypted.

So when the user signs on, the password they enter doesn't match the password on the Top Secret AES encrypted system.
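The receive rules above can be modelled in a few lines. This is an added illustration, not Top Secret code: the hash-based `des_form`/`aes_form` stand-ins, the `DES:`/`AES:` prefixes used to recognise a value's form, and the user and password values are all assumptions made for the model.

```python
import hashlib
from dataclasses import dataclass, field

# Stand-ins for the real password transforms (assumption: modelled as
# labelled one-way hashes; Top Secret's actual algorithms are not shown).
def des_form(value: str) -> str:
    return "DES:" + hashlib.sha256(b"des|" + value.encode()).hexdigest()

def aes_form(value: str) -> str:
    return "AES:" + hashlib.sha256(b"aes|" + value.encode()).hexdigest()

@dataclass
class System:
    mode: str                                   # "DES" or "AES"
    security_file: dict = field(default_factory=dict)

    def protect(self, value: str) -> str:
        return aes_form(value) if self.mode == "AES" else des_form(value)

    def change_password(self, user: str, cleartext: str) -> str:
        """Local password change; returns the value propagated via CPF."""
        self.security_file[user] = self.protect(cleartext)
        return self.security_file[user]

    def receive_cpf(self, user: str, propagated: str) -> None:
        """Receive rules from the article for an AES system."""
        if self.mode == "AES" and not propagated.startswith("AES:"):
            # Rule 2: not AES encrypted, so it is AES encrypted on receipt,
            # even though the value is already DES encrypted.
            propagated = aes_form(propagated)
        # Rule 1: an AES value is saved as is. DES-side receive handling is
        # not described in the article; the model stores the value unchanged.
        self.security_file[user] = propagated

    def signon(self, user: str, cleartext: str) -> bool:
        return self.security_file.get(user) == self.protect(cleartext)

def propagate_and_signon(source_mode: str, target_mode: str) -> bool:
    # USER01 and the password are constructed sample values.
    src, dst = System(source_mode), System(target_mode)
    dst.receive_cpf("USER01", src.change_password("USER01", "N3wPass1"))
    return dst.signon("USER01", "N3wPass1")

if __name__ == "__main__":
    for pair in [("DES", "AES"), ("AES", "AES"), ("DES", "DES")]:
        print(pair, "signon ok:", propagate_and_signon(*pair))
```

In the DES to AES case the security file holds the AES form of the DES value, while signon compares against the AES form of the entered password, so the two never match. The AES to AES case, which corresponds to all systems using AES, succeeds.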

Options to get around the problem:

1. Back out and go back to DES encryption. Restore from a previous backup taken before the AES encryption and do a forward recovery without the password changes. All users that changed their passwords would need their passwords reset.

2. Have all systems switch to AES encryption.