Passwords CPF'd between AES and DES encrypted systems fail in Top Secret


Article ID: 209936


Products

CA Top Secret

Issue/Introduction

AES password encryption was enabled in Top Secret on a couple of systems, while the others remained running with DES encryption.

When users change their password on a DES system and then try to log on to the AES system (password changes are propagated via CPF), the signon fails due to an invalid password.

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

The password that gets propagated from a Top Secret DES encrypted system is DES encrypted (and vice versa).

When the Top Secret AES encrypted system receives a password:

1. If it is already AES encrypted, Top Secret will save the password as is to the security file.

2. If it is not AES encrypted, Top Secret will encrypt the password to an AES-encrypted password. A password that is already DES encrypted will still be AES encrypted.

So when the user signs on, the password they enter doesn't match the password on the Top Secret AES encrypted system.
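The mismatch described above can be reproduced with a small model. This is an added illustration, not Broadcom or Top Secret code: the labelled SHA-256 transform stands in for the real DES and AES routines, and the record layout, function names and the single-transform sign-on check are assumptions.

```python
import hashlib
import hmac


def _one_way(label, data):
    # Stand-in transform (labelled SHA-256); NOT Top Secret's DES or AES routine.
    return hashlib.sha256(label.encode() + b"\x00" + data).digest()


def propagate(sender_mode, new_password):
    """CPF record from the sending system: password in the sender's own format."""
    return (sender_mode, _one_way(sender_mode, new_password.encode()))


def aes_receiver_store(record):
    """The two receive rules of the AES system described above."""
    fmt, value = record
    if fmt == "AES":
        return value                # rule 1: already AES, saved as is
    return _one_way("AES", value)   # rule 2: AES applied on top of the DES value


def aes_signon(stored, typed_password):
    # Assumption: sign-on transforms the typed password once and compares.
    candidate = _one_way("AES", typed_password.encode())
    return hmac.compare_digest(stored, candidate)


def demo():
    pw = "N3wPass1"  # constructed sample value
    return {
        sender: aes_signon(aes_receiver_store(propagate(sender, pw)), pw)
        for sender in ("DES", "AES")
    }


if __name__ == "__main__":
    print(demo())
```

A change that originates on a DES system is stored on the AES system as the AES transform of the DES value, so the typed password never matches; a change that originates on an AES system is stored as is and the signon succeeds.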

Options to get around the problem:

1. Back out and go back to DES encryption. Restore from a previous backup taken before the AES encryption and do a forward recovery without the password changes. All users that changed their passwords would need their passwords reset.

2. Have all systems switch to AES encryption.