Top Secret AES encryption turned on and propagated password changes to Top Secret DES encrypted systems corrupt passwords.


Article ID: 209936



CA Top Secret


AES password encryption was turned on in Top Secret on 2 systems.

When a user changes their password on a Top Secret DES password encrypted system and that password is propagated to a Top Secret AES password encrypted system, the password is corrupted.

Signon to the Top Secret AES password encrypted systems fails for these users with invalid password.


Release : 16.0

Component : CA Top Secret for z/OS


The password that gets propagated from a Top Secret DES encrypted system is DES encrypted.

When the Top Secret AES encrypted system receives a password:

1. If it is already AES encrypted, Top Secret saves the password as is to the security file.

2. If it is not AES encrypted, Top Secret encrypts the already DES-encrypted password into an AES-encrypted password.

So when the user signs on, the password they enter does not match the password stored on the Top Secret AES encrypted system, because the stored value was produced from the DES-encrypted password rather than from the password itself.

Options to get around the problem:

1. Back out and go back to DES encryption. Restore from a previous backup taken before AES encryption was turned on and do a forward recovery without the password changes. All users who changed their passwords would need their passwords reset.

2. Have all systems switch to AES encryption.
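
The receive rule described above and the effect of option 2 can be reproduced with a small model. This is an added example, not Top Secret code: the System class, the tagged "DES:"/"AES:" prefixes used to recognise an AES value, and the hash-based transforms are assumptions standing in for the product's real DES and AES password encryption.

```python
import hashlib
import hmac

# Stand-ins only (assumption): tagged hashes play the role of the DES- and
# AES-based password transforms. Only the data flow matches the article.
def des_form(data: bytes) -> bytes:
    return b"DES:" + hashlib.sha256(b"des-standin" + data).digest()

def aes_form(data: bytes) -> bytes:
    return b"AES:" + hashlib.sha256(b"aes-standin" + data).digest()

class System:
    """Toy security file for one system; mode is 'DES' or 'AES' (hypothetical model)."""

    def __init__(self, mode: str):
        self.mode = mode
        self.security_file = {}

    def _protect(self, password: str) -> bytes:
        raw = password.encode()
        return aes_form(raw) if self.mode == "AES" else des_form(raw)

    def change_password(self, user: str, password: str) -> bytes:
        """Local password change; returns the value that gets propagated."""
        self.security_file[user] = self._protect(password)
        return self.security_file[user]

    def receive(self, user: str, propagated: bytes) -> None:
        """Receive rule from the article, as applied by an AES system."""
        if self.mode == "AES" and not propagated.startswith(b"AES:"):
            # Rule 2: the DES-encrypted value itself is AES encrypted,
            # so the stored value is no longer derived from the password.
            propagated = aes_form(propagated)
        # Rule 1 (already AES) and DES receivers: saved as is.
        self.security_file[user] = propagated

    def signon(self, user: str, password: str) -> bool:
        stored = self.security_file.get(user, b"")
        return hmac.compare_digest(stored, self._protect(password))

def propagate(src_mode: str, dst_mode: str,
              user: str = "USER01", password: str = "constructed-pw"):
    """Change a password on src, propagate to dst, return both signon results."""
    src, dst = System(src_mode), System(dst_mode)
    dst.receive(user, src.change_password(user, password))
    return src.signon(user, password), dst.signon(user, password)

if __name__ == "__main__":
    for pair in (("DES", "AES"), ("AES", "AES"), ("DES", "DES")):
        print(pair, propagate(*pair))
```

In the model, only the DES-to-AES propagation leaves the receiving system unable to verify the user's password; with every system on the same encryption the signon succeeds on both sides.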