
Top Secret Transition from password to password phrases


Article ID: 215298


Products

Top Secret

Issue/Introduction

Transition to passphrases and remove/inactivate passwords.

At present all ACIDs have passwords; how can passwords be transformed to passphrases?

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

To get started forcing users to sign on exclusively with password phrases, issue TSS MODIFY STATUS and make sure NEW_PASSWORD(Active) is set:

TSS9661I        CA Top Secret FEATURES Status
  MAX_ACID_SIZE(0512K)
  RDT2BYTE(Active)
  NEW_PASSWORD(Active)
  VSAM_DIGICERT(Active)
  AES_ENCRYPTION(Inactive)
  LARGE_VSAM_RECORD(Inactive)
  EXPAND_COUNTER(Inactive)

TSS9661I        CA Top Secret PHRASE   Status

 NEWPHRASE(MIN=09,MAX=100,WARN=03,MINDAYS=00,SC=00,MA=00,MN=00)  PSWDPHRASE(ON )  NPPTHRESH(02)
 PPEXP(030)                 PPHIST(03)

Make sure the following TSS r16 maintenance is applied:

RO99167: LOGON FAILURES / INCORRECT ENFORCEMENT OF PHRASEONLY

RO98804: STC LOOPS WHEN ACID HAS PHRASE BUT NO PASSWORD

RO98297: ADD SUPPORT FOR USERS WITH PASS PHRASE ONLY
***NOTE*** PE: YES (PTF in error), CORRECTED BY: RO98795 RO99287

Make sure the acids you are going to force to use password phrases have a phrase.

To find this, have an SCA with DATA(PASS) admin authority run TSSCFILE with TSS LIST(ACIDS) DATA(PASS).

This will not list the acid's password or phrase, but if the acid has a PHRASE, record id 3001 will be present in the output for that acid.

If the acid does not have a phrase, a security administrator will need to add one.
TSS ADD(acid) PHRASE(xxxxxxxxxxx,,EXP)

There are 3 ways to implement forcing users to sign on exclusively with password phrases. Choose the method that best fits your site.

1) Adding the PHRASEONLY attribute to users as needed.

2) Using the PHRASEONLY suboption of FACILITY to enforce control by facility.

3) Globally enforcing password phrase signons by activating the PHRASEONLY control option.

What happens if you apply "PHRASEONLY" to a set of IDs that currently use passwords? Will they get "ENTER NEW PHRASE" when their password expires?

Answer:

No. If the ID has PHRASEONLY, they will not be able to sign on with a password. If they try to use a password, they will get:

TSS7100E 223 J=job A=acid T=termina F=facility - Signon Requires a Phrase
TSS7189E Signon for Acid Requires a Phrase

If they do not already have a phrase, a security administrator will need to add one and expire it, forcing the user to change it at the next logon:

TSS ADD(acid) PHRASE(xxxxxxxxxxx,,EXP)

You will have to issue the following command for each user that will be using password phrases, to assign them an initial password phrase:

TSS ADDTO(userid) PHRASE(temporarypwphrase72,,exp)

You could run a TSS LIST(ACIDS) DATA(NAMES) in a batch job and use the output as input to a user-written job that generates a

TSS ADDTO(userid) PHRASE(temporarypwphrase72,,exp)

for all the users, then run the generated commands in a batch job.
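Added example (Python, not part of this article or of the product): it combines the two steps above, reading TSSCFILE output from TSS LIST(ACIDS) DATA(PASS) to find acids with no record id 3001 and emitting one TSS ADDTO(acid) PHRASE(...,,EXP) command per such acid. The record layout (acid in columns 1-8, record id in columns 10-13) and the sample lines are constructed assumptions, and the example goes one step beyond the text by generating a distinct random temporary phrase per acid, within the NEWPHRASE(MIN=09,MAX=100) limits shown in the status output, instead of one shared value for everyone.

```python
import re
import secrets
import string

# Constructed sample of TSSCFILE output from TSS LIST(ACIDS) DATA(PASS).
# Assumed simplified layout: acid name in columns 1-8, record id in columns 10-13;
# real TSSCFILE records carry more fields after that, which this parser ignores.
SAMPLE_TSSCFILE = """\
USER01   0001 user record
USER01   3001 phrase present
USER02   0001 user record
USER03   0001 user record
USER03   3001 phrase present
"""

# Limits taken from NEWPHRASE(MIN=09,MAX=100) in the TSS MODIFY STATUS output.
PHRASE_MIN, PHRASE_MAX = 9, 100
# Letters and digits only, so the phrase never needs quoting inside PHRASE(...).
ALPHABET = string.ascii_letters + string.digits
# Shape of the generated command, used to validate the output.
CMD_RE = re.compile(r"^TSS ADDTO\(([A-Z0-9@#$]{1,8})\) PHRASE\(([A-Za-z0-9]+),,EXP\)$")


def acids_without_phrase(tsscfile_output: str) -> list[str]:
    """Return acids (first-seen order) that have no record id 3001 in the output."""
    has_phrase: dict[str, bool] = {}
    for line in tsscfile_output.splitlines():
        if not line.strip():
            continue
        acid, rec_id = line[0:8].strip(), line[9:13]
        has_phrase.setdefault(acid, False)
        if rec_id == "3001":
            has_phrase[acid] = True
    return [acid for acid, present in has_phrase.items() if not present]


def temp_phrase(length: int = 24) -> str:
    """Random one-time phrase, distinct per acid, within the NEWPHRASE length limits."""
    if not PHRASE_MIN <= length <= PHRASE_MAX:
        raise ValueError(f"phrase length must be {PHRASE_MIN}..{PHRASE_MAX}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def addto_commands(acids: list[str]) -> list[str]:
    """One TSS ADDTO command per acid; ,,EXP expires the phrase so the user must change it at next logon."""
    return [f"TSS ADDTO({acid}) PHRASE({temp_phrase()},,EXP)" for acid in acids]


if __name__ == "__main__":
    for cmd in addto_commands(acids_without_phrase(SAMPLE_TSSCFILE)):
        print(cmd)
```

The generated commands still have to be handed to each user out of band, since the phrase is only known to the person who ran the job.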