Migration from passwords to pass phrases in Top Secret

Article ID: 220962

Products

CA Top Secret

Issue/Introduction

How can users be enabled to sign on with their existing password and replace that password with a passphrase, without getting the admin (SCA) involved?

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

Currently the functionality to enable "users to sign on with their existing password and change it to a phrase" does not exist.

A Top Secret Administrator must assign the PHRASE to ACIDs. An SCA is recommended since an SCA has scope over everyone on the security file.  

However, it can be automated as follows:
1) Create a dataset of the ACIDs via:
TSSCFILE TSS LIST(ACIDS) DATA(BASIC)

2) Create a TSSCFILE utility program to read the file and generate TSS commands:
A. to change/expire the PASSWORD,
B. to add the PHRASEONLY attribute: TSS ADD(acid) PHRASEONLY, and
C. to add/change a PHRASE keyword. Set it to expire to force users to change the phrase: TSS ADD(acid) PHRASE("change this phrase",,EXP)

3) Set up the passphrase control options to the site's standards:
NEWPHRASE(MIN=14,MAX=nnn,WARN=nn,MINDAYS=nn,etc)
PSWDPHRASE(ON) - set to ON when ready to allow all users to use phrases.
NPPTHRESH(nn)
PPEXP(nnn)
PPHIST(nn)
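
A sketch of the step 2 command generator, added here as an example (not code from this article or from the product). It goes beyond the single literal phrase shown in step 2C by giving each ACID its own random one-time phrase, and it leaves out step 2A because the article gives no command for it. Assumptions: the ACID names have already been extracted from the step 1 output into one name per line, an ACID is 1-8 characters from A-Z, 0-9, @, # and $, and the site's NEWPHRASE rules accept the generated phrase format.

```python
import re
import secrets

# Assumption: an ACID is 1-8 characters from A-Z, 0-9, @, # and $.
ACID_RE = re.compile(r"[A-Z0-9@#$]{1,8}")
MIN_PHRASE_LEN = 14  # matches NEWPHRASE(MIN=14) in step 3


def one_time_phrase():
    """Random 19-character phrase: four hex groups separated by spaces."""
    phrase = " ".join(secrets.token_hex(2) for _ in range(4))
    assert len(phrase) >= MIN_PHRASE_LEN
    return phrase


def build_commands(lines, exclude=()):
    """Return (commands, phrases, rejected) for the ACID names in `lines`.

    `exclude` is a hypothetical list of ACIDs the site wants left untouched.
    """
    skip = {name.upper() for name in exclude}
    commands, phrases, rejected = [], {}, []
    for raw in lines:
        acid = raw.strip().upper()
        if not acid or acid in phrases or acid in skip:
            continue  # blank line, duplicate, or excluded ACID
        if not ACID_RE.fullmatch(acid):
            # Never copy unvalidated file content into a security command.
            rejected.append(raw.strip())
            continue
        phrases[acid] = one_time_phrase()
        commands.append(f"TSS ADD({acid}) PHRASEONLY")
        commands.append(f'TSS ADD({acid}) PHRASE("{phrases[acid]}",,EXP)')
    return commands, phrases, rejected


# Constructed sample input: not real ACIDs.
SAMPLE = ["USER01", "user02", "USER01", "", "BAD) PHRASEONLY", "SVCBATCH"]

if __name__ == "__main__":
    cmds, phrases, rejected = build_commands(SAMPLE, exclude=["SVCBATCH"])
    print("\n".join(cmds))
    print("rejected:", rejected)
```

The generated command stream and the phrase map both contain credentials, so restrict access to them and delete them once the commands have run and the phrases have been delivered.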