Passphrase support with Gen 8.6 CICS TCP/IP Listener

Article ID: 268339

Products

Gen - Host Encyclopedia
Gen - Workstation Toolset
Gen - Run Time Distributed
Gen

Issue/Introduction

The Gen 8.6 Gen Example : Passphrase and Encryption cookbook article is really helpful, but we are using Gen 8.6 CICS TCP/IP Direct Connect (CICS Multi Socket Server Listener) without a Client Manager (CM).

  1. Is Passphrase support available in Gen when using CICS TCP/IP Sockets Listeners without a CM?
  2. Is a cookbook available for Passphrase using CICS TCP/IP Sockets Listeners?
  3. Can CICS TCP/IP Sockets Listeners use both Password and Passphrase for the same user id, so you can choose which one to use logging on?
  4. If not for TCP/IP, can a token be used for Passphrase? If so, is there any cookbook for that?

Environment

Release: Gen Complete + latest PTFs (8.6.3)

Resolution

In summary, a Client Manager (CM) is required to use the Passphrase feature, which supports 200 characters. The CM can be used in conjunction with a CICS Sockets Listener (TISRVLIS) or Multi-Sockets Listener (TISRVMSL).
The Gen EDGE Community thread "Now Available: 200 character passwords in Client Manager (Password Phrases)" covers related changes to the z/OS security exits to support the CM Passphrase feature. The corresponding z/OS PTFs are entitled "PASSPHRASE SUPPORT WHEN USING THE CLIENT MANAGER FOR CICS".
To use Passphrase, make sure the TIRSLEXT exit does not perform the Verify Password step (see the information in the TIRSLEXT exit). Instead, allow the Listener to start the Server, passing the request on, and have the verification done in the Server Security Exit TIRSECVZ.
Relevant doc. page: Set up Security when Using Gen Direct Connect for CICS


To answer the specific questions:
Q1. Is the Passphrase feature available in Gen using TCP/IP Direct Connect?
A1. Not without using a Client Manager (CM), as described above. To request the Passphrase feature for a pure TCP/IP connection scenario without a CM, please raise a new idea on the Ideas Community under the category "Gen".

Q2. Is a cookbook available for the Passphrase feature using TCP/IP Direct Connect?
A2. No.

Q3. Can TCP/IP Direct Connect use both Password and Passphrase for the same user id, so you can choose which one to use logging on?
A3. No. This is not yet implemented, and it would be either one or the other, not both together.

Q4. If not for TCP/IP, can I use the token for Passphrase? If so, any cookbook for that?
A4. Yes, the token could be used for the Passphrase. Using the token requires implementing WRSECTOKEN() from WREXITN.c and using SecurityUsedEnhanced. The maximum length for the token is 64 bytes, and it is sent as binary data, so it is not translated on the server side.
NOTE: With Passphrase support, the limit is 200 bytes and the Passphrase is also translated appropriately on the server side for verification.
Relevant doc. pages for use of a token:
Security in Distributed Processing > Client Security Processing
Windows C User Exits > Windows GUI Client User Exits > WRSECTOKEN - Client Security Token User Exit (Windows)
Example of token use for Kerberos: Gen client/server applications support for Kerberos