Can we use the RACF PASSASIS bit to assist with our migration to mixed case passwords in RACF with TPX?
search cancel

Can we use the RACF PASSASIS bit to assist with our migration to mixed case passwords in RACF with TPX?

book

Article ID: 32531

calendar_today

Updated On:

Products

TPX - Session Management Vman Session Management for z/OS

Issue/Introduction

We will implement MIXEDCASE password in RACF. But I have a question about the RACF PASSASIS profile bit.

 1) RACF MIXEDCASE option is NOT active

 2) "Allow Lower Case Pswds:" is set to YES in SMRT

 3) problem, now users have to enter their passwords in uppercase in TPX to be able to logon. Nevertheless, without using TPX, TSO logon screen still accept mixed-case passwords and allow to logon even when password is entered in lower-case (of course, because, RACF mixedcase is inactive).

In RACF, the PASSASIS bit should be set to 1 only when a user changes his password in a MIXEDCASE password environment.  If the PASSASIS bit is off in the user's profile and the password does not match the current password in the user's profile, RACF will fold the password to uppercase and again compare to the current password provided MIXEDCASE PASSWORD support is enabled in SETROPTS. 

Is it possible to continue to enter the password in lowercase in TPX until PASSASIS RACF profile bit is set to 1?    

I am aware of TPX recommendation "the user will have to explicitly enter the current password in UPPER case" in article TPX SMRT setting 'Allow Lower Case Pswds' Y - Mixed Case Support, but I wondered if I missed something.

 

 

Environment

Release: NVINAM00200-5.4-TPX-Session Management-Access Management package
Component:

Resolution

The PASSASIS bit in RACF is not something that TPX can use because by the time RACF is contacted by TPX for the USERID signon, the password has already been worked on in TPX.

From SMRT field level help:  Allow Lower Case Pswds - Specifies whether or not TPX will change all characters in the password, new password and lock word fields to upper case before sending to security.

So... 

with Allow Lower Case Pswds: N (default) 

  • TPX will convert the password entered by the user to uppercase before passing it to security.  The password is stored in security in uppercase.

with Allow Lower Case Pswds: Y

  • TPX will send the password to security exactly as entered by the user. 

 

If you want to allow users to continue to enter their password in lower/mixed case, set Allow Lower Case Pswds in TPX to N until the time that you make the change in RACF when you will change this back to Y at the same time as the RACF change. 

As you are aware, once you make the change to allow mixed case in RACF  and TPX, the users will need to explicitly enter their password in upper case to match what is stored in RACF until they enter a new password in mixed case.

Powered by Wolken Software