At the moment we are successfully using the XCOM SEND JOB functionality and supplying the appropriate USERID and PASSWORD for use by the remote XCOM to successfully use the REMOTE JOB SUBMIT PROCESS, providing those credentials to JES via the JOB CARD.

Now, in testing, we have enhanced that same SEND JOB functionality to supply USERID and PASSPHRASE instead; 

From an XCOM point of view everything is working fine;  The new credentials are being passed correctly to JES for the REMOTE JOB SUBMIT.
However, we can see that JES is not handling the PASSPHRASE correctly and is treating it as a PASSWORD which does not match the USERID credentials in RACF.

Hence we see errors:
IAT6131 ... IS INVALID PASSWORD
IAT6130 ERROR IN PROCESSING JOB CARD

We believe that with the above scenario we should now start using SURROGATE processing for the REMOTE JOB SUBMIT associated with the remote XCOM USERID rather than the credentials being passed/used/failing in the JOB CARD. SECURITY=RACF is on both the sending and receiving XCOM regions and our RACF Administrator notes:
===
I’ve done some testing and it looks like the JES USER= PASSWORD= submit process only supports 8 x character passwords which makes sense as PASSWORD is only referenced as (up to) 8 x characters entries. I suspect if you are migrating to passphrases, you need to start using SURROGAT processing which is what it does by default if the password is not correct.
I can’t find any documentation confirming this but the testing does seem to indicate it and there is no such parameter USER= & PASSPHRASE=
What needs to be done so XCOM only inserts the USER= parameter into the JOB CARD (and omits the PASSWORD all together) ?
This would trigger SURROGAT processing straight away.
====

Is there anyway to stop XCOM inserting the PASSWORD= parameter in the JOB CARD?

Also there are XCOM configuration parameters related to SURROGATE processing SURCHK and SURCLS.
Does the inclusion of those in either the sending XCOM region or the receiving XCOM region influence JES behaviour so that it goes straight to SURROGATE processing and does not even try and validate the PASSPHRASE provided on the JOB CARD ? 

XCOM™ Data Transport® for z/OS

XCOM is working as designed in providing both USER and PASSWORD. It cannot be changed without impacting other users and this would be an architectural change to a fundamental product feature.
The z/OS 3.1 JCL Reference indicates that PASSWORD should be able to accept both an 8-character password as well as up to a 100-character password phrase (passphrase), but how to enable or disable this support for JES needs to be checked.
z/OS 3.1.0 > z/OS MVS JCL Reference > JOB statement > PASSWORD parameter > Subparameter definition

The SURCHK and SURCLS parameters only impact how XCOM validates what it is putting in the JOB CARD and have no influence/impact on JES processing.

Parameters to initiate a SEND JOB transfer