New password not passed to affinity region if switch is done in pre-security function of CA TPX signon/off exit TPXUSNF.


Article ID: 4754


Updated On:


CA TPX - Session Management TPX- PACKAGE CA Vman Session Management for z/OS TPX SESSION MANAGEMENT


We are using the signon/off exit (SNSF) to allow users to override their affinity region when they sign on.  This allows them to sign on to multiple different TPX regions from different emulator windows.

Recently, we implemented a change to our exit logic to initiate the switch to the user's affinity region (or the region they specified at sign-on) in the pre-security function.  The reason we did this is to position ourselves to use pass tickets and/or tokens for authentication instead of a password.  If we were to allow authentication to take place in the initial region, the pass ticket or token would be expired and the logon to the affinity region (or other destination region) would fail.  Note that not all users will use pass tickets or tokens so we need to be able to continue to support passwords.

The issue we are now experiencing is that when the user attempts to change his/her password, only the new password is passed to the destination region.  I was able to confirm this by using the logon exit (LOGN) to capture the user data passed to the destination region.  The logon fails with an invalid password message. 

Is there a way to force the region to pass both the password and new password field to the destination region?



Release: NVINAM00200-5.4-TPX-Session Management-Access Management package


Set SMRT Security Parameter - Propagate Password: Y 


The described problem matches one of the criteria defined in field level help: 

Propagate Pswd Change - Specifies that when a user logs on to TPX using a new password and then uses the affinity feature to access sessions in another TPX system, both the old and the new passwords are passed to the latter, rather than just the new password. 

Note: This option should be used only in the following situations: 
- If the affinity pass is done in the pre-security call point of the signon/signoff exit. 
- If the two TPX regions involved run on systems with independent password data sets.