Implementing Password Phrase with ACF2



Article ID: 48022


Products

ACF2, ACF2 - DB2 Option, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

This document covers details on implementing password phrases in a z/OS environment including TSO, MCS Console and CICS considerations.

Resolution

 

Implementing Password Phrase


Set up the desired password phrase restrictions/options using the ACF2 GSO PWPHRASE record. This record is similar to the GSO PSWD record (for 1-8 char passwords).

When the GSO PWPHRASE record specifies ALLOW, the support becomes active at the next IPL or start of ACF2. To activate it immediately, issue the REFRESH console command.

Sample commands:

SET C(GSO)
CHA PWPHRASE ALLOW
F ACF2,REFRESH(PWPHRASE)

To allow the use of password phrases in TSO, set the GSO TSO record to specify PWPHRASE. The support becomes active at the next IPL or start of ACF2; to activate it immediately, issue the REFRESH console command.

Sample commands:

SET C(GSO)
CHA TSO PWPHRASE
F ACF2,REFRESH(TSO)

To see the options in effect, issue the SHOW PSWD command (from TSO) and the password phrase settings will be shown under "PASSWORD PHRASE (PWP) OPTIONS IN EFFECT". Issue the SHOW TSO command (from TSO) and check the "PASSWORD PHRASE LOGON=YES|NO" setting.

After implementing the use of password phrases, users can still use passwords. To globally force password phrases only, the PWPONLY option in the GSO PWPHRASE record must be turned on; the default is NOPWPONLY. To force password phrases only for an individual user, use the PWPONLY option on the logonid.

Password Phrase Settings


Passphrase settings are global settings and all options can be found in ACF2 documentation section Password Phrase Record (PWPHRASE).

Some settings can be assigned to individual users on the logonid record. These options can be found in ACF2 documentation section Manage Password Phrases.

For example, passphrases can be enabled for selected logonids using the PWPALLOW|NOPWPALLOW setting on the logonid record. This allows users to have passphrases even if the GSO PWPHRASE record specifies NOALLOW.

Sample commands to allow a single user to use a passphrase:

SET LID
CHANGE logonid PWPALLOW

Note:

  1. The NOPWPALLOW setting will not deny use of a passphrase if the GSO PWPHRASE record specifies ALLOW.
  2. The PWPALLOW setting will not override the NOPWPHRASE specification on the GSO TSO record. The GSO TSO record setting PWPHRASE must be specified for TSO use of password phrases.
  3. Details on the LOGONID Password Phrase PWPALLOW|NOPWPALLOW parameter can be found in the ACF2 documentation in section Logonid Record Fields.

Setting a user's passphrase - PWPHRASE User Profile Records


The PWPHRASE USER profile record is used to retain user password phrase control information and history. These records are in the INFOSTG database and are not part of the logonid record.

    PWP-EXP|NOPWP-EXP
    PWP-HST(0|nn)  **
    PWP-MAXD(0|nnn)
    PWP-MIND(0|nnn)
    PWP-TOD(date)  **
    PWPA1TOD(date) **
    PWPA2TOD(date) **
    PWPHRASE(password phrase)

Fields marked ** are managed internally by ACF2 and cannot be modified by the ACF command.

When implementing password phrases, an administrator must set the user's first password phrase. From then on, end users can change their own password phrase. The only other option is for the end user to set their own first password phrase using the TSO ACF command processor (if allowed).

Sample commands to set a passphrase:

SET LID
CHANGE logonid PWPHRASE(Your choice of password phrase)

or

SET P(USER) DIV(PWPHRASE)
INSERT logonid PWPHRASE(Your choice of password phrase)

TSO Notes

  • For TSO logons with password phrase the GSO PWPHRASE record should specify ALLOW and the GSO TSO PWPHRASE must be set for TSO logon. The logonid field PWPALLOW is not required for TSO logon.

  • All password phrases must be entered in single quotes for TSO logon, except when a phrase does not include embedded spaces. Otherwise, they will be confused with other TSO logon parameters such as RECONNECT or FSCREEN.

  • The logonid setting PWPALLOW|NOPWPALLOW does not pertain to TSO signons. If GSO TSO PWPHRASE and GSO PWPHRASE ALLOW are both set, TSO users will receive the ACF82006 prompt for password or password phrase regardless of the logonid PWPALLOW|NOPWPALLOW setting. The logonid PWPALLOW|NOPWPALLOW overrides GSO PWPHRASE NOALLOW for environments other than TSO.
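The precedence rules above (GSO PWPHRASE ALLOW|NOALLOW and PWPONLY, GSO TSO PWPHRASE, logonid PWPALLOW and PWPONLY, and the TSO exception) are easy to misread during a rollout. The following Python model is an added example constructed for this article, not ACF2 code; the class and function names are mine, and it only encodes what the article states.

```python
"""Constructed model of the ACF2 password-phrase precedence rules described
in this article (not ACF2 code), so an administrator can predict which
credential kinds a given logonid may present in a given environment."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Gso:
    pwphrase_allow: bool        # GSO PWPHRASE ALLOW (True) / NOALLOW (False)
    pwponly: bool = False       # GSO PWPHRASE PWPONLY; default is NOPWPONLY
    tso_pwphrase: bool = False  # GSO TSO PWPHRASE (True) / NOPWPHRASE (False)


@dataclass(frozen=True)
class Logonid:
    name: str
    pwpallow: bool = False      # logonid PWPALLOW (True) / NOPWPALLOW (False)
    pwponly: bool = False       # logonid PWPONLY: this user must use a phrase


def phrase_allowed(gso: Gso, lid: Logonid, environment: str) -> bool:
    """True if this logonid may present a password phrase in the environment."""
    if environment.upper() == "TSO":
        # TSO needs GSO PWPHRASE ALLOW *and* GSO TSO PWPHRASE; the logonid
        # PWPALLOW flag neither enables nor denies phrases for TSO.
        return gso.pwphrase_allow and gso.tso_pwphrase
    # Other environments (CICS, batch, ...): GSO ALLOW enables everyone, and
    # logonid PWPALLOW overrides GSO NOALLOW for that user; NOPWPALLOW never
    # denies a phrase when the GSO record says ALLOW.
    return gso.pwphrase_allow or lid.pwpallow


def accepted_credentials(gso: Gso, lid: Logonid, environment: str) -> frozenset:
    """Credential kinds the logon may present: 'password' and/or 'phrase'.

    An empty result means the settings contradict each other (PWPONLY set
    where phrases are not allowed) and should be corrected before rollout.
    """
    kinds = set()
    if phrase_allowed(gso, lid, environment):
        kinds.add("phrase")
    # PWPONLY at either the GSO or the logonid level removes the password.
    if not (gso.pwponly or lid.pwponly):
        kinds.add("password")
    return frozenset(kinds)
```

Run `accepted_credentials(Gso(pwphrase_allow=False, tso_pwphrase=True), Logonid("USER01", pwpallow=True), "TSO")` to see that a per-user PWPALLOW does not buy a phrase logon in TSO when the GSO PWPHRASE record says NOALLOW.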

CICS Notes

  • ACF2/CICS CTS 4.2 support maintenance and CICS/TS 4.2 or above are required.

  • To use password phrases in CICS, the ACF2/CICS SIGNON parameter TRANONL=CESL|tranid must be specified to identify the transaction code designated as a sign-on request with a password or a password phrase. CESL specifies the standard CICS-supplied transaction ID that designates a sign-on request with a password or password phrase.

  • Quick signon is not allowed for password phrases.

  • Password Phrases are mixed case, for CICS(CTS) "Each terminal must be capable of mixed-case data entry. This is controlled by the UCTRAN definition within the TYPETERM CICS RDO definition used for terminal autoinstall processing or by the UCTRAN definition for TERMINAL...". Please see 
  • Broadcom recommends the following choices when considering the use of a different case translation option (NOUCTRAN or TRANIDONLY):

    PASSWORD and PWPHRASE support in uppercase:

    TYPETERM and PROFILE records are irrelevant. Assemble ACFAEUSC without setting PCTL to PCTLV, code GSO PSWD option NOPSWDMIXD. ACFAEUSC runs pseudo conversational, all PASSWORDs and PWPHRASEs are translated to uppercase by CICS. ACF2 option SIGNON QUICK=YES is fully supported.

    PASSWORD and PWPHRASE support in mixed case with uppercase TYPETERM in conversational mode:

    Set TYPETERM UCTRAN to YES. No PROFILE records are required. Set ACFAEUSC flag byte PCTL to PCTLV. Set GSO PSWD option to PSWDMIXD. Instructions for this customization are in the comments of CAI.CAX1MAC1(ACFAEUSC). Note that the IBM signon program DFHSNP is conversational. When ACFAEUSC runs conversational, PASSWORDs and PWPHRASEs are not translated to uppercase by CICS before ACFAEUSC sees them, unless they are entered as part of a quick signon. ACF2PARM option SIGNON QUICK=NO is recommended because any PASSWORD or PWPHRASE entered as part of a quick signon is uppercased by CICS.

    PASSWORD and PWPHRASE support in mixed case with mixed case TYPETERM and multiple PROFILE records:

    Set TYPETERM UCTRAN(NO) or UCTRAN(TRANID). Point the transaction definitions for CESN, CESL and CSGM at a PROFILE record which specifies UCTRAN(NO). Do not set ACFAEUSC flag byte PCTL to PCTLV; code GSO PSWD option PSWDMIXD. ACFAEUSC runs pseudo-conversational. PASSWORDs and PWPHRASEs are not translated to uppercase by CICS before ACFAEUSC sees them, and the ACF2 CICS option SIGNON QUICK=YES handles mixed case PASSWORDs and PWPHRASEs. This approach is recommended for sites which want to implement mixed case PASSWORDs and PWPHRASEs.

    PASSWORD and PWPHRASE support in mixed case with uppercase TYPETERM in pseudo conversational mode:

    The system and client data integrity exposures inherent in this approach make it not advised. The site would have to allow SPI 'SET TERMINAL' commands by the terminal default user. Both approaches run the risk of leaving the terminal in mixed case mode while running client applications which cannot handle mixed case input.

    The situation can also be mitigated by setting the TYPETERM to NOUCTRAN or TRANIDONLY and customizing ACFAEUSC at all exits from the program. However, doing so requires that the default logonid be allowed SET access to the SPI(TERMINAL) resource, opening the possibility of unwanted modifications to that resource. For this reason, this solution is not advised.

  • Details on the ACF2/CICS Password Phrase parameter can be found in the CICS Interface Parameters in section SIGNON-Sign-on Control Options and How to Control Signon Transactions in ACF2.

MCS Console Notes

  • ACF2 does not govern how the phrase is to be specified when logging onto the MCS console and ACF2 does not receive control from an MCS console if single quotes are not specified around the phrase. The logon attempt is stopped before any security call is made to authenticate the user with a passphrase.

  • IBM APAR (OA54790) is required for password phrase support for MCS consoles.

Miscellaneous Notes

  1. Password phrases may be used for user authentication with applications that support password phrases. You may have a password and a password phrase defined to your Logonid. Password phrases are not required to be specified.

  2. You can authenticate with passwords for applications that support only passwords. However, passwords and password phrases are mutually exclusive for authentication. For applications that support both, you may authenticate using only one of them, a password or a password phrase, but not both, during a single authentication process.

  3. If the password or password phrase is expired, the user will be prompted to enter a new password or new password phrase, depending on what is entered (password or password phrase) and what is expired. For example, if a password is expired and a password phrase is entered at the 'ACF82006 ACF2, ENTER PASSWORD OR PASSWORD PHRASE -' prompt, the user will not receive the 'ACF01017 PASSWORD FOR LOGONID logonid HAS EXPIRED' message. PSWD-EXP expires the password and PWP-EXP expires the password phrase.

  4. The logonid PWPALLOW|NOPWPALLOW overrides the GSO PWPHRASE NOALLOW for other environments except for TSO.

 

 
