This document covers details on implementing password phrases in a z/OS environment including TSO, MCS Console and CICS considerations.
Set up the desired password phrase restrictions/options using the ACF2 GSO PWPHRASE record. This record is similar to the GSO PSWD record (for 1-8 char passwords).
Once the GSO PWPHRASE record specifies ALLOW, the support is activated at the next IPL or start of ACF2; to activate it immediately, issue the REFRESH console command.
Sample commands:
SET C(GSO)
CHA PWPHRASE ALLOW
F ACF2,REFRESH(PWPHRASE)
To allow the use of password phrases in TSO, set the GSO TSO record to specify PWPHRASE. The support is activated at the next IPL or start of ACF2; to activate it immediately, issue the REFRESH console command.
Sample commands:
SET C(GSO)
CHA TSO PWPHRASE
F ACF2,REFRESH(TSO)
To see the options in effect, issue the SHOW PSWD command (from TSO); the password phrase settings are listed under "PASSWORD PHRASE (PWP) OPTIONS IN EFFECT". Issue the SHOW TSO command (from TSO) and check the "PASSWORD PHRASE LOGON=YES|NO" setting.
After password phrases are implemented, users can still use passwords. To force password phrases globally, turn on the PWPONLY option in the GSO PWPHRASE record; the default is NOPWPONLY. To force password phrases for an individual user, use the PWPONLY option on the logonid.
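As an added audit helper that is not part of the original article: the functions below scan captured SHOW PSWD and SHOW TSO output for the settings described above and report anything that does not match the intended policy. The sample output is constructed for illustration and the real SHOW layout may differ; the parser relies only on the heading text and the option keywords (ALLOW, PWPONLY, PASSWORD PHRASE LOGON=) quoted in this article.

```python
import re
from typing import List, Optional, Set

# Constructed sample of SHOW PSWD output after CHA PWPHRASE ALLOW + REFRESH.
# Layout is assumed; only the quoted heading and option keywords matter.
SHOW_PSWD_SAMPLE = """\
-- PASSWORD OPTIONS IN EFFECT --
  NOPSWDMIXD
-- PASSWORD PHRASE (PWP) OPTIONS IN EFFECT --
  ALLOW  NOPWPONLY
"""

# Constructed sample of SHOW TSO output after CHA TSO PWPHRASE + REFRESH.
SHOW_TSO_SAMPLE = """\
-- TSO OPTIONS IN EFFECT --
  PASSWORD PHRASE LOGON=YES
"""

def pwp_options(show_pswd: str) -> Set[str]:
    """Return the keywords listed under the PWP heading of SHOW PSWD output."""
    lines = show_pswd.splitlines()
    for i, line in enumerate(lines):
        if "PASSWORD PHRASE (PWP) OPTIONS IN EFFECT" in line:
            opts: Set[str] = set()
            for body in lines[i + 1:]:
                if "OPTIONS IN EFFECT" in body:  # start of the next section
                    break
                opts.update(body.split())
            return opts
    return set()  # heading absent: PWP support not reported at all

def pwp_logon_enabled(show_tso: str) -> Optional[bool]:
    """True/False from PASSWORD PHRASE LOGON=YES|NO, None if the line is missing."""
    m = re.search(r"PASSWORD PHRASE LOGON=(YES|NO)", show_tso)
    return None if m is None else m.group(1) == "YES"

def audit(show_pswd: str, show_tso: str, require_pwponly: bool = False) -> List[str]:
    """Return a list of policy findings; an empty list means the settings match."""
    findings = []
    opts = pwp_options(show_pswd)
    # Set membership distinguishes ALLOW from NOALLOW and PWPONLY from NOPWPONLY.
    if "ALLOW" not in opts:
        findings.append("GSO PWPHRASE does not specify ALLOW (or REFRESH(PWPHRASE) not issued)")
    if require_pwponly and "PWPONLY" not in opts:
        findings.append("PWPONLY not in effect: 1-8 character passwords still accepted")
    if pwp_logon_enabled(show_tso) is not True:
        findings.append("GSO TSO does not specify PWPHRASE (or REFRESH(TSO) not issued)")
    return findings
```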
The GSO PWPHRASE settings are global; all of its options are described in the ACF2 documentation section Password Phrase Record (PWPHRASE).
Some settings can be assigned to individual users on the logonid record. These options can be found in ACF2 documentation section Manage Password Phrases.
For example, passphrases can be enabled for selected logonids using the PWPALLOW|NOPWPALLOW setting on the logonid record. This allows users to have passphrases even if the GSO PWPHRASE record specifies NOALLOW.
Sample commands to allow a single user to use a passphrase:
SET LID
CHANGE logonid PWPALLOW
Note:
The PWPHRASE USER profile record is used to retain user password phrase control information and history. These records are in the INFOSTG database and are not part of the logonid record. The record contains the following fields:
PWP-EXP|NOPWP-EXP
PWP-HST(0|nn) **
PWP-MAXD(0|nnn)
PWP-MIND(0|nnn)
PWP-TOD(date) **
PWPA1TOD(date) **
PWPA2TOD(date) **
PWPHRASE(password phrase)
Fields marked ** are managed internally by ACF2 and cannot be modified by the ACF command.
When password phrases are implemented, an administrator must set each user's first password phrase; from that point on, the end user can change their own password phrase. The only alternative is for the end user to set their own first password phrase using the TSO ACF command processor (if allowed).
Sample commands to set a passphrase:
SET LID
CHANGE logonid PWPHRASE(Your choice of password phrase)
or
SET P(USER) DIV(PWPHRASE)
INSERT logonid PWPHRASE(Your choice of password phrase)
Broadcom recommends the following choices when considering the use of a different case translation option (NOUCTRAN or TRANIDONLY):
PASSWORD and PWPHRASE support in uppercase:
TYPETERM and PROFILE records are irrelevant. Assemble ACFAEUSC without setting PCTL to PCTLV, code GSO PSWD option NOPSWDMIXD. ACFAEUSC runs pseudo conversational, all PASSWORDs and PWPHRASEs are translated to uppercase by CICS. ACF2 option SIGNON QUICK=YES is fully supported.
PASSWORD and PWPHRASE support in mixed case with uppercase TYPETERM in conversational mode:
Set TYPETERM UCTRAN to YES. No PROFILE records are required. Set ACFAEUSC flag byte PCTL to PCTLV. Set GSO PSWD option to PSWDMIXD. Instructions for this customization are in the comments of CAI.CAX1MAC1(ACFAEUSC). Note that the IBM signon program DFHSNP is conversational. When ACFAEUSC runs conversational, PASSWORDs and PWPHRASEs are not translated to uppercase by CICS before they are seen by ACFAEUSC unless they are entered as part of a quick signon. ACF2PARM option SIGNON QUICK=NO is recommended because any PASSWORD or PWPHRASE entered as part of a quick signon is uppercased by CICS.
PASSWORD and PWPHRASE support in mixed case with mixed case TYPETERM and multiple PROFILE records:
Set TYPETERM UCTRAN(NO) or UCTRAN(TRANID). Point the transaction definitions for CESN, CESL and CSGM at a PROFILE record which specifies UCTRAN(NO). Do not set ACFAEUSC flag byte PCTL to PCTLV; code GSO PSWD option PSWDMIXD. ACFAEUSC runs pseudo-conversational. PASSWORDs and PWPHRASEs are not translated to uppercase by CICS before they are seen by ACFAEUSC, and ACF2 CICS option SIGNON QUICK=YES handles mixed case PASSWORDs and PWPHRASEs. This approach is recommended for sites which want to implement mixed case PASSWORDs and PWPHRASEs.
PASSWORD and PWPHRASE support in mixed case with uppercase TYPETERM in pseudo conversational mode:
The system and client data integrity exposures inherent in this approach make it not advised. The site would have to allow SPI 'SET TERMINAL' commands by the terminal default user. Both approaches described here run the risk of leaving the terminal in mixed case mode while running client applications which cannot handle mixed case input.
The situation can also be mitigated by setting the TYPETERM to NOUCTRAN or TRANIDONLY and customizing ACFAEUSC at all exits from the program. However, doing so requires that the default logonid be allowed SET access to the SPI(TERMINAL) resource, which opens the possibility of unwanted modifications to that resource. For this reason, this solution is not advised.
Details on the ACF2/CICS Password Phrase parameter can be found in the CICS Interface Parameters documentation, in the sections SIGNON - Sign-on Control Options and How to Control Signon Transactions in ACF2.