We are trying to implement mixed case password support, have turned on (in GSO PSWD record) PSWDMIXD, PSWDLC, PSWDUC, and have refreshed GSO. It still does not work. What is missing? What else is needed?
search cancel

We are trying to implement mixed case password support, have turned on (in GSO PSWD record) PSWDMIXD, PSWDLC, PSWDUC, and have refreshed GSO. It still does not work. What is missing? What else is needed?

book

Article ID: 52850

calendar_today

Updated On:

Products

ACF2 ACF2 - DB2 Option ACF2 for zVM ACF2 - z/OS ACF2 - MISC PanApt PanAudit

Issue/Introduction

There are several things that come into play to support mixed case (or lower case) passwords.

The CA ACF2 GSO PSWD record must specify PSWDMIXD. Additional options like PSWDLC and/or PSWDUC can enforce site requirements to include at least one lower case or upper case character. After making any GSO PSWD record changes, you must refresh the GSO PSWD record by issuing: F ACF2,REFRESH(PSWD)

The LID record for the logonid needing to use a mixed case password cannot have PSWD-UPP specified.

The @CFDE for the PASSWORD field, in the ACFCFDE member of the CA ACF2 provided CAIMAC library, must specify STATUS=LOWERCSE to allow lower case passwords. This was introduced with release 6.5 of CA ACF2.

 

Environment

Release:
Component: ACF2MS

Resolution

Verify that the CA ACF2 GSO PSWD record specifies PSWDMIXD by issuing SHOW STATE and review the password options in effect.

Verify that the logonid does not have PSWD-UPP specified.

It is common for sites to have site defined updates for the PASSWORD field in their ACFFDR customization USERMOD (UM99901). Sites need to ensure that when they update any CA ACF2 provided logonid record field (specified in the CAX1MAC0 library member ACFCFDE) that they do not inadvertently omit any new parameters introduced with new releases.

For example, the pre release 6.5 @CFDE entry for the PASSWORD field (in member ACFFDE) had:

@CFDE  PASSWORD,LIDNPSWD,xxxx,ALTER=SECURITY+ACCOUNT+USER,     TS77317X
              FLAGS=NEVER,PRTN=5,VRTN1=05,PROMPT=YES,          TS77317X
              CBPROC=YES                                       TS77317

The release 6.5 version has:

@CFDE  PASSWORD,LIDNPSWD,xxxx,ALTER=SECURITY+ACCOUNT+USER,     TS77317X
              FLAGS=NEVER,PRTN=5,VRTN1=05,PROMPT=YES,          TS77317X
              CBPROC=YES,STATUS=LOWERCSE                       TA4699G

And release 12.0 version has:

@CFDE  PASSWORD,LIDNPSWD,xxxx,ALTER=SECURITY+ACCOUNT+USER,     TS77317X
              FLAGS=NEVER+SPECIAL,PRTN=5,VRTN1=05,             TA7122HX
              PROMPT=YES,CBPROC=YES,STATUS=LOWERCSE            TA7122H

Make sure that site defined changes to the PASSWORD field (if any) retains the STATUS=LOWERCSE parameter. This can be verified by reviewing the assembly listing after applying USERMOD UM99901. If this parameter was omitted, then lower case passwords cannot be used.

Powered by Wolken Software