CPFing between CA Top Secret r15 with AES 128 password encryption to r16 with AES 256 password encryption

Document ID : KB000015951
Last Modified Date : 14/02/2018
Show Technical Document Details
Introduction:

How CA Top Secret handles CPFing between CA Top Secret r15 with AES 128 password encryption to r16 with AES 256 password encryption.

Question:

I am getting ready to format a new data base and implement CA Top Secret R16 in our systems programmer test LPAR. The CA Top Secret administrators would like me to format the new database using AES256ENCRYPT.

We do not share Top Secret data bases, but we do use Command Propagation Facility between our LPARs. The other LPARs are still running CA Top Secret R15.

When a user defined to multiple LPARs changes their password on the R16 LPAR using AES256ENCRYPT will the other systems be able to properly change the user's password on the opther LPARs via CPF?

Is there any TSS R15 preconditioning maintenance required? I am current with maintenance in our TSS R15 and TSS R16 environments.

Answer:

When CPFing between TSS r15 and r16 using AES 256 password encryption:

If you are going to enable Control Option AESENC(256) in a phased implementation (with other LPARs) and leverage CPF, you should apply TSS r16 fix RO90186 to resolve the following:

When a user changes their password at sign-on on a remote system and CPF is leveraged to send the password change to the other system running with the AESENC(256) security file, the password change will fail with a password verification error.

An administrative CA Top Secret replace command can be issued to change the password. After the password is demonstratively updated on the AESENC(256) file, all subsequent changes from CPF will work.