Handling of userid's without password after added Passphrase support to CA XCOM

Document ID : KB000008656
Last Modified Date : 14/02/2018
Show Technical Document Details
Issue:

CA XCOM added support for PASSPHRASE’s earlier this year with fix RO94308. By supporting PASSPHRASE up to 100 characters in length, user identification can be more secure due to having authentication codes that are more difficult to compromise.

This exposed a problem with the use of credentials or userid’s without a PASSWORD defined, causing the transfers to fail with various error messages and symptoms. Here are some of those messages:

   XCOMM0464E PASSWORD MISSING. REQUIRED FOR SAF PROCESSING

   XCOMM0466E LPASS REQUIRED WHEN LUSER IS SPECIFIED

   IRR013I VERIFICATION FAILED. INVALID PASSWORD GIVEN.

   *ACF01006 A PASSWORD IS NOT ALLOWED FOR LOGONID

   *ACF01007 A PASSWORD IS REQUIRED FOR LOGONID

 

Environment:
XCOM r12, ACF2
Resolution:

Fix RO97661 was written to address the problems with userid’s without passwords not being handled correctly. In addition to fix RO98396 to address the LPASS parameter from being ignored.

The fixes addressed the problems described, but in the process of addressing the problem it was determined that if using ACF2 for your security you may encounter transfer failures with message “ACF01006 A PASSWORD IS NOT ALLOWED FOR LOGONID” or “ACF01007 A PASSWORD IS REQUIRED FOR LOGONID.”

The reason for the transfer failure is due to having defined the userid in ACF2 with the RESTRICT attribute. In this case the user initiated a transfer to z/OS and specified a password in their configuration for a userid that was defined with the RESTRICT attribute. To address that failure you will need to review ACF2 Knowledge Document TEC543964 and/or contact ACF2 support for details on the attribute.

To address the transfer failure you may:

1) Remove the PASSWORD specifications for USERIDs which are defined as RESTRICTED to ACF2. (This may also require that the restricted USERIDs have access to the resource as outlined in ACF2 KD TEC543964.

2) The USERIDs could be modified to remove the RESTRICTED attribute, and PASSWORDs generated and updated accordingly. Note that with this option, the passwords can be set not to expire.