This document describes the steps required to set up ACF2 to use mixed case passwords for logon processes and also describes what is, and is not, supported. It also includes other important considerations.
There is a global setting for all LOGONIDS which states that mixed case passwords CAN be used.
(Note: It does not state that mixed case passwords MUST be used.)
It is the PSWDMIXD parameter of the GSO(PSWD) record.
It is set by the following commands:
CHANGE PSWD PSWDMIXD
PSWDMIXD | NOPSWDMIXD
Specifies passwords are case sensitive. The default is NOPSWDMIXD.
PSWDMIXD is a global setting for all LOGONIDS. Once PSWDMIXD is turned on, existing (current) passwords are not affected. That is, they can be entered at logon time in any combination of upper and lower case characters, and they will always be uppercased before password validation is performed. Once a user has changed his password while PSWDMIXD is on, his password becomes case sensitive at logon time. If PSWDMIXD is later turned off, his password remains case-sensitive until a new password is set while PSWDMIXD is off. There is a new field in the LOGONID record called PSWD-MIX to indicate that the current password is case-sensitive. This field is maintained by CA ACF2 and cannot be changed by an administrator. The global PSWDMIXD setting may be overridden for an individual by specifying PSWD-UPP in his LOGONID record. This is especially useful if you have LOGONIDS that are only used in applications that cannot process mixed case passwords.
Considerations For Mixed Case Passwords
There are several important things to consider before setting PSWDMIXD on. In order to use PSWDMIXD, you need to be sure that all applications that perform password validation can support it. Some applications may upper-case the password before it is passed to CA ACF2. If an application does not support mixed-case password validation and PSWDMIXD is on, then the users of the application must type their passwords in upper-case when changing them.
PSWDMIXD can be turned off for individual LOGONIDS. Set PSWD-UPP in the LOGONID to specify that, for this user, new passwords are upper-case only and are not case-sensitive.
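The interaction of the global PSWDMIXD setting, the per-LOGONID PSWD-UPP override and the system-maintained PSWD-MIX flag can be modelled to check one's understanding of it. The following is an added Python model of the behaviour described above; it is not CA ACF2 code, the Logonid and Gso classes and their field names are simplifications assumed for illustration, and it stores salted hashes rather than ACF2's real password encoding.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Logonid:
    """Simplified model of the LOGONID fields that matter here (assumed layout, not ACF2's)."""
    name: str
    pswd_hash: bytes = b""
    salt: bytes = b""
    pswd_mix: bool = False   # PSWD-MIX: set by the system when a case-sensitive password is stored
    pswd_upp: bool = False   # PSWD-UPP: administrator override, this user is uppercase-only


class Gso:
    """Model of the GSO(PSWD) record: PSWDMIXD (True) or NOPSWDMIXD (False)."""
    def __init__(self, pswdmixd: bool = False):
        self.pswdmixd = pswdmixd


def _digest(password: str, salt: bytes) -> bytes:
    # Low iteration count only to keep the demonstration fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def change_password(gso: Gso, lid: Logonid, new_password: str) -> None:
    """Password change: case is kept only if PSWDMIXD is on and PSWD-UPP is not set."""
    keep_case = gso.pswdmixd and not lid.pswd_upp
    stored = new_password if keep_case else new_password.upper()
    lid.salt = os.urandom(16)
    lid.pswd_hash = _digest(stored, lid.salt)
    lid.pswd_mix = keep_case  # PSWD-MIX records whether the stored password is case-sensitive


def validate(lid: Logonid, entered: str) -> bool:
    """Logon: a password stored without PSWD-MIX is uppercased first, whatever the global setting."""
    candidate = entered if lid.pswd_mix else entered.upper()
    return hmac.compare_digest(_digest(candidate, lid.salt), lid.pswd_hash)


def demo() -> dict:
    """Walk through the state transitions the text describes; values are constructed."""
    gso, user, results = Gso(pswdmixd=False), Logonid("USER01"), {}
    change_password(gso, user, "Secret1")                       # stored as SECRET1 under NOPSWDMIXD
    gso.pswdmixd = True                                         # CHANGE PSWD PSWDMIXD
    results["old_pw_any_case"] = validate(user, "secret1")     # existing password is unaffected
    change_password(gso, user, "NewPass2")                      # change while PSWDMIXD is on
    results["pswd_mix_set"] = user.pswd_mix                     # PSWD-MIX now indicates case-sensitive
    results["new_pw_wrong_case"] = validate(user, "NEWPASS2")  # rejected
    gso.pswdmixd = False                                        # turning it off does not relax it
    results["still_sensitive_after_off"] = validate(user, "newpass2")
    batch = Logonid("BATCH01", pswd_upp=True)                   # per-LOGONID override
    gso.pswdmixd = True
    change_password(gso, batch, "MixedCase3")
    results["pswd_upp_any_case"] = validate(batch, "mixedcase3")
    return results
```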
Supported Password Validations Using PSWDMIXD
Note: CA ACF2 r8 or above is required. This list includes requirements that are necessary for a given type of password validation.
- TSO logon
- JES2 batch jobs with //*PASSWORD card or PASSWORD= on the JOB card
- JES3 batch jobs with //*PASSWORD card or PASSWORD= on the JOB card
- CA ACF2 password prompt on console (in response to message ACF79341 OPERATOR FUNCTION: ENTER PASSWORD). On the reply, the password must be entered in single quotes if it is a mixed case password.
- CA ACF2 /CICS logon and password re-verify (due to VERIFY keyword on a resource rule or an idle timeout prompt) requests.
- RACROUTE REQUEST=VERIFY or VERIFYX calls via SAF.
Unsupported Password Validations Using PSWDMIXD
- Console logon - any password that is used for console logon must contain only uppercase characters.
- CA ACF2 /IMS logon using the /SIGN command.
- CA ACF2/IMS password re-verification.
CA ACF2 CICS Considerations
If you plan to use mixed-case passwords with CA ACF2 CICS, there are some important things to take into consideration. Each terminal must be capable of mixed-case data entry. This is controlled using the UCTRAN definition (Upper Case TRANslation) within the TYPETERM CICS RDO definition used for terminal autoinstall processing or by the UCTRAN definition for TERMINAL CICS RDO definitions.
In addition, the signon transaction itself must have UCTRAN(NO), (which is the default), specified in the PROFILE CICS RDO definition associated with it. See the CICS Resource Definition Guide or the CICS Information Center for additional information. Failure to properly set these CICS options may result in CICS automatically upper-casing all input data.
Consider the method of signon used. The CA ACF2 CICS ACFAEUSC sample signon program does not uppercase the password, thus the entry case of the password is preserved. If, however, you are using CICS-provided facilities for signon, you have to identify which you use in your environment and consider their impact. For example, it appears that the EXEC CICS SIGNON command preserves entry case of password data, but it also appears that the OCO (Object Code Only) IBM-supplied DFHSNP signon program does not, altering the case of the password, forcing it to be upper case. As both functions are IBM controlled and are distributed in OCO format, they are, in theory, susceptible to changes by IBM maintenance or by new IBM product releases.
Consider the impact of any terminal-related changes on your applications. Legacy application systems may assume that all input terminal data is upper cased; application failures and, in a worst-case scenario, application corruption or outages could result if mixed-case data is introduced. Investigate your installation's current terminal autoinstall configuration and determine the UCTRAN option that is set for autoinstalled terminals. Consider also any hard coded terminal definitions that may exist. It is important to remember that UCTRAN relates to ALL input to the terminal and not just passwords. (UCTRAN = Upper Case Translation)
CA ACF2 IMS Considerations
CA ACF2/IMS password re-verify is not supported due to native IMS restrictions. Password re-verification may be performed due to idle timeout or because of resource rules that contain the keyword VERIFY. For this reason, it is not advisable to use mixed-case passwords if CA ACF2/IMS is being used.
If only sign-on validation is needed, the /FOR SIGN sign-on method must be used when logging on with a mixed-case password. Use the sample SIGNFMT format definition from CA-ACF2 for IMS.
DDB Password Sync Considerations
If you are using ACF2 Distributed Data Base Password Synchronization, make sure all nodes within the DDB environment use the same setting - either all PSWDMIXD or all NOPSWDMIXD. If PSWDMIXD is used, all nodes in the DDB environment must be running CA ACF2 r8 or later.
Shared LOGONIDS Database
If you are sharing the LOGONID database with other z/OS systems, then all the systems must use the same setting - either all PSWDMIXD or all NOPSWDMIXD. If PSWDMIXD is used, all systems must be running CA ACF2 r8 or later.
Note: If you are using Database Synchronization to share LOGONIDS with a z/VM system protected by CA ACF2 Security for VM, you cannot use PSWDMIXD at this time.
Routing Batch Jobs
When routing batch jobs that contain a mixed-case password in the JCL, the execution node must be running CA ACF2 release 8.0 or above and have PSWDMIXD on.
When PSWDMIXD is turned on, the mixed-case password is used to generate the Kerberos keys for users defined with KERB User Profile records or Local Principals.
When PSWDMIXD is turned on, the mixed-case password will not be propagated using CA-LDAP Directory Services (LDS) unless the PSWDASIS option is defined for the LDAP.suffix record (PSWDASIS is the default).
(See the full description of the LDS LDAP record in the CA ACF2 Administrators Guide chapter 24 LDAP Directory Services (LDS).)