Implementing Mixed Case Password On A CA Top Secret Security File Formatted Without NEWPWBLOCK

Document ID : KB000027262
Last Modified Date : 14/02/2018

Questions:

How do you set up CA Top Secret Mixed Case Password Support?

Answer:

The following document discusses implementing Mixed Case Password Support on a CA Top Secret Security File formatted without NEWPWBLOCK.

Requirements to activate CA Top Secret Mixed Case Password Support:

  • z/OS 1.7 and above is required for Mixed Case Password Support. Older releases of z/OS do not support it.
  • CA Top Secret r9 and above. If the Security File is shared, the other sharing system must also be upgraded to r9 or higher and Mixed Case Password Support must be activated on all systems simultaneously.
  • A CA Top Secret r9 or above formatted Security File must be used. Older versions of the Security File cannot be used.
  • The CA Top Secret r9 Security File needs to be formatted with the new TSSMAINT NEWPWBLOCK control card.
  • CA Top Secret Control Options NEWPW parameter 'MC' must be set.
    Example : NEWPW(MC)

Steps to activate CA Top Secret Mixed Case Password Support:

  1. Prior to activating mixed case support (MC), verify that your Security File is not already a NEWPWBLOCK formatted Security File. Issue a TSS MODIFY(STATUS(BASE)) and look for:

    NEW_PASSWORD(ACTIVE).

    If the output indicates NEW_PASSWORD(INACTIVE), the Security File was not formatted for mixed case support.

    Example of TSS MODIFY(STATUS(BASE)) output with a non NEWPWBLOCK formatted Security File active:

    TSS9661I eTrust CA-Top Secret FEATURES Status
    MAX_ACID_SIZE(0512K)
    RDT2BYTE(Active)
    NEW_PASSWORD(Inactive)
    VSAM_SDT(Active)

    If the output indicates NEW_PASSWORD(ACTIVE), the Security File was formatted for mixed case support. Please skip steps 2 - 9 in this document and proceed to step 10.

    Example of TSS MODIFY(STATUS(BASE)) output with a NEWPWBLOCK formatted Security File active:

    TSS9661I eTrust CA-Top Secret FEATURES Status
    MAX_ACID_SIZE(0512K)
    RDT2BYTE(Active)
    NEW_PASSWORD(Active)
    VSAM_SDT(Active)

  2. Run the CA Top Secret utility TSSFAR with a control statement of SFSTATS against the older CA Top Secret Security File. Sample JCL can be found in member TSSFAR which resides in the CA Top Secret SAMPJCL library.

    SFSTATS will produce a statistical report about your old Security File which will be used to format your new Security File.

    For further information about TSSFAR, please see the CA Top Secret Troubleshooting Guide.

  3. Gather the following statistics from the TSSFAR SFSTATS output:

    1. Last available acid number:        nn,nnn
    2. Volume entries allocated:          n,nnn  % Used nnn       % Deleted nnn
    3. RES Blocks allocated:                 20  % Used nnn       % Deleted nnn
    4. PIE Blocks allocated:                 84  % Used nnn       % Deleted nnn
    5. SDT Blocks allocated:                 25  % Used nnn

  4. Modify sample JCL member SECDUMMY, which resides in the CA Top Secret SAMPJCL library. It contains control cards for sample JCL member TSSMAIND which also resides in the CA Top Secret SAMPJCL library.

    TSSMAIND is used to calculate the ***MINIMUM*** number of blocks required to format the new CA Top Secret Security File.

    1. ACCESSORS=????? - The value specified for this control card cannot be lower than the 'Last available acid number'. If the 'Acid index entries allocated' is near the 'Acid index entries defined:' OR your site will be adding a large number of new acids, now is a good time to increase ACCESSORS=????? to a larger number.
    2. VOLUMES=????? - This value cannot be lower than the 'Used' 'Volume entries allocated'.
    3. BLOCKSIZE=???? - Please see your CA Top Secret Installation Guide for the optimal BLOCKSIZE for your version of CA Top Secret.
    4. RESBLOCKS=????? - This value cannot be lower than the 'Used' 'RES Blocks allocated'.
    5. SDTBLOCKS=????? - This value cannot be lower than the 'Used' 'SDT Blocks allocated'.
    6. PIEBLOCKS=????? - This value cannot be lower than the 'Used' 'PIE Blocks allocated.'
    7. MAXACIDSIZE=???? - This value controls the maximum acid size. 256 through 512 can be specified.

    Note: The above control statements may also be specified as in-stream control cards for TSSMAIND.

    For further information about the TSSMAINT program, please see the CA Top Secret Installation Guide.

  5. Modify sample JCL member TSSMAINS, which resides in the CA Top Secret SAMPJCL library. This JCL is used to format the new Security File.

    1. Insert a valid JOBCARD.
    2. Tailor the proc statement to meet your site standards.
    3. Edit the parameters in the CA Top Secret SAMPJCL members SECPARMS and SECPRIM to match what you specified for the TSSMAIND job in step #3. Make sure the BLOCKS parameter matches what the TSSMAIND output displayed.
    4. Optionally, the file can be allocated using a CYL allocation unit instead of BLOCKS. To do this:

      1. Remove the "BLOCKS" PROC variable.
      2. Uncomment the "CYLS" PROC variable.
      3. On the SECFILE DD statement, specify the "SPACE(CYL)" parm.
      4. Use the number of blocks obtained from running TSSMAIND to calculate the number of required cylinders. Use the following formula:

        #CYLS = #BLOCKS / (BLKS_PER_TRK * TRKS_PER_CYL)

    For further information about the TSSMAINT program, please see the CA Top Secret Installation Guide.

  6. Issue 'TSS MODIFY(BACKUP)' from TSO or CICS. You may also issue a 'F TSS,BACKUP' from the console to take a backup of the currently active Security File.

  7. Modify the TSSXTEND member, which resides in the CA Top Secret SAMPJCL library. TSSXTEND is used to copy the ***BACKUP*** Security File to the newly formatted Security File.

    1. Insert a valid JOBCARD.
    2. CAN ONLY BE RUN BY THE MSCA!!!
    3. Tailor the JCL to meet your site standards.
    4. The OLDKEY and NEWKEY fields must be 16-character hexadecimal values; there can be no embedded commas or spaces. Comments cannot be added to these fields.

      1. If you wish to have a new encryption key:

        1. To specify a new encryption key on the Security File, enter a new key on the NEWKEY control card.
        2. Modify and run the TSSKEY member with the new encryption key to store it in the CA Top Secret CAILIB Install Library. TSSKEY resides in the CA Top Secret SAMPJCL library.

          Note: The encryption key MUST match on the Security File and CAILIB; otherwise CA Top Secret will not initialize.
    5. Specify the NEWPWBLOCK control card.

    Example:

    //jobname  JOB USER=msca only
    //EXTEND   EXEC PGM=TSSXTEND
    //MAINTOUT DD SYSOUT=A
    //SECFOLD  DD DSN=name.of.backup.security.file,DISP=SHR
    //SECFNEW  DD DSN=name.of.new.security.file,DISP=SHR
    //MAINTIN  DD *
    COPY SECURITY
    OLDKEY=????????????????   ENCRYPTION KEY OF OLD FILE
    NEWKEY=????????????????   ENCRYPTION KEY OF NEW FILE
    NEWPWBLOCK
    /*

    For further information about the TSSXTEND program, please see the CA Top Secret Installation Guide.

  8. Submit the TSSXTEND JCL. A RC 0 is expected.

  9. Update the CA Top Secret proc SECFILE DD statement with the new Security File location.

  10. Add 'MC' to the NEWPW control options in the CA Top Secret parameter file.

    Example:
    NEWPW(MC)

  11. Issue a 'P TSS' on the console to do a temporary shutdown of CA Top Secret.

  12. When prompted, enter a userid and password.

  13. Reply with 'T' for a temporary shutdown.

  14. Issue a 'S TSS' to restart CA Top Secret.

  15. Issue a TSS MODIFY(STATUS(BASE)) and look for:

    NEW_PASSWORD(ACTIVE)

    This confirms that Mixed Case Password Support is available on the Security File.

  16. Issue a TSS MODIFY STATUS(PASSWORD) and look for 'MC' in the NEWPW control option to confirm that the Mixed Case Password Support is active.
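
Added example (not part of the original document or of CA Top Secret): Python pre-flight checks for steps 1, 4 and 5, run against copied command and job output. It assumes that 'Used' means the allocated count scaled by the '% Used' column; the function names, dictionary keys and all sample numbers are constructed for illustration.

```python
import math
import re

def new_password_active(status_text):
    """True/False from TSS MODIFY(STATUS(BASE)) output; None if the line is missing."""
    # Case-insensitive: the steps say ACTIVE, the sample output prints Active.
    m = re.search(r"\bNEW_PASSWORD\((\w+)\)", status_text, re.IGNORECASE)
    return None if m is None else m.group(1).upper() == "ACTIVE"

def used(allocated, pct_used):
    # Assumption: 'Used' = allocated count * '% Used', rounded up.
    return (allocated * pct_used + 99) // 100

def check_control_cards(stats, cards):
    """Return the control cards that fall below the floors listed in step 4."""
    floors = {
        "ACCESSORS": stats["last_acid_number"],
        "VOLUMES": used(*stats["volume_entries"]),
        "RESBLOCKS": used(*stats["res_blocks"]),
        "SDTBLOCKS": used(*stats["sdt_blocks"]),
        "PIEBLOCKS": used(*stats["pie_blocks"]),
    }
    problems = [f"{k}={cards[k]} is below {v}"
                for k, v in floors.items() if cards[k] < v]
    if not 256 <= cards["MAXACIDSIZE"] <= 512:
        problems.append(f"MAXACIDSIZE={cards['MAXACIDSIZE']} is outside 256-512")
    return problems

def cylinders(blocks, blks_per_trk, trks_per_cyl):
    # Step 5 formula, rounded up because only whole cylinders can be allocated.
    return math.ceil(blocks / (blks_per_trk * trks_per_cyl))

# Constructed sample data, not taken from a real system.
STATUS = """TSS9661I eTrust CA-Top Secret FEATURES Status
MAX_ACID_SIZE(0512K)
RDT2BYTE(Active)
NEW_PASSWORD(Inactive)
VSAM_SDT(Active)"""
STATS = {"last_acid_number": 41250, "volume_entries": (2000, 35),
         "res_blocks": (20, 60), "pie_blocks": (84, 75), "sdt_blocks": (25, 40)}
CARDS = {"ACCESSORS": 40000, "VOLUMES": 1000, "RESBLOCKS": 20,
         "SDTBLOCKS": 25, "PIEBLOCKS": 60, "MAXACIDSIZE": 512}

if __name__ == "__main__":
    print("NEW_PASSWORD active:", new_password_active(STATUS))
    for problem in check_control_cards(STATS, CARDS):
        print("FIX:", problem)
    # 6 blocks per track and 15 tracks per cylinder are assumed sample geometry.
    print("cylinders:", cylinders(5000, 6, 15))
```
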

z/OS Resource Managers Which Support Mixed Case Passwords:

    Resource managers which support mixed-case passwords include:
      • z/OS V1R7
        • TSO/E
        • Console logon
        • JOB statements
        • z/OS UNIX functions
      • CICS Transaction Server 3.1
      • CICS Transaction Server 2.3 (with PTF)
      • CICS Transaction Server 2.2 (with PTF)
      • z/OS V1R7 Communications Server
        • FTP server
        • rshd
        • rexecd
        • RXSERVET
        • TN3270 server (for RestrictAppl and Unformatted System Services (USS) functions)
        • telnet server
        • LPD server
      • DB2 V7 (with APAR PK23736)
      • DB2 V8 (with APAR PK23736)
      • DB2 V9
      • RMF Performance Monitoring Java Technology Edition

Implementation Considerations:

  Applications residing on a system where Mixed Case Password Support is active will be checked at signon time using the mixed case passwords stored on the Security File. If an application uppercases passwords before passing them to CA Top Secret, a potential mismatch will result.

  CA Top Secret will perform mixed case password processing only when the NEWPW(MC) option is active AND the current password was changed when NEWPW(MC) was active.

  If NEWPW(MC) is not active OR the current password was changed when NEWPW(MC) was not active, password checking will not be case sensitive.
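
Added example (not part of the original document and not CA Top Secret code): a small Python model of the rule stated above, useful for planning signon tests of applications that fold passwords to upper case. The class, function names, ACIDs and passwords are constructed, and the model compares plain strings only to show the rule, not how the product stores or verifies passwords.

```python
from dataclasses import dataclass
from itertools import product

@dataclass
class Acid:
    name: str
    password: str           # model only: not how the product stores passwords
    changed_under_mc: bool  # password last changed while NEWPW(MC) was active

def case_sensitive(acid, mc_active):
    # Page rule: mixed case processing needs NEWPW(MC) active AND a password
    # that was changed while NEWPW(MC) was active.
    return mc_active and acid.changed_under_mc

def verify(acid, supplied, mc_active):
    if case_sensitive(acid, mc_active):
        return supplied == acid.password
    return supplied.upper() == acid.password.upper()

def signon(acid, typed, mc_active, app_uppercases):
    # Models an application that uppercases input before the security call.
    supplied = typed.upper() if app_uppercases else typed
    return verify(acid, supplied, mc_active)

def failing_cases(acids):
    """(acid, mc_active, app_uppercases) where the correct password is rejected."""
    return [(a.name, mc, up)
            for a, mc, up in product(acids, (False, True), (False, True))
            if not signon(a, a.password, mc, up)]

# Constructed sample ACIDs and passwords.
ACIDS = [
    Acid("USER01", "OLDPASS1", changed_under_mc=False),
    Acid("USER02", "Winter4u", changed_under_mc=True),
    Acid("USER03", "SUMMER22", changed_under_mc=True),
]

if __name__ == "__main__":
    for name, mc, up in failing_cases(ACIDS):
        print(f"{name}: rejected with NEWPW(MC) active={mc}, app uppercases={up}")
```

In this model only USER02 is rejected: the password contains lower case, was changed under NEWPW(MC), and reaches the check already uppercased.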