Implementing Password Phrase with ACF2

Document ID : KB000048022
Last Modified Date : 09/08/2018
Introduction:
This document covers details on implementing password phrase in a z/OS environment including TSO and CICS considerations.
 
Instructions:
Implementing Password Phrase
Set up your desired password phrase restrictions/options using the ACF2 GSO PWPHRASE record. This record is similar to the GSO PSWD record (for 1-8 char passwords). These are all documented in the ACF2 Administrator Guide, Chapter 14 (GSO Records) under PWPHRASE.
When you set the GSO PWPHRASE record to specify ALLOW, the support is activated at the next IPL or start of ACF2. To activate it immediately, issue the console command: F ACF2,REFRESH(PWPHRASE)
To allow use of password phrases in TSO, set the GSO TSO record to specify PWPHRASE. The support is activated at the next IPL or start of ACF2; to activate it immediately, issue the console command:
F ACF2,REFRESH(TSO)
To see the options in effect, issue the SHOW STATE command (from TSO); the password phrase settings are shown under "PASSWORD PHRASE (PWP) OPTIONS IN EFFECT:". Issue the SHOW TSO command (from TSO) and check the "PASSWORD PHRASE LOGON=YES|NO" setting.
Password Phrase Settings
 
LOGONID PWPALLOW|NOPWPALLOW
       This field overrides the NOALLOW specification on the GSO PWPHRASE
       record BUT NOT the GSO TSO NOPWPHRASE.
 
GSO TSO PWPHRASE|NOPWPHRASE
       TSO Setting MUST be set for TSO usage of Password Phrase.
 
GSO PWPHRASE ALLOW|NOALLOW    ** Global setting except for TSO
            ALPHA(0|nnn)
            CMD-CHG|NOCMD-CHG 
            HISTORY(0|nn)
            LID|NOLID
            MAXDAYS(100|nnn) 
            MAXLEN(100|nnn)
            MINDAYS(0|nnn)
            MINLEN(9|nnn)
            MINWORD(1|nnn)
            NUMERIC(0|nnn)
            REPCHAR(null|0|nn)
            SPECIAL(0|nnn)
            SPECLIST()
            TEMP-AGE|NOTEMP-AGE
            WARNDAYS(1|nnn)
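As an added walk-through that is not part of the original document, the activation steps above and the GSO PWPHRASE fields just listed can be combined into one configuration pass from the TSO ACF command prompt. The record values chosen (MINLEN(15), HISTORY(8), MAXDAYS(90), WARNDAYS(7), ALPHA(1), NUMERIC(1)) are assumed example values tightened from the listed defaults, and the /* */ lines are annotations rather than ACF input.

```text
/* Step 1 (TSO, ACF prompt): define the global password phrase rules.   */
/* Assumed values; the listed defaults are MINLEN(9) MAXLEN(100)         */
/* HISTORY(0) MAXDAYS(100) WARNDAYS(1). Use CHANGE instead of INSERT if  */
/* a PWPHRASE record already exists on this system.                     */
ACF
SET CONTROL(GSO)
INSERT PWPHRASE ALLOW MINLEN(15) MAXLEN(100) HISTORY(8) MAXDAYS(90) WARNDAYS(7) ALPHA(1) NUMERIC(1)

/* Step 2 (TSO, ACF prompt): let TSO logon accept a password phrase.    */
/* Without this, LOGONID PWPALLOW alone does not enable it for TSO.    */
CHANGE TSO PWPHRASE

/* Step 3 (operator console): activate both records without an IPL.    */
F ACF2,REFRESH(PWPHRASE)
F ACF2,REFRESH(TSO)

/* Step 4 (TSO, ACF prompt): confirm the options now in effect.         */
SHOW STATE
SHOW TSO

/* Step 5 (TSO, ACF prompt): an administrator sets a user's first       */
/* phrase; ABCDE01 is the example logonid used later on this page, and  */
/* PWPALLOW covers non-TSO applications that check the logonid field.  */
SET LID
CHANGE ABCDE01 PWPALLOW PWPHRASE(Hello world welcome to CA)
END
```

The SHOW STATE output should list the new values under "PASSWORD PHRASE (PWP) OPTIONS IN EFFECT:", and SHOW TSO should report PASSWORD PHRASE LOGON=YES before any user is told to log on with a phrase.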
 
Details on the LOGONID Password Phrase PWPALLOW|NOPWPALLOW parameter can be found in the r15 CA ACF2 for z/OS Administration Guide, Chapter 3: Maintaining Logonid Records, in section 'Logonid Record Fields'.
Details on the GSO PWPHRASE Password Phrase ALLOW|NOALLOW parameter can be found in the r15 CA ACF2 for z/OS Administration Guide, Chapter 14: Maintaining Global System Options Records, in section 'Password Phrase Record (PWPHRASE)'.

Password Phrase PWPHRASE Profile Records
The PWPHRASE segment of the USER profile is used to retain user password phrase control information and history.
 
            PWP-EXP|NOPWP-EXP
            PWP-HST(0|nn) **
            PWP-MAXD(0|nnn)
            PWP-TOD(date) **
            PWPA1TOD(date) **
            PWPHRASE(password phrase)
 
** Note: This field is managed internally by CA ACF2 and cannot be modified by the ACF command.
Password Phrase Related Informational Logonid Fields
PSWD-DAT Specifies the date of the last invalid password or password phrase attempt.
PWP-VIO(count) Specifies the number of password phrase violations that occurred on PSWD-DAT.
TSO Notes:
  • If your logonid has the PWPALLOW option on but the GSO PWPHRASE record specifies NOALLOW, you will not be able to use a password phrase for TSO logon unless GSO TSO PWPHRASE is set.
  • All password phrases must be entered in single quotes for TSO logon. Otherwise, they will be confused with other TSO logon parameters such as RECONNECT or FSCREEN.
  • See Misc Note 7
Details on the GSO TSO Password Phrase PWPHRASE|NOPWPHRASE parameter can be found in the r15 CA ACF2 for z/OS Administration Guide, Chapter 14: Maintaining Global System Options Records, in section 'Time-Sharing Options and Defaults (TSO)'.
CICS Notes:
  • ACF2/CICS CTS 4.2 support maintenance and CICS/TS 4.2 or above are required.
  • To use password phrases in CICS, the ACF2/CICS SIGNON parameter TRANONL=CESL|tranid must be specified to identify the transaction code designated as a sign-on request with a password or a password phrase. CESL specifies the standard CICS-supplied transaction ID that designates a sign-on request with a password or password phrase.
  • Password phrases are mixed case. For CICS (CTS): "Each terminal must be capable of mixed-case data entry. This is controlled by the UCTRAN definition within the TYPETERM CICS RDO definition used for terminal autoinstall processing or by the UCTRAN definition for TERMINAL..."
  • Quick signon is not allowed for password phrases.
Details on the ACF2/CICS Password Phrase parameter can be found in the r15 CA ACF2 for z/OS CICS Support Guide, Chapter 5: CICS Interface Parameters, in section 'SIGNON-Sign-on Control Options'.
Misc Notes:
 
1. When implementing Password Phrase, an administrator must set each user's first password phrase; from that point forward the end users can change their own password phrase. The only other option is for the end user to set their own first password phrase using the TSO ACF command processor (if allowed). The syntax for a password phrase change by a security administrator from the TSO ACF prompt is:
 
SET LID
Change Logonid PWPHRASE(Your choice of password phrase)
Example:
Change ABCDE01 PWPHRASE(Hello world welcome to CA)                            
  PWPHRASE / ABCDE01 LAST CHANGED BY ABCDE01ON 08/09/18-08:41         
                       PWP-HST(0) PWP-TOD(08/09/18-08:41)              
                       PWPA1TOD(08/09/18-08:41) PWPA2TOD(00/00/00-00:00)

 
2. After implementing the use of password phrases, there is no way to prevent users from continuing to use passwords except by having an administrator change all users' passwords to an unknown value.

3. Password phrases may be used for user authentication with applications that support password phrases. You may have a password and a password phrase defined to your Logonid. Password phrases are not required to be specified.

4. You can authenticate with a password to applications that support only passwords. However, passwords and password phrases are mutually exclusive for authentication: you may authenticate using only one of them, a password or a password phrase, but not both, during a single authentication process for applications that support both.

5. If the password or password phrase is expired, the user will be prompted to enter a new password or new password phrase depending on what is entered (password or password phrase) and what is expired. For example, if a password is expired and a password phrase is then entered at the 'ACF82006 ACF2, ENTER PASSWORD OR PASSWORD PHRASE -' prompt, the user will not receive the 'ACF01017 PASSWORD FOR LOGONID logonid HAS EXPIRED' message.

6. The logonid PWPALLOW|NOPWPALLOW setting does not pertain to TSO signons. If GSO TSO PWPHRASE and GSO PWPHRASE ALLOW are both set, TSO users will receive the ACF82006 prompt for password or password phrase regardless of the logonid PWPALLOW|NOPWPALLOW setting.

7. The logonid PWPALLOW|NOPWPALLOW setting overrides GSO PWPHRASE NOALLOW for all other environments except TSO.