NEWPW control options not taking effect

Document ID : KB000014419
Last Modified Date : 14/02/2018
Show Technical Document Details
Introduction:

Explanation why NEWPW control options dont take effect.

Question:

NEWPW control options getting reset to defaults or not taking effect.

Example:

NEWPW(MIN=8,RS,TS,FN,FA,WARN=7,ID,NR=1,MINDAYS=15)
NEWPW(MASK=A???????,MC,LC,UC,SW)

The Second Line of NEWPW are new control options that we just defined.

When I issue the TSS MODIFY command to verify the new control options, here is what displays:

TSS9661I CA Top Secret PASSWORD Status
NEWPW(MIN=08,MAX=008,WARN=07,MINDAYS=15,MASK=A???????,SW,MC,UC,LC)
HPBPW(004) MSUSPEND(YES) NPWRTHRESH(2)
PWEXP(060) PWHIST(36) PTHRESH(002)
PWVIEW(NO)
PWVERIFY(NO) PWADMIN(NO)
AESENC(256)
Doc states the following: 

******************************************************************** 
Important! If you change one of the options, you must also respecify other active options (except MIN, MAX, WARN, and MINDAYS), even if the options are not being changed; otherwise, the product deactivates the options. Before setting the options, we recommend gaining a clear understanding of the types of regulatory compliance laws and regulations to which your site is subject. 
******************************************************************* 

In other words, if you specify a second NEWPW, some on setting will fallback to their defaults. 

So what you will have to do is, for the first NEWPW, you should use the setting that dont reset which are MIN,MAX,WARN and MINDAYS. 

For the second NEWPW, specify the setting that get reset. 

Example: 
NEWPW(MIN=8,WARN=7,MINDAYS=15) 
NEWPW(MASK=A???????,ID,RS,TS,FN,FA,MC,LC,UC,SW,NR=1) 

RS,TS,FN,FA,ID and NR are not being set even though they are set in the first NEWPW control options statement.

Answer:

CA Top Secret documents the following:

********************************************************************
Important! If you change one of the options, you must also respecify other active options (except MIN, MAX, WARN, and MINDAYS), even if the options are not being changed; otherwise, the product deactivates the options. Before setting the options, we recommend gaining a clear understanding of the types of regulatory compliance laws and regulations to which your site is subject.
*******************************************************************

at the following link.

In other words, if you specify a second NEWPW, some on setting will fallback to their defaults.

So what you will have to do is, for the first NEWPW, you should use the setting that dont reset which are MIN,MAX,WARN and MINDAYS.

For the second NEWPW, specify the setting that get reset.

Example:
NEWPW(MIN=8,WARN=7,MINDAYS=15)
NEWPW(MASK=A???????,ID,RS,TS,FN,FA,MC,LC,UC,SW,NR=1)

NEWPW control options are documented at the following link:

https://docops.ca.com/ca-top-secret-for-z-os/16-0/en/sing/specifying-control-options-to-modify-your-security-environment/newpwrestrict-password-alterations