SOLVE:Access Session Management and Password Phrases

Document ID : KB000010638
Last Modified Date : 21/02/2019
Introduction:

Password phrases are 9- to 100-character strings that are used in place of passwords. The external security managers RACF, CA Top Secret and CA ACF2 all support password phrases. Maintenance is now available for CA's session manager SOLVE:Access, with MAI and EASINET, that provides password phrase support.

 

Apart from the password fields being longer, the use of existing passwords is not affected by these changes.

Environment:
z/OS
Instructions:

The SOLVE:Access PTFs RO94136, RO94140, RO94141, RO94145, RO94149, RO94150, RO94151, RO94161, SO00814, SO04009 and SO07080 (the last of these corrects a problem using &LOGON with phrases) update SOLVE Management Services and the Multiple Application Interface (MAI) to accept password phrases in all circumstances where passwords are used. This includes logon, password change, terminal lock and MAI user verification.

An example $NMSXCTL security file, used to set parameter values for the NMSAF security exit and compatible with SEC=PARTSAF, is attached to this document.

 

Configuration

To implement password phrases, the SOLVE region must be configured to accept mixed-case passwords and must use a security setting that supports password phrase validation. The RUNSYSIN control member must specify XOPT=PWMIX and SEC=NMSAF. SEC=PARTSAF is not supported for password phrases.

 

Logon

The SOLVE logon panel is changed to have a single password field of 100 characters. Data entered that is longer than 8 characters is treated as a password phrase.

 

Password change

On the password change panel, the password and new password fields are each changed to two fields that together total 100 characters.

 

MAI User Verification

The password field on the MAI User Verification panel is changed to two fields that together total 100 characters.

 

Security processing

The NMSAF and NMSAFF security options are modified to request verification with the PHRASE operand when appropriate. User-written exits will need to be modified to detect phrases and to use the PHRASE operand on RACROUTE calls where applicable. Word 6 of the logon parameter list now points at a 100-character field that may contain either a password or a password phrase.

 

&SECCALL Verb

The PWD and NEWPWD operands of the &SECCALL verb now accept up to 100 characters of input. The values for PWD and NEWPWD must be consistent: both must be passwords, or both must be password phrases.

 

VTAM Logon Data

An application such as EASINET may pass the userid and password as bind user data to achieve single signon to the SOLVE:Access region. To achieve the same effect with a password phrase, the /PARMS LOGONUSRDATA parameter group must be updated to specify PHR so that phrases are accepted. Otherwise the first word of the phrase is treated as the password and the remaining data as a menu option. When the PHR setting is used and a menu option is specified, the password phrase must be blank padded to 100 characters so that the region knows where the phrase ends and the menu option begins.
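The rules stated above (the logon panel's length rule, the exit's choice of RACROUTE operand, the &SECCALL consistency rule and the LOGONUSRDATA PHR padding rule) are easy to get wrong in a user-written exit or in a procedure that builds bind user data, so here they are as a worked example in Python. This is an added example, not CA code and not NCL; the blank-delimited layout of the bind user data (userid, credential, optional menu option) is an assumption made for the example, only the PHR padding rule and the "first word becomes the password" behaviour come from this article, and the sample values are constructed, not real credentials.

```python
# Added example (not CA/Broadcom code, not NCL): a Python model of the
# password-versus-phrase rules described in this article, usable to check
# the logic of a logon exit, a &SECCALL caller, or a procedure that builds
# VTAM bind user data.  ASSUMPTION: bind user data is laid out as
# "userid credential [menu option]", blank delimited; the article only
# states the PHR padding rule and the unpadded failure mode.

PASSWORD_MAX = 8     # traditional password length
PHRASE_MIN = 9       # password phrases are 9 to 100 characters
PHRASE_MAX = 100     # also the size of the new 100-character logon field


def classify_credential(field: str) -> str:
    """Classify the contents of the 100-character logon field.

    Logon panel rule: input longer than 8 characters is a password phrase,
    otherwise it is a password.  The field is treated as a blank-padded 3270
    field, so trailing blanks are not part of the value.
    """
    value = field.rstrip(" ")
    if not value:
        raise ValueError("empty credential")
    if len(value) > PHRASE_MAX:
        raise ValueError("credential exceeds %d characters" % PHRASE_MAX)
    return "phrase" if len(value) > PASSWORD_MAX else "password"


def racroute_operand(field: str) -> str:
    """Operand a user-written exit must code on RACROUTE REQUEST=VERIFY for
    the value word 6 of the logon parameter list points at:
    PHRASE= for a password phrase, PASSWRD= for a password."""
    return "PHRASE" if classify_credential(field) == "phrase" else "PASSWRD"


def seccall_operands_consistent(pwd: str, newpwd: str) -> bool:
    """&SECCALL rule: PWD and NEWPWD must both be passwords or both phrases."""
    return classify_credential(pwd) == classify_credential(newpwd)


def build_logon_userdata(userid: str, credential: str, option: str = "",
                         phr: bool = False) -> str:
    """Build bind user data under the assumed blank-delimited layout.

    With LOGONUSRDATA set to PHR, a phrase that is followed by a menu option
    must be blank padded to 100 characters so the receiver can find its end.
    """
    if phr and option:
        credential = credential.ljust(PHRASE_MAX)
    parts = [userid, credential] + ([option] if option else [])
    return " ".join(parts)


def parse_logon_userdata(data: str, phr: bool) -> dict:
    """Interpret bind user data as the receiving region would (assumed layout).

    Without PHR the credential is one blank-delimited word, so a phrase is
    split: its first word becomes the password, the rest the menu option.
    With PHR the 100 characters after the userid are the (padded) phrase
    field and anything beyond them is the menu option.
    """
    userid, _, rest = data.partition(" ")
    if not phr:
        credential, _, option = rest.partition(" ")
    else:
        credential, option = rest[:PHRASE_MAX].rstrip(" "), rest[PHRASE_MAX:]
    return {"userid": userid,
            "kind": classify_credential(credential),
            "credential": credential,
            "option": option.strip()}


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    phrase = "correct horse battery staple"
    data = build_logon_userdata("USER01", phrase, option="M")
    print(parse_logon_userdata(data, phr=False))  # first word taken as password
    data = build_logon_userdata("USER01", phrase, option="M", phr=True)
    print(parse_logon_userdata(data, phr=True))   # phrase intact, option "M"
```

Running the block shows the failure mode the article warns about: without PHR the region sees the password "correct" and a menu option of "horse battery staple M", while with PHR and the padded phrase both fields come back intact.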

 

&USERPW and MAI session scripting

The &USERPW system variable used in MAI scripting returns the password or password phrase that the user entered at logon. Session scripting procedures will need to change according to the requirements of the application being accessed. For applications that do not support password phrases, consider implementing PassTickets and using the PASSTICKET operand on the DEFLOGON statements for those applications.

 

EASINET Network Solicitor

EASINET is a facility for customizing 3270 network access. It provides custom logon panels and can provide single signon by verifying the user and then passing logon data that contains the already verified password.

  

The &SECCALL CHECK function can now be used to verify a user with a password phrase. However, many applications may not support a password phrase in session bind data, and SOLVE and NetMaster products require a configuration change to accept password phrases (see VTAM Logon Data above).

 

PTFs RO94160, RO94157 and RO94152 provide a subsystem for verifying a user with a password phrase and then generating a PassTicket for a nominated application. A sample $EASIPHR procedure that uses this subsystem is also provided. The sample demonstrates using multiple panel fields to accept a password phrase as input and calling the subsystem to verify the user and password phrase. The subsystem generates a PassTicket for the SOLVE region, and the PassTicket value is then specified on the &LOGON verb used to pass the session. The distributed $ACINIT is updated to contain an example of the PASSPHR subsystem definition.

Additional Information:

Note: Procedure $EASIPHR is an example only and is not intended for production use.

See also KB000011684 for potential changes needed to EASINET.

SPECIAL SITUATION FOR APPLICATIONS NOT SUPPORTING PASSPHRASE:
In some environments it may be necessary to implement an 8-character PassTicket to allow logon to an application that does not support password phrases.

The original password phrase support was an EASINET implementation that uses a SUBSYS to verify a password phrase and return a PassTicket for the application. The sample EASINET procedure was shipped as $EASIPHR, located in hlq.CC16SAMP. It contains a subroutine at label .VERPHR that calls the subsystem.

As supplied, this example only works for the local SOLVE region.
The ACB name for other applications would need to be determined.

The sample contains some comments about how that might be done using SHOW DEFLOGON, but it is likely simpler to hard code the relevant application name.

Please note that the use of PASSTICKET on DEFLOGON is not supported in any way in EASINET.
 

File Attachments:
$NMSXCTL.TXT