The GSO PSWD record includes the following option:
PSWDENCT( XDES | AES1 | AES2 )
The default, XDES, works the same as in CA ACF2 r12.0 and earlier. AES1, added in CA ACF2 r14.0, uses the AES-CMAC encryption method with 128-bit keys. AES is a symmetric block cipher used to protect sensitive data. A block cipher encrypts text by applying a cryptographic key and algorithm to a block of data. AES is one of the preferred and most secure encryption algorithms available. CA ACF2 r16.0 added AES with 256-bit encryption using the keyword AES2.
To set the option, change the PSWD record:
CHANGE PSWD PSWDENCT(option)
As always, changes to the PSWD record only take effect when a user changes their password.
To support AES passwords and password phrases, new fields on the logonid record (PSWDAES1, PSWA1TOD, and PSWA1VAL) have been added to the CA ACF2 ACFCFDE DSECT. A new field on the user profile PWPHRASE record, PWPA1TOD, has been added. In addition, new fields MLATODA1 and MLAPSWDA1 have been added to the CA ACF2 @MLID definition and MLAREC DSECT. These new fields increase the length of the CA ACF2 mini lid area.
ACF2 r16.0 also added the ONEPWALG option:
Saves password/password phrase changes under a single algorithm. Once ONEPWALG is set, the next password/password phrase change encrypts under the current value that is specified in the PSWDENCT and clears out the other values and TOD stamps for those values. All systems sharing logonid or infostorage databases must be able to evaluate passwords/password phrases encrypted with the PSWDENCT
For more information on all these options, see the GSO PSWD record in the Administrator Guide.
Note: If DDB password synchronization is being used, AES1 and AES2 are not supported. XDES must be used.