Password Phrase Record (PWPHRASE)

Password phrases may be used for user authentication with applications that support password phrases. You may have both a password and a password phrase defined to your Logonid. A password phrase is not required. You can authenticate with a password for applications that support only passwords. However, passwords and password phrases are mutually exclusive for authentication: for applications that support both, you may authenticate using either a password or a password phrase, but not both, during a single authentication process.
The GSO PWPHRASE record allows you to set the following global password phrase options and controls.
The following lists the record format and field descriptions for the PWPHRASE GSO record:
PWPHRASE ALLOW|NOALLOW
         ALPHA(0|nnn)
         CMD-CHG|NOCMD-CHG
         HISTORY(0|nn)
         LID|NOLID
         MAXDAYS(100|nnn)
         MAXLEN(100|nnn)
         MINDAYS(0|nnn)
         MINLEN(9|nnn)
         MINWORD(1|nnn)
         NUMERIC(0|nnn)
         PWPLC|NOPWPLC
         PWPONLY|NOPWPONLY
         PWPUC|NOPWPUC
         REPCHAR(null|0|nn)
         SPECIAL(0|nnn)
         SPECLIST()
         TEMP-AGE|NOTEMP-AGE
         WARNDAYS(1|nnn)
  • ALLOW|NOALLOW
    Specifies whether all users on the system are allowed to authenticate using a password phrase. The default is NOALLOW, which indicates that authentication with a password phrase is not allowed. NOALLOW is mutually exclusive with PWPONLY.
    The NOALLOW option may be overridden by specifying the PWPALLOW option on the Logonid. The ALLOW option designates that all users in the system can use a password phrase regardless of the NOPWPALLOW option specified on the Logonid. For more information, see PWPALLOW option in the Logonid Record Field Descriptions section.
    Do not set NOALLOW if Logonids exist with PWPONLY on.
  • ALPHA(0|nnn)
    Specifies the minimum number of alphabetic characters (a-z or A-Z) required in a new password phrase. Valid values are 0 - 100. The default is 0, which indicates that CA ACF2 will not validate the password phrase for alphabetic characters.
    Changes to this parameter take effect at the next password phrase change of the user.
  • CMD-CHG|NOCMD-CHG
    Specifies if password phrase changes are allowed with the ACF CHANGE command. The default is CMD-CHG, which permits password phrase changes through the ACF CHANGE command.
    This option does not affect administrators who are changing the password phrases of other users. It does, however, affect administrators changing their own password phrases. The purpose of the CMD-CHG option is to require users to change their password phrases only at system entry.
  • HISTORY(0|nn)
    Specifies the number of previous password phrases to be checked to prevent reuse of a password phrase. Valid values are 0-32. A value of either 0 or 1 indicates that no previous password phrases are checked; only the current password phrase is checked (the default is 0).
    For example, specifying HISTORY(2) indicates that the current password phrase and the previous password phrase are checked. HISTORY(32) indicates that the current password phrase and the last 31 previous password phrases are checked.
  • LID|NOLID
    Specifies that a logonid cannot be contained in any part of a new password phrase. The default is NOLID, which indicates that CA ACF2 will not check for a logonid in a new password phrase.
    Before the password phrase is compared to the logonid, it is temporarily upper-cased. Changes to this parameter take effect at the next password phrase change of the user.
  • MAXDAYS(0|nnn)
    Specifies the global value for the maximum number of days permitted between password phrase changes before the password phrase expires. This is based on the date specified in the PWP-TOD field in the User PWPHRASE Profile record. Valid values are 0-255. The default is 0, indicating that there is no value set, in which case, the value in the PWP-MAXD field of the User PWPHRASE Profile record will be used for validations.
    Any non-zero value in the PWP-MAXD field of the User PWPHRASE Profile record will override this value for validations.
  • MAXLEN(100|nnn)
    Specifies the global maximum number of characters allowed in a new password phrase. Valid values are 9-100. The default is 100.
  • MINDAYS(0|nnn)
    Specifies the global value for the minimum number of days that must elapse before a password phrase can be changed. Valid values are 0-254. The default is 0, indicating that there is no value set.
  • MINLEN(9|nnn)
    Specifies the global minimum number of characters required in a new password phrase. Valid values are 9-100. The default is 9.
  • MINWORD(1|nnn)
    Specifies the global minimum number of words required in a new password phrase. Words are delimited by one or more spaces (x'40'). Valid values are 1-50. The default is 1.
    Changes to this parameter take effect at the next password phrase change.
  • NUMERIC(0|nnn)
    Specifies the minimum number of numeric characters (0-9) required in a new password phrase. Valid values are 0 - 100. The default is 0, which indicates that CA ACF2 will not validate the new password phrase for numeric characters.
    Changes to this parameter take effect at the next password phrase change of the user.
  • PWPLC|NOPWPLC
    Specifies that at least one lowercase character (a-z) is required in a new password phrase. The default is NOPWPLC, which indicates that CA ACF2 does not validate the password phrase that contains only lowercase characters.
  • PWPONLY|NOPWPONLY
    When PWPONLY is on, users must logon using a password phrase. Passwords will no longer be allowed. When PWPONLY is on:
    • Logonids with the SECURITY attribute can still logon using a password.
    • Logonids with the PWPORPWD attribute can still logon using a password.
    • PassTickets will still be allowed.
    • Multi-factor logon credentials for CA Advanced Authentication Mainframe or IBM Multi-Factor Authentication will still be allowed.
    PWPONLY is mutually exclusive with NOALLOW. NOPWPONLY is the default.
    • Do not set PWPONLY on unless all users have a valid password phrase. Make sure the GSO TSO record specifies PWPHRASE so that password phrases can be used during TSO logon.
    • Once PWPONLY is turned on, users will not be able to log onto any applications that do not support password phrases.
  • PWPUC|NOPWPUC
    Specifies that at least one uppercase character (A-Z) is required in a new password phrase. The default is NOPWPUC, which indicates that CA ACF2 does not validate the password phrase that contains only uppercase characters.
  • REPCHAR(null|0|nn)
    Specifies the number of consecutively repeating pairs of characters allowed in a new password phrase. Valid values are 0-99. The default is null, specified as REPCHAR(), which indicates that CA ACF2 will not validate the new password phrase for consecutively repeating pairs of characters. A value of 0 indicates that the new password phrase cannot contain any consecutively repeating pairs of characters (for example, RABIT). A value of 1 indicates that a new password phrase can contain up to one consecutively repeating pair of characters (for example, RABIT or RABBIT, but not RABBBIT). A valid new password phrase could be “The rabbit jumped” or “I need your help”. However, CA ACF2 will not allow “The rabbbit jumped” since “bbb” is considered two consecutively repeating pairs of characters.
    Changes to this parameter take effect at the next password phrase change of the user.
  • SPECIAL(0|nnn)
    Specifies the minimum number of special characters required in a new password phrase. Special characters include: characters listed in the SPECLIST() field of this record, national characters (@ # $), and blanks (spaces). Valid values are 0-100. The default is 0, which indicates that no special characters are required. For example, when SPECIAL(3) is specified, a valid password phrase must contain at least three special characters, such as: “reading and writing are great skills” and “jane [email protected] is my email.”
    Changes to this parameter take effect at the next password phrase change of the user.
  • SPECLIST()
    Specifies the list of valid, non-alphanumeric characters that may be contained in a new password phrase in addition to the default alphanumeric (a-z, A-Z, 0-9) and national (@ # $) characters and blanks (spaces). If this field is not specified, the default is national characters and blanks. The following character values may be specified in this field:
    • Ampersand: &
    • Asterisk: *
    • Not sign: ¬ (X'5F')
    • Colon: :
    • Equal sign: =
    • Exclamation point: !
    • Hyphen: -
    • Percent sign: %
    • Period: .
    • Question mark: ?
    • Underscore: _
    • Vertical line: |
    Example:
    When SPECLIST(& * -) is specified, a valid password phrase can contain ampersand (&), asterisk (*), and hyphen (-) characters. The following are examples of valid password phrases: 'this is a NEW#PHRA', 'this is a NEW*PH&A', 'this is a 123#PHRA', 'this is a [email protected]', or 'this is a #NEWPHR'.
    Single and double quote marks are not permitted within new password phrases. Changes to this parameter take effect at the next password phrase change of the user.
  • TEMP-AGE|NOTEMP-AGE
    Specifies whether temporary password phrases will be included in the password phrase history. A "temporary password phrase" is a new password phrase that is immediately expired at the time it is set. The default is TEMP-AGE: temporary password phrases will be aged.
  • WARNDAYS(1|nnn)
    Specifies the number of days before the password phrase expires that a warning message is issued. On those days, the following message is displayed each time a user tries to access the system:
    ACF01165 YOUR PASSWORD PHRASE WILL EXPIRE ON date
    Valid values are 0-255. The default is 1. If zero is specified, no warning message is issued.
You must issue the following command for the insert or change to the GSO PWPHRASE record to take effect. Otherwise, CA ACF2 does not recognize the change until the GSO records are built at the next IPL of the system.
F ACF2,REFRESH(PWPHRASE)
Display the GSO PWPHRASE password phrase options defined to the system with the SHOW STATE and SHOW PSWDOPTS commands.
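The composition checks described in the field list above (length, word count, character classes, SPECLIST, REPCHAR, LID, PWPLC, PWPUC), modeled in Python as an added example for pre-checking candidate phrases against a planned policy; this is not CA ACF2 code. The class and function names are hypothetical, and the case-sensitive, blank-inclusive pair counting used for REPCHAR is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

NATIONAL = "@#$"  # national characters named on this page

@dataclass
class PwPhrasePolicy:
    """Composition fields of the GSO PWPHRASE record, with the page's defaults."""
    alpha: int = 0
    numeric: int = 0
    special: int = 0
    speclist: str = ""              # extra characters from SPECLIST()
    minlen: int = 9
    maxlen: int = 100
    minword: int = 1
    repchar: Optional[int] = None   # None models REPCHAR(): no check
    lid: bool = False
    pwplc: bool = False
    pwpuc: bool = False

def violations(phrase: str, logonid: str, p: PwPhrasePolicy) -> list:
    """Return the PWPHRASE fields a candidate phrase fails (empty list = passes)."""
    special_set = set(p.speclist) | set(NATIONAL) | {" "}
    words = [w for w in phrase.split(" ") if w]  # one or more spaces delimit
    # Adjacent equal characters: "bbb" counts as 2 pairs, as in "rabbbit".
    # Assumption: the comparison is case-sensitive and includes blanks.
    pairs = sum(a == b for a, b in zip(phrase, phrase[1:]))
    lower = sum("a" <= c <= "z" for c in phrase)
    upper = sum("A" <= c <= "Z" for c in phrase)
    digits = sum("0" <= c <= "9" for c in phrase)
    specials = sum(c in special_set for c in phrase)
    checks = [
        ("MINLEN", len(phrase) >= p.minlen),
        ("MAXLEN", len(phrase) <= p.maxlen),
        ("MINWORD", len(words) >= p.minword),
        ("ALPHA", lower + upper >= p.alpha),
        ("NUMERIC", digits >= p.numeric),
        ("SPECIAL", specials >= p.special),
        # Anything outside alphanumerics, nationals, blanks and SPECLIST is
        # rejected; this also rejects single and double quote marks.
        ("SPECLIST", lower + upper + digits + specials == len(phrase)),
        ("REPCHAR", p.repchar is None or pairs <= p.repchar),
        # The phrase is upper-cased before the logonid comparison.
        ("LID", not p.lid or logonid.upper() not in phrase.upper()),
        ("PWPLC", not p.pwplc or lower >= 1),
        ("PWPUC", not p.pwpuc or upper >= 1),
    ]
    return [name for name, ok in checks if not ok]
```

An empty list means the phrase satisfies every modeled field; history, aging and the ALLOW/PWPONLY switches are outside this model.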