ACFRPTPW - Invalid Password/Authority Log

CA ACF2 journals each unsuccessful attempt to gain access to the system as well as the reason for the unsuccessful attempt. If a user has the LOGSHIFT privilege in his logonid record and gains entry to the system outside of the shift or time controls, the access is logged to SMF and reported on the ACFRPTPW report.
CA ACF2 security administrators should monitor this report for excessive invalid password violations, invalid submission paths for restricted logonids (logonids with the RESTRICT privilege), and similar potential problems.
Checking Authorizations
CA ACF2 checks whether the person submitting the utility is authorized to view or manipulate the input SMF data. If you specify RPTSCOPE in the GSO OPTS record, a user is restricted to the SMF record data that matches his or her privileges and restrictions. In the default case of NORPTSCOPE, no authorization checking is done.
For the ACFRPTPW report, the following privileges and restrictions of the user running the report are validated as part of the report processing when RPTSCOPE is specified: SECURITY, ACCOUNT, or AUDIT and the LID fields in the associated scope record. If the user has one of these attributes and the SMF record is in the scope of the user's logonid, the user can view the report.
Running the Report Using the ISPF Panel
You can use the ACFRPTPW ISPF panel to create your input for the report. The following parameters can be found on the ACFRPTPW ISPF panel.
  • TITLE
    Specifies a character string added to other title information at the top of the report. This character string can be up to 35 characters in length. If you do not specify this parameter, the report generator uses the first 35 characters in the PARM field of the EXEC statement. If this character string is longer than 35 characters, only the first 35 characters are used.
  • LOGONID MASK
    Specifies invalid or logged data set accesses for a particular logonid or group of logonids. The default is all logonids.
  • TIME
    Specifies the desired format of the time stamp in the report: M (default) displays HH.MM, S displays HH.MM.SS, and H displays HH.MM.SS.TH.
  • OUTPUT LIST NAME: LIST ID
    Specifies the 1- to 8-character output list name. ISPF prefixes the name you specify with the user's prefix from his profile and the characters ACF2.ACFRPTPW. For example, if you specify TEST as the output list name, your output list data set name is dft-pfx.ACF2.ACFRPTPW.TEST.
  • SPECIFY INPUT DATA SET(S) FOR ACFRPTPW
    For an explanation of the options available, see Input and Output Files for Report Generators.
  • LOGSTREAM
    Indicates whether LOGSTREAM SMF data needs to be retrieved. This parameter is available for z/OS 1.9 and higher when the SMF data is being captured by a LGR LOGSTREAM structure. When Y is specified, an ACFRPTAL is displayed to provide specific logstream parameters.
Running the Report Using JCL
You can use JCL to run the ACFRPTPW utility. To run the ACFRPTPW report, see Using Sample JCL to Execute Reports. The following are the parameters for this report.
  • [MASK(********|logonidmask)]
    Specifies an eight-character logonid mask that is compared against the logonid that was incorrectly used for system access. The default is all logonids.
Common Parameters
ACFRPTPW accepts the following parameters.
  • LINECNT
  • JOBMASK
  • TITLE
  • SDATE
  • EDATE
  • STIME
  • ETIME
  • SELECT
  • SYSID
  • HEX
  • COND
  • TIME
Input and Output Files
ACFRPTPW uses the standard SYSPRINT, SYSIN, and RECxxxxx files explained in Input and Output Files for Report Generators.
Sort Sequence
The recommended sort sequence for the ACFRPTPW report is by logonid (major), date, and then time. Perform this sorting using your own routine or modify the prototype JCL provided with CA ACF2.
Sample Output
The following is sample output for the ACFRPTPW report with TIME left at its default, HH.MM.
Part 1 of 2:
<acf> SECURITY - ACFRPTPW - INVALID PASSWORD/AUTHORITY LOG - PAGE 1
DATE 07/26/98 (98.308) TIME 23.13 LINECNT(58)

DATE         TIME  LID      JNAME    SUBMIT'R SOURCE   PROGRAM  RC L CPU  AUTH SECLABEL DEFAULTED
98.308 07/26 11.09 A10AU19  A10AU19  P-LOGON  L32B              12   SYSB               NO
98.308 07/26 13.34 A10AU19  A10AU19  P-LOGON  L32B              12   SYSB               NO
98.308 07/26 13.19 A10AU36  A10AU36  P-LOGON  L321              12   SYSB               NO
98.308 07/26 13.20 A10AU36  A10AU36  P-LOGON  L321              12   SYSB               NO
98.308 07/26 13.21 A10AU36  A10AU36  P-LOGON  L321              12   SYSB               NO
98.308 07/26 13.21 A10AU36  A10AU36  P-LOGON  L321              12   SYSB               NO
98.308 07/26 13.22 A10AU36  A10AU36  P-LOGON  L321              12   SYSB               NO
98.308 07/26 13.22 A10AU36  A10AU36  P-LOGON  L321              13   SYSB               NO
98.308 07/26 13.27 A10AU36  A10AU36  P-LOGON  L321              17   SYSB               NO
98.308 07/26 08.49 BABX                       A04L21B            4   SYSB               NO
98.308 07/26 17.10 BAB      BAB      P-LOGON  A04L21B           17   SYSB               NO
98.308 07/26 08.22 BEAGLE   BEAGLE   P-LOGON  T322              12   SYSB               NO
98.308 07/26 22.57 BEAGLE   BEAGLES2 TSGCICS  T322     TSG127   12   SYSB               NO
98.308 07/26 09.21 BISMO10                    C111               4   SYSB               NO
98.308 07/26 07.21 BPMEY                      C112              15   SYSB               NO
98.308 07/26 09.14 BPMEY    VM       P-LOGON  C112               4   SYSB               NO
98.308 07/26 19.28 CICSXX1  BEAGLES2 TSGCICS  T324     TSG357   12   SYSB               NO
98.308 07/26 13.38 COLEEN                     U1133             15   SYSB               NO
98.308 07/26 17.47 CQLRG                      A10L344           15   SYSB               NO
98.308 07/26 17.47 CQLRG                      A10L344           12   SYSB               NO
98.308 07/26 17.56 CQLRG                      A10L344           12   SYSB               NO
98.308 07/26 17.56 CQLRG                      A10L344           12   SYSB               NO
98.308 07/26 08.48 PAMM                       S151               4   SYSB               NO
98.308 07/26 14.45 PAMM                       S151               4   SYSB               NO
98.308 07/26 16.45 PAMM     PAMM     P-LOGON  S151               4   SYSB               NO
98.308 07/26 10.34 PAULA                      E1199             15   SYSB               NO
98.308 07/26 14.33 PC4XR    PC4XR    P-LOGON  S102              12   SYSB               NO
98.308 07/26 15.57 PAULA    TSGXX1   REVERIFY T757     TSG358   29   SYSB               NO
98.308 07/26 15.57 PAOLA    TSGXX1   TSGCICS  T757     TSG358   11   SYSB               NO
98.308 07/26 15.59 JOHANA   TSGXX1   REVERIFY T757     TSG358   29   SYSB               NO
98.308 07/26 16.36 PFQ82    TSGXX1   REVERIFY T757     TSG358   29   SYSB               NO
98.308 07/26 16.36 PFQ82    TSGXX1   REVERIFY T757     TSG358   29   SYSB               NO
04.215 08/02 16.06 M1ADMN   USER01   M1ADMN   A59L0902 +       104   XE59      PRJTS2   YES
04.215 08/02 16.06 M1ADMN   USER01   M1ADMN   A59L0902 +       104   XE59      PRJTS2   YES

RC FIELD DESCRIPTIONS
  4 LOGONID NOT FOUND
 11 LOGONID SUSPENDED
 12 PASSWORD NOT MATCHED
 13 LOGONID SUSPENDED FOR PASSWORD VIOLATIONS
 15 INVALID PASSWORD SYNTAX
 17 PASSWORD EXPIRED
 29 PSWD REVALIDATION; PSWD NOT MATCHED
104 NOT AUTHORIZED TO SECLABEL
Part 2 of 2:
<acf> SECURITY - ACFRPTPW - INVALID PASSWORD/AUTHORITY LOG - PAGE 2
DATE 07/26/98 (98.308) TIME 23.13 LINECNT(58)

DATE         TIME  LID      JNAME    SUBMIT'R SOURCE   PROGRAM  RC L CPU  AUTH SECLABEL DEFAULTED
98.308 07/26 16.36 PFQ82    TSGXX1   REVERIFY T757     TSG358   29   SYSB               NO
98.308 07/26 16.36 PFQ82    TSGXX1   TSGCICS  T757     TSG358   11   SYSB               NO
98.308 07/26 16.45 PFQ82    TSGXX1   TSGCICS  T757     TSG358   11   SYSB               NO
98.308 07/26 16.45 PFQ82    TSGXX1   REVERIFY T757     TSG358   29   SYSB               NO
98.308 07/26 16.45 PFQ82    TSGXX1   REVERIFY T757     TSG358   29   SYSB               NO
98.308 07/26 16.46 PFQ82    TSGXX1   REVERIFY T757     TSG358   29   SYSB               NO
98.308 07/26 16.46 PFQ82    TSGXX1   REVERIFY T757     TSG358   29   SYSB               NO
98.308 07/26 23.02 RPMAC    RPMAC    P-LOGON  T305               4   SYSB               NO
98.308 07/26 23.03 RPMAC    RPMAC    P-LOGON  T305               4   SYSB               NO
98.308 07/26 08.34 WKNM5    WKNM5    P-LOGON  S152              12   SYSB               NO
98.308 07/26 09.41 WKNM5    WKNM5    P-LOGON  S152              12   SYSB               NO
98.308 07/26 10.24 WKNM5    WKNM5    P-LOGON  S152               4   SYSB               NO
98.308 07/26 15.15 WKNM5    WKNM5    P-LOGON  S152              12   SYSB               NO
98.308 07/26 12.07 WODAHS   TSG32C   TSG32C   T707     TSSC      4   SYSB               NO
04.215 08/02 16.06 M1ADMN   USER01   M1ADMN   A59L0902 +       104   XE59      PRJTS2   YES
04.215 08/02 16.06 M1ADMN   USER01   M1ADMN   A59L0902 +       104   XE59      PRJTS2   YES

RC FIELD DESCRIPTIONS
  4 LOGONID NOT FOUND
 11 LOGONID SUSPENDED
 12 PASSWORD NOT MATCHED
 13 LOGONID SUSPENDED FOR PASSWORD VIOLATIONS
 15 INVALID PASSWORD SYNTAX
 17 PASSWORD EXPIRED
 29 PSWD REVALIDATION; PSWD NOT MATCHED
104 NOT AUTHORIZED TO SECLABEL
Field Descriptions
  • APPLID
    The APPLID of the user attempting access.
  • AUTH
    The user authentication device attribute name, if applicable. If a user authentication exit denied access, the reason code field is prefixed with an asterisk (*).
  • CPU
    The SMF name of the CPU where job validation occurred.
  • DATE
    The Julian and Gregorian date when the job was validated. The format of this date is MM/DD or DD/MM based on the DATE option in the GSO OPTS infostorage record.
  • DFT
    • YES - The SECLABEL was defaulted by CA ACF2.
    • NO - The SECLABEL was not defaulted by CA ACF2.
  • JNAME
    The name of the job associated with the invalid system entry attempt.
  • L
    This access was an allowed access that generated a logging record, or the attempt to access the system was denied. An asterisk (*) indicates permitted and logged access. A blank indicates that access was denied.
  • LID
    The logonid under which the job was validated.
  • PROGRAM
    The name of the program that submitted the job using a restricted logonid. A plus (+) designates a SAF logging. The program name in this field is the name of the load module that did the actual submission of the job and might not be the same as the program specified in the JCL EXEC statement. An asterisk (*) designates an authorized program.
  • PTIME
    The hh:mm timestamp value extracted from the passticket if a passticket evaluation was performed. The presence of this value does not prove that a passticket was supplied. This data will typically appear on password validation failure entries (when either a password or Passticket may have been supplied) and MON-LOG entries when a valid Passticket was supplied.
  • RC
    The reason code that explains why the access was denied or logged. The number corresponds to a CA ACF2 message number of the form ACF01xxx, where xxx is replaced by the reason code from the report, except for reason codes 47, 60, 61, 62, 63, 75, 76, 77, 78, 115, 116, 117, and 118, which correspond to ACF00xxx messages. For example, if RC is 4, look up the ACF01004 message.
    Some common reason codes and their associated messages are shown below. The reason codes that might be summarized at the end of the report are listed below, with a one-line description of each. For other reason code descriptions, see the applicable message codes, as mentioned in the preceding paragraph.
    The following is a list of reason codes and their associated descriptions:
    Reason Code  Message Text
    04           LOGONID NOT FOUND
    05           PASSWORD PHRASE NOT MATCHED
    06           PASSWORD NOT ALLOWED FOR LOGONID
    07           PASSWORD REQUIRED FOR LOGONID
    08           UNAUTHORIZED INPUT SOURCE
    09           LOGONID SUBMITTED BY INVALID PROGRAM
    10           LOGONID CANCELED
    11           LOGONID SUSPENDED
    12           PASSWORD NOT MATCHED
    13           LOGONID SUSPENDED FOR PASSWORD VIOLATIONS
    14           LOGONID EXPIRED
    15           INVALID PASSWORD SYNTAX
    17           PASSWORD EXPIRED
    18           OLD PSWD EXPIRED; INVALID SYNTAX FOR NEW
    19           PASSWORD LESS THAN MINIMUM LENGTH
    20           OLD PSWD EXPIRED; NEWPSWD TOO SHORT
    21           PASSWORD EXPIRED AND CANNOT BE ALTERED
    22           MUSASS LOGONID ALREADY IN USE
    23           OLD PSWD EXPIRED; NEW PSWD SAME AS OLD
    25           LOGONID IS NOT ACTIVE
    26           ACCESS DENIED BY INSTALLATION EXIT
    29           PSWD REVALIDATION; PSWD NOT MATCHED
    30           STC LOGONID CANNOT BE USED FOR NORMAL ACCESS
    31           LOGONID DOES NOT HAVE THE STC ATTRIBUTE
    32           LOGONID/SOURCE COMBINATION NOT VALID
    33           INVALID SYNTAX FOR NEW PASSWORD ON NJE JOB
    34           NEW PASSWORD LESS THAN MIN LENGTH ON NJE JOB
    35           SEVPRE OR SEVPOST EXIT FAILED REQUEST
    36           BAD RETURN CODE FROM SEVPRE OR SEVPOST EXIT
    37           NEW PASSWORD DENIED BY INSTALLATION EXIT
    38           LOGONID INHERITANCE NOT ALLOWED FOR LOGNID
    39           INVALID GROUPING STRUCTURE
    42           NEW PASSWORD IS TOO SIMILAR TO OLD PASSWORD
    43           NEW PASSWORD IS TOO LONG AND OLD PASSWORD EXPIRED
    44           PASSWORD PHRASE NOT SET FOR LOGONID
    45           NOT AUTHORIZED FOR ACCESS TO MUSASS
    46           NOT AUTHORIZED TO APPL
    47           NEW PSWD/PHRASE FAILED A GLOBAL SYSTEM OPTION REQUIREMENT
    48           NEW PASSWORD CANNOT CONTAIN RESERVED WORD AND OLD PASSWORD EXPI
    49           FDE FOR ACTIVE AUTH SUPPORT NOT LOCATED
    50           NO AUTHEXIT LIST ENTRY FOUND FOR LIDFIELD
    51           USER AUTH EXTENSION BLOCK NOT PASSED
    52           RSB COULD NOT BE LOCATED FOR AUTH RECORD
    53           INFO-STOR D/B NOT AVAILABLE
    54           D/B FAILURE OCCURED FOR USER AUTH RECORD
    55           ACCESS DENIED BY USER AUTH SUPPORT
    56           USER AUTH DIALOG FACILITY NOT SUPPORTED
    57           STORAGE GETMAIN/FREEMAIN ERROR
    60           ZONE RECORD FOR LOGONID NOT FOUND
    61           LOGON TIME NOT WITHIN SHIFT DEFINED FOR USER
    62           ERROR IN SHIFT PROCESSING ROUTINES
    63           SHIFT RECORD NOT FOUND
    64           MESSAGE RETURNED BY IBM MFA
    65           MESSAGE RETURNED BY CA AAM
    66           CA AAM NEW PIN ACCEPTED
    67           CA AAM ENTER NEW PIN
    68           CA AAM NEW PIN REJECTED, RETRY LOGON
    69           CA AAM FACTOR ACTIVE, AAM NOT ACTIVE
    70           CA AAM RSA SERVER NOT ACTIVE
    71           CA AAM UNKNOWN ERROR DETECTED
    72           CA AAM PASSCODE NOT MATCHED
    73           CA AAM ENTER NEXT TOKEN
    74           CA AAM INVALID NEXT TOKEN, RETRY LOGON
    75           DDB LOGONID ACQUISITION FAILED
    76           LOGONID NOT FOUND FOR DDB ACQUISTION
    77           DDB REMOTE LOGONID UPDATE FAILED
    78           LOGONID NOT FOUND FOR DDB REMOTE UPDATE
    92           OLD PSWD EXPIRED; NEW PSWD MUST HAVE NATL OR USER-DEFINED CHAR
    93           OLD PSWD EXPIRED; NEW PSWD CANNOT HAVE VOWEL CHARACTERS
    95           NO HALFWAY ENCRYPTED PASSWORD IS AVAILABLE FOR USERID
    96           NO LOGONID GIVEN FOR PASSWORD EXTRACT CALL
    97           JOB SUBMITTED ON NON-ACF2 SYSTEM AND NO DEFAULT LOGONID GIVEN
    98           ACF2 NOT INITIALIZED
    99           ERROR DURING PROCESSING
    100          NOT AUTHORIZED FOR GROUP
    101          DDB GET-UPDATE OF LOGONID FAILED
    102          PASSWORD PHRASE NOT ALLOWED FOR LOGONID
    103          OLD PSWD PHRASE EXPIRED; NEW PSWD PHRASE SAME AS OLD
    104          NOT AUTHORIZED TO SECLABEL
    105          NO ROOM IN DATABASE FOR REQUEST
    106          ACF00ERU PROCESSING ERROR FOR LOGONID
    108          PASSWORD PHRASE FOR LOGONID HAS EXPIRED
    115          OLD PSWD EXPIRED; NEW PSWD CANNOT BE SAME AS LOGONID
    116          OLD PSWD EXPIRED; NEW PSWD CANNOT BE ALL NUMERIC
    117          OLD PSWD EXPIRED; NEW PSWD CONTAINS A RESERVED WORD PREFIX
    118          OLD PSWD EXPIRED; NEW PSWD MATCHES A PREVIOUS PSWD
    120          KERBEROS KEY NOT MATCHED
    124          OLD PSWD EXPIRED; NEW PSWD HAS TOO MANY REPEATING CHARS
    125          OLD PSWD EXPIRED; NEW PSWD MUST HAVE AT LEAST ONE NUM CHAR
    126          OLD PSWD EXPIRED; NEW PSWD MUST HAVE AT LEAST ONE ALPHA CHAR
    127          LOGONID RECORD DEQ FAILURE
    128          INVALID SYNTAX FOR NEW PASSWORD; NONE SET
    129          PASSWORD SUCCESSFULLY ALTERED
    130          NEW PSWD LESS THAN MINIMUM LENGTH; NONE SET
    131          NEW PASSWORD EQUALS OLD; NONE SET
    132          NEW PASSWORD NOT ALLOWED
    135          LOGONID SHIFT OVERIDDEN BY LOGSHIFT PRIV
    136          NEW PSWD NOT SET; MINDAYS HAVE NOT PASSED
    139          YOUR LOGONID WILL EXPIRE
    140          YOUR PASSWORD AND LOGONID WILL EXPIRE
    142          NEW PASSWORD IS TOO SIMILAR TO OLD PASSWORD - NONE SET
    143          NEW PASSWORD IS TOO LONG - NONE SET
    161          PASSWORD PHRASE SUCCESSFULLY ALTERED
    163          NEW PASSWORD PHRASE EQUALS OLD
    164          NEW PASSWORD PHRASE NOT ALLOWED
    166          NEW PASSWORD PHRASE NOT SET; MINDAYS HAVE NOT PASSED
    167          YOUR PASSWORD PHRASE AND LOGONID WILL EXPIRE
    200          INVALID PASSWORD/AUTHORITY FOR ID
    220          NEW PSWD/PSWD PHRASE IS INVALID
    254          LOGONID HAS MON-LOG ATTRIBUTE
    255          RETURN CODE FROM INSTALLATION NEWPXIT EXIT
    900          KERBEROS KEY NOT MATCHED
    An asterisk (*) positioned before the reason code indicates a reason code of another product; it is not a CA ACF2 reason code. When an asterisk appears in this column, refer to the documentation for the issuing extended user authentication program specified in the AUTH column of this report.
    For more information about these and other reason codes, see Messages.
  • RSN
    A supplementary reason code associated with the main reason code (RC) that explains more specifically why the access was denied or logged.
    The RSN number corresponds to a more specific, supplementary reason (if one exists) in a CA ACF2 message of the form ACF00xxx or ACF01xxx.
    Not every logging will have a supplementary reason (RSN). For example, if RC is 4 but there is no RSN value, look up the ACF01004 message. However, if RC is 47 ("NEW PSWD OR PSWD PHRASE DOES NOT MEET SITE REQUIREMENTS") and RSN is 7, look up message ACF00047, which gives for reason 7 the specific reason why the password or password phrase is invalid: "NEW PSWD PHRASE CANNOT CONTAIN LOGONID".
    The supplementary reason codes that might be summarized at the end of the report are listed below, with a one-line description of each. For other supplementary reason code descriptions, see the applicable message codes, as mentioned in the preceding paragraph.
    • 1 - CANNOT CONTAIN LOGONID
    • 2 - CANNOT CONTAIN PART OF NAME
    • 3 - MUST HAVE AT LEAST ONE LOWERCASE CHARACTER
    • 4 - MUST HAVE AT LEAST ONE UPPERCASE CHARACTER
    • 5 - NEW PSWD PHRASE LESS THAN MINIMUM LENGTH
    • 6 - NEW PSWD PHRASE EXCEEDS MAXIMUM LENGTH
    • 7 - NEW PSWD PHRASE CANNOT CONTAIN LOGONID
    • 8 - NEW PSWD PHRASE DOES NOT CONTAIN MINIMUM NUMERIC CHARACTERS
    • 9 - NEW PSWD PHRASE DOES NOT CONTAIN MINIMUM ALPHABETIC CHARACTERS
    • 10 - NEW PSWD PHRASE CONTAINS TOO MANY REPEATING CHARACTER PAIRS
    • 11 - NEW PSWD PHRASE DOES NOT CONTAIN MINIMUM WORDS
    • 12 - NEW PSWD PHRASE DOES NOT CONTAIN MINIMUM SPECIAL CHARACTERS
    • 13 - NEW PSWD PHRASE CONTAINS INVALID CHARACTER(S)
    • 14 - NEW PSWD PHRASE MATCHES A PREVIOUS PSWD PHRASE
  • SECLABEL
    The security label of the user who is responsible for the SMF logging.
  • SOURCE
    The logical input source through which the job was submitted.
  • SUBMIT'R
    The logonid that submitted the job using an invalid logonid. The characters P- preceding the SUBMIT'R field indicate that the job was submitted from a started task and that the name is a started task logonid.
  • TIME
    The time when the job was validated. The validation date and time generally differ from the reader date and time by only a fraction of a second.
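
The monitoring guidance at the top of this page and the RC field description can be combined into an off-host triage script over the report text. The following Python is an added example, not part of the CA ACF2 documentation or product: the choice of reason codes 12, 13 and 29 as failed-credential signals, the threshold of 5, whitespace-split rows, and the EXAMPLE1, EXAMPLE2 and EXAUTH names are assumptions made for illustration.

```python
import re
from collections import Counter
# Reason codes the page maps to ACF00xxx messages; every other code uses ACF01xxx.
ACF00_CODES = {47, 60, 61, 62, 63, 75, 76, 77, 78, 115, 116, 117, 118}
# Assumption: these codes from the page's table are counted as failed credentials.
BAD_CREDENTIAL = {12, 13, 29}
ROW = re.compile(r"\s*\d{2}\.\d{3}\s+\d{2}/\d{2}\s+\d{2}\.\d{2}")
RC_TOKEN = re.compile(r"(\*?)(\d{1,3})")
# First nine rows come from the page's sample output; the last two are constructed.
SAMPLE = """\
98.308 07/26 11.09 A10AU19 A10AU19 P-LOGON L32B 12 SYSB NO
98.308 07/26 13.19 A10AU36 A10AU36 P-LOGON L321 12 SYSB NO
98.308 07/26 13.20 A10AU36 A10AU36 P-LOGON L321 12 SYSB NO
98.308 07/26 13.21 A10AU36 A10AU36 P-LOGON L321 12 SYSB NO
98.308 07/26 13.21 A10AU36 A10AU36 P-LOGON L321 12 SYSB NO
98.308 07/26 13.22 A10AU36 A10AU36 P-LOGON L321 12 SYSB NO
98.308 07/26 13.22 A10AU36 A10AU36 P-LOGON L321 13 SYSB NO
98.308 07/26 08.49 BABX A04L21B 4 SYSB NO
04.215 08/02 16.06 M1ADMN USER01 M1ADMN A59L0902 + 104 XE59 PRJTS2 YES
98.308 07/26 09.00 EXAMPLE1 EXAMPLE1 P-LOGON L321 47 SYSB NO
98.308 07/26 09.05 EXAMPLE2 EXAMPLE2 P-LOGON L321 *12 SYSB EXAUTH NO
"""

def parse_row(line):
    """Return the LID, RC and flags of one report row, or None for other lines."""
    if not ROW.match(line):
        return None
    tok = line.split()
    # Assumption: the first 1-3 digit token after LID is RC, because blank
    # columns collapse once the fixed-width row is split on whitespace.
    for i in range(4, len(tok)):
        m = RC_TOKEN.fullmatch(tok[i])
        if m:
            logged = i + 1 < len(tok) and tok[i + 1] == "*"  # L column
            return {"lid": tok[3], "rc": int(m.group(2)),
                    "foreign": bool(m.group(1)), "logged": logged}
    return None

def message_id(rc):
    """Message to look up for a CA ACF2 reason code, per the RC description."""
    return f"{'ACF00' if rc in ACF00_CODES else 'ACF01'}{rc:03d}"

def excessive_failures(report_text, threshold=5):
    """Map each LID to its count of denied bad-credential rows >= threshold."""
    counts = Counter()
    for line in report_text.splitlines():
        row = parse_row(line)
        if row and not (row["foreign"] or row["logged"]) and row["rc"] in BAD_CREDENTIAL:
            counts[row["lid"]] += 1
    return {lid: n for lid, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for lid, n in excessive_failures(SAMPLE).items():
        print(f"{lid}: {n} failed-credential rows (see {message_id(12)})")
```

Rows whose reason code carries an asterisk are skipped because, as the RC description states, they belong to another product and must be looked up in that product's documentation. A parser for real report output should use the report's fixed column offsets rather than whitespace splitting.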