ACFRPTPW - Invalid Password/Authority Log
CA ACF2 journals each unsuccessful attempt to gain access to the system as well as the reason for the unsuccessful attempt. If a user has the LOGSHIFT privilege in his logonid record and gains entry to the system outside of the shift or time controls, the access is logged to SMF and reported on the ACFRPTPW report.
CA ACF2 security administrators should monitor this report for excessive invalid password violations, invalid submission paths for restricted logonids (logonids with the RESTRICT privilege), and similar potential problems.
CA ACF2 checks whether the person submitting the utility is authorized to view or manipulate the input SMF data. If you specify RPTSCOPE in the GSO OPTS record, a user is restricted to the SMF record data that matches his or her privileges and restrictions. In the default case of NORPTSCOPE, no authorization checking is done.
For the ACFRPTPW report, the following privileges and restrictions of the user running the report are validated as part of the report processing when RPTSCOPE is specified: SECURITY, ACCOUNT, or AUDIT and the LID fields in the associated scope record. If the user has one of these attributes and the SMF record is in the scope of the user's logonid, the user can view the report.
Running the Report Using the ISPF Panel
You can use the ACFRPTPW ISPF panel to create your input for the report. The following parameters can be found on the ACFRPTPW ISPF panel.
- TITLE: Specifies a character string added to the other title information at the top of the report. This character string can be up to 35 characters long. If you do not specify this parameter, the report generator uses the first 35 characters of the PARM field of the EXEC statement. If the string is longer than 35 characters, only the first 35 characters are used.
- LOGONID MASK: Specifies invalid or logged data set accesses for a particular logonid or group of logonids. The default is all logonids.
- TIME: Specifies the format of the time stamp in the report: M (default) displays HH.MM, S displays HH.MM.SS, and H displays HH.MM.SS.TH.
- OUTPUT LIST NAME (LIST ID): Specifies the 1- to 8-character output list name. ISPF prefixes the name you specify with the user's prefix from his profile and the characters ACF2.ACFRPTPW. For example, if you specify TEST as the output list name, your output list data set name is dft-pfx.ACF2.ACFRPTPW.TEST.
- SPECIFY INPUT DATA SET(S) FOR ACFRPTPW: For an explanation of the options available, see Input and Output Files for Report Generators.
- LOGSTREAM: Indicates whether LOGSTREAM SMF data is to be retrieved. This parameter is available for z/OS 1.9 and higher when the SMF data is being captured by a LGR LOGSTREAM structure. When Y is specified, an ACFRPTAL panel is displayed to provide the specific logstream parameters.
Running the Report Using JCL
You can use JCL to run the ACFRPTPW utility. To run the ACFRPTPW report, see Using Sample JCL to Execute Reports. ACFRPTPW accepts the following parameters.
- [MASK(********|logonidmask)]: Specifies an eight-character logonid mask that is compared against the logonid that was incorrectly used for system access. The default is all logonids.
Input and Output Files
ACFRPTPW uses the standard SYSPRINT, SYSIN, and RECxxxxx files explained in Input and Output Files for Report Generators.
The recommended sort sequence for the ACFRPTPW report is by logonid (major), date, and then time. Perform this sorting using your own routine or modify the prototype JCL provided with CA ACF2.
The following is sample output for the ACFRPTPW report with the TIME parameter at its default of HH.MM.
Part 1 of 2:
```
<acf> SECURITY - ACFRPTPW - INVALID PASSWORD/AUTHORITY LOG - PAGE 1
DATE 07/26/98 (98.308) TIME 23.13 LINECNT(58)

DATE         TIME  LID      JNAME    SUBMIT'R SOURCE   PROGRAM  RC  L CPU  AUTH     SECLABEL DEFAULTED
98.308 07/26 11.09 A10AU19  A10AU19  P-LOGON  L32B               12   SYSB                   NO
98.308 07/26 13.34 A10AU19  A10AU19  P-LOGON  L32B               12   SYSB                   NO
98.308 07/26 13.19 A10AU36  A10AU36  P-LOGON  L321               12   SYSB                   NO
98.308 07/26 13.20 A10AU36  A10AU36  P-LOGON  L321               12   SYSB                   NO
98.308 07/26 13.21 A10AU36  A10AU36  P-LOGON  L321               12   SYSB                   NO
98.308 07/26 13.21 A10AU36  A10AU36  P-LOGON  L321               12   SYSB                   NO
98.308 07/26 13.22 A10AU36  A10AU36  P-LOGON  L321               12   SYSB                   NO
98.308 07/26 13.22 A10AU36  A10AU36  P-LOGON  L321               13   SYSB                   NO
98.308 07/26 13.27 A10AU36  A10AU36  P-LOGON  L321               17   SYSB                   NO
98.308 07/26 08.49 BABX                       A04L21B             4   SYSB                   NO
98.308 07/26 17.10 BAB      BAB      P-LOGON  A04L21B            17   SYSB                   NO
98.308 07/26 08.22 BEAGLE   BEAGLE   P-LOGON  T322               12   SYSB                   NO
98.308 07/26 22.57 BEAGLE   BEAGLES2 TSGCICS  T322     TSG127    12   SYSB                   NO
98.308 07/26 09.21 BISMO10                    C111                4   SYSB                   NO
98.308 07/26 07.21 BPMEY                      C112               15   SYSB                   NO
98.308 07/26 09.14 BPMEY    VM       P-LOGON  C112                4   SYSB                   NO
98.308 07/26 19.28 CICSXX1  BEAGLES2 TSGCICS  T324     TSG357    12   SYSB                   NO
98.308 07/26 13.38 COLEEN                     U1133              15   SYSB                   NO
98.308 07/26 17.47 CQLRG                      A10L344            15   SYSB                   NO
98.308 07/26 17.47 CQLRG                      A10L344            12   SYSB                   NO
98.308 07/26 17.56 CQLRG                      A10L344            12   SYSB                   NO
98.308 07/26 17.56 CQLRG                      A10L344            12   SYSB                   NO
98.308 07/26 08.48 PAMM                       S151                4   SYSB                   NO
98.308 07/26 14.45 PAMM                       S151                4   SYSB                   NO
98.308 07/26 16.45 PAMM     PAMM     P-LOGON  S151                4   SYSB                   NO
98.308 07/26 10.34 PAULA                      E1199              15   SYSB                   NO
98.308 07/26 14.33 PC4XR    PC4XR    P-LOGON  S102               12   SYSB                   NO
98.308 07/26 15.57 PAULA    TSGXX1   REVERIFY T757     TSG358    29   SYSB                   NO
98.308 07/26 15.57 PAOLA    TSGXX1   TSGCICS  T757     TSG358    11   SYSB                   NO
98.308 07/26 15.59 JOHANA   TSGXX1   REVERIFY T757     TSG358    29   SYSB                   NO
98.308 07/26 16.36 PFQ82    TSGXX1   REVERIFY T757     TSG358    29   SYSB                   NO
98.308 07/26 16.36 PFQ82    TSGXX1   REVERIFY T757     TSG358    29   SYSB                   NO
04.215 08/02 16.06 M1ADMN   USER01   M1ADMN   A59L0902 +        104   XE59          PRJTS2   YES
04.215 08/02 16.06 M1ADMN   USER01   M1ADMN   A59L0902 +        104   XE59          PRJTS2   YES

RC FIELD DESCRIPTIONS
  4 LOGONID NOT FOUND
 11 LOGONID SUSPENDED
 12 PASSWORD NOT MATCHED
 13 LOGONID SUSPENDED FOR PASSWORD VIOLATIONS
 15 INVALID PASSWORD SYNTAX
 17 PASSWORD EXPIRED
 29 PSWD REVALIDATION; PSWD NOT MATCHED
104 NOT AUTHORIZED TO SECLABEL
```
Part 2 of 2:
```
<acf> SECURITY - ACFRPTPW - INVALID PASSWORD/AUTHORITY LOG - PAGE 2
DATE 07/26/98 (98.308) TIME 23.13 LINECNT(58)

DATE         TIME  LID      JNAME    SUBMIT'R SOURCE   PROGRAM  RC  L CPU  AUTH     SECLABEL DEFAULTED
98.308 07/26 16.36 PFQ82    TSGXX1   REVERIFY T757     TSG358    29   SYSB                   NO
98.308 07/26 16.36 PFQ82    TSGXX1   TSGCICS  T757     TSG358    11   SYSB                   NO
98.308 07/26 16.45 PFQ82    TSGXX1   TSGCICS  T757     TSG358    11   SYSB                   NO
98.308 07/26 16.45 PFQ82    TSGXX1   REVERIFY T757     TSG358    29   SYSB                   NO
98.308 07/26 16.45 PFQ82    TSGXX1   REVERIFY T757     TSG358    29   SYSB                   NO
98.308 07/26 16.46 PFQ82    TSGXX1   REVERIFY T757     TSG358    29   SYSB                   NO
98.308 07/26 16.46 PFQ82    TSGXX1   REVERIFY T757     TSG358    29   SYSB                   NO
98.308 07/26 23.02 RPMAC    RPMAC    P-LOGON  T305                4   SYSB                   NO
98.308 07/26 23.03 RPMAC    RPMAC    P-LOGON  T305                4   SYSB                   NO
98.308 07/26 08.34 WKNM5    WKNM5    P-LOGON  S152               12   SYSB                   NO
98.308 07/26 09.41 WKNM5    WKNM5    P-LOGON  S152               12   SYSB                   NO
98.308 07/26 10.24 WKNM5    WKNM5    P-LOGON  S152                4   SYSB                   NO
98.308 07/26 15.15 WKNM5    WKNM5    P-LOGON  S152               12   SYSB                   NO
98.308 07/26 12.07 WODAHS   TSG32C   TSG32C   T707     TSSC       4   SYSB                   NO
04.215 08/02 16.06 M1ADMN   USER01   M1ADMN   A59L0902 +        104   XE59          PRJTS2   YES
04.215 08/02 16.06 M1ADMN   USER01   M1ADMN   A59L0902 +        104   XE59          PRJTS2   YES

RC FIELD DESCRIPTIONS
  4 LOGONID NOT FOUND
 11 LOGONID SUSPENDED
 12 PASSWORD NOT MATCHED
 13 LOGONID SUSPENDED FOR PASSWORD VIOLATIONS
 15 INVALID PASSWORD SYNTAX
 17 PASSWORD EXPIRED
 29 PSWD REVALIDATION; PSWD NOT MATCHED
104 NOT AUTHORIZED TO SECLABEL
```
- APPLID: The APPLID of the user attempting access.
- AUTH: The user authentication device attribute name, if applicable. If a user authentication exit denied access, the reason code field is prefixed with an asterisk (*).
- CPU: The SMF name of the CPU where job validation occurred.
- DATE: The Julian and Gregorian date when the job was validated. The format of this date is MM/DD or DD/MM, based on the DATE option in the GSO OPTS infostorage record.
- DEFAULTED: Indicates whether CA ACF2 defaulted the SECLABEL:
  - YES: The SECLABEL was defaulted by CA ACF2.
  - NO: The SECLABEL was not defaulted by CA ACF2.
- JNAME: The name of the job associated with the invalid system entry attempt.
- L: Indicates whether this was a permitted access that generated a logging record or a denied attempt to access the system. An asterisk (*) indicates permitted and logged access; a blank indicates that access was denied.
- LID: The logonid under which the job was validated.
- PROGRAM: The name of the program that submitted the job using a restricted logonid. The program name in this field is the name of the load module that actually submitted the job, which might not be the same as the program specified on the JCL EXEC statement. An asterisk (*) designates an authorized program; a plus (+) designates a SAF logging.
- PTIME: The hh:mm timestamp value extracted from the passticket, if a passticket evaluation was performed. The presence of this value does not prove that a passticket was supplied. This value typically appears on password validation failure entries (where either a password or a passticket may have been supplied) and on MON-LOG entries where a valid passticket was supplied.
- RC: The reason code that explains why the access was denied or logged. The number corresponds to a CA ACF2 message number of the form ACF01xxx, where xxx is the reason code from the report, except for reason codes 47, 60, 61, 62, 63, 75, 76, 77, 78, 115, 116, 117, and 118, which correspond to ACF00xxx messages. For example, if RC is 4, look up the ACF01004 message. The reason codes that might be printed at the end of the report are summarized below with a one-line description of each; for other reason code descriptions, see the applicable messages, as mentioned above. The reason codes and their message text are:
  - 04 - LOGONID NOT FOUND
  - 05 - PASSWORD PHRASE NOT MATCHED
  - 06 - PASSWORD NOT ALLOWED FOR LOGONID
  - 07 - PASSWORD REQUIRED FOR LOGONID
  - 08 - UNAUTHORIZED INPUT SOURCE
  - 09 - LOGONID SUBMITTED BY INVALID PROGRAM
  - 10 - LOGONID CANCELED
  - 11 - LOGONID SUSPENDED
  - 12 - PASSWORD NOT MATCHED
  - 13 - LOGONID SUSPENDED FOR PASSWORD VIOLATIONS
  - 14 - LOGONID EXPIRED
  - 15 - INVALID PASSWORD SYNTAX
  - 17 - PASSWORD EXPIRED
  - 18 - OLD PSWD EXPIRED; INVALID SYNTAX FOR NEW
  - 19 - PASSWORD LESS THAN MINIMUM LENGTH
  - 20 - OLD PSWD EXPIRED; NEWPSWD TOO SHORT
  - 21 - PASSWORD EXPIRED AND CANNOT BE ALTERED
  - 22 - MUSASS LOGONID ALREADY IN USE
  - 23 - OLD PSWD EXPIRED; NEW PSWD SAME AS OLD
  - 25 - LOGONID IS NOT ACTIVE
  - 26 - ACCESS DENIED BY INSTALLATION EXIT
  - 29 - PSWD REVALIDATION; PSWD NOT MATCHED
  - 30 - STC LOGONID CANNOT BE USED FOR NORMAL ACCESS
  - 31 - LOGONID DOES NOT HAVE THE STC ATTRIBUTE
  - 32 - LOGONID/SOURCE COMBINATION NOT VALID
  - 33 - INVALID SYNTAX FOR NEW PASSWORD ON NJE JOB
  - 34 - NEW PASSWORD LESS THAN MIN LENGTH ON NJE JOB
  - 35 - SEVPRE OR SEVPOST EXIT FAILED REQUEST
  - 36 - BAD RETURN CODE FROM SEVPRE OR SEVPOST EXIT
  - 37 - NEW PASSWORD DENIED BY INSTALLATION EXIT
  - 38 - LOGONID INHERITANCE NOT ALLOWED FOR LOGNID
  - 39 - INVALID GROUPING STRUCTURE
  - 42 - NEW PASSWORD IS TOO SIMILAR TO OLD PASSWORD
  - 43 - NEW PASSWORD IS TOO LONG AND OLD PASSWORD EXPIRED
  - 44 - PASSWORD PHRASE NOT SET FOR LOGONID
  - 45 - NOT AUTHORIZED FOR ACCESS TO MUSASS
  - 46 - NOT AUTHORIZED TO APPL
  - 47 - NEW PSWD/PHRASE FAILED A GLOBAL SYSTEM OPTION REQUIREMENT
  - 48 - NEW PASSWORD CANNOT CONTAIN RESERVED WORD AND OLD PASSWORD EXPI
  - 49 - FDE FOR ACTIVE AUTH SUPPORT NOT LOCATED
  - 50 - NO AUTHEXIT LIST ENTRY FOUND FOR LIDFIELD
  - 51 - USER AUTH EXTENSION BLOCK NOT PASSED
  - 52 - RSB COULD NOT BE LOCATED FOR AUTH RECORD
  - 53 - INFO-STOR D/B NOT AVAILABLE
  - 54 - D/B FAILURE OCCURED FOR USER AUTH RECORD
  - 55 - ACCESS DENIED BY USER AUTH SUPPORT
  - 56 - USER AUTH DIALOG FACILITY NOT SUPPORTED
  - 57 - STORAGE GETMAIN/FREEMAIN ERROR
  - 60 - ZONE RECORD FOR LOGONID NOT FOUND
  - 61 - LOGON TIME NOT WITHIN SHIFT DEFINED FOR USER
  - 62 - ERROR IN SHIFT PROCESSING ROUTINES
  - 63 - SHIFT RECORD NOT FOUND
  - 64 - MESSAGE RETURNED BY IBM MFA
  - 65 - MESSAGE RETURNED BY CA AAM
  - 66 - CA AAM NEW PIN ACCEPTED
  - 67 - CA AAM ENTER NEW PIN
  - 68 - CA AAM NEW PIN REJECTED, RETRY LOGON
  - 69 - CA AAM FACTOR ACTIVE, AAM NOT ACTIVE
  - 70 - CA AAM RSA SERVER NOT ACTIVE
  - 71 - CA AAM UNKNOWN ERROR DETECTED
  - 72 - CA AAM PASSCODE NOT MATCHED
  - 73 - CA AAM ENTER NEXT TOKEN
  - 74 - CA AAM INVALID NEXT TOKEN, RETRY LOGON
  - 75 - DDB LOGONID ACQUISITION FAILED
  - 76 - LOGONID NOT FOUND FOR DDB ACQUISTION
  - 77 - DDB REMOTE LOGONID UPDATE FAILED
  - 78 - LOGONID NOT FOUND FOR DDB REMOTE UPDATE
  - 92 - OLD PSWD EXPIRED; NEW PSWD MUST HAVE NATL OR USER-DEFINED CHAR
  - 93 - OLD PSWD EXPIRED; NEW PSWD CANNOT HAVE VOWEL CHARACTERS
  - 95 - NO HALFWAY ENCRYPTED PASSWORD IS AVAILABLE FOR USERID
  - 96 - NO LOGONID GIVEN FOR PASSWORD EXTRACT CALL
  - 97 - JOB SUBMITTED ON NON-ACF2 SYSTEM AND NO DEFAULT LOGONID GIVEN
  - 98 - ACF2 NOT INITIALIZED
  - 99 - ERROR DURING PROCESSING
  - 100 - NOT AUTHORIZED FOR GROUP
  - 101 - DDB GET-UPDATE OF LOGONID FAILED
  - 102 - PASSWORD PHRASE NOT ALLOWED FOR LOGONID
  - 103 - OLD PSWD PHRASE EXPIRED; NEW PSWD PHRASE SAME AS OLD
  - 104 - NOT AUTHORIZED TO SECLABEL
  - 105 - NO ROOM IN DATABASE FOR REQUEST
  - 106 - ACF00ERU PROCESSING ERROR FOR LOGONID
  - 108 - PASSWORD PHRASE FOR LOGONID HAS EXPIRED
  - 115 - OLD PSWD EXPIRED; NEW PSWD CANNOT BE SAME AS LOGONID
  - 116 - OLD PSWD EXPIRED; NEW PSWD CANNOT BE ALL NUMERIC
  - 117 - OLD PSWD EXPIRED; NEW PSWD CONTAINS A RESERVED WORD PREFIX
  - 118 - OLD PSWD EXPIRED; NEW PSWD MATCHES A PREVIOUS PSWD
  - 120 - KERBEROS KEY NOT MATCHED
  - 124 - OLD PSWD EXPIRED; NEW PSWD HAS TOO MANY REPEATING CHARS
  - 125 - OLD PSWD EXPIRED; NEW PSWD MUST HAVE AT LEAST ONE NUM CHAR
  - 126 - OLD PSWD EXPIRED; NEW PSWD MUST HAVE AT LEAST ONE ALPHA CHAR
  - 127 - LOGONID RECORD DEQ FAILURE
  - 128 - INVALID SYNTAX FOR NEW PASSWORD; NONE SET
  - 129 - PASSWORD SUCCESSFULLY ALTERED
  - 130 - NEW PSWD LESS THAN MINIMUM LENGTH; NONE SET
  - 131 - NEW PASSWORD EQUALS OLD; NONE SET
  - 132 - NEW PASSWORD NOT ALLOWED
  - 135 - LOGONID SHIFT OVERIDDEN BY LOGSHIFT PRIV
  - 136 - NEW PSWD NOT SET; MINDAYS HAVE NOT PASSED
  - 139 - YOUR LOGONID WILL EXPIRE
  - 140 - YOUR PASSWORD AND LOGONID WILL EXPIRE
  - 142 - NEW PASSWORD IS TOO SIMILAR TO OLD PASSWORD - NONE SET
  - 143 - NEW PASSWORD IS TOO LONG - NONE SET
  - 161 - PASSWORD PHRASE SUCCESSFULLY ALTERED
  - 163 - NEW PASSWORD PHRASE EQUALS OLD
  - 164 - NEW PASSWORD PHRASE NOT ALLOWED
  - 166 - NEW PASSWORD PHRASE NOT SET; MINDAYS HAVE NOT PASSED
  - 167 - YOUR PASSWORD PHRASE AND LOGONID WILL EXPIRE
  - 200 - INVALID PASSWORD/AUTHORITY FOR ID
  - 220 - NEW PSWD/PSWD PHRASE IS INVALID
  - 254 - LOGONID HAS MON-LOG ATTRIBUTE
  - 255 - RETURN CODE FROM INSTALLATION NEWPXIT EXIT
  - 900 - KERBEROS KEY NOT MATCHED

  An asterisk (*) positioned before the reason code indicates a reason code of another product; it is not a CA ACF2 reason code. When an asterisk appears in this column, refer to the documentation for the issuing extended user authentication program specified in the AUTH column of this report. For more information about these and other reason codes, see Messages.
- RSN: A supplementary reason code associated with the main reason code (RC) that explains more specifically why the access was denied or logged. The RSN number corresponds to a more specific, supplementary reason (if one exists) in a CA ACF2 message of the form ACF00xxx or ACF01xxx. Not every logging has a supplementary reason (RSN). For example, if RC is 4 but there is no RSN value, look up the ACF01004 message. However, if RC is 47 (that is, “NEW PSWD OR PSWD PHRASE DOES NOT MEET SITE REQUIREMENTS”) and RSN is “7”, look up message ACF00047, which for reason “7” gives the specific reason why the password or password phrase is invalid, namely “NEW PSWD PHRASE CANNOT CONTAIN LOGONID”. The supplementary reason codes that might be printed at the end of the report are listed below, each with a one-line description. For other supplementary reason code descriptions, see the applicable message codes, as mentioned in the preceding paragraph.
  - 1 - CANNOT CONTAIN LOGONID
  - 2 - CANNOT CONTAIN PART OF NAME
  - 3 - MUST HAVE AT LEAST ONE LOWERCASE CHARACTER
  - 4 - MUST HAVE AT LEAST ONE UPPERCASE CHARACTER
  - 5 - NEW PSWD PHRASE LESS THAN MINIMUM LENGTH
  - 6 - NEW PSWD PHRASE EXCEEDS MAXIMUM LENGTH
  - 7 - NEW PSWD PHRASE CANNOT CONTAIN LOGONID
  - 8 - NEW PSWD PHRASE DOES NOT CONTAIN MINIMUM NUMERIC CHARACTERS
  - 9 - NEW PSWD PHRASE DOES NOT CONTAIN MINIMUM ALPHABETIC CHARACTERS
  - 10 - NEW PSWD PHRASE CONTAINS TOO MANY REPEATING CHARACTER PAIRS
  - 11 - NEW PSWD PHRASE DOES NOT CONTAIN MINIMUM WORDS
  - 12 - NEW PSWD PHRASE DOES NOT CONTAIN MINIMUM SPECIAL CHARACTERS
  - 13 - NEW PSWD PHRASE CONTAINS INVALID CHARACTER(S)
  - 14 - NEW PSWD PHRASE MATCHES A PREVIOUS PSWD PHRASE
- SECLABEL: The security label of the user who is responsible for the SMF logging.
- SOURCE: The logical input source through which the job was submitted.
- SUBMIT'R: The logonid that submitted the job using an invalid logonid. The characters P- preceding the SUBMIT'R value indicate that the job was submitted from a started task and that the name is a started task logonid.
- TIME: The time when the job was validated. The validation date and time generally differ from the reader date and time by only a fraction of a second.
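As an added example (not code from CA ACF2 or from this page), the following Python script applies the RC-to-message mapping from the RC field description and the monitoring guidance from the introduction (excessive password failures, invalid submission paths for restricted logonids) to ACFRPTPW rows exported as text. It assumes whitespace-separated columns as in the sample output above; the PRODBAT, BADSUB and IEBGENER names in the last constructed row are placeholders.

```python
# Added example (not CA ACF2 code): triage ACFRPTPW detail rows exported as text.
# Assumes whitespace-separated columns as in the page's sample and that RC is the
# first all-numeric token after LID ("*" prefix = code from the AUTH product).
import re
from collections import Counter
# Codes the RC description says map to ACF00xxx messages; all others map to ACF01xxx.
ACF00_CODES = {47, 60, 61, 62, 63, 75, 76, 77, 78, 115, 116, 117, 118}
PASSWORD_FAIL = {12, 29}  # PASSWORD NOT MATCHED / PSWD REVALIDATION; PSWD NOT MATCHED
RESTRICTED_PATH = {8, 9}  # UNAUTHORIZED INPUT SOURCE / LOGONID SUBMITTED BY INVALID PROGRAM

def message_id(rc: int) -> str:
    # Message number to look up for a reason code, per the RC field description.
    return f"ACF00{rc:03d}" if rc in ACF00_CODES else f"ACF01{rc:03d}"

def parse_row(line: str):
    # Fields a reviewer needs from one detail row; None for heading and legend lines.
    tok = line.split()
    rc = [i for i in range(4, len(tok) - 1) if re.fullmatch(r"\*?\d+", tok[i])]
    if not rc or not re.fullmatch(r"\d{2}\.\d{3}", tok[0]):
        return None
    i, logged = rc[0], tok[rc[0] + 1] == "*"  # "*" in the L column: permitted and logged
    return {"when": f"{tok[0]} {tok[1]} {tok[2]}", "lid": tok[3], "logged": logged,
            "rc": int(tok[i].lstrip("*")), "from_auth_product": tok[i].startswith("*"),
            "cpu": tok[i + 1 + logged], "defaulted": tok[-1]}

def review(lines, threshold=3):
    # Flag what the page tells security administrators to watch for in this report.
    rows = [r for r in map(parse_row, lines) if r]
    fails = Counter(r["lid"] for r in rows if r["rc"] in PASSWORD_FAIL)
    out = [f"{lid}: {n} password failures (RC 12/29)"
           for lid, n in sorted(fails.items()) if n >= threshold]
    for r in rows:
        if r["from_auth_product"]:
            continue  # the code belongs to the extended user authentication product's docs
        if r["rc"] in RESTRICTED_PATH:
            out.append(f"{r['lid']}: restricted logonid path violation, see {message_id(r['rc'])}")
        elif r["rc"] == 13:
            out.append(f"{r['lid']}: suspended for password violations, see {message_id(13)}")
    return out
# Constructed input: rows taken from the page's sample output plus one made-up RC 9 row
# (PRODBAT, BADSUB and IEBGENER are placeholders) to exercise the submission path check.
SAMPLE = """\
98.308 07/26 13.19 A10AU36 A10AU36 P-LOGON L321 12 SYSB NO
98.308 07/26 13.20 A10AU36 A10AU36 P-LOGON L321 12 SYSB NO
98.308 07/26 13.21 A10AU36 A10AU36 P-LOGON L321 12 SYSB NO
98.308 07/26 13.22 A10AU36 A10AU36 P-LOGON L321 13 SYSB NO
04.215 08/02 16.06 M1ADMN USER01 M1ADMN A59L0902 + 104 XE59 PRJTS2 YES
98.308 07/26 09.30 PRODBAT PRODBAT BADSUB S151 IEBGENER 9 SYSB NO
"""
```

Call `review(SAMPLE.splitlines())` to get the findings for the constructed rows; feed it the lines of a real exported report to triage that instead.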