Step 2: Conditional Password Validation

Protecting Special Resources › AUTOLOG or XAUTOLOG Validation › Step 2: Conditional Password Validation

Step 2: Conditional Password Validation

After optional command limiting validation, CA ACF2 for VM validates conditional passwords for VM systems.

For XAUTOLOG: CA ACF2 for VM for checks if you entered the PROMPT or PASSWORD operands of the XAUTOLOG command. These operands are available to CP privilege class A, B, or G users on VM systems CA ACF2 for VM protects. They have the following definitions:
PROMPT: Prompts for the password of the target virtual machine being autologged.
CA ACF2 for VM issues a message, asking you for your password.
PASSWORD password: Requires the password (in clear text form on the command line) of the target virtual machine being autologged. CA ACF2 for VM rejects the PASSWORD option if password suppression is active. CA ACF2 for VM issues an error message telling you the XAUTOLOG command was rejected because the command format is not valid. CA ACF2 for VM does not log this invalid access attempt. It is regarded as a syntax error. Issue the XAUTOLOG command again, but use the PROMPT operand instead.

If you specify PROMPT or PASSWORD, CA ACF2 for VM validates the password, resulting in:

If you supplied the correct password, the validation continues to Step 3, Resource Rule Validation.
If you supplied an incorrect password, CA ACF2 for VM denies the AUTOLOG, displays a message telling you that the password was incorrect, and records this in the Invalid Password/Authority Log (ACFRPTPW).

If you do not specify the PROMPT or PASSWORD options in the XAUTOLOG command, CA ACF2 for VM determines if you must supply a password:

If the logonid of the target machine has the AUTONOPW privilege or if the logonid of the initiator machine has the AUTOALL privilege, you do not have to enter a password. The system entry process continues to Step 3, Resource Rule Validation.
However, if the AUTONOPW and AUTOALL conditions are not met,
CA ACF2 for VM issues a syntax error message to tell you that the XAUTOLOG failed and you must enter a password. CA ACF2 for VM does not log this invalid access attempt. It is treated as a syntax error. Reenter the XAUTOLOG command with the PROMPT or PASSWORD option.

For AUTOLOG

When CA ACF2 for VM requires a password, you must enter the password following a prompt. You can never enter the password on the command line. If you enter a password on the same line as the AUTOLOG command,
CA ACF2 for VM considers it console input data. Consider this example:

AUTOLOG target [console input data]

If you enter a password on the command line, it appears in clear text and passes to the target machine as a console command. When password suppression is not in effect, control returns to VM native and depends on the SET PASSWORD command. The SET command specifies that

You cannot enter the password on the command line. (This is the default mode when the system is IPLed.) Use the SET and AUTOLOG commands, SET PASSWORD AUTOLOG SEPARATE.
Enter:
```
AUTOLOG target [console input data]
```
You can enter the password on the command line. Use the SET and AUTOLOG commands, SET PASSWORD AUTOLOG INCLUDE.
Enter:
```
AUTOLOG target [password][console input data].
```