| Record ID | Fields |
|---|---|
| PSWD | MAXTRY(1\|nnn) |
The PSWD VMO record defines logonid password options and controls.
Specifies the maximum number of attempts, including the initial password entry, allowed before the terminal session is canceled. The default is one. The maximum value is 255.
Specifies the minimum number of characters required in a new password. When CA ACF2 for VM is first installed, set MINPSWD to one to allow conversion of the passwords currently in the VM directory. You can raise the minimum at a later time. The old passwords remain valid until you change them or they expire. The default is one. The maximum value is eight.
Specifies the maximum number of invalid password attempts allowed in a single day before CA ACF2 for VM denies all accesses by this logonid. A security administrator can issue the ACFSERVE RESET logonid command to reduce the user's invalid password violation count by one. The default setting is 2. The maximum value is 32,767.
If you do not change the PASSLMT default of 2, a user can enter two invalid passwords and, on his third invalid password, CA ACF2 for VM suspends his logonid. The user can still enter a correct password on his third attempt and gain access to the system.
Important! CA ACF2 for VM does not reset the PSWD‑VIO count after a 24‑hour period. When a user's PSWD‑VIO count is greater than the PASSLMT, CA ACF2 for VM denies access to the system. However, a security administrator can reset this count manually or use the ACFSERVE RESET command to reset the PSWD‑VIO count.
After a 24‑hour period, if a user's PSWD‑VIO count is less than PASSLMT, the PSWD‑VIO and PSWD‑DAT fields remain unchanged until a security administrator modifies them or the first password violation occurs on a new day. In the case of the first password violation, CA ACF2 for VM automatically sets the PSWD‑VIO count to one and sets PSWD‑DAT to the current date.
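The counter behavior described above, as an added Python model (not CA ACF2 code). The `Logonid` class and function names are hypothetical, the dates are constructed, and the handling of a count exactly equal to PASSLMT on a new day is an assumption the page does not spell out.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Logonid:
    pswd_vio: int = 0                 # PSWD-VIO: invalid password count
    pswd_dat: Optional[date] = None   # PSWD-DAT: date the count applies to

def is_denied(lid, passlmt=2):
    """Access is denied once PSWD-VIO is greater than PASSLMT."""
    return lid.pswd_vio > passlmt

def invalid_password(lid, today, passlmt=2):
    """Record one invalid password entered on `today`; return True if denied."""
    if is_denied(lid, passlmt):
        return True                   # no automatic reset, even on a later day
    if lid.pswd_dat != today:
        # First violation on a new day restarts the count at one.
        # Assumption: this also applies when PSWD-VIO equals PASSLMT.
        lid.pswd_vio, lid.pswd_dat = 1, today
    else:
        lid.pswd_vio += 1
    return is_denied(lid, passlmt)

def acfserve_reset(lid):
    """Model of ACFSERVE RESET logonid: lower the violation count by one."""
    lid.pswd_vio = max(0, lid.pswd_vio - 1)

def demo():
    """Constructed timeline with the default PASSLMT of 2."""
    lid = Logonid()
    mon, tue, wed = date(2024, 1, 1), date(2024, 1, 2), date(2024, 1, 3)
    trace = [invalid_password(lid, mon), invalid_password(lid, mon)]  # count 1, 2
    trace.append(invalid_password(lid, tue))   # new day: count restarts at 1
    trace.append(invalid_password(lid, tue))   # count 2
    trace.append(invalid_password(lid, tue))   # count 3 > PASSLMT: denied
    trace.append(invalid_password(lid, wed))   # a new day does not clear it
    acfserve_reset(lid)                        # administrator lowers count to 2
    trace.append(is_denied(lid))
    return trace
```

The model shows why a suspended logonid stays suspended until an administrator acts: once the count exceeds PASSLMT, a date change alone never lowers it.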
Specifies whether CA ACF2 for VM requires at least one alphabetic (a-z or A‑Z) character to be present in a new password. The default is NOPSWDALPH, which specifies that CA ACF2 for VM will not validate the new password for at least one alphabetic character.
Specifies whether you can enter a new password at logon. The default is PSWDALT, which allows password alteration. You can also change the PASSWORD field of your logonid record with the ACF CHANGE command to change your password. To prevent such changes, redefine the PASSWORD field in the @CFDE macro of the CA ACF2 for VM Field Definition Record (ACFFDR). See the Installation Guide for further details on defining the logonid record.
Specifies whether you are forced to change the password at the next logon whenever someone other than yourself (such as a security administrator or account manager) changes the password. You should not use the NOPSWDALT and PSWDFRC operands together. If you set PSWDFRC, CA ACF2 for VM uses the PSWDALT option. The default is PSWDFRC.
Specifies whether users can enter new passwords that match previous passwords. CA ACF2 for VM remembers the user's last four passwords (the current password and the previous three). The default is NOPSWDHST, which specifies that password history is not checked.
Note: PSWDHST implements the support formerly found in the sample NEWPXIT. If PSWDHST is used, remove password history checking from NEWPXIT or remove NEWPXIT. If both are present, CA ACF2 for VM remembers only two passwords instead of four.
Note: See the PSWXHIST option (extended password history) if more than four remembered passwords are desired.
Specifies whether CA ACF2 for VM requires at least one lowercase (a-z) character in a new password. The default is NOPSWDLC, which specifies that CA ACF2 for VM does not require at least one lowercase (a-z) character in a new password.
Note: Changes to this parameter take effect at the next password change of the user.
Specifies whether CA ACF2 for VM will check if a new password matches the logonid. PSWDLID specifies that new passwords will be checked and rejected if they match the logonid. The default is NOPSWDLID, which specifies that passwords are not checked for logonid match.
Specifies the global value for the maximum number of days (based on the date specified in the PSWD-TOD field) permitted between password changes before the password expires. Any non-zero value in the LIDREC MAXDAYS field will override this value for validations. A zero in the LIDREC MAXDAYS field will also override this value if the LIDZMAX flag is also set in the LIDREC. PSWDMAX(0) specifies that there is no global value set; only the value in the LIDREC MAXDAYS field will be used for validations.
Specifies the global value for the minimum number of days that must elapse before a user can change his password. Any non-zero value in the LIDREC MINDAYS field will override this value for validations. A zero in the LIDREC MINDAYS field will also override this value if the LIDZMIN flag is also set in the LIDREC. PSWDMIN(0) specifies that there is no global value set; only the value in the LIDREC MINDAYS field will be used for validations.
Note: If there are currently non-zero values in the MAXDAYS and MINDAYS fields for a LIDREC and you would now like the global value to apply, you must do the following:
change lidrec maxdays(0) mindays(0)
If there is currently a zero value for either field and you want the zero to apply, you must set the LIDZMAX flag for the MAXDAYS zero value to apply and the LIDZMIN flag for the MINDAYS zero value to apply.
Specifies passwords are case sensitive. PSWDMIXD is a global setting for all logonids and goes into effect as passwords are changed. The default is NOPSWDMIXD.
Once PSWDMIXD is on, existing (current) passwords are not affected. That is, they can be entered in any combination of uppercase and lowercase characters, and they are always uppercased before password validation is performed. Once a user has changed their password while PSWDMIXD is on, their password becomes case-sensitive. If PSWDMIXD is turned off, their password remains case-sensitive until they set a new password while NOPSWDMIXD is set. The PSWD-MIX field in the logonid record indicates that the current password is case-sensitive.
Note: Before setting PSWDMIXD on, read "Considerations for Mixed-Case Passwords" carefully.
Specifies whether users can change their passwords with the ACF CHANGE command. The default is NOPSWDNCH, which permits password changes through the ACF CHANGE command. This option does not affect administrators who are changing the passwords of other users. (It does affect administrators changing their own passwords.)
The purpose of the PSWDNCH option is to require users to change their passwords only at system entry. PSWDNCH can also be used with the NOPSWDALT option to require all password changes to be done by security administrators.
Specifies that CA ACF2 for VM requires at least one numeric (0‑9) character in a new password. The default is NOPSWDNMIC, which specifies that CA ACF2 for VM will not validate the new password for at least one numeric character.
Specifies whether CA ACF2 for VM will check if a new password is all numeric. PSWDNUM specifies that new passwords will be checked and rejected if they contain only numerics (digits 0‑9). The default is NOPSWDNUM, which specifies that passwords are not checked for all numeric characters.
Specifies that only n (0 to 4) number of consecutively repeated pairs of characters in a new password be allowed. The default is 0, which specifies that CA ACF2 for VM will not validate the new password for consecutively repeating pairs of characters.
For example, when PSWDPAIR(1) is specified, a new password can contain up to one consecutively repeating pair of characters. So a valid new password can be 'RABBIT', 'NEEDED', or 'NEWPSWD'. However, CA ACF2 for VM will disallow 'RABBBIT' because 'BBB' is considered to be two consecutively repeating pairs of characters.
Note: PSWDPAIR(4) allows eight duplicate characters, for example 'AAAAAAAA'. This specification is the same as PSWDPAIR(0).
Specifies the non‑alphanumeric characters that CA ACF2 for VM allows in a new password in addition to the default password characters, which are alphanumeric (a‑z, A‑Z, 0‑9) and national (@ # $). You can choose from 12 supported non‑alphanumeric characters. By default, none are specified.
The following are the supported non‑alphanumeric characters:
| Character name | Character | Notes |
|---|---|---|
| Asterisk | * | |
| Ampersand | & | |
| Caret | ^ | |
| Colon | : | |
| Equal sign | = | |
| Hyphen | - | |
| Exclamation Mark | ! | |
| Period | . | |
| Percentage | % | |
| Question | ? | |
| Underscore | _ | |
| Vertical Line | \| | |
Note: The PSWDPLST cannot override the default characters, which are the alphanumeric and national characters.
Example: When PSWDPLST(& * ‑) is specified, a valid password can contain ampersand(&), asterisk(*), and hyphen(‑) characters. The following are examples of valid passwords:
'NEW$PWD', 'NEW*PS&D', '123$PSWD', 'NEWPSWD@' or '$NEW‑PSWD'
Note: While CA ACF2 for VM and CA ACF2 for z/OS and OS/390 support the special characters @, #, and $, these characters are special characters to VM. The # character is the default LINEND character. When this character is encountered in an input line, the line splits at that point. The @ is the default CHARDEL character. When this character is encountered in an input line, the previous character is deleted as if the @ was a destructive backspace. Because of this, do not use these two characters in a password that VM uses. The only way that you can use them is to place the ESCAPE character (by default, ") before the @ or #. The ESCAPE character causes the @ and # to be treated as standard characters instead of special characters.
Specifies whether a new password must contain at least one national or user-defined character. The default is NOPSWDSPLT.
Note: If a user-defined character list, PSWDPLST, is not specified, then the new password can only contain characters from the national character set.
Example: When PSWDSPLT and PSWDPLST(& %) are specified, then a valid password must contain either a national or user-defined (& %) character. The following are examples of valid passwords:
'BIG&RED', 'BIG%RED', 'BIG$RED', or '456%RED'
Example: When PSWDSPLT and PSWDPLST() are specified, then a valid password must contain a national character. The following are examples of valid passwords:
'N$EWPASS', or 'NEWPAS$S'
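The new-password syntax options described so far (MINPSWD, PSWDALPH, PSWDLID, PSWDNMIC, PSWDNUM, PSWDPAIR, PSWDPLST, PSWDSPLT), combined into one checker as an added Python example that is not CA ACF2 code. The class and function names are hypothetical; counting 'BBB' as two pairs follows the page's example, and treating PSWDPAIR(4) as no check is an assumption based on the page's note that it equals PSWDPAIR(0).

```python
from dataclasses import dataclass

NATIONAL = set("@#$")               # default national characters
PLST_CHOICES = set("*&^:=-!.%?_|")  # the 12 characters PSWDPLST can enable

@dataclass
class PswdOptions:
    """Subset of the PSWD VMO options, initialized to the page's defaults."""
    minpswd: int = 1
    pswdpair: int = 0        # 0 = no repeated-pair check
    pswdplst: str = ""       # extra characters enabled by PSWDPLST
    pswdsplt: bool = False   # require a national or PSWDPLST character
    pswdalph: bool = False   # require at least one alphabetic character
    pswdnmic: bool = False   # require at least one numeric character
    pswdnum: bool = False    # reject all-numeric passwords
    pswdlid: bool = False    # reject a password equal to the logonid

def repeated_pairs(password):
    """Count adjacent equal characters, so 'BBB' counts as two pairs."""
    return sum(a == b for a, b in zip(password, password[1:]))

def check_new_password(password, logonid, opts):
    """Return the names of the options the candidate password violates."""
    extra = set(opts.pswdplst)
    if not extra <= PLST_CHOICES:
        raise ValueError("PSWDPLST accepts only the 12 listed characters")
    special = NATIONAL | extra
    failed = []
    if len(password) < opts.minpswd:
        failed.append("MINPSWD")
    if any(not (c.isascii() and c.isalnum()) and c not in special
           for c in password):
        failed.append("PSWDPLST")    # character outside the allowed set
    if opts.pswdsplt and not any(c in special for c in password):
        failed.append("PSWDSPLT")
    # Assumption: PSWDPAIR(4) behaves like PSWDPAIR(0), per the page's note.
    if opts.pswdpair not in (0, 4) and repeated_pairs(password) > opts.pswdpair:
        failed.append("PSWDPAIR")
    if opts.pswdalph and not any(c.isalpha() for c in password):
        failed.append("PSWDALPH")
    if opts.pswdnmic and not any(c.isdigit() for c in password):
        failed.append("PSWDNMIC")
    if opts.pswdnum and password.isdigit():
        failed.append("PSWDNUM")
    if opts.pswdlid and password.upper() == logonid.upper():
        failed.append("PSWDLID")
    return failed
```

Running the page's own sample passwords through `check_new_password` is a quick way to confirm a planned option set before changing the VMO record.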
Specifies whether users can enter new passwords that begin with a reserved word prefix. The default is NOPSWDRSV, which specifies that passwords are not checked for reserved word prefixes. The list of reserved prefixes is specified in the VMO RESWORD infostorage record.
Specifies whether CA ACF2 for VM requires at least one uppercase (A-Z) character in a new password. The default is NOPSWDUC, which specifies that CA ACF2 for VM does not require at least one uppercase (A‑Z) character in a new password.
Note: Changes to this parameter take effect at the next password change of the user.
Specifies whether a new password can contain uppercase or lowercase vowel (A, E, I, O, U, a, e, i, o, u) characters. If NOPSWDVOWL is specified, vowels are not allowed. CA ACF2 for VM stores the password as uppercase. The default is PSWDVOWL.
Specifies that if an administrator is changing a password on behalf of another user and that password will be immediately expired, the password history will not be updated to include the temporary password that the administrator assigns.
Specifies that Extended Password History is to be used. This is an extension of password history, which is specified using the PSWDHST field. With PSWDHST, four previous passwords are checked against the new password. You can extend this support to check up to 64 previous passwords. The number of previous passwords is determined by the value in PSWXHST(nn). Note that PSWDHST still works the same when NOPSWXHIST is specified. The default is NOPSWXHIST, which specifies that extended password history is not active. When PSWXHIST is on, previous passwords are stored in a PROFILE(USER) DIV(PASSWORD) record in the INFOSTG database where the record name is the same as the logonid.
NOTE: If you currently use NEWPXIT to maintain password history, be aware of the following:
To help make this decision, let's look at an example: Suppose you have three user defined old password and TOD stamp fields in addition to the four provided by the original NEWPXIT code. That means you maintain seven old passwords altogether. If you set the VMO PSWD record to PSWXHIST PSWXHST(7) then seven old passwords will be maintained by CA ACF2 for VM. Note that PSWXHST(nn) could be set higher than 7 if desired. When a password is changed, NEWPXIT pushes down all the old passwords, updating the first four CA ACF2 for VM defined fields and the three user defined fields. PSWXHIST processing will leave the first four fields alone since they have already been updated by NEWPXIT, and it will save the rest of the passwords in the PROFILE(USER) DIV(PASSWORD) record for the logonid. After the user's password has been changed three times, the NEWPXIT user defined fields and the PROFILE(USER) DIV(PASSWORD) record fields will be in sync. Once this has been accomplished for all logonids with passwords, NEWPXIT can safely be removed.
The number of previous passwords to be retained when PSWXHIST is specified. A value of 0 or a value between 5 and 64 is valid. Values 1, 2, 3 and 4 are not valid because the password history that is maintained using PSWDHST keeps the first four previous passwords. If less than five previous passwords need to be retained, then specify PSWDHST NOPSWXHIST PSWXHST(0). The default is 0.
Copyright © 2009 CA Technologies. All rights reserved.