

NEWPW—Restrict Password Alterations

Valid on z/OS and z/VM.

Use the NEWPW control option to set restrictions on creating a new password. The restrictions apply to the following users:

NEWPW restrictions do not apply when an administrative ACID enters a new password with the TSS command. If no NEWPW control option is set in the parameter file when CA Top Secret starts, the NEWPW control option defaults to the following settings:

NEWPW(MIN=04,MAX=008,WARN=03,MINDAYS=01,NR=0,ID,TS,RS)

The option has the following format:

TSS MODIFY NEWPW ([FA],[FN],[ID],[MASK=mask],[MC],[MAX=n],[MIN=n],
                     [MINDAYS=nn],[NM],[NO],[NR=n],[NU],[NV],[RN],[RS],[RT],[SC],
                     [SW],[TS],[LC],[UC],[WARN=nn])

By default, passwords can contain the following components:

Use the following options to construct your site's local password standards:

Important! If you change one of the options, you must also respecify other active options (except MIN, MAX, WARN, and MINDAYS), even if the options are not being changed; otherwise, the product deactivates the options.

FA

Forces specification of at least one alphabetic character in a new password. When MC is also set, lowercase and uppercase alphabetic characters can be used.

FN

Forces specification of at least one numeric character in a new password.

ID

Prevents a user from specifying a new password that:

For example, a user with a USERNAME field value of "Percy Snorthammer" is prohibited from entering new passwords like SNORT or PERC56 (Percy's ACID). When MC is also set, SnoRT and pERc56 are prohibited.

MASK=mask

Allows the security administrator to create a mask to dictate the type of character that is accepted for each position in a password. CA Top Secret applies this mask to user-initiated and randomly generated password changes. The following character types are used in the mask:

An entry of MASK=vnvn could generate password A5I6.

If more than one of the options MASK, NM, and NV are specified, the mask takes the value of the rightmost option.

When MC is also set, the alphabetic mask characters a, c, v, and x are satisfied by an uppercase or lowercase letter. For example, "a" and "A" are considered vowels.

MAX=n

Specifies the maximum password length.

Note: This entry can be set only when the security file has been copied by TSSXTEND with the option NEWPWBLOCK.

Minimum: Set by the MIN=n option

Maximum: 8 bytes

Default: 8 (If NEWPW is specified again and MAX is omitted, the previous value of MAX is preserved.)

MIN=n

Selects the minimum length of a password or the mask used to generate random passwords.

Range: 1 to 8

Default: 4 (If NEWPW is specified again and MIN is omitted, the previous value of MIN is preserved.)

MC

Indicates that passwords are processed in mixed-case format. This entry can be set only when the security file has been copied by TSSXTEND with the option NEWPWBLOCK. z/OS 1.7 or higher is required to use mixed-case passwords during system entry validation.

Note: Applications that do not support mixed-case passwords convert the password to uppercase, which can cause a password verification failure. If an application does not support mixed-case passwords, use the MULTIPW attribute of the FACILITY control option to allow a different password to be specified for that facility. Any passwords for that facility must be specified in uppercase. For more information about using the MULTIPW keyword, see the CA Top Secret Command Functions Guide.

MINDAYS=nn

Sets the number of days after a password has been changed that users cannot change their password again. To have no limitation on how frequently a password can be changed, specify MINDAYS=00.

Range: 00 through 99

Default: 01 (If NEWPW is respecified and MINDAYS is omitted, the previous value of MINDAYS is preserved.)

Note: MINDAYS is applicable only for user ACIDs and does not apply when administrative ACIDs change their password at signon. MINDAYS is not applicable to users who have a non-expiring password.

NM

Indicates that a new password can contain only numbers. NM is the equivalent of MASK=NNNNNNNN. If MASK, NM, or NV is specified in NEWPW, only the rightmost option is in effect.

NO

Indicates that only the MIN= and MINDAYS= suboptions apply to new passwords. WARN= remains in effect.

NR=n

Specifies the number of pairs of repeating characters allowed in a new password. NR or NR=0 indicates that no characters can be repeated.

When MC is also set, a repeated alphabetic character counts as a repetition whether it appears in uppercase or lowercase. For example, rABbiT contains a repetition of "B" despite the change in case.

Default: If NR is specified without =n, the default is NR=0. Omitting NR triggers a default NR value that matches the setting for MAX. For example, if you specify MAX=8 but omit NR, the product generates a default setting of NR=8, which allows eight pairs of repeating characters in a new password.

NU

Prevents non-administrative users from changing their passwords.

Note: PWADMIN(YES) is not applicable to the NU setting.

NV

Indicates that vowels cannot appear in a new password. NV is the equivalent of MASK=XXXXXXXX. If options MASK, NM, and NV are specified, only the rightmost option is in effect. If MC is also set, NV is satisfied by any lowercase or uppercase nonvowel.

RN

Specifies that CA Top Secret randomly generates a password for users whose password expires (if the FACILITY control option contains RNDPW). If the NEWPW option does not have RN set, a user can still specify a random password by typing RANDOM in the new password field at logon.

Note: If the FACILITY control option does not contain RNDPW, CA Top Secret ignores this RN option. Additionally, STC and BATCH facilities do not support this feature.

Random password generation is always uppercase, regardless of whether MC is set.

Note: PWADMIN(YES) is not applicable to the RN setting.

RS

Prevents the user from specifying a new password whose initial characters match one of the password prefix entries in the restricted password (RPW) list. When MC is set, the product checks the RPW list for uppercase and original mixed-case formats of the prefix.

RT

Prevents the user from specifying a new password that contains any string that matches an entry from the restricted password (RPW) list. The restriction applies regardless of where the string occurs within the password. When MC is set, the product checks the RPW list for uppercase and original mixed-case formats of the string.

SC

Specifies that all new passwords must have at least one character selected from the PASSCHAR list. If a list is not defined, this option is ignored. This option is global. Implementing this option is the administrator's responsibility.

Note: Some applications or operating systems might not accept special characters in passwords.

SW

Specifies that the new password must contain a special character ($, @, #) between the first and last position. The following examples show samples of this type of password:

BIG$RED, I$AM@ME

TS

Prevents users from specifying a password that is too similar to the previous password. If any of the following conditions exist, a new password is considered to be too similar:

New passwords that are identical to previous passwords are always rejected, regardless of the NEWPW setting. When MC is set, both password history checking and TS processing test for mixed-case and uppercase equivalents.

LC

Specifies that the new password must contain at least one lowercase letter.

Note: Before you set this option, the MC option must be specified.

UC

Specifies that the new password must contain at least one uppercase letter. Before you set this option, the MC option must be specified.

WARN=nn

Specifies the number of days leading up to expiration during which users receive warnings that their passwords or ACIDs are about to expire.

Example: WARN=3 specifies that a user receives a warning during each of the last 3 days before expiration occurs.

Default: 3 (If you respecify NEWPW and omit WARN, the product preserves the previous value of WARN.)

Example: Deny Password Use Based on a PGMR String

This example prevents a user from specifying a new password that contains one of the entries in the restricted password list. The entry can be any string that occurs within the password.

TSS MODIFY NEWPW(MIN=04,MAX=008,WARN=03,MINDAYS=01,NR=0,ID,TS,RT)

For this example, the restricted password list contains the entry PGMR. Later, a user needs a password change and tries to use the password STARPGMR; however, PGMR exists in the restricted password list, making the password unacceptable. If the ACID tries 12PGMR34 as the new password, the same rejection occurs.
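The following checker, added here as an illustration and not part of CA Top Secret or this guide, applies the NEWPW rules described above (MIN, MAX, FA, FN, NR, SW, RT, RS and MASK) to a candidate password and reports which options it violates; it reproduces the STARPGMR and 12PGMR34 rejections from this example. Repetition counting as adjacent case-insensitive pairs, the mask letters v, n and x meaning vowel, digit and non-vowel, and the RPW list contents are assumptions; ID and TS, which need the USERNAME and the previous password, are not modelled.

```python
VOWELS = set("AEIOU")
SPECIALS = set("$@#")  # the special characters named under the SW option

def repeat_pairs(pw):
    """Count adjacent pairs of identical characters, ignoring case (rABbiT -> 1, as under MC)."""
    u = pw.upper()
    return sum(1 for a, b in zip(u, u[1:]) if a == b)

def mask_matches(pw, mask):
    """Position-by-position mask check. Assumed types: v=vowel, n=digit, x=any non-vowel."""
    if len(pw) > len(mask):
        return False
    for ch, kind in zip(pw.upper(), mask.lower()):
        if kind == "v" and ch not in VOWELS:
            return False
        if kind == "n" and not ch.isdigit():
            return False
        if kind == "x" and ch in VOWELS:
            return False
    return True

def check_newpw(pw, opts, rpw_list=()):
    """Return the NEWPW options the candidate violates (empty list means accepted)."""
    failures = []
    u = pw.upper()
    rpw = [e.upper() for e in rpw_list]  # constructed sample RPW list supplied by the caller
    max_len = opts.get("MAX", 8)
    if len(pw) < opts.get("MIN", 4):
        failures.append("MIN")
    if len(pw) > max_len:
        failures.append("MAX")
    if opts.get("FA") and not any(c.isalpha() for c in pw):
        failures.append("FA")
    if opts.get("FN") and not any(c.isdigit() for c in pw):
        failures.append("FN")
    if repeat_pairs(pw) > opts.get("NR", max_len):  # omitted NR defaults to MAX
        failures.append("NR")
    if opts.get("SW") and not any(c in SPECIALS for c in pw[1:-1]):
        failures.append("SW")
    if opts.get("RT") and any(e in u for e in rpw):  # RPW string anywhere in the password
        failures.append("RT")
    if opts.get("RS") and any(u.startswith(e) for e in rpw):  # RPW entry as a prefix
        failures.append("RS")
    if "MASK" in opts and not mask_matches(pw, opts["MASK"]):
        failures.append("MASK")
    return failures

# Policy from the example above: NEWPW(MIN=04,MAX=008,WARN=03,MINDAYS=01,NR=0,ID,TS,RT)
EXAMPLE_POLICY = {"MIN": 4, "MAX": 8, "NR": 0, "ID": True, "TS": True, "RT": True}
```

With the RPW list ["PGMR"], check_newpw("STARPGMR", EXAMPLE_POLICY, ["PGMR"]) returns ["RT"], and "rABbiT" fails NR=0 because of the Bb pair.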

More information:

FACILITY—System Facility Processing

RPW—View and Modify the Restricted Password List