

Password Controls

All users, except those defined with a CA Top Secret password of NOPW (no password), must enter a correct password at logon before they can access TSO.

Password Verification

TSO logon password verification is always active, even during the CA Top Secret implementation stages. However, if the CA Top Secret address space is inactive, password verification is controlled by the value assigned to the DOWN control option.

CA Top Secret performs password verification for:

MVS performs normal TSO UADS password verification for:

When a user reconnects to TSO after losing an ACF/VTAM terminal, CA Top Secret validates the userid, the password, and the terminal being used.

Note: For non‑TSO/E environments, the password will not be honored with the LOGON command if enforced password prompting is in effect.

Split‑word passwords should generally not be used if your site uses TSO LOGON Reconnect. If you require split‑word processing, you must disable LOGON Reconnect by setting the TSO LOGON Reconnect interval to 0.

Password Signon Rules: UADS Versus CA Top Secret

Provided that the CA Top Secret user attribute TSOMPW has not been set to support UADS multiple passwords, the following rules outline which password should be entered at logon:

Password Prompting

The PROMPT and NOPROMPT settings discussed in this section apply to TSO/E users who use the TSO/E Logon Panels and supply their password in the indicated field.

The desired method of password entry must be defined in the CA Top Secret Parameter File by the PROMPT operand of the FACILITY control option. There are two settings:

The default is NOPROMPT, which allows TSO users to enter their passwords with the LOGON command.

Penalty for Supplying Password

If the FACILITY(TSO=PROMPT) feature is in effect and a TSO user enters his password with the LOGON command, CA Top Secret locks the user's terminal for approximately ten seconds, issues a message stating that passwords should not be entered with the userid, then prompts the user for a password.

The delay in LOGON execution time and the required reentry of the password are designed to discourage users from entering their passwords with the LOGON command.

Logon Steps

When FACILITY(TSO=PROMPT) is active, a TSO user must log on in the following manner:

  1. Enter:

     LOGON acid

     acid

       Your CA Top Secret ACID.

     CA Top Secret displays the password prompt.

  2. Type your password in the non‑display field.

FACILITY(TSO=NOPROMPT)

If the FACILITY(TSO=NOPROMPT) feature is in effect:

The format for LOGON is:

LOGON acid/password

Multiple Password Support

By default, CA Top Secret does not support UADS structures that allow users to have multiple passwords. Using the CA Top Secret attribute, TSOMPW, administrators can make multiple password support available on a user‑by‑user basis.

The TSOMPW attribute can be added to a user ACID or a profile ACID.

This example indicates that CA Top Secret will support multiple passwords for USER01:

TSS ADDTO(USER01) TSOMPW

Note: This attribute is not honored for ACIDs whose Security Records contain TSO logon data fields. It is also not valid for Security Control Administrators, that is MSCAs, SCAs, LSCAs, ZCAs, VCAs, and DCAs.

If the TSOMPW attribute has been added to a user or a profile, the user must enter the CA Top Secret password first. After entering the CA Top Secret password, the user is asked to enter the UADS passwords.

CA suggests that the UADS password be changed to represent a function. That way, a TSO user logs on to a particular function indicated by the UADS password.

Change Your Password

Provided that the “No Password Change” (NOPWCHG) attribute has not been associated with a TSO user and the “New Password” (NEWPW) control option is not set to NU, users can change their passwords during any LOGON session.

Note: If your password expires, CA Top Secret automatically prompts (or has TSO/E prompt) users for a new password.

Password Expiration for TSO/E

Passwords are valid for the interval of time set by the CA Top Secret PASSWORD attribute. When a password is about to expire, CA Top Secret warns the user:

TSS7003W PASSWORD WILL EXPIRE ON mm/dd/yy.

If desired, the user may enter his new password (or RANDOM) at the time this message is displayed or wait until the expiration date; either way, CA Top Secret will force the user to supply a new password.

If you are running TSO/E, and random password generation is not being used, the following events occur on the password expiration date.

TSS7110E PASSWORD HAS EXPIRED. NEW PASSWORD MISSING.

To make password reverification mandatory, security administrators can use the NPWR suboption of the FACILITY control option. With the NPWR suboption in place, users who specify their own new passwords will be forced to reenter the new password. If the user tries two times (or the number of times indicated by the NPWRTHRESH control option) and cannot reenter the matching password, CA Top Secret issues a TSS7111E message, telling the user that his new password change is invalid.

Password Expiration for Non-TSO/E

If you are not running TSO/E, and random password generation is not being used, the following events occur on the password expiration date:

TSS7110E PASSWORD HAS EXPIRED. NEW PASSWORD MISSING.

TSS7012W *** WARNING *** NEVER USE PERSONAL INFORMATION AS YOUR PASSWORD.

TSS7013W INCLUDING NAMES,LOCATIONS,LICENSE/PHONE NUMBERS, SSN/SIN.

TSS7011A PLEASE Enter YOUR *NEW* PASSWORD OR “RANDOM”.

To make password reverification mandatory, security administrators can use the NPWR suboption of the FACILITY control option. With the NPWR suboption in place, users who specify their own new passwords will be forced to reenter the new password. If the user tries two times (or the number of times indicated by the NPWRTHRESH control option) and cannot reenter the matching password, CA Top Secret issues a TSS7111E message, telling the user that his new password change is invalid.

Random Password Generation

TSO supports random generation of passwords. Automatic generation of random passwords is provided only if NEWPW(RN) is set. A random password is generated at the first logon with an expired password.
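The following is an added example, not CA's code or part of the original page: a small Python audit that reads control-option text and reports the TSO password settings described above (PROMPT/NOPROMPT, NPWR, NPWRTHRESH, and the NEWPW values RN and NU), flagging the weaker choices. It assumes one control option per line, `*` comment lines, comma-separated suboptions, and that a later setting overrides an earlier one; the sample text is constructed.

```python
import re

# Constructed sample control-option text; not taken from a real system.
SAMPLE_PARMFILE = """\
* constructed sample
FACILITY(TSO=NOPROMPT)
FACILITY(TSO=NPWR)
NEWPW(RN)
NPWRTHRESH(3)
"""

OPTION_RE = re.compile(r"^([A-Z]+)\((.*)\)$")

def parse_options(text):
    """Return (option, [operands]) pairs; '*' comment lines are an assumption."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip().upper()
        match = OPTION_RE.match(line)
        if line.startswith("*") or not match:
            continue
        pairs.append((match.group(1), [s.strip() for s in match.group(2).split(",")]))
    return pairs

def audit_tso_password_controls(text):
    """Summarize the TSO password settings this page describes and flag weak ones."""
    prompt, npwr, newpw, attempts = "NOPROMPT", False, [], 2  # defaults per the page
    for name, operands in parse_options(text):
        if name == "FACILITY" and operands[0].startswith("TSO="):
            for sub in [operands[0][4:]] + operands[1:]:
                if sub in ("PROMPT", "NOPROMPT"):
                    prompt = sub  # assumption: a later setting overrides an earlier one
                elif sub == "NPWR":
                    npwr = True
        elif name == "NEWPW":
            newpw = operands
        elif name == "NPWRTHRESH" and operands[0].isdigit():
            attempts = int(operands[0])
    findings = []
    if prompt == "NOPROMPT":
        findings.append("TSO=NOPROMPT: passwords may be typed on the LOGON command")
    if not npwr:
        findings.append("NPWR not set: reverification of new passwords is not mandatory")
    return {"prompt": prompt, "npwr": npwr, "random_pw": "RN" in newpw,
            "user_change_blocked": "NU" in newpw,
            "reverify_attempts": attempts, "findings": findings}
```

Call `audit_tso_password_controls()` with the text of the options you want to review; an empty `findings` list means TSO=PROMPT and NPWR are both in effect.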