APPC password expiration management

APPC password expiration management (PEM) with CICS® provides receive support for an APPC architected sign-on transaction.

Stabilization notice: Support for APPC PEM is stabilized. The PEM server does not support password phrases. To support authentication with password phrases when using CICS Transaction Gateway, you must migrate from APPC to IP interconnectivity (IPIC) and change your application code to use a current External Security Interface (ESI) API such as CICS_VerifyPassword and CICS_ChangePassword as described in the CICS Transaction Gateway for Multiplatforms product documentation.
Note: In the information about APPC PEM, sign-on is used in the sense defined in the APPC architecture, which is different from the meaning used elsewhere in CICS documentation.

What APPC PEM does

APPC PEM with CICS provides receive support for an APPC architected sign-on transaction that verifies user ID, password pairs, and processes requests for a password change by:
  • Identifying a user and authenticating that user's identification
  • Notifying specific users during the authentication process that their passwords have expired
  • Letting users change their passwords when (or before) the passwords expire
  • Telling users how long their current passwords will remain valid
  • Providing information about unauthorized attempts to access the system using a particular user identifier

Benefits of APPC PEM

APPC PEM has the following benefits:
  • It enables users to update passwords on APPC links.

    This can be particularly useful in the case of expired passwords. On APPC links that do not support APPC PEM, when users' passwords expire on remote systems, they are unable to update them from their own systems. The only alternative on a non-APPC PEM system is to log on directly to the remote system using a non-APPC link, such as an LU2 3270-emulation session, to update the password.

  • It provides APPC users with additional information regarding their sign-on status; for example, the date and time at which they last signed on.
  • It informs users whether their userid is revoked, or the password has expired, when they provide the correct password or PassTicket.

Sample program

You might find it useful to copy and modify an example program. For your guidance, a sample program is shipped in library CICSTS56.CICS.SDFHSAMP. The program is DFH$SNPW, the PEM sample program for Windows NT.