Activating passwordpreprompt support

To provide additional security to the installation by requiring the user to provide both the user ID and password before allowing any additional access, follow these steps:

Set the PASSWORDPREPROMPT parameter, on the LOGON statement in the SYS1.PARMLIB member of IKJTSOxx, to ON.
Use the MVS™ SET IKJTSO=xx or TSO/E PARMLIB UPDATE(xx) command to update the system setting.

This forces the user to provide both the user ID and the password before further processing can occur. If either item is incorrect, then message

USERID OR PASSWORD IS INCORRECT OR NOT
AUTHORIZED

is issued. If a passticket is used in place of a password it will be accepted, but the user's password will not be able to be changed during this logon.

Note: TSO/E Logon Exits may need to be updated before activating PASSWORDPREPROMPT. Exit processing that affects the TSO/E user ID or password may not work as expected.

Note: Once activated, users defined to UADS and not RACF will not be able to log on unless RACF is not active.

Note:

This note is applicable to z/OS V2R4 and earlier releases of TSO/E if the applicable PTF for APAR OA59926 has been installed.

If the VERIFYAPPL parameter on the LOGON statement of the active IKJTSOxx parmlib member is ON, and if PASSWORD PREPROMPT determines that it is necessary to issue a RACROUTE REQUEST=VERIFY during the logon preprompt processing, an APPL= parameter (specifying the application name) is added to the RACROUTE request. If RACF determines that the user entered a valid userid and password credential, but the user is not permitted to the specified APPL, preprompt terminates with messages IKJ56420I and IKJ56418I issued to the user, and with an ICH408I message issued to the console to identify the user and application to which the user is not permitted.