VERIFY PHRASE

Description

Use the VERIFY PHRASE command to check that a password or password phrase matches the password or password phrase recorded by an ESM for a user ID. The command returns the values recorded by the ESM for the password or password phrase. This process is called password verification.

Attention: To ensure that passwords are not revealed in system or transaction dumps, clear the password or password phrase fields on the EXEC CICS commands that have a password or password phrase option as soon as possible after use.

A user ID can have both a standard password and a password phrase. If the length of the phrase as specified by PHRASELEN is between 1 and 8 characters, it is treated as a standard password and the ESM checks that the PHRASE value matches the password recorded by the ESM for the user ID. If the length is between 9 and 100 characters, it is treated as a password phrase and the ESM checks that the PHRASE value matches the password phrase recorded for the user ID.

Although the expiry interval is the same for passwords and password phrases, because they are changed independently, there are separate values for the CHANGETIME and DAYSLEFT options. The values returned for these two parameters depend on whether a valid password or a password phrase is used in the VERIFY PHRASE command.

Unlike the EXEC CICS SIGNON command, the VERIFY PHRASE command does not depend upon the principal facility; therefore, it can be issued in non-terminal environments such as web applications.

CICS enforces a full verification request at the first time each day that a user ID is used to log on to the CICS region or is verified through a VERIFY PASSWORD or VERIFY PHRASE command. The full verification request records the date and time of last access for the user ID, and writes user statistics. A full verification is also made if an incorrect password or password phrase is entered, and in the next successful request. In other cases, the command request uses a fastpath method to verify the password or password phrase. For details of the SAF interfaces used, see CICS security control points.

Options

CHANGETIME(data-area)

Returns the date and time the password or password phrase was last changed, in ABSTIME units.

When the ESM is RACF®, the time is shown as midnight.

If the supplied password or password phrase is successfully verified but has expired or is not set in the external security manager, CHANGETIME has no meaning and is shown as -2.

DAYSLEFT(data-area)

Returns the number of days from now until the password or password phrase expires, in a halfword binary field.

If a user has a password or password phrase that does not expire, DAYSLEFT has no meaning and is shown as -1.

If the supplied password or password phrase is successfully verified but has expired or is not set in the external security manager, DAYSLEFT has no meaning and is shown as -2.

ESMREASON(data-area)

Returns the reason code, in a fullword binary field, that CICS receives from the ESM.

If the ESM is RACF, this field is the RACF reason code.

The ESM does not always return response and reason codes to CICS. Make sure that you check the EIBRESP and EIBRESP2 values returned by this command in addition to checking the ESMRESP and ESMREASON values.

ESMRESP(data-area)

Returns the response code, in a fullword binary field, that CICS receives from the ESM.

If the ESM is RACF, this field is the RACF return code.

The ESM does not always return response and reason codes to CICS. Make sure that you check the EIBRESP and EIBRESP2 values returned by this command in addition to checking the ESMRESP and ESMREASON values.

EXPIRYTIME(data-area)

Returns the date and time the password will expire, in ABSTIME units.

When the ESM is RACF, the time is shown as midnight. If a user has a password or password phrase that does not expire, EXPIRYTIME has no meaning and is shown as -1.

If the supplied password or password phrase is successfully verified but has expired or is not set in the external security manager, EXPIRYTIME has no meaning and is shown as -2.

INVALIDCOUNT(data-area)

Returns the number of times, in a halfword binary field, that an invalid password or password phrase was entered for this user.

LASTUSETIME(data-area)

Returns the data and time this user ID was last accessed, in ABSTIME units.

PHRASE(data-area)

Specifies a 1- to 8-character password or a 9- to 100-character password phrase required by the ESM. The other data is not returned if the phrase is not valid.

If the ESM does not allow mixed case passwords, the 1- to 8-character password is converted to uppercase.

PHRASELEN(data-value)

Specifies the length of the password or password phrase as a fullword binary value.

USERID(data-value)

Specifies the user ID associated with the password or password phrase that to be checked.

The user ID supplied is converted to uppercase.

Conditions

16 INVREQ

RESP2 values:

13

The ESM has issued an unknown return code in ESMRESP.

18

The CICS ESM interface is not initialized.

29

The ESM is not responding.

32

The USERID field contains a blank character in an invalid position.

Default action: terminate the task abnormally.

22 LENGERR

RESP2 values:

1

PHRASELEN was out-of-range.

70 NOTAUTH

RESP2 values:

1

The PHRASE field is blank.

2

The supplied password or password phrase is wrong. If the ESM is RACF, the revoke count maintained by RACF is incremented.

However, if ESM RESP = 24, the revoke count is not incremented.

3

A new password or password phrase is required.

17

The USERID is not authorized to use the application.

19

The user ID is revoked.

20

The user's connection to their default group has been revoked.

ESM RESP values:

24

The RACROUTE REQUEST=VERIFY(X) was failed by an ICHRIX01 installation exit routine.

Default action: terminate the task abnormally.

69 USERIDERR

RESP2 values:

8

The user ID is not known to the ESM.

Default action: terminate the task abnormally.