A fix is available
APAR status
Closed as new function.
Error description
New Function
Local fix
N/A
Problem summary
****************************************************************
* USERS AFFECTED:
*   All z/OS 2.2 (HBB77A0) and above environments.
****************************************************************
* PROBLEM DESCRIPTION:
*   New Function - Password phrase support for MCS consoles.
****************************************************************
* RECOMMENDATION:
*   Apply the appropriate PTF.
****************************************************************
New Function - Password phrase support for MCS consoles.
Problem conclusion
Temporary fix
Comments
z/OS MCS operator console support is being enhanced to support
the use of password phrases to authenticate a user ID when
logging on as a z/OS operator. This will supplement the existing
support for standard (maximum of eight-characters) passwords.
Because a console password phrase can provide an exponentially
greater number of possible combinations of characters than a
standard password, the use of console password phrases can
improve system security and enhance usability.

A console password phrase is a character string consisting of
letters, numbers, and special characters including blanks.

Syntax rules for z/OS MCS operator console password phrases:
- When specified, console password phrases must be enclosed
  within single quotation marks (e.g., 'Fred Loves Wilma') but
  the quotation marks are not part of the password phrase.
- Maximum length: 45 characters (excludes enclosing quotes)
- If a single quotation mark is intended to be part of the
  password phrase (e.g., Fred's), you must not double up the
  quotation mark (e.g., the phrase 'Fred's house Rocks' would be
  correct. Enclosing single quotes are required and not doubled
  up.).
- Any additional syntax rules as specified by your security
  product. For the z/OS Security Server rules, see Security
  Server RACF Security Administrator's Guide (SA23-2289)
  Chapter 3, heading Assigning password phrases.

By default, z/OS will continue to use the existing
eight-character password support. If you want to allow an
operator to log on using a console password phrase, the security
administrator must enable this feature. When the security
profile MVS.CONSOLE.PASSWORDPHRASE.CHECK is defined in the
OPERCMDS class in the security product, MCS operator password
phrase support is enabled. To return to only using the
eight-character password support, the profile
MVS.CONSOLE.PASSWORDPHRASE.CHECK must be deleted from the
security product.
The use of console password phrases is determined when a console
becomes active or is placed in standby mode. If the password
state is changed in the security product while the console is
active, the previous password state will continue to be used by
that console until the console is reactivated.

There are several ways to reactivate a console so the new
password state is used:
- Place the console in standby mode (VARY CN(*),STANDBY) and
  remove from STANDBY state by pressing the enter key.
- Vary the console offline (VARY CN(cnname),OFFLINE) and then
  back online (VARY CN(cnname),ONLINE). Note that the online
  request must be made from another active console.
- Re-IPL the system.
- Note that SMCS consoles do not support standby so must be
  logged off and then reconnected to z/OS.
- Note that on an MCS console, just issuing the LOGOFF command
  and then re-logging on with the LOGON command is NOT
  sufficient to change the password state.

While requiring consoles to go through these state changes may
seem cumbersome, it is expected that the migration to console
password phrases is going to be performed only once. This
support allows the change to be made without an IPL.

When requesting a new console password phrase, the operator must
verify the new password phrase (called a verification password
phrase) by specifying the new password phrase again. The
verification password phrase must match exactly (including the
enclosing quotes) the new password phrase.

For operator logon processing, if your installation wishes to
permit console password phrases in addition to passwords, your
security administrator can enable this. When the security
profile MVS.CONSOLE.PASSWORDPHRASE.CHECK is defined in the
OPERCMDS class, password phrases are enabled. After enabling
console password phrases, active consoles need to be recycled to
pick up the setting. If the console is not recycled, the
8-character password processing remains in effect for that
console.
There are several ways to recycle the console so the new
password state is used.
- Place the console in standby mode (VARY CN(*),STANDBY) and
  then take the console out of standby mode by pressing the
  enter key on the console.
- Vary the console offline (VARY CN(cnname),OFFLINE) and then
  back online (VARY CN(cnname),ONLINE). Note that the online
  request must be made from another active console.
- Re-IPL the system.
- Note that SMCS consoles do not support standby so must be
  logged off and then reconnected to z/OS.

Note that during the process of an operator logging on, z/OS may
issue messages referring to passwords. In these messages,
passwords mean either passwords (8-byte variety) or password
phrases.
____________________________________________________________
The following publications will be modified for this support...
  z/OS MVS Data Areas Volume 1 (ABE-IAR) (GA32-0935)
  z/OS MVS Installation Exits (SA23-1381)
  z/OS MVS Planning Operations (SA23-1390)
  z/OS MVS System Commands (SA38-0666)
  z/OS MVS System Messages Volume 7 (IEB-IEE) (SA38-0674)
_____________________________________________________________
z/OS MVS Data Areas Volume 1 (ABE-IAR) (GA32-0935)
_____________________________________________________________
:
CNZMYLGN heading information
:
Function:
:
| If console password phrases are enabled, the discriminator
| field CnzLgnOpndPType will contain X'FF' (Cnz_LgnOpndPP) and
| the password area mapped by field CnzLgnPPCurrPhrase and
| CnzLgnPPNewPhrase will be zero (X'00').
:
CNZMYLGN mapping

Table 1. Structure CNZ_TLGNSTR

  Offset  Offset
  Dec     Hex     Type       Len  Name(Dim)
  0       (0)     STRUCTURE  0    CNZ_TLGNSTR
  0       (0)     CHARACTER  5    CNZLGNSTRKEYWORDLOGON
  5       (5)     CHARACTER  1
  6       (6)     CHARACTER  120  CNZLGNSTROPERAND
  6       (6)     CHARACTER  8    CNZLGNOPNDUSERID
| 14      (E)     BITSTRING  1    CNZLGNOPNDPTYPE
|                                   X'40' Password phrases are not enabled
|                                   X'FF' Password phrases are enabled
| 15      (F)     CHARACTER  110  CNZLGNOPNDUNION
| 15      (F)     CHARACTER  98   CNZLGNOPND
  15      (F)     CHARACTER  8    CNZLGNOPNDKEYWORDPASSWORD
  23      (17)    CHARACTER  1
  24      (18)    CHARACTER  26   CNZLGNOPNDPASSWORD
  50      (32)    CHARACTER  1
  51      (33)    CHARACTER  11   CNZLGNOPNDKEYWORDOLDNEWNEW
  62      (3E)    CHARACTER  18
  80      (50)    CHARACTER  5    CNZLGNOPNDKEYWORDGROUP
  85      (55)    CHARACTER  1
  86      (56)    CHARACTER  8    CNZLGNOPNDGROUP
  94      (5E)    CHARACTER  1
  95      (5F)    CHARACTER  8    CNZLGNOPNDKEYWORDSECLABEL
  103     (67)    CHARACTER  1
  104     (68)    CHARACTER  8    CNZLGNOPNDSECLABEL
  112     (70)    CHARACTER  1    CNZLGNOPNDTRAILINGBLANK
| 15      (F)     CHARACTER  110  CNZLGNPP
| 15      (F)     CHARACTER  47   CNZLGNPPCURRPHRASE
| 62      (3E)    CHARACTER  47   CNZLGNPPNEWPHRASE
| 109     (6D)    CHARACTER  8    CNZLGNPPGROUP
| 117     (75)    CHARACTER  8    CNZLGNPPSECLABEL
| 117     (75)    X'40'      0    CNZ_LGNOPNDPW "64" Password phrases are not enabled
| 117     (75)    X'FF'      0    CNZ_LGNOPNDPP "255" Password phrases are enabled
  126     (7E)    X'7E'      0    CNZ_TLGNSTR_LEN "*-CNZ_tLgnStr"

Table 2. Cross Reference for CNZMYLGN

  Name                         Offset  Hex Tag
  ____________________________________________
| CNZ_LGNOPNDPP                75      FF
| CNZ_LGNOPNDPW                75      40
  CNZ_TLGNSTR                  0
  CNZ_TLGNSTR_LEN              7E      7E
| CNZLGNOPND                   F
  CNZLGNOPNDGROUP              56
  CNZLGNOPNDKEYWORDGROUP       50
  CNZLGNOPNDKEYWORDOLDNEWNEW   33
  CNZLGNOPNDKEYWORDPASSWORD    F
  CNZLGNOPNDKEYWORDSECLABEL    5F
  CNZLGNOPNDPASSWORD           18
| CNZLGNOPNDPTYPE              E
  CNZLGNOPNDSECLABEL           68
  CNZLGNOPNDTRAILINGBLANK      70
| CNZLGNOPNDUNION              F
  CNZLGNOPNDUSERID             6
| CNZLGNPP                     F
| CNZLGNPPCURRPHRASE           F
| CNZLGNPPGROUP                6D
| CNZLGNPPNEWPHRASE            3E
| CNZLGNPPSECLABEL             75
  CNZLGNSTRKEYWORDLOGON        0
  CNZLGNSTROPERAND             6
__________________________________________________________
z/OS MVS Installation Exits (SA23-1381)
__________________________________________________________
:
Chapter 46. MVS Command Installation Exit
  Exit Routine Processing
    Programming Considerations
:
| The LOGON command has been architected such that all keywords
| and keyword values appear in the same position when the LOGON
| command is issued. There are two formats of the command
| depending on if console password phrases are permitted or not.
|
| A discriminator is provided so you can determine which format
| is being used. All LOGON commands are issued as if they were
| issued from a typical console that is 80 columns wide. For the
| architected LOGON mapping, see CNZMYLGN in z/OS MVS Data
| Areas.
|
| When the discriminator value (CNZLGNOPNDPTYPE) is '40'x, use
| (CNZ_LGNOPNDPW) to map LOGON information when password
| phrases are not enabled.
|
| When the discriminator value (CNZLGNOPNDPTYPE) is 'FF'x, use
| (CNZ_LGNOPNDPP) to map LOGON information when password
| phrases are enabled.
|
| Note that the system does not substitute text for system
| symbols specified in the LOGON command.
____________________________________________________________
z/OS MVS System Commands (SA38-0666)
____________________________________________________________
Chapter 1.
System operations
  Starting, loading, and initializing the system
    Logging on to the system (new 3rd paragraph)

| The security administrator can enable Consoles password
| phrase support on a system by defining a security profile to
| cover the MVS.CONSOLE.PASSWORDPHRASE.CHECK resource in
| the OPERCMDS class. There is no authority access checking
| from a userid perspective. The Consoles function checks for
| the existence of the profile, and if the profile exists, the
| new LOGON panel display is revealed which will allow for
| either the new password phrase input or the standard eight
| (8) character password.

Chapter 4. MVS system commands reference
  LOGON command
    LOGON Syntax

Complete syntax for the LOGON prompt follows the message:

8-character password prompt:

  IEE187I ENTER LOGON PARAMETERS
  LOGON {userid} PASSWORD {password}
  GROUP [racfgroup] SECLABEL [label]

| Password phrase prompt:
|
| IEE187I ENTER LOGON PARAMETERS
| LOGON {userid} PW {password}
| GROUP [racfgroup] NEWPW [new password]
| SECLABEL [label] VERPW [verification password]

Parameters

LOGON {userid}
  The panel displays the LOGON prompt in a protected field. The
  userid is a 9-character field where you enter your operator
  userid. The userid parameter is required.

PASSWORD {password}
| When the security profile MVS.CONSOLE.PASSWORDPHRASE.CHECK
| is not defined, the panel displays the PASSWORD prompt.
  The password is a 26-character field where you enter your
  password of up to 8 characters. The input to this field is not
  displayed. The password field allows you to change your
  password by using the
  old-password/new-password/new-password format. The password
  parameter is required.

| PW {password-phrase}
| If your security administrator has indicated password
| phrases are permitted for z/OS operators (the security
| profile MVS.CONSOLE.PASSWORDPHRASE.CHECK is defined), the
| panel displays the PW prompt. The password is a field where
| you enter your password (up to 8 characters, no enclosing
| single quotation marks) or password phrase (enclosed within
| single quotation marks).
|
| Syntax rules for console password phrases:
| - Password phrases must be enclosed within single quotation
|   marks (for example, 'Fred Loves Wilma') but the quotation
|   marks are not part of the password phrase.
| - Maximum length: 45 characters (not counting the enclosing
|   quotation marks).
| - If a single quotation mark is intended to be part of the
|   password phrase (for example, Fred's), you must not double
|   up the quotation mark (for example, the phrase 'Fred's
|   house Rocks' would be correct while 'Fred''s house Rocks'
|   would not be correct. Enclosing single quotes are required
|   and not doubled up).
| - Any additional syntax rules as specified by your security
|   product. For z/OS Security Server rules, see Security
|   Server RACF Security Administrator's Guide (SA23-2289)
|   Chapter 3, heading Assigning password phrases.
|
| Note: The PW password parameter is required if your security
|       administrator has indicated console password phrases
|       are required for z/OS operators.
|
| NEWPW {new password}
| The panel displays the NEWPW prompt if your security
| administrator has indicated password phrases are permitted
| for z/OS operators (the security profile
| MVS.CONSOLE.PASSWORDPHRASE.CHECK is defined). The new
| password is a field where you enter your new password or
| new password phrase. The syntax rules for the new
| password are the same as the password or password phrase
| descriptions above. When accepted by your security
| product, this will become your new password or password
| phrase. The new console password phrase is optional.
|
| VERPW
| The panel displays the VERPW prompt in a protected field
| if your security administrator has indicated password
| phrases are permitted for z/OS operators (i.e., the
| security profile MVS.CONSOLE.PASSWORDPHRASE.CHECK is
| defined). The verification password is a field where you
| enter the identical specification of what you specified
| for the new password. The syntax rules for the
| verification password phrase are the same as the password
| or password phrase descriptions above. The verification
| password parameter is required if the NEWPW new password
| is non-blank.
:
Notes:
12. The following messages may be displayed on the operator
    console's instruction line (the line above the logon
    prompt):
:
| IEE187I ENTER LOGON PARAMETERS -NEW PASSWORD MUST BE
|         ENCLOSED IN QUOTES
:
| IEE187I ENTER LOGON PARAMETERS -PASSWORD MUST BE
|         ENCLOSED IN QUOTES
:
| IEE187I ENTER LOGON PARAMETERS -USERID/PASSWORD NOT
|         AUTHORIZED
_______________________________________________________
z/OS MVS System Messages Volume 7 (IEB-IEE) (SA38-0674)
_______________________________________________________
IEE186I
:
Module
:
| IEECVET4
:
Routing code
:
| add "Note 6" (The message is not issued by a WTO/R macro)

IEE187I ENTER LOGON PARAMETERS {text}

Explanation
text is one of the following:
:
| NEW PASSWORD MUST BE ENCLOSED IN QUOTES
| PASSWORD MUST BE ENCLOSED IN QUOTES
| USERID/PASSWORD NOT AUTHORIZED
:
in the message text:
:
| NEW PASSWORD MUST BE ENCLOSED IN QUOTES
|   The operator attempted to log on specifying a new password
|   that must be enclosed in single quotation marks.
|
| PASSWORD MUST BE ENCLOSED IN QUOTES
|   The operator attempted to log on specifying a password that
|   must be enclosed in quotation marks.
|
| USERID/PASSWORD NOT AUTHORIZED
|   The operator attempted to log on with a userid or password
|   that was not accepted by the security product.
:
Operator response
:
| NEW PASSWORD MUST BE ENCLOSED IN QUOTES
| PASSWORD MUST BE ENCLOSED IN QUOTES
|   When specifying console password phrases, ensure they are
|   enclosed in single quotation marks.
| USERID/PASSWORD NOT AUTHORIZED
|   Specify a valid userid and password combination.
:
IEE342I
:
Module
:
| Remove IEECVET4
:
_________________________________________________________
The following locations will be updated with the text below...

z/OS MVS Planning Operations (SA23-1390)
Chapter 2. Defining console configuration
Sections:
  Choosing how to define your console configuration
    (see below text)
  SMCS console considerations
    Providing security for SMCS consoles (see below text)
  Planning console security (see below text)
    Using RACF to control command authority and operator logon
      Using RACF to authorize console operators and command use
        (see below text)

New text...

| Consoles password phrase support becomes enabled on a system
| when the security profile is defined. There is no authority
| access checking from a userid perspective.
| The Consoles function checks for the existence of a
| security profile in the OPERCMDS class to cover the
| MVS.CONSOLE.PASSWORDPHRASE.CHECK resource.
| For example, the following RACF command can be used to define
| the profile...
|
| RDEFINE OPERCMDS (MVS.CONSOLE.PASSWORDPHRASE.CHECK)
|
| If the profile exists, the new LOGON panel display is
| revealed which will allow for either the new password phrase
| input or the standard eight (8) character passwords.
| After enabling password phrases, active consoles need to be
| recycled to pick up the setting. If the console is not
| recycled, the 8-character password processing remains in
| effect for that console. There are several ways to recycle
| the console so the new password state is used:
| - Place the console in standby mode (VARY CN(*),STANDBY) and
|   then take the console out of standby mode by pressing the
|   enter key on the console.
| - Vary the console offline (VARY CN(cnname),OFFLINE) and then
|   back online (VARY CN(cnname),ONLINE). Note that the online
|   request must be made from another active console.
| - Re-IPL the system.
|
| Note that SMCS consoles do not support standby, so they must
| be logged off and then reconnected to z/OS.
|
| Note that during the process of an operator logging on, z/OS
| may issue messages referring to passwords. In these messages,
| passwords mean either passwords (8-byte variety) or password
| phrases.

×**** PE19/10/23 FIX IN ERROR. SEE APAR OA58544 FOR DESCRIPTION
×**** PE19/10/18 FIX IN ERROR. SEE APAR OA58544 FOR DESCRIPTION
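
The discriminator rule given above for command installation exits (CNZLGNOPNDPTYPE at offset 14 selects the CNZLGNOPND or CNZLGNPP layout), sketched as an added example in Python; it is not IBM code and not part of this APAR. Offsets and lengths are taken from Table 1. The function and class names, the cp037 code page, and the sample values OPER1/SYS1/SYSLOW are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

EBCDIC = "cp037"      # assumption: fields hold only A-Z, 0-9 and blanks
TLGNSTR_LEN = 0x7E    # CNZ_TLGNSTR_LEN
PTYPE_OFF = 14        # CNZLGNOPNDPTYPE
PTYPE_PW = 0x40       # CNZ_LGNOPNDPW: password phrases not enabled
PTYPE_PP = 0xFF       # CNZ_LGNOPNDPP: password phrases enabled

# (offset, length) pairs copied from Table 1 of the CNZMYLGN mapping.
USERID = (6, 8)                                          # CNZLGNOPNDUSERID
PW_FIELDS = {"group": (86, 8), "seclabel": (104, 8)}     # CNZLGNOPND
PP_FIELDS = {"group": (109, 8), "seclabel": (117, 8)}    # CNZLGNPP
PP_PHRASES = [(15, 47), (62, 47)]  # CNZLGNPPCURRPHRASE, CNZLGNPPNEWPHRASE


@dataclass
class LogonInfo:
    fmt: str                        # "password" or "phrase"
    userid: str
    group: str
    seclabel: str
    phrases_zeroed: Optional[bool]  # None when the password format is used


def _text(buf: bytes, off: int, length: int) -> str:
    return buf[off:off + length].decode(EBCDIC).strip(" \x00")


def parse_logon(buf: bytes) -> LogonInfo:
    """Map a CNZ_TLGNSTR buffer; the secret areas are never returned."""
    if len(buf) != TLGNSTR_LEN:
        raise ValueError(f"expected {TLGNSTR_LEN} bytes, got {len(buf)}")
    if _text(buf, 0, 5) != "LOGON":
        raise ValueError("CNZLGNSTRKEYWORDLOGON is not LOGON")
    ptype = buf[PTYPE_OFF]
    if ptype == PTYPE_PW:
        fmt, fields, zeroed = "password", PW_FIELDS, None
    elif ptype == PTYPE_PP:
        fmt, fields = "phrase", PP_FIELDS
        zeroed = all(not any(buf[o:o + n]) for o, n in PP_PHRASES)
    else:
        # Fail closed: guessing a layout reads fields at the wrong offsets.
        raise ValueError(f"unknown CNZLGNOPNDPTYPE X'{ptype:02X}'")
    return LogonInfo(fmt, _text(buf, *USERID),
                     _text(buf, *fields["group"]),
                     _text(buf, *fields["seclabel"]), zeroed)


def sample_buffer(ptype: int) -> bytes:
    """Constructed test input (not captured data): OPER1 / SYS1 / SYSLOW."""
    buf = bytearray(b"\x40" * TLGNSTR_LEN)          # EBCDIC blanks
    fields = PP_FIELDS if ptype == PTYPE_PP else PW_FIELDS
    for value, (off, _) in (("LOGON", (0, 5)), ("OPER1", USERID),
                            ("SYS1", fields["group"]),
                            ("SYSLOW", fields["seclabel"])):
        buf[off:off + len(value)] = value.encode(EBCDIC)
    buf[PTYPE_OFF] = ptype
    if ptype == PTYPE_PP:
        for off, n in PP_PHRASES:
            buf[off:off + n] = bytes(n)             # phrase areas are X'00'
    return bytes(buf)
```

Code that assumes the pre-APAR layout would look for GROUP at offset 86, which falls inside CNZLGNPPNEWPHRASE once phrases are enabled, so existing exits and log parsers should be checked for hard-coded offsets.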
APAR Information
APAR number
OA54790
Reported component name
DIDOCS
Reported component ID
5752SC1C4
Reported release
7A0
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
YesSpecatt / New Function / Xsystem
Submitted date
2018-01-25
Closed date
2018-09-20
Last modified date
2019-11-27
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UA97482 UA97483
Modules/Macros
IEECVETE IEECVETF IEECVETD IEECVFTG IEECVETA IEECVFTA IEECVET6 IEE8103D IEECVET4 IEECV6CX CNZK1LOL IEECVET8 CNZMYLGN IEETDCM IEECVET1 IEE5403D IEAVMQWR IEE6903D IEEMB904 IEE0403D IEECVETU IEECVETV IEECVSCU IEECVETZ IEECVFTW IEE5103D IEECVSCR
SA38066600 | SA23138100 | SA38067400 | GA32093500 | SA23139000 |
Fix information
Fixed component name
DIDOCS
Fixed component ID
5752SC1C4
Applicable component levels
Fix is available
Document Information
Modified date:
27 November 2019