
PM77494: RACF PASSWORD PHRASE SUPPORT FOR IMS V12

A fix is available


APAR status

  • Closed as new function.

Error description

  • Provide an enhancement for RACF password phrase support
    in IMS V12.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All IMS V12 users using RACF terminal        *
    *                 security.                                    *
    ****************************************************************
    * PROBLEM DESCRIPTION: RACF password phrase support for        *
    *                      IMS V12.                                *
    ****************************************************************
    * RECOMMENDATION: INSTALL CORRECTIVE SERVICE FOR APAR/PTF      *
    ****************************************************************
    Support RACF password phrase for IMS V12.
    

Problem conclusion

Temporary fix

Comments

  • The following parts have been modified.
    
    DFSICLZ0:  Add check for password phrase and handle it
               correctly.
    
    ICLI:      New flags to show that a password phrase has been
               used and also to show whether the signoff was called
               internally.
    
    DFSICIO1:  Save the password phrase because it is mixed case
               and restore it after the command gets translated
               to upper case.
    
    DFSNCS40:  Add new function to extract parameters within
               quotes.
               Add check for password phrase and handle it
               correctly.
    
    DFSCNXA0:  Add code to support password phrase as input from
               VTAM logon data.  (Note: there is currently no
               support for NEWPW)
    
    DFSNCLS:   Add new function to extract password phrase.
    
    DFSRCFS0:  Add code to pass password phrase to RACF.
    
    DFSNCS10:  Add code to support password phrase.
    
    DFSSGNP:   Add code to be able to pass password phrase to
               user exits.
    
    DFSCAUT0 and DFSDASP0 have been modified to clear out new
               password phrase parms.
    
    NOTE: The IMS default MFS panels have not been changed to
    support password phrases.
    
    
    Documentation Changes:
    
    SC19301000 Commands, Volume 2: IMS Commands N-V
    
    Change the /SIGN command as follows:
    
                |-ON----------|
    >>--/SIGN --|-------------|---userid--|A|---|----------------<>
                |-PASSPHRASE--|                 |
                |-PASSPHRASEQ-|                 |
                |-OFF---------------------------|
    
    A:
    
    |-|------------------|---|------------|--|---------------|---->
      |-USERD - userdesc-|   |-userpw-----|  |-APPL-applname-|
                             |-PassTicket-|
                             |-passphr----|
    
    >-|-------------------|--------------------------------------->
      |-GROUP - groupname-|
    
    
    >-|------------------|------------------------|--|----------|->
      |-NEWPW-|-nuserpw--|--|---------------------|  |-userdata-|
              |-npassphr-|  |-VERIFY-|-nuserpw--|-|
                                     |-npassphr-|
    
    
    For valid password phrases see:
    z/OS Security Server RACF System Programmer's Guide.
    
    
    Add the following keywords to the /SIGN command:
    
    PASSPHRASE
    The /SIGN command will use RACF password phrases instead of
    passwords.  A RACF password phrase can be up to 100 bytes.
    IMS will use 100 bytes as password phrase and will remove
    leading and trailing blanks before passing it to RACF.
    RACF password phrases will be used for password, NEWPW and
    VERIFY.  RACF doesn't allow mixing passwords and password
    phrases.  For example, if PASSPHRASE is specified on the /SIGN
    command, and if NEWPW or VERIFY are also specified,
    then they must specify password phrases for all keywords,
    or passwords (less than 9 characters) for all keywords.
    A blank is necessary after PASSPHRASE.  There must be a
    blank between the 100 character password phrase and the
    next keyword.  Note that a period within the 100 characters
    will not end the /SIGN command.  If there is no additional
    keyword after the password phrase then the password phrase
    doesn't need to have trailing blanks.
    If a password phrase is less than 9 bytes, IMS will pass the
    password phrase as password to RACF.
    The PASSPHRASE keyword is most likely used together with
    MFS panels that fill the password phrase with trailing
    blanks.
    RACF password phrases are always mixed case.  It is not
    necessary to turn on mixed case password for password phrases.
    The IMS default MFS panels have not been changed to
    support password phrases.
    
    PASSPHRASEQ
    The /SIGN command will use RACF password phrases instead of
    passwords. The password phrase needs to start with a single
    quote and end with a single quote.  If a quote is part of the
    password phrase, two single quotes need to be specified.  IMS
    will remove the single quotes at the beginning and ending of
    the password phrase and also removes one single quote if there
    are two single quotes following each other. PASSPHRASEQ needs
    to have at least one blank before the single quote.  The
    password phrase can be up to 100 characters.  If the password
    phrase is less than 9 characters, IMS will pass it as a
    password to RACF.
    RACF doesn't allow mixing passwords and password
    phrases.  For example, if PASSPHRASE is specified on the /SIGN
    command, and if NEWPW or VERIFY are also specified,
    then they must specify password phrases for all keywords,
    or passwords (less than 9 characters) for all keywords.
    RACF password phrases are always mixed case.  It is not
    necessary to turn on mixed case password for password phrases.
    
    
    passphr
    
    Is a 9 to 100 character password phrase that is associated
    with the user identification.
    If PASSPHRASE is specified then the password phrase must be
    100 characters.
    If PASSPHRASEQ is specified the password phrase must be
    enclosed in quotes.  If the password phrase consists of one
    or more quotes then two single quotes need to be specified
    for each quote in the password phrase.
    
    
    npassphr
    
    Is a 9 to 100 character password phrase that is associated
    with the user identification.
    If PASSPHRASE is specified then the password phrase must be
    100 characters.
    If PASSPHRASEQ is specified the password phrase must be
    enclosed in quotes.  If the password phrase consists of one
    or more quotes then two single quotes need to be specified
    for each quote in the password phrase.
    
    
    Add to the NEWPW keyword:
    
    If /SIGN PASSPHRASE is used then a password phrase of up to
    100 bytes follows the keyword.
    
    If /SIGN PASSPHRASEQ is used then the password phrase
    must be within single quotes.
    
    Add to the VERIFY keyword:
    
    If /SIGN PASSPHRASE is used then a password phrase of up to
    100 bytes follows the keyword.
    
    If /SIGN PASSPHRASEQ is used then the password phrase
    must be within single quotes.
    
    Add the following under USERID:
    
    RACF password phrases can be used for USERID.
    
    Add the following under Usage Notes:
    
    /SIGN command is enhanced to use password phrases.
    For definition of password phrases and valid phrases that
    can be defined, refer to the:
    z/OS Security Server RACF System Programmer's Guide.
    
    
    Add the following samples to the /SIGN command:
    
    Example 4 for /SIGN command with RACF password phrase
    
    Entry ET:
    
    /SIGN PASSPHRASEQ IMSUS03 'this is my ''password'' now'
    
    Response ET:
    
    DFS3650I SESSION STATUS FOR IMS
    
    DATE: 06/07/13      TIME: 15:26:42
    NODE NAME:            L3270A
    USERID:               IMSUS03
    PRESET DESTINATION:
    
    CURRENT SESSION STATUS:
    
    NO OUTPUT SECURITY AVAILABLE
    
    Explanation: The user with user ID IMSUS03 and password phrase
    this is my 'password' now has successfully signed on to a
    static terminal.
    
    Example 5 for /SIGN command with RACF password phrase
    
    Entry ET:
    
    /SIGN PASSPHRASE IMSUS03 this is my 'password' now.
    
    Response ET:
    
    DFS3650I SESSION STATUS FOR IMS
    
    DATE: 06/07/13      TIME: 15:36:42
    NODE NAME:            L3270A
    USERID:               IMSUS03
    PRESET DESTINATION:
    
    CURRENT SESSION STATUS:
    
    NO OUTPUT SECURITY AVAILABLE
    
    Explanation: The user with user ID IMSUS03 and password phrase
    this is my 'password' now.
    has successfully signed on to a static terminal.  Note that
    the period is part of the password phrase in this example.
    Also no trailing blanks have been added in this example.
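
The PASSPHRASEQ quoting rules and Example 4, modelled in Python as an added illustration (not IBM code, and not how the IMS modules implement the support). The function names are hypothetical, and only the userid, passphr, NEWPW and VERIFY operands are modelled, with keywords assumed to arrive in upper case.

```python
import re

MAX_LEN = 100          # page: a password phrase can be up to 100 characters
MIN_PHRASE_LEN = 9     # page: shorter values are passed to RACF as a password

def quote_passphrase(phrase):
    """Encode a phrase as a PASSPHRASEQ operand: wrap in quotes, double inner quotes."""
    if not 1 <= len(phrase) <= MAX_LEN:
        raise ValueError("phrase must be 1 to 100 characters")
    return "'" + phrase.replace("'", "''") + "'"

def read_quoted(text, pos):
    """Decode one quoted operand starting at text[pos]; return (phrase, next_pos)."""
    if pos >= len(text) or text[pos] != "'":
        raise ValueError("operand must start with a single quote")
    out, i = [], pos + 1
    while i < len(text):
        if text[i] != "'":
            out.append(text[i])
            i += 1
        elif text[i + 1:i + 2] == "'":    # two quotes in a row -> one literal quote
            out.append("'")
            i += 2
        else:                             # a lone quote closes the operand
            phrase = "".join(out)
            if len(phrase) > MAX_LEN:
                raise ValueError("phrase longer than 100 characters")
            return phrase, i + 1
    raise ValueError("unterminated quoted operand")

def kind(value):  # which RACF credential type the value is passed as
    return "passphrase" if len(value) >= MIN_PHRASE_LEN else "password"

def parse_sign_passphraseq(command):
    """Model of: /SIGN PASSPHRASEQ userid 'phrase' [NEWPW 'new'] [VERIFY 'new']."""
    m = re.match(r"/SIGN\s+PASSPHRASEQ\s+(\S+)\s+", command)
    if not m:
        raise ValueError("not a /SIGN PASSPHRASEQ command")
    result = {"userid": m.group(1)}
    result["passphr"], pos = read_quoted(command, m.end())
    for keyword in ("NEWPW", "VERIFY"):
        k = re.compile(r"\s+" + keyword + r"\s+").match(command, pos)
        if k:
            result[keyword], pos = read_quoted(command, k.end())
    values = [v for key, v in result.items() if key != "userid"]
    if len({kind(v) for v in values}) > 1:   # page: passwords and phrases cannot be mixed
        raise ValueError("passwords and password phrases cannot be mixed")
    result["kind"] = kind(result["passphr"])
    return result
```

Running `parse_sign_passphraseq` on the Example 4 entry yields the phrase with single inner quotes, and a command that pairs a password phrase with a NEWPW value shorter than 9 characters is rejected.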
    
    
    Add the following text to the /OPNDST command under UDATA:
    
    RACF password phrases are not supported with UDATA.
    
    
    
    
    GC19301900  Release Planning
    
    Add that IMS V12 will now support RACF password phrases.  The
    /SIGN command has been enhanced to support RACF password
    phrases.
    IMS also supports password phrases when passed by VTAM logon
    data, but it's not possible to change the password phrase using
    VTAM logon data.
    The /OPN command doesn't support password phrases.
    
    Additional keywords:
    CMDSIG
    

APAR Information

  • APAR number

    PM77494

  • Reported component name

    IMS V12

  • Reported component ID

    5635A0300

  • Reported release

    200

  • Status

    CLOSED UR1

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / New Function / Xsystem

  • Submitted date

    2012-11-20

  • Closed date

    2013-09-30

  • Last modified date

    2013-12-18

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    PM85849 UK98070 UK98071

Modules/Macros

  •    DFSCAUT0 DFSCNXA0 DFSDASP0 DFSICIO1 DFSICLZ0
    DFSNCS10 DFSNCS40 DFSRCFS0 DFSSGNP  ICLI
    

Publications Referenced
GC19301900 SC19301000

Fix information

  • Fixed component name

    IMS V12

  • Fixed component ID

    5635A0300

Applicable component levels

  • R200 PSY UK98070

       UP13/10/02 P F310

  • R202 PSY UK98071

       UP13/10/03 P F310

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Modified date:
14 December 2020