IBM Support

Unable to change expired password using CA ACF2

Troubleshooting


Problem

You applied CICS Transaction Server maintenance and now you are unable to reset expired passwords when using the CICS Web interface. You are not prompted to change the password. You are using CA ACF2 for security.

Cause

Missing a CA ACF2 security fix TA5968F.

Note: This fix referenced in this item applied to earlier releases of CICS. This item contains some diagnosing information for CA ACF2 that can be useful on later releases..

Diagnosing The Problem

This problem occurs because an ACF2 administrator is manually expiring a user password so you could test the new CICS maintenance to verify that the user would get prompted to reset their passwords.

CICS works the following way:

  1. User logs on with a userid and password
  2. CICS issues an extract request and gets returned Passdate and Passint
  3. PASSDATE (date last changed) and PASSINT (password interval) are used to determine if the password is expired.

The password is expired if either one of the following is true:
  • PASSDATE is zero ( password reset by administrator)
  • OR the current date is after PASSDATE+PASSINT.

If the Administrator had manually reset the Password Expiration the following information is passed back to CICS for the EXTRACT request:

PASSDATE was 22 January and PASSINT was 60 days. The current date was within the limit so is not expired.

The password is compared to the one returned by the External Security Manager. If it matches, it is accepted.

The information returned indicates that the password is valid for another 50 days and the password supplied matches the one in the ESM. Based on this information, the password is accepted.

In ACF2, to expire the password you issue the following ACF2 command:

CHANGE CX0055 PSWD-EXP.

This sets a flag in the ACF2 profile that the password is expired and under all non-CWI logon methods requires the user to immediately enter a new password. If you set this user ID to have a password interval of one day, then the CICS Web interface would issue the password prompt as expected.

CICS extracts several fields from the ESM (LJDATE, LJTIME, REVOKECT, PASSDATE, PASSINT, PASSWORD). To check if the password has expired it is expecting PASSDATE to be zero or the current date to be greater than PASSDATE + PASSINT. When using RACF, PASSDATE is zero when the password has been reset by the administrator (and so expired automatically) or a revoked userid has been resumed.

ACF2 has a password expired bit to indicate that a password has been expired by means of an administrator command. This does not seem to affect the date last changed or the expiry interval. The bit is checked when you issue a VERIFY with PASSCHK=YES and an expired response is returned if the bit is on.

Resolving The Problem

CA ACF2 fix TA5968F applies to an earlier release of CICS, but the information in the diagnosing section can be useful for later releases.

[{"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Component":"Security","Platform":[{"code":"PF035","label":"z\/OS"}],"Version":"5.1;4.2;4.1;3.2;3.1","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}}]

Product Synonym

CICS/TS CICS TS CICS Transaction Server

Document Information

Modified date:
15 June 2018

UID

swg21082652