Modify password for user ID
Component: SRPMNUC
Functional area: User management
Domain: USER-ADMINISTRATION
Privileges: STD-PROCESSING
Routing code: @
Function
With the MODIFY-USER-PROTECTION command, users can define a password for their user ID, change this password or delete it. The password for a user ID is part of the user entry in the user catalog. The MODIFY-USER-PROTECTION command will only be executed if the user entry contains an appropriate authorization for the user ID (see output field PASSWORD-MGMT, SHOW-USER-ATTRIBUTES command).
Long passwords
In BS2000/OSD-BC V2.0 and above, users can define a “long password” to protect their user IDs. A long password is at least 9 and at most 32 characters long. The long password mechanism allows users to select passwords which are easy to remember while satisfying data protection requirements because of the large range of possible combinations.
When a 9 to 32-character password is entered, a hash algorithm converts the long password to an 8-byte password. The converted 8-byte password is stored in the system (encrypted as appropriate) for password checking purposes.
The following commands support the long password mechanism:
ENTER-JOB and ENTER-PROCEDURE
PRINT-DOCUMENT
SET-LOGON-PARAMETERS
SET-RFA-CONNECTION
TRANSFER-FILE
In cases where the long password mechanism is not supported, the user must find out and enter the converted 8-byte password.
There are various ways to do this:
The SDF-P subsystem is available on the local system: The converted password can be ascertained with the HASH-STRING builtin function. The function is called with the parameters STRING='<long_password>' and LENGTH=8 (see also the “SDF-P” manual [34]). As the STRING parameter, unlike the password interface, is case-sensitive, the long password must be entered in upper case. With commands and statements (SDF interface), expression substitution can be used, i.e. the password operand can, for example, be specified as follows (see also the example at the end of this section):
PASSWORD='&(TO-C-LIT(HASH-STRING(STRING='long_password',LENGTH=8)))'
If the SDF interface is not being used, an S variable is assigned the result of the builtin function and SHOW-VARIABLE is used to output the variable value as an X literal (as the converted string can also contain nonenterable characters). This variable value is entered as password (<x-string>) at the input interface.
The SDF-P subsystem is not available on the local system:
If the local system has access to another system on which SDF-P is available, the converted 8-byte password can be ascertained with HASH-STRING as described above.
The converted 8-byte password can be requested from systems support staff (unless encryption is in force on the system).
The user ID in question can temporarily be assigned a “short” password.
Whether SDF-P is present or not, with TRANSFER-FILE the name of an FT profile (FTAC authorization profile) can be specified instead of the LOGON authorization.
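The conversion procedure described above, modelled in Python as an added illustration (this is not Fujitsu's code, and the page does not give the HASH-STRING algorithm). The `hash_string()` function below is a labelled stand-in, truncated SHA-256, that reproduces only the documented properties: a 9 to 32 character input, a case-sensitive STRING parameter, and an 8-byte result that may contain non-enterable bytes and therefore has to be handed to other interfaces as an `<x-string>`. Its output consequently does not match the `X'E611BB422CDB4FA5'` shown in the manual's example, and the printable-character check uses ASCII ranges although the real system is EBCDIC-based; `to_x_literal()`, `from_x_literal()`, `needs_x_string()` and `converted_password()` are names chosen here.

```python
"""Model of the "long password" conversion procedure described above.

Added illustration, not Fujitsu's code.  The real HASH-STRING algorithm is
not given on this page, so hash_string() is a labelled stand-in (truncated
SHA-256) that only reproduces the documented properties: 9..32 character
input, case-sensitive STRING parameter, and an 8-byte result that may
contain non-enterable bytes.  Its output therefore does NOT match the
X'E611BB422CDB4FA5' shown in the manual's example.
"""
import hashlib


def hash_string(string: str, length: int = 8) -> bytes:
    """Stand-in for the SDF-P builtin HASH-STRING(STRING=..., LENGTH=8).

    Case-sensitive on purpose: the manual notes that STRING, unlike the
    password interface, distinguishes upper and lower case, so the caller
    must upper-case the long password (see converted_password()).
    """
    if not 9 <= len(string) <= 32:
        raise ValueError("a long password has 9 to 32 characters")
    if length != 8:
        raise ValueError("passwords are converted with LENGTH=8")
    # Hypothetical algorithm: first `length` bytes of SHA-256.  Real BS2000
    # systems use EBCDIC and their own hash; this is a model only.
    return hashlib.sha256(string.encode("latin-1")).digest()[:length]


def to_x_literal(data: bytes) -> str:
    """Render bytes the way SHOW-VARIABLE ... VALUE=*X-LIT prints them."""
    return "X'" + data.hex().upper() + "'"


def from_x_literal(text: str) -> bytes:
    """Parse an <x-string 1..16> literal such as X'E611BB422CDB4FA5'."""
    t = text.strip().upper()
    if not (t.startswith("X'") and t.endswith("'")):
        raise ValueError("not an X literal")
    digits = t[2:-1]
    if not 1 <= len(digits) <= 16:
        raise ValueError("<x-string 1..16>: 1 to 16 hex digits allowed")
    return bytes.fromhex(digits)  # rejects odd counts and non-hex digits


def needs_x_string(data: bytes) -> bool:
    """True when the 8 bytes contain characters that cannot be typed as a
    <c-string>, which is why the manual recommends the X-literal form.
    (ASCII-printable check; the real system is EBCDIC-based.)"""
    return not all(0x20 <= b < 0x7F for b in data)


def converted_password(long_password: str) -> str:
    """The documented procedure end to end: upper-case the long password,
    convert it to 8 bytes, and emit the <x-string> form usable with an
    interface that does not support the long password mechanism."""
    return to_x_literal(hash_string(long_password.upper(), 8))


if __name__ == "__main__":
    pw = "special password of $rudi!"  # the manual's sample long password
    print("converted password:", converted_password(pw))
    print("case matters to HASH-STRING:",
          hash_string(pw) != hash_string(pw.upper()))
    print("needs X-literal form:",
          needs_x_string(hash_string(pw.upper())))
```

`converted_password()` is the whole of what the manual asks the user to do by hand: upper-case first (because the password interface is case-insensitive but STRING is not), hash to 8 bytes, then carry the result as an X literal rather than a c-string so that non-enterable bytes survive the trip to TRANSFER-FILE or SET-RFA-CONNECTION.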
If the SECOS software product is installed, additional user-specific security checks can be set up for passwords. The default values for the minimum length and complexity of a password are set to *NONE (attributes not checked). If these attributes are changed to maximum values, in some cases it may be that the 8-byte password converted from a “long” password will fail to comply with security requirements. For that reason the minimum length should not be set to more than 6, and the minimum complexity should not be set to more than 2.
Restrictions
The following functions of the MODIFY-USER-PROTECTION command are only available if SECOS is used:
A new password specified in the NEW-LOGON-PASSWORD operand can be specified a second time for verification purposes in the CONFIRM-NEW-PASSWORD operand.
In the USER-IDENTIFICATION operand, it is possible to specify that password changes should be performed for the personal logon.
If SECOS is not available then only the default value can be specified for these operands.
Format
MODIFY-USER-PROTECTION
LOGON-PASSWORD = *NONE / <c-string 1..8> / <c-string 9..32> / <x-string 1..16> / *SECRET
,NEW-LOGON-PASSWORD = *NONE / <c-string 1..8> / <c-string 9..32> / <x-string 1..16> / *SECRET
,CONFIRM-NEW-PASSWORD = *NOT-SPECIFIED / *NONE / <c-string 1..8> / <c-string 9..32> / <x-string 1..16> / *SECRET
,PUBSET = *HOME / <cat-id 1..4>
,USER-IDENTIFICATION = *STD / *PERSONAL-USER-ID
Operands
LOGON-PASSWORD = *NONE / <c-string 1..8> / <c-string 9..32> / <x-string 1..16> / *SECRET
Old password for the user ID.
The long password mechanism is supported (<c-string 9..32>). A hash algorithm converts the long password to an 8-byte password which is used for password checking. See Function above for details of the long password mechanism.
The operand has the following special characteristics:
The password entered is not logged.
The input field is automatically blanked out in the guided dialog.
In unguided dialog and foreground procedures, on entry of *SECRET or ^, SDF provides a blanked-out input field for entering the password.
NEW-LOGON-PASSWORD = *NONE / <c-string 1..8> / <c-string 9..32> / <x-string 1..16> / *SECRET
New password for the user ID. The new password must not be the same as the previous password.
The long password mechanism is supported (<c-string 9..32>). A hash algorithm converts the long password to an 8-byte password which is used for password checking. See Function above for details of the long password mechanism.
The operand has the following special characteristics:
The password entered is not logged.
The input field is automatically blanked out in the guided dialog.
In unguided dialog and foreground procedures, on entry of *SECRET or ^, SDF provides a blanked-out input field for entering the password.
CONFIRM-NEW-PASSWORD = *NOT-SPECIFIED / *NONE / <c-string 1..8> / <c-string 9..32> / <x-string 1..16> / *SECRET
The operand is only available in conjunction with SECOS.
Allows a new password specified using the NEW-LOGON-PASSWORD operand to be checked. Because password entry is non-displaying, the password is entered twice so that a password containing a typing error is not assigned unnoticed.
If a value other than the default *NOT-SPECIFIED is entered, then it must be identical with the entry made for NEW-LOGON-PASSWORD, otherwise the command is rejected.
The CONFIRM-NEW-PASSWORD operand has the following special characteristics:
The password entered is not logged.
The input field is automatically blanked out in the guided dialog.
In unguided dialog and foreground procedures, on entry of *SECRET or ^, SDF provides a blanked-out input field for entering the password.
PUBSET =
Defines the catalog ID of the public volume set whose user catalog contains the entry for the user ID.
PUBSET = *HOME
Catalog ID of the home public volume set.
PUBSET = <cat-id 1..4>
Catalog ID of a local public volume set whose user catalog contains an entry for the user ID.
USER-IDENTIFICATION = *STD / *PERSONAL-USER-ID
This operand is only available if SECOS is in use.
Specifies whether the password of the logon user ID or the password corresponding to the personal user ID (personal logon) is to be changed.
USER-IDENTIFICATION = *STD
The password corresponding to the logon user ID is changed.
If the command is called during the updating of the logon password then *STD designates the following user ID:
following the output of message SRM3204, the logon user ID
following the output of message SRM3207, the personal user ID
USER-IDENTIFICATION = *PERSONAL-USER-ID
The password corresponding to the personal user ID is modified. If no personal logon has been performed then the password corresponding to the logon ID is modified.
Return codes
(SC2) | SC1 | Maincode | Meaning
---|---|---|---
 | 0 | CMD0001 | Command terminated without errors
 | 1 | SRM6010 | Syntax error in command
 | 32 | SRM6020 | System error during command processing
 | 64 | SRM6040 | Semantic error during command processing
 | 130 | SRM6030 | Command cannot be executed at present
Notes
In the log (SYSOUT), passwords are overwritten with the letter P.
For a nonexistent password (equivalent to the default value *NONE) the system uses binary zeros (X'00 00 00 00 00 00 00 00'). Binary zeros used as passwords are not encrypted, however.
If the system parameter ENCRYPT=Y is set, the system encrypts all passwords except for those consisting of binary zeros (if the default value *NONE is specified).
Example
Allocating a long password:
/mod-user-prot logon-pass='short#12',new='special password of $rudi!'
Finding out the converted 8-byte password for use at an interface which does not support the long password mechanism. SET-VARIABLE (alias = STV) copies the password to variable A, and then SHOW-VARIABLE (alias = SHV) displays the variable in the form of an X literal (as it may include characters that cannot be typed):
/stv a=hash-string(string='SPECIAL PASSWORD OF $RUDI!',LENGTH=8)
/shv a,inf=*par(value=*x-lit)
A = X'E611BB422CDB4FA5'
When using the builtin TO-X-LITERAL function, the password can also be transferred into a variable as an X literal (in the example: PASS):
/stv pass=to-x-lit(string=
hash-string(string='SPECIAL PASSWORD OF $RUDI!',length=8))
/shv pass
PASS = X'E611BB422CDB4FA5'
The converted, 8-byte password typically needs to be specified in TRANSFER-FILE commands. Here are various ways of specifying it:
/transfer-file ... password=x'e611bb422cdb4fa5'.....   (1)
/transfer-file ... password=&(pass).....   (2)
/transfer-file ... password=&(to-x-lit(string=a)).....   (3)
/transfer-file ... password=&(to-x-lit(string=hash-string(string='SPECIAL PASSWORD OF $RUDI!',length=8))).....   (4)
(1) Entering the converted password directly as an X string.
(2) Entering the password by means of the variable substitution mechanism (contents of variable PASS).
(3) Entering the password by means of the variable substitution mechanism (X literal of the A variable).
(4) Entering the password directly by means of expression substitution: the long password is converted and rendered as an X literal within the command itself. In this case, there is no need to ascertain the password beforehand by assigning it to a variable.