Yes. To confirm: (1) Passphrases are completely separate from passwords. You can't use one to set the other. (2) A passphrase must be defined by an administrator for each user, before they can use passphrases.
A simple solution would be to randomly generate a passphrase for each user in your pilot group, and ask the users to contact service desk to reset it. You could use Carla to generate the commands:
    CKGRACF USER userid PWSET RANDOM PHRASE
If it's not feasible to use your service desk this way, then you need a process to generate and store passphrases, and then either batch mail them out, or make them accessible to the users individually.
Here's what I did:
1. Define a custom field for a 2-way-encrypted passphrase, with appropriate FIELD controls. [I'd probably investigate enveloping if I were doing it now]
2. Download 5 books from Project Gutenberg as a source of readable phrases.
3. Write some rexx to loop through each user and:
   - Randomly select a phrase from a random book, and process it to meet the default passphrase requirements;
   - Encrypt the passphrase and store it in the custom field in the user's profile;
   - Issue the ALU command to set the passphrase.
4. Write a simple ISPF/Rexx utility to allow the users to retrieve their initial passphrase, when logged on to TSO using password.
Later on, we had a need to store all users' emails in RACF (in another custom field). So storing the passphrase was no longer necessary, as we could generate and send emails in the process.
Hopefully this will give you some ideas, and allow you to come up with something better.
------------------------------
Pete Buckley
Mainframe Tech Specialist
AXA
------------------------------
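The phrase-selection and ALU steps described in the reply above, sketched in Python as an added illustration; this is not the poster's Rexx. It assumes RACF's default passphrase rules with no ICHPWX11 exit installed, uses a constructed sample text in place of the downloaded books and hypothetical user IDs, and leaves out the encrypt-and-store step.

```python
import re
import secrets

# Constructed sample standing in for a downloaded book (assumption, not from the post).
SAMPLE_TEXT = """
The harbour lights were burning low when the old captain climbed the
narrow stair and looked across the water toward the sleeping town.
Nobody in the village could remember a winter so long, nor a spring
that arrived with such sudden warmth and colour in the orchards.
"""

def meets_default_rules(phrase, userid):
    """Check RACF's default passphrase rules (no ICHPWX11 exit installed)."""
    alpha = sum(c.isalpha() for c in phrase)
    # Conservative: blanks are not counted toward the non-alphabetic minimum.
    non_alpha = sum(not c.isalpha() and c != " " for c in phrase)
    return (14 <= len(phrase) <= 100
            and userid.upper() not in phrase.upper()   # stricter than RACF: any case
            and alpha >= 2 and non_alpha >= 2
            and re.search(r"(.)\1\1", phrase) is None)  # max 2 identical in a row

def generate_phrase(text, userid, n_words=4):
    """Pick a random run of words with a CSPRNG and append two digits."""
    words = re.findall(r"[A-Za-z]+", text)
    while True:
        start = secrets.randbelow(len(words) - n_words + 1)
        phrase = " ".join(words[start:start + n_words])
        phrase += " %02d" % secrets.randbelow(100)
        if meets_default_rules(phrase, userid):
            return phrase

def alu_command(userid, phrase):
    """Build the ALU command; single quotes inside the phrase are doubled."""
    return "ALU %s PHRASE('%s') EXPIRED" % (userid, phrase.replace("'", "''"))

if __name__ == "__main__":
    for uid in ("JSMITH", "ADOE01"):   # hypothetical user IDs
        print(alu_command(uid, generate_phrase(SAMPLE_TEXT, uid)))
```

The generated commands contain cleartext passphrases, so the output needs the same protection as the passphrases themselves. EXPIRED makes the user choose a new passphrase the first time the generated one is used.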
Original Message:
Sent: Thu July 15, 2021 10:02 AM
From: Jim Elliott
Subject: z/OS Password to Passphrase migration
I am looking for thoughts or suggestions on converting users from passwords to passphrases. From what I've found, users can't use their passwords to reset a passphrase. I'm not too excited about the idea of creating thousands of temporary passphrases for every user and sending them out to them individually, and was wondering if there are any solutions to assist with this type of rollout?
------------------------------
Jim Elliott
Senior IT Consultant, GlassHouse Systems Inc.
------------------------------