UCF STIG Viewer Logo

ACF2 must use NIST FIPS-validated cryptography to protect passwords in the security database.


Overview

Finding ID Version Rule ID IA Controls Severity
V-223505 ACF2-ES-000880 SV-223505r695435_rule High
Description
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000074-GPOS-00042
STIG Date
IBM z/OS ACF2 Security Technical Implementation Guide 2022-06-22

Details

Check Text ( C-25178r695434_chk )
From an ACF command screen enter:
SET CONTROL(GSO)
LIST PSWD

If the "GSO PSWD" record option "PSWDENCT" is set to "XDES" or null, this is a finding.

SET MSYSID(-)

LIST PSWD

For CA-ACF2 R16 and above:

If option "NOONEPWALG" is specified, and there is no transition plan with a definite completion date filed with the ISSM, this is a finding.
Fix Text (F-25166r504601_fix)
Evaluate the impact associated with implementation of the control option.

Develop a plan of action to implement the control option as specified below:

Configure the "GSO PSWD" record option "PSWDENCT" to "AES1".

For CA-ACF2 Release16 and above:

Configure "GSO PSWD" record option "PSWDENCT" to "AES1" or "AES2".

Configure the "GSO PSWD" to "ONEPWALG".

Note: If you are using VM Database Synchronization you cannot use “ONEPWALG”. VM does not support the AES algorithms.

Develop a transition plan with a definite completion date for z/VM; file with the ISSM.

If all systems that are sharing the logonid or infostorage databases are not running with the same “PSWDENCT” value you cannot use “ONEPWALG”.

Develop a transition plan that contains a definite completion date to migrate all logonid and infostorage databases to one “PSWDENCT” value; file with the ISSM.

Consult the CA-ACF2 administration guide for converting to "AES1" or "AES2" and using "ONEPWALG".