If you want the option of falling back to the previous encryption
selection, use NOONEPWALG.
If you intend to move forward with AES2 and are not concerned
with falling back to XDES, use ONEPWALG. With ONEPWALG there is no recourse to falling back.
Here is why.
PSWDENCT controls the manner in which passwords/password phrases
are encrypted and stored within the logonid record in the logonid database.
The following describes the PSWDENCT settings that are available:
◦PSWDENCT(XDES|AES1|AES2)
◾XDES - specifies the XDES algorithm that CA ACF2 uses for password/password phrase encryption processing.
◾AES1 - specifies AES-CMAC using AES 128.
◾AES2 - specifies AES-CMAC using AES 256.
◾Default: XDES. Entering a null value () specifies the default.
By default, CA ACF2 encrypts a password/password phrase with the current setting
in PSWDENCT and the weaker algorithms.
You can specify whether password/password phrase changes are saved under one or more encryption algorithms.
To do so, use the ONEPWALG|NOONEPWALG field of the GSO PSWD record.
NOTE:
-------
Do not set ONEPWALG unless all systems that are sharing the logonid or infostorage
databases are running with the same PSWDENCT value.
◦NOONEPWALG
Saves password/password phrase changes under multiple algorithms: the newly set algorithm plus any weaker algorithms.
◾If NOONEPWALG is set and PSWDENCT is set to AES2, CA ACF2 saves the
password/password phrase that is encrypted under AES 256, AES 128, and XDES.
◾If NOONEPWALG is set and PSWDENCT is set to AES1, CA ACF2 saves the
password/password phrase that is encrypted under AES 128 and XDES.
This option makes it easier to transition from one algorithm to another, especially in a shared database environment.
For additional details, review: Implement AES 256 Encryption - CA ACF2™ for z/OS - 16.0 - CA Technologies Documentation
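
The storage rules and the shared-database NOTE above, modeled as an added Python example (not CA ACF2 code and not part of the original text). The function names and the SYSA/SYSB/SYSC inventory are constructed for illustration, and the ONEPWALG branch assumes that setting saves changes under the current PSWDENCT algorithm only, which is what "no recourse to falling back" implies.

```python
# Added example: models the PSWDENCT / ONEPWALG rules described on this page.
STRENGTH = ["XDES", "AES1", "AES2"]  # weakest to strongest


def stored_algorithms(pswdenct, onepwalg):
    """Algorithms a changed password/password phrase is saved under."""
    pswdenct = pswdenct or "XDES"  # a null value selects the default, XDES
    if pswdenct not in STRENGTH:
        raise ValueError(f"unknown PSWDENCT value: {pswdenct!r}")
    if onepwalg:
        # Assumption: ONEPWALG keeps only the current PSWDENCT algorithm.
        return [pswdenct]
    # NOONEPWALG: current algorithm plus every weaker one, strongest first.
    return STRENGTH[: STRENGTH.index(pswdenct) + 1][::-1]


def fallback_targets(pswdenct, onepwalg):
    """Weaker algorithms the changed password is also saved under."""
    return stored_algorithms(pswdenct, onepwalg)[1:]


def audit_shared(systems):
    """Return names of systems that set ONEPWALG although the systems sharing
    the databases do not all run the same PSWDENCT value (the NOTE above).

    systems maps a system name to (pswdenct, onepwalg).
    """
    in_use = {stored_algorithms(p, True)[0] for p, _ in systems.values()}
    if len(in_use) <= 1:
        return []
    return sorted(name for name, (_, one) in systems.items() if one)


if __name__ == "__main__":
    # Constructed inventory of three systems sharing one logonid database.
    inventory = {
        "SYSA": ("AES2", True),
        "SYSB": ("AES2", False),
        "SYSC": ("", False),  # null value, so XDES
    }
    for name, (enc, one) in inventory.items():
        print(name, stored_algorithms(enc, one), fallback_targets(enc, one))
    print("ONEPWALG set with mixed PSWDENCT:", audit_shared(inventory))
```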