Maintaining Data Set Passwords
z/OS DFSMSdfp Utilities SC23-6864-00
IEHPROGM can be used to maintain non-VSAM password entries in the PASSWORD data set and to alter the protection status of DASD data sets in the data set control block (DSCB). This topic also explains why data set passwords provide poor security and why IBM recommends z/OS Security Server (RACF).

A data set can have one of three types of password protection, as indicated in the DSCB for DASD data sets and in the tape label for tape data sets. The possible types of data set password protection are:
If a system data set is password protected and a problem occurs on the data set, maintenance personnel must be provided with the password in order to access the data set and resolve the problem.

A data set can have one or more passwords assigned to it; each password has an entry in the PASSWORD data set. A password assigned to a data set can allow read and write access, or only read access to the data set.

Figure 1 shows the relationship between the protection status of data set ABC and the type of access allowed by the passwords assigned to the data set. Passwords ABLE and BAKER are assigned to data set ABC. If no password protection is set in the DSCB or tape label, data set ABC can be read or written without a password. If read/write protection is set in the DSCB or tape label, data set ABC can be read with either password ABLE or BAKER and can be written with password ABLE. If read-without-password protection is set in the DSCB or tape label, data set ABC can be read without a password and can be written with password ABLE; password BAKER is never needed.

Figure 1. Relationship between the Protection Status of a Data Set and Its Passwords
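
The access rules of Figure 1 and the control/secondary marking of PASSWORD data set entries, modeled as an added Python example (not IBM code and not how the system performs the check). The class and function names are hypothetical, and ABLE is assumed to be a read/write password and BAKER a read-only password, as the description of data set ABC implies.

```python
from dataclasses import dataclass
from enum import Enum

class Status(Enum):
    """Protection status recorded in the DSCB or tape label."""
    NONE = "no password protection"
    READ_WRITE = "read/write protection"
    NOPWREAD = "read-without-password protection"

@dataclass
class Entry:
    """One PASSWORD data set entry, modeled with the fields the topic lists."""
    dsname: str
    password: str
    can_write: bool        # protection mode: read/write (True) or read only
    control: bool          # control password (True) or secondary password
    access_count: int = 0  # kept for completeness; this model never updates it
    user_data: bytes = b""

class PasswordDataSet:
    def __init__(self):
        self.entries = []

    def add(self, dsname, password, can_write, user_data=b""):
        if len(user_data) > 77:
            raise ValueError("optional user data is limited to 77 bytes")
        # The initial password added for a data set is its control password.
        first = all(e.dsname != dsname for e in self.entries)
        entry = Entry(dsname, password, can_write, first, user_data=user_data)
        self.entries.append(entry)
        return entry

    def allowed(self, dsname, status, write, password=None):
        """Return True if the requested access is permitted."""
        if status is Status.NONE:
            return True                      # no password needed at all
        if status is Status.NOPWREAD and not write:
            return True                      # reads never need a password
        for e in self.entries:
            if e.dsname == dsname and e.password == password:
                return e.can_write or not write
        return False                         # missing or unknown password

def figure1_example():
    """Constructed sample: data set ABC with passwords ABLE and BAKER."""
    pds = PasswordDataSet()
    pds.add("ABC", "ABLE", can_write=True)
    pds.add("ABC", "BAKER", can_write=False)
    return pds
```
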
Before IEHPROGM is used to maintain data set passwords, the PASSWORD
data set must reside on the system residence volume. IEHPROGM can
then be used to:
Each entry in the PASSWORD data set contains the name of the protected data set, the password, the protection mode of the password, an access counter, and 77 bytes of optional user data. The protection mode of the password defines the type of access allowed by the password and whether the password is a control password or secondary password. The initial password, added to the PASSWORD data set for a particular data set, is marked in the entry as the control password for that data set. The second and subsequent passwords added for the same data set are marked as secondary passwords.

For DASD data sets, IEHPROGM updates the protection status in the DSCB when a control password entry is added, replaced, or deleted. This permits setting and resetting the protection status of an existing DASD data set at the same time its passwords are added, replaced, or deleted. IEHPROGM automatically alters the protection status of a data set in the DSCB if the following conditions are met:
For tape data sets, IEHPROGM cannot update the protection status in the tape label when a password entry is added, replaced, or deleted. Protection status in a tape label must be set with JCL.

Passwords to be added, replaced, deleted, or listed can be specified on utility control statements or can be entered by the console operator. IEHPROGM issues a message to the console operator when a password on a utility control statement is either missing or invalid. The message contains the job name, step name, and utility control statement name and identifies the particular password that is missing or invalid. Two invalid passwords are allowed per password entry on each utility control statement before the request is ignored; a total of five invalid passwords is allowed for the password entries on all the utility control statements in a job step before the step is canceled.

Related reading:
Copyright IBM Corporation 1990, 2014