RECREATE

The RECREATE subcommand can be used to set a limited number of fields in user profiles that cannot be set by RACF commands. Unlike the FIELD command, which also provides the functionality to set fields in a USER profile, the USER RECREATE command is subject to scope checking for the target USER profile.

The RECREATE subcommand has the following syntax:
RECREATE [NOPROPAGATE] [options]
options
Any number of RECREATE subcommand options; see Table 1.
NOPROPAGATE
Keyword to tell RRSF not to propagate to remote RACF databases.
Table 1. Options for CKGRACF USER RECREATE
Option Description
ENCRYPTED_PASSWORD[('xxxx...xx'x, ['yyyy...yy'x])] Encrypted password with a length of 8 characters or 16 hexadecimal digits, optionally followed by a password extension that can have up to 40 characters or 80 hexadecimal digits. When no password and password extension values are specified, a random password value is determined. If KDFAES is active, the associated password extension value is determined.
ENCRYPTED_PHRASE[('xxxx...xx'x, ['yyyy...yy'x])] Encrypted password phrase that can have up to 100 characters or 200 hexadecimal digits, optionally followed by a password phrase extension that can have up to 40 characters or 80 hexadecimal digits. When no password phrase and password phrase extension values are specified, a random password phrase value is determined. If KDFAES is active, the associated password phrase extension value is determined.
LJDATE('yydddF'x) Last-use date, with a length of 3 characters or 6 hexadecimal digits.
LJTIME('hhmmsscc'x) Last-use time, with a length of 4 characters or 8 hexadecimal digits.
PASSASIS('nn'x) Password mixed case, with a length of 1 character or 2 hexadecimal digits.
PASSDATE('yydddF'x) Password change date, with a length of 3 characters or 6 hexadecimal digits.
PHRDATE('yydddF'x) Password phrase change date, with a length of 3 characters or 6 hexadecimal digits.
REVOKECT('nn'x) Revoke counter, with a length of 1 character or 2 hexadecimal digits.
TUPT('xxxx...xx'x) TSO UPT data, with up to 255 characters or 510 hexadecimal digits.
Each value in a RECREATE option can be specified as a string; quotes and conversions are allowed. The value is assigned to the fields that the option indicates.
  • With an ENCRYPTED_PASSWORD option, the first value, if any, is assigned to the PASSWORD field and the second value, if any, is assigned to the PWDX field.
    If no password and password extension values are specified, a random password is assigned to the PASSWORD field. If KDFAES is active, the associated password extension is assigned to the PWDX field.
  • With an ENCRYPTED_PHRASE option, the first value, if any, is assigned to the PHRASE field and the second value, if any, is assigned to the PHRASEX field.
    If no password phrase and password phrase extension values are specified, a random password phrase is assigned to the PHRASE field. If KDFAES is active, the associated password phrase extension is assigned to the PHRASEX field.
  • With ENCRYPTED_PASSWORD and ENCRYPTED_PHRASE options, the user's PROTECTED attribute, if any, is removed.
For more information about the PASSWORD, PHRASE, PWDX, and PHRASEX fields, see RACF field descriptions.

Each RECREATE option requires an exact specification of the fields in a format that matches the RACF internal representation of the field values. For instance, the LJDATE, PASSDATE, and PHRDATE fields each have a packed decimal value. The only supported way of specifying such a value is via its hexadecimal representation as 'yydddF'x. For LJDATE, PASSDATE, and PHRDATE, the first character (2 hex digits) specifies the year value, while ddd specifies the Julian date. The "F" at the end represents the sign: "F" is defined for Packed Decimal to represent a positive number. A year character between '71'x and '00'x denotes a year in the 20th century, while a year character between '01'x and '70'x denotes a year in the 21st century. For example, '71'x denotes 1971, '00'x denotes 2000, and '01'x denotes 2001.

The lengths specified in the descriptions of Table 1 must match the lengths of the values supplied in the corresponding options. Otherwise, an error message is issued.
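The 'yydddF'x format and century window described above can be checked before a value is placed in a RECREATE option. The following Python sketch is an added example, not part of the product or its documentation; the function names are hypothetical, and it assumes that ddd is the ordinal day of the year (001-366).

```python
import calendar
import re
from datetime import date, timedelta

DATE_OPTIONS = {"LJDATE", "PASSDATE", "PHRDATE"}  # packed decimal date options on this page

def encode_racf_date(d: date) -> str:
    """Return the 6 hex digits yydddF for a calendar date."""
    # The century window described above covers 1971 ('71') through 2070 ('70').
    if not 1971 <= d.year <= 2070:
        raise ValueError(f"{d.year} is outside the 1971-2070 window")
    # Assumption: ddd is the ordinal day of the year, 001-366.
    return f"{d.year % 100:02d}{d.timetuple().tm_yday:03d}F"

def decode_racf_date(hex_digits: str) -> date:
    """Validate 6 hex digits yydddF and return the calendar date they denote."""
    # Exactly 5 decimal digits plus the positive sign nibble F; anything else is rejected.
    if not re.fullmatch(r"[0-9]{5}F", hex_digits.upper()):
        raise ValueError(f"{hex_digits!r} is not of the form yydddF")
    yy, ddd = int(hex_digits[:2]), int(hex_digits[2:5])
    year = 1900 + yy if yy >= 71 else 2000 + yy
    last_day = 366 if calendar.isleap(year) else 365
    if not 1 <= ddd <= last_day:
        raise ValueError(f"day {ddd:03d} does not exist in {year}")
    return date(year, 1, 1) + timedelta(days=ddd - 1)

def recreate_date_option(option: str, d: date) -> str:
    """Build one RECREATE date option, round-tripping the value as a check."""
    if option not in DATE_OPTIONS:
        raise ValueError(f"{option} is not a packed decimal date option")
    value = encode_racf_date(d)
    assert decode_racf_date(value) == d
    return f"{option}('{value}'x)"

if __name__ == "__main__":
    # Constructed sample dates, not taken from any real profile.
    print(recreate_date_option("PASSDATE", date(2024, 2, 29)))
    for candidate in ("00366F", "23366F", "24060C"):
        try:
            print(candidate, "->", decode_racf_date(candidate))
        except ValueError as err:
            print(candidate, "rejected:", err)
```

Rejecting a nonexistent day or a wrong sign nibble before the command is issued matters most for LJDATE, because an invalid date there can cause RACF to abend at logon or LISTUSER.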

More than one option can be specified in a single RECREATE subcommand, but each option can be specified at most once. The assignments are applied to the fields that are indicated by each of the options in turn. If an error occurs with one of the assignments, the other assignments are still processed and might change the profile.

Warning: If an invalid value is assigned to a field, problems can occur.

Note:
  1. Assigning a value to the TUPT field creates a TSO segment if the profile does not have one yet.
  2. If the LJDATE field is set to an invalid date, RACF might abend when the user attempts to log on or when a LISTUSER command is executed.
  3. Changing the PASSDATE or PHRDATE field while running RRSF causes the last use date/time and the last connect date/time to be updated to a time dependent on the response time of RRSF.
  4. In principle, ENCRYPTED_PASSWORD and ENCRYPTED_PHRASE parameters can be supplied by values of NEWLIST TYPE=RACF fields PASSWORD, PHRASE, PWDX, and PHRASEX, but only if this newlist is run with a RACF database and not with an UNLOAD. In order not to expose passwords and password phrases, UNLOADs contain asterisks instead of encrypted passwords and password phrases.
  5. On a system that does not support KDFAES:
    • Do not assign a password to a user that has a KDFAES-encrypted password.
    • Do not assign a password phrase to a user that has a KDFAES-encrypted password phrase.
    Newlist RACF reports such a user to have a nonempty PWDX or PHRASEX field value, respectively.
  6. It is not allowed to apply USER RECREATE commands to user IDs that have a last-use time which is set either with an ALTUSER or CKGRACF command or through using the user ID. USER RECREATE commands are intended to be applied only to user IDs that have never been used.