New-password-phrase exit (ICHPWX11)
A password phrase is an alternative to a password that allows a longer length and a larger character set. RACF® supports password phrases from 9 to 100 characters in length, made up of mixed case letters, numbers, and special characters, including blanks. When the new-password-phrase exit (ICHPWX11) is present and allows it, the password phrase can be 9–100 characters. When ICHPWX11 is not present, the password phrase must be 14–100 characters.
- Maximum length: 100 characters
- Minimum length:
  - 9 characters, when the encryption algorithm is KDFAES or ICHPWX11 is present and allows the new value
  - 14 characters, when ICHPWX11 is not present and the encryption algorithm is not KDFAES
- The user ID (as sequential uppercase characters or sequential lower case characters) is not part of the password phrase
- At least 2 alphabetic characters are specified (A - Z, a - z)
- At least 2 non-alphabetic characters are specified (numerics, punctuation, special characters, blanks)
- No more than 2 consecutive characters are identical
RACROUTE REQUEST=VERIFY processing and the ADDUSER, ALTUSER, PASSWORD, and PHRASE commands invoke the installation-supplied new-password-phrase processing exit. The exit gains control when a new password phrase is processed, and can examine the value specified for the password phrase and enforce installation rules in addition to the RACF rules. For example, while RACF does not allow the user ID to be part of the password phrase, the exit could perform more complex tests to also disallow the company name, the names of months, and the current year in the password phrase.
The use of the new-password-phrase exit augments the RACF rules, but cannot override them. Be sure that the exit and the RACF rules do not contradict each other. For example, if the exit requires that password phrases contain all alphabetic characters, users will not be able to create new password phrases because RACF requires at least two non-alphabetic characters.
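The layering described above, modeled in Python as an added example: this is not IBM code and not an ICHPWX11 implementation, and it runs outside RACF. The function names, the company name `ExampleCorp`, and the sample phrases are assumptions made for illustration.

```python
import re
from datetime import date

MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")

def racf_rules(user_id, phrase, exit_present=False, kdfaes=False):
    """Return the base syntax rules (as listed above) that the phrase violates."""
    errors = []
    min_len = 9 if (exit_present or kdfaes) else 14
    if not min_len <= len(phrase) <= 100:
        errors.append("length")
    # The user ID counts only as an all-uppercase or all-lowercase run.
    if user_id.upper() in phrase or user_id.lower() in phrase:
        errors.append("userid")
    alpha = sum(c.isascii() and c.isalpha() for c in phrase)
    if alpha < 2:
        errors.append("alpha")
    if len(phrase) - alpha < 2:
        errors.append("nonalpha")
    if re.search(r"(.)\1\1", phrase, re.S):  # three identical in a row
        errors.append("repeat")
    return errors

def installation_exit(phrase, company="ExampleCorp", year=None):
    """Hypothetical site policy: no company name, month name or current year."""
    lowered = phrase.lower()
    banned = MONTHS + (company.lower(), str(year or date.today().year))
    return [word for word in banned if word in lowered]

def alpha_only_exit(phrase):
    """The contradictory policy from the text: letters only."""
    return [] if phrase.isalpha() else ["not-all-alphabetic"]

def check_new_phrase(user_id, phrase, exit_fn=None, kdfaes=False):
    """Exit findings are added to the base findings; they never remove any."""
    errors = racf_rules(user_id, phrase, exit_fn is not None, kdfaes)
    if exit_fn is not None:
        errors += ["exit:" + reason for reason in exit_fn(phrase)]
    return errors

if __name__ == "__main__":
    for phrase in ("correct horse 42 battery", "ExampleCorp in March 2024!",
                   "abcdefghijklmnop"):
        print(repr(phrase), check_new_phrase("IBMUSER", phrase, installation_exit),
              check_new_phrase("IBMUSER", phrase, alpha_only_exit))
```

With `alpha_only_exit`, every phrase fails either the base non-alphabetic rule or the exit, which is the contradiction the paragraph above warns about.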
The interval value specified on the PASSWORD command applies to both passwords and password phrases. It is processed by the new password exit, ICHPWX01, and is not passed to this exit.
- If the password phrase was changed by a RACF command, and the command is propagated to another node by automatic command direction, the new-password-phrase exit is invoked on that node.
- If the password phrase was changed by other means (at logon, or by a RACROUTE or ICHEINTY invocation), and the password phrase change is propagated to another node by automatic password direction or password synchronization, the new-password-phrase exit is not invoked on that node.