Previous topic |
Next topic |
Contents |
Contact z/OS |
Library |
PDF
New-password-phrase exit (ICHPWX11) z/OS Security Server RACF System Programmer's Guide SA23-2287-00 |
|
A password phrase is an alternative to a password that allows a longer length and a larger character set. RACF® supports password phrases from 9 to 100 characters in length, made up of mixed case letters, numbers, and special characters, including blanks. When the new-password-phrase exit (ICHPWX11) is present and allows it, the password phrase can be 9–100 characters. When ICHPWX11 is not present, the password phrase must be 14–100 characters. RACF enforces a basic set
of rules for password phrases:
RACROUTE REQUEST=VERIFY processing and the ADDUSER, ALTUSER, PASSWORD, and PHRASE commands invoke the installation-supplied new-password-phrase processing exit. The exit gains control when a new password phrase is processed, and can examine the value specified for the password phrase and enforce installation rules in addition to the RACF rules. For example, while RACF does not allow the user ID to be part of the password phrase, the exit could perform more complex tests to also disallow the company name, the names of months, and the current year in the password phrase. The use of the new-password-phrase exit augments the RACF rules, but cannot override them. Be sure that the exit and the RACF rules do not contradict each other. For example, if the exit requires that password phrases contain all alphabetic characters, users will not be able to create new password phrases because RACF requires at least two non-alphabetic characters. The interval value specified on the PASSWORD command applies to both passwords and password phrases. It is processed by the new password exit, ICHPWX01, and is not passed to this exit In a remote sharing environment, if password synchronization or
automatic password direction is active, and a password phrase is changed,
the new-password-phrase exit is always invoked on the node where the
initial password phrase change is made. When RACF automatically updates the
password phrase on other nodes, the new-password-phrase exit might
or might not be invoked:
|
Copyright IBM Corporation 1990, 2014
|