z/OS Security Server RACF Security Administrator's Guide


R_dcekey (IRRSDK00) callable service

SA23-2289-00

Authorized applications, such as servers, can invoke the R_dcekey callable service (IRRSDK00) to enable z/OS® DCE to retrieve or set a DCE password (a key), or to retrieve an LDAP bind password. The following functions are supported:
  • Retrieve a DCE password from a user profile's DCE segment. (The password is decrypted using the key that was stored in the user's DCE segment when the password was encrypted.)
  • Set the DCE password in a user profile's DCE segment. (The password is encrypted using the key stored in the DCE.PASSWORD.KEY profile in the KEYSMSTR class.)
  • Retrieve the LDAP bind password from the PROXY segment of a general resource profile in the LDAPBIND class or from the IRR.PROXY.DEFAULTS profile in the FACILITY class. (The password is decrypted using the key that was stored in the profile's PROXY segment when the password was encrypted, for example when the RDEFINE or RALTER PROXY command was issued.)
For detailed information about invoking the R_dcekey callable service, see z/OS Security Server RACF Callable Services.
For callers not running in system key or supervisor state, all of the following conditions must be met:
  • The caller must be running in a clean environment. (For more information, see Maintaining a clean environment in BASIC or ENHANCED mode.)
  • The caller's user ID or group must have at least READ authority to one of the following FACILITY class profiles:
    • BPX.SERVER
    • IRR.RDCEKEY
When authorizing applications using the BPX.SERVER resource, the caller is defined as the user ID associated with the ACEE of the address space. When authorizing applications using the IRR.RDCEKEY resource, the caller is defined as the user ID associated with the ACEE of the current TCB or, if no ACEE is associated with the current TCB, then the ACEE associated with the address space is used to locate the user ID.
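
The caller-identity rules above can be traced with a small model. This is an added example, not IBM or RACF code: the `ACEE` and `Caller` classes, the access-list lookup, the order of the two profile checks, and all user IDs, groups and profile contents are simplified assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

@dataclass
class ACEE:                           # simplified stand-in for a RACF ACEE
    user_id: str
    groups: tuple = ()

@dataclass
class Caller:
    address_space_acee: ACEE
    tcb_acee: Optional[ACEE] = None   # task-level ACEE, if one exists
    privileged: bool = False          # system key or supervisor state
    clean_environment: bool = True

def access(acl, acee):
    """Simplified lookup: a user entry wins, otherwise the best group entry.
    UACC and other RACF checks are not modelled."""
    if acee.user_id in acl:
        return LEVELS[acl[acee.user_id]]
    return max((LEVELS[acl[g]] for g in acee.groups if g in acl), default=0)

def may_call_r_dcekey(caller, facility):
    """Return the reason the call is allowed, or None if it is refused."""
    if caller.privileged:
        return "system key or supervisor state"
    if not caller.clean_environment:
        return None
    # BPX.SERVER: the caller is always the address-space identity.
    bpx = facility.get("BPX.SERVER", {})
    if access(bpx, caller.address_space_acee) >= LEVELS["READ"]:
        return "BPX.SERVER"
    # IRR.RDCEKEY: the TCB ACEE if present, otherwise the address space.
    acee = caller.tcb_acee or caller.address_space_acee
    if access(facility.get("IRR.RDCEKEY", {}), acee) >= LEVELS["READ"]:
        return "IRR.RDCEKEY"
    return None

# Constructed sample access lists (IDs and groups are placeholders).
FACILITY = {"BPX.SERVER": {"WEBSRV": "UPDATE"},
            "IRR.RDCEKEY": {"LDAPGRP": "READ"}}
```

In this model, an address space whose own user ID is permitted to IRR.RDCEKEY is still refused while the current TCB carries an ACEE for an unpermitted user, because that profile is checked against the task-level identity first.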

Copyright IBM Corporation 1990, 2014