z/OS Security Server RACF Security Administrator's Guide


Steps for disabling enveloping and deleting existing envelopes

SA23-2289-00

Perform the following steps to remove existing password envelopes and password phrase envelopes from user profiles, and disable enveloping.
  1. Delete the IRR.RADMIN.EXTRACT.* resource in the FACILITY class and refresh the FACILITY class. This prevents applications that use the R_admin callable service (IRRSEQ00) from retrieving envelopes.
    Example:
    RDELETE FACILITY IRR.RADMIN.EXTRACT.*
    SETROPTS RACLIST(FACILITY) REFRESH

    ______________________________________________________________________

  2. Alter the PASS*.ENVELOPE profile to update the UACC to NONE (if not already specified) and remove all access authorizations. Then, refresh the RACFEVNT class. This step disallows password and password phrase enveloping for all users.
    Examples:
    RALTER RACFEVNT PASS*.ENVELOPE UACC(NONE)
    PERMIT PASS*.ENVELOPE CLASS(RACFEVNT) RESET
    
    SETROPTS RACLIST(RACFEVNT) REFRESH

    ______________________________________________________________________

  3. Determine the current change interval for passwords and password phrases by inspecting the password processing options listed in the output of the SETROPTS LIST command.
    Sample output:
    PASSWORD PROCESSING OPTIONS:
    PASSWORD CHANGE INTERVAL IS 180 DAYS.

    ______________________________________________________________________

  4. Choose the length of your interim period (for instance, 240 days) so that the change interval can elapse while the RACFEVNT class remains active. Make the period long enough that as many users as possible log on during it.

    During this period, user passwords and password phrases will expire and the users who log on will be forced to change them to new values. Because you disallowed enveloping for all users in Step 2, RACF® will not envelope the new values and will systematically delete existing envelopes.

    ______________________________________________________________________

  5. (Optional) Before the end of your interim period, gauge your progress by running the IRRDBU00 utility (see Using the RACF database unload utility (IRRDBU00)) to report on users who still have envelopes. (Envelopes will remain for users who are inactive during your interim period.) Revise the length of your interim period if needed.
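    The following script is an added example for gauging progress in this step; it is not part of this IBM page and is not RACF or IBM code. It reads an IRRDBU00 unload file, keeps only the user basic data records (record type 0200 in columns 1-4, user ID in the USBD_NAME columns 6-13), and lists the users who still carry a password or password phrase envelope, split by whether they have logged on since the interim period began. The column positions of the last-access date and of the two envelope flags in the LAYOUT table are assumed placeholders (as are the constructed sample records); take the real positions from the 0200 record layout published for your z/OS release before running it against a real unload.

```python
"""Report users whose RACF profile still carries a password or password
phrase envelope, from an IRRDBU00 unload file (added example, not IBM code)."""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional

# Every IRRDBU00 record starts with a 4-character record type; 0200 is the
# user basic data record.
USER_BASIC_RECORD = "0200"

# 1-based inclusive column ranges. "user_id" is the documented USBD_NAME
# position. The other three are ASSUMED placeholders: replace them with the
# positions from the 0200 record layout for your release.
LAYOUT = {
    "user_id": (6, 13),
    "last_access": (60, 69),    # ASSUMED: date of last access, yyyy-mm-dd
    "pwd_envelope": (70, 70),   # ASSUMED: Y when a password envelope exists
    "phr_envelope": (71, 71),   # ASSUMED: Y when a password phrase envelope exists
}


def field(record: str, name: str) -> str:
    """Return one fixed-column field, blank-stripped; short records yield ''."""
    start, end = LAYOUT[name]
    return record[start - 1:end].strip()


@dataclass
class EnvelopeStatus:
    user_id: str
    last_access: Optional[date]      # None when the user has never logged on
    has_password_envelope: bool
    has_phrase_envelope: bool


def parse_user_records(records: Iterable[str]) -> list:
    """Extract envelope status from the 0200 records; other types are skipped."""
    statuses = []
    for rec in records:
        if rec[:4] != USER_BASIC_RECORD:
            continue
        try:
            last = date.fromisoformat(field(rec, "last_access"))
        except ValueError:
            last = None  # blank or unparsable: treat as never accessed
        statuses.append(EnvelopeStatus(
            user_id=field(rec, "user_id"),
            last_access=last,
            has_password_envelope=field(rec, "pwd_envelope") == "Y",
            has_phrase_envelope=field(rec, "phr_envelope") == "Y",
        ))
    return statuses


def envelope_report(records: Iterable[str], interim_start: date) -> dict:
    """Users still holding an envelope, split by activity since interim_start.

    Users active since the interim period began will lose their envelope once
    their change interval forces a new password or phrase; users inactive
    since that date keep their envelope until they next log on and change it.
    """
    active, inactive = [], []
    for s in parse_user_records(records):
        if not (s.has_password_envelope or s.has_phrase_envelope):
            continue
        if s.last_access is not None and s.last_access >= interim_start:
            active.append(s.user_id)
        else:
            inactive.append(s.user_id)
    return {
        "users_with_envelopes": len(active) + len(inactive),
        "active_since_interim_start": active,
        "inactive_since_interim_start": inactive,
    }


def make_record(user_id: str, last_access: str, pwd: str, phr: str, width: int = 80) -> str:
    """Build a CONSTRUCTED 0200 record at the LAYOUT positions, for testing only."""
    cols = [" "] * width
    cols[0:4] = list(USER_BASIC_RECORD)
    for name, value in (("user_id", user_id), ("last_access", last_access),
                        ("pwd_envelope", pwd), ("phr_envelope", phr)):
        start, end = LAYOUT[name]
        cols[start - 1:end] = list(value.ljust(end - start + 1))
    return "".join(cols)


# Constructed sample unload: one group record (ignored) and four user records.
SAMPLE_UNLOAD = [
    "0100 SYS1".ljust(80),
    make_record("USER01", "2014-03-10", "N", "N"),  # already cleared
    make_record("USER02", "2013-11-02", "Y", "N"),  # inactive, envelope remains
    make_record("USER03", "2014-02-20", "Y", "Y"),  # active, not yet expired
    make_record("USER04", "", "N", "Y"),            # never logged on
]

if __name__ == "__main__":
    print(envelope_report(SAMPLE_UNLOAD, date(2014, 1, 1)))
```

    Run it with the unload data set downloaded as a text file in place of SAMPLE_UNLOAD; a non-empty inactive list at the end of the interim period is the population whose envelopes this procedure leaves in place.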

    ______________________________________________________________________

  6. At the end of your interim period, disable enveloping for passwords and password phrases by deleting the PASS*.ENVELOPE profile and refreshing the RACFEVNT class.
    RDELETE RACFEVNT PASS*.ENVELOPE
    SETROPTS RACLIST(RACFEVNT) REFRESH

    ______________________________________________________________________

  7. If you do not need the RACFEVNT class for LDAP event notification (see LDAP event notification), deactivate the RACFEVNT class and remove any RACLISTed profiles for the RACFEVNT class.
    SETROPTS NOCLASSACT(RACFEVNT) NORACLIST(RACFEVNT)

    ______________________________________________________________________

  8. Delete the RACF key ring you created for enveloping. Also, delete any unneeded certificates you created for enveloping.
    Example:
    RACDCERT ID(RACFSUB) DELRING(IRR.PWENV.KEYRING)

    ______________________________________________________________________

When you are finished, you have disabled enveloping for both passwords and password phrases in a manner that allowed RACF to systematically delete existing envelopes. If some users were inactive during your interim period, their envelopes still remain.

Copyright IBM Corporation 1990, 2014