Perform the following steps to remove existing password envelopes
and password phrase envelopes from user profiles, and disable enveloping.
1. Delete the IRR.RADMIN.EXTRACT.* resource in the FACILITY class
   and refresh the FACILITY class. This prevents applications that use
   the R_admin callable service (IRRSEQ00) from retrieving envelopes.
   Example:
     RDELETE FACILITY IRR.RADMIN.EXTRACT.*
     SETROPTS RACLIST(FACILITY) REFRESH

2. Alter the PASS*.ENVELOPE profile to update the UACC to NONE (if not
   already specified) and remove all access authorizations. Then, refresh
   the RACFEVNT class. This step disallows password and password phrase
   enveloping for all users.
   Examples:
     RALTER RACFEVNT PASS*.ENVELOPE UACC(NONE)
     PERMIT PASS*.ENVELOPE CLASS(RACFEVNT) RESET
     SETROPTS RACLIST(RACFEVNT) REFRESH

3. Determine the current change interval for passwords and password
   phrases by inspecting the password processing options listed in the
   output of the SETROPTS LIST command.
   Sample output:
     PASSWORD PROCESSING OPTIONS:
       PASSWORD CHANGE INTERVAL IS 180 DAYS.

4. Choose the length of your interim period (for instance, 240 days)
   to allow the change interval to elapse while the RACFEVNT class
   remains active. Consider a time period long enough to maximize the
   number of users who will be active.
   During this period, user passwords and password phrases will expire
   and the users who log on will be forced to change them to new values.
   Because you disallowed enveloping for all users in Step 2, RACF® will
   not envelope the new values and will systematically delete existing
   envelopes.

5. (Optional) Before the end of your interim period, gauge your progress
   by running the IRRDBU00 utility (see Using the RACF database unload
   utility (IRRDBU00)) to report on users who still have envelopes.
   (Envelopes will remain for users who are inactive during your interim
   period.) Revise the length of your interim period if needed.

6. At the end of your interim period, disable enveloping for passwords
   and password phrases by deleting the PASS*.ENVELOPE profile and
   refreshing the RACFEVNT class.
     RDELETE RACFEVNT PASS*.ENVELOPE
     SETROPTS RACLIST(RACFEVNT) REFRESH

7. If you do not need the RACFEVNT class for LDAP event notification
   (see LDAP event notification), deactivate the RACFEVNT class and
   remove any RACLISTed profiles for the RACFEVNT class.
     SETROPTS NOCLASSACT(RACFEVNT) NORACLIST(RACFEVNT)

8. Delete the RACF key ring you created for enveloping. Also, delete any
   unneeded certificates you created for enveloping.
   Example:
     RACDCERT ID(RACFSUB) DELRING(IRR.PWENV.KEYRING)
When you are finished, you have disabled enveloping for both passwords
and password phrases in a manner that allowed RACF to systematically delete existing envelopes.
If some users were inactive during your interim period, their envelopes
still remain.
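Step 5 has you gauge progress from IRRDBU00 output, and the closing note explains that envelopes remain for users who were inactive. The following Python example is added here and is not part of the original procedure or of IBM's tooling: it keeps only User Basic Data (0200) records from an unload file and separates users who still hold an envelope but were inactive during the interim period (expected) from users who did log on and still hold one (worth investigating). The record type and yyyy-mm-dd date format are IRRDBU00's; the field positions, field names and sample lines are constructed placeholders that must be replaced from your release's IRRDBU00 record layout.

```python
"""Report users whose password or password phrase envelopes remain.

Added example. IRRDBU00 output is fixed-column; the column map below is an
ASSUMED placeholder for the constructed sample and must be set from your
release's User Basic Data (0200) record layout before use on real output.
"""
from datetime import date

RECORD_TYPE_USER_BASIC = "0200"   # IRRDBU00 record type for user basic data

# Assumed (start column, length), 1-based like the IRRDBU00 layout tables.
FIELDS = {
    "userid": (6, 8),              # user ID
    "last_logon_date": (15, 10),   # assumed position; yyyy-mm-dd or blank
    "pwd_envelope": (26, 1),       # assumed position; Y = password envelope
    "phr_envelope": (28, 1),       # assumed position; Y = phrase envelope
}

def field(record, name):
    start, length = FIELDS[name]
    return record[start - 1:start - 1 + length].strip()

def parse_date(text):
    # IRRDBU00 emits dates as yyyy-mm-dd; blank means the user never logged on.
    return date.fromisoformat(text) if text else None

def enveloped_users(records, interim_start):
    """Return (userid, pwd_env, phr_env, inactive) for still-enveloped users.

    inactive is True when the user has not logged on since interim_start, the
    expected reason an envelope survives; an active user with an envelope
    suggests enveloping was not really disabled for that user."""
    report = []
    for rec in records:
        if rec[:4] != RECORD_TYPE_USER_BASIC:
            continue
        pwd_env = field(rec, "pwd_envelope") == "Y"
        phr_env = field(rec, "phr_envelope") == "Y"
        if not (pwd_env or phr_env):
            continue
        last = parse_date(field(rec, "last_logon_date"))
        inactive = last is None or last < interim_start
        report.append((field(rec, "userid"), pwd_env, phr_env, inactive))
    return report

# Constructed sample unload lines laid out to the assumed columns above.
SAMPLE_UNLOAD = [
    "0200 ALICE    2024-03-10 Y N",   # inactive since before the interim period
    "0200 BOB      2024-09-01 N N",   # changed password, envelope deleted
    "0200 CAROL    2024-08-15 N Y",   # active yet still enveloped: check
    "0200 DAVE                Y N",   # never logged on
    "0500 SYS1     ...",              # general resource record, skipped
]

if __name__ == "__main__":
    for user, pwd, phr, inactive in enveloped_users(SAMPLE_UNLOAD, date(2024, 6, 1)):
        print(user, "pwd" if pwd else "", "phrase" if phr else "",
              "inactive" if inactive else "ACTIVE: investigate")
```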