Specifying the encryption method for user passwords
z/OS Security Server RACF Security Administrator's Guide SA23-2289-00
By default, RACF® uses the Data Encryption Standard (DES) algorithm to encrypt passwords and operator identification card (OIDCARD) data. If you want to use the ICHDEX01 exit routine to store the passwords and OIDCARD data in a masked form, use one of the following methods to override the DES algorithm:
RACF performs two different encoding functions:
Encoding means that, given data in clear text and given an encryption key (which RACF constructs), the equivalent data is produced in encrypted form. RACF provides a "one-way" encoding. That is, data encrypted by RACF can only be decoded if the data is already known. For additional details, see z/OS Security Server RACF System Programmer's Guide.
Comparison means that, given a password (or OIDCARD data) as entered by a user (in clear text form) and given a password (or OIDCARD data) as stored in the RACF database in encoded form, an indication as to whether they are equal or not is returned.
RACF performs password comparison in the following way:
By encoding the user-entered data against both the DES algorithm and the masking algorithm, RACF allows the use of existing masked passwords and OIDCARD data until they can be replaced by the DES forms.
For compatibility with previous versions of RACF, a dummy ICHDEX01 exit routine is supplied with RACF. You should delete the dummy exit routine on all systems that share the RACF database after all of these systems have been converted to a version of RACF that supports the DES algorithm.
Copyright IBM Corporation 1990, 2014