z/OS Security Server RACF Security Administrator's Guide


Specifying the encryption method for user passwords

z/OS Security Server RACF Security Administrator's Guide
SA23-2289-00

By default, RACF® uses the data encryption standard (DES) algorithm to encrypt passwords and operator identification card (OIDCARD) data.

If you want to use the ICHDEX01 exit routine to store the passwords and OIDCARD data in a masked form, use one of the following methods to override the DES algorithm:
  • Use MLPA to cause RACF to find the exit. This is the recommended method because you only need to do it once.
  • Create an SMP/E USERMOD to claim ownership of ICHDEX01 and move it to LPALIB. This is not recommended because you need to perform this operation with each installation.
RACF performs two different encoding functions:
  • Password/OIDCARD data encoding
  • Password/OIDCARD data comparison

Encoding means that, given data in clear text and given an encryption key (which RACF constructs), the equivalent data is produced in encrypted form. RACF provides a "one-way" encoding. That is, data encrypted by RACF cannot be decrypted back to clear text; a value can be checked only by encrypting it again and comparing the result, so it can be recovered only if it is already known. For additional details, see z/OS Security Server RACF System Programmer's Guide.

Comparison means that, given a password (or OIDCARD data) as entered by a user (in clear text form) and given a password (or OIDCARD data) as stored in the RACF database in encoded form, RACF returns an indication of whether the two are equal.

RACF performs password comparison in the following way:
  • RACF encrypts the user-entered data using the DES algorithm and compares it against the stored version. If they are equal, RACF returns to the caller with an "equal" indication.
  • RACF encodes the user-entered data using the current masking algorithm and compares it against the stored version. If they are equal, RACF returns to the caller with an "equal" indication.

By encoding the user-entered data with both the DES algorithm and the masking algorithm, RACF allows the use of existing masked passwords and OIDCARD data until they can be replaced by the DES forms.
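The two-step comparison above, as an added example that is not RACF code: HMAC-SHA256 stands in for the DES encoding, a fixed XOR stands in for the masking algorithm, and the key construction, the 8-byte password field and the re-encoding of a masked entry on a successful logon are assumptions made here, not RACF behaviour.

```python
"""Two-path password comparison model (added example, not RACF code).
HMAC-SHA256 stands in for RACF's DES encoding and a fixed XOR stands in for the
ICHDEX01 masking algorithm; both are constructed so the logic runs offline."""
import hashlib
import hmac
from typing import Dict, NamedTuple, Optional

MASK = bytes.fromhex("5c5c5c5c5c5c5c5c")  # constructed constant, not RACF's

def _pad8(text: str) -> bytes:
    """Pad or truncate to 8 bytes (assumption: fixed-width password field)."""
    return text.ljust(8)[:8].encode("ascii")

def construct_key(userid: str) -> bytes:
    """Stand-in for the key RACF constructs itself (assumption: from the user ID)."""
    return hashlib.sha256(b"KEY:" + _pad8(userid)).digest()

def des_encode(userid: str, cleartext: str) -> bytes:
    """One-way encoding: can only be re-computed from a known value, never reversed."""
    return hmac.new(construct_key(userid), _pad8(cleartext), hashlib.sha256).digest()

def mask_encode(cleartext: str) -> bytes:
    """Stand-in for the masking algorithm: a fixed XOR, i.e. reversible obfuscation."""
    return bytes(b ^ m for b, m in zip(_pad8(cleartext), MASK))

class CompareResult(NamedTuple):
    equal: bool
    method: Optional[str]  # "DES", "MASK" or None

def compare_password(userid: str, entered: str, stored: bytes) -> CompareResult:
    """The two steps from the page: DES form first, then the current masking form.
    compare_digest is constant-time and returns False on a length mismatch."""
    if hmac.compare_digest(des_encode(userid, entered), stored):
        return CompareResult(True, "DES")
    if hmac.compare_digest(mask_encode(entered), stored):
        return CompareResult(True, "MASK")
    return CompareResult(False, None)

def logon(db: Dict[str, bytes], userid: str, entered: str) -> CompareResult:
    """Verify; if the match came via the masking path, replace the stored value with
    the DES form so the masked entry is retired (assumption: one way to do this)."""
    result = compare_password(userid, entered, db[userid])
    if result.equal and result.method == "MASK":
        db[userid] = des_encode(userid, entered)
    return result

# Constructed sample database: one DES-form entry and one legacy masked entry.
SAMPLE_DB = {"ALICE": des_encode("ALICE", "s3cret"), "BOB": mask_encode("oldpass")}
```

The `method` field tells the caller which path produced the match, which is what lets an installation find and replace entries that are still stored in masked form.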

For compatibility with previous versions of RACF, a dummy ICHDEX01 exit routine is supplied with RACF. You should delete the dummy exit routine on all systems that share the RACF database after all of these systems have been converted to a version of RACF that supports the DES algorithm.

Copyright IBM Corporation 1990, 2014