RACF® can be configured to save user passwords and password phrases so that an authorized application can recover them in clear text. This ability can be restricted to a subset of your users and can be further limited to only passwords or password phrases.

When an eligible user's password or password phrase is changed, the new value is encrypted under a public key within a key ring associated with the user ID of the RACF subsystem address space. The encrypted value is then stored in the user's profile. When an application requests the password or password phrase, RACF decrypts the value, and then encrypts it in PKCS #7 format for recipients whose digital certificates have been placed on the same RACF key ring. An authorized application can then decrypt the password envelope or password phrase envelope using the recipient's private key.

The R_Admin callable service (IRRSEQ00) provides the interface by which an application can retrieve an envelope. See z/OS Security Server RACF Callable Services for interface documentation, including a description of the envelope structure.

For the most part, new passwords and new password phrases are enveloped for an eligible user, with the following exceptions: