The new-password exit must be named ICHPWX01.
This exit can run in the RACF® subsystem
address space, and considerations discussed in Exits running in the RACF subsystem address space apply.
This exit must be reentrant. It can have any RMODE but should use
AMODE(31) or AMODE(ANY) as the AMODE for the best use of virtual storage
and best RACF performance.
When called from RACROUTE REQUEST=VERIFY processing, this exit
is invoked in supervisor state, under protection key 0.
When called from the ALTUSER or PASSWORD commands:
- If the command originates from a TSO user, the exit is invoked
in problem state, under protection key 8, in an APF-authorized environment.
- If the command is a directed command, the exit is invoked in supervisor
state, under protection key 0.
- If the command originates from the operator's console, the exit
is invoked in problem state, under protection key 2, in an APF-authorized
environment.
- If the command was issued under another task, the invocation state
depends on the attributes of that task.
The ICHPWX01 routine is invoked in the following ways:
- Through RACROUTE REQUEST=VERIFY processing. If you specify
a new password, REQUEST=VERIFY performs the following functions:
- Invokes ICHRIX01 (if ICHRIX01 is present in the system)
- Validates the new password for correct alphanumeric syntax and
compliance with the installation's syntax rules
- Invokes ICHPWX01 (if ICHPWX01 is present in the system)
- Through the ALTUSER command. After parsing and checking
the user's authorization:
- If you specify the PASSWORD keyword with NOEXPIRED, ALTUSER validates
the new password against the installation's syntax rules and invokes
ICHPWX01.
- If you specify the PASSWORD keyword with a password value and
do not specify NOEXPIRED, ALTUSER invokes ICHPWX01. The syntax rules
do not apply. The user is required to change the password at the next
logon or start of a job.
- If you specify the PASSWORD operand without a value and do not
specify NOEXPIRED, the password defaults to that of the user's default
group. In that case, ICHPWX01 is not invoked. The user is required
to change the password at the next logon or start of a job.
- Through the PASSWORD command. If you specify the PASSWORD
or INTERVAL keywords and the conditions listed below are met, PASSWORD
invokes ICHPWX01 after parsing and checking the user's authorization:
- The new password differs from the current password.
- The new password differs from the previous passwords, if the password-history
option is active.
- The new password obeys all of the installation's syntax rules.
z/OS Security Server RACF Data Areas contains
a mapping of the exit parameter list, PWXP, which is mapped by macro
ICHPWXP in SYS1.MODGEN.
Table 1 shows which fields
are available to the exit when the exit is called from the different RACF components.
Table 1. Fields available
during ICHPWX01 processing| OFFSET (Decimal) |
PARAMETER (Address) |
REQUEST= VERIFY |
ALTUSER |
PASSWORD |
|---|
| 0 |
Length |
X |
X |
X |
| 4 |
Caller |
X |
X |
X |
| 8 |
Command-processor parameter list |
— |
X |
X |
| 12 |
NEWPASS |
X |
X |
O |
| 16 |
INTERVAL |
— |
— |
O |
| 20 |
User ID |
X |
X |
X |
| 24 |
Work area |
X |
— |
— |
| 28 |
Current password |
X |
— |
O¹ |
| 32 |
Password last change date |
X |
— |
O¹ |
| 36 |
ACEE |
X² |
X |
X |
| 40 |
Group name |
O |
— |
— |
| 44 |
Installation data |
O |
— |
— |
| 48 |
Password history |
X |
— |
O¹ |
| 52 |
Flag byte |
X |
— |
— |
| 56 |
Password last change date |
X |
— |
X |
- X
- means the field is always available.
- O
- means the field might be available.
- —
- means the field is never available.
Note: - Available only if NEWPASS is available.
- Although available, the ACEE might not be fully initialized.
|
z/OS Security Server RACF System Programmer's Guide
Copyright IBM Corporation 1990, 2014