Password and password phrase envelope retrieval
z/OS Security Server RACF Callable Services SA23-2293-00

RACF® can be configured to create password or password phrase envelopes for eligible users. An envelope resides within a user's profile, and contains an encrypted version of the user's current password or password phrase. The password or password phrase can be recovered in clear text by authorized processes (for example, a password synchronization application).

The ADMN_XTR_PWENV function code of R_admin retrieves an encrypted password envelope. The ADMN_XTR_PPENV function code of R_admin retrieves an encrypted password phrase envelope. The ADMN_XTR_PWENV function code and the ADMN_XTR_PPENV function code of R_admin provide the only interfaces by which you can retrieve an encrypted envelope. An encrypted envelope is not returned as part of an R_admin extract function against a user profile, although there is a boolean field that indicates the existence of an envelope for that user. Neither RACROUTE REQUEST=EXTRACT nor ICHEINTY LOCATE returns an envelope field in a usable form.

Password and password phrase envelope retrieval requires the RACF subsystem address space to be running. It is limited to supervisor state callers, and, in addition, requires access to a FACILITY class profile.

For a description of the RACF password and password phrase enveloping function, see z/OS Security Server RACF Security Administrator's Guide.

The input parameter list format is the same as for the user-related update functions. See Table 1 for more information. For envelope retrieval, the input parameter list is used only to identify the target user ID for the retrieval, so no segment/field information is required.

The following table is the mapping of the output message block returned by R_admin for the ADMN_XTR_PWENV and ADMN_XTR_PPENV function codes. The output storage is obtained in the subpool specified by the caller in the Out_message_subpool parameter.

Copyright IBM Corporation 1990, 2014