z/OS Security Server RACF Callable Services


Password and password phrase envelope retrieval

SA23-2293-00

RACF® can be configured to create password or password phrase envelopes for eligible users. An envelope resides within a user's profile, and contains an encrypted version of the user's current password or password phrase. The password or password phrase can be recovered in clear text by authorized processes (for example, a password synchronization application).

The ADMN_XTR_PWENV function code of R_admin retrieves an encrypted password envelope. The ADMN_XTR_PPENV function code of R_admin retrieves an encrypted password phrase envelope. The ADMN_XTR_PWENV function code and the ADMN_XTR_PPENV function code of R_admin provide the only interfaces by which you can retrieve an encrypted envelope. An encrypted envelope is not returned as part of an R_admin extract function against a user profile, although there is a boolean field that indicates the existence of an envelope for that user. Neither RACROUTE REQUEST=EXTRACT nor ICHEINTY LOCATE returns an envelope field in a usable form.

Password and password phrase envelope retrieval requires the RACF subsystem address space to be running. It is limited to supervisor state callers, and, in addition, requires access to a FACILITY class profile.

For a description of the RACF password and password phrase enveloping function, see z/OS Security Server RACF Security Administrator's Guide. The input parameter list format is the same as for the user-related update functions. See Table 1 for more information. For envelope retrieval, the input parameter list is used only to identify the target user ID for the retrieval; therefore, no segment/field information is required.

The following table is the mapping of the output message block returned by R_admin for the ADMN_XTR_PWENV and ADMN_XTR_PPENV function codes. The output storage is obtained in the subpool specified by the caller in the Out_message_subpool parameter.

Table 1. Output message block

Offset  Length  Description
0       4       Eye catcher to aid in virtual storage dumps: "RXPW" for password envelope and "RXPP" for password phrase envelope.
4       1       Subpool of this block
5       3       Total length of the output buffer
8       0       Start of the encrypted envelope
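
A caller that receives this block should validate the header before trusting its length field. The following parser for the Table 1 layout is an added example, not IBM code. The names (parse_env_block, struct env_view), the EBCDIC IBM-1047 encoding of the eye catcher, and the reading of the 3-byte length as big-endian and inclusive of the 8-byte header are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ENV_HDR_LEN 8u  /* Table 1: the envelope starts at offset 8 */
enum env_kind { ENV_INVALID = 0, ENV_PASSWORD, ENV_PHRASE };

struct env_view {
    enum env_kind  kind;         /* from the eye catcher at offset 0 */
    uint8_t        subpool;      /* offset 4 */
    uint32_t       total_len;    /* offset 5, 3 bytes, read as big-endian */
    const uint8_t *envelope;     /* offset 8, still encrypted */
    uint32_t       envelope_len; /* assumption: total_len - 8 */
};

/* "RXPW" and "RXPP" in EBCDIC (assumption: code page IBM-1047). */
static const uint8_t EYE_RXPW[4] = { 0xD9, 0xE7, 0xD7, 0xE6 };
static const uint8_t EYE_RXPP[4] = { 0xD9, 0xE7, 0xD7, 0xD7 };

/* Validate the header before using the length it carries.
   avail = bytes known to be addressable at blk. Returns 0, or -1 if malformed. */
int parse_env_block(const uint8_t *blk, size_t avail, struct env_view *out)
{
    struct env_view v = { ENV_INVALID, 0, 0, NULL, 0 };
    *out = v;                                 /* caller sees ENV_INVALID on any failure */
    if (blk == NULL || avail < ENV_HDR_LEN) return -1;
    if (memcmp(blk, EYE_RXPW, 4) == 0)      v.kind = ENV_PASSWORD;
    else if (memcmp(blk, EYE_RXPP, 4) == 0) v.kind = ENV_PHRASE;
    else return -1;                           /* not an envelope block */
    v.subpool   = blk[4];
    v.total_len = ((uint32_t)blk[5] << 16) | ((uint32_t)blk[6] << 8) | blk[7];
    if (v.total_len < ENV_HDR_LEN || v.total_len > avail) return -1;
    v.envelope     = blk + ENV_HDR_LEN;
    v.envelope_len = v.total_len - ENV_HDR_LEN;
    *out = v;
    return 0;
}

/* Constructed sample blocks; the 0xAA bytes stand in for envelope data. */
static const uint8_t SAMPLE_PW[12]      = { 0xD9,0xE7,0xD7,0xE6, 0x01, 0x00,0x00,0x0C, 0xAA,0xAA,0xAA,0xAA };
static const uint8_t SAMPLE_BAD_LEN[12] = { 0xD9,0xE7,0xD7,0xD7, 0x01, 0x00,0x01,0x00, 0xAA,0xAA,0xAA,0xAA }; /* claims 256 bytes */
static const uint8_t SAMPLE_ASCII[12]   = { 0x52,0x58,0x50,0x57, 0x01, 0x00,0x00,0x0C, 0xAA,0xAA,0xAA,0xAA }; /* ASCII "RXPW" */
static struct env_view sample_view;

int main(void)
{
    return parse_env_block(SAMPLE_PW, sizeof SAMPLE_PW, &sample_view);
}
```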

Copyright IBM Corporation 1990, 2014