z/OS Security Server RACF System Programmer's Guide


Password authentication exits

SA23-2287-00

There are two password authentication exit routines, ICHDEX01 and ICHDEX11. The RACF® manager calls ICHDEX01 whenever it is necessary to store or compare encrypted password, password phrase, or OIDCARD data in a user profile. RACROUTE REQUEST=EXTRACT processing calls ICHDEX01 when TYPE=ENCRYPT,ENCRYPT=(...,INST) is specified for BRANCH=NO. When BRANCH=YES is specified, RACROUTE processing calls ICHDEX11. ICHDEX01 and ICHDEX11 perform equivalent functions.

These exits enable an installation to choose which password authentication method RACF uses; the available choices and the return code that selects each one are described in the paragraphs that follow.

See Password authentication options for more information on password authentication options.

To use an installation-provided method of user verification, set the return code in the ICHDEX01 exit to 0. As a result, RACF uses the encoding routine coded in the exit. You should also provide an ICHDEX11 exit to perform the same function.

To use the masking algorithm as the only means of logon checking, set the return code in the ICHDEX01 exit to 4. You should also provide an ICHDEX11 exit that sets the same return code.

To use only the RACF DES algorithm for checking user IDs, set the return code in the ICHDEX01 exit to 8. You should also provide an ICHDEX11 exit that sets the same return code. This might be the method you want to use if your installation is a new user of RACF and has never used the masking algorithm.

If you do not provide an ICHDEX01 exit and activate it as described in Installing the exit routine, RACF uses the two-step method of checking described in The two-step method of password authentication. When you install the RACF component of the Security Server, the ICHDEX01 exit is not active and the two-step method of checking is used.

When using the two-step method of checking, there is an extremely remote possibility that the RACF DES-encoded form of one user's password is identical to the masked form of another user's password. As long as your installation uses the two-step method of checking, your installation might have an exposure. To avoid this possibility, after all the users at your installation have been RACF DES-encoded using the two-step verification and conversion process, provide an ICHDEX01 exit that sets the return code to 8. This return code directs RACF to use only the RACF DES algorithm for logon checking. You should also provide an ICHDEX11 exit that sets the same return code.
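An added example (not IBM-supplied code) of the DES-only exit this paragraph calls for: a minimal ICHDEX01, written in HLASM, that unconditionally returns 8. It assumes the standard z/OS exit linkage (R13 addresses a 72-byte save area, R14 the return address, R15 the entry point) and that the same module can also be link-edited under the name ICHDEX11, which the page states only for the RACF-provided version.

```hlasm
         TITLE 'ICHDEX01 - FORCE RACF DES-ONLY PASSWORD CHECKING'
*---------------------------------------------------------------------*
* Added example, not IBM-supplied code.                               *
* Sets return code 8 for every call, directing RACF to use only the   *
* RACF DES algorithm for logon checking (no masking fallback).        *
* Assumptions: standard z/OS linkage on entry (R13 -> 72-byte save    *
* area, R14 = return address, R15 = entry point). The parameter list  *
* addressed by R1 is not examined, because the decision does not      *
* depend on the user or the data being compared. The module does not  *
* modify its own storage, so it is reentrant and suitable for the LPA.*
* Link-edit a second copy under the name ICHDEX11 for BRANCH=YES.     *
*---------------------------------------------------------------------*
ICHDEX01 CSECT
ICHDEX01 AMODE 31
ICHDEX01 RMODE ANY
         SAVE  (14,12),,*                Save caller's registers
         LR    R12,R15                   Entry point -> base register
         USING ICHDEX01,R12
*
* Return code meanings (from this section of the guide):
*   0 = use the encoding routine coded in the exit
*   4 = use the masking algorithm only
*   8 = use the RACF DES algorithm only   <-- chosen here
*
         LA    R15,8                     RC=8: RACF DES algorithm only
         RETURN (14,12),RC=(15)          Restore R14,R0-R12; keep R15
*
R12      EQU   12
R15      EQU   15
         END   ICHDEX01
```

Once both modules are in the link pack area and activated as described in Installing the exit routine, a logon whose stored password verifies only under the masking algorithm will fail, which is the intended effect after the conversion to DES has completed.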

RACF provides a version of ICHDEX01 that unconditionally returns with a return code of 4 to force RACF to use the masking algorithm. The RACF-provided version of ICHDEX01 is shipped in SYS1.LINKLIB, where it is not found during initialization. As a result, the DES algorithm, using the two-step method of checking, is the default.

If you use the RACF-provided version of ICHDEX01, you can also use it as the ICHDEX11 exit. You must create the appropriate module in the link pack area.





Copyright IBM Corporation 1990, 2014