z/OS Security Server RACF System Programmer's Guide


The two-step method of password authentication

SA23-2287-00

RACF® provides a two-step method of authentication for passwords, password phrases, and OIDCARD data, originally intended to allow installations to migrate from the masking algorithm to the DES algorithm. The two-step method is used when RACF cannot find an ICHDEX01 exit in the link pack area.

Each time a user logs on and enters a password, password phrase, or OIDCARD, RACF performs the two-step method of authentication as follows:

  1. RACF first compares the results of the DES algorithm to the encoded form of the password, password phrase, or OIDCARD stored on the database. If there is no match, the second step is performed.
  2. RACF compares the results of the masking algorithm to the encoded form of the password, password phrase, or OIDCARD stored on the database.
Note:
  1. If two or more systems share the RACF database, they must all use the same password authentication algorithm. If you do not ensure that the systems use the same algorithm, RACF might not be able to recognize valid passwords, and users might not be able to log on.
  2. If you use an installation application or add-on product that passes or synchronizes encrypted or masked password data between two RACF databases, you should ensure that all systems using the databases are using the same algorithm.
  3. You can use the RACF remote sharing facility to synchronize passwords between RACF databases, even if the systems using the databases do not use the same password authentication algorithm.

    Guideline: A network is only as secure as its weakest point of entry. Use the DES authentication algorithm on all systems in an RRSF network, to reduce the risk of compromising a password that can be used on multiple systems.
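The following is an added illustration, not IBM code and not a reproduction of RACF's DES or masking algorithms. It models the two-step check described above (try the DES result first, then the masking result) and the situation described in the notes, in which a record encoded by one algorithm is presented to a system that checks only the other. The two encoders are constructed stand-ins: `des_style_encode` is HMAC-SHA256 of the user ID keyed by the password, `mask_style_encode` is a fixed XOR mask; the user IDs, passwords and mask value are constructed sample data.

```python
"""Model of RACF's two-step password authentication (added example, not IBM code).

The real DES and masking algorithms are not reproduced; the two encoders below
are constructed stand-ins so the control flow can be run offline.
"""
import hashlib
import hmac

# Constructed stand-in for "the DES algorithm": HMAC-SHA256 of the user ID
# keyed by the password, truncated to 8 bytes. NOT RACF's actual algorithm.
def des_style_encode(userid, password):
    key = password.upper().encode("ascii")
    msg = userid.upper().encode("ascii")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

# Constructed stand-in for "the masking algorithm": XOR with a fixed mask.
# NOT RACF's actual mask value or algorithm.
MASK = bytes.fromhex("5a5a5a5a5a5a5a5a")

def mask_style_encode(userid, password):
    padded = password.upper().ljust(8)[:8].encode("ascii")
    return bytes(b ^ m for b, m in zip(padded, MASK))

def two_step_verify(stored, userid, password):
    """The two-step method (no ICHDEX01 exit present).

    Step 1: compare the DES-style result with the stored encoded form.
    Step 2: only if step 1 fails, compare the masking-style result.
    Returns "DES" or "MASK" for the step that matched, or None.
    """
    if hmac.compare_digest(des_style_encode(userid, password), stored):
        return "DES"
    if hmac.compare_digest(mask_style_encode(userid, password), stored):
        return "MASK"
    return None

def single_algorithm_verify(stored, userid, password, algorithm):
    """Models a system that uses exactly one algorithm (e.g. one selected by an
    ICHDEX01 exit). Hypothetical helper for the shared-database scenario."""
    encode = des_style_encode if algorithm == "DES" else mask_style_encode
    return hmac.compare_digest(encode(userid, password), stored)

# Constructed sample database: USER01's record was written by a system using
# the DES-style algorithm, USER02's by a system using the masking-style one.
DATABASE = {
    "USER01": des_style_encode("USER01", "secret1"),
    "USER02": mask_style_encode("USER02", "secret2"),
}

def demo():
    """Run each stored record through the two-step check and through two
    single-algorithm systems sharing the same database."""
    results = {}
    for userid, password in (("USER01", "secret1"), ("USER02", "secret2")):
        stored = DATABASE[userid]
        results[userid] = {
            "two_step": two_step_verify(stored, userid, password),
            "des_only": single_algorithm_verify(stored, userid, password, "DES"),
            "mask_only": single_algorithm_verify(stored, userid, password, "MASK"),
        }
    return results

if __name__ == "__main__":
    for userid, outcome in demo().items():
        print(userid, outcome)
```

Running `demo()` shows the point of notes 1 and 2: the two-step check accepts both records, but a DES-only system rejects USER02 and a masking-only system rejects USER01, which is exactly the "valid password not recognized" failure that arises when systems sharing a database do not use the same algorithm.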

For further information on ICHDEX01, see Password authentication exits.





Copyright IBM Corporation 1990, 2014