RACF® provides a two-step method of authentication for passwords, password phrases, and OIDCARD data, originally intended to allow installations to migrate from the masking algorithm to the DES algorithm. The two-step method is used when RACF cannot find an ICHDEX01 exit in the link pack area.

Each time a user logs on and enters a password, password phrase, or OIDCARD, RACF performs the two-step method of authentication as follows:
- RACF first compares the results of the DES algorithm to the encoded form of the password, password phrase, or OIDCARD stored on the database. If there is no match, the second step is performed.
- RACF compares the results of the masking algorithm to the encoded form of the password, password phrase, or OIDCARD stored on the database.

Note:
- If two or more systems share the RACF database, they must all use the same password authentication algorithm. If you do not ensure that the systems use the same algorithm, RACF might not be able to recognize valid passwords, and users might not be able to log on.
- If you use an installation application or add-on product that passes or synchronizes encrypted or masked password data between two RACF databases, you should ensure that all systems using the databases are using the same algorithm.
- You can use the RACF remote sharing facility to synchronize passwords between RACF databases, even if the systems using the databases do not use the same password authentication algorithm.

Guideline: A network is only as secure as its weakest point of entry. Use the DES authentication algorithm on all systems in an RRSF network, to reduce the risk of compromising a password that can be used on multiple systems.

For further information on ICHDEX01, see Password authentication exits.
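
The following Python sketch is an added example, not IBM code. It models the two-step comparison order described above and the shared-database mismatch from the first note. The encoders are labelled stand-ins and are not the RACF DES or masking algorithms; the user IDs, passwords, and the single-algorithm system are constructed assumptions.

```python
import hashlib
import hmac

# Stand-in encoders (assumption): these are NOT the RACF DES or masking
# algorithms. They only produce two distinct encoded forms for the model.
def _encode(label, userid, secret):
    return hashlib.sha256(f"{label}|{userid}|{secret}".encode()).digest()

def encode_des(userid, secret):
    return _encode("des-standin", userid, secret)

def encode_masked(userid, secret):
    return _encode("mask-standin", userid, secret)

def two_step_verify(userid, secret, stored):
    """Return which step matched: 'des', 'masking', or None."""
    # Step 1: compare the DES result with the stored encoded form.
    if hmac.compare_digest(encode_des(userid, secret), stored):
        return "des"
    # Step 2: only reached when step 1 did not match.
    if hmac.compare_digest(encode_masked(userid, secret), stored):
        return "masking"
    return None

def single_algorithm_verify(userid, secret, stored, encoder):
    """Hypothetical system sharing the database that checks one form only."""
    return hmac.compare_digest(encoder(userid, secret), stored)

# Constructed sample database: one entry in each encoded form.
SAMPLE_DB = {
    "USERA": encode_des("USERA", "pw-a"),      # already in the DES form
    "USERB": encode_masked("USERB", "pw-b"),   # still in the masked form
}

def legacy_entries(db, logons):
    """User IDs whose valid logon matched only at step 2 (masked form)."""
    return sorted(u for u, s in logons
                  if two_step_verify(u, s, db[u]) == "masking")

if __name__ == "__main__":
    logons = [("USERA", "pw-a"), ("USERB", "pw-b"), ("USERA", "wrong")]
    for userid, secret in logons:
        print(userid, two_step_verify(userid, secret, SAMPLE_DB[userid]))
    print("still masked:", legacy_entries(SAMPLE_DB, logons))
    # A masking-only system rejects USERA's valid password on the shared
    # database, which is the failure the first note warns about.
    print(single_algorithm_verify("USERA", "pw-a",
                                  SAMPLE_DB["USERA"], encode_masked))
```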