The PASSWORD.ENVELOPE and PASSPHRASE.ENVELOPE resources in the
RACFEVNT class control whether new passwords and password phrases
are enveloped for a given user. You can optionally control both password
and password phrase enveloping using a single generic profile, such
as PASS*.ENVELOPE. If the user whose password or
password phrase is changed has at least READ access to the appropriate
resource, then the new password or password phrase is enveloped. Thus,
you can use these resources to selectively authorize users whose passwords
or password phrases will be enveloped. For example, you can exclude
sensitive user IDs from both password and password phrase enveloping
by authorizing those IDs to the PASS*.ENVELOPE resource
with access level NONE.
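The profile setup that the paragraph above describes, written out as an added example in TSO/RACF command form (this is not taken from the z/OS documentation; the user IDs IBMUSER and SYSPROG1 are placeholders, and it assumes the rest of password enveloping has already been configured and that the RACFEVNT class is active and RACLISTed):

```tso
/* Assumption: generic profile checking must be active for the class   */
/* before a generic name such as PASS*.ENVELOPE can be defined.        */
SETROPTS GENERIC(RACFEVNT)

/* One generic profile covers both PASSWORD.ENVELOPE and               */
/* PASSPHRASE.ENVELOPE. UACC(READ) envelopes everyone by default;      */
/* AUDIT(SUCCESS(READ)) writes an SMF record for each successful       */
/* access check, which is the only history available (failed checks   */
/* in RACFEVNT are never logged).                                      */
RDEFINE RACFEVNT PASS*.ENVELOPE UACC(READ) AUDIT(SUCCESS(READ))

/* Exclude sensitive IDs: an explicit user entry with ACCESS(NONE) in  */
/* the access list takes precedence over the UACC, so these users'     */
/* new passwords and phrases are not enveloped.                        */
PERMIT PASS*.ENVELOPE CLASS(RACFEVNT) ID(IBMUSER SYSPROG1) ACCESS(NONE)

/* RACFEVNT is a RACLISTed class: nothing above takes effect until the */
/* in-storage profiles are refreshed.                                  */
SETROPTS RACLIST(RACFEVNT) REFRESH

/* Verify the result. A user who is eligible should show               */
/* PASSWORD ENVELOPED=YES / PHRASE ENVELOPED=YES after the next change; */
/* an excluded user should show NO.                                    */
LISTUSER SYSPROG1
```

If the site prefers the opposite default, define the profile with UACC(NONE) and PERMIT READ only to the users or groups whose credentials should be enveloped; either way, re-run the RACLIST refresh after every PERMIT, or the change is silently ignored until the next refresh.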
Restrictions:
- An enveloped password or password phrase is not displayed in the
user's LISTUSER output. (The lines PASSWORD ENVELOPED=YES and PHRASE
ENVELOPED=YES in the LISTUSER output indicate that a password
or password phrase envelope is present. See z/OS Security Server RACF Command Language Reference for
LISTUSER details.)
- An enveloped password or password phrase is not unloaded by the
database unload (IRRDBU00) utility. (Certain fields in the output
indicate that a password or password phrase envelope is present. See z/OS Security Server RACF Macros and Interfaces for
details about IRRDBU00 output records.)
- No SMF records are created as a result of failed access checks
to resources in the RACFEVNT class. You can set audit options in the
resource profiles to log successes, and thus maintain a history of
whose passwords and password phrases are enveloped.
- If the user fails verification (when the RACROUTE REQUEST=VERIFY
is executed during envelope processing), the user's new password or
password phrase is not enveloped, even when the password or
password phrase change is successful. One possible reason for a verification
failure (during envelope processing) is that the user is revoked at
the time that envelope processing occurs.
For example, if an administrator
uses the ALTUSER command to change the password of a revoked user
who is eligible for password enveloping, the user's password is changed
but the user's password is not enveloped. Even when the administrator
subsequently resumes the revoked user, the password is not enveloped.
To
envelope the password or password phrase of an eligible user who is
revoked, you must resume the user before the change, or resume the
user with the same ALTUSER command that changes the password or password
phrase.
Example (correct):
ALTUSER userid PASSWORD(new-password) PHRASE(new-password-phrase) RESUME
Example (correct):
ALTUSER userid RESUME
ALTUSER userid PASSWORD(new-password) PHRASE(new-password-phrase)
Example (incorrect):
ALTUSER userid PASSWORD(new-password) PHRASE(new-password-phrase)
ALTUSER userid RESUME
When you use the correct examples, the user is no longer revoked at the
moment the password and password phrase are changed, so the RACROUTE
REQUEST=VERIFY issued during envelope processing succeeds and the new
values are enveloped. In the incorrect example, the user is still revoked
when the change is made, the verification fails, and the subsequent RESUME
does not cause the already-changed password or password phrase to be
enveloped.