z/OS Security Server RACF Security Administrator's Guide


Resources that control enveloping

SA23-2289-00

The PASSWORD.ENVELOPE and PASSPHRASE.ENVELOPE resources in the RACFEVNT class control whether new passwords and password phrases are enveloped for a given user. You can optionally control both password and password phrase enveloping using a single generic profile, such as PASS*.ENVELOPE. If the user whose password or password phrase is changed has at least READ access to the appropriate resource, then the new password or password phrase is enveloped. Thus, you can use these resources to selectively authorize users whose passwords or password phrases will be enveloped. For example, you can exclude sensitive user IDs from both password and password phrase enveloping by authorizing those IDs to the PASS*.ENVELOPE resource with access level NONE.

Restrictions:
  • An enveloped password or password phrase is not displayed in the user's LISTUSER output. (The lines PASSWORD ENVELOPED=YES and PHRASE ENVELOPED=YES in the LISTUSER output indicate that a password or password phrase envelope is present. See z/OS Security Server RACF Command Language Reference for LISTUSER details.)
  • An enveloped password or password phrase is not unloaded by the database unload (IRRDBU00) utility. (Certain fields in the output indicate that a password or password phrase envelope is present. See z/OS Security Server RACF Macros and Interfaces for details about IRRDBU00 output records.)
  • No SMF records are created as a result of failed access checks to resources in the RACFEVNT class. You can set audit options in the resource profiles to log successes, and thus maintain a history of whose passwords and password phrases are enveloped.
  • If the user fails verification (when the RACROUTE REQUEST=VERIFY is executed during envelope processing), the user's new password or password phrase is not enveloped, even when the password or password phrase change is successful. One possible reason for a verification failure (during envelope processing) is that the user is revoked at the time that envelope processing occurs.

    For example, if an administrator uses the ALTUSER command to change the password of a revoked user who is eligible for password enveloping, the user's password is changed but the user's password is not enveloped. Even when the administrator subsequently resumes the revoked user, the password is not enveloped.

    To envelope the password or password phrase of an eligible user who is revoked, you must resume the user before the change, or resume the user with the same ALTUSER command that changes the password or password phrase.

    Example (correct):
    ALTUSER userid PASSWORD(new-password) PHRASE(new-password-phrase) RESUME
    Example (correct):
    ALTUSER userid RESUME
    ALTUSER userid PASSWORD(new-password) PHRASE(new-password-phrase)
    Example (incorrect):
    ALTUSER userid PASSWORD(new-password) PHRASE(new-password-phrase)
    ALTUSER userid RESUME

    When you use the correct examples, the revoked user's new password and password phrase are enveloped.
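The following TSO/E REXX exec is an added worked example, not part of the IBM text, that ties the profile setup above to the revoked-user case: it defines one generic profile for both resources with success auditing, excludes a sensitive ID with ACCESS(NONE), resumes and changes a revoked user in a single ALTUSER, and then checks the LISTUSER flags. It assumes the RACFEVNT class is already active and RACLISTed (so a REFRESH is needed after profile changes) and that generic profile checking is on for the class; SYSADM1 and JSMITH are hypothetical user IDs and the password and phrase values are constructed samples.

```rexx
/* REXX: added example, not from the IBM text.                            */
/* Defines one generic RACFEVNT profile for password and password phrase  */
/* enveloping, excludes a sensitive ID, then changes and envelopes the    */
/* password of a revoked user and checks the LISTUSER flags.              */
/* Assumptions: RACFEVNT is active and RACLISTed and generic profile      */
/* checking is on for the class; SYSADM1 and JSMITH are hypothetical IDs. */
parse arg userid .
if userid = '' then userid = 'JSMITH'       /* hypothetical revoked user  */

address TSO

/* UACC(READ) envelopes every user by default. AUDIT(SUCCESS(READ)) logs  */
/* each successful check; failed RACFEVNT checks are never written to SMF, */
/* so success auditing is the only way to keep a history of who is        */
/* enveloped.                                                             */
"RDEFINE RACFEVNT PASS*.ENVELOPE UACC(READ) AUDIT(SUCCESS(READ))"
if rc <> 0 then say 'RDEFINE rc='rc '(profile may already exist)'

/* An explicit NONE entry on the access list overrides UACC for this ID,  */
/* so SYSADM1 is excluded from both password and phrase enveloping.       */
"PERMIT PASS*.ENVELOPE CLASS(RACFEVNT) ID(SYSADM1) ACCESS(NONE)"

/* Profile changes take effect only after the RACLISTed copy is refreshed. */
"SETROPTS RACLIST(RACFEVNT) REFRESH"

/* RESUME on the same ALTUSER makes the RACROUTE REQUEST=VERIFY issued    */
/* during envelope processing succeed. A RESUME issued afterwards would   */
/* leave the new password and phrase un-enveloped. The credential values  */
/* here are constructed samples; do not hard-code real ones in an exec.   */
"ALTUSER" userid "PASSWORD(T3mp0ral) PHRASE('rotate me before first logon') RESUME"
if rc <> 0 then do
  say 'ALTUSER failed, rc='rc
  exit rc
end

/* Check the result: LISTUSER shows the envelope flags, never the values. */
x = OUTTRAP('line.')
"LISTUSER" userid
x = OUTTRAP('OFF')
pw = 0
ph = 0
do i = 1 to line.0
  if pos('PASSWORD ENVELOPED=YES', line.i) > 0 then pw = 1
  if pos('PHRASE ENVELOPED=YES', line.i) > 0 then ph = 1
end
if pw & ph then say userid 'password and password phrase are enveloped'
else say userid 'not fully enveloped (password='pw' phrase='ph'); check REVOKE status and profile access'
exit 0
```

Run it as EX 'your.exec.lib(ENVELOPE)' 'JSMITH' from a user ID with the authority to define RACFEVNT profiles and alter the target user. Because the successful access check is audited, the SMF records written for JSMITH also give you the history of enveloped users that the restriction on failed checks would otherwise leave you without.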





Copyright IBM Corporation 1990, 2014