RACF_ENCRYPTION_ALGORITHM

Description:
The RACF_ENCRYPTION_ALGORITHM check verifies that the KDFAES algorithm is used for password protection.
Reason for check:
RACF_ENCRYPTION_ALGORITHM allows RACF® to verify that the KDFAES algorithm is used for password protection.
z/OS® releases the check applies to:
z/OS V2R1 and later.
Parameters accepted:
None
User override of IBM values:
The following sample shows the defaults for the customizable values for this check. Use this sample to make permanent check customizations in an HZSPRMxx parmlib member used at IBM Health Checker for z/OS startup. For a one-time update to the check defaults, omit the first line (ADDREPLACE POLICY) and use the UPDATE statement on a MODIFY hzsproc command. Using non-POLICY UPDATEs in HZSPRMxx can lead to unexpected results and is therefore not recommended.
ADDREPLACE POLICY[(policyname)] [STATEMENT(name)]
UPDATE
CHECK(IBMRACF,RACF_ENCRYPTION_ALGORITHM)
ACTIVE
SEVERITY(MED)
DATE('20140131')
REASON('Default values for RACF Encryption Algorithm.')
INTERVAL(24:00)
Debug support:
No
Verbose support:
No
Reference:
See z/OS Security Server RACF System Programmer's Guide and z/OS Security Server RACF Security Administrator's Guide.
Messages:
This check issues the following exception messages:
  • IRRH293E
  • IRRH295E
  • IRRH298E
See z/OS Security Server RACF Messages and Codes.
SECLABEL recommended for multilevel security users:
SYSLOW - see z/OS Planning for Multilevel Security and the Common Criteria for information on using SECLABELs.
Output:
Output when KDFAES is not enabled and ICHDEX01 is not installed:
CHECK(IBMRACF,RACF_ENCRYPTION_ALGORITHM)
START TIME: 01/31/2014 09:44:29.892717
CHECK DATE: 20140131 CHECK SEVERITY: MEDIUM
* Medium Severity Exception *
IRRH293E KDFAES encryption is not enabled on this system.
* Medium Severity Exception *
IRRH295E The RACF_ENCRYPTION_ALGORITHM check has detected an exception.
ICHDEX01 is not in use on
END TIME: 01/31/2014 09:44:29.893680 STATUS: EXCEPTION-MED
Output when KDFAES is enabled and ICHDEX01 is not installed:
CHECK(IBMRACF,RACF_ENCRYPTION_ALGORITHM)
START TIME: 01/31/2014 09:44:29.892717
CHECK DATE: 20140131 CHECK SEVERITY: MEDIUM
IRRH294I KDFAES encryption is enabled on this system. If present, ICHDEX01 is used
only for password
IRRH299I No exceptions are detected.
END TIME: 01/31/2014 09:44:29.893680 STATUS: SUCCESSFUL
Output when KDFAES is enabled and ICHDEX01 is installed:
CHECK(IBMRACF,RACF_ENCRYPTION_ALGORITHM)
START TIME: 01/31/2014 09:44:29.892717
CHECK DATE: 20140131 CHECK SEVERITY: MEDIUM
IRRH294I KDFAES encryption is enabled on this system. If present, ICHDEX01 is used
only for password
IRRH296I ICHDEX01 is in use on this system.
ICHDEX01 Return Codes
Installation  DES      DES      Installation   DES        DES
Only          Only     Only     Only           Only       Only
(RC=00)       (RC=04)  (RC=08)  (RC=12)        (RC=16)    (RC=OTHER)
------------  -------  -------  -------------  ---------  ----------
NO            YES      NO       NO             NO         NO
IRRH299I No exceptions are detected.
END TIME: 01/31/2014 09:44:29.893680 STATUS: SUCCESSFUL
Output when KDFAES is not enabled and ICHDEX01 is installed:
CHECK(IBMRACF,RACF_ENCRYPTION_ALGORITHM)
START TIME: 01/31/2014 09:44:29.892717
CHECK DATE: 20140131 CHECK SEVERITY: MEDIUM
* Medium Severity Exception *
IRRH293E KDFAES encryption is not enabled on this system.
IRRH296I ICHDEX01 is in use on this system.
ICHDEX01 Return Codes
Installation  Mask     DES      Installation   DES then   Other
Only          Only     Only     Only           Mask
(RC=0)        (RC=04)  (RC=08)  (RC=12)        (RC=16)    (RC=OTHER)
------------  -------  -------  -------------  ---------  ----------
NO            NO       YES      NO             NO         NO
IRRH297I ICHDEX01 indicates that only DES encryption is in use.
END TIME: 01/31/2014 09:44:29.893680 STATUS: EXCEPTION-MED
Note: For performance reasons the RACF_ENCRYPTION_ALGORITHM check only detects selected calls made to ICHDEX01. If ICHDEX01 is present and the health check reports that no return codes were set, rerun the check.
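Added example (not part of the IBM documentation): a Python sketch that triages a captured message buffer from this check, pairing the ICHDEX01 return-code table columns with their YES/NO flags and applying the rerun advice from the note above. The function name, result keys and the way the output is collected are assumptions; the sample is a trimmed copy of the last output shown on this page.

```python
import re

# Message IDs as they appear in the check output shown on this page.
KDFAES_OFF, KDFAES_ON, EXIT_IN_USE = "IRRH293E", "IRRH294I", "IRRH296I"

def parse_check_output(text):
    """Summarise one RACF_ENCRYPTION_ALGORITHM message buffer (hypothetical helper)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    msg_ids = [m.group(0) for ln in lines
               if (m := re.match(r"IRRH\d{3}[EI]\b", ln))]
    status = next((m.group(1) for ln in lines
                   if (m := re.search(r"STATUS:\s*(\S+)", ln))), None)
    # The return-code table is a "(RC=..)" header row, a dashed rule,
    # then one YES/NO row; pair header and flags column by column.
    seen_rcs = []
    for i, ln in enumerate(lines):
        codes = re.findall(r"\(RC=(\w+)\)", ln)
        if codes and i + 2 < len(lines):
            flags = lines[i + 2].split()
            if len(flags) == len(codes):
                seen_rcs = [c for c, f in zip(codes, flags) if f == "YES"]
    return {
        "status": status,
        "kdfaes_enabled": (True if KDFAES_ON in msg_ids else
                           False if KDFAES_OFF in msg_ids else None),
        "ichdex01_in_use": EXIT_IN_USE in msg_ids,
        "ichdex01_rcs_seen": seen_rcs,
        "exceptions": [m for m in msg_ids if m.endswith("E")],
        # Per the note above: exit present but no return codes recorded.
        "rerun_check": EXIT_IN_USE in msg_ids and not seen_rcs,
    }

# Sample input: trimmed copy of the last output on this page.
SAMPLE = """\
CHECK(IBMRACF,RACF_ENCRYPTION_ALGORITHM)
CHECK DATE: 20140131 CHECK SEVERITY: MEDIUM
* Medium Severity Exception *
IRRH293E KDFAES encryption is not enabled on this system.
IRRH296I ICHDEX01 is in use on this system.
ICHDEX01 Return Codes
(RC=0) (RC=04) (RC=08) (RC=12) (RC=16) (RC=OTHER)
------------ ------- ------- ------------- --------- ----------
NO NO YES NO NO NO
IRRH297I ICHDEX01 indicates that only DES encryption is in use.
END TIME: 01/31/2014 09:44:29.893680 STATUS: EXCEPTION-MED
"""

if __name__ == "__main__":
    print(parse_check_output(SAMPLE))
```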