Accommodate the removal of default passwords on RACF commands
Description
As of z/OS V2R2, the RACF commands ADDUSER, ALTUSER, and PASSWORD no longer set a default password for the target user ID. In previous releases, these commands used the user's default group name as the password by default.
Specifically, the commands are changed as follows to remove the generation of default passwords:
- Command ADDUSER defaults to PROTECTED when no password or phrase is specified.
- Commands ADDUSER, ALTUSER, and PASSWORD no longer set a default password for the target user ID.
Table 1 summarizes the new RACF command behavior in z/OS V2R2.
Command | Condition | New behavior with z/OS V2R2 with APAR OA48667 applied |
---|---|---|
ADDUSER user | PASSWORD keyword is omitted. | The user is defined as a PROTECTED user, unless a PHRASE or OIDCARD value is specified. Also, message ICH01024I is issued, stating that the user is defined as PROTECTED. |
ADDUSER user PASSWORD | PASSWORD keyword is specified, but its value is omitted. | PASSWORD keyword is ignored with message ICH01025I and the user ID is defined as PROTECTED. |
ALTUSER user PASSWORD | PASSWORD keyword is specified, but its value is omitted. | PASSWORD keyword is ignored with message ICH21045I. |
PASSWORD USER(user) | INTERVAL\|NOINTERVAL keyword is omitted. | USER keyword is ignored and message ICH08027I is issued. |
Notes:
- As in previous releases, when a new RACF database is initialized through the IRRMIN00 utility, the IBMUSER user ID is created with a password value of 'SYS1'.
- In previous releases, if the ADDUSER command was issued without the PASSWORD keyword:
  - RACF common command exit (IRREVX01) received the ADDUSER command with the PASSWORD keyword, but without a value for PASSWORD. As of z/OS V2R2, the PASSWORD keyword is not passed to the exit.
  - Type 80 record for the ALTUSER event code indicated that the PASSWORD keyword was specified. As of z/OS V2R2, the Type 80 record no longer indicates that the PASSWORD keyword was specified.
Table 2 provides more details about this migration action. Use this information to plan your changes to the system.
Element or feature: | Security Server. |
---|---|
When change was introduced: | z/OS V2R2 with APAR OA48667 applied. |
Applies to migration from: | z/OS V2R1 and z/OS V1R13 (with APAR OA48667 applied or without APAR OA47396 applied). |
Timing: | Before installing z/OS® V2R2. |
Is the migration action required? | Yes, if you rely on RACF to create a default password. |
Target system hardware requirements: | None. |
Target system software requirements: | None. |
Other system (coexistence or fallback) requirements: | None. |
Restrictions: | None. |
System impacts: | None. |
Related IBM® Health Checker for z/OS check: | None. |
Steps to take
Follow these steps:
- Identify any programs or jobs that issue RACF commands with the
following conditions:
- ADDUSER command that does not specify the PASSWORD keyword.
- ADDUSER and ALTUSER commands that specify the PASSWORD keyword, but omit an explicit password value.
- Programs that call the ADMN_RUN_COMD function of the R_admin SAF callable service (IRRSEQ00) on the ADDUSER, ALTUSER, or PASSWORD commands, as described here.
- Programs that call the ADMN_ADD_USER or ADMN_ALT_USER functions of the R_admin SAF callable service (IRRSEQ00) with input parameter lists that are functionally equivalent to the ADDUSER, ALTUSER, or PASSWORD commands, as described here.
- Depending on the condition listed above, either remove the command, change it to one that specifies an explicit password value, or leave it as-is and tolerate the change of behavior, as appropriate.
Example: Before z/OS V2R2, the following ALTUSER command would reset the password for user BECKYH to the user's default group name: ALTUSER BECKYH PASSWORD. In z/OS V2R2 with OA48667 applied, the PASSWORD operand is ignored. To reset a password, you must provide a temporary password explicitly: ALTUSER BECKYH PASSWORD(TEMP1234).
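As an added example (not part of the IBM documentation), the following Python script applies the Table 1 conditions to a batch of RACF commands, such as a SYSTSIN stream or a CLIST extracted from JCL, so that the commands affected by OA48667 can be listed during the identification step. It assumes the TSO line-continuation convention (trailing - or +) and the command abbreviations AU, ALU and PW; the sample command stream is constructed.

```python
import re

# One keyword with its optional parenthesised value, e.g. PASSWORD(TEMP1234) or NAME('Becky H').
_TOKEN = re.compile(r"[^\s()]+(?:\([^)]*\))?")

def join_continuations(text):
    """Join TSO-style continued lines (trailing '-' or '+') into one command per list entry."""
    commands, buf = [], ""
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.endswith(("-", "+")):
            buf += line[:-1].rstrip() + " "
        else:
            commands.append(buf + line)
            buf = ""
    return commands

def classify_command(command):
    """Return the Table 1 message ID that z/OS V2R2 would issue for this command, or None."""
    tokens = _TOKEN.findall(command)
    verb = tokens[0].upper() if tokens else ""
    keywords = {t.upper().split("(")[0] for t in tokens[1:]}  # keyword names, values stripped
    bare = {t.upper() for t in tokens[1:] if "(" not in t}    # keywords given without a value
    if verb in ("ADDUSER", "AU"):
        if "PASSWORD" in bare:                    # PASSWORD keyword without a value
            return "ICH01025I"
        if "PASSWORD" not in keywords and not keywords & {"PHRASE", "OIDCARD"}:
            return "ICH01024I"                    # user is defined as PROTECTED
    elif verb in ("ALTUSER", "ALU") and "PASSWORD" in bare:
        return "ICH21045I"                        # PASSWORD keyword ignored
    elif verb in ("PASSWORD", "PW") and "USER" in keywords and not keywords & {"INTERVAL", "NOINTERVAL"}:
        return "ICH08027I"                        # USER keyword ignored
    return None                                   # behaviour unchanged by OA48667

def scan(text):
    """Return (command, message ID) pairs for every command whose behaviour changes."""
    classified = ((c, classify_command(c)) for c in join_continuations(text))
    return [(c, msg) for c, msg in classified if msg]

# Constructed sample command stream; only the first four commands are affected.
SAMPLE_COMMANDS = """\
ADDUSER BECKYH NAME('Becky H') DFLTGRP(SYS1) OWNER(SYS1)
ADDUSER JOEK PASSWORD -
        OWNER(SYS1)
ALTUSER BECKYH PASSWORD
PASSWORD USER(BECKYH)
ADDUSER CAROLT PHRASE('a long pass phrase')
ALTUSER BECKYH PASSWORD(TEMP1234)
PASSWORD USER(BECKYH) INTERVAL(30)
"""
```

Running scan(SAMPLE_COMMANDS) reports the four affected commands with their message IDs; the R_admin ADMN_RUN_COMD case can be covered by feeding the command strings the program builds through the same classifier.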
Reference information
For more information, see z/OS Security Server RACF Command Language Reference.