z/OS Security Server RACF General User's Guide


Automatic password direction

SA23-2298-00

Installations using automatic command direction can optionally use automatic password direction to maintain the synchronization of user passwords and password phrases between the same user IDs on different nodes. Automatic password direction does not require user ID associations. Instead, automatic password direction assumes that the same user IDs on different nodes belong to the same user.

For example, suppose your installation is using automatic password direction and you have the user ID CLAIRE on three different nodes: NODE1, NODE2, and NODE3. When you change your password on NODE1, a password synchronization request is automatically directed to be processed for CLAIRE on NODE2 and CLAIRE on NODE3. You will receive a TSO SEND message on NODE1 telling you whether the password synchronization request completed successfully or unsuccessfully.

In addition, depending on how automatic password direction is set up at your installation, the output from the password synchronization request is either discarded, sent to an administrator, or returned to you and appended in your RRSFLIST user data set. If automatic password direction is set up at your installation so that you receive this output and you do not have an RRSFLIST user data set, RACF® allocates one and adds the results. The RRSFLIST data set name is 'prefix.userid.RRSFLIST', where prefix is your TSO prefix at the time you changed your password. If prefix matches userid or if you specified PROFILE NOPREFIX via the TSO PROFILE command, the data set name used is 'userid.RRSFLIST'.

You are responsible for maintaining this data set. If your data set becomes full, the output is transmitted to your user ID. In order for RACF to append to your RRSFLIST user data set again, you must edit and delete some of the returned output in this data set.
Note:
  1. If your installation is using automatic password direction, do not establish peer user ID associations with password synchronization enabled between the same user IDs across multiple RRSF nodes. Doing so causes duplicate password synchronization requests. If you are not sure whether your installation is using automatic password direction, contact your RACF security administrator.
  2. You can use peer user ID associations with password synchronization enabled between user IDs that are not the same in environments with automatic password direction, because automatic password direction only synchronizes passwords and password phrases between the same user IDs on multiple RRSF nodes.
  3. Password synchronization and automatic password direction only synchronize passwords and password phrases for user IDs that are not revoked on the target system.

RRSF password synchronization requests run asynchronously; that is, the command issuer does not wait until the command completes processing, and results and output from the commands are returned as specified by the SET AUTOPWD command.

Figure 1 shows the format of output produced by automatic password direction. The format of the output is the same for both your RRSFLIST data set and for the output transmitted when your data set is full.

Figure 1. Automatic password direction: sample output
Password synchronization request issued at 15:03:58 on 02/28/98 was
processed at NODE2.TSOUSER on 02/28/98 at 15:04:00

 Request was propagated by automatic direction from NODE1.TSOUSER

 REQUEST ISSUED: From user TSOUSER at NODE1

 REQUEST OUTPUT:
 IRRC013I Password synchronized successfully for TSOUSER at NODE2 and
 TSOUSER at NODE1.
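
The following Python code is an added example, not part of the IBM documentation: it parses text in the Figure 1 format (for instance a downloaded copy of an RRSFLIST data set) and lists the requests whose output does not begin with IRRC013I. It assumes each record starts with the header line shown in Figure 1 and that any other message ID means the request needs review, since this page shows only the success message; the function names and the second sample record, including its message ID ZZZZ000E, are constructed for illustration.

```python
import re

# Constructed sample: record 1 is Figure 1 from the page; record 2 is made up,
# and ZZZZ000E is a placeholder, not a real RACF message ID.
SAMPLE = """\
Password synchronization request issued at 15:03:58 on 02/28/98 was
processed at NODE2.TSOUSER on 02/28/98 at 15:04:00

 Request was propagated by automatic direction from NODE1.TSOUSER

 REQUEST ISSUED: From user TSOUSER at NODE1

 REQUEST OUTPUT:
 IRRC013I Password synchronized successfully for TSOUSER at NODE2 and
 TSOUSER at NODE1.
Password synchronization request issued at 09:10:11 on 03/01/98 was
processed at NODE3.TSOUSER on 03/01/98 at 09:10:12

 Request was propagated by automatic direction from NODE1.TSOUSER

 REQUEST ISSUED: From user TSOUSER at NODE1

 REQUEST OUTPUT:
 ZZZZ000E Constructed placeholder text for a request that did not succeed.
"""
HEADER = re.compile(r"request issued at (\S+) on (\S+) was\s+"
                    r"processed at ([^.\s]+)\.(\S+) on")
ORIGIN = re.compile(r"propagated by automatic direction from ([^.\s]+)\.(\S+)")
SUCCESS_ID = "IRRC013I"  # the only message ID this page shows

def parse_rrsflist(text):
    """Return one dict per request; a record starts at each header line."""
    records = []
    for chunk in re.split(r"(?m)^(?=Password synchronization request)", text):
        head = HEADER.search(chunk)
        if not head:
            continue
        origin = ORIGIN.search(chunk)
        # Text after "REQUEST OUTPUT:" is the message, possibly wrapped.
        output = " ".join(chunk.partition("REQUEST OUTPUT:")[2].split())
        records.append({"issued": f"{head[2]} {head[1]}", "target_node": head[3],
                        "user": head[4], "origin_node": origin[1] if origin else None,
                        "message_id": output.split(" ", 1)[0] or None,
                        "output": output, "ok": output.startswith(SUCCESS_ID)})
    return records

def needs_review(text):
    """Requests whose output is not the success message (assumption above)."""
    return [r for r in parse_rrsflist(text) if not r["ok"]]
```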





Copyright IBM Corporation 1990, 2014