Evaluate your use of the ICHDEX01 exit routine

Description

Starting in z/OS V2R2, RACF no longer falls back by default to the masking algorithm (a weak form of encryption) to authenticate passwords and password phrases when the initial DES attempt fails. To continue using masking, which is not recommended, your installation must supply an ICHDEX01 (password authentication) exit routine. If no ICHDEX01 exit routine exists, RACF now uses only DES encryption for authentication.

The Key Derivation Function with AES (KDFAES) algorithm is the preferred method for authenticating passwords and password phrases. If your installation does not use KDFAES encryption, RACF performs authentication by using the DES algorithm, unless you supply an ICHDEX01 exit routine. In the ICHDEX01 exit routine, your installation can provide an encryption algorithm, or instruct RACF to use one of the following forms of authentication:
Return code 4
Use the masking algorithm.
Return code 8
Use the DES algorithm.
Return code 16
Attempt to use DES first. If DES processing fails, use masking. This was the default behavior before z/OS V2R2 if no ICHDEX01 exit routine was installed.

When the KDFAES algorithm is active, masking is never used, so no migration action is needed. RACF still calls ICHDEX01 to evaluate a legacy (not yet KDFAES-encrypted) password, but no longer honors a return code that requests masking. After a password is changed under KDFAES, the ICHDEX01 exit is no longer called for that password.

If your installation uses KDFAES encryption, it is recommended that you remove the ICHDEX01 exit routine if it is no longer needed. For example, if the exit routine was used previously only to always return code 8 (DES only), you can achieve the same result in z/OS V2R2 by removing the exit routine.

If your installation uses DES encryption, and you suspect there might be masked passwords in your RACF database, and you need to avoid any application outages that would result from the change in the default behavior, you must install an ICHDEX01 exit that sets return code 16. IBM recommends, however, that you attempt to identify such passwords and change them so that they are encrypted using DES.

Table 1 provides more details about this migration action. Use this information to plan your changes to the system.

Table 1. Information about this migration action
Element or feature: Security Server.
When change was introduced: z/OS V2R2.
Applies to migration from: z/OS V2R1 and z/OS V1R13.
Timing: Before the first IPL of z/OS V2R2.
Is the migration action required? Yes, if you have masked passwords in the RACF database.
Target system hardware requirements: None.
Target system software requirements: None.
Other system (coexistence or fallback) requirements: None.
Restrictions: None.
System impacts: None.
Related IBM® Health Checker for z/OS® check: The health check RACF_ENCRYPTION_ALGORITHM (provided in APAR OA45608) raises an exception if weaker (less secure than DES) encryption is allowed for logon passwords.

Steps to take

Check for the existence of the ICHDEX01 exit routine in your RACF configuration. If it is present, determine whether you still need it. If not, remove it.

Follow these steps:
  1. Check for the existence of the ICHDEX01 exit routine in your RACF configuration. During IPL, message ICH508I identifies the active exits. Check the message output for the presence of an ICHDEX01 exit routine. Or, run health check RACF_ENCRYPTION_ALGORITHM, which can detect return codes from an active ICHDEX01 exit routine.
  2. If an ICHDEX01 exit routine is present, determine whether you still need it. Be aware that the masking algorithm provides weaker protection, as compared to KDFAES or DES.
  3. Remove the exit routine if it is no longer needed. As an extra precaution, check for user profiles with old password change dates, which might indicate masked passwords. In these cases, you should either reset the password or delete it, rather than using the ICHDEX01 exit to preserve the usage of weak passwords. Use the RACF LISTUSER command to determine when passwords were last updated.
    Otherwise, if your installation uses DES encryption, and you suspect there might be masked passwords in your RACF database, and you need to avoid any application outages that would result from the change in the default behavior, you must install an ICHDEX01 exit routine that sets return code 16, which mimics the pre-V2R2 default behavior (DES first, then masking). Here is an example of the exit code that you can use:
    ICHDEX01 CSECT
             LA    15,16          Set return code 16: try DES first, then masking
             BR    14             Return to RACF
             END
Note: IBM recommends that you use KDFAES encryption, rather than DES encryption or masking. KDFAES provides improved cryptographic strength in RACF password algorithm processing, and helps to protect RACF password data if a copy of a RACF database becomes inadvertently accessible. KDFAES encryption was introduced by APAR OA43999 for z/OS V1R12, V1R13, and V2R1, and it is deactivated by default.
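As an added example (not from this IBM page or from RACF itself) of how an administrator might work through steps 1 and 3 offline, the following Python script checks a captured ICH508I message line for an active ICHDEX01 exit and scans captured LISTUSER output for password change dates older than a chosen cutoff. The sample LISTUSER and ICH508I text is constructed for the example, the exact ICH508I wording is assumed, and the YY.DDD century window is an assumption.

```python
import re
from datetime import date, timedelta

# Constructed LISTUSER output (not real user data); PASSDATE=YY.DDD layout
# follows the LISTUSER display format.
SAMPLE_LISTUSER = """\
USER=IBMUSER  NAME=UNKNOWN              OWNER=IBMUSER   CREATED=85.097
 DEFAULT-GROUP=SYS1     PASSDATE=11.045 PASS-INTERVAL= 30 PHRASEDATE=N/A
USER=APPBAT1  NAME=BATCH APP            OWNER=SYS1      CREATED=12.200
 DEFAULT-GROUP=APPS     PASSDATE=N/A    PASS-INTERVAL= 30 PHRASEDATE=N/A
USER=JSMITH   NAME=J SMITH              OWNER=SYS1      CREATED=13.010
 DEFAULT-GROUP=USERS    PASSDATE=16.120 PASS-INTERVAL= 30 PHRASEDATE=16.120
USER=OLDSVC   NAME=LEGACY SERVICE       OWNER=SYS1      CREATED=99.300
 DEFAULT-GROUP=SVC      PASSDATE=00.000 PASS-INTERVAL= 30 PHRASEDATE=N/A
"""
# Constructed IPL message; the "ICH508I ACTIVE RACF EXITS:" text with a
# comma-separated exit list is assumed for this example.
SAMPLE_ICH508I = "ICH508I ACTIVE RACF EXITS: ICHRIX02, ICHDEX01"


def racf_date(yy_ddd):
    """YY.DDD Julian date -> date. N/A (no password) and 00.000 (expired,
    age unknown) give None. Century window YY>=70 -> 19YY is assumed."""
    if yy_ddd in ("N/A", "00.000"):
        return None
    yy, ddd = (int(p) for p in yy_ddd.split("."))
    year = 1900 + yy if yy >= 70 else 2000 + yy
    return date(year, 1, 1) + timedelta(days=ddd - 1)


def suspect_users(listuser_text, cutoff):
    """(user, passdate) pairs whose password predates cutoff or whose age
    is unknown (00.000); users with no password (N/A) are skipped."""
    results, current = [], None
    for line in listuser_text.splitlines():
        m = re.match(r"USER=(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.search(r"PASSDATE=(\S+)", line)
        if m and current and m.group(1) != "N/A":
            d = racf_date(m.group(1))
            if d is None or d < cutoff:
                results.append((current, d))
    return results


def ichdex01_active(ich508i_line):
    """True if ICHDEX01 is named in the ICH508I active-exit list."""
    _, _, exits = ich508i_line.partition("ACTIVE RACF EXITS:")
    return "ICHDEX01" in [e.strip() for e in exits.split(",")]
```

Run suspect_users against real LISTUSER output with a cutoff set to the date from which you are confident masking was no longer in use; every user it returns is a candidate for a password reset rather than for keeping the exit.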

Reference information

For more information, see z/OS Security Server RACF System Programmer's Guide.