Evaluate your use of the ICHDEX01 exit routine
Description
Starting in z/OS V2R2, RACF no longer uses the masking algorithm (a weak form of encryption) by default to authenticate passwords and password phrases when the initial attempt using DES results in failure. To continue the use of masking, which is not recommended, your installation can do so only by using an ICHDEX01 (password authentication) exit routine. If no ICHDEX01 exit routine exists, RACF now uses only DES encryption for authentication.
The return code from the ICHDEX01 exit routine selects the algorithm that RACF uses:
- Return code 4: Use the masking algorithm.
- Return code 8: Use the DES algorithm.
- Return code 16: Attempt to use DES first. If DES processing fails, use masking. This was the default behavior before z/OS V2R2 if no ICHDEX01 exit routine was installed.
When the KDFAES algorithm is active, masking is never used, so no migration action is needed. RACF continues to call ICHDEX01 to evaluate a legacy password, but no longer honors a return code that requests masking. When a password is changed under KDFAES, the ICHDEX01 exit is no longer called for that password.
If your installation uses KDFAES encryption, it is recommended that you remove the ICHDEX01 exit routine, if it is no longer needed. For example, if the exit routine was used previously to always pass return code 8 (DES only), you can achieve the same result in z/OS V2R2 by removing the exit routine.
If your installation uses DES encryption, and you suspect there might be masked passwords in your RACF database, and you need to avoid any application outages that would result from the change in the default behavior, you must install an ICHDEX01 exit that sets return code 16. IBM recommends, however, that you attempt to identify such passwords and change them so that they are encrypted using DES.
Table 1 provides more details about this migration action. Use this information to plan your changes to the system.
| Item | Description |
|---|---|
| Element or feature | Security Server |
| When change was introduced | z/OS V2R2 |
| Applies to migration from | z/OS V2R1 and z/OS V1R13 |
| Timing | Before the first IPL of z/OS V2R2 |
| Is the migration action required? | Yes, if you have masked passwords in the RACF database. |
| Target system hardware requirements | None |
| Target system software requirements | None |
| Other system (coexistence or fallback) requirements | None |
| Restrictions | None |
| System impacts | None |
| Related IBM® Health Checker for z/OS® check | The health check RACF_ENCRYPTION_ALGORITHM (provided in APAR OA45608) raises an exception if weaker (less secure than DES) encryption is allowed for logon passwords. |
Steps to take
Check for the existence of the ICHDEX01 exit routine in your RACF configuration. If it is present, determine whether you still need it. If not, remove it.
- Check for the existence of the ICHDEX01 exit routine in your RACF configuration. During IPL, message ICH508I identifies the active RACF exits. Check the message output for the presence of an ICHDEX01 exit routine. Alternatively, run health check RACF_ENCRYPTION_ALGORITHM, which can detect the return codes from an active ICHDEX01 exit routine.
- If an ICHDEX01 exit routine is present, determine whether you still need it. Be aware that the masking algorithm provides weaker protection, as compared to KDFAES or DES.
- Remove the exit routine if it is no longer needed. As an extra precaution, check for user profiles with old password change dates, which might indicate masked passwords. In these cases, you should either reset the password or delete it, rather than using the ICHDEX01 exit to preserve the usage of weak passwords. Use the RACF LISTUSER command to determine when passwords were last updated. Otherwise, if your installation uses DES encryption, and you suspect there might be masked passwords in your RACF database, and you need to avoid any application outages that would result from the change in the default behavior, you must install an ICHDEX01 exit routine that sets return code 16, which mimics the pre-V2R2 default behavior. Here is an example of the exit code that you can use:

```
ICHDEX01 CSECT
* Return code 16: try DES first and fall back to masking (pre-V2R2 default)
         LA    15,16          Load return code 16 into register 15
         BR    14             Return to RACF
         END
```
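The two checks in the steps above, looking for ICHDEX01 in the ICH508I IPL message and looking for user profiles whose password was last changed before a cutoff date, can be run offline against captured text. The following Python script is an added example and is not part of this IBM page or of RACF itself; the SYSLOG lines, the LISTUSER output, the cutoff date and the two-digit-year windowing rule are constructed or assumed for the example.

```python
"""Added example (not from the IBM page): two offline checks that support
the ICHDEX01 migration steps.

1. ich508i_exits(): read the ICH508I message from a SYSLOG excerpt and report
   which RACF exits were active at IPL, so ichdex01_active() can tell whether
   ICHDEX01 is installed.
2. stale_passdates(): read LISTUSER output and flag users whose PASSDATE is
   older than a chosen cutoff, a heuristic for passwords that may still be
   masked rather than DES or KDFAES encrypted and should be reset or deleted.

All sample input is constructed; message and LISTUSER field layouts are
assumed from their documented formats.
"""
import re
from datetime import date, timedelta

# Constructed SYSLOG excerpt. ICH508I names the RACF exits found at IPL.
SYSLOG_SAMPLE = """\
ICH508I ACTIVE RACF EXITS: ICHDEX01, ICHRIX02, ICHRCX02
IEA371I SYS0.IPLPARM ON DEVICE 0A80 SELECTED FOR IPL PARAMETERS
"""

# Constructed LISTUSER output for three users (field layout assumed).
LISTUSER_SAMPLE = """\
USER=JSMITH  NAME=JOHN SMITH         OWNER=SYS1     CREATED=09.045
 DEFAULT-GROUP=SYS1     PASSDATE=10.112 PASS-INTERVAL= 90 PHRASEDATE=N/A
USER=AJONES  NAME=ALICE JONES        OWNER=SYS1     CREATED=14.200
 DEFAULT-GROUP=SYS1     PASSDATE=15.301 PASS-INTERVAL= 90 PHRASEDATE=N/A
USER=BATCH01 NAME=BATCH SERVICE ID   OWNER=SYS1     CREATED=12.010
 DEFAULT-GROUP=SYS1     PASSDATE=N/A    PASS-INTERVAL= 90 PHRASEDATE=N/A
"""

ICH508I_RE = re.compile(r"ICH508I ACTIVE RACF EXITS:\s*(.*)")
USER_RE = re.compile(r"^USER=(\S+)")
PASSDATE_RE = re.compile(r"PASSDATE=(\S+)")


def ich508i_exits(syslog_text):
    """Return the exit names listed by ICH508I, or [] when the message
    reports NONE or is absent from the excerpt."""
    for line in syslog_text.splitlines():
        m = ICH508I_RE.search(line)
        if m:
            names = [n.strip() for n in m.group(1).split(",") if n.strip()]
            return [] if names == ["NONE"] else names
    return []


def ichdex01_active(syslog_text):
    """True when ICH508I shows an ICHDEX01 exit routine was loaded."""
    return "ICHDEX01" in ich508i_exits(syslog_text)


def parse_racf_date(yyddd):
    """Convert a RACF yy.ddd value (two-digit year, Julian day) to a date.
    Assumption for this example: years 70-99 are 19xx, 00-69 are 20xx.
    Returns None for N/A (no password) and for 00.000, which this example
    treats as 'password expired, no usable change date'."""
    if yyddd in ("N/A", "00.000"):
        return None
    yy, ddd = yyddd.split(".")
    year = 1900 + int(yy) if int(yy) >= 70 else 2000 + int(yy)
    return date(year, 1, 1) + timedelta(days=int(ddd) - 1)


def stale_passdates(listuser_text, cutoff):
    """Return [(userid, last_change_date)] for users whose password was last
    changed before `cutoff`. Users without a usable PASSDATE are skipped,
    since there is no stored password to re-encrypt."""
    stale = []
    current = None
    for line in listuser_text.splitlines():
        m = USER_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = PASSDATE_RE.search(line)
        if m and current:
            changed = parse_racf_date(m.group(1))
            if changed is not None and changed < cutoff:
                stale.append((current, changed))
    return stale


if __name__ == "__main__":
    print("ICHDEX01 active:", ichdex01_active(SYSLOG_SAMPLE))
    # Constructed cutoff: the date this installation stopped using masking.
    for uid, changed in stale_passdates(LISTUSER_SAMPLE, date(2015, 1, 1)):
        print(f"{uid}: password last changed {changed.isoformat()}; reset or delete it")
```

The PASSDATE heuristic only narrows the search: an old change date does not prove a password is masked, and a recent one does not prove it is not, so the result is a candidate list for review, not a verdict. Pair it with the RACF_ENCRYPTION_ALGORITHM health check, which inspects the exit's return code directly.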
Reference information
For more information, see z/OS Security Server RACF System Programmer's Guide.