On 1/5/2006 11:25 AM, [EMAIL PROTECTED] wrote:
Please explain.  The RACF sysprog guide says to put it in LPALIB so
RACF finds it during initialization.

When RACF first implemented DES, and created ICHDEX01, it used to ship a default ICHDEX01 in LPALIB so that installations would by default use the masking algorithm, and could optionally choose to use DES.

Many years ago (RACF 2.1) we changed the default to DES, and moved the exit into LINKLIB so it would NOT be used, and thus everyone would migrate to DES.

We expect that no one should be installing our version of that exit into LPALIB today, and since RACF 2.1 your system programmer should NOT have been applying that usermod. The instructions you show below are for those users who decide to stay with masking, which we do not recommend. They are NOT instructions that you should install the exit.

As documented, in the absence of the exit RACF will use a two-stage approach (DES, then masking) to compare passwords, and will store all new passwords using DES.

        Walt Farrell, CISSP
        z/OS Security Design, IBM


"Installing the Exit Routine

IBM provides an ICHDEX01 exit in SYS1.LINKLIB that causes RACF to use the masking algorithm to authenticate passwords. To use the ICHDEX01 exit that IBM provides, you must activate it by installing it in the link pack area so that RACF finds it during initialization. There are two methods you can use:

 - Use an IEALPAxx member in SYS1.PARMLIB to request that MVS load ICHDEX01 from SYS1.LINKLIB as a temporary extension to the existing link pack area. Modify all your IEASYSxx members to specify that MVS should use this IEALPAxx member. See z/OS MVS Initialization and Tuning Guide for information. See member RACPARM in SYS1.SAMPLIB for a sample IEALPAxx member.

 - Create an SMP/E USERMOD to move ICHDEX01 into LPALIB."

We have a legacy usermod that moves it to LPALIB.  If I do nothing and
it stays in LINKLIB, what action does RACF default to?

Also, we are using masking.  What advantage would we gain using DES?
Are there any gotchas to conversion?  (Please consider that the site is
extremely risk averse.)

Thanks for the info!
-- Bruce


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
