Perhaps one of the RACF folks can comment on what I am about to say... I thought that there was a change to allow RACF to be able to extract the password now (which would allow RACF to play better with LDAP repositories, etc.).
Although if you:

* have the db
* know the location of the password(s)
* have a known ID on the system

then you might stand a better chance of reversing your way out of the encrypted value.

Letting your security database out would generally come under the "big no no" category, which I understand is the key to the claim of the Penetration Testing Manager. But if you take simple steps like keeping people from read access to your database... seems like such an easy prevention step... oh, and things like keeping APF authorization down to a controlled level.

We do exist on a platform with good controls... however, it does require that we use them.

Rob Schramm
Sirius Computer Solutions

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

