On Sun, 9 Mar 2008 22:04:16 +0100, Wolfgang Schäfer <[EMAIL PROTECTED]> wrote:

>I tried to run the 'sample' IBM password copy utility (PWDCOPY on the IBM
>RACF website) on z/OS 1.7 and z/OS 1.8.
>The tool runs without errors, but the copied password could
>not be used. Has anyone recently used this tool? Or has someone used an
>alternative to copy passwords between RACF databases or users?
>
>In my case, userids are going to be renamed. Since this will be done using
>'big bang' it's not a good idea to give everyone a new password;
>transporting the old password would be a great help.
>
>I'd really like to use something 'proven' before I start to twiddle around
>with RACROUTE EXTRACT requests :-)
First, as the PWDCOPY web page states, you should use RACF-L for any questions/comments about it.

However, assuming you've configured your system to use DES encryption for RACF (the default), the other folks who responded here are correct: you cannot use PWDCOPY to extract passwords if you're renaming the user ID. Nothing else will work if you're renaming, either, including RACROUTE REQUEST=EXTRACT, as RACF does not save the password, but rather saves an encrypted copy of the user ID. If the user ID changes, the encrypted value will never match.

Your only choices:

(1) Assign a new password to each renamed user.

(2) Over time, capture the users' passwords in a form you can decrypt. Then, once you have them all captured (which will take a while), rename the IDs and apply the passwords to the new IDs.

You can accomplish approach 2 safely and securely using RACF password enveloping. However, you'll have to write some code to do it. This approach would have RACF store a cryptographically secure, decryptable copy of each user's password as the user changes it. Then, after all the users have changed their passwords, you can extract those saved passwords, decrypt them, and apply them to the new user IDs via RACROUTE REQUEST=VERIFY or, more easily, via ICHEINTY. As you have to wait for the users to change their passwords, this will take a while. You could, of course, enable the enveloping now, and then use the time while you're waiting for them to change their passwords to write your programs :-)

An alternative implementation for approach 2: capture the passwords as users log on and store them somewhere. This may be simpler than using password enveloping, but is almost certainly less secure.

For any further discussion on these approaches I suggest using RACF-L.
--
Walt Farrell, CISSP
IBM STSM, z/OS Security Design

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
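Added illustration, not part of the thread and not IBM code: a toy model of the point Walt makes (the stored RACF value is the user ID encrypted under a password-derived key, so it is bound to the user ID and a copied value never verifies for a renamed ID) and of his approach 2 (capture a decryptable copy at password-change time, then set the password afresh on the new ID). Assumptions: DES is replaced by HMAC-SHA256 truncated to 8 bytes because the Python standard library has no DES, and real password enveloping (PKCS#7 under an X.509 recovery key) is replaced by an HMAC-derived one-time keystream; the names `RacfDb`, `Envelope`, `racf_style_hash` and the user IDs `WOLFG`/`WSCHAEF` are made up for the example. The structural behaviour, not the cipher, is what the example shows.

```python
import hashlib
import hmac
import os


def _pad8(s: str) -> bytes:
    """RACF user IDs and passwords: 1-8 chars, upper case, blank padded,
    EBCDIC (code page 037 here, as on z/OS)."""
    s = s.upper()
    if not 1 <= len(s) <= 8:
        raise ValueError("RACF user IDs/passwords are 1 to 8 characters")
    return s.ljust(8).encode("cp037")


def racf_style_hash(userid: str, password: str) -> bytes:
    """Stand-in for RACF's DES scheme DES_{key(password)}(userid): the password
    is the KEY, the user ID is the DATA, so nothing password-only is stored.
    Assumption: DES modelled by HMAC-SHA256 truncated to 8 bytes."""
    return hmac.new(_pad8(password), _pad8(userid), hashlib.sha256).digest()[:8]


def verify(stored: bytes, userid: str, password: str) -> bool:
    return hmac.compare_digest(stored, racf_style_hash(userid, password))


class Envelope:
    """Toy stand-in for RACF password enveloping: at password-change time a
    decryptable copy is sealed under a recovery key held only by the migration
    job. Assumption: a one-time keystream HMAC(recovery_key, nonce) XORed over
    the padded password replaces the real PKCS#7/X.509 envelope."""

    def __init__(self, recovery_key: bytes):
        self._key = recovery_key

    def _keystream(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce, hashlib.sha256).digest()[:8]

    def seal(self, password: str) -> tuple:
        nonce = os.urandom(16)  # fresh per seal, so the keystream is never reused
        ct = bytes(a ^ b for a, b in zip(_pad8(password), self._keystream(nonce)))
        return nonce, ct

    def open(self, nonce: bytes, ct: bytes) -> str:
        pw = bytes(a ^ b for a, b in zip(ct, self._keystream(nonce)))
        return pw.decode("cp037").rstrip()


class RacfDb:
    """Minimal model of a RACF database: per user ID, the password hash and,
    when enveloping is enabled, the sealed password."""

    def __init__(self, envelope: Envelope = None):
        self.envelope = envelope
        self.users = {}

    def set_password(self, userid: str, password: str) -> None:
        rec = {"hash": racf_style_hash(userid, password), "env": None}
        if self.envelope is not None:
            rec["env"] = self.envelope.seal(password)
        self.users[userid] = rec

    def logon(self, userid: str, password: str) -> bool:
        rec = self.users.get(userid)
        return rec is not None and verify(rec["hash"], userid, password)

    def rename_copying_hash(self, old: str, new: str) -> None:
        """What does NOT work: move the stored value to the new ID unchanged."""
        self.users[new] = {"hash": self.users.pop(old)["hash"], "env": None}

    def rename_via_envelope(self, old: str, new: str) -> bool:
        """Approach 2: decrypt the enveloped password and set it afresh on the
        new ID, which re-encrypts it under the new user ID. Returns False when
        the user never changed the password after enveloping was enabled."""
        rec = self.users.pop(old)
        if rec["env"] is None:
            self.users[old] = rec  # keep the old ID; this user needs a new password
            return False
        nonce, ct = rec["env"]
        self.set_password(new, self.envelope.open(nonce, ct))
        return True


def demo() -> dict:
    """Constructed scenario: WOLFG is renamed to WSCHAEF, password SECRET1."""
    db = RacfDb()
    db.set_password("WOLFG", "SECRET1")
    db.rename_copying_hash("WOLFG", "WSCHAEF")
    copy_works = db.logon("WSCHAEF", "SECRET1")

    db = RacfDb(Envelope(os.urandom(32)))
    db.set_password("WOLFG", "SECRET1")  # password change after enveloping is on
    envelope_works = db.rename_via_envelope("WOLFG", "WSCHAEF") and db.logon("WSCHAEF", "SECRET1")

    db2 = RacfDb()
    db2.set_password("OLDUSER", "PW1")      # set before enveloping existed
    db2.envelope = Envelope(os.urandom(32))  # enveloping enabled afterwards
    needs_new_pw = not db2.rename_via_envelope("OLDUSER", "NEWUSER")

    return {"copy_works": copy_works, "envelope_works": envelope_works,
            "unchanged_user_needs_new_password": needs_new_pw}


if __name__ == "__main__":
    print(demo())
```

The third case in `demo()` is the caveat in the reply: a user who has not changed the password since enveloping was switched on has nothing to decrypt, so that ID still ends up under choice (1), a freshly assigned password.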

