------------------<snip>------------------

Perhaps one of the RACF folks can comment on what I am about to say....

I thought that there was a change to allow RACF to be able to extract the
password now (which would allow RACF to play better with LDAP
repositories, etc.).


That's correct.  But it's a function that the administrator must enable, and
it has controls over who can use it.  It's called password enveloping.  When
it is enabled for a user (USER1), each time that user changes his password RACF
will keep a cryptographically secured, but decryptable, copy of the new
password in the RACF database as well as the normal non-decryptable copy.
The decryptable copy is encrypted using public key technology based on a
digital certificate that the administrator creates and adds to the RACF DB.
Thus the key is unique to that database and not known to anyone.

Via LDAP SDBM interfaces, another user (USER2) can request the password
envelope.  RACF will check that USER2 is allowed to make that request, and
will then locate USER1's password envelope and decrypt the data.  It will
then re-encrypt the password into a PKCS#7 package unique to USER2, using
USER2's public key (from another certificate provided by the administrator),
and via LDAP will send the package to USER2.  USER2 then uses his private
key to decrypt data in the package.

I've simplified a bit, but that's the basic idea.
------------------------<unsnip>-------------------
Correct me if I'm wrong, Walt, but isn't the Kerberos mechanism a lot safer if multiple sign-ons are needed?

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
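A worked version of the enveloping flow described in the quoted reply, as an added example; it is not code from this thread, from IBM or from RACF, and it only models the logic. Assumptions: the RACF database is an in-memory struct; the "PKCS#7 package" is reduced to RSA-OAEP applied directly to the password (a real CMS EnvelopedData wraps a symmetric content key instead, but a password fits in one RSA block); the non-decryptable copy is a SHA-256 stand-in rather than a real password hash; the LDAP SDBM transport is omitted; and USER3 is an invented name for a requester the administrator never authorized. The password value and the keys are constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is a simplified stand-in for the PKCS#7 package in the post: the
// password is RSA-OAEP encrypted straight to the recipient's public key (a
// real CMS EnvelopedData would wrap a symmetric content key instead), so only
// the holder of the matching private key can open it.
type Envelope []byte

func SealEnvelope(pub *rsa.PublicKey, password []byte) (Envelope, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, password, nil)
}

// OpenEnvelope fails when priv does not match the key the envelope was sealed to.
func OpenEnvelope(priv *rsa.PrivateKey, env Envelope) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env, nil)
}

// DB stands in for the RACF database with enveloping enabled (assumption: in-memory maps).
type DB struct {
	envelopeKey *rsa.PrivateKey           // private key of the administrator-created envelope certificate
	oneWay      map[string][32]byte       // the normal non-decryptable copy (SHA-256 stand-in, not a real password hash)
	envelopes   map[string]Envelope       // the decryptable copy, present only when enveloping is on
	retrievers  map[string]*rsa.PublicKey // users allowed to request envelopes, with their certificate's public key
}

// ChangePassword stores both copies of the new password, as the post describes for USER1.
func (db *DB) ChangePassword(user string, password []byte) error {
	env, err := SealEnvelope(&db.envelopeKey.PublicKey, password)
	if err != nil {
		return err
	}
	db.oneWay[user] = sha256.Sum256(append([]byte(user+":"), password...))
	db.envelopes[user] = env
	return nil
}

// RequestEnvelope is the SDBM path: check the requester, open the stored
// envelope with the database key, and re-seal it for the requester only.
func (db *DB) RequestEnvelope(requester, target string) (Envelope, error) {
	pub, ok := db.retrievers[requester]
	if !ok {
		return nil, errors.New(requester + " is not authorized to retrieve password envelopes")
	}
	stored, ok := db.envelopes[target]
	if !ok {
		return nil, errors.New("no envelope stored for " + target)
	}
	password, err := OpenEnvelope(db.envelopeKey, stored)
	if err != nil {
		return nil, err
	}
	return SealEnvelope(pub, password)
}

// Demo runs USER1's password change and USER2's retrieval end to end and returns
// what USER2 recovered. Keys are generated fresh here; no real RACF is involved.
func Demo() (string, error) {
	dbKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	user2Key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	db := &DB{envelopeKey: dbKey, oneWay: map[string][32]byte{}, envelopes: map[string]Envelope{},
		retrievers: map[string]*rsa.PublicKey{"USER2": &user2Key.PublicKey}} // administrator authorizes USER2
	if err := db.ChangePassword("USER1", []byte("s3cret-pass")); err != nil {
		return "", err
	}
	if _, err := db.RequestEnvelope("USER3", "USER1"); err == nil { // USER3 was never authorized
		return "", errors.New("unauthorized requester was served an envelope")
	}
	pkg, err := db.RequestEnvelope("USER2", "USER1")
	if err != nil {
		return "", err
	}
	if _, err := OpenEnvelope(dbKey, pkg); err == nil { // the reply is keyed to USER2, not to the database key
		return "", errors.New("package was not re-keyed to USER2")
	}
	recovered, err := OpenEnvelope(user2Key, pkg)
	return string(recovered), err
}

func main() {
	fmt.Println(Demo())
}
```

The two negative checks in Demo are the points a reviewer would want to see: a requester who is not on the retrievers list gets nothing, and the package handed back is opened only by USER2's private key, so even the database's own envelope key cannot read what went over the wire.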