Lindy Mayfield wrote:

What utility is used to password protect a dataset? That's one thing
I've never seen in over 20 years.

<snip>

I thought at one point that password protection was completely withdrawn
(not only for SMS and VSAM) but I find that it's still in the books.

From the JCL Reference:
12.38.2.3 Password Protection

For an SMS-managed data set (one with an assigned storage class), SMS
sets the password indicators in the VTOC and catalog but ignores the
indicators and does not use password protection for the data set. See
the DD SECMODEL parameter described on page 12.57.

Password protecting data sets requires the following:

* Data set names no longer than 17 characters. MVS retains in the
  tape label only the rightmost 17 characters of the data set name.
  Consequently, longer names could be identical in password checks.
* Volumes with IBM standard labels or ISO/ANSI/FIPS Version 3 labels.
* A password assigned in the PASSWORD data set. If a password is
  not assigned, the system will abnormally terminate a job step when it
  attempts to open the data set for output, if NOPWREAD is coded, or for
  input or output, if PASSWORD is coded.

To create a password-protected data set following an existing
password-protected data set, code the password of the existing data set.
The password must be the same in both the existing and the new data set.

To password-protect a data set on a tape volume containing other data
sets, you must password-protect all the data sets on the volume and the
passwords must be the same for all data sets.

To password-protect an existing data set using PASSWORD or NOPWREAD,
open the data set for output the first time it is used during the job step.

PASSWORD
    Indicates that a data set cannot be read, changed, deleted, or
    written to unless the system operator or TSO/E user supplies the
    correct password.

NOPWREAD
    Indicates that a data set cannot be changed, deleted, or written to
    unless the system operator or TSO/E user supplies the correct password.
    No password is necessary for reading the data set.

From DFSMSdfp Utilities:
IEHPROGM can be used to maintain non-VSAM password entries in the
PASSWORD data set and to alter the protection status of DASD data sets
in the data set control block (DSCB). This topic also explains why data
set passwords provide poor security and why IBM recommends z/OS Security
Server (RACF).

A data set can have one of three types of password protection, as
indicated in the DSCB for DASD data sets and in the tape label for tape
data sets.

The possible types of data set password protection are:

* No protection, which means that no passwords are required to read
  or write the data set.
* Read/write protection, which means that a password is required to
  read or write the data set.
* Read-without-password protection, which means that a password is
  required only to write the data set; the data set can be read without a
  password.

If a system data set is password protected and a problem occurs on the
data set, maintenance personnel must be provided with the password in
order to access the data set and resolve the problem.

A data set can have one or more passwords assigned to it; each password
has an entry in the PASSWORD data set. A password assigned to a data set
can allow read and write access, or only read access to the data set.

Figure 97 shows the relationship between the protection status of data
set ABC and the type of access allowed by the passwords assigned to the
data set. Passwords ABLE and BAKER are assigned to data set ABC. If no
password protection is set in the DSCB or tape label, data set ABC can
be read or written without a password. If read/write protection is set
in the DSCB or tape label, data set ABC can be read with either password
ABLE or BAKER and can be written with password ABLE. If
read-without-password protection is set in the DSCB or tape label, data
set ABC can be read without a password and can be written with password
ABLE; password BAKER is never needed.

Before IEHPROGM is used to maintain data set passwords, the PASSWORD
data set must reside on the system residence volume. IEHPROGM can then
be used to:

* Add an entry to the PASSWORD data set.
* Replace an entry in the PASSWORD data set.
* Delete an entry from the PASSWORD data set.
* Provide a list of information from an entry in the PASSWORD data
  set.

(There's more...but nobody rational uses password protection any more.)
--
John Eells
z/OS Technical Marketing
IBM Poughkeepsie
[EMAIL PROTECTED]
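
Added example (not part of the original post and not IBM code): a small Python model of the rules quoted above, covering the Figure 97 access matrix for data set ABC and the tape-label rule that keeps only the rightmost 17 characters of a name. The function names, the in-memory `ENTRIES` table, and the sample data set names are constructed for illustration; a denied request is modeled as `False` rather than as an abend.

```python
from collections import defaultdict
from enum import Enum

class Protection(Enum):
    NONE = "no protection"
    READ_WRITE = "read/write protection"              # what PASSWORD requests
    READ_WITHOUT_PASSWORD = "read-without-password"   # what NOPWREAD requests

# Constructed stand-in for PASSWORD data set entries, following the Figure 97
# text: ABLE allows read and write, BAKER allows read only.
ENTRIES = {("ABC", "ABLE"): {"read", "write"}, ("ABC", "BAKER"): {"read"}}

# Constructed sample names; the first two differ only in the leading qualifier.
SAMPLE_NAMES = ["PROD.PAYROLL.MASTER.DATA", "TEST.PAYROLL.MASTER.DATA",
                "PROD.LEDGER.DATA"]

def access_allowed(dsname, protection, operation, password=None, entries=ENTRIES):
    """Return True if `operation` ('read' or 'write') would be permitted."""
    if operation not in ("read", "write"):
        raise ValueError(f"unknown operation: {operation}")
    if protection is Protection.NONE:
        return True                      # password indicators are not set
    if protection is Protection.READ_WITHOUT_PASSWORD and operation == "read":
        return True                      # reads never need a password here
    # A password is required; a missing or unknown one grants nothing.
    return operation in entries.get((dsname, password), set())

def tape_label_name(dsname):
    """Name as retained in the tape label: the rightmost 17 characters."""
    return dsname[-17:]

def colliding_names(dsnames):
    """Group data set names that become identical once cut to 17 characters."""
    groups = defaultdict(list)
    for name in dsnames:
        groups[tape_label_name(name)].append(name)
    return {label: names for label, names in groups.items() if len(names) > 1}

if __name__ == "__main__":
    for prot in Protection:
        for op in ("read", "write"):
            row = {pw: access_allowed("ABC", prot, op, pw)
                   for pw in (None, "ABLE", "BAKER")}
            print(f"{prot.value:24} {op:5} {row}")
    print(colliding_names(SAMPLE_NAMES))
```

Running `colliding_names` over a list of tape data set names is a quick way to see which ones a password check could not tell apart.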