Hi Jasi,

Was ICHDEX01 implemented to continue to support masked passwords? You will need to identify and convert any masked passwords to DES before activating KDFAES. I recommend you remove the exit before proceeding with KDFAES activation to confirm all masked passwords have been addressed.

User profiles will increase in size with KDFAES encrypted passwords and password phrases. Ensure the RACF database has plenty of free space to handle the increase. Check APAR II14765 for any product incompatibilities or required upgrades. Older versions of CICS (pre-4.2) cannot handle KDFAES. Ensure the caching of RACF ACEEs using the IRRACEE class in VLF has been activated.

After activating KDFAES, convert the passwords of all but a few SPECIAL users to KDFAES using ALTUSER PWCONVERT commands and verify the converted passwords work. Best to do this with the backup database offline. If all goes well, use IRRUT200 to copy/activate the primary database to the backup. By doing this, there's no need to force everyone to change their passwords.

I wouldn't bother with copying the database to a test system. Do this on the system where the database resides during a system maintenance period.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.comm

-----Original Message-----
Date: Fri, 25 Apr 2025 19:11:31 +0000
From: Jasi Grewal <[email protected]>
Subject: Enabling the KDFAES encryption algorithm for the RACF Database

Greetings,

We are planning to migrate to the KDFAES encryption algorithm for the RACF database and would like to know if you have followed a similar process. Please review the steps below and confirm if our assumptions are correct regarding the migration to KDFAES standards, or if we are missing any steps:

- Request all teams to initiate the SMPE Fix Category using the following, and apply it to their respective products such as DB2, IMS, and CICS: IBM.Function.RACF.PasswordEncryption
- Request application programmers to verify their application programs for any RACROUTE statements using TYPE=ENCRYPT or TYPE=EXTRACT.
- Review RACF exits, especially ICHDEX01.
- Enable the CPACF HMC feature.
- Make a copy of your current RACF database.
- Activate this copy on a test system.
- On the test system, activate KDFAES with the command: SETR PASSWORD(ALGORITHM(KDFAES))
- If we experience issues, deactivate it using: SETR PASSWORD(NOALGORITHM)

Concern: We would like to better understand the impact of the following IBM recommendation and explore ways to minimize disruption: "Perform a bulk password change, notifying users of their pending new password."

Additionally, please ensure the following actions are taken:

- Activate KDFAES on the test system.
- Remove ICHDEX01 if it is currently installed in your system.

Looking forward to your feedback and confirmation.

Thank you in advance,
Best regards,
Jasi Grewal.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
