Thank you, Bob, Rex, and Jack, for your response and feedback.

Best Regards,
Jasi Grewal.

-----

Jack,

The drawback to that approach is that all the pre-existing passwords in the database - current, history, and non-expiring - are still in DES encrypted format and remain at risk of a brute force password cracking attack. In all the KDFAES implementation projects we've done, we have used ALTUSER PWCONVERT to immediately convert all passwords to KDFAES encryption. This does not, however, convert password phrases. The fallback is to activate the IRRUT200 backup that should have been taken immediately prior to this event, which we've never had to do.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-----Original Message-----
Date: Sun, 27 Apr 2025 22:34:54 +0100
From: Jack Zukt <[email protected]>
Subject: Re: Enabling the KDFAES encryption algorithm for the RACF Database

Hi,

We have implemented it for a while now. Activated KDFAES with the SETR command and password expiration did the rest.

Regards,
Jack

On Fri, Apr 25, 2025, 20:12 Jasi Grewal <[email protected]> wrote:
> Greetings,
>
> We are planning to migrate to the KDFAES encryption algorithm for the RACF
> database and would like to know if you have followed a similar process.
> Please review the steps below and confirm if our assumptions are correct
> regarding the migration to KDFAES standards, or if we are missing any steps:
>
> - Request all teams to initiate the SMP/E Fix Category using the following,
>   and apply it to their respective products such as DB2, IMS, and CICS:
>   IBM.Function.RACF.PasswordEncryption
>
> - Request application programmers to verify their application programs for
>   any RACROUTE statements using TYPE=ENCRYPT or TYPE=EXTRACT.
>
> - Review RACF exits, especially ICHDEX01.
>
> - Enable the CPACF HMC feature.
>
> - Make a copy of your current RACF database.
>
> - Activate this copy on a test system.
>
> - On the test system, activate KDFAES with the command:
>   SETR PASSWORD(ALGORITHM(KDFAES))
>
> - If we experience issues, deactivate it using:
>   SETR PASSWORD(NOALGORITHM)
>
> Concern:
> We would like to better understand the impact of the following IBM
> recommendation and explore ways to minimize disruption:
>
> “Perform a bulk password change, notifying users of their pending new
> password.”
>
> Additionally, please ensure the following actions are taken:
>
> - Activate KDFAES on the test system.
>
> - Remove ICHDEX01 if it is currently installed in your system.
>
> Looking forward to your feedback and confirmation.
>
> Thank You in advance,
> Best regards,
> Jasi Grewal.
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
> ----------------------------------------------------------------------
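As an added example that is not from the thread or any of its participants, the following Python script supports the migration step that asks application programmers to check their programs for RACROUTE statements using TYPE=ENCRYPT or TYPE=EXTRACT: it scans HLASM source, joins column-72 continuation lines (continued operand text starting in column 16), skips comment statements, and reports the line number and TYPE value of each flagged call. The sample source, its operand values and the `_cont` helper are constructed for this example; code generated by other macros or pulled in from copybooks is outside what a plain source scan can see.

```python
import re

FLAGGED_TYPES = {"ENCRYPT", "EXTRACT"}
TYPE_RE = re.compile(r"(?:^|,)TYPE=([A-Z]+)")  # at operand start or after a comma only

def logical_statements(lines):
    """Yield (line_no, first_line, [continuation operand text]) per HLASM statement:
    columns 1-71 hold the statement, a non-blank column 72 flags continuation."""
    cur = None
    for no, raw in enumerate(lines, 1):
        line = raw.rstrip("\n").ljust(72)
        body, cont = line[:71], line[71] != " "
        if cur is None:
            cur = (no, body, [])
        else:                                   # continued operand text from column 16; remarks dropped
            piece = body[15:].split(None, 1)
            cur[2].append(piece[0] if piece else "")
        if not cont:
            yield cur
            cur = None
    if cur is not None:                         # continuation flag set on the final line
        yield cur

def find_flagged_racroutes(source_text):
    """Return [(line_no, TYPE value)] for RACROUTE calls whose TYPE= is ENCRYPT or EXTRACT."""
    hits = []
    for no, first, conts in logical_statements(source_text.splitlines()):
        if first.startswith(("*", ".*")):       # comment statements
            continue
        tokens = first.split()
        if first[0] != " ":                     # label present in column 1
            tokens = tokens[1:]
        if len(tokens) < 2 or tokens[0] != "RACROUTE":
            continue
        m = TYPE_RE.search(tokens[1] + "".join(conts))
        if m and m.group(1) in FLAGGED_TYPES:
            hits.append((no, m.group(1)))
    return hits

_cont = lambda text: text.ljust(71) + "X"       # place the continuation flag in column 72
# Constructed sample source, not a real program; the second call puts TYPE= on its continuation line
SAMPLE_SOURCE = "\n".join([
    "*        RACROUTE REQUEST=EXTRACT,TYPE=ENCRYPT  comment, ignored",
    _cont("         RACROUTE REQUEST=AUTH,CLASS='DATASET',ATTR=READ,"),
    "               ENTITY=DSN,WORKA=RACWK,MF=(E,RLIST)",
    _cont("         RACROUTE REQUEST=EXTRACT,"),
    "               TYPE=ENCRYPT,ENCRYPT=(PWD,DES),WORKA=RACWK,MF=(E,RLIST)",
    _cont("CHK      RACROUTE REQUEST=EXTRACT,TYPE=EXTRACT,CLASS='USER',"),
    "               ENTITY=USRID,FIELDS=FLDS,WORKA=RACWK,MF=(E,RLIST)",
])
```

Running `find_flagged_racroutes(SAMPLE_SOURCE)` reports the calls at sample lines 4 and 6 and ignores both the comment line and the REQUEST=AUTH call.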
