On 2016-09-01 at 19:52, Tony Harminc wrote:
> On 31 August 2016 at 17:12, R.S. <[email protected]> wrote:
>> I installed an exit from RACF downloads page.
>> I'm trying to use rule override.
>> The user TEST1 has READ access to CL(FACILITY) IRR.ICHPWX01.OVERRIDE
>> Changes were refreshed.
>> However during TSO logon the new password is rejected.
>> The password is compliant with the SETR rules.
>
> The documentation for the RACF REXX ICHPWXn1 package says this:
>
> "The ICHPWX01 sample is written so that by default, any AXREXX failure
> results in an exit failure, because we can’t be sure your password
> policy has been met, and the password change is rejected.
> To address such a situation, if an AXREXX error is encountered when
> trying to invoke the REXX exec, an override mechanism is checked."
>
> I have not used this facility, but it sounds as though
> IRR.ICHPWX01.OVERRIDE is checked only if there was a failure in
> invoking the REXX component. If there is no failure, but the REXX
> rejects the password, then you are out of luck.
>
> In any case, I think it is a mistake to call this "rule override".
> Regardless of the programming language(s), there is no way for an
> ICHPWX01 exit to accept a password that the RACF rules have failed. In
> the case of rule failure the exit will not even be called. There are
> ways for a program that accepts logon-with-password-change (e.g. TSO,
> CICS, UNIX, your own authorized app) to avoid rule checking, but there
> is no straightforward way for you to externally force an existing
> program to do this.

That would explain the issue. I don't have problems with either AXR
or the REXX component of the exit.
I should pay more attention to RTFM.

BTW: This is a sandbox environment, but I got a "catch 22". I switched on
"STIG mode", which enables a lot of rules, (AFAIK) including a requirement
for CAPS, mixed, $pecial and Num3r1c. And I have SETR (still) not in
mixed mode. So no password would satisfy both the SETR settings and the exit
rules. Catch 22.
However, this is another story, unrelated to the question I asked.

Regards
--
Radoslaw Skorupka
Lodz, Poland