Re: RACF Tool PWDCOPY (ichwpin/ichpwout)
On Sun, 9 Mar 2008 22:04:16 +0100, Wolfgang Schäfer [EMAIL PROTECTED] wrote:

> I tried to run the 'sample' IBM password copy utility (PWDCOPY on the IBM RACF website) on z/OS 1.7 and z/OS 1.8. The tool runs without errors, but the copied password could not be used. Has anyone recently used this tool? Or has someone used an alternative to copy passwords between RACF databases or users?
>
> In my case, userids are going to be renamed. Since this will be done using 'big bang', it's not a good idea to give everyone a new password; transporting the old password would be a great help. I'd really like to use something 'proven' before I start to twiddle around with RACROUTE EXTRACT requests :-)

First, as the PWDCOPY web page states, you should use RACF-L for any questions/comments about it.

However, assuming you've configured your system to use DES encryption for RACF (the default), the other folks who responded here are correct: you cannot use PWDCOPY to extract passwords if you're renaming the user ID. Nothing else will work if you're renaming, either, including RACROUTE REQUEST=EXTRACT, as RACF does not save the password, but rather saves an encrypted copy of the user ID. If the user ID changes, the encrypted value will never match.

Your only choices:

(1) Assign a new password to each renamed user.

(2) Over time, capture the users' passwords in a form you can decrypt. Then, once you have them all captured (which will take a while), rename the IDs and apply the passwords to the new IDs.

You can accomplish approach 2 safely, and securely, using RACF password enveloping. However, you'll have to write some code to do it. This approach would have RACF store a cryptographically secure decryptable copy of each user's password as the user changes it. Then, after all the users have changed their passwords, you can extract those saved passwords, decrypt them, and apply them to the new user IDs via RACROUTE REQUEST=VERIFY or, more easily, via ICHEINTY.

As you have to wait for the users to change their passwords, this will take a while. You could, of course, enable the enveloping now, and then use the time while you're waiting for them to change their passwords to write your programs :-)

An alternative implementation for approach 2: capture the passwords as users log on and store them somewhere. This may be simpler than using password enveloping, but is almost certainly less secure.

For any further discussion on these approaches I suggest using RACF-L.

--
Walt Farrell, CISSP
IBM STSM, z/OS Security Design

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: RACF Tool PWDCOPY (ichwpin/ichpwout)
Thanks to all who replied. This was very helpful, even if the result turns out not to be what I like.

Regards
Wolfgang Schaefer
RACF Tool PWDCOPY (ichwpin/ichpwout)
Hello group,

I tried to run the 'sample' IBM password copy utility (PWDCOPY on the IBM RACF website) on z/OS 1.7 and z/OS 1.8. The tool runs without errors, but the copied password could not be used. Has anyone recently used this tool? Or has someone used an alternative to copy passwords between RACF databases or users?

In my case, userids are going to be renamed. Since this will be done using 'big bang', it's not a good idea to give everyone a new password; transporting the old password would be a great help. I'd really like to use something 'proven' before I start to twiddle around with RACROUTE EXTRACT requests :-)

Thanks for helping!

Regards
Wolfgang Schaefer

And yes, I tried to subscribe to (and search) RACF-L, but the list server does not reply to me :-( ... so I hope I'll find some help here.
Re: RACF Tool PWDCOPY (ichwpin/ichpwout)
> I tried to run the 'sample' IBM password copy utility (PWDCOPY on the IBM RACF website) on z/OS 1.7 and z/OS 1.8. The tool runs without errors, but the copied password could not be used. Has anyone recently used this tool? Or has someone used an alternative to copy passwords between RACF databases or users?
>
> In my case, userids are going to be renamed. Since this will be done using 'big bang', it's not a good idea to give everyone a new password; transporting the old password would be a great help. I'd really like to use something 'proven' before I start to twiddle around with RACROUTE EXTRACT requests :-)

IIRC, RACF uses a one-way function using the USERID as the key in encrypting the user-supplied password, then compares that result to the password in the database. So if you're trying to copy the password to a different userid, it's not likely to work.
Re: RACF Tool PWDCOPY (ichwpin/ichpwout)
On 9 Mar 2008 14:39:28 -0700, in bit.listserv.ibm-main (Message-ID: [EMAIL PROTECTED]) [EMAIL PROTECTED] (Wolfgang Schäfer) wrote:

> I tried to run the 'sample' IBM password copy utility (PWDCOPY on the IBM RACF website) on z/OS 1.7 and z/OS 1.8. The tool runs without errors, but the copied password could not be used.

[snip]

> In my case, userids are going to be renamed. Since this will be done using 'big bang', it's not a good idea to give everyone a new password; transporting the old password would be a great help. I'd really like to use something 'proven' before I start to twiddle around with RACROUTE EXTRACT requests :-)

1. Are both databases set to use the same encryption technique?

2. My reading of the documentation of the DES encryption is that the password is used as a key to encrypt the userid, and that is the value stored. Obviously, the same password will not encrypt a different userid to the same stored value. If my reading and memory are right, you can't take the password field from one userid and successfully use it for a different userid.

3. RACROUTE EXTRACT to read and write encrypted passwords isn't that difficult. I had written programs to do just that before PWDCOPY was available.

--
I cannot receive mail at the address this was sent from. To reply directly, send to ar23hur at intergate dot com
Re: RACF Tool PWDCOPY (ichwpin/ichpwout)
Wolfgang Schäfer wrote:

> Hello group,
>
> I tried to run the 'sample' IBM password copy utility (PWDCOPY on the IBM RACF website) on z/OS 1.7 and z/OS 1.8. The tool runs without errors, but the copied password could not be used. Has anyone recently used this tool? Or has someone used an alternative to copy passwords between RACF databases or users?
>
> In my case, userids are going to be renamed. Since this will be done using 'big bang', it's not a good idea to give everyone a new password; transporting the old password would be a great help. I'd really like to use something 'proven' before I start to twiddle around with RACROUTE EXTRACT requests :-)
>
> Thanks for helping!
>
> Regards
> Wolfgang Schaefer
>
> And yes, I tried to subscribe to (and search) RACF-L, but the list server does not reply to me :-( ... so I hope I'll find some help here.

Not going to work. I can't remember if what Rick stated is correct (user-id used as seed to encrypt the password) or if the password is used to encrypt the user-id. Either way, what is stored in the RACF database is something that is based on the user-id, the supplied password, and the encryption method. So if you copy the encrypted password for the user-id jdoe to the user-id johndoe, johndoe will not be able to log on, because johndoe was not used as part of the encryption process for the password; jdoe was.
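The point made by Walt Farrell, Arthur and the reply above is that the stored RACF (DES-mode) password value is bound to the user ID, because the password is the key and the user ID is the data that gets encrypted, so a stored value copied verbatim to a renamed ID can never verify. The following is an added illustration of that property, not code from this thread, from IBM, or from PWDCOPY. It does not reproduce RACF's actual DES algorithm, its EBCDIC encoding or its key handling; it uses HMAC-SHA256 keyed by the password over the user ID purely as a stand-in with the same structure (stored value = f_password(userid)). The 8-character blank-padding, upper-casing, the in-memory "database" dicts and the `pwdcopy` helper are all assumptions made for the demonstration.

```python
"""Why a RACF-style stored password value cannot be moved to a renamed user ID.

Added illustration, not IBM or PWDCOPY code.  RACF in DES mode uses the
password as the key and encrypts the user ID; the ciphertext is what is
stored.  HMAC-SHA256 is used here as a STAND-IN with the same structural
property (the stored value is a keyed function of the user ID).  It is NOT
RACF's real algorithm, padding, or EBCDIC encoding (assumptions throughout).
"""
import hashlib
import hmac


def normalize(field: str) -> bytes:
    # Assumption: mimic RACF's upper-casing of user IDs/passwords and
    # blank-padding to 8 characters.  Not the real RACF conversion.
    return field.upper().ljust(8).encode("ascii")


def stored_value(userid: str, password: str) -> bytes:
    """Password is the key, user ID is the data: the result depends on both."""
    return hmac.new(normalize(password), normalize(userid), hashlib.sha256).digest()


def verify(db: dict, userid: str, password: str) -> bool:
    """Recompute f_password(userid) and compare to the stored value."""
    rec = db.get(userid.upper())
    if rec is None:
        return False
    return hmac.compare_digest(rec, stored_value(userid, password))


def pwdcopy(src_db: dict, src_id: str, dst_db: dict, dst_id: str) -> None:
    """Copy the opaque stored value verbatim, as a PWDCOPY-style tool does.

    This works only when dst_id == src_id (copying between databases); the
    value silently becomes unverifiable when the user ID changes.
    """
    dst_db[dst_id.upper()] = src_db[src_id.upper()]


def demo() -> dict:
    """Run the four cases from the thread and return the outcomes."""
    prod = {"JDOE": stored_value("JDOE", "s3cret")}   # constructed sample record

    # Case 1: same ID, same database -> verifies (case-folded like RACF).
    same_id_ok = verify(prod, "jdoe", "S3CRET")

    # Case 2: same ID copied to another RACF database -> still verifies.
    other_db: dict = {}
    pwdcopy(prod, "JDOE", other_db, "JDOE")
    cross_db_ok = verify(other_db, "JDOE", "s3cret")

    # Case 3: stored value copied to a RENAMED ID -> never verifies, because
    # JOHNDOE was not the data that "s3cret" encrypted.
    pwdcopy(prod, "JDOE", prod, "JOHNDOE")
    renamed_copy_ok = verify(prod, "JOHNDOE", "s3cret")

    # Case 4: the only working path after a rename: re-apply the *cleartext*
    # password to the new ID (what Walt's enveloping approach recovers).
    prod["JOHNDOE"] = stored_value("JOHNDOE", "s3cret")
    renamed_reapplied_ok = verify(prod, "JOHNDOE", "s3cret")

    return {
        "same_id_ok": same_id_ok,
        "cross_db_ok": cross_db_ok,
        "renamed_copy_ok": renamed_copy_ok,
        "renamed_reapplied_ok": renamed_reapplied_ok,
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22s} {result}")
```

Cases 1 and 2 are why PWDCOPY "runs without errors" and is useful for moving an unchanged user ID between databases; case 3 is the rename scenario from the thread, where the copy succeeds at the data level but the user can never log on; case 4 is the step that requires the cleartext password, which is why the thread ends up at password enveloping or a forced reset.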