Answers below

On 25.04.2025 at 21:11, Jasi Grewal wrote:
Greetings,


We are planning to migrate to the KDFAES encryption algorithm for the RACF 
database and would like to know if you have followed a similar process.
Many installations did it many years ago.



Please review the steps below and confirm if our assumptions are correct 
regarding the migration to KDFAES standards, or if we are missing any steps:
- Request all teams to initiate the SMPE Fix Category using the following, and
  apply it to their respective products such as DB2, IMS, and CICS:
  IBM.Function.RACF.PasswordEncryption

Is your software more or less up to date or very backlevel? Compare it to the date of KDFAES introduction. In simple words: yes, you should patch your software on a regular basis, but for this case I'd be sure your software stack is already prepared.



- Request application programmers to verify their application programs for any
  RACROUTE statements using TYPE=ENCRYPT or TYPE=EXTRACT.

Do you have any?

- Review RACF exits, especially ICHDEX01.

Do you have this exit?


- Enable the CPACF HMC feature.

You cannot. However you can check it.


- Make a copy of your current RACF database.

Good idea. Every day. Even if you don't plan any activity.



- Activate this copy on a test system.

It is a good idea to start on a test system. Caution: enable it and *wait* before activation on prod.


- On the test system, activate KDFAES with the command:
  SETR PASSWORD(ALGORITHM(KDFAES))

Yes, that's the command. In fact that's the only thing to do.


- If we experience issues, deactivate it using:
  SETR PASSWORD(NOALGORITHM)

Or restore the RACF db from backup. You know how, do you? Or rather you'll be guessing when the problem arises?


Concern:
We would like to better understand the impact of the following IBM 
recommendation and explore ways to minimize disruption:

“Perform a bulk password change, notifying users of their pending new
password.”

Additionally, please ensure the following actions are taken:

Explanation: after you enable KDFAES, no user uses it. All the passwords are "legacy", which means you would need a password change for every user. If you don't want to wait, you can enforce password expiration and then all active users will change passwords and the new passwords will be KDFAES encrypted.
My advice:
Enable KDFAES on the test system. Change your own password and a few others.
Wait a few days.
Enforce password change for the rest (ALU userid EXPIRE).
Watch your system logs for a few days.
Wait a few weeks.
Enable KDFAES on prod.
Change a few passwords.
Wait a few days.
Partially enforce a few passwords at a time.
Finally enforce password change for the rest.


--
Radoslaw Skorupka
Lodz, Poland
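One way to script the staged step above (ALU userid EXPIRE for a few users at a time, once KDFAES is active), as an added REXX example that is not part of this thread or of IBM documentation; the DD names USERIDS and REMAIN and the batch size are assumptions:

```rexx
/* REXX: expire a batch of RACF passwords (constructed example).        */
/* DD USERIDS holds one userid per line; DD REMAIN receives the users   */
/* not processed in this run, so the next run continues from there.    */
/* Usage under TSO: EX 'your.exec(EXPBATCH)' '25'                       */
arg batch .
if batch = '' | datatype(batch, 'W') = 0 then batch = 10
address TSO
"EXECIO * DISKR USERIDS (STEM ids. FINIS"
if rc <> 0 then do
  say 'Read of USERIDS failed, rc =' rc
  exit 8
end
done = 0            /* users expired in this run */
rest.0 = 0          /* users deferred to the next run */
do i = 1 to ids.0
  userid = strip(word(ids.i, 1))
  if userid = '' | left(userid, 1) = '*' then iterate   /* blank or comment */
  if done < batch then do
    "ALU" userid "EXPIRE"   /* next logon forces a new, KDFAES-stored password */
    if rc = 0 then do
      done = done + 1
      iterate
    end
    say 'ALU' userid 'EXPIRE failed, rc =' rc '- deferred'
  end
  n = rest.0 + 1          /* over the batch limit or failed: keep for later */
  rest.n = userid
  rest.0 = n
end
"EXECIO" rest.0 "DISKW REMAIN (STEM rest. FINIS"
say done 'password(s) expired;' rest.0 'deferred to REMAIN'
exit 0
```

Point the next run's USERIDS at the previous REMAIN output and the rollout proceeds batch by batch, with the system logs checked in between as the advice above suggests.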

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
