Hi Bob, Thank you for your feedback. You are right about that. However, at the time, those that decide on policy decided that only non-expiring passwords needed to be converted. The active userids would be converted at password expire time.
Regards,
Jack

On Mon, Apr 28, 2025, 11:56 Robert S. Hansel <r.han...@rshconsulting.com> wrote:

> Jack,
>
> The drawback to that approach is all the pre-existing passwords in the
> database - current, history, and non-expiring - are still in DES encrypted
> format and remain at risk to a brute force password cracking attack. In all
> the KDFAES implementation projects we've done, we have used ALTUSER
> PWCONVERT to immediately convert all passwords to KDFAES encryption. This
> does not, however, convert password phrases. The fallback is to activate
> the IRRUT200 backup that should have been taken immediately prior to this
> event, which we've never had to do.
>
> Regards, Bob
>
> Robert S. Hansel
> Lead RACF Specialist
> RSH Consulting, Inc.
> 617-969-8211
> www.linkedin.com/in/roberthansel
> www.rshconsulting.com
>
> -----Original Message-----
> Date: Sun, 27 Apr 2025 22:34:54 +0100
> From: Jack Zukt <jzuk...@gmail.com>
> Subject: Re: Enabling the KDFAES encryption algorithm for the RACF Database
>
> Hi
> We have implemented it for a while now. Activated KDFAES with SETR command
> and password expiration did the rest.
>
> Regards
> Jack
>
> On Fri, Apr 25, 2025, 20:12 Jasi Grewal <
> 0000040674ae00fc-dmarc-requ...@listserv.ua.edu> wrote:
>
> > Greetings,
> >
> > We are planning to migrate to the KDFAES encryption algorithm for the RACF
> > database and would like to know if you have followed a similar process.
> > Please review the steps below and confirm if our assumptions are correct
> > regarding the migration to KDFAES standards, or if we are missing any steps:
> >
> > - Request all teams to initiate the SMPE Fix Category using the following,
> >   and apply it to their respective products such as DB2, IMS, and CICS:
> >   IBM.Function.RACF.PasswordEncryption
> >
> > - Request application programmers to verify their application programs for
> >   any RACROUTE statements using TYPE=ENCRYPT or TYPE=EXTRACT.
> >
> > - Review RACF exits, especially ICHDEX01.
> >
> > - Enable the CPACF HMC feature.
> >
> > - Make a copy of your current RACF database.
> >
> > - Activate this copy on a test system.
> >
> > - On the test system, activate KDFAES with the command:
> >   SETR PASSWORD(ALGORITHM(KDFAES))
> >
> > - If we experience issues, deactivate it using:
> >   SETR PASSWORD(NOALGORITHM)
> >
> > Concern:
> > We would like to better understand the impact of the following IBM
> > recommendation and explore ways to minimize disruption:
> >
> > “Perform a bulk password change, notifying users of their pending new
> > password.”
> >
> > Additionally, please ensure the following actions are taken:
> >
> > - Activate KDFAES on the test system.
> >
> > - Remove ICHDEX01 if it is currently installed in your system.
> >
> > Looking forward to your feedback and confirmation.
> >
> > Thank You in advance,
> > Best regards,
> > Jasi Grewal.
> >
> > ----------------------------------------------------------------------
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
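Added example for this thread, not code posted by Jack, Bob or Jasi. It puts Bob's advice into a repeatable step: after SETR PASSWORD(ALGORITHM(KDFAES)) is in effect, read an IRRDBU00 database unload, find every user whose current password is still in the legacy (DES) format, and generate a batch TSO (IKJEFT01) job of ALTUSER ... PWCONVERT commands so those users are not left on DES until their next expiry. Users whose password phrase is still legacy are listed separately, because, as Bob notes, PWCONVERT does not convert phrases; they have to be made to set a new phrase. The record type (columns 1-4) and USBD_NAME (columns 6-13) positions in the 0200 record are standard; the positions and values of the password and phrase algorithm fields, the record length, the job card, and the sample records are assumptions for this example and must be checked against the 0200 record layout for your z/OS release before running this against a real unload.

```python
"""Plan an ALTUSER PWCONVERT sweep from an IRRDBU00 unload (added example)."""

# Record type (cols 1-4) and USBD_NAME (cols 6-13) are the documented positions.
# The algorithm field offsets, widths and values below are ASSUMPTIONS for this
# example: verify them against the 0200 record layout for your release.
RECORD_TYPE = slice(0, 4)
USBD_NAME = slice(5, 13)
USBD_PWD_ALG = slice(2127, 2137)   # assumed position of the password algorithm field
USBD_PHR_ALG = slice(2138, 2148)   # assumed position of the phrase algorithm field
RECORD_LEN = 2160                  # assumed minimum record length for padding

LEGACY, KDFAES = "LEGACY", "KDFAES"   # assumed field values; others treated as "none"


def make_0200(name, pwd_alg, phr_alg):
    """Build a constructed 0200 record carrying only the fields this tool reads."""
    rec = [" "] * RECORD_LEN
    for sl, val in ((RECORD_TYPE, "0200"), (USBD_NAME, name),
                    (USBD_PWD_ALG, pwd_alg), (USBD_PHR_ALG, phr_alg)):
        width = sl.stop - sl.start
        rec[sl] = list(val.ljust(width)[:width])
    return "".join(rec)


def parse_0200(unload_lines):
    """Return {userid: {pwd_alg, phr_alg}} from the 0200 records in an unload."""
    users = {}
    for line in unload_lines:
        if line[RECORD_TYPE] != "0200":   # group, connect, profile records etc. are skipped
            continue
        users[line[USBD_NAME].strip()] = {
            "pwd_alg": line[USBD_PWD_ALG].strip(),
            "phr_alg": line[USBD_PHR_ALG].strip(),
        }
    return users


def plan_conversion(users):
    """Split users into: needs PWCONVERT, already KDFAES, no password, needs new phrase."""
    plan = {"pwconvert": [], "done": [], "no_password": [], "phrase_change": []}
    for uid in sorted(users):
        u = users[uid]
        if u["pwd_alg"] == LEGACY:
            plan["pwconvert"].append(uid)        # DES hash still on file: convert now
        elif u["pwd_alg"] == KDFAES:
            plan["done"].append(uid)             # nothing to do for the password
        else:
            plan["no_password"].append(uid)      # protected user, no password to convert
        if u["phr_alg"] == LEGACY:
            plan["phrase_change"].append(uid)    # PWCONVERT does not touch phrases
    return plan


def build_tso_job(userids,
                  job_card="//PWCONV   JOB (ACCT),'KDFAES PWCONVERT',CLASS=A,MSGCLASS=X"):
    """Batch TSO job issuing ALTUSER PWCONVERT for each user (job card is assumed)."""
    lines = [
        job_card,
        "//* Take an IRRUT200 backup of the RACF database before running this job.",
        "//TSO      EXEC PGM=IKJEFT01",
        "//SYSTSPRT DD SYSOUT=*",
        "//SYSTSIN  DD *",
    ]
    lines += [f"ALTUSER {uid} PWCONVERT" for uid in userids]
    lines.append("/*")
    return "\n".join(lines) + "\n"


# Constructed sample unload: three states a user can be in after the SETR switch,
# plus a non-0200 record to show it is ignored.
SAMPLE_UNLOAD = [
    make_0200("JSMITH", LEGACY, "NOPHRASE"),      # active user, still on DES
    make_0200("ADMIN1", LEGACY, LEGACY),          # DES password and legacy phrase
    make_0200("BATCHA", "NOPASSWORD", "NOPHRASE"),  # protected started-task user
    make_0200("NEWHIRE", KDFAES, KDFAES),         # changed password after the switch
    "0100" + " " * 40,                            # group record, skipped
]

if __name__ == "__main__":
    plan = plan_conversion(parse_0200(SAMPLE_UNLOAD))
    print(build_tso_job(plan["pwconvert"]))
    print("Still KDFAES-converted by PWCONVERT? no, need a new phrase:", plan["phrase_change"])
    print("Protected users skipped:", plan["no_password"])
```

Run it against the real unload by replacing SAMPLE_UNLOAD with the lines of your IRRDBU00 output; re-run the unload after the job to confirm the pwconvert list is empty, since any user who changed their password between the unload and the job is converted either way. The phrase_change list is the set you still have to chase with a forced phrase change, which is the part of the IBM "bulk password change" recommendation that PWCONVERT does not remove.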