That was how we converted years ago. Activated KDFAES and let it stew for a few months until all the IDs that had cyclic password changes went through, then ran a report showing all legacy passwords and forced them to change/did PWCONVERT on them.
Rex

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Jack Zukt
Sent: Monday, April 28, 2025 3:15 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: Enabling the KDFAES encryption algorithm for the RACF Database

Hi Bob,

Thank you for your feedback. You are right about that. However, at the time, those that decide on policy decided that only non-expiring passwords needed to be converted. The active userids would be converted at password expire time.

Regards
Jack

On Mon, Apr 28, 2025, 11:56 Robert S. Hansel <r.han...@rshconsulting.com> wrote:

> Jack,
>
> The drawback to that approach is all the pre-existing passwords in the
> database - current, history, and non-expiring - are still in DES
> encrypted format and remain at risk to a brute force password cracking
> attack. In all the KDFAES implementation projects we've done, we have
> used ALTUSER PWCONVERT to immediately convert all passwords to KDFAES
> encryption. This does not, however, convert password phrases. The
> fallback is to activate the IRRUT200 backup that should have been taken
> immediately prior to this event, which we've never had to do.
>
> Regards, Bob
>
> Robert S. Hansel
> Lead RACF Specialist
> RSH Consulting, Inc.
> 617-969-8211
> http://www.linkedin.com/in/roberthansel
> http://www.rshconsulting.com
>
> -----Original Message-----
> Date: Sun, 27 Apr 2025 22:34:54 +0100
> From: Jack Zukt <jzuk...@gmail.com>
> Subject: Re: Enabling the KDFAES encryption algorithm for the RACF Database
>
> Hi
> We have implemented it for a while now. Activated KDFAES with SETR
> command and password expiration did the rest.
>
> Regards
> Jack
>
> On Fri, Apr 25, 2025, 20:12 Jasi Grewal <0000040674ae00fc-dmarc-requ...@listserv.ua.edu> wrote:
>
> > Greetings,
> >
> > We are planning to migrate to the KDFAES encryption algorithm for the RACF
> > database and would like to know if you have followed a similar process.
> > Please review the steps below and confirm if our assumptions are correct
> > regarding the migration to KDFAES standards, or if we are missing any steps:
> >
> > - Request all teams to initiate the SMPE Fix Category using the following,
> >   and apply it to their respective products such as DB2, IMS, and CICS:
> >   IBM.Function.RACF.PasswordEncryption
> > - Request application programmers to verify their application programs
> >   for any RACROUTE statements using TYPE=ENCRYPT or TYPE=EXTRACT.
> > - Review RACF exits, especially ICHDEX01.
> > - Enable the CPACF HMC feature.
> > - Make a copy of your current RACF database.
> > - Activate this copy on a test system.
> > - On the test system, activate KDFAES with the command:
> >   SETR PASSWORD(ALGORITHM(KDFAES))
> > - If we experience issues, deactivate it using:
> >   SETR PASSWORD(NOALGORITHM)
> >
> > Concern:
> > We would like to better understand the impact of the following IBM
> > recommendation and explore ways to minimize disruption:
> >
> > "Perform a bulk password change, notifying users of their pending new password."
> >
> > Additionally, please ensure the following actions are taken:
> >
> > - Activate KDFAES on the test system.
> > - Remove ICHDEX01 if it is currently installed in your system.
> >
> > Looking forward to your feedback and confirmation.
> > Thank You in advance,
> > Best regards,
> > Jasi Grewal.
> >
> > ----------------------------------------------------------------------
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
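The thread describes two ways of finishing a KDFAES migration: convert every legacy password at once with ALTUSER PWCONVERT (Bob), or let password expiration convert the active userids and only handle the non-expiring ones (Jack, Rex). Either way the administrator needs the report Rex mentions: which userids still carry DES-encrypted material after activation, and which of those will never rotate on their own. The script below is an added example written for this thread; it is not code from any of the posters or from IBM. It reads a constructed, simplified extract rather than the real fixed-column IRRDBU00 user basic data (0200) record, so the field order, the algorithm value names (LEGACY/KDFAES/NOPASSWORD/NOPHRASE) and the interval and revoked columns are all assumptions to be checked against the actual record layout; the only RACF command it emits is the ALTUSER userid PWCONVERT form already quoted in the thread.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample extract, one user per line, '|' separated.  This is a
# simplified stand-in for IRRDBU00 user basic data (0200) records, NOT the
# real fixed-column layout.  Assumed field order:
#   userid | password algorithm | phrase algorithm | password interval | revoked
SAMPLE_EXTRACT = """\
ALICE   |KDFAES    |NOPHRASE|90  |N
BOB     |LEGACY    |NOPHRASE|NONE|N
CAROL   |LEGACY    |LEGACY  |90  |N
DAVE    |LEGACY    |NOPHRASE|90  |Y
ERIN    |NOPASSWORD|KDFAES  |90  |N
FRANK   |KDFAES    |LEGACY  |60  |N
"""


@dataclass
class UserRecord:
    userid: str
    pwd_alg: str      # LEGACY, KDFAES or NOPASSWORD (assumed value set)
    phr_alg: str      # LEGACY, KDFAES or NOPHRASE (assumed value set)
    interval: str     # password change interval in days, or NONE (non-expiring)
    revoked: bool


def parse_extract(text: str) -> List[UserRecord]:
    """Parse the constructed extract; reject malformed lines rather than guessing."""
    records: List[UserRecord] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 5:
            raise ValueError(f"malformed record: {line!r}")
        userid, pwd_alg, phr_alg, interval, revoked = fields
        records.append(UserRecord(userid, pwd_alg, phr_alg, interval, revoked == "Y"))
    return records


def needs_admin_conversion(rec: UserRecord) -> bool:
    """A legacy password that will never rotate by itself: non-expiring, or a revoked user."""
    return rec.pwd_alg == "LEGACY" and (rec.interval == "NONE" or rec.revoked)


def build_report(text: str, convert_all: bool = True) -> Dict[str, List[str]]:
    """
    Classify every user after KDFAES activation.

    convert_all=True  : every legacy password gets PWCONVERT now (Bob's approach).
    convert_all=False : only passwords that cannot rotate on their own get PWCONVERT;
                        the rest are left to convert at the next password change
                        (Jack's and Rex's approach).
    Legacy password phrases are always listed separately: per the thread,
    PWCONVERT does not convert phrases, so the user has to change the phrase.
    """
    report: Dict[str, List[str]] = {"pwconvert": [], "await_expiry": [], "phrase_change": []}
    for rec in parse_extract(text):
        if rec.pwd_alg == "LEGACY":
            if convert_all or needs_admin_conversion(rec):
                report["pwconvert"].append(rec.userid)
            else:
                report["await_expiry"].append(rec.userid)
        if rec.phr_alg == "LEGACY":
            report["phrase_change"].append(rec.userid)
    return report


def pwconvert_commands(report: Dict[str, List[str]]) -> List[str]:
    """RACF commands to run, after taking the IRRUT200 backup the thread recommends."""
    return [f"ALTUSER {userid} PWCONVERT" for userid in report["pwconvert"]]


if __name__ == "__main__":
    rpt = build_report(SAMPLE_EXTRACT, convert_all=False)
    for key, users in rpt.items():
        print(f"{key:13}: {', '.join(users) or '-'}")
    print("\n".join(pwconvert_commands(rpt)))
```

Run it against a real extract only after replacing parse_extract with a parser for the actual IRRDBU00 column positions; the classification logic is the part worth keeping. The revoked check is there because a revoked user cannot log on and change a password, so an expiring interval does nothing for that ID and it stays in DES format until an administrator converts it.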