Paul Gilmartin wrote:

>>Not so that RACF will know, but so the application calling RACF will know.
>>The application needs to know whether the user entered a password or password
>>phrase so it can indicate that to RACF. (And, I suppose, so the application
>>developers can decide when/whether to support password phrases.)

>It could have been made compatible by merging the password and passphrase
>tables and preserving both interfaces.

I am sorry, but IMHO no, it is not possible or very difficult to achieve. One reason is that the application logon screens and services need to be totally rewritten. That alone is a major shake-up. The vendors won't bite on this one.

A quick RTFM and look in SYS1.MACLIB will show you that handling and storing of "password" is absolutely different from "password phrase".

In the RACF Template, in the user basic template, there are fields for password, encryption method, last date of password change, how many passwords are stored, etc. All of these are repeated for password phrase.

... and there are two sets of tables for enveloping password and password phrase. So you thus have two different envelopes.

AFAIK there is only one field applicable to both password and password phrase - password interval.

Another field of note in the RACF Template is "User can fall back to password logon".

The services handling the RACROUTE macros are getting keywords for password OR password phrase. The issuer of RACROUTE macros needs to specify password and/or password phrase. It is up to RACF to accept either password or password phrase.

So, all the way to serve this one thing: "backward compatibility" until alternatives like MFA, for example, are the only standard or so.

>>Additionally, password phrases get some strength from an increased number of
>>characters supported, but primarily from increased length. The initial
>>implementation required at least 14 characters for that reason, unless the
>>installation wanted to provide an exit overriding that to a smaller value, 9
>>to 13.

>Or that could have been 1 to 13, depending on how imprudent the admins.

It may be possible, but I am sure that will require a major overhaul.

Groete / Greetings
Elardus Engelbrecht

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN