The Password Phrase Only ICHRIX02 Exit

Important!  APAR OA43999 (available on z/OS V1R12 and higher) provides phrase-only capability using the ALTUSER command.  This exit is not necessary when you have OA43999 installed.

Since the introduction of password phrases, all RACF users who are assigned a password phrase must also have a password. It may be desirable for some installations to restrict the use of passwords after enabling password phrases.

This sample ICHRIX02 'RACROUTE VERIFY post processing exit' allows an installation to enforce the use of password phrases and restrict the use of passwords. Administrators can allow select users to log on with a password by permitting them READ access to the IRR.PASSWORD.ALLOWED resource in the FACILITY class. Password authentication attempts by users not permitted to this resource will fail as though the password is invalid. For example, if user RACFU01 does not have READ access to the resource and attempts to log on with a password via TSO, the logon will fail with the message:

IKJ56421I PASSWORD NOT AUTHORIZED FOR USERID

Additionally, the following messages will appear on the console:

ICH408I USER(RACFU01 ) GROUP(SYS1 ) NAME(TEST USER )
IRR.PASSWORD.ALLOWED CL(FACILITY)
INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
ICH408I USER(RACFU01 ) GROUP(SYS1 ) NAME(TEST USER )
LOGON/JOB INITIATION - INVALID PASSWORD ENTERED AT TERMINAL MF1LC11
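
Because the exit fails the logon as though the password were invalid, telling an exit denial apart from a genuinely wrong password means correlating the two ICH408I messages. The following Python is an added example, not part of the IBM sample. It assumes the console text is available line by line in the form shown above and that the IRR.PASSWORD.ALLOWED denial immediately precedes the failure for the same user; the RACFU02 lines are constructed.

```python
import re

# Constructed sample: the console messages shown above, plus an ordinary
# wrong-password failure for a hypothetical user RACFU02.
SAMPLE_CONSOLE = """\
ICH408I USER(RACFU01 ) GROUP(SYS1 ) NAME(TEST USER )
IRR.PASSWORD.ALLOWED CL(FACILITY)
INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
ICH408I USER(RACFU01 ) GROUP(SYS1 ) NAME(TEST USER )
LOGON/JOB INITIATION - INVALID PASSWORD ENTERED AT TERMINAL MF1LC11
ICH408I USER(RACFU02 ) GROUP(SYS1 ) NAME(OTHER USER )
LOGON/JOB INITIATION - INVALID PASSWORD ENTERED AT TERMINAL MF1LC12
"""

HEADER = re.compile(r"^ICH408I USER\((?P<user>[^)]*)\)")
TERMINAL = re.compile(r"INVALID PASSWORD ENTERED AT TERMINAL (\S+)")

def split_messages(text):
    """Group console lines into (user, body_lines), one entry per ICH408I."""
    messages = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            messages.append((m.group("user").strip(), []))
        elif line and messages:
            messages[-1][1].append(line)
    return messages

def classify_password_failures(text):
    """Return [(user, terminal, reason)] for each INVALID PASSWORD message."""
    results = []
    denied_user = None  # user named in the immediately preceding denial
    for user, body in split_messages(text):
        joined = " ".join(body)
        if "IRR.PASSWORD.ALLOWED" in joined and "INSUFFICIENT ACCESS AUTHORITY" in joined:
            denied_user = user
            continue
        term = TERMINAL.search(joined)
        if term:
            reason = "password-not-permitted" if user == denied_user else "invalid-password"
            results.append((user, term.group(1), reason))
        denied_user = None
    return results

if __name__ == "__main__":
    for row in classify_password_failures(SAMPLE_CONSOLE):
        print(*row)
```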

 

The ICHRIX02 Password Phrase only exit sample is contained in the file:

  • ICHRIX02.TXT (32.3KB) Assembler source code for the ICHRIX02 sample exit

You must assemble ICHRIX02 and link-edit it into an APF-authorized library. This exit must be reentrant and is invoked in supervisor state, with protection key 0, with no locks held. For documentation on RACF exits, see z/OS Security Server RACF System Programmer's Guide. For details on the RACROUTE macro, see z/OS Security Server RACROUTE Macro Reference. For details on the ICHRIX02 parameter list, see z/OS Security Server Data Areas.

We welcome your comments and questions on the ICHRIX02 Password Phrase only sample exit. Please direct them to the RACF-L mailing list. Subscription information for RACF-L can be found from the RACF-L Discussion List Page.


Disclaimers

 

This program contains code made available by IBM Corporation on an "AS-IS" basis. Any one receiving this program is considered to be licensed under IBM copyrights to use the IBM-provided code in any way he or she deems fit, including copying it and redistributing it, except that it may be neither sold nor incorporated within a product that is sold. No license under any IBM patents or patent applications is to be implied from this copyright license. The software is provided "as-is", and IBM disclaims all warranties, express or implied, including but not limited to implied warranties of merchantability or fitness for a particular purpose.

 

 


 

This page last updated November, 2014.