
List:       racf-l
Subject:    Re: KDFAES: PWDCOPY utility
From:       Bogdan Belciu <belciu.bogdan () GMAIL ! COM>
Date:       2017-03-16 9:05:43
Message-ID: CADyF5zN3-T92sgj7fHxBZjvFrf8HyueqUCYzwpJZ9e3P8KQQkw () mail ! gmail ! com

Hello Werner,

I did that and I was using PWDCOPY.
*Run ICHPSOUT with PARM=DES* - this will force the ICHPSOUT procedure to
encrypt to DES the passwords which are exported.

If the password is already DES encrypted, for each entry/user you
will first get the warning message:

"   PASSWORD CONTAINS NON ALPHANUMERIC CHARATERS IF MASKING ENCRYPTED -
WARNING" - this means the password was already DES and now is "double DES"
encrypted. Of course an already DES encrypted password will contain non
alphanumeric passwords.

Immediately for the same user there will be the message:
   "DATA HAS BEEN EXPORTED"

This is fine, this means that user had already a DES encrypted password.

If you use ICHPSOUT with PARM=DES for all the users you suspect to have
passwords masked (I did it for example for all users which had a psw date
prior to 1995) then for all users you will need to have a pair of these
messages.
If you notice for one user ONLY the "DATA HAS BEEN EXPORTED" message and
not the warning message, this means that user has a MASKED password! It
means the user had a masked password which was converted successfully to
DES and no warning was issued.

This is how it is done.
Of course, if you use ICHPSOUT with PARM=DES and 99% of the passwords were
already DES, the exported passwords are useless; if you inject them back to
the RACF db with ICHPSIN they will not work and they will be double-DES
encrypted. You just do this export to spot the masked passwords.



On Wed, Mar 15, 2017 at 2:42 PM, <Werner.Robertz@devk.de> wrote:

> Hello Group,
>
> We are planning to implement the KDFAES encryption algorithm and I am
> evaluating if there is any userid that has a password encrypted by masking
> algorithm.
>
> APAR OA43999 mentions utility PWDCOPY without any further description. We
> gave it a try and got the following messages for userid X01058:
>
> X01058   PASSWORD CONTAINS NON ALPHANUMERIC CHARATERS IF MASKING ENCRYPTED
> - WARNING
> X01058   DATA HAS BEEN EXPORTED
>
> Does anybody have experiences with PWDCOPY? Do these messages indicate
> that the password is DES encrypted?
>
> Any comments are appreciated
>
> Thanks
>
>
> Werner Robertz
> CC Mainframe & CS
> DEVK Versicherungen
> Riehler Str. 190
> 50735 Köln
> werner.robertz@devk.de
>
>
>
>
> Please consider the environment. Do you need to print this e-mail?
>



-- 
Best Regards,
Bogdan Belciu
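
The check described in this message, as an added example that is not part of the original post or of the PWDCOPY package: it reads an ICHPSOUT PARM=DES report and lists the userids that show "DATA HAS BEEN EXPORTED" without the warning. The line layout (userid first, then the message text) is assumed from the two lines quoted in the thread; the sample report and every userid other than X01058 are constructed.

```python
import re
from collections import defaultdict

# Message texts as quoted in the thread (spelling as the utility prints it).
WARNING_TEXT = "PASSWORD CONTAINS NON ALPHANUMERIC CHARATERS"
EXPORTED_TEXT = "DATA HAS BEEN EXPORTED"

# Assumption: a report line is "<userid> <message>"; RACF userids are 1-8
# characters from A-Z, 0-9, #, $ and @.
LINE_RE = re.compile(r"^\s*([A-Z0-9#$@]{1,8})\s+(\S.*)$")


def classify(report):
    """Group userids by which of the two messages ICHPSOUT printed for them."""
    seen = defaultdict(set)
    for line in report.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # wrapped continuation such as "- WARNING", blank line
        user, text = m.groups()
        if WARNING_TEXT in text:
            seen[user].add("warning")
        elif EXPORTED_TEXT in text:
            seen[user].add("exported")
    groups = {"masked_candidates": [], "already_des": [], "review": []}
    for user in sorted(seen):
        flags = seen[user]
        if flags == {"exported"}:
            groups["masked_candidates"].append(user)   # export only: masked
        elif flags == {"warning", "exported"}:
            groups["already_des"].append(user)         # the usual pair
        else:
            groups["review"].append(user)              # warning without export
    return groups


# Constructed sample report; only X01058 and its two messages come from the thread.
SAMPLE = """\
X01058   PASSWORD CONTAINS NON ALPHANUMERIC CHARATERS IF MASKING ENCRYPTED
- WARNING
X01058   DATA HAS BEEN EXPORTED
OLDUSR1  DATA HAS BEEN EXPORTED
TESTU02  PASSWORD CONTAINS NON ALPHANUMERIC CHARATERS IF MASKING ENCRYPTED - WARNING
TESTU02  DATA HAS BEEN EXPORTED
"""

if __name__ == "__main__":
    for group, users in classify(SAMPLE).items():
        print(f"{group}: {', '.join(users) or '-'}")
```

Userids in the "review" group had a warning with no export message, a case the thread does not cover, so they are left for manual inspection.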