
Password encryption algorithm (ext security)

  • 1.  Password encryption algorithm (ext security)

    Posted May 24, 2017 08:57 AM

    We are using EXTERNAL security in IDMS and I would like to activate a stronger password encryption algorithm 'KDFAES' under RACF. This makes it much more difficult to crack passwords stored in the RACF Database. IBM Documentation Planning Considerations for Enabling KDFAES warns of potential impact on "applications" that perform password verifications. IBM Info APAR II14765 refers to a number of IBM products for which maintenance is required (e.g. IMS, CICS, etc.). I assume that IDMS may also be potentially involved.

    Is there any impact on our IDMS software? Perhaps you have already gained experience with other customers using the RACF option SETROPTS PASSWORD (ALGORITHM (KDFAES))?

  • 2.  Re: Password encryption algorithm (ext security)
    Best Answer

    Broadcom Employee
    Posted May 24, 2017 09:57 AM

    Hi Jan,

    Probably this should be a support case, but IDMS, when handling External security for RESTYPE=SGON, does not know what the external security manager is, so we cannot know what encryption it may use. We do use RACROUTE because TSS and ACF2 support it, but always send the password as entered by the user at the terminal.

    What RACF does with the password to validate it is not something IDMS knows.

    We don't see how this can affect IDMS using external security, but are curious about what changes you refer to that may need to be made in applications.