Hello.

I have a new task that it's to periodically rotate in RACF the password of users used out of Mainframe to connect to Db2. 

Some of that users are crítical and are used thousand of times in a second.

The password of that users have been put manually by the responsible of each user in the aplicattion out of mainframe.

Please, i would like to know how i can do this without stopping the service.

Other question. In the future, what is the best? Use of certificates instead users/passwords? A central vault where the users ask for the password? Are there any tool that can help in this task?

Thanks for your help.

I can give a general overview of what a company I worked at has done. It seemed to work pretty well. 

We had a centralized application password service - if you needed a connection to DB2, you had to go through the service to get the connection string. 

Every application had a "1" and "2" version of their userid. If "1" was the currently active user, we would change the password on the "2" version, and then push that to the connection string service, so new connections would start to use that userid. We would change the passwords every morning.

The downside was then that you had to call a service to get the userid/password, but we mitigated this some by caching it on the client.

Hope that gives you some ideas!