IBM Security Z Security

 View Only
  • 1.  Calling CKGRACF from REXX

    Posted Thu July 01, 2021 04:53 PM
    I've got a unique situation where I need to call program CKGRACF from REXX to execute the USER xx PWSET command. does anyone have any sample code or point me in the direction of any manuals related to this topic?

    Richard Burkhalter

  • 2.  RE: Calling CKGRACF from REXX

    Posted Wed July 07, 2021 12:20 PM
    Edited by Rob van Hoboken Mon August 02, 2021 05:41 AM
    There are 2 ways to call CKGRACF:

    If this program is in the linklist (and in the authorized command list in IKJTSOxx), you can just
    address "TSO" "CKGRACF USER xx PWSET"

    If SCKRLOAD is not part of linklist, you have to call CKGRACF

    Note, output of CKGRACF is sent to DD name SYSTERM (when allocated to a data set) or to the terminal (when SYSTERM is allocated to DA(*)).

    In some CKGRACF commands, you will find the output in SYSTERM to be different, depending on the presence of DD name  CKGPRINT (where the debug information for CKGRACF is written).  You need to figure out if your output is better when you add an

    address "TSO" "FREE FILE(CKGPRINT)"

    or an


    At a recent project I used this Rexx function to execute CKGRACF commands:

    /* reset password */
    call CKG_cmd "USER" target_id "PWSET PREVIOUS RESUME"
    resetResult = result


    /* Call CKGRACF to execute a command. */
    CKG_cmd: procedure expose g.
    address "TSO"
    g.!ckgracf1 || "CMD" arg(1) || g.!ckgracf2
    CKG_rc = rc
    return CKG_rc

    In the header I would set the 2 global values:

    /* Call via linklist: */
    g.!ckgracf1 = "CKGRACF " /* blank is mandatory */
    g.!ckgracf2 = ""
    /* In case CKGRACF is not in the linklist: */
    g.!ckgracf1 = "call 'ckr.sckrload(ckgracf)' '"
    g.!ckgracf2 = "'"

    Rob van Hoboken

  • 3.  RE: Calling CKGRACF from REXX

    Posted Wed July 14, 2021 01:28 PM
    Thanks, Rob! This is extremely helpful. I was able to successfully test my password change, but it's opened new hurdles...We use blockade to distribute the password change across all other lpars. the password propagated everywhere successfully, but the noexpire did not. Blockade is currently working with ALU xx PASSWORD() NOEXPIRE, but it's not comparing against the password history. CKGRACF would solve this problem, but if it's not distributing the NOEXPIRE, it's not a complete solution.

    I basically need to check against password history...a solution, if possible, would be to check password history, then issue the ALU command. I've looked in the Quick Reference manual for the correct syntax, but it doesn't go into depth. Does the ask parameter (or any other) allow for verifying the password against the password history without setting it?

    Richard Burkhalter

  • 4.  RE: Calling CKGRACF from REXX

    Posted Mon August 02, 2021 05:41 AM
    Edited by Rob van Hoboken Mon August 02, 2021 05:41 AM
    The ASK option in CKGRACF is part of dual authority and allows an arbitrary user to ask access to a resource or ask for an action.  This request does not execute (of course) but gets queued for approval or completion by  an (authorized) administrator.  ASK is different from REQ, in the sense that REQ executes the command when the resource has single authority and gets queued for approval when the resource has dual authority.  ASK is always queued for approval.  Also, ASK and REQ have different CKG.CMD resource values.

    Regarding NONEXPIRED from CKGRACF, have you enable APPL updates in RRSF?

    Rob van Hoboken