This applies to all kind of sensitive fields in the RACF database, like password, passphrases (although encrypted), certificate keys, etc.
CKGRACF is a zSecure command that can be used to set a password/phrase. These are hidden in the command output. But that is independent of the CKNDSN setting to hide/allow showing of the sensitive field-values for all the existing profiles.
If you look at the RACF templates, there is a flag that specifies if the field in the RACF database is considered "sensitive". zSecure hides these (and a few more) by default.
------------------------------
Guus Bonnes
------------------------------
Original Message:
Sent: Fri July 24, 2020 05:24 AM
From: Anji Stephens
Subject: CKNDSN profiles in XFACILIT
Thank you Guus. Just to confirm, do you mean sensitive fields like passwords when using CKGRACF?
------------------------------
Anji Stephens
IT Mainframe Security Consultant
Belmont Technologies Ltd
Original Message:
Sent: Fri July 24, 2020 04:37 AM
From: Guus Bonnes
Subject: CKNDSN profiles in XFACILIT
Update access is checked in the server to determine if this client is allowed to see sensitive fields, like passwords. Without update access, the sensitive field values are replaced by asterisks. This is somewhat poorly documented in the manuals. Because most users are not allowed to see sensitive fields (and the user did not explicitly ask for such access), insufficient access is not logged (SMF and ICH408I).
------------------------------
Guus Bonnes
Original Message:
Sent: Thu July 23, 2020 06:18 AM
From: Anji Stephens
Subject: CKNDSN profiles in XFACILIT
Having defined CKNDSN profiles with READ access, we have noticed in Access Monitor that there are some return code 8 when trying to get UPDATE access. We don't see any ICH408I messages and everything appears to be working fine. Can anyone explain this please?
Thanks
------------------------------
Anji Stephens
------------------------------