IBM Security Z Security


z/OS Password to Passphrase migration

  • 1.  z/OS Password to Passphrase migration

    Posted Thu July 15, 2021 10:02 AM

    I am looking for thoughts or suggestions on converting users from passwords to passphrases. From what I've found, users can't use their passwords to reset a passphrase. I'm not too excited about the idea of creating thousands of temporary passphrases for every user and sending them out to them individually, and was wondering if there are any solutions to assist with this type of rollout?

    Jim Elliott
    Senior IT Consultant, GlassHouse Systems Inc.

  • 2.  RE: z/OS Password to Passphrase migration

    Posted Tue July 20, 2021 04:43 AM
    Yes. To confirm: (1) Passphrases are completely separate from passwords. You can't use one to set the other. (2) A passphrase must be defined by an administrator for each user, before they can use passphrases.

    A simple solution would be to randomly generate a passphrase for each user in your pilot group, and ask the users to contact the service desk to reset it. You could use Carla to generate the commands:

        CKGRACF USER userid PWSET RANDOM PHRASE

    If it's not feasible to use your service desk this way, then you need a process to generate and store passphrases, and then either batch mail them out, or make them accessible to the users individually.

    Here's what I did:
    Define a custom field for a 2-way-encrypted passphrase, with appropriate FIELD controls. [I'd probably investigate enveloping if I were doing it now]
    Download 5 books from Project Gutenberg as a source of readable phrases.
    Write some rexx to loop through each user and:
     Randomly select a phrase from a random book, and process it to meet the default passphrase requirements;
     Encrypt the passphrase and store it in the custom field in the user's profile;
     Issue the ALU command to set the passphrase.
    Write a simple ISPF/Rexx utility to allow the users to retrieve their initial passphrase, when logged on to TSO using password.

    Later on, we had a need to store all users' emails in RACF (in another custom field). So storing the passphrase was no longer necessary, as we could generate and send emails in the process. 

    Hopefully this will give you some ideas, and allow you to come up with something better.

    Pete Buckley
    Mainframe Tech Specialist
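    To make the phrase-generation steps in the post above concrete, here is an added Python example; it is not Pete's REXX and not part of the original thread. It assumes the default RACF passphrase rules stated in its comments, uses a constructed snippet of text in place of downloaded books, and builds only the ALU command (the encrypted custom field and the ISPF retrieval utility are not shown); the command sets the passphrase only, leaving the user's password untouched, and RACF expires it at first use unless NOEXPIRED is added.

    ```python
    import re
    import secrets

    # Constructed stand-in for the Project Gutenberg text used as a phrase source.
    CORPUS = (
        "It was the best of times, it was the worst of times. "
        "Call me Ishmael. "
        "It is a truth universally acknowledged that a single man in possession "
        "of a good fortune must be in want of a wife. "
        "Whether I shall turn out to be the hero of my own life these pages must show."
    )

    # Assumed default RACF passphrase rules (no ICHPWX11 exit): 14-100 characters, at least
    # 2 alphabetic and 2 non-alphabetic characters (blanks count), no more than 2 identical
    # characters in a row, and the user ID must not appear anywhere in the phrase.
    MIN_LEN, MAX_LEN = 14, 100


    def check_phrase(phrase: str, userid: str) -> list:
        """Return the rule violations for a candidate phrase (empty list when it passes)."""
        problems = []
        if not MIN_LEN <= len(phrase) <= MAX_LEN:
            problems.append(f"length {len(phrase)} outside {MIN_LEN}-{MAX_LEN}")
        if sum(c.isalpha() for c in phrase) < 2:
            problems.append("fewer than 2 alphabetic characters")
        if sum(not c.isalpha() for c in phrase) < 2:
            problems.append("fewer than 2 non-alphabetic characters")
        if re.search(r"(.)\1\1", phrase):
            problems.append("more than 2 consecutive identical characters")
        if userid.upper() in phrase.upper():
            problems.append("contains the user ID")
        return problems


    def make_phrase(userid: str, corpus: str = CORPUS, rng=secrets.SystemRandom()) -> str:
        """Pick a random sentence, trim it to fit, and tag it with a random number."""
        sentences = [s for s in re.split(r"(?<=[.!?])\s+", corpus.strip()) if s]
        for _ in range(100):
            words = rng.choice(sentences).rstrip(".!?").split()
            suffix = f" {rng.randrange(10, 100)}"  # so the phrase is not a verbatim book quote
            while len(" ".join(words)) + len(suffix) > MAX_LEN:
                words.pop()
            phrase = " ".join(words) + suffix
            if not check_phrase(phrase, userid):
                return phrase
        raise ValueError(f"no acceptable phrase found for {userid}")


    def alu_command(userid: str, phrase: str) -> str:
        """Build the ALTUSER command; a quote inside the phrase is doubled for TSO/RACF."""
        quoted = phrase.replace("'", "''")
        return f"ALU {userid} PHRASE('{quoted}')"
    ```

    Run check_phrase over the generated list before issuing the commands, since a phrase that fails the installation's rules is rejected by ALU with no passphrase set for that user.
    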