The RACINIT SVC and the ALTUSER and PASSWORD TSO commands invoke the ICHPWXOI routine. This exit can examine the intended new password and the new password change interval (if invoked from the
PASSWORD command). In the case of new password processing, the exit gains control when the following conditions are true:
• The new password is different from the current password.
• The new password is different from the previous passwords if the password history option is active.
• The new password obeys all of the installation's syntax rules.
On entry to the ICHPWXOI exit routine, register 1 contains the address of the following area:
Length address: points to a fullword containing the number of fullwords in this parameter list.
Caller address: points to a I-byte field containing the calling function identity:
X'OI' - RACINIT
X'02' - PASSWORD Command X'03' - ALTUSER Command
Note: If the caller is RACINIT, the ACEE control block might not be present.
CPPL address: points to the TSO command processor parameter list. This applies only to the PASSWORD and ALTUSER commands. If the TSO command processor parameter list is absent, the address is zero.
NEWP ASS address: points to an area of the following format:
Offset 0, length 1: Length of new password Offset 1, length 8: New password
If ENCRYPT = NO was specified, the password is treated as if it is already encrypted.
If a new password is not specified, the address is zero.
INTERV AL address: points to a 4-byte field containing the desired password interval from the PASSWORD command. If this interval is absent, the address is zero.
Userid address: points to an area of the following format:
Offset 0, length 1: Length of use rid Offset 1, length 8: Userid
Exit work area address: points to a fullword whose contents are either:
Zero, for ALTUSER and PASSWORD commands
The contents of the user work address that RACINIT processing passes to ICHRIXOI and ICHRIX02.
Current password address points to an area of the following format:
Offset 0, length 1: Length of current password Offset 1, length 8: Current password
If ENCRYPT = NO was specified, the password is treated as if it is already encrypted.
Password Last Change Date Address: points to a 3-byte area that contains the date of the last password change. The format of this area is:
where:
yyddds 'yy' is the year 'ddd' is the day
's' is the packed decimal sign.
ACEE address: points to the ACEE used. This address may not be available if the caller is RACINIT.
Group name address: points to a 9-byte structure containing a I-byte length field, followed by an 8-byte field containing the connect group name. .
Chapter 7. RACF Installation Exits 7-37
44 4
48 4
52 4
Installation data address: points to an area containing the installation
parameters. This address is only available when the caller is RACINIT and the INSTLN parameter was specified.
Password history address: points to an area containing the user's password hi1>tory. The passwords are in masked or encrypted format, with the oldest password first in the list. The format of the area is: a 2-byte count of the entries in the list, and for each entry a I-byte reserved field followed by an 8-byte field containing the encrypted password. The SETROPTS
PASSWORD(HISTORY(n)) option controls the number of past keywords that are kept.
Flag byte address: points to a I-byte field containing the form of the current and new passwords:
X'OO' Clear text form
X'Ol' - Encrypted form (IfENCRYPT=NO is specified on RACINIT, the password is treated as if it is already encrypted.)
This parameter is available only if the caller is RACINIT.
In all cases, if a parameter is not present, its address is zero.
The following table shows which fields are available to the exit when called from the different RACF components.
1. Nqt available if PASSCHK=NO was specified.
2. Available only if NEWPASS is available.
RACINIT
3. Although available, the ACEE might not befully initialized.
ALTUSER PASSWORD
-Return Codes - New Password Exit
When the password exit routine returns control, register 15 should contain one of the following return codes:
Hex (Decimal) 0(0)
4 (4)
8 (8)
C (12)
10 (16)
Meaning
The new password field and the interval value will be copied back into the calling function. Continue with processing.
The new password request is not accepted and is to be failed. RACINIT processing will terminate with a return code indicating an inv.alid new password. The AL TUSER command will ignore the request and continue processing. The PASSWORD command will terminate processing.
The interval value change request is not accepted and is to be failed. The PASSWORD command will terminate processing.
The new password request is not accepted and is to be failed. This return code is the same as return code 4 except that error messages issued by the ALTUSER and PASSWORD commands are suppressed if the exit itself has already issued an appropriate message.
The interval value change request is not accepted and is to be failed. This return code is the same as return code 8 except that error messages issued by the ALTUSER and PASSWORD commands are suppressed if the exit itself has already issued an appropriate message.
Note: If register 15 contains any other values, processing terminates with an ABEND.
Chapter 7. RACF Installation Exits 7-39