Rules Facility Guide › Chapter 6: Password Encryption Facility › Installing PEF › Installing REVERSE or FORWARD Encryption

Installing REVERSE or FORWARD Encryption

To implement REVERSE or FORWARD password encryption:

1. Make a backup copy of your current CP nucleus and the CA VM:Secure directory database disk (usually 1B0).
2. Log on to the user ID you use to create and maintain your CP nucleus.
3. Edit the VMXRPI CONFIG file and add an ENCRYPT record indicating the encryption method you want to use.

   Note: For more information about the ENCRYPT configuration file record, see VMXRPI Configuration File Reference.

4. Run the VMXCPG command and generate a new CP nucleus.

   Note: For more information about how to do this, see Step 6: Configuring and Generating the CA VM:Secure CP Component.

5. Put the resulting CP nucleus on the appropriate CP PARM disk so you can IPL that nucleus after you have the encrypted the directory.
6. Log on to VMANAGER.
7. Encrypt the LOGON and MDISK passwords in the VM:Secure directory database using the PENCRYPT utility:
   • PENCRYPT FORWARD converts plain text passwords or reversible encrypted passwords to forward encrypted passwords.
   • PENCRYPT REVERSE converts plain text passwords to reversible encrypted passwords.

   Note: For more information about the PENCRYPT utility, see the chapter "Utility Reference" in the Reference Guide.

   When you are ready to use PENCRYPT to encrypt the passwords, take the following steps:

   1. Make sure that all users are off the system and that no one is using CA VM:Secure. Use the QPCB and QLOCK commands to determine this.
   2. Reactivate any user IDs on hold.
   3. The PENCRYPT EXEC creates a USER DIRECT file from your current CA VM:Secure directory database disk. Every password in each directory entry is then encrypted, and the CP object directory is updated accordingly. At the end of this procedure, CA VM:Secure is automatically shut down.

   Important! At this point, no one can use CA VM:Secure passwords until you IPL with the CP nucleus that you generated in Step 4.

   1. If you are using the PASSWORD user exit, see the PEF comments and code in the sample exit and make the appropriate changes.
8. Shut down CP and IPL the new CP nucleus.
9. After you have restarted CA VM:Secure, put any reactivated user IDs back on hold.

   The Password Encryption Facility is installed.