

Removing PEF

If you use software products that reference the passwords stored in the CA VM:Secure directory database or in the CP object directory, you might need to remove PEF. You might also need to remove PEF if your site plans to use DIAGNOSE X’84’.

Password decryption is possible only if you used the PENCRYPT REVERSE command to install reversible encryption. If you used the FORWARD or DES3 operands of PENCRYPT to install forward encryption, you cannot decrypt the passwords; you will have to manually change all directory passwords.

To remove PEF, you must generate a new CP nucleus and decrypt the encrypted passwords.

Important! These changes require you to shut down and re-IPL both CA VM:Secure and your VM system.

Note: To facilitate removal, PENCRYPT produces type‑able passwords instead of unprintable characters.

To remove PEF

  1. Log on to VMANAGER.
  2. Make a backup copy of your current CP nucleus and the CA VM:Secure 1B0 directory database disk.
  3. Log on to the user ID you use to create and maintain your CP nucleus.
  4. Edit the VMXRPI CONFIG file and remove the ENCRYPT encryption-name record, where encryption-name is the encryption method you are currently using. If you are using triple DES encryption, also remove the DES3KEY record.
  5. Re-run the VMXCPG EXEC and generate a new CP nucleus.

    For more information about how to do this, see Step 6: Configuring and Generating the CA VM:Secure CP Component.

  6. Decrypt the passwords, as follows:

    If passwords are reversibly encrypted, take the following steps to decrypt them:

    1. Reactivate any user IDs on hold.
    2. Enter the following command:
      pencrypt decrypt

      The PENCRYPT DECRYPT command creates a USER DIRECT file of your current directory. Every password in each directory entry is then decrypted and the CP object directory is updated accordingly. At the end of this procedure, CA VM:Secure is automatically shut down.

      Note: For information about the PENCRYPT utility, see the Reference Guide.

      Important! From this point on, no one can use passwords until you IPL with the CP nucleus that you created in Step 5.

    If the passwords are forward or triple DES encrypted, take the following steps to change the passwords to plain text:

    1. Reactivate any user IDs on hold.
    2. Run the VMXBKP01 utility to create a USER DIRECT file.
    3. Manually edit each USER record and MDISK record to insert plain text passwords.
    4. Run VMXGNR against the edited USER DIRECT file to re-create the CA VM:Secure 1B0 database files.

      Important! From this point on, no one can use passwords until you IPL with the CP nucleus that you created in Step 5.

  7. If you are using the PASSWORD user exit, see the PEF comments and code in the exit and make the appropriate changes to work with plain text passwords.
  8. Shut down CP and IPL the new CP nucleus.
  9. After you have restarted the program, put any reactivated user IDs back on hold.