02-03-2015 10:56 AM
Hi,
we use the FM RSEC_GENERATE_PASSWORD which in turn calls C-function RSEC_GEN_PASSWD for the password generation. Does anybody know FOR SURE whether the forbidden password patterns (maintained in exception table USR40) are considered by C-function RSEC_GEN_PASSWD or does it 'just' generate the password and we need to manually check the password with FM PASSWORD_FORMAL_CHECK after FM RSEC_GENERATE_PASSWORD call?
Thank you
Michal
02-03-2015 12:16 PM
Hi
1. RSEC_GENERATE_PASSWORD is doing 1000 loop with check FM PASSWORD_FORMAL_CHECK.
2. One of the parameters for RSEC_GENERATE_PASSWORD and PASSWORD_FORMAL_CHECK is SECURITY_POLICY.
You can use system default (set by parameters) or modified policy (SECPOL since EHP6).
3. RSEC_GEN_PASSWD have no arguments for any policy check.
So forbidden password patterns can't be effectively checked by RSEC_GEN_PASSWD.
Reards
Przemek
02-03-2015 12:16 PM
Hi
1. RSEC_GENERATE_PASSWORD is doing 1000 loop with check FM PASSWORD_FORMAL_CHECK.
2. One of the parameters for RSEC_GENERATE_PASSWORD and PASSWORD_FORMAL_CHECK is SECURITY_POLICY.
You can use system default (set by parameters) or modified policy (SECPOL since EHP6).
3. RSEC_GEN_PASSWD have no arguments for any policy check.
So forbidden password patterns can't be effectively checked by RSEC_GEN_PASSWD.
Reards
Przemek
02-03-2015 12:23 PM
Not by the FM itself. The policy is always checked in the kernel.
Since the FM itself is a kernel-call, all the usual security checks done by the kernel apply. Hence the rules defined in USR40 are definitely taken into account.
02-03-2015 12:50 PM
Hi Przemyslaw,
thank you, my bad - navigation index for RSEC_GENERATE_PASSWORD was not updated in my system and therefore the use of PASSWORD_FORMAL_CHECK within the loop in FM RSEC_GENERATE_PASSWORD itself was not found (and I missed it while briefly looking into the code).
Then my issue is solved as PASSWORD_FORMAL_CHECK is part of generating password logic in RSEC_GENERATE_PASSWORD.
Thank you
Michal