DirMaint Password Management: Configuration

Last Updated: 2000-01-07

Before reporting a problem with DirMaint's password management, please check the following.

Symptom:

Using a DIRM PW? command results in negative numbers.

Resolution:

Issue a DIRM DUMP command. Check the following configuration entries:

  • PW_INTERVAL_FOR_GEN=
  • PW_INTERVAL_FOR_PRIV=
  • PW_INTERVAL_FOR_SET=
  • PW_WARN_MODE=
  • PW_LOCK_MODE=

Negative numbers in response to a DIRM PW? request indicate that your system is not using DirMaint's password monitoring capabilities and that the CONFIG* DATADVH file(s) are still set to the IBM-supplied defaults. The IBM-supplied defaults are _GEN= 0 0, _PRIV= 0 0, _SET= null, _WARN_MODE= MANUAL, and _LOCK_MODE= MANUAL.

For _GEN and _PRIV, the first value is the number of days after a password change before DirMaint begins sending password warning notices to that user. The second value is the number of days after a password change before DirMaint will set the user's password to NOLOG. A customer-tailorable exit routine, DVHXCP, determines whether a userid is considered to be GEN or PRIV. Typical values might be 28 35, 45 60, or 75 90.

For _SET, the first value is the number of days after making the change before a GEN user must change the password, and the second value is the number of days after making the change before a PRIV user must change the password. This is usually a much shorter interval than the full _GEN or _PRIV values, typically 0 0, 1 0, 3 1, or 7 3, etc.

When a user changes the password using the PW command, the current date is stored in the directory as the effective change date, and the password is valid for the entire interval.

When an administrator sets the user's password using ADD LIKE, CHNGID, or SETPW, a non-blank value for _SET will cause the password to be valid for a different period, usually much shorter. DirMaint accomplishes this by setting the effective change date to a date in the past, calculated as the difference between _GEN (2nd value) and _SET (1st value) for GEN users, or between _PRIV (2nd value) and _SET (2nd value) for PRIV users.

When using PW_WARN_MODE= AUTOMATIC, users should be changing their passwords before a DIRM PW? request results in negative numbers. When using PW_LOCK_MODE= AUTOMATIC, users will be NOLOGged before the numbers become negative. Negative numbers indicate that the PW_LOCK_MODE is set to MANUAL (the IBM supplied default, for safety), and that DIRM PWMON MONITOR / DIRM PWMON LOCKOUT requests have not been issued recently. In this case, it is expected to see a negative number of days until a password change is required.
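
The date arithmetic described above, as an added example (not DirMaint code and not supplied by IBM): it back-dates the effective change date for an administrator-set password and computes the days remaining against each interval. The function names, the sample settings, and the assumption that the reported number is the interval minus the password's age in days are illustrative.

```python
from datetime import date, timedelta

# Constructed sample settings in the style of the CONFIG* DATADVH entries.
# GEN/PRIV are (warn_days, lock_days); SET is (gen_days, priv_days) or None.
IBM_DEFAULTS = {"GEN": (0, 0), "PRIV": (0, 0), "SET": None}
TAILORED = {"GEN": (75, 90), "PRIV": (28, 35), "SET": (7, 3)}


def effective_change_date(cfg, user_class, today, set_by_admin):
    """Date recorded as the password's effective change date."""
    if not set_by_admin or cfg["SET"] is None:
        return today  # PW command, or _SET null: the full interval applies
    lock_days = cfg[user_class][1]
    set_days = cfg["SET"][0 if user_class == "GEN" else 1]
    # Back-date by (2nd interval value - _SET value) so that only
    # set_days remain before the lock threshold is reached.
    return today - timedelta(days=lock_days - set_days)


def days_remaining(cfg, user_class, changed_on, today):
    """(days until warning, days until NOLOG); negative means overdue.

    Assumed model: remaining = interval - age of the password in days.
    """
    warn_days, lock_days = cfg[user_class]
    age = (today - changed_on).days
    return warn_days - age, lock_days - age


if __name__ == "__main__":
    today = date(2000, 1, 7)
    for user_class in ("GEN", "PRIV"):
        eff = effective_change_date(TAILORED, user_class, today, True)
        print(user_class, eff, days_remaining(TAILORED, user_class, eff, today))
    # With the 0 0 defaults, any password older than today is "overdue".
    print(days_remaining(IBM_DEFAULTS, "GEN", today - timedelta(days=10), today))
```

With the constructed 75 90 / 7 3 settings, an administrator-set GEN password is already past its warning threshold and has 7 days left before NOLOG; with the 0 0 defaults every aged password reports a negative number.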

The same symptom may also be caused by missing service for z/VM version 3 and VM/ESA customers. See: DVH15PWQ.


