I have several versions of z/OS on my zD&T system, and I needed to go back to an earlier version. Unfortunately I cannot remember the passwords to my userids. I know the passwords were a combination of upper case, and lower case, and a few random numbers and punctuation; and it was good in that I didn’t write them down.
Fortunately, I have a standalone z/OS system which I can use to access the old system and reset the passwords.
These are the steps I took. I hope they work on other people’s systems. They may not, because of different configurations. You should have backups of both copies of your emergency RACF databases.
You should do no other security work while doing this change, because you might change the wrong RACF database.
Overview
On a z/OS system you can have two RACF databases configured, for example for recovery reasons.
I configured the RACF database as the backup on my emergency system, switched to use it, reset the password, switched the system back again.
I could then IPL the old system, and use the password I had specified. This may not work for all environments, but it works for me.
The steps
The old RACF database needs to be cataloged and made available in the emergency system.
- Mount the volume containing the old RACF database on the emergency system.
- Use ISPF 3.4, specify the database name, and volume, and use the C prefix command to catalog it. My old database name is SYS1.COLIN.Z24C.RACF.
- Change your RACF configuration see Plan B – REIPL with different data sets.
- Reipl
Logon to TSO with an authorised user such as IBMUSER
Issue the #RVARY command
This gave
ICH15013I RACF DATABASE STATUS:
ACTIVE USE NUM VOLUME DATASET
------ --- --- ------ -------
YES PRIM 1 B3CFG1 SYS1.COLIN.RACFDB.Z31B
NO BACK 1 *DEALLOC SYS1.COLIN.Z24C.RACF
Issue
#RVARY ACTIVE,DATASET(SYS1.COLIN.Z24C.RACF)
It gave me
*01 ICH702A ENTER PASSWORD TO ACTIVATE RACF JOB=RACF USER=START1
R 1 SUPPRESSED
ICH15013I RACF DATABASE STATUS:
ACTIVE USE NUM VOLUME DATASET
------ --- --- ------ -------
YES PRIM 1 B3CFG1 SYS1.COLIN.RACFDB.Z31B
YES BACK 1 CCPVOL SYS1.COLIN.Z24C.RACF
The password on my system was YES
Issue
#RVARY SWITCH
It prompts for the password again.
It gave
ICH15013I RACF DATABASE STATUS:
ACTIVE USE NUM VOLUME DATASET
------ --- --- ------ -------
YES PRIM 1 CCPVOL SYS1.COLIN.Z24C.RACF
NO BACK 1 *DEALLOC SYS1.COLIN.RACFDB.Z31B
Issue
#RVARY INACTIVE,DATASET(SYS1.COLIN.RACFDB.Z31B )
This gave me
ICH15013I RACF DATABASE STATUS:
ACTIVE USE NUM VOLUME DATASET
------ --- --- ------ -------
YES PRIM 1 CCPVOL SYS1.COLIN.Z24C.RACF
NO BACK 1 *DEALLOC SYS1.COLIN.RACFDB.Z31B
From an authorised TSO userid I issued
ALU IBMUSER PASSWORD(PASSW9RD)
I then “undid” all of the steps I had done before
- #RVARY ACTIVE,DATASET(SYS1.COLIN.RACFDB.Z31B )
- #RVARY SWITCH
- #RVARY INACTIVE,DATASET(SYS1.COLIN.Z24C.RACF)
- REIPL with your normal RACF datasets.
ColinPaice 