Replacing the Password Encryption and Decryption Scheme

If you alter your password encryption and decryption scheme, any encrypted passwords stored in the Sign-on Table (SNT) must be decrypted using the old scheme and then re-encrypted with the new scheme. A utility program called dfhpcryp.gnt is supplied to assist in this conversion.

The procedure for moving to a new encryption scheme is described below. In this procedure, you introduce your new encryption module to the system as dfhucryu.gnt. You then run the dfhpcryp.gnt utility, which uses the existing module (dfhucryp.gnt) and your new one to perform the conversion. When the conversion is complete, you replace the existing module with your new one.

Before you make any changes, take a backup copy of the following:

To run dfhpcryp.gnt:

  1. Compile the new encryption module to .gnt.
    Note: Do not replace the existing dfhucryp.gnt at this stage. Your new module must only replace the existing dfhucryp.gnt after you have run the dfhpcryp.gnt utility to perform the conversion.

  2. Rename your new encryption module to dfhucryu.gnt and copy it into the same directory as the existing dfhucryp.gnt.
  3. Ensure that no part of MSS is active.
  4. Run the dfhpcryp.gnt utility.
  5. When dfhpcryp.gnt completes, remove dfhucryp.gnt and rename dfhucryu.gnt to dfhucryp.gnt.
  6. Back up the modified Resource Definition File.

MSS is now ready to run with the new encryption and decryption scheme.

The backups taken during this process are important in case you want to return to the old encryption and decryption scheme for any reason.
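
The file handling in steps 2 and 5 can be wrapped in guards so that the existing module is never overwritten before the conversion has run and a copy of it is kept afterwards. The following POSIX shell functions are an added example, not part of the product or its documentation. The function names, the module directory and the backup directory are assumptions, and running dfhpcryp.gnt itself (step 4) is left to the operator.

```shell
#!/bin/sh
# Added example: guarded file handling for steps 2 and 5.
# Module names come from the procedure; directories are supplied by the caller.
OLD=dfhucryp.gnt   # existing encryption module
NEW=dfhucryu.gnt   # staging name for the new module

# Step 2: copy the compiled new module beside the existing one as dfhucryu.gnt.
# Never touches dfhucryp.gnt, which dfhpcryp.gnt still needs for decryption.
stage_new_module() {
    src=$1; dir=$2
    if [ ! -f "$src" ]; then
        echo "new module not found: $src" >&2; return 1
    fi
    if [ ! -f "$dir/$OLD" ]; then
        echo "existing $OLD not found in $dir" >&2; return 1
    fi
    if [ -e "$dir/$NEW" ]; then
        echo "$NEW is already staged in $dir" >&2; return 1
    fi
    if cmp -s "$src" "$dir/$OLD"; then
        echo "new module is identical to the existing $OLD" >&2; return 1
    fi
    cp -p "$src" "$dir/$NEW"
}

# Step 5: run only after dfhpcryp.gnt has completed. Keeps a verified copy of
# the old module in the backup directory, then moves the new module into place.
swap_modules() {
    dir=$1; backup=$2
    if [ ! -f "$dir/$OLD" ] || [ ! -f "$dir/$NEW" ]; then
        echo "both $OLD and $NEW must be present in $dir" >&2; return 1
    fi
    if [ ! -d "$backup" ]; then
        echo "backup directory missing: $backup" >&2; return 1
    fi
    if [ -e "$backup/$OLD" ]; then
        echo "backup directory already holds $OLD" >&2; return 1
    fi
    cp -p "$dir/$OLD" "$backup/$OLD" || return 1
    if ! cmp -s "$dir/$OLD" "$backup/$OLD"; then
        echo "backup copy does not match the original" >&2; return 1
    fi
    mv -f "$dir/$NEW" "$dir/$OLD"
}
```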