This newsletter has on previous occasions covered the Password Validation Exit Point (QIBM_QSY_VLD_PASSWRD), which enables you to block password changes that do not conform to the password rules implemented by the exit program registered to this exit point. I have included links to a couple of articles explaining this exit point in more detail at the end of this article.
An important shortcoming of the QIBM_QSY_VLD_PASSWRD exit point is, however, that it is only invoked when a user changes his or her own password using the Change Password (CHGPWD) command, the Change Password (QSYCHGPW) API, or the System i Access dialogue box displayed when a password has expired. If instead a password is set by running the Change User Profile (CHGUSRPRF) or Create User Profile (CRTUSRPRF) command, the exit point is bypassed and you are deprived of the control it provides. The same limitation applies to the password composition system values (QPWDMINLEN, QPWDRQDDGT and the rest): they too are enforced only by CHGPWD and QSYCHGPW, so an administrator using CHGUSRPRF or CRTUSRPRF can assign a password that breaks every rule you have defined.
To close this hole, IBM introduced with release 5.4 (V5R4) a new Check Password Exit Point (QIBM_QSY_CHK_PASSWRD). Contrary to the QIBM_QSY_VLD_PASSWRD exit point, the new exit point does not allow you to actually block the password change; instead it records the result of the exit program's password check in the system audit journal (QAUDJRN). The control is therefore detective rather than preventive: you have to interrogate the system audit journal to ensure that no password failing your password composition rules goes undetected, and then deal with the culprit according to your company security policy.
The check password exit program receives two parameters. The first is an input data structure containing information about the user profile and the password being changed; its format (PWVL0100) is identical to the one employed by the QIBM_QSY_VLD_PASSWRD exit point, so the parsing logic of an existing validation program can be reused. The second parameter is the exit program's CHAR(1) return value: '0' indicates that the new password passed the test, '1' that it did not. Provided you have configured your system's auditing system values (QAUDCTL and QAUDLVL) appropriately (see the article link below), you can look up audit journal entries having journal code 'T' and entry type 'CP' to verify the outcome. Bear in mind that the exit program is handed the new password in clear text: it should evaluate the password and set the return value, and never write the password itself to a log, message or file.
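As an added example (not code from the original newsletter, nor IBM's own), here is a minimal check password exit program in ILE C. It parses the PWVL0100 parameter, applies an illustrative composition policy (minimum length, letters and digits, no character three times in a row, no profile name inside the password, not equal to the old password) and sets the CHAR(1) return value. The field offsets in the enum, the ILE C convention of receiving program parameters as pointers in argv, and the rules themselves are assumptions made for this illustration; the example also treats the password text as single-byte characters and does no conversion for the password level in effect, so check the format description for your release before relying on it. The build_pwvl0100 and check_strings helpers exist only to construct test input offline.

```c
/* Added example, not code from the original newsletter: a minimal ILE C exit
 * program for QIBM_QSY_CHK_PASSWRD. Field offsets follow the PWVL0100 format
 * as assumed here; verify them against your release's documentation. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define PWD_OK   '0'   /* return value: new password met the rules */
#define PWD_FAIL '1'   /* return value: it did not                  */

enum {                       /* assumed PWVL0100 field offsets, in bytes    */
    OFF_EXIT_NAME = 0,       /* CHAR(20)  exit point name                   */
    OFF_FORMAT = 20,         /* CHAR(8)   format name "PWVL0100"            */
    OFF_PWDLVL = 28,         /* BINARY(4) password level (QPWDLVL)          */
    OFF_USER = 32,           /* CHAR(10)  user profile name, blank padded   */
    OFF_OLD_OFF = 42, OFF_OLD_LEN = 46,   /* BINARY(4) old password offset, length */
    OFF_NEW_OFF = 50, OFF_NEW_LEN = 54,   /* BINARY(4) new password offset, length */
    PWVL0100_FIXED = 58      /* password text follows at the offsets above  */
};

/* BINARY(4) is big-endian on IBM i; handle it byte-wise so the code also runs on a little-endian test host. */
static unsigned get_bin4(const unsigned char *b, size_t o) {
    return ((unsigned)b[o] << 24) | ((unsigned)b[o + 1] << 16) | ((unsigned)b[o + 2] << 8) | b[o + 3];
}
static void put_bin4(unsigned char *b, size_t o, unsigned v) {
    b[o] = (unsigned char)(v >> 24); b[o + 1] = (unsigned char)(v >> 16);
    b[o + 2] = (unsigned char)(v >> 8); b[o + 3] = (unsigned char)v;
}

/* Case-insensitive test for needle[0..nlen) occurring in hay[0..hlen). */
static int contains_ci(const char *hay, size_t hlen, const char *needle, size_t nlen) {
    size_t i, j;
    if (nlen == 0 || nlen > hlen) return 0;
    for (i = 0; i + nlen <= hlen; i++) {
        for (j = 0; j < nlen && toupper((unsigned char)hay[i + j]) == toupper((unsigned char)needle[j]); j++) ;
        if (j == nlen) return 1;
    }
    return 0;
}

/* Illustrative composition policy: at least 8 characters, at least one letter
 * and one digit, no character three times in a row, must not contain the
 * profile name, must differ from the old password. */
char check_password_rules(const char *user, size_t ulen, const char *pwd, size_t plen,
                          const char *oldpwd, size_t oldlen) {
    size_t i;
    int letters = 0, digits = 0;
    if (plen < 8) return PWD_FAIL;
    for (i = 0; i < plen; i++) {
        if (isalpha((unsigned char)pwd[i])) letters++;
        else if (isdigit((unsigned char)pwd[i])) digits++;
        if (i >= 2 && pwd[i] == pwd[i - 1] && pwd[i] == pwd[i - 2]) return PWD_FAIL;
    }
    if (letters == 0 || digits == 0) return PWD_FAIL;
    if (contains_ci(pwd, plen, user, ulen)) return PWD_FAIL;
    if (oldlen == plen && memcmp(pwd, oldpwd, plen) == 0) return PWD_FAIL;
    return PWD_OK;
}

/* Evaluate one PWVL0100 buffer. The clear-text passwords are read here and
 * nowhere else: never write them to a log, spool file or message. Only the
 * return value leaves the program, and the system records it in QAUDJRN. */
char check_password_info(const unsigned char *info) {
    size_t ulen = 10;
    while (ulen > 0 && info[OFF_USER + ulen - 1] == ' ') ulen--;   /* trim CHAR(10) */
    return check_password_rules((const char *)info + OFF_USER, ulen,
        (const char *)info + get_bin4(info, OFF_NEW_OFF), get_bin4(info, OFF_NEW_LEN),
        (const char *)info + get_bin4(info, OFF_OLD_OFF), get_bin4(info, OFF_OLD_LEN));
}

/* Build a PWVL0100-style buffer from plain strings: constructed test input,
 * so the policy can be exercised without a real password change. */
size_t build_pwvl0100(unsigned char *buf, size_t bufsz, const char *user,
                      const char *oldpwd, const char *newpwd) {
    size_t ul = strlen(user), ol = strlen(oldpwd), nl = strlen(newpwd);
    size_t need = PWVL0100_FIXED + ol + nl;
    if (ul > 10 || need > bufsz) return 0;
    memset(buf, ' ', PWVL0100_FIXED);
    memcpy(buf + OFF_EXIT_NAME, "QIBM_QSY_CHK_PASSWRD", 20);
    memcpy(buf + OFF_FORMAT, "PWVL0100", 8);
    put_bin4(buf, OFF_PWDLVL, 0);
    memcpy(buf + OFF_USER, user, ul);
    put_bin4(buf, OFF_OLD_OFF, PWVL0100_FIXED); put_bin4(buf, OFF_OLD_LEN, (unsigned)ol);
    put_bin4(buf, OFF_NEW_OFF, (unsigned)(PWVL0100_FIXED + ol)); put_bin4(buf, OFF_NEW_LEN, (unsigned)nl);
    memcpy(buf + PWVL0100_FIXED, oldpwd, ol);
    memcpy(buf + PWVL0100_FIXED + ol, newpwd, nl);
    return need;
}

/* Convenience wrapper for offline testing of the policy. */
char check_strings(const char *user, const char *oldpwd, const char *newpwd) {
    unsigned char buf[256];
    if (build_pwvl0100(buf, sizeof buf, user, oldpwd, newpwd) == 0) return PWD_FAIL;
    return check_password_info(buf);
}

/* Exit program entry point. ILE C passes program parameters as pointers in argv:
 * argv[1] is the information structure, argv[2] the CHAR(1) return value. */
int main(int argc, char *argv[]) {
    if (argc >= 3) *argv[2] = check_password_info((const unsigned char *)argv[1]);
    return 0;
}
```

Once compiled (CRTBNDC) the program is registered against the exit point with ADDEXITPGM, naming QIBM_QSY_CHK_PASSWRD as the exit point and the format shown in WRKREGINF for it. Because the exit point is purely detective, the value this program returns only becomes useful when somebody actually reads the resulting CP entries, so pair it with a scheduled review of the audit journal.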