PASSWORD Parameter

Purpose

The PASSWORD parameter specifies a password to be used for accessing password-protected datasets in a job. It provides a security mechanism for protecting sensitive data from unauthorized access. This parameter is primarily used with RACF or other security systems in mainframe environments.

Syntax

JOB Statement Format

1
//jobname JOB parameters,PASSWORD=password

DD Statement Format

1
2
//ddname DD DSN=dataset-name,DISP=status,
//       PASSWORD=password

Parameter Value

password

• 1-8 character password that provides access to password-protected datasets
• The password must match the password assigned to the dataset or user
• Can contain alphanumeric and national characters ($, #, @)
• The password value is case-sensitive

Usage Scenarios

On JOB Statements

When specified on a JOB statement, the PASSWORD parameter typically works with the USER parameter to authenticate the user ID under which the job runs.

1
2
//PAYROLL JOB (ACCT#),'JOHN DOE',
//         USER=JSMITH,PASSWORD=SECRET42

This job will run under the user ID JSMITH with the password SECRET42 for authentication.

On DD Statements

When specified on a DD statement, the PASSWORD parameter provides access to password-protected datasets.

1
2
3
//STEP1   EXEC PGM=PAYROLL
//PAYFILE DD DSN=PAYROLL.MASTER,DISP=OLD,
//           PASSWORD=PAY1234

This DD statement accesses the password-protected dataset PAYROLL.MASTER using the password PAY1234.

Security Considerations

Password Exposure

Using the PASSWORD parameter in JCL has several security drawbacks:

• Passwords appear in clear text in JCL, creating a security risk
• JCL listings and job logs may expose passwords
• JCL libraries and source code management systems may store passwords unencrypted
• System operators and administrators may see passwords in job submissions

Modern Alternatives

Due to these security concerns, modern z/OS environments typically use:

Example Usage Patterns

Basic JOB Statement Authentication

1
2
//MYJOB   JOB (ACCT),'PROGRAMMER',
//         USER=USERID,PASSWORD=USERPW

Accessing a Password-Protected Dataset

1
2
3
4
5
6
//STEP1    EXEC PGM=IEBGENER
//SYSUT1    DD DSN=SECURE.DATA.SET,DISP=SHR,
//             PASSWORD=DATASEC1
//SYSUT2    DD SYSOUT=A
//SYSIN     DD DUMMY
//SYSPRINT  DD SYSOUT=A

Creating a Password-Protected Dataset

1
2
3
4
5
//STEP1    EXEC PGM=IEFBR14
//NEWDS     DD DSN=NEW.SECURE.DATA,DISP=(NEW,CATLG),
//             SPACE=(TRK,(10,5)),UNIT=SYSDA,
//             DCB=(RECFM=FB,LRECL=80,BLKSIZE=8000),
//             PASSWORD=NEWPW

This creates a new password-protected dataset with the password NEWPW.

Best Practices

1. Avoid using PASSWORD when possible - Use modern security alternatives like RACF instead
2. Store JCL in secure libraries with limited access if passwords must be included
3. Consider using stored procedures that don't expose passwords in JCL
4. Use submitted jobs facility to avoid password exposure
5. Implement job scheduling tools that can handle credentials securely
6. Regularly audit and rotate passwords if they must be used
7. Review security logs to monitor access to sensitive datasets

Legacy Support and Compatibility

The PASSWORD parameter is maintained primarily for backward compatibility with older applications and JCL. In modern z/OS environments:

• Most organizations have migrated to RACF or equivalent security products
• Password datasets (created with IEHPROGM) are rarely used for new applications
• The parameter may be restricted or deprecated in future releases
• Some installations may disable PASSWORD parameter functionality

Related Concepts

• JOB Statement - Where the PASSWORD parameter can be specified at the job level
• DD Statement - Where the PASSWORD parameter can be specified for dataset access
• USER Parameter - Often used in conjunction with PASSWORD
• DSN Parameter - Specifies the dataset that may be password-protected