On Wed, 11 Jul 2007 16:37:57 -0400, Thompson, Steve wrote:
>
>I know my userid and password. However, who (or what) converts it to
>upper case in a z/OS environment? An I/O buffer trace between my
>"terminal" and the host shows that they are all sent in lower case. But
>my system is not using the new RACF function/feature (that accepts mixed
>case). So who does the conversion?
>
>We know that it has to be done (fold to upper), because we have a
>product that has a SAF interface. If you have its interface option set
>to "ASIS" and then you do not give your userid in upper case to it, your
>login will fail. Same is true of the password.
>
>So the mindset of auditors and security persons who do not know the
>behind the scenes tech issues is just so much noise (my opinion).
>
Here, there seems to be some shortsightedness in the RACF design:

o If RACF is configured in the ASIS mode, all upstream facilities
  which accept passwords and make SAF calls to validate them must
  treat the passwords ASIS.

o If RACF is configured in the CAPS mode, RACF should perform the
  folding; else it becomes the burden of every upstream facility
  to replicate the RACF option (or query RACF or RACF's PARMLIB
  entry) to determine whether to fold.

Better for RACF to perform the folding if necessary and all upstream
facilities to pass passwords ASIS to the SAF interface.

The ugly scenario occurs when a site which has been operating in
FOLD mode for decades chooses, motivated by an auditor's evaluation,
to convert to ASIS mode. Then, all upstream folding utilities must
be rewritten and users must learn to lean on the SHIFT key until
they change their passwords to adapt.

The same applies to userids. I believe there is no support for
mixed case userids, but RACF should, as a courtesy, fold them
also to avoid replication of code upstream and to allow for mixed
case userids in some future era.

-- gil

