We had our typical users (some exceptions for Security team, etc) change their password on AD (Ctrl-Alt-Del) with a 3rd party tool providing extra controls as desired. Then we scripted a send of the accepted pw/phrase up to RACF with the request to set the password/phrase there. The basic RACF rules had to be basically the same as the AD rules as far as complexity, history, etc. But all the expansive lists and restrictions were done once by the other product and RACF was happy with the complexity of the password supplied. It worked for us. Just an idea. R. Sent from [Proton Mail](https://proton.me/mail/home) for iOS
On Wed, Feb 28, 2024 at 4:35 PM, Linda Hagedorn <[000005cf4637de00-dmarc-requ...@listserv.ua.edu](mailto:On Wed, Feb 28, 2024 at 4:35 PM, Linda Hagedorn <<a href=)> wrote: > My company wants an external password manager to substitute for RACF. > I need to know if anyone has experience with this, or common password > matching in RACF. > > Background > Regulations NYDFS require preventing common passwords to be used. > Vendor tools (Courion, CyberArk, etc.) have a corpus to match password > changes to prevent the use of common passwords. > RACF passwords can be changed from TSO, the internal reader, JCL, Candle > Session manager, etc., so trying to block password changing through RACF and > forcing everyone through one of these 3rd party tools may be near impossible. > > Any input is appreciated. Thanks! Linda > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN