Although these security enhancements are probably under discussion in the
RACF-L mailing list and may be "old news" to some, I'd like to draw your
attention to them here as well. Continuous vigilance is imperative.

IBM has released some password-related enhancements for the z/OS Security
Server's Resource Access Control Facility (RACF) and for z/VM's RACF. There
are also potential co-requisite enhancements for tools and/or middleware
products depending on your installation. The enhancements are available for
z/OS 1.12 and above, and they are included in z/OS 2.2. The enhancements
include:

* A stronger encryption algorithm for passwords and password phrases;

* Support for 14 additional special characters in passwords;

* The ability for users to have password phrases without passwords;

* A new password syntax control to help encourage/enforce stronger
passwords;

* Various other enhancements.

I personally recommend implementing at least some of these enhancements on
all your z/OS and z/VM systems as quickly as you are able. For z/OS please
refer to APARs OA43999 and OA43998, and you may also refer to II14765. For
z/VM please refer to APARs PI40702 and VM65719.

Also, in my view, if you have not yet adopted passphrases (or TLS/SSL
client certificate authentication) and strong network encryption across all
sessions (user, server, administrator, etc.), it's long past time to get
that accomplished. Network encryption has been a standard included feature
of z/OS (and its predecessors) for "only" about two decades, and RACF
TLS/SSL client certificate authentication almost as long. I do not
recommend having any passphrases or other credentials, or any other
sensitive information, flying across networks (including LANs) in
plaintext. You can refer to my previous comments on that subject at the
Millennial Mainframer blog, for example.

Thanks, everybody.

--------------------------------------------------------------------------------------------------------
Timothy Sipples
IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA
E-Mail: [email protected]

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
