Although these security enhancements are probably under discussion in the RACF-L mailing list and may be "old news" to some, I'd like to draw your attention to them here as well. Continuous vigilance is imperative.

IBM has released some password-related enhancements for the z/OS Security Server's Resource Access Control Facility (RACF) and for z/VM's RACF. There are also potential co-requisite enhancements for tools and/or middleware products depending on your installation. The enhancements are available for z/OS 1.12 and above, and they are included in z/OS 2.2. The enhancements include:

* A stronger encryption algorithm for passwords and password phrases;
* Support for 14 additional special characters in passwords;
* The ability for users to have password phrases without passwords;
* A new password syntax control to help encourage/enforce stronger passwords;
* Various other enhancements.

I personally recommend implementing at least some of these enhancements on all your z/OS and z/VM systems as quickly as you are able. For z/OS please refer to APARs OA43999 and OA43998, and you may also refer to II14765. For z/VM please refer to APARs PI40702 and VM65719.

Also, in my view, if you have not yet adopted passphrases (or TLS/SSL client certificate authentication) and strong network encryption across all sessions (user, server, administrator, etc.), it's long past time to get that accomplished. Network encryption has been a standard included feature of z/OS (and its predecessors) for "only" about two decades, and RACF TLS/SSL client certificate authentication almost as long. I do not recommend having any passphrases or other credentials, or any other sensitive information, flying across networks (including LANs) in plaintext. You can refer to my previous comments on that subject at the Millennial Mainframer blog, for example.

Thanks, everybody.

----------------------------------------------------------------------
Timothy Sipples
IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA
