Re: RACF, external password management

2024-04-09 Thread Tom Marchant 
FWIW, the list of messages that I posted came from the web interface.

On Tue, 9 Apr 2024 22:25:57 +0100, Jeremy Nicoll 
 wrote:

>On Tue, 9 Apr 2024, at 21:29, Tom Marchant wrote:
>> I haven't noticed. How did you determine that they are gone? I see
>> these posts from you, some of which reference zMFA.
>
>I just looked in the list archive whose address is specified in the
>
>  List-Archive: 
>
>header in every mail.  I had to register a password for the website
>to do that ... but it looks as if the mails are there.
>
>So... does Linda mean that they vanished from her gmail account,
>or something else?

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF, external password management

2024-04-09 Thread Jeremy Nicoll 
On Tue, 9 Apr 2024, at 21:29, Tom Marchant wrote:
> I haven't noticed. How did you determine that they are gone? I see 
> these posts from you, some of which reference zMFA.

I just looked in the list archive whose address is specified in the

  List-Archive: 

header in every mail.  I had to register a password for the website
to do that ... but it looks as if the mails are there.

So... does Linda mean that they vanished from her gmail account, 
or something else?

-- 
Jeremy Nicoll - my opinions are my own.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF, external password management

2024-04-09 Thread Tom Marchant 
I haven't noticed. How did you determine that they are gone? I see these posts 
from you, some of which reference zMFA.

Re: RACF, external password management  Linda Hagedorn 
   2024-02-29 15:53IBM-MAIN
Re: RACF, external password management  Linda Hagedorn 
   2024-02-29 13:00IBM-MAIN
Re: RACF, external password management  Linda Hagedorn 
   2024-02-29 12:44IBM-MAIN
Re: RACF, external password management  Linda Hagedorn 
   2024-02-29 12:43IBM-MAIN
Re: RACF, external password management  Linda Hagedorn 
   2024-02-29 12:31IBM-MAIN
Re: RACF, external password management  Linda Hagedorn 
   2024-02-29 12:30IBM-MAIN
RACF, external password management  Linda Hagedorn 
   2024-02-28 16:35IBM-MAIN

On Tue, 9 Apr 2024 13:20:56 -0500, Linda Hagedorn  
wrote:

>Has anyone else noticed their posts deleted?  
>My posts re: zMFA are gone.  Poof.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF, external password management

2024-04-09 Thread Linda Hagedorn 
Has anyone else noticed their posts deleted?  
My posts re: zMFA are gone.  Poof.  

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF, external password management

2024-03-04 Thread Colin Paice 
I wrote One minute MVS: What is IBM Multi Factor Authentication on z/OS?
<https://colinpaice.blog/2024/01/07/one-minute-mvs-what-is-ibm-multi-factor-authentication-on-z-os/>
and a series of implementation posts starting with Multi Factor
Authentication(MFA): Planning.
<https://colinpaice.blog/2024/02/03/multi-factor-authenticationmfa-planning/>
I found the MFA product easy to set up and use.  I had little problems like
ordering the wrong YubiKey which did not support MFA!

Colin

On Sun, 3 Mar 2024 at 22:22, Jared Hunter 
wrote:

> Hi all,
>
> I’m an architect/implementor on the IBM Z MFA team since the prehistory /
> notional phase of the product.
>
> If folks would be interested in one or more “office hours” style Q+A
> sessions about the product and its (many, sometimes exotic) features, feel
> free to reach out to me at this address.
>
> No sales touch implied, just a question-driven tour of the tech and design
> philosophy.
>
> -Jared
>
> Jared Hunter
> Strategic Architect, Security
> Rocket Software, USA
> E: jhun...@rocketsoftware.com<mailto:jhun...@rocketsoftware.com>
>
>
>
> Date: Fri, 1 Mar 2024 06:24:45 +0000
> From: Timothy Sipples mailto:sipp...@sg.ibm.com>>
> Subject: Re: RACF, external password management
>
> Linda Hagedorn wrote:
> >This is very promising. Do you know where I can read more about ZMFA?
>
> The documentation landing page is here:
> https://www.ibm.com/docs/en/zma<https://www.ibm.com/docs/en/zma>
>
> >I'm interested in knowing how to configure the external source, and how
> >the token is passed back to RACF, and how long the token lasts.
> >For example, if systems programmers are working a problem, we
> >wouldn't want the token to expire in 3 hrs.
> >Or does the token last for the duration of the session?
> >If tso/ispf times out (sysprog is doing research or answering
> >mgmt questions), will they have to generate a new token?
>
> If for example you’re configuring ZMFA to use a LDAP server as an
> “external” factor then this landing page has further details:
> https://www.ibm.com/docs/en/zma/2.3.0?topic=customization-configuring-ldap
> <
> https://www.ibm.com/docs/en/zma/2.3.0?topic=customization-configuring-ldap
> >
>
> I put the word external in quotation marks because the LDAP server could
> be z/OS’s LDAP server or some other LDAP server running on the same IBM Z
> machine. And LDAP is just one example. Many “external” and external
> factors’ interfaces are supported.
>
> You can configure ZMFA for “out-of-band” authentication so that users
> obtain what’s called a “cache token credential” (CTC) to log into RACF (via
> TSO/E for example). You can choose whether the CTC is reusable and how
> quickly it expires.
>
>
> https://www.ibm.com/docs/en/zma/2.3.0?topic=policies-setting-policy-token-timeout
> <
> https://www.ibm.com/docs/en/zma/2.3.0?topic=policies-setting-policy-token-timeout
> >
>
> https://www.ibm.com/docs/en/zma/2.3.0?topic=policies-setting-cache-token-credential-be-reusable
> <
> https://www.ibm.com/docs/en/zma/2.3.0?topic=policies-setting-cache-token-credential-be-reusable
> >
>
> —
> Timothy Sipples
> Senior Architect
> Digital Assets, Industry Solutions, and Cybersecurity
> IBM Z/LinuxONE, Asia-Pacific
> sipp...@sg.ibm.com<mailto:sipp...@sg.ibm.com>
>
> 
> Rocket Software, Inc. and subsidiaries ¦ 77 Fourth Avenue, Waltham MA
> 02451 ¦ Main Office Toll Free Number: +1 855.577.4323
> Contact Customer Support:
> https://my.rocketsoftware.com/RocketCommunity/RCEmailSupport
> Unsubscribe from Marketing Messages/Manage Your Subscription Preferences -
> http://www.rocketsoftware.com/manage-your-email-preferences
> Privacy Policy -
> http://www.rocketsoftware.com/company/legal/privacy-policy
> 
>
> This communication and any attachments may contain confidential
> information of Rocket Software, Inc. All unauthorized use, disclosure or
> distribution is prohibited. If you are not the intended recipient, please
> notify Rocket Software immediately and destroy all copies of this
> communication. Thank you.
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF, external password management

2024-03-03 Thread Jared Hunter 
Hi all,

I’m an architect/implementor on the IBM Z MFA team since the prehistory / 
notional phase of the product.

If folks would be interested in one or more “office hours” style Q+A sessions 
about the product and its (many, sometimes exotic) features, feel free to reach 
out to me at this address.

No sales touch implied, just a question-driven tour of the tech and design 
philosophy.

-Jared

Jared Hunter
Strategic Architect, Security
Rocket Software, USA
E: jhun...@rocketsoftware.com<mailto:jhun...@rocketsoftware.com>



Date: Fri, 1 Mar 2024 06:24:45 +
From: Timothy Sipples mailto:sipp...@sg.ibm.com>>
Subject: Re: RACF, external password management

Linda Hagedorn wrote:
>This is very promising. Do you know where I can read more about ZMFA?

The documentation landing page is here:
https://www.ibm.com/docs/en/zma<https://www.ibm.com/docs/en/zma>

>I'm interested in knowing how to configure the external source, and how
>the token is passed back to RACF, and how long the token lasts.
>For example, if systems programmers are working a problem, we
>wouldn't want the token to expire in 3 hrs.
>Or does the token last for the duration of the session?
>If tso/ispf times out (sysprog is doing research or answering
>mgmt questions), will they have to generate a new token?

If for example you’re configuring ZMFA to use a LDAP server as an “external” 
factor then this landing page has further details:
https://www.ibm.com/docs/en/zma/2.3.0?topic=customization-configuring-ldap<https://www.ibm.com/docs/en/zma/2.3.0?topic=customization-configuring-ldap>

I put the word external in quotation marks because the LDAP server could be 
z/OS’s LDAP server or some other LDAP server running on the same IBM Z machine. 
And LDAP is just one example. Many “external” and external factors’ interfaces 
are supported.

You can configure ZMFA for “out-of-band” authentication so that users obtain 
what’s called a “cache token credential” (CTC) to log into RACF (via TSO/E for 
example). You can choose whether the CTC is reusable and how quickly it expires.

https://www.ibm.com/docs/en/zma/2.3.0?topic=policies-setting-policy-token-timeout<https://www.ibm.com/docs/en/zma/2.3.0?topic=policies-setting-policy-token-timeout>
https://www.ibm.com/docs/en/zma/2.3.0?topic=policies-setting-cache-token-credential-be-reusable<https://www.ibm.com/docs/en/zma/2.3.0?topic=policies-setting-cache-token-credential-be-reusable>

—
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM Z/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com<mailto:sipp...@sg.ibm.com>


Rocket Software, Inc. and subsidiaries ¦ 77 Fourth Avenue, Waltham MA 02451 ¦ 
Main Office Toll Free Number: +1 855.577.4323
Contact Customer Support: 
https://my.rocketsoftware.com/RocketCommunity/RCEmailSupport
Unsubscribe from Marketing Messages/Manage Your Subscription Preferences - 
http://www.rocketsoftware.com/manage-your-email-preferences
Privacy Policy - http://www.rocketsoftware.com/company/legal/privacy-policy


This communication and any attachments may contain confidential information of 
Rocket Software, Inc. All unauthorized use, disclosure or distribution is 
prohibited. If you are not the intended recipient, please notify Rocket 
Software immediately and destroy all copies of this communication. Thank you.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF, external password management

2024-03-03 Thread Radoslaw Skorupka 

W dniu 01.03.2024 o 19:43, Seymour J Metz pisze:

And after the user is revoked. *permanently*.

Making a logon loop a convenient option for a DOS attack.


...and your proposal is?

(not to say userlist need not to be published)

--
Radoslaw Skorupka
Lodz, Poland

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF, external password management

2024-03-03 Thread Timothy Sipples 
Frank Swarbrick wrote:
>I have a curious question about MFA on z/OS.  Does each login
>require a different token?  Meaning, if I log on to TSO and to CICS,
>can I use the same token?  I ask because I log on and off to
>various CICS regions throughout the day, and I'd hate to have to
>get a new token for each login.  (We don't use MFA right now,
>except for our mainframe "outsourcer" teams (Kyndryl).

That’s configurable based on what security posture you’re trying to maintain. 
The token can be one-time (and time limited) or can be reused (and still time 
limited). The time limit is configurable, too.

>I wish that you could just "logon to VTAM," as it were, and it would
>log you in to each VTAM application you use.  I don't think this is
>available right now, correct me if I'm wrong!

Yes, you can do that with a combination of CL/SUPERSESSION, Z MFA, and 
PassTickets. Other combinations may be possible, but that’s the typical IBM 
combination. The entry point to the documentation is here:

https://www.ibm.com/docs/en/zma/2.3.0?topic=customization-clsupersession-zos

—
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM Z/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF, external password management

2024-03-01 Thread Steve Thompson 

Hi Frank:

2FA, where it calls you to get a code, or prompts you for a code 
off some security device (RSA?) will be per logon attempt. Now, 
if you have a session manager (of some kind), that may only 
require one response with the "token" they want, and the session 
manager may then not trigger 2FA for each logon under its control.


In the remote logons I've done, Cisco was effectively the session 
manager and handled the initial connection to customer site 
(using VPN). Once authenticated, it was basically a single 
sign-on -- with the exception of TSO and other Mainframe specific 
access/logons, but 2FA was not activated in that case.


YMMV as usual.

Steve Thompson





On 3/1/2024 5:49 PM, Frank Swarbrick wrote:

I have a curious question about MFA on z/OS.  Does each login require a different token?  
Meaning, if I log on to TSO and to CICS, can I use the same token?  I ask because I log 
on and off to various CICS regions throughout the day, and I'd hate to have to get a new 
token for each login.  (We don't use MFA right now, except for our mainframe 
"outsourcer" teams (Kyndryl).

I wish that you could just "logon to VTAM," as it were, and it would log you in 
to each VTAM application you use.  I don't think this is available right now, correct me 
if I'm wrong!

Frank

From: IBM Mainframe Discussion List  on behalf of Timothy 
Sipples 
Sent: Thursday, February 29, 2024 11:24 PM
To: IBM-MAIN@LISTSERV.UA.EDU 
Subject: Re: RACF, external password management

Linda Hagedorn wrote:

This is very promising. Do you know where I can read more about ZMFA?

The documentation landing page is here:
https://www.ibm.com/docs/en/zma


I'm interested in knowing how to configure the external source, and how
the token is passed back to RACF, and how long the token lasts.
For example, if systems programmers are working a problem, we
wouldn't want the token to expire in 3 hrs.
Or does the token last for the duration of the session?
If tso/ispf times out (sysprog is doing research or answering
mgmt questions), will they have to generate a new token?

If for example you’re configuring ZMFA to use a LDAP server as an “external” 
factor then this landing page has further details:
https://www.ibm.com/docs/en/zma/2.3.0?topic=customization-configuring-ldap

I put the word external in quotation marks because the LDAP server could be 
z/OS’s LDAP server or some other LDAP server running on the same IBM Z machine. 
And LDAP is just one example. Many “external” and external factors’ interfaces 
are supported.

You can configure ZMFA for “out-of-band” authentication so that users obtain 
what’s called a “cache token credential” (CTC) to log into RACF (via TSO/E for 
example). You can choose whether the CTC is reusable and how quickly it expires.

https://www.ibm.com/docs/en/zma/2.3.0?topic=policies-setting-policy-token-timeout
https://www.ibm.com/docs/en/zma/2.3.0?topic=policies-setting-cache-token-credential-be-reusable

—
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM Z/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF, external password management

2024-03-01 Thread Frank Swarbrick 
I have a curious question about MFA on z/OS.  Does each login require a 
different token?  Meaning, if I log on to TSO and to CICS, can I use the same 
token?  I ask because I log on and off to various CICS regions throughout the 
day, and I'd hate to have to get a new token for each login.  (We don't use MFA 
right now, except for our mainframe "outsourcer" teams (Kyndryl).

I wish that you could just "logon to VTAM," as it were, and it would log you in 
to each VTAM application you use.  I don't think this is available right now, 
correct me if I'm wrong!

Frank

From: IBM Mainframe Discussion List  on behalf of 
Timothy Sipples 
Sent: Thursday, February 29, 2024 11:24 PM
To: IBM-MAIN@LISTSERV.UA.EDU 
Subject: Re: RACF, external password management

Linda Hagedorn wrote:
>This is very promising. Do you know where I can read more about ZMFA?

The documentation landing page is here:
https://www.ibm.com/docs/en/zma

>I'm interested in knowing how to configure the external source, and how
>the token is passed back to RACF, and how long the token lasts.
>For example, if systems programmers are working a problem, we
>wouldn't want the token to expire in 3 hrs.
>Or does the token last for the duration of the session?
>If tso/ispf times out (sysprog is doing research or answering
>mgmt questions), will they have to generate a new token?

If for example you’re configuring ZMFA to use a LDAP server as an “external” 
factor then this landing page has further details:
https://www.ibm.com/docs/en/zma/2.3.0?topic=customization-configuring-ldap

I put the word external in quotation marks because the LDAP server could be 
z/OS’s LDAP server or some other LDAP server running on the same IBM Z machine. 
And LDAP is just one example. Many “external” and external factors’ interfaces 
are supported.

You can configure ZMFA for “out-of-band” authentication so that users obtain 
what’s called a “cache token credential” (CTC) to log into RACF (via TSO/E for 
example). You can choose whether the CTC is reusable and how quickly it expires.

https://www.ibm.com/docs/en/zma/2.3.0?topic=policies-setting-policy-token-timeout
https://www.ibm.com/docs/en/zma/2.3.0?topic=policies-setting-cache-token-credential-be-reusable

—
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM Z/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF, external password management

2024-03-01 Thread Seymour J Metz 
> And after the user is revoked. *permanently*.

Making a logon loop a convenient option for a DOS attack.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר


From: IBM Mainframe Discussion List  on behalf of 
Radoslaw Skorupka <0471ebeac275-dmarc-requ...@listserv.ua.edu>
Sent: Friday, March 1, 2024 10:27 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: RACF, external password management

W dniu 29.02.2024 o 21:53, Linda Hagedorn pisze:
> The regulations are from NY state, NYDFS.
> https://www.dfs.ny.gov/system/files/documents/2023/12/rf23_nycrr_part_500_amend02_20231101.pdf
>
>   500.7 Access privileges and management.
>
>   500.7(c) Each class A company shall monitor privileged access activity 
> and shall implement:
>   (1) a privileged access management solution; and
>   (2) an automated method of blocking commonly used passwords for all 
> accounts on
>   information systems owned or controlled by the class A company and 
> wherever feasible
>   for all other accounts.
>
> To automatically block commonly used passwords, a corpus is necessary.  For 
> example, Cybernews Investigation team was able to collect 15m passwords.*  If 
> they can do it, software vendors will see the opportunity here.
>
> It's one option to force all RACF password changes through a single point.  
> However, there's a lot of ways to reach the password change process in MVS, 
> and writing blocks for all of them isn't reasonable.
>
> The ZMFA holds promise, if I can find a software company that has 
> bought/collected the same 15m passwords that Cybernews did.  I can route all 
> RACF password changes to the  software company for 
> validation.
>
>
> *https://cybernews.com/best-password-managers/most-common-passwords/

I'm not a lawyer, however I did managed a lot of multi-million
contracts. And what I learned is accuracy and term definitions.
Regarding 500.7(c) (2)
1. What a complex numbering scheme :-)
2. Where "commonly used password" is defined? Is it as obvious as water,
Earth or kg?
3. What does it mean "blocking"? Should we check any *existing*
password? Or only new ones?
4. IMHO the ALPHANUM is the solution, because it "blocks" all English
dictionary. Of course one may say it doesn't block "PASSW0RD" (note the
zero, not o), but then we come back to the definition of "commonly used
password".
5. BTW: When you search "the most popular passwords" you will find
several lists, but majority of them contain lowercase strings, sometimes
mixed case. Conclusion: do not allow lowercase letters. :-)


Oh, BTW: I don't care how many passwords some company collected. First,
it is not applicable, second I do not trust them.
BTW2: most of us use 4-character password, no mixed case, no
punctuation, no alphabetic letter. Just four numbers. And the password
is used for access to our money. We call it PIN.
BTW3: Apples and oranges. There is no big reason to compare password
from completely different systems, usually poor social media, fora
(forums), e-shops, etc. Not to mention very few of top 10 would pass
regular syntax checking ALPHANUM.
BTW4: In RACF world we have limited number of attempts. And after the
user is revoked. *permanently*.



--

Radoslaw Skorupka
Lodz, Poland

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF, external password management

2024-03-01 Thread Radoslaw Skorupka 

W dniu 29.02.2024 o 21:53, Linda Hagedorn pisze:

The regulations are from NY state, NYDFS.
https://www.dfs.ny.gov/system/files/documents/2023/12/rf23_nycrr_part_500_amend02_20231101.pdf

  500.7 Access privileges and management.

  500.7(c) Each class A company shall monitor privileged access activity 
and shall implement:
  (1) a privileged access management solution; and
  (2) an automated method of blocking commonly used passwords for all 
accounts on
  information systems owned or controlled by the class A company and 
wherever feasible
  for all other accounts.

To automatically block commonly used passwords, a corpus is necessary.  For 
example, Cybernews Investigation team was able to collect 15m passwords.*  If 
they can do it, software vendors will see the opportunity here.

It's one option to force all RACF password changes through a single point.  
However, there's a lot of ways to reach the password change process in MVS, and 
writing blocks for all of them isn't reasonable.
  
The ZMFA holds promise, if I can find a software company that has bought/collected the same 15m passwords that Cybernews did.  I can route all RACF password changes to the  software company for validation.



*https://cybernews.com/best-password-managers/most-common-passwords/   


I'm not a lawyer, however I did managed a lot of multi-million 
contracts. And what I learned is accuracy and term definitions.

Regarding 500.7(c) (2)
1. What a complex numbering scheme :-)
2. Where "commonly used password" is defined? Is it as obvious as water, 
Earth or kg?
3. What does it mean "blocking"? Should we check any *existing* 
password? Or only new ones?
4. IMHO the ALPHANUM is the solution, because it "blocks" all English 
dictionary. Of course one may say it doesn't block "PASSW0RD" (note the 
zero, not o), but then we come back to the definition of "commonly used 
password".
5. BTW: When you search "the most popular passwords" you will find 
several lists, but majority of them contain lowercase strings, sometimes 
mixed case. Conclusion: do not allow lowercase letters. :-)



Oh, BTW: I don't care how many passwords some company collected. First, 
it is not applicable, second I do not trust them.
BTW2: most of us use 4-character password, no mixed case, no 
punctuation, no alphabetic letter. Just four numbers. And the password 
is used for access to our money. We call it PIN.
BTW3: Apples and oranges. There is no big reason to compare password 
from completely different systems, usually poor social media, fora 
(forums), e-shops, etc. Not to mention very few of top 10 would pass 
regular syntax checking ALPHANUM.
BTW4: In RACF world we have limited number of attempts. And after the 
user is revoked. *permanently*.




--

Radoslaw Skorupka
Lodz, Poland

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF, external password management

2024-03-01 Thread Radoslaw Skorupka 

It does not, however password exit can provide same functionality.

BTW: In my opinion it is big lack in RACF features.
IBM take care about GUI, java, python etc. to make the platform more 
attractive to young IT folks. However sometimes it would be nice to have 
sample job with list of words, it does not to be integrated with z/OSMF, 
API, java, go lang.


--
Radoslaw Skorupka
Lodz, Poland



W dniu 01.03.2024 o 05:08, Michael Brennan pisze:

Both ACF2 and Top Secret have common phrases that can not be used for
passwords and you can add or subtract from the list.  You would think RACF
would have the same. I have not dug through the RACF manuals to determine
if it does or not.

On Thu, Feb 29, 2024 at 12:09 AM Timothy Sipples  wrote:


Linda Hagedorn wrote:

My company wants an external password manager to substitute for RACF.
I need to know if anyone has experience with this, or common password
matching in RACF.
Background
Regulations NYDFS require preventing common passwords to be used.
Vendor tools (Courion, CyberArk, etc.) have a corpus to match password
changes to prevent the use of common passwords.
RACF passwords can be changed from TSO, the internal reader, JCL,
Candle Session manager, etc., so trying to block password changing through
RACF and forcing everyone through one of these 3rd party tools may be near
impossible.
Any input is appreciated.

This’d be easy to do with IBM Z Multi Factor Authentication (ZMFA).
Despite its name you could use ZMFA to support a single “external” factor
such as a super vetted passphrase verifier, although it’d obviously be best
to have a genuine second factor too (while you’re at it).

Let’s suppose for example you maintain/update these super rule compliant
passphrases in a LDAP server. OK, then configure ZMFA so that it validates
passphrases against the LDAP server and gives RACF yes or no decisions. You
could for example use “out-of-band” authentication so that users who clear
the ZMFA hurdle (log in via a secure Web page) get a one-time token that
they use to log into RACF (in place of a password). And then you’ve neatly
solved the problem of handling RACF password/passphrase changes everywhere.
Other variations are possible — this is just an example.

If you’re concerned about the “What if the LDAP server is down,
unreachable, or slow?” scenarios then one straightforward solution is to
use z/OS’s LDAP server and simply keep that LDAP server synced reasonably
well with another LDAP server. (LDAP supports syncing.) In that case ZMFA
simply loops back to z/OS LDAP, an ultra short loop. If the syncing is down
for a little while it’s not a calamity. Or use another LDAP server that
runs in the z/OS Container Extensions or in a Linux on IBM Z partition.
LDAP is just an example too, although it’s a common one.

https://www.ibm.com/products/ibm-multifactor-authentication-for-zos

—
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM Z/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN





--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF, external password management

2024-03-01 Thread kekronbekron 
MFA and this aren't either or. They're different things.

Can the exit only run REXX, or can any language's compiled code be called there 
(with ADDRESS ...)?



On Friday, March 1st, 2024 at 18:17, Robert S. Hansel 
 wrote:

> Hi Linda,
> 
> Short term solution is to implement the RACF password change exit ICHPWX01 
> and its companion System REXX module IRRPWREX module. Relatively simple to 
> implement and governs all password changes. IRRPWREX has numerous options you 
> can activate, such as disallowing repeating characters and specific character 
> strings, that can address the common password prohibition requirement. The 
> IBM-provided exit code is available on GitHub:
> 
> https://github.com/IBM/IBM-Z-zOS/tree/main/zOS-RACF/Downloads/RexxPwExit
> 
> Also, implement KDFAES password encryption if you have not already done so. 
> And I recommend a single SETROPTS PASSWORD RULE of LENGTH(8) MIXEDALL(1:8), 
> which requires a password to be 8 characters in length and have at least one 
> letter, one number, and one special character (e.g., National Characters). 
> This rule alone will block many of the common passwords. Be sure all your 
> resource managers processing logons can handle special characters.
> 
> Longer term solution is MFA.
> 
> I recommend you contact the authors of this regulation and ask them to 
> provide you with the list of common passwords they expect you to disallow.
> 
> Regards, Bob
> 
> Robert S. Hansel 2024 IBM Champion
> Lead RACF Specialist
> RSH Consulting, Inc.
> 617-969-8211
> www.linkedin.com/in/roberthansel
> www.rshconsulting.com
> 
> -Original Message-
> Date: Thu, 29 Feb 2024 14:53:36 -0600
> From: Linda Hagedorn linda.haged...@gmail.com
> 
> Subject: Re: RACF, external password management
> 
> The regulations are from NY state, NYDFS.
> https://www.dfs.ny.gov/system/files/documents/2023/12/rf23_nycrr_part_500_amend02_20231101.pdf
> 
> 500.7 Access privileges and management.
> 
> 500.7(c) Each class A company shall monitor privileged access activity and 
> shall implement:
> (1) a privileged access management solution; and
> (2) an automated method of blocking commonly used passwords for all accounts 
> on
> information systems owned or controlled by the class A company and wherever 
> feasible
> for all other accounts.
> 
> To automatically block commonly used passwords, a corpus is necessary. For 
> example, Cybernews Investigation team was able to collect 15m passwords.* If 
> they can do it, software vendors will see the opportunity here.
> 
> It's one option to force all RACF password changes through a single point. 
> However, there's a lot of ways to reach the password change process in MVS, 
> and writing blocks for all of them isn't reasonable.
> 
> The ZMFA holds promise, if I can find a software company that has 
> bought/collected the same 15m passwords that Cybernews did. I can route all 
> RACF password changes to the  software company for 
> validation.
> 
> 
> 
> *https://cybernews.com/best-password-managers/most-common-passwords/
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Subject: Re: RACF, external password management

2024-03-01 Thread billogden 
A simple suggestion: Do not let this project create an even worse situation!
More recent z/OS setups (with RACF) can "disable" a userid after "n"
password failures. ("n" is often 3.) If your userids are easily
found/duplicated, a really bad guy could, with relatively minor
Linux/Windows scripts, disable many of your userids! (RACF SPECIAL users
have a way around this, but that method depends on prompt z/OS operator
actions, etc. Unfortunately, some z/OS installations have almost banished
the operator functions and have very, very few SPECIAL users --- and these
few might not be readily available if this situation happens.)

Long, long ago I was involved in minor "checkups" of OS/390 security
situations. In those days, long ago, it was not too difficult to monitor
token-ring traffic to see userids/password. We also wrote a program that
checked a list of about 5000 "common passwords" we helped create. (A
surprisingly large number were variations of profane/obscene words.) This
list might have been useful to push users into a thought pattern for
"acceptable" passwords and this "thought pattern" itself was a bad result.
This was long ago, and I realize things are more sophisticated now.

Bill

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF, external password management

2024-03-01 Thread Robert S. Hansel 
Hi Linda,

Short term solution is to implement the RACF password change exit ICHPWX01 and 
its companion System REXX module IRRPWREX module. Relatively simple to 
implement and governs all password changes. IRRPWREX has numerous options you 
can activate, such as disallowing repeating characters and specific character 
strings, that can address the common password prohibition requirement. The 
IBM-provided exit code is available on GitHub:

https://github.com/IBM/IBM-Z-zOS/tree/main/zOS-RACF/Downloads/RexxPwExit

Also, implement KDFAES password encryption if you have not already done so. And 
I recommend a single SETROPTS PASSWORD RULE of LENGTH(8) MIXEDALL(1:8), which 
requires a password to be 8 characters in length and have at least one letter, 
one number, and one special character (e.g., National Characters). This rule 
alone will block many of the common passwords. Be sure all your resource 
managers processing logons can handle special characters.

Longer term solution is MFA.

I recommend you contact the authors of this regulation and ask them to provide 
you with the list of common passwords they expect you to disallow.

Regards, Bob

Robert S. Hansel   2024 IBM Champion
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-Original Message-
Date:Thu, 29 Feb 2024 14:53:36 -0600
From:Linda Hagedorn 
Subject: Re: RACF, external password management

The regulations are from NY state, NYDFS.  
https://www.dfs.ny.gov/system/files/documents/2023/12/rf23_nycrr_part_500_amend02_20231101.pdf

 500.7 Access privileges and management.

 500.7(c) Each class A company shall monitor privileged access activity and 
shall implement:
 (1) a privileged access management solution; and
 (2) an automated method of blocking commonly used passwords for all 
accounts on
 information systems owned or controlled by the class A company and 
wherever feasible
 for all other accounts.  

To automatically block commonly used passwords, a corpus is necessary.  For 
example, Cybernews Investigation team was able to collect 15m passwords.*  If 
they can do it, software vendors will see the opportunity here.   

It's one option to force all RACF password changes through a single point.  
However, there's a lot of ways to reach the password change process in MVS, and 
writing blocks for all of them isn't reasonable.  
 
The ZMFA holds promise, if I can find a software company that has 
bought/collected the same 15m passwords that Cybernews did.  I can route all 
RACF password changes to the  software company for 
validation.  


*https://cybernews.com/best-password-managers/most-common-passwords/

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF, external password management

2024-02-29 Thread Timothy Sipples 
Michael 
Brennan
 wrote:

>Both ACF2 and Top Secret have common phrases that can not be

>used for passwords and you can add or subtract from the list.

>You would think RACF would have the same. I have not dug through

>the RACF manuals to determine if it does or not.



RACF has a new-passphrase exit called ICHPWX11. IBM provides a sample exit 
routine, and you can use REXX to run whatever passphrase quality checks you 
wish. The REXX script could even make an external (or “external”) network call 
to check the passphrase against some database. But you’d have to write and 
maintain this REXX code, and it wouldn’t provide multi-factor authentication. 
It’d merely help strengthen new passphrase selections.



https://www.ibm.com/docs/en/zos/3.1.0?topic=users-assigning-password-phrases

—
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM Z/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF, external password management

2024-02-29 Thread Timothy Sipples 
Linda Hagedorn wrote:
>It's one option to force all RACF password changes through a single
>point.  However, there's a lot of ways to reach the password change
>process in MVS, and writing blocks for all of them isn't reasonable.
>The ZMFA holds promise, if I can find a software company that has
>bought/collected the same 15m passwords that Cybernews did.
>I can route all RACF password changes to the 
>software company for validation.

Not that it’s necessarily the only way to do it, but what I’m thinking with 
ZMFA is that you’d already have passphrases somewhere that have been validated 
(and that are changed and managed) according to your requirements, including 
vetting against previously breached passphrases. These passphrases are already 
residing in an enterprise-wide LDAP server, for example. I’m assuming RACF 
isn’t the only security authenticator that needs to meet this requirement. You 
probably have many other systems and applications that also need to meet this 
requirement, and they’re depending on passphrases stored/managed somewhere.

So, users would stop changing or managing RACF passwords/passphrases. RACF 
wouldn’t even allow it, really, because their user IDs are marked as 
MFA-enabled IDs. That means RACF will loop through ZMFA when they try to log 
in. Users’ would instead first log into ZMFA “out-of-band,” provide their 
enterprise LDAP-stored passphrases, and get back 8 character tokens that 
expire. These tokens can be one-time use or multiple use (always within their 
validity periods). Users then treat the 8 character token as a RACF password to 
log in RACF, and since the user ID is MFA-enabled RACF checks with ZMFA that 
the token/password is valid. ZMFA says, “Yes, that’s the user I just gave that 
token to, it’s not an expired token, and (if one-time use) it hasn’t been used 
before” then tells RACF it’s OK to let that user in. When a user wants to 
change his/her passphrase they do that in the enterprise passphrase database, 
against that LDAP server, not in RACF at all. (They don’t get the opportunity 
to do so. Effectively they’re changing their password every time they grab a 
new token, and that password can be one-time use and always has a relatively 
short validity period.)

As Radoslaw Skorupka wisely pointed out, a passphrase, no matter how well 
managed and vetted, is only one factor. It’s best to authenticate with a second 
strong factor and the passphrase. ZMFA can do this, too. It has “Multi” in its 
name, after all. :-) You can adopt ZMFA in a phased approach if you’re not 
ready to add the second factor immediately. For example, you could first 
require “privileged” users to provide vetted/well-managed passphrases (stored 
in a LDAP server for example) to get their RACF log-in tokens. Then extend this 
requirement to every RACF user ID (except non-human machine ones of course). 
Then require “privileged” users to log in using 2 factors (the 
vetted/well-managed passphrase plus a 6 digit code from an IBM or Google 
authenticator app on their mobile device, for example). Then extend 2 factor 
authentication (2FA) to every user.

—
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM Z/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF, external password management

2024-02-29 Thread Timothy Sipples 
Linda Hagedorn wrote:
>This is very promising. Do you know where I can read more about ZMFA?

The documentation landing page is here:
https://www.ibm.com/docs/en/zma

>I'm interested in knowing how to configure the external source, and how
>the token is passed back to RACF, and how long the token lasts.
>For example, if systems programmers are working a problem, we
>wouldn't want the token to expire in 3 hrs.
>Or does the token last for the duration of the session?
>If tso/ispf times out (sysprog is doing research or answering
>mgmt questions), will they have to generate a new token?

If for example you’re configuring ZMFA to use a LDAP server as an “external” 
factor then this landing page has further details:
https://www.ibm.com/docs/en/zma/2.3.0?topic=customization-configuring-ldap

I put the word external in quotation marks because the LDAP server could be 
z/OS’s LDAP server or some other LDAP server running on the same IBM Z machine. 
And LDAP is just one example. Many “external” and external factors’ interfaces 
are supported.

You can configure ZMFA for “out-of-band” authentication so that users obtain 
what’s called a “cache token credential” (CTC) to log into RACF (via TSO/E for 
example). You can choose whether the CTC is reusable and how quickly it expires.

https://www.ibm.com/docs/en/zma/2.3.0?topic=policies-setting-policy-token-timeout
https://www.ibm.com/docs/en/zma/2.3.0?topic=policies-setting-cache-token-credential-be-reusable

—
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM Z/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF, external password management

2024-02-29 Thread Michael Brennan 
Both ACF2 and Top Secret have common phrases that can not be used for
passwords and you can add or subtract from the list.  You would think RACF
would have the same. I have not dug through the RACF manuals to determine
if it does or not.

On Thu, Feb 29, 2024 at 12:09 AM Timothy Sipples  wrote:

> Linda Hagedorn wrote:
> >My company wants an external password manager to substitute for RACF.
> >I need to know if anyone has experience with this, or common password
> >matching in RACF.
> >Background
> >Regulations NYDFS require preventing common passwords to be used.
> >Vendor tools (Courion, CyberArk, etc.) have a corpus to match password
> >changes to prevent the use of common passwords.
> >RACF passwords can be changed from TSO, the internal reader, JCL,
> >Candle Session manager, etc., so trying to block password changing through
> >RACF and forcing everyone through one of these 3rd party tools may be near
> >impossible.
> >Any input is appreciated.
>
> This’d be easy to do with IBM Z Multi Factor Authentication (ZMFA).
> Despite its name you could use ZMFA to support a single “external” factor
> such as a super vetted passphrase verifier, although it’d obviously be best
> to have a genuine second factor too (while you’re at it).
>
> Let’s suppose for example you maintain/update these super rule compliant
> passphrases in a LDAP server. OK, then configure ZMFA so that it validates
> passphrases against the LDAP server and gives RACF yes or no decisions. You
> could for example use “out-of-band” authentication so that users who clear
> the ZMFA hurdle (log in via a secure Web page) get a one-time token that
> they use to log into RACF (in place of a password). And then you’ve neatly
> solved the problem of handling RACF password/passphrase changes everywhere.
> Other variations are possible — this is just an example.
>
> If you’re concerned about the “What if the LDAP server is down,
> unreachable, or slow?” scenarios then one straightforward solution is to
> use z/OS’s LDAP server and simply keep that LDAP server synced reasonably
> well with another LDAP server. (LDAP supports syncing.) In that case ZMFA
> simply loops back to z/OS LDAP, an ultra short loop. If the syncing is down
> for a little while it’s not a calamity. Or use another LDAP server that
> runs in the z/OS Container Extensions or in a Linux on IBM Z partition.
> LDAP is just an example too, although it’s a common one.
>
> https://www.ibm.com/products/ibm-multifactor-authentication-for-zos
>
> —
> Timothy Sipples
> Senior Architect
> Digital Assets, Industry Solutions, and Cybersecurity
> IBM Z/LinuxONE, Asia-Pacific
> sipp...@sg.ibm.com
>
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>


-- 
Michael Brennan

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF, external password management

2024-02-29 Thread roscoe5 
I like it. And there are more than one potential software vendors reading your 
request on this site. ;-)

Sent from [Proton Mail](https://proton.me/mail/home) for iOS

On Thu, Feb 29, 2024 at 3:53 PM, Linda Hagedorn 
<[05cf4637de00-dmarc-requ...@listserv.ua.edu](mailto:On Thu, Feb 29, 2024 
at 3:53 PM, Linda Hagedorn < wrote:

> The regulations are from NY state, NYDFS.
> https://www.dfs.ny.gov/system/files/documents/2023/12/rf23_nycrr_part_500_amend02_20231101.pdf
>
> 500.7 Access privileges and management.
>
> 500.7(c) Each class A company shall monitor privileged access activity and 
> shall implement:
> (1) a privileged access management solution; and
> (2) an automated method of blocking commonly used passwords for all accounts 
> on
> information systems owned or controlled by the class A company and wherever 
> feasible
> for all other accounts.
>
> To automatically block commonly used passwords, a corpus is necessary. For 
> example, Cybernews Investigation team was able to collect 15m passwords.* If 
> they can do it, software vendors will see the opportunity here.
>
> It's one option to force all RACF password changes through a single point. 
> However, there's a lot of ways to reach the password change process in MVS, 
> and writing blocks for all of them isn't reasonable.
>
> The ZMFA holds promise, if I can find a software company that has 
> bought/collected the same 15m passwords that Cybernews did. I can route all 
> RACF password changes to the  software company for 
> validation.
>
> *https://cybernews.com/best-password-managers/most-common-passwords/
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF, external password management

2024-02-29 Thread Linda Hagedorn 
The regulations are from NY state, NYDFS.  
https://www.dfs.ny.gov/system/files/documents/2023/12/rf23_nycrr_part_500_amend02_20231101.pdf

 500.7 Access privileges and management.

 500.7(c) Each class A company shall monitor privileged access activity and 
shall implement:
 (1) a privileged access management solution; and
 (2) an automated method of blocking commonly used passwords for all 
accounts on
 information systems owned or controlled by the class A company and 
wherever feasible
 for all other accounts.  

To automatically block commonly used passwords, a corpus is necessary.  For 
example, Cybernews Investigation team was able to collect 15m passwords.*  If 
they can do it, software vendors will see the opportunity here.   

It's one option to force all RACF password changes through a single point.  
However, there's a lot of ways to reach the password change process in MVS, and 
writing blocks for all of them isn't reasonable.  
 
The ZMFA holds promise, if I can find a software company that has 
bought/collected the same 15m passwords that Cybernews did.  I can route all 
RACF password changes to the  software company for 
validation.  


*https://cybernews.com/best-password-managers/most-common-passwords/

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF, external password management

2024-02-29 Thread Radoslaw Skorupka 

W dniu 28.02.2024 o 22:35, Linda Hagedorn pisze:

My company wants an external password manager to substitute for RACF.
I need to know if anyone has experience with this, or common password matching 
in RACF.

Background
Regulations NYDFS require preventing common passwords to be used.
Vendor tools (Courion, CyberArk, etc.) have a corpus to match password changes 
to prevent the use of common passwords.
RACF passwords can be changed from TSO, the internal reader, JCL, Candle 
Session manager, etc., so trying to block password changing through RACF and 
forcing everyone through one of these 3rd party tools may be near impossible.

Any input is appreciated.  Thanks!  Linda


My humble input: go MFA.
Explanation
You can easily forbid dictionary passwords by ALPHANUM - a mix of 
alphabetics and numbers.
So, no sophisticated English (or Polish) word will be accepted. However 
PASSWRD1 will be.

You can enforce use of uppercase and lowercase. Passwrd1 will be accepted.
You can turn off old passwords and enforce pass phrases. "My Password01" 
will be accepted. Yes, with the space.
You can create and maintain your own black list of forbidden passwords - 
now neither of the above will not be accepted. However this is a little 
bit more complex - you need to code and maintain password (passphrase) 
exit. It can be REXX code.


Finally you still have a problem - your employee used his car plate 
number, for example LDB-9091. Looks fine, but ethical hacker will try 
this id. Mother's name? Wife's car plate number? No. You are not able to 
collect that information, but ethical hacker would try it!


The solution is MFA. Yes, the password is still important, however the 
hacker has no token.

Advantage: JOHN will no longer be able to share his password with MARY.

--
Radoslaw Skorupka
Lodz, Poland

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF, external password management

2024-02-29 Thread Howard Rifkind 
Sorry no; was this problem on the main frame?  

Sent from my iPhone

> On Feb 29, 2024, at 13:00, Linda Hagedorn 
> <05cf4637de00-dmarc-requ...@listserv.ua.edu> wrote:
> 
> In the process you describe, could I still while logged into tso/ispf change 
> my password in RACF, bypassing the AD routine?  
> 
> // JOB (ACCT INFO),'PGMR INFO',
> // CLASS=??,MSGCLASS=??,NOTIFY=userid,
> // USER=userid,PASSWORD=(OLDPASS,NEWPASS)
> //IEBFR14  EXEC  PGM=IEFBR14  
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF, external password management

2024-02-29 Thread Steve Thompson 
I think the exit point(s) mentioned by others is(are) where you 
would check the clear text against those common passwords, and 
reject that password change at that point.


Specifically to your question "any development to ingest": Unless 
you can find a vendor to provide you with such, your "shop" may 
have to do this, updating the table (or disk file) that contains 
the proscribed passwords.


And another thing you have to think about: Can you set rules that 
could keep such passwords from being tried?


Let's say they all have in common the use of $$, or ## or some 
such, so you would restrict any character from being repeated. 
But at the same time, suppose this is only seen in passwords of 
less than 10 characters...


[I've been exposed to many different systems with different rules].

Not that you would want to go this far, but you may need to go to 
2FA, depending on how secure you have to be (that could be a pain 
in your submit a job to change pswd


Another question: How do you make up your user-IDs? Now looking 
at the common passwords, can one know what user id was 
associated? This goes to the exposure you have to these common 
passwords.


   How many attempts to user-id revoked?
   How does one get their id restored?

   Suppose you are logged on, and a dictionary attack is done
   and your ID is now flagged as revoked. How do you get out of
   this?

Many things to think about. But mostly what is your exposure to 
an attack?


What if I wanted to shut down your biz? If I know how all of your 
user-ids are constructed, and I can get access to your system, 
somehow, and do dictionary attacks to cause all IDs to get 
revoked  It has been done.


Steve Thompson


On 2/29/2024 12:44 PM, Linda Hagedorn wrote:

Do you know if there's any development to ingest the list of passwords known to 
be involved in breaches, and match RACF password changes against them?

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF, external password management

2024-02-29 Thread Linda Hagedorn 
In the process you describe, could I still while logged into tso/ispf change my 
password in RACF, bypassing the AD routine?  

// JOB (ACCT INFO),'PGMR INFO',
// CLASS=??,MSGCLASS=??,NOTIFY=userid,
// USER=userid,PASSWORD=(OLDPASS,NEWPASS)
//IEBFR14  EXEC  PGM=IEFBR14

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF, external password management

2024-02-29 Thread Linda Hagedorn 
Do you know if there's any development to ingest the list of passwords known to 
be involved in breaches, and match RACF password changes against them?

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF, external password management

2024-02-29 Thread Linda Hagedorn 
This is very promising.  Do you know where I can read more about ZMFA?  

I'm interested in knowing how to configure the external source, and how the 
token is passed back to RACF, and how long the token lasts.  

For example, if systems programmers are working a problem, we wouldn't want the 
token to expire in 3 hrs.  
Or does the token last for the duration of the session?  
If tso/ispf times out (sysprog is doing research or answering mgmt questions), 
will they have to generate a new token?

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF, external password management

2024-02-29 Thread Linda Hagedorn 
Commonly used passwords and those found in breaches (dark web for example). 

P@$$w0rd, etc.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF, external password management

2024-02-29 Thread Linda Hagedorn 
This is exactly where I'm going.  

I think IBM should, if they haven't already, find a way to register the 
frequently found passwords and make an option to scan the PW in RACF.  
There may be a liability, but certainly a disclaimer can be included in the 
license.  

If this already exists, a referral to the manuals would be appreciated.  
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF, external password management

2024-02-29 Thread kekronbekron 
Hi Bob,

If it is what I am thinking... I didn't think this day would come.
There are hashes of known, breached passwords generally collected.
Here's the most prominent one - https://haveibeenpwned.com/Passwords

There are blog posts on the same site explaining what it is, how to use that 
collection, etc.
Would be fun indeed if the collection can be brought to zOS and RACF/ACF2 
adapted to look up a new pw in it, before using/setting it.


On Thursday, February 29th, 2024 at 17:13, Robert S. Hansel 
 wrote:

> Hi Linda,
> 
> How do you define "common password"?
> 
> Regards, Bob
> 
> Robert S. Hansel 2024 IBM Champion
> Lead RACF Specialist
> RSH Consulting, Inc.
> 617-969-8211
> www.linkedin.com/in/roberthansel
> www.rshconsulting.com
> 
> -Original Message-
> Date: Wed, 28 Feb 2024 15:35:54 -0600
> From: Linda Hagedorn linda.haged...@gmail.com
> 
> Subject: RACF, external password management
> 
> My company wants an external password manager to substitute for RACF.
> I need to know if anyone has experience with this, or common password 
> matching in RACF.
> 
> Background
> Regulations NYDFS require preventing common passwords to be used.
> Vendor tools (Courion, CyberArk, etc.) have a corpus to match password 
> changes to prevent the use of common passwords.
> RACF passwords can be changed from TSO, the internal reader, JCL, Candle 
> Session manager, etc., so trying to block password changing through RACF and 
> forcing everyone through one of these 3rd party tools may be near impossible.
> 
> Any input is appreciated. Thanks! Linda
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF, external password management

2024-02-29 Thread Robert S. Hansel 
Hi Linda,

How do you define "common password"?

Regards, Bob

Robert S. Hansel   2024 IBM Champion
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-Original Message-
Date:Wed, 28 Feb 2024 15:35:54 -0600
From:Linda Hagedorn 
Subject: RACF, external password management

My company wants an external password manager to substitute for RACF.  
I need to know if anyone has experience with this, or common password matching 
in RACF.  

Background
Regulations NYDFS require preventing common passwords to be used. 
Vendor tools (Courion, CyberArk, etc.) have a corpus to match password changes 
to prevent the use of common passwords.  
RACF passwords can be changed from TSO, the internal reader, JCL, Candle 
Session manager, etc., so trying to block password changing through RACF and 
forcing everyone through one of these 3rd party tools may be near impossible. 

Any input is appreciated.  Thanks!  Linda  

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF, external password management

2024-02-28 Thread Jack Zukt 
Hi,
If what you need is to prevent users from using easy to guess passwords,
RACF already has the tools that you need, from implementing mixed case,
passphrases, and special characters, or/and using the password or
passphrase exit, which is very easy to implement, to validate password
complexity and preventing the use of any words you want.
Regards
Jack

On Wed, Feb 28, 2024, 21:36 Linda Hagedorn <
05cf4637de00-dmarc-requ...@listserv.ua.edu> wrote:

> My company wants an external password manager to substitute for RACF.
> I need to know if anyone has experience with this, or common password
> matching in RACF.
>
> Background
> Regulations NYDFS require preventing common passwords to be used.
> Vendor tools (Courion, CyberArk, etc.) have a corpus to match password
> changes to prevent the use of common passwords.
> RACF passwords can be changed from TSO, the internal reader, JCL, Candle
> Session manager, etc., so trying to block password changing through RACF
> and forcing everyone through one of these 3rd party tools may be near
> impossible.
>
> Any input is appreciated.  Thanks!  Linda
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF, external password management

2024-02-28 Thread Steve Thompson 

Hi Linda:

Could you define common passwords?

Are we talking about commonly used passwords? Or are we talking 
about a password that is common to multiple users IDs?


Suppose you were to use three Chars and then numbers to make up a 
TSO ID. These are the IDs used by people that do not need access 
to system level datasets other than read (PROCLIBs, MACRO, COPY, 
etc.). So for an example we have ABC01234. So ABC needs a second 
ID (I'm used to having 3 or more), so we have ABC1234, ABC1235, 
ABC1237 (someone else got in there).  Are these three prohibited 
from having the same password?


Now, take me for example. Not only do I have those IDs that I use 
for programming, looking at DUMPS and tests, I also have an ID 
for updating certain system files. So we will do this one 
differently. ABCX001 is my system level ID. I would NOT have it 
have the same password, but you might want to enforce that.


RACF, as I understand it, may have the ability to keep a history 
so that a password can't be reused within 6 months or 9 90day 
cycles which ever is more restrictive. (I had to take RACF admin 
classes, I don't remember a lot because I never intended to be a 
RACF admin - it was needed for "SAF" and product security).


So are these questions and "contrived" circumstances matching 
your situation for what you have to handle?


Another thing that has to be recognized -- changing of passwords 
too often can result in problems for history. But changing not 
often enough is a different exposure.


So, is this being driven by auditors, or something else?

Steve Thompson


On 2/28/2024 4:35 PM, Linda Hagedorn wrote:

My company wants an external password manager to substitute for RACF.
I need to know if anyone has experience with this, or common password matching 
in RACF.

Background
Regulations NYDFS require preventing common passwords to be used.
Vendor tools (Courion, CyberArk, etc.) have a corpus to match password changes 
to prevent the use of common passwords.
RACF passwords can be changed from TSO, the internal reader, JCL, Candle 
Session manager, etc., so trying to block password changing through RACF and 
forcing everyone through one of these 3rd party tools may be near impossible.

Any input is appreciated.  Thanks!  Linda

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF, external password management

2024-02-28 Thread Jousma, David 
Linda,

I'd think twice on this topic.   We do vault our elevated access id's and I am 
fine with that, but to hand off all password management is a solution looking 
for a problem.

There is the racf password quality exit that can be coded up to disallow 
"common" passwords.  On top of that, you can "Force" passphrase use with 
minimum length requirements making such common passwords pretty much a thing of 
the past.

Dave Jousma

Vice President | Director, Technology Engineering


Fifth Third Bank  |  1830 East Paris Ave, SE  |  MD RSCB2H  |  Grand Rapids, MI 
49546

616.653.8429

From: IBM Mainframe Discussion List  on behalf of 
Linda Hagedorn <05cf4637de00-dmarc-requ...@listserv.ua.edu>
Sent: Wednesday, February 28, 2024 4:35:54 PM
To: IBM-MAIN@LISTSERV.UA.EDU 
Subject: RACF, external password management

My company wants an external password manager to substitute for RACF. I need to 
know if anyone has experience with this, or common password matching in RACF. 
Background Regulations NYDFS require preventing common passwords to be used. 
Vendor


My company wants an external password manager to substitute for RACF.
I need to know if anyone has experience with this, or common password matching 
in RACF.

Background
Regulations NYDFS require preventing common passwords to be used.
Vendor tools (Courion, CyberArk, etc.) have a corpus to match password changes 
to prevent the use of common passwords.
RACF passwords can be changed from TSO, the internal reader, JCL, Candle 
Session manager, etc., so trying to block password changing through RACF and 
forcing everyone through one of these 3rd party tools may be near impossible.

Any input is appreciated.  Thanks!  Linda

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


This e-mail transmission contains information that is confidential and may be 
privileged.   It is intended only for the addressee(s) named above. If you 
receive this e-mail in error, please do not read, copy or disseminate it in any 
manner. If you are not the intended recipient, any disclosure, copying, 
distribution or use of the contents of this information is prohibited. Please 
reply to the message immediately by informing the sender that the message was 
misdirected. After replying, please erase it from your computer system. Your 
assistance in correcting this error is appreciated.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF, external password management

2024-02-28 Thread roscoe5 
We had our typical users (some exceptions for Security team, etc) change their 
password on AD (Ctrl-Alt-Del) with a 3rd party tool providing extra controls as 
desired. Then we scripted a send of the accepted pw/phrase up to RACF with the 
request to set the password/phrase there. The basic RACF rules had to be 
basically the same as the AD rules as far as complexity, history, etc. But all 
the expansive lists and restrictions were done once by the other product and 
RACF was happy with the complexity of the password supplied.
It worked for us. Just an idea.
R.
Sent from [Proton Mail](https://proton.me/mail/home) for iOS

On Wed, Feb 28, 2024 at 4:35 PM, Linda Hagedorn 
<[05cf4637de00-dmarc-requ...@listserv.ua.edu](mailto:On Wed, Feb 28, 2024 
at 4:35 PM, Linda Hagedorn < wrote:

> My company wants an external password manager to substitute for RACF.
> I need to know if anyone has experience with this, or common password 
> matching in RACF.
>
> Background
> Regulations NYDFS require preventing common passwords to be used.
> Vendor tools (Courion, CyberArk, etc.) have a corpus to match password 
> changes to prevent the use of common passwords.
> RACF passwords can be changed from TSO, the internal reader, JCL, Candle 
> Session manager, etc., so trying to block password changing through RACF and 
> forcing everyone through one of these 3rd party tools may be near impossible.
>
> Any input is appreciated. Thanks! Linda
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN