IBM Security zSecure support for brand-new RACF password security enhancements
Jeroen Tiggelman
On November 13, 2014 password security enhancements in RACF were made available for z/OS V1R12, V1R13, and V2R1. A service stream enhancement to zSecure 1.12, 1.13, 1.13.1, 2.1, and 2.1.1 was made available at the same time. Among other improvements, these updates allow a larger password space (additional special characters allowed) and a stronger encryption method (KDFAES).
Password security depends as much on user education as on technical controls. Education covers, for example, not reusing the password of a strongly protected work account on a personal gaming website of unknown protection, so that a compromise of the latter does not expose the work system. Technical controls make a brute-force attack harder for a cracker: longer passwords, stronger encryption of the stored password, better password quality enforced through rules, a larger set of allowed characters, and proper protection of the security database itself. A more extensive discussion can be found in the Introduction of the Technote made available for RACF APAR OA43999. The enhancements described here provide new configuration options that can be activated to strengthen some of these technical controls.
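The two technical levers above, a larger password alphabet and a more expensive stored form, can be made concrete with a small calculation and a salted, iterated hash. The following is an added illustration, not zSecure or RACF code: the 39-character legacy alphabet (A-Z, 0-9, and the national characters @ # $), the 14 extra special characters, the quality rule, the guess rates and the iteration count are all constructed for this example, and the stored form uses PBKDF2-HMAC-SHA256 from the Python standard library rather than RACF's KDFAES, whose construction and parameters are not reproduced here.

```python
"""Added example (not zSecure or RACF code): password space versus per-guess cost.

Assumptions, all constructed for illustration:
  * LEGACY_CHARS models a classic 39-character mainframe password alphabet;
    EXTRA_SPECIALS is a hypothetical set of 14 additional special characters.
  * The stored form is PBKDF2-HMAC-SHA256 (standard library); RACF's KDFAES is
    a different IBM construction and is not reproduced here.
  * Guess rates are made-up numbers, not measurements.
"""
import hashlib
import hmac
import os
import string

LEGACY_CHARS = string.ascii_uppercase + string.digits + "@#$"
EXTRA_SPECIALS = ".<+|&!*-%_>?:="            # hypothetical additional specials
EXTENDED_CHARS = LEGACY_CHARS + EXTRA_SPECIALS

LEGACY_ALPHABET = len(LEGACY_CHARS)           # 39
EXTENDED_ALPHABET = len(EXTENDED_CHARS)       # 53


def password_space(alphabet_size, max_len, min_len=1):
    """Count of distinct passwords with lengths min_len..max_len."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def expected_crack_seconds(space, guesses_per_second, kdf_iterations=1):
    """Expected time to hit a uniformly random password.

    Model: the attacker can run `guesses_per_second` single hash operations,
    needs `kdf_iterations` of them per guess, and on average searches half the
    space.  Stretching the stored form scales the cost linearly with the
    iteration count; enlarging the alphabet scales it exponentially in length.
    """
    per_guess = kdf_iterations / guesses_per_second
    return (space / 2) * per_guess


def check_rule(password, alphabet=EXTENDED_CHARS, min_len=8, max_len=8):
    """Minimal quality rule (constructed, not RACF SETROPTS PASSWORD syntax):
    permitted length and alphabet, plus at least one letter, one digit and
    one special character."""
    if not (min_len <= len(password) <= max_len):
        return False
    if any(c not in alphabet for c in password):
        return False
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in "@#$" + EXTRA_SPECIALS for c in password)
    return has_alpha and has_digit and has_special


def hash_password(password, iterations=100_000, salt=None):
    """Salted, iterated digest of the password (PBKDF2-HMAC-SHA256)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password, record):
    """Recompute with the stored salt/iterations and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    rate = 1e9   # constructed: one billion hash operations per second
    for name, size in (("legacy", LEGACY_ALPHABET), ("extended", EXTENDED_ALPHABET)):
        space = password_space(size, 8)
        fast = expected_crack_seconds(space, rate)
        slow = expected_crack_seconds(space, rate, kdf_iterations=100_000)
        print(f"{name:8s} alphabet={size:2d} space={space:.3e} "
              f"fast={fast / 86400:.1f} days  stretched={slow / 86400 / 365:.0f} years")
    rec = hash_password("ZS3CUR3!")
    print("verify correct:", verify_password("ZS3CUR3!", rec))
    print("verify wrong:  ", verify_password("zs3cur3!", rec))
    print("rule check:", check_rule("ZS3CUR3!"), check_rule("PASSWORD"))
```

Running the module prints the search space and modelled cracking time for both alphabets, with and without stretching; the point is that the alphabet change alone gains roughly an order of magnitude at length 8, while the iteration count multiplies the attacker's work directly, and the two compound.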
Resource Access Control Facility (RACF) is the foundational IBM package for protecting System z. When a resource manager (a program that must make an access decision about the use of certain resources) performs an access check, it calls the application programming interface (API) known as the System Authorization Facility (SAF). If the system is protected by RACF, SAF forwards the question to that External Security Manager (ESM) and returns the answer: allowed, protection undefined (no decision), or denied.
The IBM Security zSecure suite helps to protect System z in various ways. IBM Security zSecure Admin boosts productivity for RACF administrators. While it usually generates RACF commands to make updates, its CKGRACF component can also update the RACF database directly; for example, to reset a lost password to a default password that the user defined earlier, so that the administrator never learns it. IBM Security zSecure Audit helps review the security of the system in various ways, e.g. by formatting log records from the System Management Facilities (SMF) and by displaying global RACF security settings (SETROPTS configuration). IBM Security zSecure CICS Toolkit helps with RACF administration from a Customer Information Control System (CICS) environment. IBM Security zSecure Command Verifier allows you to define granular policies as to which users can make which changes through RACF commands. IBM Security zSecure Visual provides a user interface for RACF administration from Windows. IBM Security zSecure Alert is a real-time monitor for security events. IBM Security zSecure Adapters for QRadar SIEM send enriched SMF information to IBM Security QRadar SIEM, and IBM Tivoli Compliance Insight Manager Enabler for z/OS does the same for IBM Tivoli Security Information and Event Manager. All these products are affected, though in the case of zSecure Alert, zSecure Adapters, and TCIM Enabler the effect is limited to the availability of more extensive information in SMF output. As a corollary, all the IBM
Many other products and components also work together with RACF and are affected by these updates, including Information Management System (IMS), Tivoli NetView, Time Sharing Option Extended (TSO/E), and z/OS Communications Server. Relevant restrictions are being summarized in the Info
The RACF function benefits are extensively described in a technote from the RACF team. They include a stronger password encryption algorithm, the ability to use additional characters in a password and extensions to password rule specifications, additional features when using password phrases, and more.
zSecure has provided the following:
Documentation has been provided in a technote from the zSecure team.
Note: the VERIFY PASSWORD function continues to perform the specific verifications documented for it. It has not been adapted to test passwords encrypted with the new Key Derivation Function with AES (KDFAES) algorithm; it simply skips those user IDs, so they are not covered by its weak-password checks.
To fully benefit from these enhancements you must run IBM Security zSecure 2.1 or 2.1.1. Compatibility support is provided for zSecure 1.12.0, 1.13.0, and 1.13.1.
Support is provided via various PTFs for the various product components and levels, which can be identified through function keywords as explained in the Migration section below.
Edit: On z/VM you must run z/VM V6R3 and IBM Security zSecure Manager for RACF z/VM 1.11.1 or 1.11.2.
The following aids are available to assist in planning for and applying all relevant maintenance at once:
Note: As always the proper order of doing things for zSecure Visual is to first upgrade the server and then the client. If a zSecure Visual client end user attempts to log on with a passphrase (from a client with the fix pack installed) to a Visual server that does not have the new support installed, the server might crash.
zSecure on z/OS: OA45693 (RACF-Offline toleration), OA45989 (CARLa-driven components, more extensive for V2), OA45990 (Command Verifier), OA45991 (CICS Toolkit), OA46097 (Command Verifier/CARLa driven components), OA46358 (Visual server, V2 only), OA46505 (RACF-Offline, V2 only), OA46517 (CICS Toolkit).
zSecure Visual client: Fix Packs 2.1.
Edit: For z/VM, refer to this article.
If you have any questions about this involving zSecure, please post them here or on the zSecure forum. You can also visit the zSecure community and wiki. The current zSecure for z/VM release at the time of original publication was 1.11.1. The I