Security Planning

IBM® Connect:Direct® supports signon security checking through its own Authorization Facility and through security exits interfacing with CA-ACF2 and CA-TOP SECRET by Computer Associates International, Inc., and Resource Access Control Facility (RACF) by IBM. Any of these packages can control access to IBM Connect:Direct functions. Read Implementing Security in the IBM Connect:Direct for z/OS® Administration Guide.

If your system has z/OS UNIX System Services and RACF Program Control turned on, every JOBLIB/STEPLIB/LINKLIB DSN in the IBM Connect:Direct startup must be in the appropriate RACF Program Control list for HFS support to work correctly. If not, z/OS UNIX System Services considers the address space “dirty,” and setting thread-level security (which HFS support uses) fails with 0000008B xxxx02AF. IBM Connect:Direct initialization fails with the message SITA997I.
Note: The SP Admin tool is unable to open a Secure parameter file created prior to release 5.2.0. See DGASCONV – Secure Parameter File Conversion Utility for more information.

Extended Submit Facility (ESF)

The Extended Submit Facility (ESF) enables Processes to be submitted even if the Connect:Direct DTF or the communications path between the API and DTF is not active.

The ESF is active because YES is the default parameter value for the ESF keyword on the Connect:Direct SIGNON command. An AuthorizationRequired error occurs if the logon ID where the API is running is not appropriately authorized when a Process is submitted through ESF. To prevent this error, do the following:

  • If you submit Processes through ESF with CA-ACF2, ensure the logon ID is authorized through CA-ACF2 to update TCX and TCQ data sets.
  • If you submit Processes through ESF with RACF, ensure the logon ID has control access authority for TCX and TCQ.

RACF Password Phrase (Passphrase)

IBM Connect:Direct for z/OS supports RACF Password Phrase (Passphrase) up to 64 characters in length. A passphrase can be used anywhere within Connect:Direct that a password is accepted. For more information on RACF support of Password Phrase, see the Security Server RACF General User’s Guide, SA22-7685-05 at

Passphrases can contain characters that the Connect:Direct z/OS parser defines as "delimiter" characters:
Character | Description
<         | less than
¬         | logical not
,         | comma
>         | greater than
=         | equal sign
/         | forward slash
\         | backward slash
'         | single quote
"         | double quote
(         | open parenthesis
)         | close parenthesis

Passphrases can begin with a blank.

Passphrases can end with a blank.

Special Connect:Direct z/OS rules for Passphrase:

  • Passphrases that contain a special character that is also a "delimiter" must be enclosed in double quotes or single quotes:
    'This is<a>passphrase.'


    "This is<a>passphrase."
  • Passphrases that end with a blank must be enclosed with a combination of single quotes and double quotes:
    '" Passphrase that contains blanks. "'
  • Passphrases that contain one or more single quotes must be enclosed in double quotes:
    "That's a passphrase, not his'ns."
    Note: Passphrases that contain single quotes cannot be entered in the ISPF panels and should be avoided.
  • Passphrases that contain one or more double quotes must be enclosed in single quotes:
    'Passphrase for the "world".'
  • Rules for entering a passphrase through the ISPF panels are the same as for entering the passphrase in a PROCESS statement. However, they are somewhat relaxed:
    • The ISPF code automatically encloses the passphrase in single quotes if it isn't entered enclosed in single or double quotes.
      This is a <passphrase> and is "easy" to enter.


      'This is a <passphrase> and is "easy" to enter.'
    • Passphrases that end in a blank should be enclosed in double quotes (or the single/double quote - double/single quote pair).
      "This is a passphrase that ends with a blank. "


      '"This is a passphrase that ends with a blank. "'
      Note: Passphrases that contain a single quote cannot be entered into the ISPF panels and should be avoided.
      Note: If "delimiter" characters are avoided, entering the longer passphrase is the same as entering the password.


Passphrase | Enclosed within
Contains no Connect:Direct "delimiter" | none required
Contains Connect:Direct "delimiter" except single quote and/or double quote (see ending blank rule below) | ' or "
Contains single quote *Cannot be entered with ISPF* | "
Contains double quote | '
Contains both single quote and double quote | *Not allowed*
Ends with blank, but has no single quote or double quote | '" "'
Ends with blank, and has a single quote or double quote | *Not allowed*
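
The enclosure rules above can be checked before a passphrase is written into a PROCESS statement. The following is an added example, not IBM code: the function name `enclose_passphrase` and its `ispf` flag are hypothetical, and treating a leading blank like a trailing blank is an assumption drawn from the page's one example of the '" "' pair.

```python
# Added example: applies the passphrase enclosure table from this page.
DELIMITERS = set("<¬,>=/\\()")  # page's delimiter list; quotes handled separately
MAX_LEN = 64                     # page: passphrases up to 64 characters


def enclose_passphrase(phrase, ispf=False):
    """Return the passphrase enclosed as the page's table requires.

    Raises ValueError for combinations the table marks as not allowed.
    ispf=True also rejects what the page says cannot be entered with ISPF.
    """
    if len(phrase) > MAX_LEN:
        raise ValueError("passphrase longer than 64 characters")
    has_sq = "'" in phrase
    has_dq = '"' in phrase
    # Ending blank is the page's rule. A leading blank is treated the same
    # way here as an assumption (the page's example has both).
    edge_blank = phrase.endswith(" ") or phrase.startswith(" ")

    if has_sq and has_dq:
        raise ValueError("contains both single and double quote: not allowed")
    if edge_blank:
        if has_sq or has_dq:
            raise ValueError("ends with blank and has a quote: not allowed")
        return "'\"" + phrase + "\"'"   # the '" "' pair
    if has_sq:
        if ispf:
            raise ValueError("single quote cannot be entered with ISPF")
        return '"' + phrase + '"'
    if has_dq:
        return "'" + phrase + "'"
    if DELIMITERS & set(phrase):
        return "'" + phrase + "'"       # table allows ' or "; ' is chosen here
    return phrase                        # no delimiter: none required


if __name__ == "__main__":
    # Constructed sample inputs, taken from the examples on this page.
    for sample in ["This is<a>passphrase.", " Passphrase that contains blanks. ",
                   "That's a passphrase, not his'ns.", 'Passphrase for the "world".']:
        print(enclose_passphrase(sample))
```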