Security Planning
IBM® Connect:Direct® supports signon security checking through its own Authorization Facility and through security exits interfacing with CA-ACF2 and CA-TOP SECRET by Computer Associates International, Inc., and Resource Access Control Facility (RACF) by IBM. Any of these packages can control access to IBM Connect:Direct functions. Read Implementing Security in the IBM Connect:Direct for z/OS® Administration Guide.
Extended Submit Facility (ESF)
The Extended Submit Facility (ESF) enables Processes to be submitted even if the Connect:Direct DTF or the communications path between the API and DTF is not active.
The ESF is active because YES is the default parameter value for the ESF keyword on the Connect:Direct SIGNON command. An AuthorizationRequired error occurs if the logon ID where the API is running is not appropriately authorized when a Process is submitted through ESF. To prevent this error, do the following:
- If you submit Processes through ESF with CA-ACF2, ensure the logon ID is authorized through CA-ACF2 to update TCX and TCQ data sets.
- If you submit Processes through ESF with RACF, ensure the logon ID has control access authority for TCX and TCQ.
RACF Password Phrase (Passphrase)
IBM Connect:Direct for z/OS supports RACF Password Phrase (Passphrase) up to 64 characters in length. Anywhere Connect:Direct accepts a password, a passphrase can be used in its place. For more information on RACF support of Password Phrase, see the Security Server RACF General User’s Guide, SA22-7685-05 at http://pic.dhe.ibm.com/infocenter/zos/v1r12/index.jsp?topic=%2Fcom.ibm.zos.r12.icha100%2Fichza14003.htm.
Character | Description |
---|---|
blank | |
< | less than |
¬ | logical not |
, | comma |
> | greater than |
= | equal sign |
/ | forward slash |
\ | backward slash |
' | single quote |
" | double quote |
( | open parenthesis |
) | close parenthesis |
Passphrases can begin with a blank.
Passphrases can end with a blank.
Special Connect:Direct z/OS rules for Passphrase:
- Passphrases that contain a special character that is also a "delimiter"
must be enclosed in double quotes or single quotes:
'This is<a>passphrase.'
or
"This is<a>passphrase."
- Passphrases that end with a blank must be enclosed with a combination
of single quotes and double quotes:
'" Passphrase that contains blanks. "'
- Passphrases that contain one or more single quotes must be enclosed
in double quotes:
"That's a passphrase, not his'ns."
Note: Passphrases that contain single quotes cannot be entered in the ISPF panels and should be avoided.
- Passphrases that contain one or more double quotes must be enclosed
in single quotes:
'Passphrase for the "world".'
- Rules for entering a passphrase through the ISPF panels are the
same as for entering the passphrase in a PROCESS statement. However,
they are somewhat relaxed:
- The ISPF code automatically encloses the passphrase in single
quotes if it isn't entered enclosed in single or double quotes.
This is a <passphrase> and is "easy" to enter.
or
'This is a <passphrase> and is "easy" to enter.'
- Passphrases that end in a blank should be enclosed in double quotes
(or the single/double quote - double/single quote pair).
"This is a passphrase that ends with a blank. "
or
'"This is a passphrase that ends with a blank. "'
Note: Passphrases that contain a single quote cannot be entered into the ISPF panels and should be avoided.
Note: If "delimiter" characters are avoided, entering the longer passphrase is the same as entering the password.
Summary
Passphrase | Enclosed within |
---|---|
Contains no Connect:Direct "delimiter" | none required |
Contains Connect:Direct "delimiter" except single quote and/or double quote (see ending blank rule below) | ' or " |
Contains single quote *Cannot be entered with ISPF* | " |
Contains double quote | ' |
Contains both single quote and double quote | *Not allowed* |
Ends with blank, but has no single quote or double quote | '" "' |
Ends with blank, and has a single quote or double quote | *Not allowed* |
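The Summary table can be applied as a pre-check when passphrases are provisioned, so that a value that cannot be entered in a PROCESS statement or in ISPF is rejected before it is set in RACF. The following Python sketch is an added example, not IBM code; the function and exception names are hypothetical, and it assumes that the character table above is the list of Connect:Direct "delimiter" characters and that an empty value is rejected.

```python
# Added example: applies the quoting rules from the Summary table.
# Assumption: the character table on this page lists the "delimiter" characters.
DELIMITERS = set(" <¬,>=/\\'\"()")
MAX_LEN = 64  # maximum passphrase length stated on this page


class PassphraseNotAllowed(ValueError):
    """The passphrase cannot be written under the page's quoting rules."""


def enclose_passphrase(passphrase):
    """Return (text as written in a PROCESS statement, enterable in ISPF)."""
    if not passphrase or len(passphrase) > MAX_LEN:
        raise PassphraseNotAllowed("empty or longer than 64 characters")

    has_single = "'" in passphrase
    has_double = '"' in passphrase

    if has_single and has_double:
        raise PassphraseNotAllowed("contains both single and double quotes")

    if passphrase.endswith(" "):
        # Ending blank: only the single/double quote pair is valid,
        # which rules out any quote inside the passphrase itself.
        if has_single or has_double:
            raise PassphraseNotAllowed("ends with a blank and contains a quote")
        return "'\"" + passphrase + "\"'", True

    if has_single:
        # Must use double quotes; cannot be entered in the ISPF panels.
        return '"' + passphrase + '"', False
    if has_double:
        return "'" + passphrase + "'", True
    if DELIMITERS & set(passphrase):
        # Either quote style is valid here; single quotes are chosen.
        return "'" + passphrase + "'", True
    return passphrase, True  # no delimiter: no enclosure required


if __name__ == "__main__":
    # Constructed sample values taken from the examples on this page.
    for sample in ["This is<a>passphrase.", "That's a passphrase, not his'ns.",
                   " Passphrase that contains blanks. "]:
        print(enclose_passphrase(sample))
```

A False in the second element marks a passphrase that is valid in a PROCESS statement but should be avoided because it cannot be typed into the ISPF panels.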