SAF exit: User password and passphrase authentication

The SAF exit is used to authenticate your identity when you connect to the data server.

The supplied sample exit (CACSX04) supports authenticating a user ID along with a password or passphrase that is provided at connection time.

The sample SAF exit calls the RACF® RACROUTE REQUEST=VERIFY macro for user authentication. It decides whether to treat the value supplied on the connection as a password or as a passphrase based on its length, using the following rules:

  • If the length is eight bytes or less, the exit passes the value to RACROUTE as a password.
  • If the length is greater than eight bytes, the exit passes the value to RACROUTE as a passphrase. The SAF exit supports passphrases up to 32 bytes in length.

The following examples illustrate using the RACROUTE macro to validate a password or passphrase.

Validation of the user ID and an eight-byte password
         RACROUTE  REQUEST=VERIFY,                                     +
               ENVIR=CREATE,          : ACEE creation.                 +
               USERID=USERID,         : User ID string                 +
               PASSWRD=PASSWD,        : Password string up to 8 bytes  +
               ……
Validation of the user ID and a passphrase
         RACROUTE  REQUEST=VERIFY,                                     +
               ENVIR=CREATE,          : ACEE creation.                 +
               USERID=USERID,         : User ID string                 +
               PHRASE=PASSPHRS,       : Passphrase 9-32 bytes          +
               ……

The sample SAF exit supports mixed-case passwords and passphrases. It checks the RCVTPLC setting in the RACF Communications Vector Table (RCVT) to determine whether RACF is configured for mixed-case passwords. If RCVTPLC is not set, the SAF exit passes the password or passphrase to RACF in uppercase. If RCVTPLC is set, the SAF exit passes the password or passphrase to RACF as is.
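
The length and case rules above, modeled in Python as an added example; this is not the CACSX04 source, which is an assembler exit. The names, the cp037 code page, folding only a-z, and rejecting empty or over-32-byte values are assumptions, since the page does not state what the exit does in those cases.

```python
from dataclasses import dataclass
import string

MAX_PASSWORD_BYTES = 8      # page: eight bytes or less goes to PASSWRD=
MAX_PASSPHRASE_BYTES = 32   # page: passphrases up to 32 bytes go to PHRASE=
# Assumption: only a-z are folded, so folding never changes the byte length.
_FOLD = str.maketrans(string.ascii_lowercase, string.ascii_uppercase)


@dataclass(frozen=True)
class VerifyRequest:
    """What this model would hand to RACROUTE REQUEST=VERIFY (hypothetical type)."""
    userid: str
    keyword: str   # "PASSWRD" or "PHRASE"
    secret: bytes  # value as encoded for the host


def build_verify_request(userid, secret, mixed_case_enabled, codepage="cp037"):
    """Pick PASSWRD= or PHRASE= by byte length, folding case if RCVTPLC is off.

    mixed_case_enabled stands in for the RCVTPLC setting the exit reads.
    """
    if not mixed_case_enabled:
        secret = secret.translate(_FOLD)
    data = secret.encode(codepage)  # lengths are in bytes, not characters
    if not data:
        raise ValueError("empty credential (assumed to be rejected)")
    if len(data) > MAX_PASSPHRASE_BYTES:
        raise ValueError("longer than 32 bytes (assumed to be rejected)")
    keyword = "PASSWRD" if len(data) <= MAX_PASSWORD_BYTES else "PHRASE"
    return VerifyRequest(userid, keyword, data)


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    for value, mixed in [("Secret12", False), ("Secret12", True),
                         ("Secret123", True), ("correct horse battery", False)]:
        req = build_verify_request("USER01", value, mixed)
        print(f"{value!r:26} mixed={mixed!s:5} -> {req.keyword:7} "
              f"{req.secret.decode('cp037')!r}")
```

With mixed-case support off, `Secret12` and `SECRET12` produce the same request, so letter case adds nothing to credential strength on such a system.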

IBM® provides example definitions for RACF. Work with your site security experts to create the correct security statements for your site's external security manager (ESM) and site rules.