Configure RACF for mixed case

IBM® generally recommends that you enable mixed-case passwords if you use IBM MFA in-band authentication. If mixed-case passwords are not enabled, you may encounter problems successfully authenticating in-band if the factor credential values contain lowercase characters. This section describes important considerations for mixed-case passwords.

About this task

Mixed-case credentials are often expected when using many authentication servers, such as RSA SecurID or RADIUS. When authenticating with in-band authentication, IBM MFA passes authentication requests made using RACF through to these servers, which means that a mixed-case credential value must be accepted by RACF and passed on to IBM MFA.

If the mixed-case credential is a passphrase (it has 9 or more characters), it will always be accepted and passed through. However, if the mixed-case credential is a password (it has 8 or fewer characters), SETROPTS PASSWORD(MIXEDCASE) must be enabled for it to be accepted and passed through.

The SETROPTS PASSWORD(MIXEDCASE) option allows mixed-case passwords for all users on all applications on this system and on all systems that share the RACF® database.

Important considerations for mixed-case passwords

Mixed-case passwords may be undesirable in the following situations:

  • Not all applications support mixed-case passwords. These applications may expect lowercase passwords to be converted to uppercase characters in RACF. If your applications do not support mixed-case passwords, do not activate the SETROPTS PASSWORD(MIXEDCASE) option.
  • If mixed-case passwords are not feasible in your environment, consider using an IBM MFA out-of-band authentication request to obtain a cache token credential (CTC), which does not depend on the SETROPTS PASSWORD(MIXEDCASE) option, and use the token to perform the authentication request.
  • You do not need mixed-case passwords if the authentication server to which IBM MFA passes an authentication request generates only uppercase credentials that contain 8 or fewer characters.
  • You do not need mixed-case passwords if the authentication server to which IBM MFA passes an authentication request generates only mixed-case credentials that contain 9 or more characters.

Note: Carefully plan your application updates and password rule changes before activating MIXEDCASE. Once MIXEDCASE is activated, subsequently issuing the SETROPTS PASSWORD(NOMIXEDCASE) command might cause unintended results. When you reset to NOMIXEDCASE, users who have mixed-case or lowercase passwords will be unable to enter the system until you reset their passwords. See z/OS Security Server RACF Security Administrator's Guide.
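The following is an added planning example, not part of the IBM documentation. It models the rules above: a credential of 8 or fewer characters is a password, 9 or more is a passphrase, and (as the considerations describe) RACF folds a password to uppercase when MIXEDCASE is not active, so a case-sensitive factor value would reach IBM MFA altered. The sample factor values and the server names are constructed for illustration only.

```python
from dataclasses import dataclass

PASSWORD_MAX_LEN = 8  # credentials longer than this are password phrases


@dataclass(frozen=True)
class Disposition:
    kind: str          # "password" or "passphrase"
    passed_value: str  # value RACF hands to IBM MFA (modelled)
    intact: bool       # True if the factor server sees what the user typed


def racf_disposition(credential: str, mixedcase: bool) -> Disposition:
    """Model what RACF passes to IBM MFA for an in-band factor credential."""
    if len(credential) > PASSWORD_MAX_LEN:
        # Password phrase: always accepted and passed through unchanged.
        return Disposition("passphrase", credential, True)
    if mixedcase:
        # SETROPTS PASSWORD(MIXEDCASE) active: password passed as entered.
        return Disposition("password", credential, True)
    # NOMIXEDCASE (assumed behaviour): lowercase is translated to uppercase,
    # so a credential containing lowercase no longer matches the server value.
    folded = credential.upper()
    return Disposition("password", folded, folded == credential)


def mixedcase_required(sample_credentials) -> list:
    """Return the sample credentials that would fail in-band authentication
    under NOMIXEDCASE; an empty list means MIXEDCASE is not needed for them."""
    return [c for c in sample_credentials
            if not racf_disposition(c, mixedcase=False).intact]


# Constructed sample factor values, one per planned authentication server.
SAMPLES = {
    "securid_tokencode": "48213907",     # uppercase-safe, 8 chars: fine either way
    "radius_short_mixed": "Xy7kQ2mn",    # 8 chars with lowercase: needs MIXEDCASE
    "radius_long_mixed": "Xy7kQ2mnPq4",  # 11 chars: treated as a phrase, fine
}

if __name__ == "__main__":
    for name, cred in SAMPLES.items():
        d = racf_disposition(cred, mixedcase=False)
        print(f"{name:20} {d.kind:10} passed={d.passed_value!r} intact={d.intact}")
    print("MIXEDCASE required for:", mixedcase_required(SAMPLES.values()))
```

Any credential reported by mixedcase_required is one for which the site must either activate MIXEDCASE or use the out-of-band cache token credential route described above.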

Procedure

  1. Enter the following command to enable mixed-case passwords in RACF:
    SETROPTS PASSWORD(MIXEDCASE)
  2. Verify the changes.