Configure RACF for mixed case
IBM® generally recommends that you enable mixed-case passwords if you use IBM MFA in-band authentication. If mixed-case passwords are not enabled, you may have problems authenticating in-band if the factor credential values contain lowercase characters. This section describes important considerations for mixed-case passwords.
About this task
Many authentication servers, such as RSA SecurID or RADIUS, often expect mixed-case credentials. With in-band authentication, IBM MFA passes authentication requests made using RACF through to these servers, which means that a mixed-case credential value must be accepted by RACF and passed on to IBM MFA.
If the mixed-case credential is a passphrase (it has 9 or more characters), it is always accepted and passed through. However, if the mixed-case credential is a password (it has 8 or fewer characters), SETROPTS PASSWORD(MIXEDCASE) must be enabled for it to be accepted and passed through.
The SETROPTS PASSWORD(MIXEDCASE) option allows mixed-case passwords for all users on all applications on this system and on all systems that share the RACF® database.
Mixed-case passwords may be undesirable or unnecessary in the following situations:
- Not all applications support mixed-case passwords. These applications may expect lowercase passwords to be converted to uppercase characters in RACF. If your applications do not support mixed-case passwords, do not activate the SETROPTS PASSWORD(MIXEDCASE) option.
- If mixed-case passwords are not feasible in your environment, consider using an IBM MFA out-of-band authentication request to obtain a cache token credential (CTC), which does not depend on the SETROPTS PASSWORD(MIXEDCASE) option, and use the token to perform the authentication request.
- You do not need mixed-case passwords if the authentication server to which IBM MFA passes an authentication request generates only uppercase credentials that contain 8 or fewer characters.
- You do not need mixed-case passwords if the authentication server to which IBM MFA passes an authentication request generates only mixed-case credentials that contain 9 or more characters.