Planning console security

Console security means controlling which commands operators can enter on their consoles to monitor and control MVS™. How you define command authorities for your consoles or control logon for operators allows you to plan the operations security of your MVS system or sysplex. In a sysplex, because an operator on one system can enter commands that affect the processing on another system, your security measures become more complicated and you need to plan accordingly.

An operator typically logs on to a single console. However, if you want to allow an operator to log on to multiple consoles concurrently within a system or sysplex, your security administrator can enable this. When the security profile MVS.MULTIPLE.LOGON.CHECK is defined in the OPERCMDS class, an operator may log on to multiple consoles. Defining this profile allows all operators to log on multiple times. There is no limit to the number of consoles to which an operator may log on. Operators are still required to provide a password while logging on to each console.

Password phrase support for consoles is enabled on a system when the corresponding security profile is defined. The profile acts only as a switch: its existence enables the function, and no access authority is checked against any user ID.

The consoles function checks for the existence of a security profile in the OPERCMDS class to cover the MVS.CONSOLE.PASSWORDPHRASE.CHECK resource.

For example, the following RACF command can be used to define the profile (the RACF command is RDEFINE; "REDEFINE" is not a RACF command):
RDEFINE OPERCMDS (MVS.CONSOLE.PASSWORDPHRASE.CHECK)
If the OPERCMDS class is RACLISTed, as it normally is, refresh it with SETROPTS RACLIST(OPERCMDS) REFRESH so that the consoles function sees the new profile.

If the profile exists, the new LOGON panel is displayed. It accepts either a password phrase or a standard eight (8) character password.

After enabling password phrases, active consoles need to be recycled to pick up the setting. If a console is not recycled, the 8-character password processing remains in effect for that console. There are several ways to recycle a console so that the new password state is used:
  • Place the console in standby mode (VARY CN(*),STANDBY) and then take the console out of standby mode by pressing the Enter key on the console.
  • Vary the console offline (VARY CN(cnname),OFFLINE) and then back online (VARY CN(cnname),ONLINE). Note that the online request must be made from another active console.
  • Re-IPL the system.
Note that SMCS consoles do not support standby, so they must be logged off and then reconnected to z/OS.

Note that while an operator logs on, z/OS may issue messages that refer to passwords. In these messages, "password" means either an 8-character password or a password phrase.

If your installation plans to use extended MCS consoles, you should consider ways to control what an authorized TSO/E user can do during a console session. Because an extended MCS console is associated with a TSO/E user ID rather than a physical console, you might want to use RACF® to limit not only which MVS commands the user can enter but also from which TSO/E terminals the user can enter them.
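The following command sequence is an added example and is not part of the original page or of IBM's documentation. It ties together the two RACF tasks described above: defining the OPERCMDS switch profiles (MVS.MULTIPLE.LOGON.CHECK and MVS.CONSOLE.PASSWORDPHRASE.CHECK) and restricting what an extended MCS console user can do and from where. The user ID OPER1, the terminal ID TSOT01, and the choice of DISPLAY commands as the restricted command group are assumptions made for illustration; the access level that each MVS command requires comes from the OPERCMDS resource table in the z/OS documentation. The lines are TSO commands as they would appear in a CLIST, with /* */ comment lines.

```tso
/* Added example, not the page's own code. OPER1, TSOT01 and the   */
/* MVS.DISPLAY.** resource are illustrative assumptions.            */

/* 1. Switch profiles: their existence is the control. No user     */
/*    access is checked, so UACC(NONE) is simply the safe default.  */
RDEFINE OPERCMDS MVS.MULTIPLE.LOGON.CHECK UACC(NONE)
RDEFINE OPERCMDS MVS.CONSOLE.PASSWORDPHRASE.CHECK UACC(NONE)

/* 2. OPERCMDS is normally RACLISTed; refresh so the new profiles  */
/*    take effect. Active consoles must still be recycled to pick  */
/*    up password phrase support.                                   */
SETROPTS RACLIST(OPERCMDS) REFRESH

/* 3. Extended MCS console for TSO/E user OPER1: allow the TSO/E   */
/*    CONSOLE command, and give the user's console the INFO        */
/*    command authority group through the OPERPARM segment.         */
PERMIT CONSOLE CLASS(TSOAUTH) ID(OPER1) ACCESS(READ)
ALTUSER OPER1 OPERPARM(AUTH(INFO))

/* 4. Command-level control: OPER1 may issue DISPLAY commands      */
/*    (READ access in OPERCMDS) only when logged on at terminal    */
/*    TSOT01. The conditional access list entry is evaluated only  */
/*    when the TERMINAL class is active (assumed prerequisite).    */
RDEFINE OPERCMDS MVS.DISPLAY.** UACC(NONE)
PERMIT MVS.DISPLAY.** CLASS(OPERCMDS) ID(OPER1) ACCESS(READ) +
  WHEN(TERMINAL(TSOT01))
SETROPTS RACLIST(OPERCMDS) REFRESH

/* 5. Verify what was defined before relying on it.                */
RLIST OPERCMDS MVS.MULTIPLE.LOGON.CHECK
RLIST OPERCMDS MVS.CONSOLE.PASSWORDPHRASE.CHECK
RLIST OPERCMDS MVS.DISPLAY.** AUTHUSER
LISTUSER OPER1 OPERPARM NORACF
```

A practical check after step 4 is to log on as OPER1 from a terminal other than TSOT01, start a console session, and confirm that a DISPLAY command is rejected, then repeat from TSOT01. Because the two switch profiles in step 1 have no access checking, granting anyone access to them changes nothing; removing the profile is the only way to turn the function off.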

You can control whether an operator can enter commands from a console:
  • Through the AUTH keyword on the CONSOLE statement of CONSOLxx.
  • Through the LOGON keyword of the DEFAULT statement, together with RACF commands and profiles.

Controlling command authority with the AUTH attribute describes the AUTH attribute and command groups. Using RACF to control command authority and operator logon describes RACF and the LOGON keyword for the DEFAULT statement. Special security considerations for SMCS consoles appear in Providing security for SMCS consoles.