Using RACF to authorize console operators and command use
If your installation requires additional security controls on the use of system commands, you must first determine what controls are required. For example, do you want to require all your operators to log on to MCS, HMCS or SMCS consoles, or do you want certain operators with special authority to be able to enter commands that require a higher authority than the console itself allows? Do you want to audit logon activity? If so, do you want to log all command activity or only unauthorized, or unsuccessful, attempts to issue system commands? Using RACF® together with the LOGON keyword in CONSOLxx can help you achieve the kind of added security you need.
An operator typically logs on to a single console. However, if you want to allow an operator to log on to multiple consoles concurrently within a system or sysplex, your security administrator can enable this. When the security profile MVS.MULTIPLE.LOGON.CHECK is defined in the OPERCMDS class, an operator may log on to multiple consoles. Defining this profile allows all operators to log on multiple times. There is no limit to the number of consoles to which an operator may log on. Operators are still required to provide a password while logging on to each console.
Console password phrase support is enabled on a system when a specific security profile is defined. The consoles function checks only for the existence of that profile in the OPERCMDS class; it does not check whether any user ID has access to it. The profile must cover the MVS.CONSOLE.PASSWORDPHRASE.CHECK resource, for example:
RDEFINE OPERCMDS (MVS.CONSOLE.PASSWORDPHRASE.CHECK)
If the profile exists, the new LOGON panel is displayed, which accepts either a password phrase or a standard eight (8) character password. A console that is already active does not pick up the new panel until its logon display is refreshed; do one of the following:
- Place the console in standby mode (VARY CN(*),STANDBY) and then take the console out of standby mode by pressing the enter key on the console.
- Vary the console offline (VARY CN(cnname),OFFLINE) and then back online (VARY CN(cnname),ONLINE). Note that the online request must be made from another active console.
- Re-IPL the system.
- Note that SMCS consoles do not support standby, so they must be logged off and then reconnected to z/OS.
Note that while an operator is logging on, z/OS may issue messages that refer to passwords. In these messages, "password" means either a password (the 8-character variety) or a password phrase.
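The following batch job is an added example, not part of this page or of any IBM-supplied sample: it runs the RACF commands that define the MVS.MULTIPLE.LOGON.CHECK and MVS.CONSOLE.PASSWORDPHRASE.CHECK existence-check profiles described above, and, to illustrate the command-authorization and auditing discussed on this page, also protects one family of operator commands with an audited profile. The job name, account, the group OPERGRP, and the resource name MVS.VARY.CN.** are illustrative assumptions; before using a command profile, confirm the correct resource name and required access level for that command in the command-to-resource table in z/OS MVS Planning: Operations.

```jcl
//RACFCONS JOB (ACCT),'CONSOLE SECURITY',CLASS=A,MSGCLASS=X
//*
//* Added example (not from the page): enable the two console
//* switches in the OPERCMDS class and protect one command family
//* with an audited profile. Run under a user ID that has RACF
//* SPECIAL or CLAUTH(OPERCMDS) authority.
//*
//* Assumptions (illustrative only): group OPERGRP is the set of
//* operators allowed to issue the protected command, and
//* MVS.VARY.CN.** stands for the resource name of the command
//* family you want to control; check the real name and required
//* access level in z/OS MVS Planning: Operations.
//*
//* The two *.CHECK profiles are existence switches: the consoles
//* function only tests that they exist, so their UACC and access
//* list do not matter. UACC(NONE) is used so they cannot be
//* mistaken for grants of anything.
//*
//* SETROPTS GENERIC is needed for the ** generic profile, and the
//* OPERCMDS class is RACLISTed, so a REFRESH is required before
//* any new profile takes effect.
//*
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  SETROPTS CLASSACT(OPERCMDS) GENERIC(OPERCMDS) RACLIST(OPERCMDS)
  RDEFINE OPERCMDS MVS.MULTIPLE.LOGON.CHECK UACC(NONE)
  RDEFINE OPERCMDS MVS.CONSOLE.PASSWORDPHRASE.CHECK UACC(NONE)
  RDEFINE OPERCMDS MVS.VARY.CN.** UACC(NONE) AUDIT(ALL(READ))
  PERMIT MVS.VARY.CN.** CLASS(OPERCMDS) ID(OPERGRP) ACCESS(CONTROL)
  SETROPTS RACLIST(OPERCMDS) REFRESH
  RLIST OPERCMDS MVS.MULTIPLE.LOGON.CHECK
  RLIST OPERCMDS MVS.CONSOLE.PASSWORDPHRASE.CHECK
  RLIST OPERCMDS MVS.VARY.CN.** AUTHUSER
/*
```

After the job runs, the RLIST output confirms that the two existence-check profiles are present and shows the access list and AUDIT setting of the command profile. AUDIT(ALL(READ)) records both successful and failed accesses at READ or above, which is what you want while verifying who is issuing the protected command; once the access list is settled, AUDIT(FAILURES) keeps the SMF volume down while still capturing unauthorized attempts. Consoles that were already active when the password phrase profile was defined still need the standby, VARY OFFLINE/ONLINE, or re-IPL step listed above before they present the new LOGON panel.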
If your installation uses extended MCS consoles, you need to plan for their security. Your TSO or security administrator can help you authorize TSO/E users and control the console attributes (defined in the OPERPARM segment) for those users. For examples, see Controlling extended MCS consoles using RACF.
Note that using RACF to authorize commands increases the path length the system requires to process each command, and auditing command activity increases the number of security-related SMF records (RACF type 80 records) that your system generates.