Security Planning

Sterling Connect:Direct® supports signon security checking through its own Authorization Facility and through security exits interfacing with CA-ACF2 and CA-TOP SECRET by Computer Associates International, Inc., and Resource Access Control Facility (RACF) by IBM®. Any of these packages can control access to Sterling Connect:Direct functions. Read Implementing Security in the IBM Sterling Connect:Direct for z/OS® Administration Guide.

If your system has z/OS UNIX System Services and RACF Program Control turned on, every JOBLIB/STEPLIB/LINKLIB DSN in the Sterling Connect:Direct startup must be in the appropriate RACF Program Control list for HFS support to work correctly. If not, z/OS UNIX System Services considers the address space “dirty,” and setting thread-level security (which HFS support uses) fails with 0000008B xxxx02AF. Sterling Connect:Direct initialization fails with the message SITA997I.
Note: The SPAdmin tool will not be able to open a secure parameter file created in a previous version. See DGASCONV – Secure Parameter File Conversion Utility for more information.

RACF Password Phrase (Passphrase)

Sterling Connect:Direct for z/OS supports RACF Password Phrase (Passphrase) up to 64 characters in length. A passphrase can be used in place of a password at any location within Connect:Direct where a password is accepted. For more information on RACF support of Password Phrase, see the Security Server RACF General User's Guide, SA22-7685-05 at http://pic.dhe.ibm.com/infocenter/zos/v1r12/index.jsp?topic=%2Fcom.ibm.zos.r12.icha100%2Fichza14003.htm.

Passphrases can contain characters that the Connect:Direct z/OS parser defines as "delimiter" characters:
Character   Description
(blank)     blank
<           less than
¬           logical not
,           comma
>           greater than
=           equal sign
/           forward slash
\           backward slash
'           single quote
"           double quote
(           open parenthesis
)           close parenthesis

Passphrases can begin with a blank.

Passphrases can end with a blank.

Special Connect:Direct z/OS rules for Passphrase:

  • Passphrases that contain a special character that is also a "delimiter" must be enclosed in double quotes or single quotes:
    'This is<a>passphrase.'

    or

    "This is<a>passphrase."
  • Passphrases that end with a blank must be enclosed with a combination of single quotes and double quotes:
    '" Passphrase that contains blanks. "'
  • Passphrases that contain one or more single quotes must be enclosed in double quotes:
    "That's a passphrase, not his'ns."
    Note: Passphrases that contain single quotes cannot be entered in the ISPF panels and should be avoided.
  • Passphrases that contain one or more double quotes must be enclosed in single quotes:
    'Passphrase for the "world".'
  • Rules for entering a passphrase through the ISPF panels are the same as for entering the passphrase in a PROCESS statement. However, they are somewhat relaxed:
    • The ISPF code automatically encloses the passphrase in single quotes if it isn't entered enclosed in single or double quotes.
      This is a <passphrase> and is "easy" to enter.

      or

      'This is a <passphrase> and is "easy" to enter.'
    • Passphrases that end in a blank should be enclosed in double quotes (or the single/double quote - double/single quote pair).
      "This is a passphrase that ends with a blank. "

      or

      '"This is a passphrase that ends with a blank. "'
      Note: Passphrases that contain a single quote cannot be entered into the ISPF panels and should be avoided.
      Note: If "delimiter" characters are avoided, entering the longer passphrase is the same as entering the password.

Summary

Passphrase                                                          Enclosed within
Contains no Connect:Direct "delimiter"                              none required
Contains a Connect:Direct "delimiter" other than a single quote
  and/or double quote (see ending-blank rule below)                 ' or "
Contains a single quote (cannot be entered with ISPF)               "
Contains a double quote                                             '
Contains both a single quote and a double quote                     Not allowed
Ends with a blank, but has no single quote or double quote          '" "'
Ends with a blank, and has a single quote or double quote           Not allowed
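The quoting rules and the summary table above can be checked mechanically before a passphrase is placed in a PROCESS statement. The following helper is an added example, not part of the IBM documentation or of Connect:Direct itself; the function and exception names are assumed, and the ispf flag only adds the single-quote restriction the ISPF panels impose.

```python
# Added example (not from the IBM documentation): classify a RACF passphrase
# against the Connect:Direct z/OS quoting rules and return the form in which
# it must be written in a PROCESS statement. Names are assumed.
MAX_PASSPHRASE_LEN = 64  # longest passphrase Connect:Direct for z/OS supports

# Characters the Connect:Direct z/OS parser treats as "delimiter" characters.
DELIMITERS = set(' <¬,>=/\\\'"()')


class PassphraseError(ValueError):
    """Raised when the passphrase cannot be entered at all."""


def enclose_passphrase(phrase: str, ispf: bool = False) -> str:
    """Return the passphrase as it must appear in a PROCESS statement.

    Raises PassphraseError for the combinations the summary table marks
    'Not allowed' and, when ispf=True, for single quotes, which cannot be
    entered through the ISPF panels.
    """
    if len(phrase) > MAX_PASSPHRASE_LEN:
        raise PassphraseError(f"passphrase exceeds {MAX_PASSPHRASE_LEN} characters")
    has_single = "'" in phrase
    has_double = '"' in phrase
    ends_blank = phrase.endswith(" ")

    if has_single and has_double:
        raise PassphraseError("passphrase may not contain both ' and \"")
    if ends_blank and (has_single or has_double):
        raise PassphraseError("passphrase ending in a blank may not contain quotes")
    if ispf and has_single:
        raise PassphraseError("passphrases containing ' cannot be entered in ISPF panels")

    if ends_blank:
        return f"'\"{phrase}\"'"        # single/double quote pair around trailing blank
    if has_single:
        return f'"{phrase}"'           # double quotes around an embedded '
    if has_double:
        return f"'{phrase}'"           # single quotes around an embedded "
    if any(c in DELIMITERS for c in phrase):
        return f"'{phrase}'"           # either quote works; single quote chosen
    return phrase                      # no delimiter: no enclosure required
```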