
Migrate to KDFAES for Stronger Encryption of RACF Passwords

VLF Caching and CPACF

The virtual lookaside facility (VLF) must be configured to cache RACF information. With KDFAES, the first logon of the day is the costly one; later logons that day reuse the cached entry. If you don't enable this caching, you run the risk of a performance problem.

To enable VLF caching of logons, code the following in SYS1.PARMLIB(COFVLFxx):

CLASS NAME(IRRACEE)
      EMAJ(ACEE)

While you are there, verify that the following entries also exist in the COFVLFxx parmlib member:

CLASS NAME(IRRGTS)
      EMAJ(GTS)

CLASS NAME(IRRSMAP)
      EMAJ(SMAP)

CLASS NAME(IRRGMAP)
      EMAJ(GMAP)

CLASS NAME(IRRUMAP)
      EMAJ(UMAP)

In the order the parmlib statements above appear, these classes:

  • Cache RACF Group Tree
  • Cache User Security Packet for z/OS UNIX
  • Cache z/OS UNIX Group IDs
  • Cache z/OS UNIX User IDs

Changing these parms requires a restart of VLF or an IPL.
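The check above ("verify that the entries exist") is easy to script. The following is an added example, not code from the article or from IBM: it strips the /* */ comments from a COFVLFxx member, collects every CLASS NAME(...) EMAJ(...) pair, and reports which of the five RACF classes named above are missing or carry the wrong EMAJ value. The sample member is constructed for the example and deliberately has one class missing and one mis-coded.

```python
import re

# RACF VLF classes the article says should be present in COFVLFxx,
# together with the EMAJ value each must carry.
REQUIRED_VLF_CLASSES = {
    "IRRACEE": "ACEE",   # cached ACEEs (logon)
    "IRRGTS": "GTS",     # RACF group tree
    "IRRSMAP": "SMAP",   # user security packet for z/OS UNIX
    "IRRGMAP": "GMAP",   # z/OS UNIX group IDs
    "IRRUMAP": "UMAP",   # z/OS UNIX user IDs
}

# Constructed sample member (not from a real system): IRRUMAP is missing
# and IRRGMAP carries the wrong EMAJ value.
SAMPLE_COFVLF = """\
/* COFVLF00 - constructed sample, not a real parmlib member          */
CLASS NAME(IRRACEE)            /* RACF accessor environment elements */
      EMAJ(ACEE)
CLASS NAME(IRRGTS)
      EMAJ(GTS)
CLASS NAME(IRRSMAP)
      EMAJ(SMAP)
CLASS NAME(IRRGMAP)
      EMAJ(WRONG)
CLASS NAME(CSVLLA) EMAJ(SYS1.LINKLIB)
"""


def strip_comments(text):
    """Remove /* ... */ comments, which may span lines in a parmlib member."""
    return re.sub(r"/\*.*?\*/", " ", text, flags=re.S)


def parse_vlf_classes(text):
    """Return {class_name: emaj} for every CLASS statement in a COFVLFxx member.

    Statements are joined into one string first, because NAME and EMAJ may sit
    on different lines (as in the article's examples).
    """
    flat = " ".join(strip_comments(text).split())
    classes = {}
    pattern = r"CLASS\s+NAME\(([^)]+)\)(.*?)(?=CLASS\s+NAME\(|$)"
    for m in re.finditer(pattern, flat, flags=re.I):
        name = m.group(1).strip().upper()
        emaj = re.search(r"EMAJ\(([^)]+)\)", m.group(2), flags=re.I)
        classes[name] = emaj.group(1).strip().upper() if emaj else None
    return classes


def check_racf_vlf_caching(text):
    """Return a list of (class, problem) findings; an empty list means all good."""
    found = parse_vlf_classes(text)
    findings = []
    for name, emaj in REQUIRED_VLF_CLASSES.items():
        if name not in found:
            findings.append((name, "missing"))
        elif found[name] != emaj:
            findings.append((name, f"EMAJ is {found[name]}, expected {emaj}"))
    return findings


if __name__ == "__main__":
    for cls, problem in check_racf_vlf_caching(SAMPLE_COFVLF):
        print(f"{cls}: {problem}")
```

Run it against a copy of the live member (downloaded from SYS1.PARMLIB, or the member your systems programmer gives you) and an empty result means the five classes are coded as the article describes; a non-empty result is the list of statements to add or correct before the VLF restart or IPL.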

The Central Processor Assist for Cryptographic Functions (CPACF) needs to be enabled for hardware acceleration of AES. There are two ways to validate that this support is enabled:

  1. Ask your systems programmer, who can confirm from the HMC that CPACF is enabled for every system.
  2. If you're running the Integrated Cryptographic Services Facility (ICSF), check its output for the message:

     CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE.

To Convert or Not to Convert

There are two schools of thought about migrating to AES. You can simply enable the support in RACF:

SETR PASSWORD(ALGORITHM(KDFAES))

Then wait for passwords to convert as time marches on. Eventually every password, including those in your password history, will be converted to AES as users log on and change them. But do you have time to wait?

I prefer and recommend option two. Enable AES support in RACF the same way. Next, build RACF commands to convert all passwords to AES using the new command:

ALU UserID PWCONVERT

I prefer converting everything up front because I can tell my auditors I am "fully" converted to AES, and I'd rather find out now than later if I have a problem. Your mileage may vary depending on business requirements, so I provide both methods; choose the one that makes the most sense for your business.

Passphrase Considerations

If you adopted passphrases before enabling AES, you're in for a shock. There is no command that converts a RACF passphrase from DES to AES. The only option available to you is to force the end user to change the password, using the command:

ALTUSER UserID EXPIRE

That’s right; RACF now supports expiration of passwords. You could forcibly expire the password of your passphrase users as one strategy.

If you have non-human IDs (e.g., servers) logging in with passphrases, consider this approach:

ALTUSER UserID NOPASSWORD
ALTUSER UserID PWCLEAN
ALTUSER UserID PHRASE('MyLongPasswordPhraseGoesHere')
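Building the command deck for the up-front conversion (the ALU ... PWCONVERT approach above) and for the passphrase cases in this section is mostly bookkeeping, and it is worth doing in a script so the same rules apply to every ID. The following is an added example, not code from the article or from IBM. It assumes a constructed inventory of (user ID, has password, has passphrase, is human) tuples such as you might build from an IRRDBU00 unload or LISTUSER output; the exact source is an assumption. It validates user ID syntax, drops duplicates, emits ALU PWCONVERT for IDs with a password and ALTUSER EXPIRE for human IDs with a passphrase, and sets aside non-human passphrase IDs, which need a new phrase value and so cannot be scripted blindly (the NOPASSWORD/PWCLEAN/PHRASE sequence above).

```python
import re

# A RACF user ID is 1-8 characters from letters, digits and the national
# characters # @ $ (assumption for this example; the check is syntactic only).
USERID_RE = re.compile(r"^[A-Z0-9#@$]{1,8}$")

# Constructed inventory for the example: (userid, has_password, has_phrase, is_human).
# In practice you would derive this from an IRRDBU00 unload or LISTUSER output.
SAMPLE_USERS = [
    ("JSMITH", True, False, True),
    ("ABROWN", True, True, True),       # password and passphrase
    ("APPSRV1", False, True, False),    # server ID, passphrase only
    ("jsmith", True, False, True),      # duplicate of JSMITH, different case
    ("TOOLONGID9", True, False, True),  # invalid: 9 characters
    ("IBMUSER", True, False, True),
]

MANUAL_PHRASE_RESET = "passphrase on non-human ID: reset with NOPASSWORD/PWCLEAN/PHRASE"


def build_conversion_commands(users):
    """Return (commands, manual, rejected).

    commands: RACF commands to run as-is, in input order.
    manual:   (userid, reason) pairs that need a hand-chosen new phrase.
    rejected: (userid, reason) pairs dropped before any command was built.
    """
    commands, manual, rejected, seen = [], [], [], set()
    for userid, has_password, has_phrase, is_human in users:
        uid = userid.strip().upper()
        if not USERID_RE.match(uid):
            rejected.append((userid, "invalid user ID syntax"))
            continue
        if uid in seen:
            rejected.append((userid, "duplicate"))
            continue
        seen.add(uid)
        if has_password:
            # The article's new command: re-hash the password and history as KDFAES.
            commands.append(f"ALU {uid} PWCONVERT")
        if has_phrase:
            if is_human:
                # No command converts a passphrase; force the user to change it.
                commands.append(f"ALTUSER {uid} EXPIRE")
            else:
                # A server cannot respond to an expired phrase; needs a new phrase value.
                manual.append((uid, MANUAL_PHRASE_RESET))
        if not has_password and not has_phrase:
            rejected.append((userid, "no password or passphrase to convert"))
    return commands, manual, rejected


if __name__ == "__main__":
    cmds, todo, bad = build_conversion_commands(SAMPLE_USERS)
    print("\n".join(cmds))
    for uid, why in todo:
        print(f"* MANUAL  {uid}: {why}")
    for uid, why in bad:
        print(f"* SKIPPED {uid}: {why}")
```

The printed command lines are each well under 72 columns, so they can be dropped straight into a batch TSO SYSTSIN or submitted from an ISPF command list; the "manual" list is the set of server IDs you must handle one at a time, because each needs a new phrase coordinated with the application owner.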

Joel Tilton is a senior mainframe security engineer. A former employee of IBM, where he got his start with mainframes, he continues to champion mainframe security issues and solutions. The views expressed are his own personal views, and are not endorsed or supported by, and do not necessarily express or reflect, the views, positions or strategies of his employer. He can be reached via LinkedIn at http://www.linkedin.com/in/joeltilton.
