Migrate to KDFAES for Stronger Encryption of RACF Passwords
VLF Caching and CPACF
The virtual lookaside facility (VLF) needs to be properly configured to cache RACF information. It's the first logon of the day that's the costly one; if you don't enable this caching, you run the risk of a performance problem.
To enable VLF caching of logons, code the following in SYS1.PARMLIB(COFVLFxx):
While you're there, validate that the following entries exist in the COFVLFxx parmlib member:
In order of appearance in the parmlib statements above, they:
Cache RACF Group Tree
Cache User Security Packet for z/OS UNIX
Cache z/OS UNIX Group IDs
Cache z/OS UNIX User IDs
Changing these parms requires a restart of VLF or an IPL.
The Central Processor Assist for Cryptographic Functions (CPACF) needs to be enabled for hardware acceleration of AES. There are two ways to validate that this support is enabled:
Ask your systems programmer, who can validate from the HMC that CPACF is enabled on every system.
If you're running the Integrated Cryptographic Services Facility (ICSF), check its messages for:
CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE.
To Convert or Not to Convert
There are two schools of thought about migrating to AES. You can simply enable the support in RACF:
Then wait for passwords to convert as time marches on. Eventually every password in your password history will be converted to AES as users log on and change them. But do you have time to wait?
I prefer and recommend option two. Enable AES support in RACF the same way. Next, build RACF commands to convert all passwords to AES using the new command:
ALU UserID PWCONVERT
I prefer converting everything up front because I can tell my auditors I am "fully" converted to AES, and I'd rather find out now than later if I have a problem. Your mileage may vary depending upon your business requirements, so I provide both methods; choose the one that makes the most sense for your business.
If you adopted passphrases before enabling AES, then you're in for a shock. There is no command you can use to convert a RACF passphrase from DES to AES. The only option available to you is to force the end user to change the password using the command:
ALTUSER UserID EXPIRE
That’s right; RACF now supports expiration of passwords. You could forcibly expire the password of your passphrase users as one strategy.
If you have non-humans (i.e., servers) logging in using passphrases, then consider this approach:
ALTUSER UserID NOPASSWORD
ALTUSER UserID PWCLEAN
ALTUSER UserID PHRASE('MyLongPasswordPhraseGoesHere')
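The article leaves building the conversion command deck to the reader. The script below is an added example, not code from the article or from IBM, that generates the three kinds of commands described above (ALU PWCONVERT for ordinary users, ALTUSER EXPIRE for humans who already use passphrases, and the NOPASSWORD / PWCLEAN / PHRASE sequence for service IDs). It assumes the user list comes from an IRRDBU00 database unload in which each record starts with a four-character record type and the type 0200 (user basic data) record carries the user ID in columns 10 to 17; the sample unload lines, the user IDs and the passphrase values are constructed for the example. Which IDs are human passphrase users and which are service IDs is supplied by the caller, since the article offers no automatic way to tell them apart.

```python
"""Build a RACF command deck for a one-shot KDFAES migration (added example)."""

# Constructed sample of IRRDBU00 output. Columns 1-4 hold the record type,
# columns 10-17 the profile name (assumed layout). The 0100 record is a
# group record and must be skipped; only 0200 user records count.
SAMPLE_UNLOAD = [
    "0100     SYS1     2010-01-01 ...",
    "0200     ALICE    2015-05-01 ...",
    "0200     BATCH01  2016-02-14 ...",
    "",
    "0200     BOB      2017-09-30 ...",
]


def user_ids_from_unload(lines):
    """Return the user IDs of all type 0200 records, in order, without duplicates."""
    seen, ids = set(), []
    for line in lines:
        if line[0:4] != "0200":          # not a user basic data record
            continue
        uid = line[9:17].strip()         # columns 10-17, 1-based
        if uid and uid not in seen:
            seen.add(uid)
            ids.append(uid)
    return ids


def racf_quote(text):
    """Quote a value for a RACF command; an apostrophe inside is doubled."""
    return "'" + text.replace("'", "''") + "'"


def build_commands(user_ids, passphrase_humans=frozenset(), service_phrases=None):
    """Emit one command group per user ID.

    passphrase_humans: IDs of people who already log on with a passphrase and
                       must therefore be expired (no conversion command exists).
    service_phrases:   mapping of service ID -> new passphrase; these IDs get
                       the NOPASSWORD, PWCLEAN, PHRASE sequence from the article.
    Everyone else gets ALU ... PWCONVERT.
    """
    service_phrases = service_phrases or {}
    commands = []
    for uid in user_ids:
        if uid in service_phrases:
            commands.append(f"ALTUSER {uid} NOPASSWORD")
            commands.append(f"ALTUSER {uid} PWCLEAN")
            commands.append(f"ALTUSER {uid} PHRASE({racf_quote(service_phrases[uid])})")
        elif uid in passphrase_humans:
            commands.append(f"ALTUSER {uid} EXPIRE")
        else:
            commands.append(f"ALU {uid} PWCONVERT")
    return commands


if __name__ == "__main__":
    ids = user_ids_from_unload(SAMPLE_UNLOAD)
    # Constructed classification and phrase; in practice the phrase comes
    # from your secret store, never from a script literal.
    deck = build_commands(
        ids,
        passphrase_humans={"BOB"},
        service_phrases={"BATCH01": "MyLongPasswordPhraseGoesHere"},
    )
    print("\n".join(deck))
```

Run the script against a real unload by replacing SAMPLE_UNLOAD with the file's lines, then feed the printed deck to TSO in batch. Keep the service-ID passphrases out of the script and out of the saved job output.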