
How to Ensure a Secure IBM Z System With RACF

Systems like IBM Z rely on passwords to be secure. RACF offers various options which can be used to strengthen password complexity.


Once upon a time, it was easy to secure a z/OS* (e.g., MVS) system. Users were defined, passwords were created and data sets were protected. Users accessed the mainframe from terminals connected directly to it. Now consider today’s environment. Users are accessing the mainframe from different places and devices.

IBM Z* systems host mission-critical corporate information and production applications for banking, financial services, healthcare, government and retail companies that require highly secure systems.

Passwords are critical gatekeepers to our digital identities, allowing us to access online shopping, dating, banking, social media, private work and life communications. They can present a relatively simple point of attack for hackers to exploit.

Systems like the IBM Z platform that rely on passwords for security must enforce password controls and provide user education. Users tend to pick common passwords, write down passwords and unintentionally install malware that can key-log passwords. Good passwords are hard to remember, so people often pick passwords that are either patterns or are simple.

While a password like 9$Ff2%^*( may be strong, this leads to another problem: Good passwords are often written down to help the user remember. Or, a user reuses the password or makes a minimal change to it. Passwords can be forgotten. Now think about this: How many passwords do you have?

Secure RACF Password Suggestions

Thinking about passwords, and specifically about RACF*, which provides the authentication options for the mainframe, various options can be used to strengthen password complexity. Some options include:

  • Setting up RACF to require an eight-character password made up of uppercase letters, digits and national characters (@#$). With 39 possible characters per position, the number of possible passwords is 39**8, or 5,352,009,260,481.
  • Adding mixed-case letters to the above gives 65 possible characters per position, for 65**8, or 318,644,812,890,625, possible eight-character passwords.
  • Taking it one step further, adding 14 special characters raises the possible combinations to 79**8, or 1,517,108,809,906,561.

Beyond the Eight-Character Password

Beyond the eight-character password, RACF offers other options for authenticating with the mainframe. These will be described in the following sections.

Password Phrase
A password phrase is a character string consisting of mixed-case letters, numbers and special characters including blanks. RACF enforces a basic set of syntax rules to establish strength in password phrases, including:

  • Maximum length of 100 characters
  • Minimum length of nine characters when the ICHPWX11 exit is present and allows the new value, or 14 characters when ICHPWX11 isn’t present
  • Must not contain the user ID (as sequential uppercase or sequential lowercase characters)
  • Must contain at least two alphabetic characters (“A” through “Z” or “a” through “z”)
  • Must contain at least two non-alphabetic characters (numerics, punctuation or special characters)
  • Must not contain more than two consecutive characters that are identical
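As an added example (not IBM's code), the following Python checker mirrors the password phrase syntax rules listed above and also computes the eight-character keyspace sizes from the earlier section; the function names, the treatment of blanks as non-alphabetic characters and the assumption that installation exits add no further rules are my own.

```python
from string import ascii_letters

# Added example, not IBM's code. Hypothetical helper that reports which of the
# basic RACF password phrase syntax rules a candidate phrase breaks.
def phrase_violations(phrase: str, userid: str, ichpwx11_present: bool = False) -> list:
    """Return the rules the phrase breaks; an empty list means it passes.

    Assumption: the ICHPWX11 exit, when present, allows the new value, so the
    minimum length is nine; without the exit the minimum is 14. Maximum is 100.
    """
    problems = []
    minimum = 9 if ichpwx11_present else 14
    if len(phrase) < minimum:
        problems.append(f"shorter than {minimum} characters")
    if len(phrase) > 100:
        problems.append("longer than 100 characters")
    # The user ID must not appear as a run of all-uppercase or all-lowercase characters.
    if userid.upper() in phrase or userid.lower() in phrase:
        problems.append("contains the user ID")
    # At least two letters (A-Z or a-z) and at least two non-letters.
    # Assumption: blanks count as non-alphabetic (special) characters here.
    alpha = sum(c in ascii_letters for c in phrase)
    if alpha < 2:
        problems.append("fewer than two alphabetic characters")
    if len(phrase) - alpha < 2:
        problems.append("fewer than two non-alphabetic characters")
    # No more than two identical characters in a row (e.g. "111" fails, "11" is fine).
    for i in range(2, len(phrase)):
        if phrase[i] == phrase[i - 1] == phrase[i - 2]:
            problems.append("three or more identical consecutive characters")
            break
    return problems


def keyspace(alphabet_size: int, length: int = 8) -> int:
    """Number of distinct passwords of the given length over an alphabet.

    The article's three cases are 39 (uppercase, digits, @#$), 65 (adds
    lowercase) and 79 (adds 14 special characters) for length 8.
    """
    return alphabet_size ** length


if __name__ == "__main__":
    for size in (39, 65, 79):
        print(f"{size}**8 = {keyspace(size):,}")
    # Constructed sample phrases; "IBMUSER" is a constructed user ID.
    print(phrase_violations("Correct horse battery staple 42", "IBMUSER"))
    print(phrase_violations("IBMUSER rocks 111", "IBMUSER"))
```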

PassTicket
The RACF PassTicket function allows a workstation to communicate with the mainframe without sending a RACF password or password phrase. This secured signon function creates a one-time-use token that isn’t reusable and is time dependent. The PassTicket is generated by the requesting product or function, and end users of the application use it to authenticate.

Digital Certificate
A digital certificate is a digital document issued by a trusted third party that binds an end entity to a public key. Two parties are involved in the use of certificates: one party uses a certificate to identify itself, and the other party must validate it. This process is referred to as a handshake, and the protocol used is SSL/Transport Layer Security (TLS). For the handshake to work, both parties must store the certificates in their own certificate store (also referred to as a keystore or a key database).

Network Authentication Service
Kerberos performs authentication as a trusted third-party authentication service by using conventional shared secret-key cryptography. On z/OS, Kerberos support is provided by the Network Authentication Service.

Network Authentication Service provides a means of verifying the identities of principals, without relying on authentication by the host OS, without basing trust on host addresses, without requiring physical security of all the hosts on the network, and under the assumption that packets traveling along the network can be read, modified and inserted at will. The Network Authentication Service uses RACF to store and administer information about principals and realms.

IBM Multi-Factor Authentication for z/OS
IBM Multi-Factor Authentication for z/OS (IBM MFA) requires users to authenticate with multiple authentication factors during the logon process. The main support components for IBM MFA on z/OS are the MFA server and RACF. This MFA solution is designed to be very flexible because it’s not locked to any particular authentication factors. As new authentication factors become available, they can be added to MFA for z/OS without requiring changes to the RACF MFA infrastructure.

MFA raises the level of assurance of mission-critical systems with a flexible and tightly integrated solution. Together, MFA and the RACF security server infrastructure create a layered defense by requiring selected z/OS users to log on with more than one authentication factor, including:

  • Something they know (e.g., a password or security question)
  • Something they have (e.g., an ID badge or cryptographic token device)
  • Something they are (e.g., a fingerprint)


Multiple Options

Multiple ways to authenticate with RACF exist to provide a highly securable z/OS environment. More than one of the aforementioned options could be the solution to strengthen authentication to the mainframe.
