IBM Security zSecure support for RACF password phrase interval

By Jeroen Tiggelman posted Tue August 02, 2022 08:18 AM


z/OS Security Server RACF has provided new function updates in the service stream that allow a password phrase interval separate from, and longer than, the password interval, for z/OS 2.5. Functional updates have been provided to zSecure 2.5 to exploit this new functionality.


Password phrases provide better security than traditional passwords because the secret is longer. It is therefore reasonable to allow a password phrase to be used for longer than a password, which can encourage users to construct a very secure phrase.

Resource Access Control Facility (RACF) is the foundational IBM package for protecting IBM zSystems. When an access check occurs in a resource manager (that is, a program that must make an access decision about the use of certain resources), the application programming interface (API) known as the System Authorization Facility (SAF) is called. If the system is protected by RACF, then SAF forwards the question to that External Security Manager (ESM) and returns the answer (allowed/protection undefined/denied).

IBM Security zSecure suite builds on the security support in IBM zSystems, z/OS, and RACF to enhance mainframe security capabilities. It can help you protect your enterprise, detect threats, comply with policy and regulations and reduce costs. Most of the products run on the z/OS operating system. The zSecure for z/OS release numbers follow those of z/OS. For complete support of a z/OS release, you generally need the same release of zSecure. IBM Security zSecure furthermore helps protect various mainframe sub-systems, including Db2, CICS, IMS, and MQ.

IBM Security zSecure Admin boosts productivity for RACF administrators. While it usually generates RACF commands to make updates, the CKGRACF component can also directly update the RACF database; for example to set a password back to a user-defined default password in case of a lost password (so that the administrator does not know it). IBM Security zSecure Audit helps review the security of the system in various ways, e.g. by formatting event log records from the System Management Facilities (SMF) and by displaying global RACF security settings (SETROPTS configurations). IBM Security zSecure Command Verifier allows you to define granular policies as to which users can make certain changes through RACF commands. IBM Security zSecure CICS Toolkit helps with RACF administration from a Customer Information Control System (CICS) environment. IBM Security zSecure Visual provides a user interface for RACF administration from Windows. IBM Security zSecure Alert is a real-time monitor for security events. The IBM Security zSecure Adapters for SIEM send enriched SMF information to security information and event management (SIEM) solutions such as IBM QRadar SIEM.

With the exception of zSecure CICS Toolkit, updates for password phrase interval support have been provided for all zSecure for z/OS components.

The common query language employed by zSecure Admin, zSecure Audit, zSecure Manager for RACF z/VM, zSecure Alert, zSecure Adapters for QRadar SIEM, and the z/OS Compliance Integration Manager component for IBM Z Security and Compliance Center is called the CARLa Auditing and Reporting Language (CARLa).

New functionality

You can specify a password phrase interval at the user level. If this is specified as 0 (or not specified), the system-wide default password phrase interval is used. Note that, unlike the password interval, where the system-wide default is taken as a maximum, the user-level password phrase interval simply overrides the default. The maximum value is 65534 days. In addition, it is possible to specify that the password phrase will never expire.

If you specify the system-wide default password phrase interval as 0 (or you do not specify it), the password interval will continue to be used.

In all cases, if you have MINCHANGE specified (the minimum number of days between password or password phrase changes), then this is taken as the lower bound of the effective interval.
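The interval rules above, worked through as an added example (not code from the original post, RACF, or zSecure): it resolves the effective password phrase interval per user and lists users whose phrase outlives a local policy limit, which matters because a user-level value overrides the system default instead of being capped by it. The `System` and `User` classes, their field names, the `audit` helper and the sample data are hypothetical, and the order in which the rules combine is this example's reading of the text.

```python
from dataclasses import dataclass

MAX_INTERVAL = 65534  # maximum phrase interval in days, as stated above

@dataclass
class System:  # hypothetical stand-in for the system-wide settings
    password_interval: int      # days; assumed non-zero in this example
    phrase_interval: int = 0    # 0 = not specified
    minchange: int = 0          # minimum days between changes

@dataclass
class User:  # hypothetical stand-in for one user's settings
    userid: str
    password_interval: int = 0  # 0 = not specified
    phrase_interval: int = 0    # 0 = not specified
    phrase_never_expires: bool = False

def effective_phrase_interval(user, system):
    """Return the effective phrase interval in days, or None for 'never expires'."""
    if user.phrase_never_expires:
        return None
    for value in (user.phrase_interval, system.phrase_interval):
        if not 0 <= value <= MAX_INTERVAL:
            raise ValueError(f"phrase interval out of range: {value}")
    if user.phrase_interval:
        days = user.phrase_interval            # overrides the default, no cap
    elif system.phrase_interval:
        days = system.phrase_interval
    else:
        days = system.password_interval        # password interval still applies
        if user.password_interval:             # system-wide value is a maximum
            days = min(days, user.password_interval)
    return max(days, system.minchange)         # MINCHANGE is the lower bound

def audit(users, system, policy_max_days):
    """List (userid, reason) for phrases that outlive a local policy limit."""
    findings = []
    for user in users:
        days = effective_phrase_interval(user, system)
        if days is None:
            findings.append((user.userid, "never expires"))
        elif days > policy_max_days:
            findings.append((user.userid, f"{days} days"))
    return findings

# Constructed sample data, not taken from a real RACF database.
SYSTEM = System(password_interval=90, phrase_interval=365, minchange=7)
USERS = [User("ALICE"), User("BOB", phrase_interval=730),
         User("CAROL", phrase_never_expires=True), User("DAVE", phrase_interval=3)]
```

Calling `audit(USERS, SYSTEM, 365)` reports BOB and CAROL: both are valid settings under the rules above, yet neither is visible from the system-wide default alone.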

To specify the new intervals, PHRASEINT and NOPHRASEINT keywords have been added to the SETROPTS and PASSWORD commands.

zSecure Command Verifier requires updates to recognize and control these new RACF command keywords. zSecure Audit, Alert, and Adapters for SIEM require updates to format the keywords for SMF events. zSecure Admin, Audit, and Visual require updates to display the new settings; and the administrative components also allow modifying the settings.


To fully benefit from these enhancements, the following is required:
* IBM Security zSecure 2.5, or one of the zSecure Compliance and Administration solutions
* PTF UJ90042 for APAR OA61952 (this updates SAF)
* PTF UJ90043 for APAR OA61951 (this updates RACF)
* PTF UJ08616 for APAR OA63372 (this updates code shared among most zSecure components)
* PTF UJ08617 for APAR OA63373 (this updates code specific to zSecure Command Verifier)
* PTF UJ08618 for APAR OA63374 (this updates code shared between zSecure Command Verifier, zSecure Admin, and zSecure Visual)
* Fix pack 2.5.0-ISS-ZSECURE-FP0003 for APAR IJ40485 (this updates the zSecure Visual client)

The zSecure 2.5.0 documentation has been updated for these changes. A summary of the updates can be found in this Technote.

If you have any questions, please ask them here or on the zSecure support forum. The IBM Security zSecure today article serves as a starting point to reach all the latest zSecure announcements.