IBM Security Z Security

Expand all | Collapse all

CKNDSN profiles in XFACILIT

  • 1.  CKNDSN profiles in XFACILIT

    Posted Thu July 23, 2020 12:02 PM
    Having defined CKNDSN profiles with READ access, we have noticed in Access Monitor that there are some return code 8 when trying to get UPDATE access. We don't see any ICH408I messages and everything appears to be working fine. Can anyone explain this please?

    Thanks

    ------------------------------
    Anji Stephens
    ------------------------------


  • 2.  RE: CKNDSN profiles in XFACILIT

    Posted Fri July 24, 2020 04:37 AM
    Update access is checked in the server to determine if this client is allowed to see sensitive fields, like passwords. Without update access, the sensitive field values are replaced by asterisks. This is somewhat poorly documented in the manuals. Because most users are not allowed to see sensitive fields (and the user did not explicitly ask for such access), insufficient access is not logged (SMF and ICH408I).

    ------------------------------
    Guus Bonnes
    ------------------------------



  • 3.  RE: CKNDSN profiles in XFACILIT

    Posted Fri July 24, 2020 05:25 AM
    Thank you Guus. Just to confirm, do you mean sensitive fields like passwords when using CKGRACF?

    ------------------------------
    Anji Stephens
    IT Mainframe Security Consultant
    Belmont Technologies Ltd
    ------------------------------



  • 4.  RE: CKNDSN profiles in XFACILIT

    Posted Sat July 25, 2020 06:15 AM

    This applies to all kind of sensitive fields in the RACF database, like password, passphrases (although encrypted), certificate keys, etc.
    CKGRACF is a zSecure command that can be used to set a password/phrase. These are hidden in the command output. But that is independent of the CKNDSN setting to hide/allow showing of the sensitive field-values for all the existing profiles.

    If you look at the RACF templates, there is a flag that specifies if the field in the RACF database is considered "sensitive". zSecure hides these (and a few more) by default.



    ------------------------------
    Guus Bonnes
    ------------------------------



  • 5.  RE: CKNDSN profiles in XFACILIT

    Posted Mon July 27, 2020 05:48 AM
    Thank you Guus.

    ------------------------------
    Anji Stephens
    ------------------------------