IBM Security Z Security
  • 1.  z/OS Password to Passphrase migration

    Posted Thu July 15, 2021 10:02 AM

    I am looking for thoughts or suggestions on converting users from passwords to passphrases. From what I've found users can't use their passwords to reset a passphrase. I'm not too excited about the idea of creating thousands of temporary passphrases for every user and sending them out to them individually, was wondering if there are any solutions to assist with this type of rollout?



    ------------------------------
    Jim Elliott
    Senior IT Consultant, GlassHouse Systems Inc.
    ------------------------------


  • 2.  RE: z/OS Password to Passphrase migration

    Posted Tue July 20, 2021 04:43 AM
    Yes. To confirm: (1) Passphrases are completely separate from passwords. You can't use one to set the other. (2) A passphrase must be defined by an administrator for each user, before they can use passphrases.

    A simple solution would be to randomly generate a passphrase for each user in your pilot group, and ask the users to contact service desk to reset it. You could use Carla to generate the commands: CKGRACF USER userid PWSET RANDOM PHRASE

    If it's not feasible to use your service desk this way, then you need a process to generate and store passphrases, and then either batch mail them out, or make them accessible to the users individually.

    Here's what I did:
    Define a custom field for a 2-way-encrypted passphrase, with appropriate FIELD controls. [I'd probably investigate enveloping if I were doing it now]
    Download 5 books from Project Gutenberg as a source of readable phrases.
    Write some rexx to loop through each user and:
     Randomly select a phrase from a random book, and process it to meet the default passphrase requirements;
     Encrypt the passphrase and store it in the custom field in the user's profile;
     Issue the ALU command to set the passphrase.
    Write a simple ISPF/Rexx utility to allow the users to retrieve their initial passphrase, when logged on to TSO using password.

    Later on, we had a need to store all users' emails in RACF (in another custom field). So storing the passphrase was no longer necessary, as we could generate and send emails in the process.

    Hopefully this will give you some ideas, and allow you to come up with something better.

    ------------------------------
    Pete Buckley
    Mainframe Tech Specialist
    AXA
    ------------------------------
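    The loop described in the post above, written out as an added example in Python rather than the original REXX (this is not Pete's code or anything from the thread). It picks a readable sentence from a constructed in-memory corpus standing in for the Gutenberg books, shapes it to meet the RACF default password phrase rules (14 to 100 characters without the ICHPWX11 exit, at least 2 alphabetics, at least 2 non-alphabetics, no user ID in the phrase, no more than 2 identical characters in a row), and emits the ALTUSER command to set it. The book text, user IDs and seed are constructed; the encrypted custom-field storage step is left out and only noted in a comment.

```python
"""Generate RACF-compliant initial password phrases from a text corpus.

Added example mirroring the forum post's process (sentence from a book,
adjusted to RACF default phrase rules, then ALTUSER), not the post's REXX.
The checks implement the documented RACF defaults for systems without the
ICHPWX11 new-phrase exit; a site exit may impose stricter rules.
"""
import random
import re

# Constructed sample corpus standing in for the downloaded Gutenberg books.
SAMPLE_BOOKS = {
    "constructed-book-1": (
        "The lamps along the harbour wall were lit one by one. A grey cat "
        "watched the fishing boats come home. Nobody looked up from the nets."
    ),
    "constructed-book-2": (
        "The river wound slowly through the valley. Three boats waited at the "
        "landing, and the ferryman counted his coins twice. It's going to rain."
    ),
}

MIN_LEN, MAX_LEN = 14, 100   # RACF defaults when ICHPWX11 is not installed


def split_sentences(text):
    """Split prose into candidate sentences with normalised whitespace."""
    parts = re.split(r"(?<=[.!?])\s+", text.strip())
    return [" ".join(p.split()) for p in parts if p.strip()]


def racf_phrase_problems(phrase, userid):
    """Return the RACF default phrase rules a candidate breaks ([] = acceptable)."""
    problems = []
    if not MIN_LEN <= len(phrase) <= MAX_LEN:
        problems.append(f"length {len(phrase)} outside {MIN_LEN}-{MAX_LEN}")
    if len(re.findall(r"[A-Za-z]", phrase)) < 2:
        problems.append("fewer than 2 alphabetic characters")
    # Deliberately conservative: blanks are not counted as non-alphabetics here.
    if len(re.findall(r"[^A-Za-z\s]", phrase)) < 2:
        problems.append("fewer than 2 numeric/punctuation/special characters")
    # RACF rejects the user ID as a run of all-upper or all-lower characters.
    if userid.upper() in phrase or userid.lower() in phrase:
        problems.append("contains the user ID")
    if re.search(r"(.)\1\1", phrase):
        problems.append("more than 2 consecutive identical characters")
    return problems


def make_candidate(sentence, rng):
    """Shape a sentence into a phrase: drop the final stop, trim to length,
    then append a random number so the non-alphabetic minimum is always met."""
    words = sentence.rstrip(".!?").split()
    phrase = " ".join(words)
    while len(phrase) + 4 > MAX_LEN:      # leave room for " NN."
        words.pop()
        phrase = " ".join(words)
    return f"{phrase} {rng.randint(10, 99)}."


def generate_initial_phrase(userid, books, rng, attempts=50):
    """Pick a random sentence from a random book until one passes the rules."""
    titles = sorted(books)
    for _ in range(attempts):
        sentence = rng.choice(split_sentences(books[rng.choice(titles)]))
        candidate = make_candidate(sentence, rng)
        if not racf_phrase_problems(candidate, userid):
            return candidate
    raise RuntimeError(f"no acceptable phrase for {userid} in {attempts} attempts")


def build_altuser_command(userid, phrase):
    """Build the RACF command. The phrase is quoted with apostrophes, so any
    apostrophe inside it is doubled. ALTUSER marks the phrase expired unless
    NOEXPIRED is given, which forces the user to choose their own at first logon."""
    escaped = phrase.replace("'", "''")
    return f"ALTUSER {userid} PHRASE('{escaped}')"


def provision_batch(userids, books, seed):
    """Loop over users as the post's REXX did. Returns, per user, the phrase to
    hand out (store it encrypted, e.g. in a custom field, as the post did) and
    the command to issue."""
    rng = random.Random(seed)
    result = {}
    for userid in userids:
        phrase = generate_initial_phrase(userid, books, rng)
        result[userid] = (phrase, build_altuser_command(userid, phrase))
    return result


if __name__ == "__main__":
    for user, (phrase, cmd) in provision_batch(["JIM", "PETE"], SAMPLE_BOOKS, 7).items():
        print(user, "->", cmd)
```

    The rule checker is reused on the way out, so a site that adds its own constraints (a longer minimum, banned words) only has to extend racf_phrase_problems; anything that passes here also passes RACF's defaults, because the blank-handling is stricter than RACF's own.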



  • 3.  RE: z/OS Password to Passphrase migration

    Posted Tue June 27, 2023 09:08 AM

    I don't want to enable the TSO and CICS login panel for all users at the same time. Is there any way to enable the login panel (TSO, CICS) for sets of mainframe users at a first level and then enable it for all?



    ------------------------------
    Mukund Kumar
    ------------------------------



  • 4.  RE: z/OS Password to Passphrase migration

    Posted Tue June 27, 2023 11:10 AM

    I don't think so.

    TSO login panel is enabled in the system parmlib, member IKJTSOxx. So this will apply to an entire LPAR (at minimum).

    CICS login panel is enabled by setting CESN to be an alias of CESL, if I recall correctly. This could be done at CICS address space level, but I can't think of an obvious way to make this different for different users. Maybe using different MRO CICS address spaces to sign on different users?
    I suspect this would be far more trouble than it's worth.



    ------------------------------
    Peter Buckley
    ------------------------------