Hello Victor,
I believe that in today's fast-changing environment, static passwords are a largely deprecated approach. To answer your first question, cloning an existing RACF user (having the same access) and then rotating it would be more feasible without interrupting services. However, it is still time- and resource-consuming.
For future purposes, I believe Digital Certificates are a better option. This is the industry-standard and most secure method for server-to-server authentication. The external application is issued a digital certificate. It presents this certificate when connecting to Db2. On the mainframe, Application Transparent TLS (AT-TLS) intercepts the connection and validates the certificate. RACF is configured to map that specific, trusted certificate to a mainframe user ID (e.g., APPUSER). The user ID itself is set to NOPASSWORD in RACF because authentication is handled by the certificate.
It is better because it completely removes the problem of password rotation, management, and exposure in config files. It is more secure, as authentication is based on public-key cryptography, which is vastly more secure than a shared password. It is easily managed through the certificate's lifecycle. If it needs to be revoked, access is cut off instantly.
Warm regards,
Shashank Srivastava
Airbus
------------------------------
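The certificate-to-user-ID setup described in the reply above, as an added illustration that is not part of the original post: an AT-TLS policy fragment for the Db2 DDF secure port plus the RACF commands that map the external application's certificate to APPUSER. The port number (5001), keyring name (DB2KEYRING), keyring owner (DB2DIST), certificate data set names and labels, and the subject-name filter are all assumed placeholder values; the `#` lines in the RACF section are explanatory notes, not command syntax.

```text
# --- AT-TLS policy fragment (Policy Agent configuration) ---
# Inbound TLS on the assumed Db2 DDF secure port; the server requires a client
# certificate and SAFCheck rejects the handshake unless RACF can map that
# certificate to a user ID, so an unmapped or revoked certificate never reaches Db2.
TTLSRule                     Db2ClientCertRule
{
  LocalPortRange             5001
  Direction                  Inbound
  TTLSGroupActionRef         Db2GroupAct
  TTLSEnvironmentActionRef   Db2EnvAct
}
TTLSGroupAction              Db2GroupAct
{
  TTLSEnabled                On
}
TTLSEnvironmentAction        Db2EnvAct
{
  HandshakeRole              ServerWithClientAuth
  TTLSKeyringParms
  {
    Keyring                  DB2KEYRING
  }
  TTLSEnvironmentAdvancedParms
  {
    ClientAuthType           SAFCheck
  }
}

# --- RACF side (TSO commands) ---
# 1. Trust the CA that issued the application's certificate and make it
#    available on the keyring used by AT-TLS (assumed owner: DB2DIST).
RACDCERT CERTAUTH ADD('HLQ.APPCA.CERT') WITHLABEL('APPCA') TRUST
RACDCERT ID(DB2DIST) CONNECT(CERTAUTH LABEL('APPCA') RING(DB2KEYRING))

# 2. Map the application's certificate to APPUSER. Either register the exact
#    certificate under the user ID ...
RACDCERT ID(APPUSER) ADD('HLQ.APPUSER.CERT') WITHLABEL('APPUSER-CLIENT') TRUST
#    ... or use a subject-name filter so any certificate from the trusted CA
#    with this subject maps to APPUSER (lets you renew the cert without re-adding it).
RACDCERT ID(APPUSER) MAP SDNFILTER('CN=appuser.example.com.OU=Apps.O=Example') WITHLABEL('APPUSER-MAP') TRUST

# 3. Refresh the in-storage profiles and remove the password from the user ID;
#    the certificate is now the only way to authenticate as APPUSER.
SETROPTS RACLIST(DIGTCERT DIGTNMAP) REFRESH
ALTUSER APPUSER NOPASSWORD

# Revocation check: dropping the certificate or its mapping cuts access immediately.
# RACDCERT ID(APPUSER) DELETE(LABEL('APPUSER-CLIENT'))
# RACDCERT ID(APPUSER) DELMAP(LABEL('APPUSER-MAP'))
```

Verify the mapping before cutting over with `RACDCERT ID(APPUSER) LIST` and `RACDCERT ID(APPUSER) LISTMAP`, and confirm in the Db2 DDF messages that connections on the secure port arrive under APPUSER.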
Original Message:
Sent: Mon June 09, 2025 04:36 AM
From: Victor Ramos
Subject: DB2 users passwords in RACF
Hello.
I have a new task, which is to periodically rotate in RACF the passwords of users that are used from outside the mainframe to connect to Db2.
Some of those users are critical and are used thousands of times per second.
The passwords of those users have been set manually by the person responsible for each user in the application outside the mainframe.
Please, I would like to know how I can do this without stopping the service.
Another question. In the future, what is best? Use of certificates instead of users/passwords? A central vault where the users ask for the password? Is there any tool that can help with this task?
Thanks for your help.
------------------------------