IBM is constantly enhancing functions or adding new functions to RACF. Read on:
- z/OS Version 2 Release 2
z/OS V2.2 is available! This release includes these new RACF functions:
- A new user attribute, ROAUDIT, which grants the user the privileges of the AUDITOR attribute, without the ability to change log settings and options
- Three new RRSF functions:
- NEWMAIN, which allows you to change the MAIN system dynamically
- Unidirectional nodes, which allow you to block inbound RRSF activity from a node
- A new function in the r_Admin callable service to return configuration and operational information on RRSF (also available in the IRRXUTIL REXX interface)
- More granular controls on certificates administration, supporting narrowed spans of administrative control
- IRRDBU00 requires only READ authority to the input RACF data base when PARM=NOLOCKINPUT is specified
- Password enhancements:
- Elimination of the need for an ICHDEX01 exit to eliminate the use of the RACF masking algorithm for a user's password
- RACF commands no longer assign a "default" password by default
- The RACF_ENCRYPTION_ALGORITHM health check raises an exception if KDFAES is not active
- Enable the use of password phrases in the RACLINK DEFINE command
- New health checks:
- RACF_RRSF_RESOURCES, which examines the protection of your RRSF data sets
- Additional resources checked in RACF_SENSITIVE_RESOURCES
- Password Security Enhancements
A number of significant enhancements to password and password phrase security are available with new function APAR OA43999 on z/OS V1.12 and higher! These new functions include:
- A stronger encryption algorithm for passwords and password phrases
- Support for 14 additional special characters in passwords
- The ability for a user to have a password phrase without a password
- A new password syntax control that requires a password to contain at least one character from each of four different categories: upper case letters, lower case letters, numeric digits, and symbolic characters
- The ability to expire a user's password without changing its value
- An ALTUSER command function to "clean up" after lowering the SETROPTS(PASSWORD(HISTORY(nn)) value.
Details on this new function can be found at ftp://public.dhe.ibm.com/eserver/zseries/zos/racf/pdf/oa43999.pdf.
- New and Updated RACF Health Checks
With new function APARs OA44696 and OA45608 RACF is:
- Updating the RACF_SENSITIVE_RESOURCES check to examine the access protections on your ICSF data sets
- Introducing the RACF_PASSWORD_CONTROLS check to examine your setting for password history, mixed case passwords, and the maximum number of days that a password or password phrase is valid
- Introducing the RACF_ENCRYPTION_ALGORITHM check to examine the return codes from your ICHDEX01 exit to ensure that at least DES-only encryption is being used for passwords and password phrases on your system.
Information on RACF_PASSWORD_CONTROLS and RACF_ENCRYPTION_ALGORITHM can be found at ftp://public.dhe.ibm.com/eserver/zseries/zos/racf/pdf/oa45608.pdf .
- z/OS Version 2 Release 1
z/OS V2.1 is available! This release includes these new RACF functions:
- IPv6 and transport layer security (TLS) 1.2 cipher suite support for the RACF Remote Sharing Facility (RRSF).
This page was last updated October, 2015.