IBM is constantly enhancing functions or adding new functions to RACF. Read on:

 

  • z/OS Version 2 Release 2

    z/OS V2.2 is available! This release includes these new RACF functions:
    • A new user attribute, ROAUDIT, which grants the user the privileges of the AUDITOR attribute, without the ability to change log settings and options
    • Three new RRSF functions:
      • NEWMAIN, which allows you to change the MAIN system dynamically
      • Unidirectional nodes, which allow you to block inbound RRSF activity from a node
      • A new function in the r_Admin callable service to return configuration and operational information on RRSF (also available in the IRRXUTIL REXX interface)
    • More granular controls on certificate administration, supporting narrowed spans of administrative control
    • Password enhancements:
      • An ICHDEX01 exit is no longer needed to eliminate the use of the RACF masking algorithm for a user's password
      • Support for password phrases in the RACLINK DEFINE command
    • New health checks:
      • RACF_RRSF_RESOURCES, which examines the protection of your RRSF data sets
      • Additional resources checked in RACF_SENSITIVE_RESOURCES

  • Password Security Enhancements

    A number of significant enhancements to password and password phrase security are available with new function APAR OA43999 on z/OS V1.12 and higher! These new functions include:
    • A stronger encryption algorithm for passwords and password phrases
    • Support for 14 additional special characters in passwords
    • The ability for a user to have a password phrase without a password
    • A new password syntax control that requires a password to contain at least one character from each of four different categories: upper case letters, lower case letters, numeric digits, and symbolic characters
    • The ability to expire a user's password without changing its value
    • An ALTUSER command function to "clean up" after lowering the SETROPTS PASSWORD(HISTORY(nn)) value

Details on this new function can be found at ftp://public.dhe.ibm.com/eserver/zseries/zos/racf/pdf/oa43999.pdf.
 

  • New and Updated RACF Health Checks
     

    With new function APARs OA44696 and OA45608, RACF is:

    • Updating the RACF_SENSITIVE_RESOURCES check to examine the access protections on your ICSF data sets
    • Introducing the RACF_PASSWORD_CONTROLS check to examine your setting for password history, mixed case passwords, and the maximum number of days that a password or password phrase is valid
    • Introducing the RACF_ENCRYPTION_ALGORITHM check to examine the return codes from your ICHDEX01 exit to ensure that at least DES-only encryption is being used for passwords and password phrases on your system
       
Information on RACF_PASSWORD_CONTROLS and RACF_ENCRYPTION_ALGORITHM can be found at ftp://public.dhe.ibm.com/eserver/zseries/zos/racf/pdf/oa45608.pdf.

  • z/OS Version 2 Release 1

    z/OS V2.1 is available! This release includes these new RACF functions:
    • IPv6 and transport layer security (TLS) 1.2 cipher suite support for the RACF Remote Sharing Facility (RRSF).