Password sensitivity using a local operating system registry
Allowing for a larger number of password combinations benefits WebSphere® Application Security. Passwords restricted to 8 characters are limited in how secure they can be, and hacking attempts against 8-character passwords are often successful. WebSphere Application Server expands the possible combinations beyond the 8-character password by also letting you use a password phrase from 9 to 100 characters long. The password phrase gives you an exponentially larger number of combinations for securing any given user ID to an application.
z/OS Version 1.9 RACF
In z/OS® Version 1.9, RACF® allows you to use password phrases to secure a user ID to an application. Password phrase support for WebSphere Application Server provides infrastructure changes that you (or other applications) can exploit to facilitate the use of authentication information across environments and applications.
A password phrase is a character string made up of mixed-case letters, numbers, and special characters. It can be from 9 to 100 characters in length and provides a far greater number of possible combinations than a password does. A user ID can have both a password and a password phrase associated with it. The user ID uses the password for existing applications that accept an eight-character password, and the password phrase for those applications that are sensitive to the longer character string.
To use a password phrase with WebSphere Application Server, you must:
- Use z/OS Version 1.9 or higher.
- Use the local operating system registry as your active registry.
- Use the System Authorization Facility (SAF) as your authorization provider.
- Install the WebSphere Application Server Fix Pack 6.1.0.15 or later.
- If you want to specify a password phrase that is between 9 and 13 characters, inclusive, then you must also install the ICHPWX11 RACF exit routine.
For more information about password phrases in z/OS Version 1.9, see z/OS V1R9.0 Security Server RACF Security Administrator's Guide. This guide is available under "Security Server and Integrated Security Services". Within the guide, see section 3.4.14.