[z/OS]

Password sensitivity using a local operating system registry

Allowing for a larger number of password combinations benefits WebSphere® Application Security. Passwords restricted to 8 characters are limited in how secure they can be. Hacking attempts are often successful against 8-character passwords. WebSphere Application Server expands the possible combinations beyond the 8-character password by also letting you use a password phrase from 9 to 100 characters long. The password phrase gives you an exponentially larger number of combinations for securing any given user ID to an application.

z/OS Version 1.9 RACF

In z/OS® Version 1.9, RACF® allows you to use password phrases in securing a user ID to an application. Password phrase support for WebSphere Application Server provides infrastructure changes that you (or other applications) can exploit to facilitate authentication information across environments and applications.

A password phrase can be from 9 to 100 characters in length and provides a far greater number of possible combinations of characters and numbers than passwords do. A password phrase is a character string made up of mixed-case letters, numbers, and special characters. A user ID can have both a password and a password phrase associated with it. The user ID uses the password for existing applications that accept an eight-character password and the password phrase for those applications that are sensitive to the longer character string.

While password phrases inherently support the use of mixed-case characters, traditional 8-character passwords do not. If you want to allow mixed-case characters in traditional passwords, you must use the RACF mixed case password option and enable it by using the SETROPTS PASSWORD(MIXEDCASE) RACF command. See Password case sensitivity using a local operating system registry for more information about mixed case passwords.
Remember: After initializing the use of RACF mixed case passwords, you MUST restart the WebSphere Application Server.
To use password phrases in WebSphere Application Server, you must comply with all of the following requirements:
  1. Use z/OS Version 1.9 or higher.
  2. Use the local operating system registry as your active registry.
  3. Use the System Authorization Facility (SAF) as your authorization provider.
  4. Install the WebSphere Application Server Fix Pack 6.1.0.15 or later.
  5. If you want to specify a password phrase that is between 9 and 13 characters, inclusive, then you must also install the ICHPWX11 RACF exit routine.
Important: All of these requirements must be met; otherwise, WebSphere Application Server password phrases are not recognized and do not take effect.
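
The following preflight check is an added example, not IBM code. It applies the five requirements above to a description of one server and reports which ones block a given password phrase. The `Environment` record, its field names, and the values `localos` and `SAF` are assumptions made for illustration.

```python
from dataclasses import dataclass

MIN_ZOS = (1, 9)              # "z/OS Version 1.9 or higher"
MIN_WAS = (6, 1, 0, 15)       # "Fix Pack 6.1.0.15 or later"

@dataclass
class Environment:
    """Hypothetical inventory record; field names and values are assumptions."""
    zos_version: str
    active_registry: str          # "localos" = local operating system registry
    authorization_provider: str   # "SAF" = System Authorization Facility
    was_level: str
    ichpwx11_installed: bool

def _version(text):
    # Compare numerically so that "1.10" sorts after "1.9".
    return tuple(int(part) for part in text.split("."))

def credential_kind(secret):
    """Classify by length: up to 8 is a password, 9 to 100 a password phrase."""
    if 1 <= len(secret) <= 8:
        return "password"
    if 9 <= len(secret) <= 100:
        return "password phrase"
    return "invalid"

def phrase_blockers(env, secret):
    """Return unmet requirements; an empty list means all five are satisfied."""
    if credential_kind(secret) != "password phrase":
        return [f"length {len(secret)} is outside the 9 to 100 character range"]
    blockers = []
    if _version(env.zos_version) < MIN_ZOS:
        blockers.append("z/OS is older than Version 1.9")
    if env.active_registry != "localos":
        blockers.append("active registry is not the local operating system registry")
    if env.authorization_provider != "SAF":
        blockers.append("authorization provider is not SAF")
    if _version(env.was_level) < MIN_WAS:
        blockers.append("WebSphere Application Server is below Fix Pack 6.1.0.15")
    if len(secret) <= 13 and not env.ichpwx11_installed:
        blockers.append("ICHPWX11 exit routine is required for 9 to 13 characters")
    return blockers

if __name__ == "__main__":
    # Constructed sample values, not taken from any real system.
    current = Environment("1.10", "localos", "SAF", "6.1.0.15", False)
    for secret in ("Passw0rd", "short phrase", "a much longer password phrase"):
        print(credential_kind(secret), phrase_blockers(current, secret))
```

An empty list means every requirement is met for that phrase length. Any entry in the list is a reason the phrase is not recognized.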

For more information about password phrases in z/OS Version 1.9, see z/OS V1R9.0 Security Server RACF Security Administrator's Guide. This guide is available under "Security Server and Integrated Security Services". Within the guide, see section 3.4.14.