IBM ZOS V1.12 Manual - page 16
IBM United States Software Announcement
210-008
• The Command Prefix Facility (CPF), which you can use to route commands from
one system to another within a sysplex, is planned to support security checking
similar to that provided for the ROUTE operator command. Defining a new
MVS.CPF.ROUTE.CHECK profile in the RACF OPERCMDS class will specify that
the system use the MVS.ROUTE.CMD profile in the RACF OPERCMDS class to
determine whether the operator is allowed to send a command to the specified
system. This is intended to add the same level of checking to CPF that exists for
the MVS ROUTE command.
• The Network Authentication Service for z/OS is planned to utilize RACF function to
help improve the availability of applications that use Kerberos or GSSAPI services
when deployed in a DVIPA environment. This new support is designed to allow you
to remove the dependency on which image of the Sysplex a Kerberos or GSSAPI
application request is routed to. This can help improve application availability by
enabling transparent failover and improved workload balancing between images in a
Sysplex.
• IBM Tivoli Directory Server for z/OS is planned to provide support for configurable
password policy rules that can be applied to user passwords in the directory.
Support is planned for automatic password revocation, password expiration,
formatting checks, history, and a password change mechanism that can be
enforced on an individual, group, or directory basis. This new function is intended
to help you ensure that:
– Users change their passwords periodically
– New passwords meet your password requirements
– Recently used passwords are not reused
– Users can be locked out after a defined number of failed attempts
In addition, when a password policy control has been received, native or SDBM
authentication will map RACF response codes to password policy response codes
where possible, and the password policy response control will be returned.
• IBM Tivoli Directory Server for z/OS is planned to support continuous activity
logging. This new function will be designed to close the current log file or
generation data set and open a new one based on the time of day or the size of
an activity log file you specify. A console command will be designed to allow
initiation of an activity log file switch. Also planned in this support is a new function
that will allow specification that log entries be filtered by IP address.
• IBM Tivoli Directory Server for z/OS is planned to provide an extension to access
control lists (ACLs) to provide the ability to dynamically transform base ACLs using
filter ACLs you specify, to add or remove permissions based on:
– Bind distinguished name (DN)
– Alternate DNs
– Pseudo DNs
– Groups a bind or alternate DN belongs to
– IP address of the client connection
– Time of day that directory entry was accessed
– Day of week that directory entry was accessed
– The bind mechanism used
– Whether bind encryption was used
This function is designed to provide additional flexibility in access controls for
LDAP connections.
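The filter ACL idea above, that a base ACL is transformed at bind time according to properties of the connection, can be modelled in a few lines. The following is an added example written for this page, not IBM Tivoli Directory Server code or its ACL syntax: the base ACL, the filter rules, the attribute names and the constructed connections are all assumptions chosen to show how permissions are added or removed based on bind DN, group membership, client IP, time of day, day of week, bind mechanism and whether the bind was encrypted.

```python
"""Toy model of base ACLs transformed by filter ACLs.

Added example, not IBM code. Assumptions: permissions are strings, a base
ACL maps a bind DN, group DN or the pseudo-DN "anybody" to a permission set,
and a filter ACL is a predicate over connection attributes plus permissions
to grant or deny. Denies in a matching filter win over grants.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Callable, FrozenSet, List, Tuple


@dataclass
class Connection:
    bind_dn: str
    groups: FrozenSet[str]
    client_ip: str
    when: datetime
    bind_mechanism: str      # e.g. "simple" or "GSSAPI" (constructed values)
    encrypted: bool


@dataclass
class FilterAcl:
    name: str
    matches: Callable[[Connection], bool]
    grant: FrozenSet[str] = frozenset()
    deny: FrozenSet[str] = frozenset()


# Constructed base ACL: keys are bind DNs, group DNs or the pseudo-DN "anybody".
BASE_ACL = {
    "cn=admin,o=example": frozenset({"read", "write", "delete"}),
    "cn=ops,ou=groups,o=example": frozenset({"read", "write"}),
    "anybody": frozenset({"read"}),
}

# Constructed filter ACLs; each removes permissions when its condition holds.
FILTER_ACLS = [
    FilterAcl("no write over cleartext",
              lambda c: not c.encrypted,
              deny=frozenset({"write", "delete"})),
    FilterAcl("delete only from admin subnet",
              lambda c: ip_address(c.client_ip) not in ip_network("10.1.0.0/24"),
              deny=frozenset({"delete"})),
    FilterAcl("writes only in business hours (Mon-Fri 08-18)",
              lambda c: not (c.when.weekday() < 5 and 8 <= c.when.hour < 18),
              deny=frozenset({"write", "delete"})),
    FilterAcl("simple bind cannot delete",
              lambda c: c.bind_mechanism == "simple",
              deny=frozenset({"delete"})),
]


def base_permissions(conn: Connection) -> set:
    """Union of the base ACL entries for the bind DN, its groups and 'anybody'."""
    perms = set(BASE_ACL.get("anybody", ()))
    perms |= BASE_ACL.get(conn.bind_dn, frozenset())
    for group in conn.groups:
        perms |= BASE_ACL.get(group, frozenset())
    return perms


def effective_permissions(conn: Connection,
                          filters: List[FilterAcl] = FILTER_ACLS
                          ) -> Tuple[FrozenSet[str], List[str]]:
    """Apply every matching filter ACL to the base permissions.

    Returns the resulting permission set and the names of the filters that
    fired, which is what you would want in an audit log entry.
    """
    perms = base_permissions(conn)
    applied = []
    for f in filters:
        if f.matches(conn):
            perms |= f.grant
            perms -= f.deny
            applied.append(f.name)
    return frozenset(perms), applied


if __name__ == "__main__":
    tuesday_morning = datetime(2010, 2, 23, 10, 0)     # constructed timestamp
    admin_tls = Connection("cn=admin,o=example", frozenset(), "10.1.0.5",
                           tuesday_morning, "GSSAPI", True)
    print(effective_permissions(admin_tls))
```

Running the block prints the full permission set for an admin bound with GSSAPI over an encrypted connection from the admin subnet during business hours; change any one of those attributes and the corresponding filter removes permissions while leaving the base ACL untouched, which is the point of layering filters over base ACLs rather than editing the base ACL per situation.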
• IBM Tivoli Directory Server for z/OS is planned to provide Salted SHA-1 encryption
support. To make dictionary attacks against SHA-1 encrypted data much more
difficult, stored Salted SHA-1 password values in LDAP will include a random
20-byte string (the salt), so that encrypting the same password more than once will
usually result in differing encrypted values. This is intended to make it much more
difficult to determine the encrypted password value. This support is designed to
be functionally equivalent to that currently provided by the IBM Tivoli Directory
Server and can allow easier migration of LDAP server workloads to z/OS.
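The two password features on this page, the salted SHA-1 storage format just described and the password policy rules listed earlier (expiration, format checks, history and lockout after failed attempts), fit together naturally: the history check must be done against stored salted values, since two stores of the same password differ. The block below is an added example, not IBM Tivoli Directory Server code. It assumes the common LDAP `{SSHA}` layout, base64 of the 20-byte SHA-1 digest followed by the salt, with a random 20-byte salt as the announcement states; whether IBM's server uses exactly this byte layout is not confirmed by the page. The policy thresholds, the `Policy` and `Account` structures and the character-class rule are constructed for illustration.

```python
"""Salted SHA-1 ({SSHA}) storage plus a small password policy checker.

Added example, not IBM code. Layout assumption: "{SSHA}" + base64(
sha1(password + salt) + salt) with a random 20-byte salt. The policy
rules are constructed illustrations of expiry, format, history and lockout.
"""
import base64
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List

SALT_LEN = 20          # random salt length given in the announcement
DIGEST_LEN = 20        # SHA-1 digest length, fixed


def ssha_encode(password: str, salt: bytes = None) -> str:
    """Return the {SSHA} string; a fresh random salt unless one is supplied."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


@dataclass
class Policy:
    max_age: timedelta = timedelta(days=90)   # constructed expiry
    history_size: int = 5                      # previous values remembered
    max_failures: int = 3                      # lockout threshold
    min_length: int = 8
    min_classes: int = 3                       # of lower/upper/digit/other


@dataclass
class Account:
    stored: str                 # current {SSHA} value
    changed_at: datetime
    history: List[str] = field(default_factory=list)   # previous {SSHA} values
    failures: int = 0
    locked: bool = False


def format_errors(password: str, policy: Policy) -> List[str]:
    """Formatting checks: length and number of character classes."""
    errs = []
    if len(password) < policy.min_length:
        errs.append("too short")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < policy.min_classes:
        errs.append("too few character classes")
    return errs


def is_expired(acct: Account, policy: Policy, now: datetime) -> bool:
    return now - acct.changed_at > policy.max_age


def authenticate(acct: Account, password: str, policy: Policy, now: datetime) -> str:
    """Returns 'ok', 'expired', 'bad-password' or 'locked'."""
    if acct.locked:
        return "locked"
    if not ssha_verify(password, acct.stored):
        acct.failures += 1
        if acct.failures >= policy.max_failures:
            acct.locked = True          # revoke after too many failures
            return "locked"
        return "bad-password"
    acct.failures = 0                   # a good bind resets the counter
    return "expired" if is_expired(acct, policy, now) else "ok"


def change_password(acct: Account, new_password: str, policy: Policy, now: datetime) -> List[str]:
    """Apply format and history rules; returns the list of violations (empty on success)."""
    errs = format_errors(new_password, policy)
    # History must be checked by verifying against each salted value, because
    # comparing freshly encoded strings would never match (different salts).
    if ssha_verify(new_password, acct.stored) or any(
            ssha_verify(new_password, old) for old in acct.history):
        errs.append("recently used")
    if errs:
        return errs
    acct.history = ([acct.stored] + acct.history)[:policy.history_size]
    acct.stored = ssha_encode(new_password)
    acct.changed_at = now
    return []
```

The salt is stored alongside the digest, so verification needs no secret; what the salt buys is that a precomputed dictionary of SHA-1 values cannot be matched against the directory as a whole, and identical passwords held by different users no longer share a stored value. The history rule shows the practical consequence: previous values have to be re-verified one by one rather than compared as strings.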