On Tue, 10 Aug 2010 17:13:27 -0500, Pommier, Rex R. <rex.pomm...@cnasurety.com> wrote:
>Ken, (and any others who would like to weigh in on this),
>
>We were playing with this on our sandbox just now, and came across an
>interesting scenario. There are 2 of us here who are RACF SPECIAL. As
>you know, if a SPECIAL user types in the wrong password too many times,
>instead of simply revoking their account, RACF will toss message ICH301I
>to allow another attempt. Unfortunately, the console and the system
>apparently get caught in a twilight-zone type loop. We couldn't log
>onto the console as a different ID to respond to the message because all
>RACF logons were stacked up behind the message! I tried to reply to the
>ICH301I message from an SDSF session and that, too, locked. Fortunately
>I was logged onto a different console already (thanks, IBM, for not
>implementing console timeouts :-) ) and was able to respond to the RACF
>message. The affected console then rapid-fire logged off and on each of
>the IDs that we had tried to log on to.
>
>I think that alone will probably be enough to convince management that
>activating console logon requirements is a bad idea.
>

You might consider setting up automatic logon, and allowing the automatic
IDs the authority to issue the REPLY command.

-- 
Walt Farrell
IBM STSM, z/OS Security Design

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
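The suggestion above (auto-logon consoles whose IDs may issue REPLY) sketched out as an added example; this is not from the original message and is not IBM-supplied configuration. The console name MSTCON1, the device number 0A00, and the owner/group SYS1 are placeholders. The parmlib keyword is CONSOLxx DEFAULT LOGON(AUTO), which logs a console on using its own console name as the user ID, and the REPLY command is covered by OPERCMDS resource MVS.REPLY, which requires UPDATE access.

```text
/* CONSOLxx (SYS1.PARMLIB): keep console logon required, but let   */
/* each named console log on automatically under its console name. */
/* MSTCON1 and 0A00 are placeholders for this example.             */
DEFAULT LOGON(AUTO)
CONSOLE DEVNUM(0A00) NAME(MSTCON1)

/* RACF (TSO) commands, issued once by a SPECIAL user.              */
/* MSTCON1 is the user ID the console is logged on with. It is     */
/* defined as a protected user ID (NOPASSWORD NOPHRASE), so it has */
/* no password to mistype and no SPECIAL attribute, and therefore  */
/* can never itself raise the ICH301I prompt.                      */
ADDUSER MSTCON1 NAME('AUTO LOGON CONSOLE') OWNER(SYS1) DFLTGRP(SYS1) +
        NOPASSWORD NOPHRASE

/* Protect REPLY in the OPERCMDS class (MVS.REPLY, UPDATE access)  */
/* and permit only the auto-logon ID; audit every use.             */
SETROPTS CLASSACT(OPERCMDS) RACLIST(OPERCMDS)
RDEFINE  OPERCMDS MVS.REPLY UACC(NONE) AUDIT(ALL(READ))
PERMIT   MVS.REPLY CLASS(OPERCMDS) ID(MSTCON1) ACCESS(UPDATE)
SETROPTS RACLIST(OPERCMDS) REFRESH
```

The point of the layout is least privilege on the path that answers the message: the auto-logon ID holds UPDATE on MVS.REPLY and nothing else, so it can answer an outstanding ICH301I for a SPECIAL user even while every interactive console logon is queued behind that message, without being a SPECIAL user that could add another ICH301I to the queue. If the CONSOLE class is active at the site, the same ID also needs READ access to the CONSOLE-class profile for its console name; verify the result on a sandbox with a deliberate bad-password attempt by a SPECIAL user before enabling LOGON(AUTO) in production.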