IMHO: exits as a subspecies are evil critters. They become an ongoing maintenance challenge and tend to attract unwelcome attention from auditors. Exits are hard to write, hard to stress test, and introduce a level of risk. You need extraordinary measures in place to protect the code.
On the well proven fact that there is no software that is completely bug free, why would you want to introduce -more- bugs into your most sacred of processes: authentication? There is another pretty interesting argument that as the complexity of your solution package increases, so do the opportunities for holes. Perhaps put there intentionally (the largest risk is internal) or unintentionally (bugs). I once worked in an exit happy shop. Getting the exits updated and tested tended to be the single biggest bottleneck in rolling out new operating system levels. Of course, if you have a compelling business/technical need, then lock and load.

My humble $0.02 US (before taxes).

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Jousma, David
Sent: Friday, March 06, 2009 7:06 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: RACF password & id checking

Yikes, should I be scared of this? Externalizing the password rules in REXX? Seems to make it too easy to "collect" passwords.

Dave Jousma
Assistant Vice President, Mainframe Services
david.jou...@53.com
1830 East Paris, Grand Rapids, MI 49546 MD RSCB1G
p 616.653.8429 f 616.653.8497

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Walt Farrell
Sent: Friday, March 06, 2009 7:58 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: RACF password & id checking

On Fri, 6 Mar 2009 12:17:49 +0800, Tommy Tsui <tommyt...@gmail.com> wrote:

> Is there any RACF password rule that can validate the password
> cannot be a part of USERID? or only write a user exit to implement it?

You would probably need an exit to do that. You can find a sample exit on the RACF downloads page (http://www-03.ibm.com/servers/eserver/zseries/zos/racf/goodies.html) that should simplify that. See REXXPWEXIT. It works on z/OS R10 and later, and provides an ICHPWX01 exit that invokes a REXX exec via System REXX, and a sample REXX exec that you can tailor easily.

--
Walt Farrell, CISSP
IBM STSM, z/OS Security Design

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
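As an added illustration of the kind of rule the REXX-driven exit lets you express (this is not IBM's REXXPWEXIT sample exec, and the two-argument calling convention, the return codes and the three-character fragment rule are all assumptions), the exec below rejects a new password that contains any run of the userid, forwards or reversed, which also covers a password that is itself a piece of the userid. With Dave's concern in mind it returns only a code and never writes, logs or stores anything derived from the candidate password.

```rexx
/* REXX - added example, not IBM's REXXPWEXIT sample.                   */
/* Assumed interface: the exit passes the userid and the candidate new  */
/* password as two blank-delimited arguments; the real exit may differ. */
/* Assumed rule: reject when any MINRUN consecutive characters of the   */
/* userid appear in the password, forwards or reversed, ignoring case.  */
/* Return code 0 = accept, 8 = reject (values assumed).                 */
parse arg userid newpwd .
minrun = 3                                 /* shortest userid fragment to match */
userid = translate(strip(userid))          /* fold both to upper case so the    */
newpwd = translate(strip(newpwd))          /* comparison is case-insensitive    */
if userid = '' | newpwd = '' then return 0 /* nothing to compare; defer to RACF */
if length(userid) < minrun then
   minrun = length(userid)                 /* short userid: match the whole id  */
do i = 1 to length(userid) - minrun + 1
   frag = substr(userid, i, minrun)
   /* a match in reverse(newpwd) means the password holds frag backwards */
   if pos(frag, newpwd) > 0 | pos(frag, reverse(newpwd)) > 0 then
      return 8                             /* reject; no message, no password */
end
return 0                                   /* accept; RACF's own rules still apply */
```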