But...but...  (Still expostulating, here, you see.)  When I want to open a
dataset for editing in TSO, the OS sends a question to the security system,
asking "is <Bob Bridges> allowed <this level of access> to <this dataset>?".
To identify <Bob Bridges> it specifies my ID.  The question is routed to
RACF, ACF2 or Top Secret, and the part of the OS that is performing the
action doesn't know and doesn't care which one - but before it performs the
open, it requires an answer from the security system, and all three of them
have an 8-byte limit on the ID.

You talk about authenticating with a certificate, but how would permissions
work in that case?  Isn't RACROUTE the funneling point for all such checks?
And doesn't RACROUTE require an 8-byte ID to identify the actor?

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* To be humble to superiors is duty, to equals courtesy, to inferiors
nobleness.  -Poor Richard */

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
Behalf Of Timothy Sipples
Sent: Saturday, May 2, 2020 02:34

RACF is a popular but optional z/OS component. z/OS is not equivalent to 
RACF. Second, if you are talking about RACF specifically, yes, it does use 
maximum 8 character user IDs.... But you're not required to authenticate 
with them. I (somewhat facetiously) pointed out that you don't have to 
authenticate at all, although (as I also pointed out) I'll urge you to at 
least perform authorizations. More seriously, z/OS RACF has supported 
client certificate authentication since the 1990s. (This feature was 
initially introduced way back in the OS/390 days. The OS/390 TN3270E 
Server picked up support for it with OS/390 2.9, backported to 2.8. IBM 
Personal Communications picked up support for this feature in the late 
1990s, too.) See here for an introductory reference:

https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.icha700/icha700_Enabling_client_login_using_certificates.htm

In this case users don't present maximum 8 character user IDs at all, or 
not really. They present digital certificates, and those may be coming 
from PIN-protected smart cards for example. Please do check this out! It's 
a really nifty solution, and the world seems to be (re)discovering it 
lately.

Another approach you can take is to authenticate with the IBM Directory 
Server for z/OS (or other LDAP server, but that one is a terrific one) and 
leverage a mapping to a "short name." This is the approach z/VSE takes 
when you turn on its included LDAP authentication support, and it's both 
simple and clever. You're certainly free to submit RFEs for IBM's 
consideration if you'd like more such features, such as a TSO/E sign on 
screen comparable to z/VSE's LDAP friendly sign on screen.

--- Bob Bridges wrote:
>Or put it this way: If you say I can be authenticated via LPAR using a
>longer ID, and then perform tasks on the mainframe using that ID, how 
>does RACF-or-whatever determine permissions?

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
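The exchange above (Bob's question about how the 8-byte ID reaches the authorization check, and Timothy's answer that a certificate or LDAP identity is mapped to a short name first) can be illustrated with a small model. The following is an added example written for this page; it is not RACF, ACF2 or Top Secret code and not anything from IBM. The mapping table, data set profiles and the simplified generic-profile matching are constructed for the illustration. The point it shows is that authentication may consume a long identity (here an X.509 subject DN), while the authorization funnel, the analogue of the RACROUTE request Bob describes, only ever sees the mapped 1-8 character user ID and rejects anything longer.

```python
"""Toy model of 'long identity in, 8-byte user ID out' (added example, not
RACF code). Authentication maps a certificate subject to a short ID; the
authorization check is keyed on that short ID alone."""

import re

# RACF-style access levels in increasing order (real RACF names).
ACCESS_LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Constructed mapping table: certificate subject DN -> mapped user ID.
# (Real systems hold this in the security database; this is inline sample data.)
CERT_MAP = {
    "CN=Bob Bridges,OU=Sysprog,O=Example Corp,C=US": "BOBBRID",
    "CN=Alice Example,OU=Audit,O=Example Corp,C=US": "ALICE",
}

# Constructed data set profiles: profile name -> (UACC, per-user access list).
PROFILES = {
    "BOBBRID.**":      ("NONE", {"BOBBRID": "ALTER"}),
    "SYS1.PARMLIB":    ("READ", {"BOBBRID": "UPDATE"}),
    "PROD.PAYROLL.**": ("NONE", {"ALICE": "READ"}),
}

# Simplified user ID syntax: 1-8 characters from a small alphabet (assumption).
USERID_RE = re.compile(r"^[A-Z0-9@#$]{1,8}$")


def validate_userid(userid: str) -> str:
    """Enforce the 8-byte limit at the funnel: over-long IDs cannot be asked about."""
    uid = userid.upper()
    if not USERID_RE.match(uid):
        raise ValueError(f"not a valid 1-8 character user ID: {userid!r}")
    return uid


def map_certificate(subject_dn: str) -> str:
    """Authentication step: the caller presents a certificate, never a user ID.
    The result is still an ID that fits the 8-byte field."""
    try:
        return validate_userid(CERT_MAP[subject_dn])
    except KeyError:
        raise PermissionError(f"no user ID mapped for certificate {subject_dn!r}")


def _match(pq, dq):
    """Simplified generic matching: '**' spans any number of trailing qualifiers,
    '*' matches exactly one qualifier (real RACF rules are richer)."""
    if not pq:
        return not dq
    if pq[0] == "**":
        return any(_match(pq[1:], dq[i:]) for i in range(len(dq) + 1))
    if not dq:
        return False
    if pq[0] == "*" or pq[0] == dq[0]:
        return _match(pq[1:], dq[1:])
    return False


def authorize(userid: str, dsname: str, requested: str) -> bool:
    """Authorization funnel: 'is <userid> allowed <requested> to <dsname>?'
    The only identity it sees is the 1-8 character ID."""
    uid = validate_userid(userid)
    dq = dsname.upper().split(".")
    matches = [p for p in PROFILES if _match(p.split("."), dq)]
    if not matches:
        return False  # no covering profile -> deny (PROTECTALL-style assumption)
    # Prefer the most specific profile: fewest generic qualifiers, then longest name.
    best = min(matches, key=lambda p: (sum(q in ("*", "**") for q in p.split(".")), -len(p)))
    uacc, acl = PROFILES[best]
    granted = acl.get(uid, uacc)
    return ACCESS_LEVELS.index(granted) >= ACCESS_LEVELS.index(requested.upper())


def open_dataset_with_cert(subject_dn: str, dsname: str, requested: str):
    """End to end: the certificate authenticates, the mapped short ID authorizes."""
    uid = map_certificate(subject_dn)
    return uid, authorize(uid, dsname, requested)


if __name__ == "__main__":
    bob = "CN=Bob Bridges,OU=Sysprog,O=Example Corp,C=US"
    print(open_dataset_with_cert(bob, "BOBBRID.JCL.CNTL", "UPDATE"))
    print(open_dataset_with_cert(bob, "PROD.PAYROLL.Y2020", "READ"))
```

The certificate subject can be as long as X.509 allows; nothing downstream of `map_certificate` ever handles it. That is the separation Timothy describes: authentication and the identity used for authorization are different things, and only the second is bound by the 8-byte field.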