I consulted a mainframe buddy of mine, who sent the info below. If the shop is running RACF as its security manager, you can try logging into TSO with userid IBMUSER password SYS1.
Hope this helps, Brian The primer userid that IBM supplies is IBMUSER and in fact it is hard coded into RACF. If you delete it RACF will add it back at the next IPL. IBMUSER comes out of the factory with RACF SYSTEM SPECIAL ready to be used to configure your system. Most sites pull the teeth of IBMUSER by removing any authority after they bootstrap RACF and REVOKEing it but it may remain enabled with the default password if someone forget AUDITing 101. It certainly is a default account. At least in old school shops it's unlikely this would ever be left open as an exploit. In new age shops that might be deploying z/OS.e just to support the new workloads like Wehsphere and where an mainframe audit is not (yet) an annual event it might just be left open if they did not get a good consultant. You can find the current z/OS Security Server nee RACF book shelf here http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/Shelves/ICHZBK21 Here is where you can find specific documentation that points IBMUSER and it's default password (SYS1) in the System Administrator's Guide. http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/ICHZA720/8.2?SHELF=ICHZBK21&DT=20020109124747 CICS at the current level is a another story. Since CICS no longer supports internal security it requires an external security manager IBM RACF/CA-Top-Secret,CA-ACF2 CICS itself does not have any default users. Many shops do wind up using the IBM samples and seeing an id called CICSUSER is not uncommon. CICSTEST,CICSPROD after also likely to be present in more than a few shops just by the way people seem to think. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
