Re: RACF password id checking

2009-03-10 Thread Hal Merritt
wants, of course. As we all do. Love your disclaimer tag. -Original Message- From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Roach, Dennis (N-GHG) Sent: Friday, March 06, 2009 3:26 PM To: IBM-MAIN@bama.ua.edu Subject: Re: RACF password id checking I have

Re: RACF password id checking

2009-03-10 Thread Roach, Dennis (N-GHG)
object, natural or manufactured, since the beginning of time. -Original Message- From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Hal Merritt Sent: Tuesday, March 10, 2009 9:28 AM To: IBM-MAIN@bama.ua.edu Subject: Re: RACF password id checking Ah

Re: RACF password id checking

2009-03-10 Thread Paul Gilmartin
On Tue, 10 Mar 2009 09:25:08 -0600, Roach, Dennis (N-GHG) wrote: Try FIPS 112 or ADS 545 for starters. Does IBM provide at least a sample exit supporting these industry recognized best practices? (Though I'd prefer default or at least optional over sample.) -- gil

Re: RACF password id checking

2009-03-10 Thread Tony Harminc
2009-03-06 Hal Merritt hmerr...@jackhenry.com wrote: IMHO: exits as a subspecies are evil critters. They become an ongoing maintenance challenge and tend to attract unwelcome attention from auditors. Exits are hard to write, hard to stress test, and introduce a level of risk. You need

Re: RACF password id checking

2009-03-10 Thread Ted MacNEIL
Exits are hard to write, hard to stress test, and introduce a level of risk. You need extraordinary measures in place to protect the code. You could say exactly the same thing about application code. I've worked in many a shop where the application source code had been missing for years. And,

Re: RACF password id checking

2009-03-10 Thread Hal Merritt
;-) -Original Message- From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Ted MacNEIL Sent: Tuesday, March 10, 2009 12:44 PM To: IBM-MAIN@bama.ua.edu Subject: Re: RACF password id checking Exits are hard to write, hard to stress test, and introduce a level of risk. You need

Re: RACF password id checking

2009-03-06 Thread Chase, John
-Original Message- From: IBM Mainframe Discussion List On Behalf Of Tommy Tsui Hi all, Is there any RACF password rule that can validate the password cannot be a part of USERID? or only write a user exit to implement it? That functionality requires an exit routine. -jc-

Re: RACF password id checking

2009-03-06 Thread Walt Farrell
On Fri, 6 Mar 2009 12:17:49 +0800, Tommy Tsui tommyt...@gmail.com wrote: Is there any RACF password rule that can validate the password cannot be a part of USERID? or only write a user exit to implement it? You would probably need an exit to do that. You can find a sample exit on the RACF

Re: RACF password id checking

2009-03-06 Thread Jousma, David
Rapids, MI 49546 MD RSCB1G p 616.653.8429 f 616.653.8497 -Original Message- From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Walt Farrell Sent: Friday, March 06, 2009 7:58 AM To: IBM-MAIN@bama.ua.edu Subject: Re: RACF password id checking On Fri, 6 Mar 2009

Re: RACF password id checking

2009-03-06 Thread Walt Farrell
On Fri, 6 Mar 2009 08:05:30 -0500, Jousma, David david.jou...@53.com wrote: Should I be scared of this? Externalizing the password rules in REXX? Seems to make it too easy to collect passwords. System REXX execs run APF-authorized, and the libraries containing them must be protected the same

Re: RACF password id checking

2009-03-06 Thread Hal Merritt
East Paris, Grand Rapids, MI 49546 MD RSCB1G p 616.653.8429 f 616.653.8497 -Original Message- From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Walt Farrell Sent: Friday, March 06, 2009 7:58 AM To: IBM-MAIN@bama.ua.edu Subject: Re: RACF password id checking

Re: RACF password id checking

2009-03-06 Thread Walt Farrell
On Fri, 6 Mar 2009 08:48:18 -0600, Hal Merritt hmerr...@jackhenry.com wrote: IMHO: exits as a subspecies are evil critters. They become an ongoing maintenance challenge and tend to attract unwelcome attention from auditors. Exits are hard to write, hard to stress test, and introduce a level of

Re: RACF password id checking

2009-03-06 Thread Tommy Tsui
I saw the REXX code and it's quite simple. Just turn it on... I will try it. Thanks for all of your help. On Fri, Mar 6, 2009 at 11:46 PM, Walt Farrell wfarr...@us.ibm.com wrote: On Fri, 6 Mar 2009 08:48:18 -0600, Hal Merritt hmerr...@jackhenry.com wrote: IMHO: exits as a subspecies are evil

Re: RACF password id checking

2009-03-06 Thread Walt Farrell
On Sat, 7 Mar 2009 00:12:16 +0800, Tommy Tsui tommyt...@gmail.com wrote: I saw the REXX code and it's quite simple. Just turn it on...I will try it .. thanks all of your help Do remember that it works only on z/OS R10 and later, though. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design

Re: RACF password id checking

2009-03-06 Thread Rick Fochtman
--snip- Is there any RACF password rule that can validate the password cannot be a part of USERID? or only write a user exit to implement it? --unsnip--- I used an exit to

Re: RACF password id checking

2009-03-06 Thread Rick Fochtman
snip Yikes, Should I be scared of this? Externalizing the password rules in REXX? Seems to make it too easy to collect passwords. ---unsnip- You can always use RACF to

Re: RACF password id checking

2009-03-06 Thread Rick Fochtman
snip--- IMHO: exits as a subspecies are evil critters. They become an ongoing maintenance challenge and tend to attract unwelcome attention from auditors. Exits are hard to write, hard to stress test, and introduce a level

Re: RACF password id checking

2009-03-06 Thread Tony B.
- From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Rick Fochtman Sent: Friday, March 06, 2009 12:34 PM To: IBM-MAIN@bama.ua.edu Subject: Re: RACF password id checking snip-- - IMHO: exits

Re: RACF password id checking

2009-03-06 Thread Schwarz, Barry A
@bama.ua.edu Subject: Re: RACF password id checking Exits are a good alternative when: 1. The skillful author never retires, finds a better job, gets laid off, is transferred, gets fired, wins the lottery, or ages. 2. The company never is merged, acquired, downsizes, asks for a government bailout

Re: RACF password id checking

2009-03-06 Thread Tony B.
'cuz the RACF ones I have to deal with... :-) -Original Message- From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Schwarz, Barry A Sent: Friday, March 06, 2009 1:09 PM To: IBM-MAIN@bama.ua.edu Subject: Re: RACF password id checking How do

Re: RACF password id checking

2009-03-06 Thread Rick Fochtman
To: IBM-MAIN@bama.ua.edu Subject: Re: RACF password id checking snip-- - IMHO: exits as a subspecies are evil critters. They become an ongoing maintenance challenge and tend to attract unwelcome attention from auditors. Exits

Re: RACF password id checking

2009-03-06 Thread Hal Merritt
] On Behalf Of Schwarz, Barry A Sent: Friday, March 06, 2009 1:09 PM To: IBM-MAIN@bama.ua.edu Subject: Re: RACF password id checking How do any of these considerations differ between an exit and the key applications the business depends on and without which they wouldn't need a computer system at all

Re: RACF password id checking

2009-03-06 Thread Roach, Dennis (N-GHG)
: Re: RACF password id checking In my 40+ years, exits tend to be politically motivated. That is, the business/technical issue is really easily solvable some other way. For the case in point, someone just wants the system to work differently. There is no technical justification, no business

Re: RACF password id checking

2009-03-06 Thread Tommy Tsui
I checked the following web site and it shows that z/OS R9 already supports this REXX... http://www-03.ibm.com/servers/eserver/zseries/zos/racf/downloads/rexxpwexit.html On Sat, Mar 7, 2009 at 12:50 AM, Walt Farrell wfarr...@us.ibm.com wrote: On Sat, 7 Mar 2009 00:12:16 +0800, Tommy Tsui

RACF password id checking

2009-03-05 Thread Tommy Tsui
Hi all, Is there any RACF password rule that can validate that the password is not a part of the USERID, or is writing a user exit the only way to implement it? Many thanks