S 2.290 Use of RACF exits

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

Along with the adaptation options of RACF (Resource Access Control Facility) by means of commands and parameters, it is furthermore possible to implement additional security rules by using RACF exits. Exits are passed through at different locations of the RACF functions and allow for individual interventions at these locations. Using exits requires high levels of know-how and experience in the field of assembler programming.

The following recommendations should be taken into consideration when using exits:

Maintenance of the exits

If exits are necessary to extend the RACF functionality, they must be installed via SMP/E (System Management Program/Enhanced) as Usermod (see S 2.293 Maintenance of zSeries systems).

DES algorithms for authentication

RACF encrypts the ID with the help of the DES algorithm (Data Encryption Standard), with the entered password being used as the key (the password itself is not stored in so doing). In order to ensure that the DES algorithm (and not the weaker Masking algorithm) is used, the ExitICHDEX01 delivered in the SYS1.LINKLIB must not be used in the Link Pack Area. Therefore, it is recommended to remove this load module and to disable the corresponding entry on SMP/E (Usermod) so that future maintenance activities do not reinstall this load module. The DES algorithm is normally the default setting when RACF is delivered under z/OS.

Changes to exit

It must be observed that any changes to exits require an IPL (Initial ProgramLoad). This does not include IRREVX01, which can be loaded dynamically afterwards.

Advanced password rules

It should be considered whether password rules mechanisms provided by the SETROPTS functions of RACF are sufficient or whether New Password Exit ICHPWX01 should be used to implement further password rules.

Use of tools

When using password synchronisation tools or tape management products, it must be checked whether RACF exits are delivered with the product or even constitute a prerequisite for operating the respective product.

Exit control

The use of exits can be controlled using the DSMON function. Such controls should be performed regularly within the framework of audits (see also S 2.291 Security reporting and security audits under z/OS). This does not include IRREVX01. However, this exit should also be controlled, if used.

Review questions:

• Have exits for extending the RACF functionality in z/OS been installed using SMP/E as Usermod?
• Has it been ensured that the DES algorithm or a stronger procedure is used for authentication in the z/OS systems?
• Is the use of exits regularly controlled within the framework of audits?