Mainframe
There are three options for managing RACF, CA-TopSecret, or CA-ACF2 user accounts or passwords on OS/390 or z/OS:
Using the connector for RACF (agtracf), CA-TopSecret (agtts), or CA-ACF2 (agtacf2), in conjunction with Mainframe Connector (sold separately), which is installed as a started task on the LPAR with the RACF, CA-TopSecret, or CA-ACF2 security database. The following sections deal with this method.
Mainframe Connector acts as a TCP/IP listener, and accepts inbound connections on a designated TCP port. The Bravura Security Fabric server negotiates a cryptographic handshake with the started task, and asks the started task to issue RACROUTE commands to enumerate accounts, validate current passwords, and perform other Bravura Security Fabric operations.
Mainframe Connector can also intercept password changes made in native mode in RACF, CA-TopSecret or CA-ACF2 and automatically trigger password synchronization for the user whose password changed.
See Mainframe Connector documentation for more information.
Using the Telnet connector (agttelnet), where the Telnet service is enabled and available through either TCP/IP or an SNA gateway. This method is less secure and robust, but requires no change control or local agent on the mainframe. Provided that the Telnet service is available, you can also use this method for systems running older versions of MVS.
See TCP Telnet HTTP or HTTPS Access to learn about this method.
Using the LDAP connector (agtldap) to connect to an LDAP directory server installed on the mainframe. This method is fast and potentially secure, if LDAP+SSL is used. Mainframe LDAP directory products are relatively new and quite fragile. Change control and a local software footprint on the mainframe are still required.
See LDAP Directories to learn how to target an LDAP directory.
RACF, CA-TopSecret and CA-ACF2 connectors
Connector name | agtracf |
Connector type | Executable |
Type (UI field value) | RACF (with Mainframe Connector) |
Connector status / support | Customer-Verified. Clients may contact Bravura Security support for assistance with this connector. Troubleshooting and testing must be completed in the client's test environment, as Bravura Security does not maintain internal test environments for the associated target system. |
Installation / setup | The |

Connector name | agtts |
Connector type | Executable |
Type (UI field value) | TopSecret (with Mainframe Connector) |
Connector status / support | Customer-Verified. Clients may contact Bravura Security support for assistance with this connector. Troubleshooting and testing must be completed in the client's test environment, as Bravura Security does not maintain internal test environments for the associated target system. |
Installation / setup | The |

Connector name | agtacf2 |
Connector type | Executable |
Type (UI field value) | ACF2 (with Mainframe Connector) |
Connector status / support | Customer-Verified. Clients may contact Bravura Security support for assistance with this connector. Troubleshooting and testing must be completed in the client's test environment, as Bravura Security does not maintain internal test environments for the associated target system. |
Installation / setup | The |
agtracf, agtts, and agtacf2 supported operations
The following Bravura Security Fabric operations are supported by the agents for RACF (agtracf), CA-TopSecret (agtts), and CA-ACF2 (agtacf2):
user verify password
get server information
user change password
administrator reset password
administrator reset+expire password
expire password (only RACF)
administrator verify password
verify+reset password
enable account
disable account
check account enabled
lock account
unlock account
check account lock
create account
delete account
update attributes
list account attributes
add user to group (only RACF and TopSecret)
delete user from group (only RACF and TopSecret)
List:
accounts
attributes
groups (only RACF and TopSecret)
members (only RACF and TopSecret)
Network resource update (only TopSecret and RACF)
Support for upgrades
Bravura Security's Mainframe Connector does not directly integrate with the operating system; it integrates with one of the three operating system security modules described above.
As long as those modules' plugin infrastructure does not change, the integration is supported.
Bravura Security recommends testing the integration several months before the production upgrade, so there can be time for us to address any issues introduced by the new version.
The current Mainframe Connector can communicate with connector packs 2.3.0 or newer.
Preparation
Before you configure Bravura Security Fabric to manage CA-ACF2, RACF, or CA-TopSecret user accounts and passwords with Mainframe Connector, you must:
Install Mainframe Connector on the mainframe. This process is documented in the Mainframe Connector documentation.
Document the host name or IP address of the mainframe LPAR where Mainframe Connector is installed.
Document the TCP port number of the Mainframe Connector socket listener.
Set the secret key in the configuration data set for Mainframe Connector to match the key on the Bravura Security Fabric server.
Create an unprivileged account on the mainframe. The Bravura Security Fabric server will have to present the password for this account before Mainframe Connector will accept administrative transactions from it.
Create at least one test account, whose password you will manage.
Best practice: Administrative account for targets using the Mainframe Connector
While it is possible to create an administrative account when installing the Mainframe Connector on a z/OS LPAR, this is not recommended. If it is done, then the ID and password must be used in the target system's Administrator credentials tab. However, this is not required, and is not always recommended, because the existence of this account could itself be an attack vector. The Mainframe Connector can be installed with an admin account of N/A, which disables this check.
Bravura Security recommends using an unprivileged account on the mainframe.
The connection between Bravura Security Fabric and the Mainframe Connector works as follows:
On a password change, Bravura Security Fabric initiates a connection on the started task port.
The Mainframe Connector replies with a challenge: a random string encrypted (via AES) with the Communications Key in the started task parameters.
Bravura Security Fabric decrypts the challenge string, and returns the first half of the string.
The Mainframe Connector verifies correctness of the response, or drops the session if it is incorrect.
If the challenge response is correct, the Mainframe Connector and Bravura Security Fabric continue their communication, encrypted with the second half of the challenge string as the random key.
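The challenge-response above, modelled in Go with both sides run in one process. This is an added example, not the product's code: the page does not specify the cipher mode, the challenge length or how the session key is derived, so AES-256-GCM with a fresh nonce, a 32-byte challenge and the raw second half as session key are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Assumed details (the page does not specify them): AES-256-GCM with a fresh
// random nonce, a 32-byte challenge, and the second half of the decrypted
// challenge used verbatim as the session key.
const challengeLen = 32

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Handshake runs both sides in-process: stKey is the started task's
// Communications Key, serverKey the Bravura Security Fabric server's copy.
// It returns the session key, or an error wherever the task drops the session.
func Handshake(stKey, serverKey []byte) ([]byte, error) {
	st, err := aead(stKey)
	if err != nil {
		return nil, err
	}
	// Started task: random challenge, encrypted with its Communications Key.
	buf := make([]byte, challengeLen+st.NonceSize())
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	challenge, nonce := buf[:challengeLen], buf[challengeLen:]
	wire := st.Seal(nil, nonce, challenge, nil)
	// Server: decrypt with its own copy of the key, answer with the first half.
	srv, err := aead(serverKey)
	if err != nil {
		return nil, err
	}
	plain, err := srv.Open(nil, nonce, wire, nil)
	if err != nil {
		return nil, errors.New("cannot decrypt challenge: key mismatch")
	}
	response := plain[:challengeLen/2]
	// Started task: verify the response; anything else drops the session.
	if !bytes.Equal(response, challenge[:challengeLen/2]) {
		return nil, errors.New("bad challenge response: session dropped")
	}
	// Both sides now encrypt the rest of the session with the second half.
	return challenge[challengeLen/2:], nil
}
```

Only a party holding the same Communications Key can produce the first half, which is why the key, not the administrative password, carries the security of the exchange.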
The first part of this communication involves an authentication request using an administrative account and password. To compromise security, an attacker would need to know the Mainframe Connector's address, the encryption algorithm (which is public knowledge), and the connection key (stored on the server, encrypted with another key). The attacker would need significant access to the mainframe LPAR or Bravura Security Fabric server to reverse engineer and decrypt keys.
An attacker with these privileges could do much more than change passwords on the LPAR, as they would have extensive control:
An LPAR administrator can perform any action.
An Active Directory administrator can remove z/OS user login accounts.
Someone with access to the Bravura Security Fabric server and the ability to decrypt the communications key can access sensitive information.
Any attacker who can impersonate Bravura Security Fabric through the AES challenge wouldn't be deterred by needing to know an administrative account and password. The existence of this administrative account itself poses a potential security risk.
As a result, the Mainframe Connector supports passwords for target system administrative accounts, not passphrases, to maintain security.
Mainframe Connector does support managed accounts with passphrases; this restriction applies only to the target system administrative credential.
For mainframe targets using ACF2 security, a passphrase reset modifies the PHP-EXP field on the mainframe. This requires the special permission "SECURITY" to be granted to the mainframe user that is created on the mainframe when the MFC connector is first set up. That user is used as the "Run as" identity when operations are performed through the target's credential. Without the proper permission assigned, the reset operation fails.
Targeting a RACF, CA-TopSecret, or CA-ACF2 system with Mainframe Connector
For each mainframe instance, add a target system in Bravura Security Fabric (Manage the System > Resources > Target systems).
Type is one of the following:
ACF2 (with Mainframe Connector)
RACF (with Mainframe Connector)
TopSecret (with Mainframe Connector)
Address uses the options described in the table below.
Administrator ID and Password are the name and password of the placeholder account that you created earlier.
Table 1. ACF2, RACF, TopSecret address configuration
Option | Description |
Server (key: server) | DNS name or IP address. |
Port (key: port) | The Mainframe Connector listener TCP port number. |
Passphrase reset/verify (key: passphrase) | Optionally enable the target system to manage a second password attribute named "passphrase". The option selects which of the password and the passphrase are used for authentication and password resets, as described in the settings below. |
Settings for the passphrase option:
Reset/verify password
Only a password is used; the passphrase is not used.
If a password is longer than 8 characters, it is truncated to the first 8 characters.
Reset/verify passphrase
Only a passphrase is used; the password is not used.
The passphrase must be longer than 8 characters.
Reset/verify both password and passphrase
Both the password and the passphrase may be passed in, depending on length.
If the password is 8 characters or under, only the password is passed in; the passphrase is not passed in.
If it is longer than 8 characters, the passphrase is passed in and the password is truncated to the first 8 characters.
Reset/verify either password or passphrase (dependent on password length)
Only one of the password and the passphrase is passed in, depending on length.
The password is used if it is 8 characters or under; the passphrase is not used.
The passphrase is used if it is longer than 8 characters; the password is not used.
Note
Maintaining both password and passphrase is not recommended for the same target as it may cause confusion as to what the password/passphrase is set to and when the password is truncated. If both must be maintained, it is best to have two targets configured with each having their own password policies defined.
The address syntax is as follows:
<DNS name (or IP address)>/<port number>[/passphrase=<true|false|both|either-or>]
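An added example (not Bravura's code) that parses the address syntax above and applies the Table 1 length rules to a new secret, so the truncation the note warns about is visible. It assumes that passphrase=false is the password-only setting, passphrase=true the passphrase-only setting, and that an omitted option means false; the page does not state that mapping.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

var passphraseOptions = map[string]bool{"true": true, "false": true, "both": true, "either-or": true}

// ParseAddress splits <server>/<port>[/passphrase=<option>] into its parts.
// Treating a missing option as "false" (password only) is an assumption of
// this example, not a documented default.
func ParseAddress(addr string) (server string, port int, option string, err error) {
	parts := strings.Split(addr, "/")
	if len(parts) < 2 || len(parts) > 3 {
		return "", 0, "", fmt.Errorf("address %q: want server/port[/passphrase=...]", addr)
	}
	if port, err = strconv.Atoi(parts[1]); err != nil || port < 1 || port > 65535 {
		return "", 0, "", fmt.Errorf("address %q: bad port", addr)
	}
	option = "false"
	if len(parts) == 3 {
		opt, ok := strings.CutPrefix(parts[2], "passphrase=")
		if !ok || !passphraseOptions[opt] {
			return "", 0, "", fmt.Errorf("address %q: bad passphrase option", addr)
		}
		option = opt
	}
	return parts[0], port, option, nil
}

// Credentials is what one reset/verify passes in; an empty field means that
// attribute is not passed at all.
type Credentials struct{ Password, Passphrase string }
const pwMax = 8 // a longer password is truncated to its first 8 characters

// Select applies the Table 1 length rules to a new secret (ASCII assumed).
func Select(option, secret string) (Credentials, error) {
	long := len(secret) > pwMax
	pw := secret
	if long {
		pw = secret[:pwMax]
	}
	switch {
	case option == "true" && !long:
		return Credentials{}, errors.New("passphrase must be longer than 8 characters")
	case option == "true", option == "either-or" && long:
		return Credentials{Passphrase: secret}, nil
	case option == "both" && long:
		return Credentials{Password: pw, Passphrase: secret}, nil
	case passphraseOptions[option]:
		return Credentials{Password: pw}, nil
	}
	return Credentials{}, fmt.Errorf("unknown passphrase option %q", option)
}
```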
Transparent synchronization
Mainframe Connector can intercept password changes on OS/390 or z/OS mainframes with RACF, ACF2 or TopSecret security software. This is done by inserting an exit trap into the security system and by installing an authorized task which starts at IPL.
Together, the exit and task apply the password strength rules defined on the Bravura Pass server to all new password selections, made using any user interface, natively on MVS or OS/390. The task forwards a request for synchronization to the Bravura Pass server after every successful mainframe password change.
Before installing the exit and task on your mainframe, be sure to inform your users that:
All mainframe password changes for users who appear in the Bravura Pass server’s user database will be subjected to the password policy enforced on the Bravura Pass server.
When users who are defined on the Bravura Pass server change their passwords on the mainframe, their new password will be automatically applied to all of their other accounts, on other systems defined on the Bravura Pass server.
Refer to the Mainframe Connector documentation for detailed instructions about installing and configuring the exit and task on your security system (RACF, ACF2 or TopSecret).
If you install Mainframe Connector, but do not install the password exit in your security product, then Bravura Pass will be able to manage mainframe passwords, but transparent password synchronization will not be triggered by native mainframe password changes.
Configuring the Password Manager service for transparent synchronization
The interceptor installed with Mainframe Connector uses a legacy protocol to communicate with the Password Manager service (idpm). You must configure the Password Manager service (idpm) for backward compatibility:
Set the following field to use the port configured for this interceptor (default 3333):
Enable this port for backward compatibility (to communicate with older interceptors/triggers). Must be different from Port number above
Add a CIDR mask address for the trigger system in the following setting:
Comma-delimited list of IP addresses with CIDR bitmask that are allowed to send socket requests
If using load balancers, do not configure any SSL options for transparent synchronization traffic. SSL options should only be configured on load balancers for WebUI traffic, not transparent synchronization. Transparent synchronization is encrypted using a proprietary encryption algorithm. Contact support@bravurasecurity.com for more details. See Password Manager Service (idpm) for more information.
Handling account attributes
Customer data fields
Customer data fields (CSDATA_*) can be managed by Mainframe Connector 7.0.1+. You can add target system attributes at the target system type or target system level for custom fields that are to be managed in Bravura Security Fabric.
These attributes can be set on account creation or updated on existing user accounts.
TopSecret network resource operations
The TopSecret network resource update operation (NRUP) allows changes to the ACLs of programs and datasets. This requires:
Bravura Security Fabric 6.2.1 or higher.
Mainframe Connector 7.0.2 or higher
The operation parameter (resourcetype) is the TSS resource class (for example, DSNAME or TSOACCT).
The operation parameter (resourceaddress) is the resource name.
The following account attributes can be mapped to a request-only attribute to set the flags on the network resource update:
ACL_ACCESS can be one or more access levels (such as READ, UPDATE, FETCH, NONE, ALL). A comma-separated list is used to combine access levels (for example READ,UPDATE).
ACL_SUBJECT is the target userid involved in the request.
To submit requests for network resources in Bravura Security Fabric 6.2.1 or higher, you must use the IDSYNCH REQUEST REWRITE PLUGIN to add the resource operations to the request.
RACF network resource operations
The RACF network resource update operation (NRUP) allows changes to the ACLs of programs and datasets. This requires:
RACF security products that support resource access lists.
Bravura Security Fabric 6.2.1 or higher.
Mainframe Connector 7.0.2 or higher
The operation parameter (resourcetype) is the resource class (for example, DATASET, FACILITY, PROGRAM). The operation parameter (resourceaddress) is the resource class profile.
The following account attributes can be mapped to a request-only attribute to set the flags on the network resource update:
ACL_ACCESS can be READ, DELETE, UPDATE, EXECUTE, CONTROL, ALTER, NONE, depending on the resource class.
ACL_GENERIC can be T or F. Only required if the class is a DATASET.
ACL_CONDITION maps to the WHEN condition for the PERMIT command.
Information on the PERMIT command can be found here:
http://publib.boulder.ibm.com/infocenter/zos/v1r12/topic/com.ibm.zos.r12.icha400/permit.htm#permit
To submit requests for network resources in Bravura Security Fabric 6.2.1 or higher, you must use the IDSYNCH REQUEST REWRITE PLUGIN to add the resource operations to the request.
RACF account revoke and resume
Bravura Security Fabric uses the following attributes supplied by agtracf to control behavior on RACF target systems:
BASE_REVOKE: This attribute is present on listing and set to "T" if an account is revoked. To revoke an account using the BASE_REVOKE attribute, set the value to "YES".
BASE_REVOKEDT: If a revoke date is set on the account, it is listed in BASE_REVOKEDT. To remove the revoke date from the account, set this attribute to "NO". Otherwise, the date (YYYY-MM-DD) is set as the revoke date for the account.
BASE_RESUME: This attribute is not listed by default (BASE_RESUME omitted implies "T"). To resume an account using the BASE_RESUME attribute, set the value to "YES".
BASE_RESUMEDT: If a resume date is set on the account, it is listed in BASE_RESUMEDT. To remove the resume date from the account, set this attribute to "NO". Otherwise, the date (YYYY-MM-DD) is set as the resume date for the account.
In both cases, if BASE_RESUME or BASE_REVOKE is set, the date is ignored. To update both the status flag and the date, two requests need to be submitted (just as the native ALTUSER RESUME/REVOKE operates).
ACF2 date format
On ACF2 targets, the ACTIVE and EXPIRY attributes are listed and set with an ISO-formatted date (YYYY-MM-DD). When updated on the ACF2 target, the default format (mm/dd/yy) is used. If ACF2 is configured differently, the behavior can be set with the registry entry in:
HKLM\SOFTWARE\Bravura Security\Bravura Security Fabric\<instance>\
Entry name: ACF2_DATE_FORMAT
Value:
0 = mm/dd/yy
1 = dd/mm/yy
2 = yy/mm/dd
Data type: DWORD
Default: 0
Warning
Ensure that you are comfortable and knowledgeable in the mechanics of the registry before you attempt to change any configuration settings. Contact support@bravurasecurity.com if in doubt.
Troubleshooting
If you experience any errors, check the mainframe’s address in the Bravura Security Fabric database, and confirm that the placeholder account you defined can log in and perform operations. If this fails, there is probably an error in the configuration of Mainframe Connector. Please refer to the Mainframe Connector documentation for further information.