Preparation
Before you configure Bravura Security Fabric to manage CA-ACF2, RACF, or CA-TopSecret user accounts and passwords with Mainframe Connector, you must:
Install Mainframe Connector on the mainframe. This process is documented in the Mainframe Connector documentation.
Document the host name or IP address of the mainframe LPAR where Mainframe Connector is installed.
Document the TCP port number of the Mainframe Connector socket listener.
Set the secret key in the configuration data set for Mainframe Connector to match the key on the Bravura Security Fabric server.
Create an unprivileged account on the mainframe. The Bravura Security Fabric server will have to present the password for this account before Mainframe Connector will accept administrative transactions from it.
Create at least one test account, whose password you will manage.
Best practice: Administrative account for targets using the Mainframe Connector
While it is possible to create an administrative account when installing the Mainframe Connector on a z/OS LPAR, this is not recommended. If one is created, its ID and password must be entered in the target system's Administrator credentials tab. However, this is not required and is not always recommended, because the existence of this account could itself be an attack vector. The Mainframe Connector can be installed with an admin account of N/A, which disables this check.
Bravura Security recommends using an unprivileged account on the mainframe.
The connection between Bravura Security Fabric and the Mainframe Connector works as follows:
On a password change, Bravura Security Fabric initiates a connection on the started task port.
The Mainframe Connector replies with a challenge: a random string encrypted (via AES) with the Communications Key in the started task parameters.
Bravura Security Fabric decrypts the challenge string, and returns the first half of the string.
The Mainframe Connector verifies correctness of the response, or drops the session if it is incorrect.
If the challenge response is correct, the Mainframe Connector and Bravura Security Fabric continue their communication, encrypted with the second half of the challenge string as the random key.
The first part of this communication is an authentication request using an administrative account and password. To compromise security, an attacker would need to know the Mainframe Connector's address, the encryption algorithm (which is public knowledge), and the connection key (stored on the server, encrypted with another key). The attacker would need significant access to the mainframe LPAR or the Bravura Security Fabric server to reverse engineer and decrypt the keys.
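The handshake described above, as an added illustration that is not the vendor's code: the page names AES but not the mode, the challenge length or the message framing, so this Go model assumes AES-GCM, a 32-byte challenge (first half returned as proof of key possession, second half used as a 16-byte AES-128 session key) and a single-message authentication request; the type, function and field names are invented for the example. It shows the property the text relies on: a server that does not hold the Communications Key cannot decrypt the challenge, so the session is dropped before any administrative credential is sent.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"io"
)

// Assumed framing, since the page only says "AES": AES-GCM, and a 32-byte
// challenge whose second half serves as a 16-byte AES-128 session key.
const challengeLen = 32

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key, prepending a fresh random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails when the key is wrong or the data was altered.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Connector models the Mainframe Connector, Fabric the server; both hold the Communications Key.
type Connector struct {
	commsKey  []byte
	challenge []byte // random challenge for the current session
}
type Fabric struct{ commsKey []byte }

// IssueChallenge: the connector draws a random string and sends it AES-encrypted.
func (c *Connector) IssueChallenge() ([]byte, error) {
	c.challenge = make([]byte, challengeLen)
	if _, err := io.ReadFull(rand.Reader, c.challenge); err != nil {
		return nil, err
	}
	return seal(c.commsKey, c.challenge)
}

// Respond: the server decrypts the challenge, returns the first half and keeps the second as session key.
func (f *Fabric) Respond(encChallenge []byte) ([]byte, []byte, error) {
	plain, err := open(f.commsKey, encChallenge)
	if err != nil || len(plain) != challengeLen {
		return nil, nil, errors.New("challenge rejected: wrong key or malformed message")
	}
	return plain[:challengeLen/2], plain[challengeLen/2:], nil
}

// Verify: constant-time check of the response; a mismatch drops the session, a match yields the session key.
func (c *Connector) Verify(response []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare(response, c.challenge[:challengeLen/2]) != 1 {
		return nil, errors.New("bad challenge response: session dropped")
	}
	return c.challenge[challengeLen/2:], nil
}

// Handshake runs the exchange end to end, then carries the first protected message
// (the authentication request) from server to connector under the session key.
func Handshake(c *Connector, f *Fabric, authRequest string) (string, error) {
	encChallenge, err := c.IssueChallenge()
	if err != nil {
		return "", err
	}
	response, fabricKey, err := f.Respond(encChallenge)
	if err != nil {
		return "", err
	}
	connectorKey, err := c.Verify(response)
	if err != nil {
		return "", err
	}
	sealedReq, err := seal(fabricKey, []byte(authRequest))
	if err != nil {
		return "", err
	}
	plain, err := open(connectorKey, sealedReq) // connector reads it with its own copy of the key
	return string(plain), err
}
```

Calling Handshake with a Connector and a Fabric that share a 16-, 24- or 32-byte key returns the authentication request as the connector decrypts it; giving the Fabric any other key makes Respond fail at the decryption step, which is the point the page makes about an attacker needing the connection key. Note that GCM authenticates the ciphertext, so a tampered challenge is rejected rather than decrypted to garbage; a plain AES mode would not give that guarantee.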
An attacker with these privileges could do much more than change passwords on the LPAR, as they would have extensive control:
An LPAR administrator can perform any action.
An Active Directory administrator can remove z/OS user login accounts.
Someone with access to the Bravura Security Fabric server and the ability to decrypt the communications key can access sensitive information.
Any attacker who can impersonate Bravura Security Fabric through the AES challenge would not be deterred by needing to know an administrative account and password. The existence of this administrative account itself poses a potential security risk.
As a result, the Mainframe Connector supports passwords for target system administrative accounts, not passphrases, to maintain security.
Mainframe Connector does support managed accounts with passphrases; this restriction applies only to the target system administrative credential.
For mainframe targets using ACF2 security, a passphrase reset modifies the PHP-EXP field on the mainframe server. This requires the special permission "SECURITY" to be granted to the mainframe user that is created on the mainframe server when the MFC connector is initially set up. This user is used as the "Run as" identity when operations are performed through the target's credential. Without the proper permission assigned, the reset operation fails.