Transparent synchronization

Mainframe Connector can intercept password changes on OS/390 or z/OS mainframes, with RACF, ACF2 or TopSecret security software. This is done by inserting an exit trap into the security system, and by installing an authorized task which starts at IPL.

The combination of the exit and the task applies the password strength rules defined on the Bravura Pass server to all new password selections made through any user interface, natively on MVS or OS/390. The task forwards a request for synchronization to the Bravura Pass server after every successful mainframe password change.

Before installing the exit and task on your mainframe, be sure to inform your users that:

  • All mainframe password changes for users who appear in the Bravura Pass server’s user database will be subjected to the password policy enforced on the Bravura Pass server.

  • When users who are defined on the Bravura Pass server change their passwords on the mainframe, their new password will be automatically applied to all of their other accounts, on other systems defined on the Bravura Pass server.

Refer to the Mainframe Connector documentation for detailed instructions about installing and configuring the exit and task on your security system (RACF, ACF2 or TopSecret).

If you install Mainframe Connector, but do not install the password exit in your security product, then Bravura Pass will be able to manage mainframe passwords, but transparent password synchronization will not be triggered by native mainframe password changes.

Configuring the Password Manager service for transparent synchronization

The interceptor installed with Mainframe Connector uses a legacy protocol to communicate with the Password Manager service (idpm). You must configure the Password Manager service (idpm) for backward compatibility:

  • Set the following field to use the port configured for this interceptor (default 3333):

    Enable this port for backward compatibility (to communicate with older interceptors/triggers). Must be different from Port number above

  • Add a CIDR mask address for the trigger system in the following setting:

    Comma-delimited list of IP addresses with CIDR bitmask that are allowed to send socket requests

If using load balancers, do not configure any SSL options for transparent synchronization traffic. SSL options should only be configured on load balancers for WebUI traffic, not transparent synchronization. Transparent synchronization is encrypted using a proprietary encryption algorithm. Contact support@bravurasecurity.com for more details. See Password Manager Service (idpm) for more information.
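A pre-check for the port and allow-list settings described above, as an added example that is not part of the Bravura Pass or Mainframe Connector documentation: it parses the comma-delimited CIDR list, confirms the trigger system's address is covered, flags ranges wider than a locally chosen limit, and verifies that the backward-compatibility port differs from the main port. The function name, the /24 limit, the main port value and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

LEGACY_PORT_DEFAULT = 3333  # default interceptor port stated on this page


def check_idpm_legacy_settings(allow_list, trigger_ip, legacy_port, main_port,
                               min_prefix_v4=24):
    """Return a list of findings; an empty list means the values look sane.

    allow_list    -- the comma-delimited CIDR string as typed into the setting
    trigger_ip    -- address the mainframe task connects from (assumed known)
    min_prefix_v4 -- hypothetical local policy: flag IPv4 ranges wider than this
    """
    findings = []
    if not 1 <= legacy_port <= 65535:
        findings.append(f"legacy port {legacy_port} is out of range")
    if legacy_port == main_port:
        findings.append("legacy port must differ from the main port")

    source = ipaddress.ip_address(trigger_ip)
    covered = False
    for raw in allow_list.split(","):
        entry = raw.strip()
        if not entry:
            findings.append("empty entry (stray comma)")
            continue
        if "/" not in entry:
            findings.append(f"{entry}: missing CIDR bitmask")
            continue
        try:
            # strict=False tolerates host bits below the mask (10.1.2.3/24)
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError as exc:
            findings.append(f"{entry}: {exc}")
            continue
        if net.version == 4 and net.prefixlen < min_prefix_v4:
            findings.append(f"{entry}: wider than /{min_prefix_v4}")
        if source in net:
            covered = True
    if not covered:
        findings.append(f"trigger system {trigger_ip} is not covered")
    return findings


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges, made-up main port).
    for line in check_idpm_legacy_settings("198.51.100.0/24, 192.0.2.10",
                                           "192.0.2.10", LEGACY_PORT_DEFAULT, 4444):
        print("FINDING:", line)
```

An empty result means the list is well-formed, covers the trigger system, and stays within the chosen width limit; it does not confirm what the service itself accepts.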