OIDCARD IN RACF




Post by use_hadi » Tue Jul 30, 2019 5:43 pm

Hi friends

How to activate OIDCARD in z/OS RACF?
Is OIDCARD a Physical Device?
How do they use it?
You might describe the OIDCARD.

Thank you.
use_hadi
 

 

Re: OIDCARD IN RACF

Post by enrico-sorichetti » Tue Jul 30, 2019 6:22 pm

Googling with OIDCARD will return quite a few links that will tell all you might want to know about the subject.
cheers
enrico
When I tell somebody to RTFM or STFW I usually have the page open in another tab/window of my browser,
so that I am sure that the information requested can be reached with a very small effort

Re: OIDCARD IN RACF

Post by Robert Sample » Tue Jul 30, 2019 6:28 pm

From the Security Administrator's Guide for RACF version 2.3, page 1:
User identification and verification
RACF controls access to and protects resources. For a software access control mechanism to work effectively, it must first identify the person who is trying to gain access to the system, and then verify that the user is really that person.
RACF uses a user ID and a system-encrypted password or password phrase to perform its user identification and verification. When you define a user to RACF, you assign a user ID and password or a password phrase. The user ID identifies the person to the system as a RACF user.
The password or password phrase verifies the user's identity. The password or password phrase permits initial entry to the system, at which time the person is required to choose a new password or password phrase. Unless the user divulges it, no one else knows the user ID-password or password phrase combination.
During terminal processing, RACF allows the use of an operator identification card (OIDCARD) in place of, or in addition to, the password or password phrase. (The OIDCARD information is also encrypted.) By requiring a user to know both the correct password and the correct OIDCARD, you have increased assurance that the proper user has entered the user ID.
OIDCARD is activated, like many other things in RACF, via the ALU TSO command.


Re: OIDCARD IN RACF

Post by Robert Sample » Tue Jul 30, 2019 8:21 pm

Also, from the TSO/E Administration manual version 2.1, in the section entitled RACF Security Information:
OPERATOR ID CARD
The OPERATOR ID CARD field indicates whether the user must insert an operator ID card in a card reader when logging onto the system. (Some terminals have a card reader attachment for reading operator ID cards during LOGON processing. Using operator ID cards is a security feature.) If the field specifies Y, the administrator enrolling the person must insert the same card during enrollment to associate the card with the user. The field is preset to N, which indicates no card is required.
I don't recall ever using a terminal with an attached card reader, and I haven't found anything about what happens if the terminal does not have an attached card reader but OIDCARD is specified. Unless the terminal(s) you're using have attached card readers, I recommend staying away from the OIDCARD option of RACF.

Re: OIDCARD IN RACF

Post by Robert Sample » Tue Jul 30, 2019 10:16 pm

I had a chance to do a little more research. Page 88 of http://www.textfiles.com/bitsavers/pdf/ibm/3270/GA27-2742-1_Operators_Guide_for_IBM_3270_Information_DIsplay_Systems_Jul72.pdf, which is the 1972 (yes, 47 years ago) version of the Operators Guide for IBM 3270 Information Display Systems manual, has a picture of an OIDCARD reader attached to a 3270 terminal.

