Modernization Hub

Credentials

Enhanced Definition

In the mainframe context, credentials refer to the authentication information required by a user, program, or system component to verify its identity and gain authorized access to z/OS resources. This typically involves a `User ID` and a `password` or `passphrase`, managed by an `External Security Manager (ESM)` like `RACF`, `ACF2`, or `Top Secret`.

Key Characteristics

    • User ID: A unique identifier assigned to an individual user, a batch job, a started task, or a system component within the mainframe environment.
    • Password/Passphrase: A secret string of characters associated with a User ID, used to prove the identity of the user or entity during the authentication process. Passphrases are longer and offer enhanced security over traditional passwords.
    • Managed by ESM: All credentials and their associated access rights are centrally managed and enforced by an External Security Manager (e.g., RACF, ACF2, Top Secret).
    • Authentication Input: Credentials are the primary input for the authentication process, which verifies the identity before granting access to resources.
    • Case Sensitivity: Depending on the ESM configuration and specific field, passwords and User IDs can be case-sensitive.
    • Expiration and History: ESMs typically enforce password expiration policies and maintain a history of previous passwords to prevent reuse.

Use Cases

    • User Logon: When a user logs into TSO/ISPF, CICS, IMS, or OMVS (UNIX System Services), they provide their User ID and password to gain interactive access.
    • Batch Job Submission: A JCL job's JOB statement often includes a USER parameter (and sometimes PASSWORD or GROUP) to specify the identity under which the job will execute, determining its access rights to datasets and other resources.
    • Started Tasks (STCs): System services and daemons that run as Started Tasks are associated with a specific User ID in the ESM, which defines their privileges to perform system functions.
    • Programmatic Access: Applications (e.g., COBOL programs, REXX execs) that interact with secure resources operate under the identity of the logged-on user or the job's User ID; the ESM uses that identity, established when the original credentials were verified, for its authorization checks.
    • API and Integration: For modern mainframe integration, REST APIs or SOAP services often require credentials (e.g., User ID/password in headers or tokens) for authenticating external systems or applications.

Related Concepts

Credentials are the cornerstone of mainframe security and access control. They are the initial input for External Security Managers (ESMs) like RACF, ACF2, or Top Secret, which perform authentication to verify identity. Once authenticated, the ESM uses the associated User ID to perform authorization checks against resource profiles, determining what datasets, programs, transactions, or system commands the entity is permitted to access. This entire process is critical for maintaining the confidentiality, integrity, and availability of z/OS systems.

Best Practices

    • Strong Passwords/Passphrases: Enforce robust password policies, including minimum length, complexity requirements, and preferably, the use of long passphrases (e.g., 9-100 characters) to resist brute-force attacks.
    • Regular Expiration: Mandate periodic password/passphrase changes and prevent reuse of recent passwords to mitigate the risk of compromised credentials.
    • Multi-Factor Authentication (MFA): Implement MFA for enhanced security, especially for privileged accounts, using solutions like IBM Z Multi-Factor Authentication or third-party products.
    • Least Privilege: Assign only the minimum necessary authorizations to a User ID based on its specific function, limiting potential damage if credentials are compromised.
    • Audit Logging: Enable comprehensive logging of all authentication attempts (successful and failed) within the ESM to detect suspicious activity and support security investigations.
    • Secure Storage and Handling: Never hardcode credentials directly into JCL or application code; instead, rely on the system's security context or secure credential management solutions.
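The "Batch Job Submission" use case above and the "Secure Storage and Handling" practice meet in the JOB statement: USER= names the identity a job runs under, but a PASSWORD= parameter in the same statement is a credential hardcoded in the deck. The following is an added example (not code from the page or from any vendor product) of a small audit check: it scans constructed sample JCL for JOB statements, including continuation lines, reports the jobs that carry PASSWORD=, and produces a remediated copy that keeps USER= but drops the password so authentication comes from the submitter's security context. Job names, account fields and the password value are made-up sample data.

```python
import re

# Constructed sample JCL (not from the page): PAYROLL hardcodes a password on a
# continued JOB statement; REPORT names a USER but leaves authentication to the
# submitter's security context.
SAMPLE_JCL = """\
//PAYROLL  JOB (ACCT01),'NIGHTLY PAY',CLASS=A,MSGCLASS=X,
//             USER=PAYUSR,PASSWORD=Sup3rSecret,GROUP=PAYGRP
//STEP1    EXEC PGM=IEFBR14
//REPORT   JOB (ACCT02),'REPORT',CLASS=B,USER=RPTUSR
//STEP1    EXEC PGM=IEFBR14
"""

JOB_STMT = re.compile(r"^//(\S+)\s+JOB\b", re.IGNORECASE)
# PASSWORD=value plus one adjoining comma, so removing the match keeps the
# parameter list well-formed.
PASSWORD_PARAM = re.compile(r",PASSWORD=[^,\s]+|PASSWORD=[^,\s]+,?", re.IGNORECASE)

def job_statements(lines):
    """Yield (jobname, first_index, last_index) for every JOB statement.
    JCL continues a statement when the line ends with a comma and the next
    line is '//' followed by blanks."""
    i = 0
    while i < len(lines):
        m = JOB_STMT.match(lines[i])
        if m:
            start = i
            while (lines[i].rstrip().endswith(",") and i + 1 < len(lines)
                   and lines[i + 1].startswith("// ")):
                i += 1
            yield m.group(1), start, i
        i += 1

def find_hardcoded_passwords(jcl):
    """Audit finding: names of jobs whose JOB statement carries PASSWORD=."""
    lines = jcl.splitlines()
    return [name for name, s, e in job_statements(lines)
            if any(PASSWORD_PARAM.search(l) for l in lines[s:e + 1])]

def strip_passwords(jcl):
    """Remediated JCL: PASSWORD= removed from JOB statements. USER= is kept so
    the job still runs under the intended identity; authentication then comes
    from the submitter's security context instead of a secret in the deck."""
    lines = jcl.splitlines()
    for _, s, e in job_statements(lines):
        for i in range(s, e + 1):
            lines[i] = PASSWORD_PARAM.sub("", lines[i])
    return "\n".join(lines) + "\n"
```

Calling `find_hardcoded_passwords(SAMPLE_JCL)` reports `['PAYROLL']`, and `strip_passwords(SAMPLE_JCL)` returns the deck with only the PASSWORD parameter removed; the check only looks at JOB statements, so credentials placed elsewhere (in-stream data, program parameters) need a separate review.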
