You’ve Solved Password Resets for Your Network. Now What About Your Mainframe?

Humans. For the person managing network access, we are nothing but a pain. That’s because network access involves passwords, and passwords are hard for humans. We hide them, lose them, forget them, share them, and fail to update them.

The struggle is real, and understandable. We are buried in passwords. They’re needed for every aspect of our lives. To keep track of them, most of us write them down and use the “increment” strategy to avoid recreating and trying to memorize a different password at every turn. But the struggle continues.

Yes, passwords are hard for humans. And that makes them an incredibly weak security solution.

If you’ve been in IT for any length of time, you get it. For years, password resets were a constant interruption and source of irritation for IT. Fortunately, that changed when password-reset tools came along. Now used by most enterprises, these tools help IT shops get out of the password-reset business and onto more strategic tasks.

What About Mainframe Passwords?

Mainframe-password resets are even more costly and time consuming than network-password resets. That’s because mainframe passwords have to be reset in RACF, on the mainframe, which means someone who has mainframe access and knows how to execute this type of command has to do it—typically a mainframe systems programmer/admin. Plus, mainframe users often need access to multiple hosts and applications. And each application requires a separate username and password.

There are no automated password-reset tools for the mainframe—your wealthiest data bank of all. But what if there were a completely different way to solve this problem? What if you could get rid of mainframe passwords altogether and strengthen security for mainframe access in the process?

In fact, there is a way that you can do just that. Two Micro Focus products—Host Access Management and Security Server (MSS) and an MSS add-on product called Automated Sign-On for Mainframe (ASM) make it possible.

How Do MSS and ASM Work?

MSS puts a security control point between mainframe users and your host systems. It uses your existing Identify and Access Management structure—specifically, strong authentication—to authorize access to the mainframe. The MSS-ASM combo enables automatic sign-on all the way to the mainframe application—eliminating the need for users to enter any IDs or passwords.

Here’s what’s happening behind the scenes: When a user launches a mainframe session though a Micro Focus terminal emulator’s logon macro, the emulator requests the user’s mainframe credentials from MSS and ASM. ASM employs the user’s enterprise identity to get the mainframe user ID.

Then, working with the IBM z/OS Digital Certificate Access Server (DCAS) component, ASM obtains a time-limited, single-use RACF PassTicket for the target application. In case you didn’t know, PassTickets are dynamically generated by RACF each time users attempt to sign on to mainframe applications. Unlike static passwords, PassTickets offer replay protection because they can be used only once. PassTickets also expire after a defined period of time (10 minutes by default), even if they have never been used. These features all translate into secure access.

ASM returns the PassTicket and mainframe user ID to the terminal emulator’s logon macro, which sends the credentials to the mainframe to sign the user on to the application.

No interaction is needed from the user other than starting the session in the usual way. Imagine that. They don’t have to deal with passwords, and neither do you.

No More Mainframe Passwords

Humans. We are a messy, forgetful, chaotic bunch. But fortunately, we humans know that. That’s why we humans at Micro Focus build solutions to help keep systems secure and humans moving forward. Learn more about Host Access Management and Security Server and its Automated Sign-On Add-On.

Leave a Reply

Your email address will not be published. Required fields are marked *