IBM Z Software

zSecure - User defined character set for PHRASE when using C4R.USER.=ATTR


With OA64290, the ability was introduced to define PHRASE in the APPLDATA for C4R.USER.=ATTR. That support is great, as it allows passphrases to be generated by default instead of passwords.

However, zSecure generates a passphrase by selecting from all characters, numbers and special characters available by default to zSecure. If one is using the IBM-supplied REXX IRRPHREX to limit some special characters, the random passphrase generation fails:

adduser USER1 name('USER1') data('PHR TEST') owner(USRSPC) dfltgrp(USRSPC)

C4R913I ADDUSER USER1 OWNER(USRSPC) DFLTGRP(USRSPC) NAME('USER1') DATA('PHR TEST') NOADSP NOSPECIAL NOOPERATIONS NOGRP

TOR NOOIDCARD PHRASE('********') AUTH(USE) UACC(NONE)

ICH01020I PASS PHRASE REJECTED BY INSTALLATION PASS PHRASE EXIT

ICH01024I User USER1 is defined as PROTECTED.

CKX962M Command may have failed, return code 4


We need the ability to define the 'pool' of characters zSecure is allowed to select characters from or limit them.

For example, allow the APPLDATA parameter in the following variations:

  • PHRASE -> allows all available characters/numbers/special/length

  • PHRASE-C-50 -> allows for a passphrase based on text characters only and 50 characters long

  • PHRASE-N-80 -> allows for a passphrase based on numbers only and 80 characters

  • PHRASE-CN-70 -> allows for a passphrase based on text characters and numbers and 70 characters total

  • PHRASE-CNS-40 -> allows for a passphrase based on all available characters/numbers/special but limits the length to 40 characters.


Idea priority High
  • Guest
    Jun 28, 2023

    Hi Hans

    Yes, the simple solution should be sufficient then to steer the rule in a way it passes the definitions from the exit.

  • Admin
    HANS SCHOONE
    Jun 27, 2023

    The proposed rules are in no way general enough to cover all the algorithms people might have to limit pass phrases. For instance, there might be multiple groups from which a character must be present; the proposal does not cover that.

    Also, if we were to call the exit beforehand to see if a randomly generated phrase is allowed then there is no guarantee on the time it takes to find one that is allowed.

    We could add a simple function to just reduce the character set we choose from to a list the user can specify. We could also allow specification of a minimum and maximum length. But it is still not a general solution at all, and no guarantee it matches the phrase exit domain.

    Does the simple solution have sufficient worth to build it?
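
An added example, not zSecure code and not part of the posts above: one way the "simple solution" discussed in this thread could look, parsing the proposed PHRASE-<classes>-<length> APPLDATA values and generating from the reduced pool in bounded time, with an entropy upper bound per spec. The class memberships, the default length and all function names are assumptions, and the sketch does not model what an installation's phrase exit actually accepts.

```python
import math
import secrets
import string

# Class letters follow the proposal (C, N, S). The members of each class are
# assumptions; an installation would list what its phrase exit accepts.
CLASSES = {
    "C": string.ascii_letters,
    "N": string.digits,
    "S": "#$@.-_",  # constructed sample set
}
DEFAULT_LENGTH = 40  # assumed length for a bare "PHRASE"


def parse_spec(appldata):
    """Parse 'PHRASE' or 'PHRASE-<classes>-<length>' into (classes, length)."""
    parts = appldata.strip().upper().split("-")
    if parts == ["PHRASE"]:
        return "CNS", DEFAULT_LENGTH
    if len(parts) != 3 or parts[0] != "PHRASE" or not parts[2].isdigit():
        raise ValueError(f"malformed spec: {appldata!r}")
    classes, length = parts[1], int(parts[2])
    if not classes or len(set(classes)) != len(classes) or set(classes) - set(CLASSES):
        raise ValueError(f"bad class list: {classes!r}")
    if length < len(classes):
        raise ValueError("length too short to hold one character per class")
    return classes, length


def entropy_bits(classes, length):
    """Upper bound on entropy: length * log2(pool size)."""
    pool = "".join(CLASSES[c] for c in classes)
    return length * math.log2(len(pool))


def generate(appldata):
    """Build a phrase in bounded time: one character from every requested
    class, the rest from the combined pool, then a CSPRNG shuffle. No
    generate-and-retry loop is needed to guarantee each class appears."""
    classes, length = parse_spec(appldata)
    pool = "".join(CLASSES[c] for c in classes)
    chars = [secrets.choice(CLASSES[c]) for c in classes]
    chars += [secrets.choice(pool) for _ in range(length - len(classes))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    for spec in ("PHRASE", "PHRASE-C-50", "PHRASE-N-80", "PHRASE-CN-70", "PHRASE-CNS-40"):
        classes, length = parse_spec(spec)
        print(f"{spec:14} len={length:3} <= {entropy_bits(classes, length):.0f} bits")
```

Narrowing the pool lowers the bits per character, so the length in the spec is what keeps the total entropy up; the printed bound makes that trade-off visible for each variant.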