North Ridge Software

NRS6317: Can Director support 12 character or larger passwords?

APAR: NRS6317
Title: Can Director support 12 character or larger passwords?
Product: TND423 | Date Opened: 9/27/2010
Status: Closed | Date Closed: 10/5/2012 | Fixed
Group: Level1 | Related Bucket?

Commentary

Monday, September 27, 2010 at 09:46:20 am   
Client is researching the ability to use ANY Character set and a minimum of 12 character passwords. What's needed for Director to support that, if possible?

Monday, September 27, 2010 at 11:15:12 am
Assuming all the subsystems and the security package (RACF) are happy with this, there are three basic areas we'll have things to deal with:

1. Character Set for Passwords.
We'll need to change the Director's Translate table on input for validating the Passwords to permit the desired characters. Currently, we only accept UPPER/lower case letters, numbers and the special symbols from the National Character Set. A PTF to either disable the Translate completely or a modification of the Password Character translate table will need to be provided.

2. Password Length
The Director's internal mechanisms are constrained to 8 characters MAXIMUM, thus, we've got nothing to offer that will permit greater than 8 characters.

That said, if the client desires to proceed, TNDEXT01 can be utilized to obtain the input stream that arrived after the User has specified his/her Userid/Password and BEFORE the Director has validated it. Exit code would have to parse the input to obtain the desired password string and process it in the exit instead of permitting the Director to do so.

The Identification area's Password field is currently defined as a maximum of 17 characters (for "password/new-password" sorts of syntaxes). Any desire for more than 17 character passwords would require a change to the 3270 native stream produced.

3. Subsystem propagation (SSI)
If the client has SSI principles active, the various subsystems (CICS, TSO, etc.) will have to be looked at, one at a time. Each of them has slightly different mechanisms to automate the Signon, some of which are going to be constrained to 8 characters. So...this will be the third area to look at for both the longer passwords and the extended Character Set (as some of the special characters may or may not transfer into the Subsystem properly).

It is likely that implementation of the longer/wider character set will require use of TNDEXT12 to format and communicate between the Director's address space and the Subsystem.

Thursday, September 30, 2010 at 04:28:53 am
Since RACF will not allow 12 character passwords, we are looking at using password phrases (13 to 100 characters) or PKI (certificates). We are doing research on using PKI.
Can Network Directory use PKI?

Wednesday, October 6, 2010 at 07:08:30 am
We have decided to go with PKI. Will your product work with DCAS (Digital Certificate Authorization Server)?

----------
Copyright © 2018 by North Ridge Software, Inc./WebMaster@North-Ridge.com
   RidgeStar, Internet Services