Security Milestones in Connector RRSF Support

This section describes security milestones along the path of a password change event shipped between components of the Connector RRSF Support feature, as illustrated in the figure in Connector for RACF RRSF Support.

Milestones on the non-managed node:

• The ICHRIX02 exit traps the user-initiated password change event and sends the event to the local Connector Online Interceptor using the regular Connector for RACF secure cross-memory channel.

• The Connector Online Interceptor encapsulates the new password in the password keyword of the special ALTUSER command; therefore the password is not displayed in the RRSFLIST logs used by RRSF. An example of a log dataset name is STCUSER.RRSFLIST, where the Connector Online Interceptor runs under the RACF user STCUSER.

• The Connector Online Interceptor started task on the non-managed node is run under a RACF user that: - Must be defined (using the RCFRRSTB table) to the IRREVX01 component on the managed node - Must be authorized to direct RRSF commands to the target managed node

Milestones on the managed node:

• The CTSEVX01 exit prevents impersonation of the source of the RRSF-inbound RACF command by using the RCFRRSTB mechanism. For more information, see Customizing the RCFRRSTB Table.

• After interpreting the RRSF-inbound RACF command, CTSEVX01 forwards the password change event to local Connector Online Interceptor, using Connector built-in cross memory channels.

• As a RACF exit, CTSEVX01 fails (does not execute) the command that contains the password change event; therefore there is no SMF recording of the RACF command with password value.

• If module CTSEVX01 is not defined as RACF exit IRREVX01, the encapsulated ALTUSER command will be executed in the managed RACF system. This command will fail, as it refers to a dummy user name that does not exist in the managed RACF system. The failed command is not logged in SMF and the password is not exposed.