Issues syncing passwords to a Mainframe or Mid-range computer

  • 3669562
  • 22-Aug-2007
  • 26-Apr-2012

Environment

Novell Identity Manager Driver - Mainframe ACF2 Fanout
Novell Identity Manager Driver - Mainframe ACF2 Bi-directional
Novell Identity Manager Driver - Mainframe RACF Bi-directional
Novell Identity Manager Driver - Mainframe RACF Fan Out
Novell Identity Manager Driver - Mainframe Top Secret Bi-directional
Novell Identity Manager Driver - Mainframe Top Secret Fan Out
Novell Identity Manager Driver - Midrange OS/400 Bi-directional
Novell Identity Manager Driver - Midrange OS/400 Fan Out

Situation

What issues exist when syncing passwords from eDirectory to mainframe or mid-range computers?

Resolution

There is a limit of 8 characters on passwords for mainframes. For mid-range computers, there is a limit of 10 or 128 characters, depending on the mid-range computer's settings.
Fan-out Driver
Mainframes
In the fan-out driver, password sync does not occur directly. It does not receive passwords from the receiver, but it can update the local RACF database if a user successfully logs on to the mainframe. During authentication redirection, users can only type in 8 characters on the terminal.
Midrange
The fan-out driver does not do redirection, but it will send password changes through the receiver to the midrange computer.
Bi-directional Driver
In the bi-directional driver (not fan-out), passwords are not truncated by default. A policy would need to be added to truncate them.
If a password that is too long comes through from Universal Password to a mainframe, the mainframe will reject it and return an error in the status document for that password change.
Mainframe reason for the 8-character limit
Until recent versions of z/OS, 8 characters was all that the operating system permitted. In more recent versions, RACF introduced a "pass-phrase" that can be used instead of a password. Applications and system entry points such as logon screens will have to be modified to support it. Currently, Novell does not support that feature.
Because of limitations in the mapping of special characters, a special character may get set to a different character, so special characters should be avoided. Standard EBCDIC characters will be fine.
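
The length limits and the special-character caveat above can be checked before a password change reaches the driver. The following Python check is an added example, not Novell code: the target names and the choice of the cp037 and cp500 EBCDIC code pages are assumptions used to show how a character can land on a different byte depending on the code page.

```python
# Added example: pre-sync check for the limits described in this article.
# Target names and the code-page pair are assumptions, not driver settings.

# Length limits as stated in the article.
MAX_LEN = {
    "mainframe": 8,
    "midrange-10": 10,
    "midrange-128": 128,
}

# Assumed EBCDIC code pages to compare (Python's built-in codecs).
CODE_PAGES = ("cp037", "cp500")


def check_password(password, target, code_pages=CODE_PAGES):
    """Return a list of (code, detail) findings; empty means no issue found."""
    findings = []
    limit = MAX_LEN[target]
    if len(password) > limit:
        findings.append(("too_long", f"{len(password)} characters, limit is {limit}"))
    for ch in sorted(set(password)):
        encodings = set()
        try:
            for cp in code_pages:
                encodings.add(ch.encode(cp))
        except UnicodeEncodeError:
            # The character has no byte at all in this code page.
            findings.append(("unmappable", f"U+{ord(ch):04X} has no byte in {cp}"))
            continue
        if len(encodings) > 1:
            # Same character, different byte per code page: it may arrive as another character.
            findings.append(("variant", f"U+{ord(ch):04X} differs across {code_pages}"))
    return findings


if __name__ == "__main__":
    # Constructed sample values, not real credentials; only the length is printed.
    samples = [("Abc12345", "mainframe"), ("Abc123456", "mainframe"),
               ("Pa!12345", "mainframe"), ("Abc12345678", "midrange-10")]
    for pw, target in samples:
        print(target, len(pw), check_password(pw, target))
```

A "variant" finding marks a character whose byte value differs between the compared code pages, which is one way a special character can end up as a different character on the target system.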