Mainframe Cybersecurity & Compliance

  • 1.  Issuing TSS commands through the z/OS Console

    Posted Dec 12, 2016 09:14 AM

    Hi,

     

    By issuing the command "F TSS,TSS" on a z/OS console, we can issue TSS commands on the z/OS console. 

    But it requires the MSCA's previous password instead of its current one. Does anyone know why it has been designed that way? I should change the password of the MSCA if I don't know its previous password. Why can't we use its current password, since it's not written clearly to the system log?

     

    Regards,

     

    Erdem.


    #TopSecret


  • 2.  Re: Issuing TSS commands through the z/OS Console
    Best Answer

    Broadcom Employee
    Posted Dec 14, 2016 01:41 PM

    Erdem,

     

    In the past, the password was visible when entered on the console, which is why the previous password was required to prevent the current password from being revealed.

     

    This functionality has not been changed since it was put in.

     

    Would recommend submitting an enhancement request in Ideation. But what happens ***IF*** IBM decides to show the password on the console again one day? Just a thought.

     

    Regards,

     

    Joseph Porto - CA Level 1 Support


    #TopSecret


  • 3.  Re: Issuing TSS commands through the z/OS Console

    Posted Dec 15, 2016 12:29 AM

    Hi Joseph,

     

    You're right. It can cause a vulnerability if IBM decides to show the password on the console. But this command isn't used during daily operations. It's used in urgent cases, where TSO commands cannot be issued. I believe it would be worse when I cannot use this functionality in an urgent case than the passwords' appearance on the console. Since IBM already changed it that way, they wouldn't change it in the near future. CA has some collaboration with IBM in some cases, like new version testing, etc. IBM may make CA aware, or CA can follow IBM's announcements about such changes.

     

    I will create an idea as you also recommended.

     

    Thank you for your interest.

     

    Regards,

     

    Erdem.


    #TopSecret


  • 4.  Re: Issuing TSS commands through the z/OS Console

    Posted Dec 22, 2016 03:34 PM

    Joe / Erdem -

     

    WTOs/WTORs with ROUTCDE=9 are explicitly defined by IBM as "Security Messages".  Replies are suppressed (from MVS Assembler Services Guide, Chapter 21 [at least in my edition]: Each console that received the original WTOR also receives the accepted reply unless it is a security message. A security message is a WTO or WTOR message with routing code 9. No console receives the accepted reply to a security message.)

     

    - Don

     

    P.S.  Please also see my reply to your idea.  I saw that entry first.


    #TopSecret