Mainframe Cybersecurity & Compliance

ACF2 (and similarly in RACF) CICS signon with an invalid user returns a different message than with a valid user (ACF01004 LOGONID lid NOT FOUND or ACF01012 PASSWORD NOT MATCHED) , which could validate for an attacker that the ID is valid. Is there a way to reduce the information returned from an invalid signon?

FYI this is an issue in Top Secret as well, and it is not just CICS. These different error messages come up in other Multi-User Address spaces as well.

I too would like to see this changed, but I am not sure if this is CA's todo or IBM, as it might be an inherent problem with SAF Signon processing.

CICS returns this message at the bottom of the CESN screen for either invalid userid or password and thus does it correctly:

DFHCE3530 Your userid or password is invalid. Please retype both.

So I think it's CA's responsibility to match that behavior.

Also consider message "ACF01013 LOGONID <logonid> SUSPENDED BECAUSE OF PASSWORD VIOLATIONS".

From looking in CAI.CAX1MAC1(ACFAEUSC), I think CAI makes it very clear that the presentation of the messages from ACF2 is a customer responsibility. So change ACFAEUSC to produce a message that does not give away the knowledge of whether the user entered an invalid logonid or an invalid password (implying a valid logonid). Out of the box, ACFAEUSC helps the user figure out what prevented the signon.

Thanks Bruce, I'll run this past our CICS folks and have them review it.

It appears that there has already been an enhancement opened for this.

ACF Username enumeration messages

I'm not sure it does any good, but I'd recommend voting for this enhamcement.

It has my vote, as we'll try multiple avenues to address the auditing request.