NewEra Software Inc. is a sponsor of the zExchange - A community of z/OS Citizens

Our goal? Enrich the function of IBM Security Server RACF

ICE/Applications - built, distributed & supported by NewEra Software, Inc.

The Trusted Computing Base

A Trusted z/OS Computing Base is built on System Integrity and Security

We should all consider it self-evident that z/OS System Integrity is enriched by the inclusion of the user as an active participant in the overall z/OS mainframe Security Paradigm. Consider this: in real time, the Only Person who can ACTUALLY know if YOUR logon credential is being used legitimately is YOU! Not a SIEM, not the Help Desk, certainly not an SMF record of any type. Just YOU and YOU alone!


Active User Involvement

Realtime Notifications

Notification of credential use, at logon, gives your users confidence that their integrity and the integrity of the system have not been undermined by credential theft. Notification of a password/phrase reset request or attempt provides users additional assurance that overall integrity remains intact and that they have not been ‘Locked Out’. These notifications allow you to engage your staff in the premier defense of your z/OS Systems.

Watchful Periods & Conditions

‘Flooding’ would exist if emails, texts, or SIEM messages were sent with each logon, each reset, or each password expiration event. Not a good idea! ICE/PSWD deals with potential ‘flooding’ by supporting the creation of ‘Watchful Periods’ - selected by Day, Date, and Time - and/or ‘Watchful Conditions’ - triggered by selected Return Codes or events on specifically Named z/OS LPARs - that will satisfy each individual's requirement.


Stronger Password Processes

How do users know when their passwords are expiring?

Typically, they don't! A z/OS user may, from time to time, logon to TSO and be notified of a pending expiration. But this is not so for CICS, FTP, VTAM, and others. Expiration notification leads to stronger passwords because it gives the user an interval of time to plan for a stronger password reset.

How can we enforce the use of more complex passwords?

By using a simple process, called 'Format Binding', individual users can be bound to one or more of the available password format rules. Complex format rules (mixed case, special characters) generally result in passwords that are more difficult for hackers to guess.


What about Failed Logons and Invalid UserIds?

When a password fails during logon, it may be the result of an invalid password/userid or a malicious "Brute-Force" or "Password Spray" attack. ICE/PSWD will report these and other such events - for example, the logon of Privileged Users - in real time, by email, text, or by logging it to your SIEM.


Equally troubling is the discovery of an invalid and/or revoked UserId, often used in various types of "Phishing" attacks. When ICE/PSWD detects such an event, notification is sent directly to a named, central location, by email, text, and/or routed directly to your SIEM.

Use Multi-Factor Authentication - MFA

What is MFA?

MFA is a process for adding a ‘Factor’ to the user's logon credential. Such a process often results in a secret only the user knows, or an object only the user has. The use of MFA can dramatically enrich the integrity of all system credentials. The result is better overall system security.


ICE/PSWD takes the MFA process one step further with processes that add factors to both the logon and password reset processes. Together, they enforce a higher overall level of system integrity and security. Using ICE/PSWD, a user never knows a required password until it is actually needed and requested from the target z/OS system.

Multi-Factor Logon - MFL

Including a z/OS complex within the control of a Federated Identity Management (FIM) or Single Sign-On (SSO) user logon process often invites a loss of system integrity and security. MFL employs the best MFA concepts, i.e. the user never knows the complete password/passphrase in advance of logon, while at the same time preserving the user's RACF credential and RACF's ultimate control over the user logon. All software, simple, straightforward.


Both MFL and MFR support the user's MFA secret, the prefix, by generating and storing its encrypted form within z/OS. The prefix may be updated at any time, as often as needed. Users begin a logon by entering their valid RACF userid and password, after which the z/OS system generates and sends them, via email or text, a time-sensitive suffix. The user concatenates the prefix and suffix into a new password that, along with their userid, can be used for logging on during a 'Validity Window'.

Multi-Factor Reset - MFR

Conventional MFA systems either totally ignore or overlook the need for users to update/reset their passwords or passphrases. The result: a critical RACF control point becomes disabled, thus eliminating a 'factor' from the overall Multi-Factor process.


ICE/PSWD preserves RACF control over the reset process, whether voluntary or required. During either, users request a One-Time Password suffix, to which they append their secret prefix, and return to complete the reset. If the reset is voluntary, and the password has not expired, the user may be allowed to bypass the reset. But if the reset is required because the password has expired, the user MUST complete the reset within a window of time not to exceed 15 minutes.
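
The prefix-plus-suffix check described for MFL and MFR above can be sketched as follows. This is an added illustration, not ICE/PSWD code: the class and method names, the 8-character suffix, and the use of a salted PBKDF2 digest in place of the product's encrypted prefix storage are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

RESET_WINDOW_MAX = 15 * 60  # page: a required reset must finish within 15 minutes


class PrefixSuffixVerifier:
    """Toy server side of a prefix + one-time-suffix check (hypothetical names)."""

    def __init__(self, window_seconds=RESET_WINDOW_MAX):
        self.window = window_seconds
        self.prefixes = {}   # userid -> (salt, derived key of the secret prefix)
        self.pending = {}    # userid -> (suffix, expiry time)

    def enroll_prefix(self, userid, prefix):
        # The page says the prefix is stored encrypted; a salted PBKDF2 digest
        # is substituted here so the sketch needs only the standard library.
        salt = secrets.token_bytes(16)
        key = hashlib.pbkdf2_hmac("sha256", prefix.encode(), salt, 100_000)
        self.prefixes[userid] = (salt, key)

    def issue_suffix(self, userid, now=None):
        # Called only after the normal userid/password check has succeeded.
        now = time.time() if now is None else now
        suffix = secrets.token_hex(4)  # 8 hex characters (assumed length)
        self.pending[userid] = (suffix, now + self.window)
        return suffix  # delivered out of band (email or text)

    def verify(self, userid, candidate, now=None):
        now = time.time() if now is None else now
        entry = self.pending.pop(userid, None)  # single use, pass or fail
        if entry is None or userid not in self.prefixes:
            return False
        suffix, expiry = entry
        if now > expiry or len(candidate) <= len(suffix):
            return False  # outside the validity window, or no prefix supplied
        prefix_part, suffix_part = candidate[:-len(suffix)], candidate[-len(suffix):]
        salt, key = self.prefixes[userid]
        got = hashlib.pbkdf2_hmac("sha256", prefix_part.encode(), salt, 100_000)
        ok_prefix = hmac.compare_digest(got, key)
        ok_suffix = hmac.compare_digest(suffix_part.encode(), suffix.encode())
        return ok_prefix and ok_suffix
```

Consuming the pending suffix on every attempt means a captured prefix+suffix string cannot be replayed, and a failed guess forces a fresh suffix to be issued.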

What People are saying

Security Culture

"In a recent survey of prospective ICE/PSWD users, over 95% said they believe that ICE/PSWD would help them to improve their organization's Security Culture"

MFA Implementation

"ICE/PSWD simplifies the implementation of MFA and enriches it by providing a software solution that supports both Multi-Factor Logon & Multi-Factor Reset"

Privileged Users

"Not all users should be treated the same. ICE/PSWD can discriminate, allowing Privileged Users to adhere to better password/passphrase use and reset practices."

ICE/PSWD, like all NewEra Software Products, is licensed on an MSU, tiered price scale, for a defined term or in perpetuity by CPU, Site, Region or Globally.

Maintenance is included in the first license year and thereafter is 15% of the then current list price.

Contact Us

NewEra Software, Inc.

18625 Sutter Boulevard, Morgan Hill, California 95037, United States

(800) 421-5035

We're Here for You, Ready to Help!
