Intro to security on z/OS

I've just read a good article from the IBM Systems Journal: Security on z/OS: Comprehensive, current, and flexible. About 20 printed pages, from 2001, and written "at a high level, aimed at enterprise decision makers and application architects. The intent is to explain the comprehensive security componentry within z/OS and to show how these techniques and functions are exploited by modern distributed and Internet applications".

This is not mentioned in the article, but one thing that in the past has made me feel uneasy about z/OS security was the limited maximum password length (8 chars), giving a very small password-space by today's computing standards. No need to be concerned about this anymore: z/OS V1.8 supports RACF pass phrases from 14 to 100 characters in length.

I learned some neat things about the z/OS security capabilities that, as far as I know, are not available in other operating systems, e.g.

• access control can be made dependant on time.
• great separation of roles: admins can administer resources without having access to them, or admins cannot prevent the auditor from auditing them, while the auditors cannot authorize themselves to resources (Update: César Gustavo Miramontes, Domino for iSeries wizard, pointed to me that iSeries also has this capability).
  

The article mentions that the SSL performance has dramatically increased: from 13 SSL handshakes per second in 1998 to 2,000 in 2001. Likely to be old data, but this talks about 11,000 SSL handshakes/second.

Another introductory article that I liked is Ensuring Security On IBM Mainframes. Shorter (10 pages), but was useful for me to get a basic understanding of RACF classes and profiles.

More security-related goodies comming with z/OS v1.9; dear to me with what is keeping me busy today are support for PKCS#11 and a Java API for RACF administration.