In IBM z/OS mainframes, security is a critical concern, particularly regarding password management. One key element is colloquially known as “The Fly,” a hash derived from applying the DES algorithm to a user ID with an eight-character password. Once considered secure decades ago, modern password-cracking utilities such as John The Ripper combined with RACF functions can now guess these keys in a matter of hours. This vulnerability was central in the 2014 Logica and Nordea Bank breaches perpetrated by the Pirate Bay group from Cambodia.

The risk is particularly relevant today because many large organizations—banks, insurers, and government agencies—rely on z/OS for critical operations such as payment processing, insurance claims, customer data management, and state-level record keeping. Despite the availability of advanced encryption and passphrase options, approximately 50% of mainframe users continue to use simple eight-character passwords, exposing organizations to unnecessary security risks. Transitioning to stronger passphrases and advanced encryption algorithms is essential for protecting sensitive data and maintaining regulatory compliance.

des algorithm

How “The Fly” works and why it matters

Before diving into password migration, it is important to understand how “The Fly” operates and why it is a critical security consideration for z/OS environments.

Extracting “The Fly”

The simplest method to obtain “The Fly” is by dumping the RACF database contents into a sequential file. This requires either direct READ access to the RACF database or access via an STC with the appropriate privileges. Once this file is obtained, attackers can pair users with their DES hashes, exposing the vulnerability of simple eight-character passwords.

This scenario demonstrates why DES-based password hashing, although standard for decades, is insufficient in today’s threat landscape. Organizations must implement advanced measures to safeguard credentials and protect critical systems.

Strengthening password security

To mitigate these risks, z/OS provides several options to enhance password security:

  • Algorithm upgrade: Transition from DES to Triple DES (3DES) or stronger algorithms.
  • Passphrase length and quality: Replace simple eight-character passwords with long, high-entropy passphrases.
  • Passphrase rules: A secure passphrase should:
    • Avoid sequences from the username or full name longer than two characters.
    • Contain a minimum of seven characters.
    • Include at least three of the following categories: uppercase letters, lowercase letters, numeric digits, and special characters (!, $, #, %).

Despite these options, adoption remains limited due to usability challenges, SSO and password synchronization constraints, and underestimation of the threat landscape. Organizations must address these barriers to fully protect their mainframe environments.

Preparing your z/OS environment for passphrase migration

Proper preparation is essential to ensure that passphrase migration does not disrupt operations or security controls.

Standard environment setup

The following steps are critical to prepare z/OS for KDFAES and passphrase upgrades:

  • LPAR configuration: Typical setups include TEST, Development, and Production LPARs, each with its own RACF database. The TEST environment contains users specific to test systems.
  • Connectivity: Ensure Development RACF databases synchronize with Production and integrate with the organization’s single sign-on system.
  • Security feature verification: Confirm CPACF (cryptographic processor) and ICSF (Integrated Cryptographic Service Facility) are enabled on all LPARs. Ensure system modifications OA43998, OA43999, and II14765 are applied.
  • User information: Compile lists of active SETROPs, active RACF exits, and passwords not associated with real users. Determine maximum password lengths and additional cryptography characteristics.

These steps ensure the infrastructure can support KDFAES encryption and passphrase propagation without operational disruptions.

Pre-conversion activities

Before implementing the new passphrase and algorithm, system readiness must be verified and key configurations prepared:

Test environment verification

  • Cache ACEE and RACF group tree definitions in storage.
  • Cache UID and GID information to optimize cryptographic operations.
  • Ensure CSFM126I confirms full CPU-based cryptography services are available.

Security verification

  • Review all SETROP lists and active exits.
  • Define secure key characteristics for the new passphrase.
  • Confirm compliance with organizational security policies.

This preparation ensures a smooth transition and minimizes risks of operational issues during conversion.

Conversion activities

Conversion activities must be conducted carefully to avoid disruptions.

Test environment conversion

  • Exit deployment: Implement the ICHPWX11 exit and the associated REXX script IRRPHREX to enforce passphrase rules.
  • KDFAES activation: Install and activate the KDFAES encryption exit.
  • Logon panel update: Modify IKJTSOxx to enable passphrase logon.
  • Unit testing: Add new users, change existing passwords, and verify propagation of passphrase rules across RACF and applications. Include rollback options for safe operation.

Development and production conversion

  • Conversion checklist: Prepare step-by-step checklist based on test environment outcomes.
  • Execution: Perform conversion activities in Development and Production LPARs.
  • Validation: Confirm logon functionality, dataset access, password replication, and exit operations.
  • Remediation: Correct any discrepancies or failed password migrations.

Post-conversion activities

After conversion, additional configurations enhance security and performance:

ICSF enhancements

  • Apply XFACILIT UACC(NONE) AUDIT(NONE).
  • Disable SAF calls for one-way hash and random number generation (CSF.CSFSERV.AUTH.CSFOWH.DISABLE, CSF.CSFSERV.AUTH.CSFRNG.DISABLE).
  • Verify CSFM650I messages to confirm authorization checks are disabled as intended.
  • Ensure compatibility with hardware and software, including HCR77A1 release or later.

These actions optimize cryptographic operations while maintaining secure functionality.

Benefits of KDFAES and strong passphrases

Implementing KDFAES and high-quality passphrases provides multiple advantages:

  • Enhanced security: Increased computational effort prevents brute-force attacks.
  • Regulatory compliance: Aligns with modern security standards and internal audits.
  • Operational resilience: Reduces the risk of unauthorized access to critical systems.
  • Seamless integration: Works with RACF, CICS applications, and single sign-on systems.

Summary checklist

A consolidated checklist ensures that all activities are tracked and verified:

Phase Action Notes
Pre-Conversion Verify environment, CPACF, ICSF, SETROPs, active exits Test LPAR first
Conversion (Test) Deploy KDFAES, configure exit, enforce passphrase rules Validate logon & replication
Conversion (Dev/Prod) Execute checklist from Test Ensure propagation, correct failures
Post-Conversion ICSF optimizations, SAF bypass Verify CSFM650I messages

This table helps maintain operational control and ensures compliance throughout the process.

Securing z/OS mainframes with KDFAES and strong passphrases

Migrating to KDFAES and strong passphrases in z/OS is essential to mitigate risks, meet modern security standards, and maintain regulatory compliance. By carefully preparing the environment, executing conversions in test and production LPARs, and validating post-conversion operations, organizations can safeguard sensitive data without disrupting critical operations.

Strong passwords, automated cryptography, and structured testing ensure operational resilience, regulatory confidence, and protection against modern threats, empowering z/OS mainframes to remain secure in a rapidly evolving cybersecurity landscape.