Select Page

Your z/OS password quality guarantor and login protector

Harden your “z entrance area” guaranteeing most safe passwords and ultimate protection of the authentication (“login”) services – both in real-time!

z/OS penetration tests and audits clearly prove: Weaknesses in password and login security lead to a particularly high vulnerability – and quick success for the attacker. Why? First, although RACF does sport some login-related protection features and offers supplemental products, it still does not provide sufficiently sensitive (“filigree”) and automated security controls actually required in the fields of login and password security. Second, these are usual omissions made by the mainframe user himself because of a lack of real-time quality assurance, monitoring and audit in the areas of user IDs, passwords, phrases, and certificates.

As a powerful, cost-effective and hardware-free solution, SF-LoginHood paves the new integral path to the state-of-the-art protection of the z/OS platform in the area of the password and login security. Our company’s independence allowed a uniquely relentless and effective identification of all risks associated with the z platform in order to


Guarantee maximum password and phrase quality


Provide maximum protection against theft of any authentication-related data


Employ additional hardening of the authentication mechanisms that prevent their abuse 

Ensure transparency and completeness in effectively logging 100% of all relevant activities, and to

Establish real-time anomaly detection on the system, administration and user levels

This spectrum of necessary precautionary measures in the “z entrance area” clearly proves both. Simply setting up a list of forbidden passwords is just not enough anymore. Do not forget that RACF still requires you to program an exit in Assembler to realize that measure. Merely implementing audit solutions to reveal problems “ex-post” is also too little too late.

Euro-SOX, Basel II, PCI, ISO, BSI, DOD, and other standards make additional pro-active measures in the login environment almost a 100% duty – not only for financial service providers – and are a prerequisite for receiving the certificate of compliance. SF-LoginHood was developed specifically for this purpose in a needs-based approach based on 15 years of practical experience. You can say it is an optimally aligned and overhead-free bundle of effective measures that tackles all of the above-mentioned problems at the root by completing the z/OS security based on RACF. SF-LoginHood is therefore the ideal solution for all mainframe users across all business sectors and company sizes. It is also the “perfect match” for all pragmatic z/OS users who dismiss any “monitoring or compliance overkill” and just desire a strong and state-of-the-art protection for their sensitive “z/OS entrance area”.

Do you already use or plan to use any Smart Card, Token or Identity Management solution? That’s a good idea! SF-LoginHood does not become superfluous. On the contrary, only SF- LoginHood completes these measures, and could even be a low-cost alternative to them.

Finally, the z/os mainframe becomes an impregnable fortress!


Over the past several years, compliance has become more and more an important issue, but also a tedious task. Our SF solutions assist you in automating the resulting workload to the max by also covering the entire mainframe platform - thanks to a 360-degree approach.


With SF-Sherlock, you can also protect your mainframe platform against attacks and combat high-level risks. Thanks to our max approach this also includes malicious code and exploits. Yes, both of these are real risks on the mainframe platform!

SF Solutions

All SF solutions are invented and developed in-house. Therefore, you can count on both our unique expertise and our high level of motivation in providing you with solutions and services with maximum performance, effectiveness, and productivity.

Are you expecting a governmental audit of your mainframe platform soon, as
by the BaFin, ECB, or one of
the “Big Four”?

Let us help you prepare your mainframe security and compliance.

+800 - 37 333 853 or simply dial: +800 - DRFEDTKE

Call our world-wide toll-free number now!

(+ represents the prefix for international calls; in most countries it is 00, and you have to dial 00800-37333853; in the U.S. it corresponds to 011)

News & IT Security Forum

System REXX and BCPii are the ”next APF“

If you look back along the evolutionary steps of mainframe security, APF libraries play a leading role – due to their “superpower.” Until the 1980s, “almost anyone” working on a mainframe was able and allowed to define one themselves. In most cases, there was no APF library protection at all. Then there was a phase where APF-related auditing received more and more attention, and correspondingly became an important audit issue.

The attention that “APF” received as a security risk has continued to increase over time. Today, it has almost reached the highest level of awareness: only a very few members of a company’s mainframe team are allowed to define a new APF library or update existing ones. Any such action requires prior permission, not just some documentation after it has happened. On our customer visits, we have seen companies where a new APF library requires not only an official change request, but up to “5 signatures.” Otherwise, you lose your job. Correspondingly, relentless monitoring and compliance reporting has become standard for the “APF” risk, resulting in real-time security alerts by a SIEM if corresponding rules are bypassed.

So far, so good. Now that there is great awareness of “APF,” the question will be if the entire mainframe security mission has now been accomplished? Or what’s the next superpower, following “APF,” that mainframe users need to focus on?

Based on our worldwide penetration testing experience, we have determined that “System REXX” and “BCPii” are two further members of the superpower league; both are good candidates for becoming the next “big focus.” In recent years, both z/OS features have been improved so that they are now “easy-to-use” functions. But there is no free lunch. As a consequence, highly critical operations became minimally complex, and you have to “pay” the price for setting up gap-free security measures. User-friendly and easy-to-use superpower features are an invitation to attackers. Complexity is a kind of protection. Compared to assembler programming or disassembling machine code, REXX programming is pretty trivial!

This is why SF-Sherlock focuses intensively on both of these areas. Please feel free to contact us to discuss additional details of what is necessary to properly protect System REXX and BCPii.

Join our newsletter list

Worldwide toll-free phone number

+800 - 37 333 853
or simply dial:

+41 (0)41 710 7444

(+ represents the prefix for international calls; in most countries it is 00, and you have to dial 00800-37333853; in the U.S. it corresponds to 011, and you have to dial 011-800-37333853)

Find Us


Seestrasse 3a, 6300 Zug, Switzerland

Visitors & Training

Dammstrasse 19, 6301 Zug, Switzerland

Social Media

Xing → Linkedin →

Write Us

copy the address

Technical support and hotline
copy the address

Legal and compliance
copy the address

error: Content is protected!