Portal | Manuals | References | Downloads | Info | Programs | JCLs | Master the Mainframes
IBM Mainframe Computers Forums Index
 
Register
 
IBM Mainframe Computers Forums Index Mainframe: Search IBM Mainframe Forum: FAQ Memberlist Profile Log in to check your private messages Log in
 
Hide the password from Connect:Direct JCL

 
Post new topic   Reply to topic    IBMMAINFRAMES.com Support Forums -> All Other Mainframe Topics
View previous topic :: :: View next topic  
Author Message
shekar_thandava

New User


Joined: 15 Mar 2005
Posts: 2

PostPosted: Tue May 08, 2007 4:45 pm    Post subject: Hide the password from Connect:Direct JCL
Reply with quote

Hi Everyone,

Currently using a JCL I call a utility to use Connect:Direct. In this JCL I have hard-coded my user_name and pwd for the UNIX box to where the files are to be transfered.

The requirement is to remove the hard-coding of the user_name and pwd from the JCL. For this I suggested that they put the user_name and pwd in a PDS member and use this in sysin. However my client wants a better solution.

Is there anything we can do on the Connect:Direct side to hide the user id & pwd? Or can we somehow hide the user id & pwd on the Mainframe side itself?

Can anyone help?
Back to top
View user's profile Send private message

agkshirsagar

Active Member


Joined: 27 Feb 2007
Posts: 686
Location: Earth

PostPosted: Tue May 08, 2007 4:51 pm    Post subject:
Reply with quote

Why don't you design a panel to submit the JOB, enter the USERID and PWD as an when required on that (You need not store your password anywhere), using those submit your JCL in the background. There may be better suggestions, lets wait for those.. icon_smile.gif
Back to top
View user's profile Send private message
expat

Global Moderator


Joined: 14 Mar 2007
Posts: 8593
Location: Back in jolly old England

PostPosted: Tue May 08, 2007 5:10 pm    Post subject:
Reply with quote

Could you not set up a 'dummy' user id on the unix box which does not require a password.

I know nothing about open systems security, but surely there must be something to restrict what this user id could do, i.e. nothing but recieve files from the mainframe.

What about RACF - I believe, but may well be way off target here, that it can also be used with some open systems, and if so, by using a shared or cloned database would have the matching user id of the sending host user, and not need a password ?

As I say, just thoughts that need to be checked out, and who knows maybe even a solution icon_rolleyes.gif
Back to top
View user's profile Send private message
superk

Moderator Team Head


Joined: 26 Apr 2004
Posts: 4650
Location: Raleigh, NC, USA

PostPosted: Tue May 08, 2007 6:32 pm    Post subject: Re: Hide the password from Connect:Direct JCL
Reply with quote

Coding a userid and password in the JCL was a poor solution and should never have been allowed to begin with. The PARMLIB solution isn't much better.

The better solution is to code the userid and password within the Process. The Process code should only be made available to the CONNECT:Direct system Administrators, and only those Administrators should know what the userids and passwords are.

There is some blame here that can be placed on the Administrators of the Unix system that you're communicating with. They could have opted to use available security exits to control access to the file systems.

As far as the mainframe, those same exits are available, but all of that security is for your INBOUND connections. There's nothing you can do at the mainframe end to control security access on another node for OUTBOUND connections.
Back to top
View user's profile Send private message
shekar_thandava

New User


Joined: 15 Mar 2005
Posts: 2

PostPosted: Wed May 09, 2007 5:18 pm    Post subject:
Reply with quote

Hey superk,

Thanks for the reply.

However can you explain a bit more?
What do you mean by the ?Process? and ?Process Code??
And how do we make the code available to the system administrators?

Thanks again.
Back to top
View user's profile Send private message
superk

Moderator Team Head


Joined: 26 Apr 2004
Posts: 4650
Location: Raleigh, NC, USA

PostPosted: Wed May 09, 2007 8:04 pm    Post subject:
Reply with quote

shekar_thandava wrote:

What do you mean by the ?Process? and ?Process Code??


Start by reviewing these two previous topics:

http://www.ibmmainframes.com/viewtopic.php?t=1247
http://www.ibmmainframes.com/viewtopic.php?t=5700


shekar_thandava wrote:

And how do we make the code available to the system administrators?


I guess I'm thinking about normal dataset access security of the Process Library (DMPUBLIB) through RACF, where only the Admins would have READ/WRITE authority, batch just READ only, and no one else would have any authority.
Back to top
View user's profile Send private message
View previous topic :: :: View next topic  
Post new topic   Reply to topic    IBMMAINFRAMES.com Support Forums -> All Other Mainframe Topics All times are GMT + 6 Hours
Page 1 of 1

 

Search our Forum:

Similar Topics
Topic Author Forum Replies Posted
No new posts DIrect link of dynam/nodynam nkjain87 COBOL Programming 2 Mon Apr 24, 2017 6:23 pm
No new posts Connect:Direct - RC=000000FF MSG=SVTM... R.Manivannan All Other Mainframe Topics 3 Fri Apr 21, 2017 1:30 am
No new posts Random Password (in string format) ge... ezhavendhan COBOL Programming 10 Mon Aug 29, 2016 3:18 pm
No new posts DB2 CONNECT query mistah kurtz DB2 3 Fri Jul 15, 2016 6:37 pm
No new posts Help Needed with View Direct shailesh_do CA Products 2 Wed Jul 13, 2016 10:39 am

Facebook
Back to Top
 
Mainframe Wiki | Forum Rules | Bookmarks | Subscriptions | FAQ | Tutorials | Contact Us