|
View previous topic :: View next topic
|
| Author |
Message |
shekar_thandava
New User
Joined: 15 Mar 2005
Posts: 2
|
|
|
|
Hi Everyone,
Currently using a JCL I call a utility to use Connect:Direct. In this JCL I have hard-coded my user_name and pwd for the UNIX box to where the files are to be transfered.
The requirement is to remove the hard-coding of the user_name and pwd from the JCL. For this I suggested that they put the user_name and pwd in a PDS member and use this in sysin. However my client wants a better solution.
Is there anything we can do on the Connect:Direct side to hide the user id & pwd? Or can we somehow hide the user id & pwd on the Mainframe side itself?
Can anyone help? |
|
| Back to top |
|
 |
agkshirsagar
Active Member
Joined: 27 Feb 2007
Posts: 691
Location: Earth
|
|
|
|
Why don't you design a panel to submit the JOB, enter the USERID and PWD as an when required on that (You need not store your password anywhere), using those submit your JCL in the background. There may be better suggestions, lets wait for those..  |
|
| Back to top |
|
|
expat
Global Moderator
Joined: 14 Mar 2007
Posts: 8797
Location: Welsh Wales
|
|
|
|
Could you not set up a 'dummy' user id on the unix box which does not require a password.
I know nothing about open systems security, but surely there must be something to restrict what this user id could do, i.e. nothing but recieve files from the mainframe.
What about RACF - I believe, but may well be way off target here, that it can also be used with some open systems, and if so, by using a shared or cloned database would have the matching user id of the sending host user, and not need a password ?
As I say, just thoughts that need to be checked out, and who knows maybe even a solution  |
|
| Back to top |
|
|
superk
Global Moderator
Joined: 26 Apr 2004
Posts: 4652
Location: Raleigh, NC, USA
|
|
|
|
Coding a userid and password in the JCL was a poor solution and should never have been allowed to begin with. The PARMLIB solution isn't much better.
The better solution is to code the userid and password within the Process. The Process code should only be made available to the CONNECT:Direct system Administrators, and only those Administrators should know what the userids and passwords are.
There is some blame here that can be placed on the Administrators of the Unix system that you're communicating with. They could have opted to use available security exits to control access to the file systems.
As far as the mainframe, those same exits are available, but all of that security is for your INBOUND connections. There's nothing you can do at the mainframe end to control security access on another node for OUTBOUND connections. |
|
| Back to top |
|
|
shekar_thandava
New User
Joined: 15 Mar 2005
Posts: 2
|
|
|
|
Hey superk,
Thanks for the reply.
However can you explain a bit more?
What do you mean by the ?Process? and ?Process Code??
And how do we make the code available to the system administrators?
Thanks again. |
|
| Back to top |
|
|
superk
Global Moderator
Joined: 26 Apr 2004
Posts: 4652
Location: Raleigh, NC, USA
|
|
|
|
| shekar_thandava wrote: |
What do you mean by the ?Process? and ?Process Code??
|
Start by reviewing these two previous topics:
www.ibmmainframes.com/viewtopic.php?t=1247
www.ibmmainframes.com/viewtopic.php?t=5700
| shekar_thandava wrote: |
And how do we make the code available to the system administrators?
|
I guess I'm thinking about normal dataset access security of the Process Library (DMPUBLIB) through RACF, where only the Admins would have READ/WRITE authority, batch just READ only, and no one else would have any authority. |
|
| Back to top |
|
|
|
|
