Walt, thanks very much. As mentioned in the OP, the FTP INPUT (command) file
is totally built by a fairly complex program, so adding the logic to call an
address in MVS, pass two parameters, and get back 8 bytes in 2 registers is
almost trivial.

I will definitely look at the 1.7 docs. I was a little put off by the need
for Key 0 (authorization, in other words) - or rather, by the need to "sell"
authorization to customers - so I am glad to hear you have loosened things
up a little. Obviously not all of our customers are on 1.7, but they will be
someday.

Charles



-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf
Of Walt Farrell
Sent: Friday, January 06, 2006 5:19 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: FTP userid propagation


On 1/5/2006 12:30 PM, Charles Mills wrote:
> Thanks. Let me echo Bob Lester's request for more pointers if possible and
> ALSO ask:
> 
> I ran across the facility called PassTicket. Wouldn't this do the job? The
> job being letting a program running for user XYZ log on to FTP on a
> different machine using the same userid (and assuming synchronized passwords
> and clocks)? Any "gotchas" with PassTicket?

Good question, Charles.

PassTickets would work, but you would need to implement some code on the 
client side to calculate the PassTicket so you could then provide it in 
response to the password prompt from the server.

Prior to z/OS V1R7 that code must run APF-authorized.  In z/OS R7 we 
provide enhanced functions for generating PassTickets that can be used 
by non-APF programs or Java.  See 
http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/ichza360/11.1?SHELF=EZ2ZO10F&DT=20050621032554
or http://makeashorterlink.com/?H2A842C6C for more information.

On z/OS V1R7 or later using PassTickets for functions like this has thus 
become more feasible.  However, it still does require some programming 
around the FTP process.  You can't simply run the standard FTP client.

        Walt Farrell, CISSP
        z/OS Security Design, IBM

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
