On 9/15/2017 12:21 PM, Tom Conley wrote:
On 9/15/2017 9:41 AM, Richards, Robert B. wrote:
My cyber security folks are asking me about why I am doing FTPs with the password "in the clear". At first, I did not know what they were talking about.

It appears that within the SERVINFO data "user=" and "pw=" are *in the clear*. Not always, but often enough.

<snip>

Here are my client and server datasets.  No user= or pw=.  So whatchoo talkin' 'bout Willis?

<CLIENT
   javahome="/usr/lpp/java/J8.0"
   downloadmethod="https"
   downloadkeyring="javatruststore">
</CLIENT>

<ORDERSERVER
   url="https://eccgw02.rochester.ibm.com/services/projects/ecc/ws/"
   keyring="FTPSERVE/SHOPZRING2048"
   certificate="SMPE Client Certificate2048">
</ORDERSERVER>

Apples and oranges. Tom, you're talking about RECEIVE ORDER and I believe the OP is talking about RECEIVE FROMNETWORK where the order was submitted using Shopz, not using SMP/E.

For Shopz initiated orders, the entire <SERVER> information is provided to you when you display the Download page for the order, which is presented to your browser using HTTPS, so the entire page, including the PW, is encrypted. Once you cut that info from your browser and paste into some data set, you are correct the PW is "in the clear" but as already suggested, hopefully that data set is protected with appropriate security profiles using RACF or similar.

When you run your SMP/E RECEIVE FROMNETWORK job, you must use either FTPS or HTTPS for the download, so the PW is never sent over the wire in the clear.

Where exactly do your "cyber security folks" think the PW is in the clear?

Kurt Quackenbush -- IBM, SMP/E Development
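
Added example, not part of the original thread and not IBM or SMP/E code: since the pasted SERVINFO holds user= and pw= at rest, this sketch produces a redacted copy that can go into a ticket or a list post while the real data set stays behind its RACF profile. The function name, the host attribute and all sample values are constructed placeholders.

```python
import re

# Attributes masked in the copy; "user" and "pw" are the two named in the thread.
SENSITIVE = ("user", "pw")

# Opening tags only: "</CLIENT>" does not match because "/" is not a letter.
TAG_RE = re.compile(r"<(?P<tag>[A-Za-z]+)\b(?P<attrs>[^<>]*)>", re.S)
ATTR_RE = re.compile(r'(?P<name>[A-Za-z_]+)\s*=\s*"(?P<value>[^"]*)"')

# Constructed sample: a SERVER element as pasted from a download page (values
# are placeholders) followed by the CLIENT element quoted in the thread.
SAMPLE = '''<SERVER
  host="download.example.invalid"
  user="S0000000"
  pw="Constructed-Not-A-Real-Password">
</SERVER>
<CLIENT
  javahome="/usr/lpp/java/J8.0"
  downloadmethod="https"
  downloadkeyring="javatruststore">
</CLIENT>'''


def redact_servinfo(text):
    """Return (redacted_text, findings); findings are (TAG, attribute) pairs."""
    findings = []

    def fix_tag(tag_match):
        tag = tag_match.group("tag").upper()

        def fix_attr(attr_match):
            name = attr_match.group("name").lower()
            if name in SENSITIVE and attr_match.group("value"):
                findings.append((tag, name))          # record where, never what
                return f'{attr_match.group("name")}="********"'
            return attr_match.group(0)                # leave other attributes alone

        attrs = ATTR_RE.sub(fix_attr, tag_match.group("attrs"))
        return "<" + tag_match.group("tag") + attrs + ">"

    return TAG_RE.sub(fix_tag, text), findings


if __name__ == "__main__":
    redacted, found = redact_servinfo(SAMPLE)
    print(redacted)
    for tag, attr in found:
        print(f"masked {attr}= in <{tag}>")
```
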
