Kurt,

You are correct. I am doing a RFN. 

I will find out where the Cyber folks are getting their information and get 
back to you. Stay tuned!

Bob

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Kurt Quackenbush
Sent: Monday, September 18, 2017 8:55 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: ShopzSeries FTP password in the clear

On 9/15/2017 12:21 PM, Tom Conley wrote:
> On 9/15/2017 9:41 AM, Richards, Robert B. wrote:
>> My cyber security folks are asking me about why I am doing FTPs with 
>> the password "in the clear". At first, I did not know what they 
>> were talking about.
>>
>> It appears that within the SERVINFO data "user=" and "pw=" are *in 
>> the clear*. Not always, but often enough.

<snip>

> Here are my client and server datasets.  No user= or pw=.  So whatchoo 
> talkin' 'bout Willis?
> 
> <CLIENT
>    javahome="/usr/lpp/java/J8.0"
>    downloadmethod="https"
>    downloadkeyring="javatruststore">
> </CLIENT>
> 
> <ORDERSERVER
>   url="https://eccgw02.rochester.ibm.com/services/projects/ecc/ws/"
>         keyring="FTPSERVE/SHOPZRING2048"
>         certificate="SMPE Client Certificate2048">
> </ORDERSERVER>

Apples and oranges.  Tom you're talking about RECEIVE ORDER and I believe the 
OP is talking about RECEIVE FROMNETWORK where the order was submitted using 
Shopz, not using SMP/E.

For Shopz initiated orders, the entire <SERVER> information is provided to you 
when you display the Download page for the order, which is presented to your 
browser using HTTPS, so the entire page, including the PW, is encrypted.  Once 
you cut that info from your browser and paste into some data set, you are 
correct the PW is "in the clear" but as already suggested, hopefully that data 
set is protected with appropriate security profiles using RACF or similar.

When you run your SMP/E RECEIVE FROMNETWORK job, you must use either FTPS or 
HTTPS for the download, so the PW is never sent over the wire in the clear.

Where exactly do your "cyber security folks" think the PW is in the clear?

Kurt Quackenbush -- IBM, SMP/E Development

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN
