Hi David,

Something simple that might meet your requirements would be to use a
NETRC file with FTP.  We do this and the production NETRC data set is
secured against access by any but the production FTP jobs and the System
Security staff who maintain it.  This still transmits a userid/password
in the clear but if that transmission is over an internal secure network
or a VPN connection it might be acceptable.  Check the IBM TCP/IP
manuals; setting yourself up a NETRC file is easy enough.

Did you see the Dovetailed Technologies announcement earlier today? It
seems to include exactly what you want.

http://www.dovetail.com/

3.13 Copy an MVS dataset from one z/OS system to another over an SSH
connection

    fromdsn -k -l rdw mvs1.input.dataset | todsn-ssh [EMAIL PROTECTED] -l rdw mvs2.output.dataset

fromdsn is run locally to create a stream of RDW-delimited records that
is piped into todsn-ssh.
todsn-ssh creates an SSH client connection over which it runs a remote
todsn command on
todsn-ssh has identical syntax to todsn, except that it starts with the
[EMAIL PROTECTED] name of the remote z/OS system, preceded by any options
for the ssh command.  See other todsn recipes in this cookbook for an
explanation of the options that may also be used on the todsn-ssh client
command.
todsn-ssh requires that the "IBM Ported Tools for z/OS (SSH)" product be
installed and configured.
This example assumes that you have configured SSH authentication keys,
since the todsn-ssh command does not allow for password prompting.


        Best Regards, 

                Sam Knutson, GEICO 
                Performance and Availability Management 
                mailto:[EMAIL PROTECTED] 
                (office)  301.986.3574 

This fortune soaks up 47 times its own weight in excess memory.
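The NETRC approach above only works if nobody but the FTP job can read the file, since the userid/password sit in it in the clear. The following is an added example (not from the post or from IBM's FTP client): a check that refuses a POSIX-style netrc file, such as $HOME/.netrc under z/OS UNIX, unless it is owned by the caller and has no group/world permissions, and only then hands back the login for a given host. It assumes the standard netrc text format; an MVS NETRC data set is protected by a SAF dataset profile instead, which this check does not cover.

```python
"""Refuse to use a netrc file that other users could read."""
import netrc
import os
import stat
import tempfile


def netrc_problems(path: str) -> list:
    """Return the reasons the file is unsafe to use (empty list if OK)."""
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["file does not exist"]
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != os.getuid():
        problems.append("not owned by the current user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group or world permissions set (expected mode 600)")
    return problems


def ftp_login(path: str, machine: str):
    """Return (login, password) for machine, or None if the file is unsafe
    or has no entry for that machine."""
    if netrc_problems(path):
        return None
    entry = netrc.netrc(path).authenticators(machine)
    if entry is None:
        return None
    login, _account, password = entry
    return login, password


# Constructed sample data (hypothetical host, login and password):
# one copy locked down to mode 600 and one left world-readable.
_SAMPLE = "machine mvs2.example.com login prodftp password s3cret\n"
_DIR = tempfile.mkdtemp()
GOOD_NETRC = os.path.join(_DIR, "netrc_600")
BAD_NETRC = os.path.join(_DIR, "netrc_644")
for _p, _mode in ((GOOD_NETRC, 0o600), (BAD_NETRC, 0o644)):
    with open(_p, "w") as _f:
        _f.write(_SAMPLE)
    os.chmod(_p, _mode)

if __name__ == "__main__":
    print(ftp_login(GOOD_NETRC, "mvs2.example.com"))  # ('prodftp', 's3cret')
    print(ftp_login(BAD_NETRC, "mvs2.example.com"))   # None
    print(netrc_problems(BAD_NETRC))
```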

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of David Huysmans
Sent: Thursday, May 18, 2006 9:05 AM
To: [email protected]
Subject: ftp and kerberos

Hello List(eners),

We have the following situation:

We want to send data between 2 different MVS sysplexes. We're planning
to use FTP as the protocol for the data transfer.
The only problem we have with this is the confidentiality of the
passwords we have to use to set up the communication. 
The user(s) we will use for the FTP needs to have access to a lot of
production data, so the impact when the password is revealed, could be
huge.

We were now thinking of using Kerberos as the authentication protocol
for FTP, because this should eliminate the need for a password. When I
look at the TCPIP security redbook, I'm surprised to see the need to
send a user and password after the Kerberos authentication has been set
up. I'm wondering what the added value then is for using Kerberos.

As I understood, you receive a ticket from your Kerberos server, and
with this ticket you should be able to gain access to other servers
within the realm.
There should be no more need for a password. The tickets map you to a
user defined within your SAF database (in our case ACF2).

Is there any way to eliminate the use of user/password when doing an FTP
(TSO/batch) from one MVS to another MVS? 
If Kerberos is the answer to this problem: does anyone have a
document for implementing it using ACF2 as the SAF database (something
more usable than the ACF2 administrator book)?

Any suggestion is welcome,

Regards.

Bert Gilis

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
