On 9/13/2006 4:49 PM, Charles Mills wrote:
My problem is I have responsibility for batch FTP processes at customer
sites. The FTP server userid is specifically non-TSO-enabled. How do they
know it is about to expire? How do they change it? I don't have a good (as
in good human/business process, not as in working technology) answer.
You run IRRDBU00 to get a flat-file of the RACF database, then generate
a report of IDs with passwords about to expire, and for the ones that
you care about you issue ALTUSER whatever-id PASSWORD(newpw) NOEXPIRED
and then you change the batch processes to use the new password.
Or, you make those IDs have non-expiring passwords, and change them at
your convenience, rather than every normal interval of time.
Or you authenticate differently, possibly with Kerberos, if that makes
things simpler (I don't know that it does, not having full details of
your environment).
Or you use something like SFTP (provided on z/OS by OpenSSH) and its
public/private key support to avoid password expiration.
Or you use web-based technology, with a browser at one end, and a server
at the other, with authentication done via digital certificates.
Or you use something based on PassTickets, if the host is a z/OS system.
Walt Farrell, CISSP
z/OS Security Design, IBM
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
