On Fri, 31 Oct 2025 at 12:10, Donald Russell < [email protected]> wrote:
> We have systems external to z/OS that submit jobs to JES over encrypted ftp
> sessions. We “site filetype=jes” then “put” a jcl file.
>
> Unfortunately the JCL JOB statement uses the same USERID= and PASSWORD=
> values as were used to authenticate for the ftp connection. That all
> worked perfectly until password/phrases were replaced with OTP. One-Time
> Password.
>

So I'm clear, this authentication of the OTP is done in the external (non z/OS) system?

>
> Well, the one time use gets into ftp, now the submitted job fails because
> the password check fails.
>

What credentials does the remote FTP use to connect to the z/OS FTP server? The same as what's on the JOB card?

> I’m not on the z/OS side of things, but I want to help them by providing a
> possible solution. I’m thinking a user exit could vet the JCL submitted
> through site filetype=jes to skip the password check when the job is
> submitted that way. The exit should either (en)force the JOB USERID= value
> to match the ftp id, or perhaps recognize a special userid id of FTPJES
> that the user exit would change to the ftp user logged in and accept the
> job without further password checks.
>

I'm not clear on how this would keep unauthorized FTPers from submitting the job.

Could the submitting end generate a RACF PassTicket to be used instead of a static password? This is discussed in the RACF Security Admin Guide https://www.ibm.com/docs/en/zos/3.1.0?topic=guide-using-passtickets . The gory details of generating your own PassTicket off z/OS are at https://www.ibm.com/docs/en/zos/3.1.0?topic=passticket-generating-evaluating .

Tony H.
