Can you assume that the user has properly been validated at the point that the FTP to JES2 is being used? If so, can you use the userID to search a table to extract a password to be passed to JES2? That file, where those "passwords" are kept would have to be encrypted so that only those with authority to see the data can edit that file.  Just an idea that might trigger a better solution.

IF you have C:D|NDM, could you send that JOB to it and have it trigger a RUNTASK that could do the submit?

Steve Thompson.

On 10/31/2025 1:27 PM, Donald Russell wrote:
Hi Tony,

Here's a sample workflow. Originating on a zLinux system web page, a user
fills in a form and two of the fields are for their z/OS userid and
password.
The user creates an OTP with a YubiKey or phone app.
The web server code builds JCL, inserts the specified userid and (now) OTP
in the JOB USERID= PASSWORD= fields.
The web server uses those credentials to start an FTP session to JES...
then it uses 'site filetype=jes' and 'put's the jcl file.

The problem is the one-time password is consumed by the ftp login. The
process worked fine when passwords/phrases were used because the ftp login
was successful, then the JCL job file was submitted and it uses the same
credentials.

Now that user authentication is done by one-time password, that no
longer works... I need a TTP (two-time password) :-)


On Fri, Oct 31, 2025 at 9:49 AM Tony Harminc <[email protected]> wrote:

On Fri, 31 Oct 2025 at 12:10, Donald Russell <
[email protected]> wrote:

We have systems external to z/OS that submit jobs to JES over encrypted
ftp sessions. We “site filetype=jes” then “put” a jcl file.

Unfortunately the JCL JOB statement uses the same USERID= and PASSWORD=
values as were used to authenticate for the ftp connection.  That all
worked perfectly until password/phrases were replaced with OTP.  One-Time
Password.

So I'm clear, this authentication of the OTP is done in the external (non
z/OS) system?

Well, the one time use gets into ftp, now the submitted job fails because
the password check fails.

What credentials does the remote FTP use to connect to the z/OS FTP server?
The same as what's on the JOB card?

I’m not on the z/OS side of things, but I want to help them by providing a
possible solution.  I’m thinking a user exit could vet the JCL submitted
through site filetype=jes to skip the password check when the job is
submitted that way. The exit should either (en)force the JOB USERID= value
to match the ftp id, or perhaps recognize a special userid of FTPJES
that the user exit would change to the ftp user logged in and accept the
job without further password checks.

I'm not clear on how this would keep unauthorized FTPers from submitting
the job.

Could the submitting end generate a RACF PassTicket to be used instead of a
static password? This is discussed in the RACF Security Admin Guide
https://www.ibm.com/docs/en/zos/3.1.0?topic=guide-using-passtickets. The
gory details of generating your own PassTicket off z/OS are at
https://www.ibm.com/docs/en/zos/3.1.0?topic=passticket-generating-evaluating.

Tony H.
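The submission flow Donald describes (build a JOB card, log in to the z/OS FTP server, `site filetype=jes`, `put` the JCL), as an added illustration that is not code from anyone on the thread. It makes the double use of the credential explicit: whatever is passed as `password` is consumed once by the FTP login and presented again on the JOB card, which is why a one-time password fails at the second use and why a short-lived credential such as the PassTicket Tony mentions is the intended replacement. PassTicket generation, the host name, the job name and the account field are all assumptions and outside this example.

```python
"""Hypothetical helper: build JCL and submit it to JES over FTPS.

Not code from the list posters. The credential must be accepted twice
(FTP login and JOB card); a consumed OTP will fail the second check.
"""
import io
import ftplib


def build_jcl(jobname: str, userid: str, password: str, steps: list[str]) -> str:
    """Return a JOB card (USER=/PASSWORD= matching the FTP login) plus steps.

    Keeping USER= equal to the FTP login id mirrors the check Donald wants a
    JES exit to enforce, done here on the submitting side as a sanity check.
    """
    if not (1 <= len(jobname) <= 8 and jobname.isalnum()):
        raise ValueError("jobname must be 1-8 alphanumeric characters")
    if not (1 <= len(userid) <= 8):
        raise ValueError("userid must be 1-8 characters")
    card = [
        # ACCT and the programmer-name field are placeholder values
        f"//{jobname:<8} JOB (ACCT),'WEB SUBMIT',CLASS=A,MSGCLASS=X,",
        f"//         USER={userid},PASSWORD={password}",
    ]
    records = card + steps
    # JCL is 80-column card images; refuse anything JES would truncate
    for rec in records:
        if len(rec) > 80:
            raise ValueError(f"JCL record longer than 80 columns: {rec[:20]}...")
    return "\n".join(records) + "\n"


def submit_job(host: str, userid: str, password: str, jcl: str) -> str:
    """Log in over FTPS, switch the server into JES mode and put the JCL.

    Returns the server's final reply, which on z/OS names the JES job id.
    """
    with ftplib.FTP_TLS(host) as ftp:
        ftp.login(userid, password)      # first use: an OTP is consumed here
        ftp.prot_p()                     # encrypt the data connection as well
        ftp.sendcmd("SITE FILETYPE=JES")  # 'put' now means 'submit to JES'
        # second use happens inside JES when it reads PASSWORD= on the JOB card
        return ftp.storlines("STOR JOB.JCL", io.BytesIO(jcl.encode("ascii")))


if __name__ == "__main__":
    # Constructed sample; a real run needs a reachable z/OS FTP server.
    text = build_jcl("WEBJOB1", "USER01", "PLACEHOLDER_TICKET",
                     ["//STEP1    EXEC PGM=IEFBR14"])
    print(text)
```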

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
