I guess I don’t understand the problem. Yeah, that password is in the clear, but it’s an IBM generated password for that one specific order, good for a few weeks, the entire order is removed anyway?

The only time I use that method is when I order CBPDO product upgrades between ServerPac upgrades. Even if using this method for regular maintenance, I don’t see it as a problem, because once again, it’s an IBM generated, temporary password for that one specific order.

_________________________________________________________________
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President
[email protected]
1830 East Paris, Grand Rapids, MI 49546 MD RSCB2H
p 616.653.8429
f 616.653.2717

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Kurt Quackenbush
Sent: Monday, September 18, 2017 8:55 AM
To: [email protected]
Subject: Re: ShopzSeries FTP password in the clear

On 9/15/2017 12:21 PM, Tom Conley wrote:
> On 9/15/2017 9:41 AM, Richards, Robert B. wrote:
>> My cyber security folks are asking me about why I am doing FTPs with
>> the password "in the clear". At first, I did not know what they
>> were talking about.
>>
>> It appears that within the SERVINFO data "user=" and "pw=" are *in
>> the clear*. Not always, but often enough.

<snip>

> Here are my client and server datasets. No user= or pw=. So whatchoo
> talkin' 'bout Willis?
>
> <CLIENT
> javahome="/usr/lpp/java/J8.0"
> downloadmethod="https"
> downloadkeyring="javatruststore">
> </CLIENT>
>
> <ORDERSERVER
> url="https://eccgw02.rochester.ibm.com/services/projects/ecc/ws/"
> keyring="FTPSERVE/SHOPZRING2048"
> certificate="SMPE Client Certificate2048">
> </ORDERSERVER>

Apples and oranges. Tom you're talking about RECEIVE ORDER and I believe the OP is talking about RECEIVE FROMNETWORK where the order was submitted using Shopz, not using SMP/E.

For Shopz initiated orders, the entire <SERVER> information is provided to you when you display the Download page for the order, which is presented to your browser using HTTPS, so the entire page, including the PW, is encrypted. Once you cut that info from your browser and paste into some data set, you are correct the PW is "in the clear" but as already suggested, hopefully that data set is protected with appropriate security profiles using RACF or similar.

When you run your SMP/E RECEIVE FROMNETWORK job, you must use either FTPS or HTTPS for the download, so the PW is never sent over the wire in the clear.

Where exactly do your "cyber security folks" think the PW is in the clear?

Kurt Quackenbush -- IBM, SMP/E Development

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
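
Added example, not part of the thread and not IBM or SMP/E code: a small Python audit helper that scans a text copy of a SERVINFO-style member for tags carrying `user=` or `pw=`, and produces a redacted copy that can be shared with a security team. The `user=`/`pw=` attribute names and the `<CLIENT>` tag come from the thread; the host, package values and function names are constructed for illustration.

```python
import re

# Constructed sample member. Only user=, pw= and the <CLIENT> tag appear in the
# thread; host, the PACKAGE tag and every value below are made up.
SAMPLE_MEMBER = '''\
<SERVER
  host="download.example.com"
  user="S0000000"
  pw="EXAMPLEPW12345">
<PACKAGE file="EXAMPLE/GIMPAF.XML" id="EXAMPLE01">
</PACKAGE>
</SERVER>
<CLIENT
  javahome="/usr/lpp/java/J8.0"
  downloadmethod="https"
  downloadkeyring="javatruststore">
</CLIENT>
'''

TAG_RE = re.compile(r'<(?P<name>[A-Za-z]+)\b(?P<attrs>[^<>]*)>')
ATTR_RE = re.compile(r'(?P<key>[A-Za-z]+)\s*=\s*"(?P<val>[^"]*)"')

def find_cleartext_credentials(text):
    """Return one finding per opening tag that carries user= or pw=."""
    findings = []
    for tag in TAG_RE.finditer(text):
        attrs = {m['key'].lower(): m['val']
                 for m in ATTR_RE.finditer(tag['attrs'])}
        if 'pw' in attrs or 'user' in attrs:
            findings.append({
                'tag': tag['name'].upper(),
                'line': text.count('\n', 0, tag.start()) + 1,
                'has_user': 'user' in attrs,
                'has_pw': 'pw' in attrs,
                # Report the length only, never the password itself.
                'pw_length': len(attrs.get('pw', '')),
            })
    return findings

def redact(text):
    """Copy of the member with every pw= value masked."""
    return re.sub(r'(\bpw\s*=\s*")[^"]*(")', r'\1********\2', text, flags=re.I)

if __name__ == "__main__":
    for finding in find_cleartext_credentials(SAMPLE_MEMBER):
        print(finding)
    print(redact(SAMPLE_MEMBER))
```

A finding here means the credential is stored at rest in that member, which is the case the thread says should be covered by a RACF (or similar) data set profile.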
