Re: ShopzSeries FTP password in the clear
I guess I don’t understand the problem. Yeah, that password is in the clear, but it’s an IBM-generated password for that one specific order, good for a few weeks, the entire order is removed anyway? The only time I use that method is when I order CBPDO product upgrades between ServerPac upgrades. Even if using this method for regular maintenance, I don’t see it as a problem, because once again, it’s an IBM-generated, temporary password for that one specific order.

_
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President
david.jou...@53.com
1830 East Paris, Grand Rapids, MI 49546 MD RSCB2H
p 616.653.8429
f 616.653.2717

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Kurt Quackenbush
Sent: Monday, September 18, 2017 8:55 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: ShopzSeries FTP password in the clear

On 9/15/2017 12:21 PM, Tom Conley wrote:
> On 9/15/2017 9:41 AM, Richards, Robert B. wrote:
>> My cyber security folks are asking me about why I am doing FTPs with
>> the password "in the clear". At first, I did not know what they were
>> talking about.
>>
>> It appears that within the SERVINFO data "user=" and "pw=" are *in
>> the clear*. Not always, but often enough.
> Here are my client and server datasets. No user= or pw=. So whatchoo
> talkin' 'bout Willis?
>
> javahome="/usr/lpp/java/J8.0"
> downloadmethod="https"
> downloadkeyring="javatruststore">
>
>
> url="https://eccgw02.rochester.ibm.com/services/projects/ecc/ws/;
> keyring="FTPSERVE/SHOPZRING2048"
> certificate="SMPE Client Certificate2048">

Apples and oranges. Tom, you're talking about RECEIVE ORDER and I believe the OP is talking about RECEIVE FROMNETWORK where the order was submitted using Shopz, not using SMP/E.

For Shopz initiated orders, the entire information is provided to you when you display the Download page for the order, which is presented to your browser using HTTPS, so the entire page, including the PW, is encrypted. Once you cut that info from your browser and paste into some data set, you are correct the PW is "in the clear" but as already suggested, hopefully that data set is protected with appropriate security profiles using RACF or similar. When you run your SMP/E RECEIVE FROMNETWORK job, you must use either FTPS or HTTPS for the download, so the PW is never sent over the wire in the clear.

Where exactly do your "cyber security folks" think the PW is in the clear?

Kurt Quackenbush -- IBM, SMP/E Development

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: ShopzSeries FTP password in the clear
Kurt,

You are correct. I am doing an RFN. I will find out where the Cyber folks are getting their information and get back to you.

Stay tuned!

Bob

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Kurt Quackenbush
Sent: Monday, September 18, 2017 8:55 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: ShopzSeries FTP password in the clear

On 9/15/2017 12:21 PM, Tom Conley wrote:
> On 9/15/2017 9:41 AM, Richards, Robert B. wrote:
>> My cyber security folks are asking me about why I am doing FTPs with
>> the password "in the clear". At first, I did not know what they were
>> talking about.
>>
>> It appears that within the SERVINFO data "user=" and "pw=" are *in
>> the clear*. Not always, but often enough.
> Here are my client and server datasets. No user= or pw=. So whatchoo
> talkin' 'bout Willis?
>
> javahome="/usr/lpp/java/J8.0"
> downloadmethod="https"
> downloadkeyring="javatruststore">
>
>
> url="https://eccgw02.rochester.ibm.com/services/projects/ecc/ws/;
> keyring="FTPSERVE/SHOPZRING2048"
> certificate="SMPE Client Certificate2048">

Apples and oranges. Tom, you're talking about RECEIVE ORDER and I believe the OP is talking about RECEIVE FROMNETWORK where the order was submitted using Shopz, not using SMP/E.

For Shopz initiated orders, the entire information is provided to you when you display the Download page for the order, which is presented to your browser using HTTPS, so the entire page, including the PW, is encrypted. Once you cut that info from your browser and paste into some data set, you are correct the PW is "in the clear" but as already suggested, hopefully that data set is protected with appropriate security profiles using RACF or similar. When you run your SMP/E RECEIVE FROMNETWORK job, you must use either FTPS or HTTPS for the download, so the PW is never sent over the wire in the clear.

Where exactly do your "cyber security folks" think the PW is in the clear?

Kurt Quackenbush -- IBM, SMP/E Development
Re: ShopzSeries FTP password in the clear
On 9/15/2017 12:21 PM, Tom Conley wrote:
> On 9/15/2017 9:41 AM, Richards, Robert B. wrote:
>> My cyber security folks are asking me about why I am doing FTPs with
>> the password "in the clear". At first, I did not know what they were
>> talking about.
>>
>> It appears that within the SERVINFO data "user=" and "pw=" are *in
>> the clear*. Not always, but often enough.
> Here are my client and server datasets. No user= or pw=. So whatchoo
> talkin' 'bout Willis?
>
> javahome="/usr/lpp/java/J8.0"
> downloadmethod="https"
> downloadkeyring="javatruststore">
>
>
> url="https://eccgw02.rochester.ibm.com/services/projects/ecc/ws/;
> keyring="FTPSERVE/SHOPZRING2048"
> certificate="SMPE Client Certificate2048">

Apples and oranges. Tom, you're talking about RECEIVE ORDER and I believe the OP is talking about RECEIVE FROMNETWORK where the order was submitted using Shopz, not using SMP/E.

For Shopz initiated orders, the entire information is provided to you when you display the Download page for the order, which is presented to your browser using HTTPS, so the entire page, including the PW, is encrypted. Once you cut that info from your browser and paste into some data set, you are correct the PW is "in the clear" but as already suggested, hopefully that data set is protected with appropriate security profiles using RACF or similar. When you run your SMP/E RECEIVE FROMNETWORK job, you must use either FTPS or HTTPS for the download, so the PW is never sent over the wire in the clear.

Where exactly do your "cyber security folks" think the PW is in the clear?

Kurt Quackenbush -- IBM, SMP/E Development
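An added example, not part of the thread and not IBM code: a Python check that locates inline `user=` and `pw=` values in a saved copy of SERVINFO-style text and produces a redacted copy that can be shown to auditors or attached to a ticket. Only the `user=` and `pw=` attribute names come from the thread; the `<SERVER>`/`<PACKAGE>` layout, the host and every value in the sample are constructed assumptions.

```python
import re

# Matches user="..." / pw="..." wherever they appear, including when each
# attribute sits on its own 80-column record. Either quote style is accepted.
_CRED_ATTR = re.compile(r'\b(user|pw)(\s*=\s*)(["\'])(.*?)\3', re.IGNORECASE)

# Constructed sample: layout, host, user, pw and package values are made up.
SAMPLE_SERVINFO = '''\
<SERVER host="ftp.example.com"
        user="S1234567"
        pw="Xy12ExamplePw90">
  <PACKAGE file="2017091500001/PROD/GIMPAF.XML"
           hash="0000000000000000000000000000000000000000"
           id="U01234567">
  </PACKAGE>
</SERVER>
'''


def find_credentials(text):
    """Return (line_number, attribute, value_length) for each inline credential.

    The value itself is never returned, so the findings can be shared.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _CRED_ATTR.finditer(line):
            findings.append((lineno, m.group(1).lower(), len(m.group(4))))
    return findings


def redact(text, mask="********"):
    """Return a copy with user=/pw= values masked and everything else unchanged."""
    def _mask(m):
        return f"{m.group(1)}{m.group(2)}{m.group(3)}{mask}{m.group(3)}"
    return _CRED_ATTR.sub(_mask, text)


if __name__ == "__main__":
    for lineno, attr, length in find_credentials(SAMPLE_SERVINFO):
        print(f"line {lineno}: {attr}= holds a {length}-character value in clear text")
    print(redact(SAMPLE_SERVINFO))
```

Run against text exported from the data sets where order information was pasted, the findings list shows which saved orders still hold a credential at rest and therefore depend on the data set's access profile.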
Re: ShopzSeries FTP password in the clear
Gil,

I was aware of Kurt's response. It doesn't solve my problem with FTPS and Shopz though. It merely provides a different method of obtaining the order...one I am not prepared to regularly use at the moment but have in my back pocket if FTPS becomes unavailable.

Bob

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Paul Gilmartin
Sent: Friday, September 15, 2017 12:38 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: ShopzSeries FTP password in the clear

On 2017-09-15, at 10:25, Richards, Robert B. wrote:

> You are using HTTPS. I am using FTPS. :-)
>
So it appears that's the solution to your problem. I believe IBM recommends that. (See reply by Kurt Quackenbush on 2017-08-07 https://listserv.ua.edu/cgi-bin/wa?A2=ind1708=ibm-main=R9940 )

-- gil
Re: ShopzSeries FTP password in the clear
On 2017-09-15, at 10:25, Richards, Robert B. wrote:

> You are using HTTPS. I am using FTPS. :-)
>
So it appears that's the solution to your problem. I believe IBM recommends that. (See reply by Kurt Quackenbush on 2017-08-07 https://listserv.ua.edu/cgi-bin/wa?A2=ind1708=ibm-main=R9940 )

-- gil
Re: ShopzSeries FTP password in the clear
You are using HTTPS. I am using FTPS. :-)

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Tom Conley
Sent: Friday, September 15, 2017 12:23 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: ShopzSeries FTP password in the clear

On 9/15/2017 9:41 AM, Richards, Robert B. wrote:
> My cyber security folks are asking me about why I am doing FTPs with the
> password "in the clear". At first, I did not know what they were talking about.
>
> It appears that within the SERVINFO data "user=" and "pw=" are *in the
> clear*. Not always, but often enough.
>
> I sent an email to L2 Shopz over a week ago and have not heard back from them.
>
> Before I open a PMR, I wondered if the list had some sage advice (like an
> options statement that I am missing).
>
> Thanks in advance,
>
> Bob
>

Bob,

Here are my client and server datasets. No user= or pw=. So whatchoo talkin' 'bout Willis?

javahome="/usr/lpp/java/J8.0"
downloadmethod="https"
downloadkeyring="javatruststore">

url="https://eccgw02.rochester.ibm.com/services/projects/ecc/ws/;
keyring="FTPSERVE/SHOPZRING2048"
certificate="SMPE Client Certificate2048">

Regards,
Tom Conley
Re: ShopzSeries FTP password in the clear
Actually both. I am doing FTPS for all my FTPs.

Bob

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Chris Hoelscher
Sent: Friday, September 15, 2017 12:08 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: ShopzSeries FTP password in the clear

Did the OP mean FTPs as in the product FTPS? Or as in multiple FTP executions?

Chris Hoelscher
Technology Architect, Database Infrastructure Services
Technology Solution Services
123 East Main Street
Louisville, KY 40202
Humana.com
(502) 476-2538 or 407-7266

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Allan Staller
Sent: Friday, September 15, 2017 10:02 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [IBM-MAIN] ShopzSeries FTP password in the clear

They do not know what they are talking about.
The primary difference between FTP and FTPS is that FTPS encrypts the password.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Richards, Robert B.
Sent: Friday, September 15, 2017 8:43 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: ShopzSeries FTP password in the clear

My cyber security folks are asking me about why I am doing FTPs with the password "in the clear". At first, I did not know what they were talking about.

It appears that within the SERVINFO data "user=" and "pw=" are *in the clear*. Not always, but often enough.

I sent an email to L2 Shopz over a week ago and have not heard back from them.

Before I open a PMR, I wondered if the list had some sage advice (like an options statement that I am missing).

Thanks in advance,

Bob
Re: ShopzSeries FTP password in the clear
On 9/15/2017 9:41 AM, Richards, Robert B. wrote:
> My cyber security folks are asking me about why I am doing FTPs with the
> password "in the clear". At first, I did not know what they were talking about.
>
> It appears that within the SERVINFO data "user=" and "pw=" are *in the
> clear*. Not always, but often enough.
>
> I sent an email to L2 Shopz over a week ago and have not heard back from them.
>
> Before I open a PMR, I wondered if the list had some sage advice (like an
> options statement that I am missing).
>
> Thanks in advance,
>
> Bob
>

Bob,

Here are my client and server datasets. No user= or pw=. So whatchoo talkin' 'bout Willis?

javahome="/usr/lpp/java/J8.0"
downloadmethod="https"
downloadkeyring="javatruststore">

url="https://eccgw02.rochester.ibm.com/services/projects/ecc/ws/;
keyring="FTPSERVE/SHOPZRING2048"
certificate="SMPE Client Certificate2048">

Regards,
Tom Conley
Re: ShopzSeries FTP password in the clear
Did the OP mean FTPs as in the product FTPS? Or as in multiple FTP executions?

Chris Hoelscher
Technology Architect, Database Infrastructure Services
Technology Solution Services
123 East Main Street
Louisville, KY 40202
Humana.com
(502) 476-2538 or 407-7266

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Allan Staller
Sent: Friday, September 15, 2017 10:02 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [IBM-MAIN] ShopzSeries FTP password in the clear

They do not know what they are talking about.
The primary difference between FTP and FTPS is that FTPS encrypts the password.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Richards, Robert B.
Sent: Friday, September 15, 2017 8:43 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: ShopzSeries FTP password in the clear

My cyber security folks are asking me about why I am doing FTPs with the password "in the clear". At first, I did not know what they were talking about.

It appears that within the SERVINFO data "user=" and "pw=" are *in the clear*. Not always, but often enough.

I sent an email to L2 Shopz over a week ago and have not heard back from them.

Before I open a PMR, I wondered if the list had some sage advice (like an options statement that I am missing).

Thanks in advance,

Bob
Re: ShopzSeries FTP password in the clear
On Fri, 15 Sep 2017 14:02:29 +, Allan Staller wrote:

>They do not know what they are talking about.
>The primary difference between FTP and FTPS is that FTPS encrypts the password.
>
The problem is that even though it's encrypted over the network, it appears in the clear in the SERVINFO data set. I don't know that RACF protecting that data set will placate the security folks.

>-----Original Message-----
>From: Richards, Robert B.
>Sent: Friday, September 15, 2017 8:43 AM
>
>My cyber security folks are asking me about why I am doing FTPs with the
>password "in the clear". At first, I did not know what they were talking about.
>
>It appears that within the SERVINFO data "user=" and "pw=" are *in the clear*.
>Not always, but often enough.
>
>I sent an email to L2 Shopz over a week ago and have not heard back from them.
>
>Before I open a PMR, I wondered if the list had some sage advice (like an
>options statement that I am missing).

-- gil
Re: ShopzSeries FTP password in the clear
They do not know what they are talking about.
The primary difference between FTP and FTPS is that FTPS encrypts the password.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Richards, Robert B.
Sent: Friday, September 15, 2017 8:43 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: ShopzSeries FTP password in the clear

My cyber security folks are asking me about why I am doing FTPs with the password "in the clear". At first, I did not know what they were talking about.

It appears that within the SERVINFO data "user=" and "pw=" are *in the clear*. Not always, but often enough.

I sent an email to L2 Shopz over a week ago and have not heard back from them.

Before I open a PMR, I wondered if the list had some sage advice (like an options statement that I am missing).

Thanks in advance,

Bob
ShopzSeries FTP password in the clear
My cyber security folks are asking me about why I am doing FTPs with the password "in the clear". At first, I did not know what they were talking about.

It appears that within the SERVINFO data "user=" and "pw=" are *in the clear*. Not always, but often enough.

I sent an email to L2 Shopz over a week ago and have not heard back from them.

Before I open a PMR, I wondered if the list had some sage advice (like an options statement that I am missing).

Thanks in advance,

Bob