I have the following code to send a file through FTP using JCL:
//FTP00001 EXEC PGM=IKJEFT01,DYNAMNBR=50
//OUT DD SYSOUT=*
//AMSDUMP DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSIN DD DUMMY
//SYSPRINT DD DUMMY
//OUTPUT DD SYSOUT=*
//SYSTSIN DD *
123.234.345.67
myuser1
p4ssw0rd
ascii
cd infos
PUT 'EF35.LMINFO.D180203' info_180203.txt
QUIT
/*
It works like a charm; the problem is that I don't want to put the credentials hardcoded inside the JCL. How could we hide them so anyone who has access to the JCL can't see the connection details? I'd like to hide the credentials from the output too, but note I still want to see the rest of the info: bytes transferred, possible error messages, and so on.
I thought about putting the SYSTSIN content inside a file, but I'd face the same problem: anyone who has access to the file will see the user and pass. Therefore, what is the best method to sort this out?
The way I have seen it done is like this:
//FTP00001 EXEC PGM=IKJEFT01,DYNAMNBR=50
//OUT DD SYSOUT=*
//AMSDUMP DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSIN DD DUMMY
//SYSPRINT DD DUMMY
//OUTPUT DD SYSOUT=*
//SYSTSIN DD DSN=AA.SOMETHING.LOGIN,DISP=SHR
// DD DSN=AA.SOMETHING.FTP,DISP=SHR
// DD DSN=AA.SOMETHING.LOGOFF,DISP=SHR
where AA.SOMETHING.LOGIN would contain
123.234.345.67
myuser1 <- replace with ACID for this job
p4ssw0rd <- replace with password for the ACID
AA.SOMETHING.FTP would contain
ascii
cd infos
PUT 'EF35.LMINFO.D180203' info_180203.txt
AA.SOMETHING.LOGOFF would contain
QUIT
This JCL would run via a batch ACID and only the ACID would have read/write access to the AA.SOMETHING.LOGIN file. So the FTP server would need to add the ACID as a user. That is really the only way to do it. You are right though, anyone with access to AA.SOMETHING.LOGIN can see the credentials, but because we separated the login information from the FTP commands, there is no reason to need access to the login files unless the username/pass or the IP address changes. So you would be able to change anything in the files you have access to. You could also take it a step further and put the IP address in a separate dataset so then you can edit/view literally anything except the login credentials. That would look like this:
//FTP00001 EXEC PGM=IKJEFT01,DYNAMNBR=50
//OUT DD SYSOUT=*
//AMSDUMP DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSIN DD DUMMY
//SYSPRINT DD DUMMY
//OUTPUT DD SYSOUT=*
//SYSTSIN DD DSN=AA.SOMETHING.SERVER,DISP=SHR
// DD DSN=AA.SOMETHING.LOGIN,DISP=SHR
// DD DSN=AA.SOMETHING.FTP,DISP=SHR
// DD DSN=AA.SOMETHING.LOGOFF,DISP=SHR
This also allows you to change the server, FTP commands and logout/cleanup all without having access to the login credentials.
The only real downside to this is if you ever need to update the login credentials, you either need to:
Even with that in mind, I still think this is the best way.
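An audit check for the pattern discussed above, added here as an example and not part of the original answer: it scans JCL text (for example, members exported from a JCL library) and reports every in-stream `DD *` whose data looks like host / user ID / password, as in the question's SYSTSIN. The function names, the subcommand list and the host heuristic are assumptions, and the sample jobs are shortened from the JCL on this page.

```python
import re
# FTP subcommands: a record starting with one is a command, not a credential.
FTP_CMDS = {"ascii", "binary", "cd", "lcd", "put", "get", "mput", "mget",
            "dir", "ls", "close", "quit"}
HOST_RE = re.compile(r"^(\d{1,3}(\.\d{1,3}){3}|[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+)$")
EXEC_RE = re.compile(r"^//(\S+)\s+EXEC\s")
INSTREAM_RE = re.compile(r"^//(\S*)\s+DD\s+\*(\s|,|$)")

def looks_like_login(records):
    """Heuristic: host first, then two records that are not FTP subcommands."""
    recs = [r for r in records if r]
    if len(recs) < 3 or not HOST_RE.match(recs[0].split()[0]):
        return False
    return all(r.split()[0].lower() not in FTP_CMDS for r in recs[1:3])

def find_inline_ftp_logins(jcl_text):
    """Return (step, ddname, line_no) for each DD * that carries a login."""
    findings, step, current, data = [], None, None, None
    # The trailing "//" sentinel closes in-stream data left open at end of text.
    for no, line in enumerate(jcl_text.splitlines() + ["//"], 1):
        if data is not None:
            if not line.startswith(("//", "/*")):
                data.append(line[:72].strip())  # columns 73-80: sequence numbers
                continue
            if looks_like_login(data):
                findings.append(current)
            data = None
        if m := EXEC_RE.match(line):
            step = m.group(1)
        if m := INSTREAM_RE.match(line):
            current, data = (step, m.group(1), no), []
    return findings

# Sample jobs, shortened from the JCL on this page.
HARDCODED = """\
//FTP00001 EXEC PGM=IKJEFT01,DYNAMNBR=50
//SYSTSIN DD *
123.234.345.67
myuser1
p4ssw0rd
QUIT
/*
"""
SPLIT = """\
//FTP00001 EXEC PGM=IKJEFT01,DYNAMNBR=50
//SYSTSIN DD DSN=AA.SOMETHING.LOGIN,DISP=SHR
// DD DSN=AA.SOMETHING.FTP,DISP=SHR
"""
```

`find_inline_ftp_logins(HARDCODED)` reports the step, DD name and line of the in-stream login, while `SPLIT` and jobs that keep only FTP subcommands in-stream produce no findings.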