When running FTP batch jobs to transfer files to the Broadcom support servers (or any other servers), many customers will include their login credentials (user and password) within the data. This allows those credentials to be easily seen by anyone looking at the jobs, either in the JCL library, or the z/OS Spool files. This creates an unnecessary exposure for these user credentials which can be easily remedied.
By using a file containing the login details for a specific user, and by ensuring that this file has security so that only the user can open the file, it is possible for FTP processes to successfully login to any number of servers without showing these credentials.
z/OS Mainframe FTP
In order to prevent the user's login credentials from being seen in a clear-text stream while using FTP, we have recommended that the client use a NETRC file, which is a part of standard IBM FTP processing. This file (which can be a single PS file or a PDS member) will contain one or more sets of login details, each identified by a particular server. An entry does not have to fit on a single line, but the keywords and values must be in a specific order. If desired, the user can allocate a file with a record length of 100 bytes so that longer email addresses can be supported in a single line.
To begin, allocate a file (I recommend a file named userid.NETRC) with an LRECL of 100 bytes. No more than a single track is needed, which would hold login details for nearly 550 servers. Comments are not allowed, but you can use blank lines to group related entries.
In this file, three fields are needed to make up a single login entry. Note that in the z/OS NETRC file, the keywords must be in lower case. The keywords needed for each entry, in the order in which they must be specified, are machine, login and password.
Below is an example showing all values on a single line:
machine ftp.broadcom.com login anonymous password [email protected]
Below is an example using two different servers, with values on multiple lines:
machine supportftp.broadcom.com
login [email protected] password xXxXx1
machine ftp.broadcom.com
login anonymous
password [email protected]
The NETRC login credentials are used only for FTP processing, so using this file means changing any batch JCL used for FTP functions. To use this file, you must first be sure that the remote server you wish to access has been defined using the machine-login-password settings as shown above. Then, you need to add a DD statement named NETRC to your JCL, and this must refer to the NETRC file you created and populated above. Finally, you can remove the user and password commands from your FTP INPUT file.
For example, your original JCL might have looked like this:
//FTP EXEC PGM=FTP,REGION=0K,PARM=' fileserver.company.com 21'
//OUTPUT DD SYSOUT=*
//INPUT DD *
[email protected] myPassWord
asc
ls -l
quit
/*
After creating the NETRC file, you would add an entry like this to that file (its position among the other entries in the file is not important):
machine fileserver.company.com login [email protected] password myPassWord
Now, your JCL will look like this:
//FTP EXEC PGM=FTP,REGION=0K,PARM=' fileserver.company.com 21'
//NETRC DD DISP=SHR,DSN=myuserid.NETRC
//OUTPUT DD SYSOUT=*
//INPUT DD *
asc
ls -l
quit
/*
As you can see, the user credentials no longer appear in the JCL, and the FTP process masks them in the OUTPUT file, so there is nothing to see there either.
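As an added example (not part of this article or of IBM's FTP client), here is a small Python check that parses a NETRC file under the rules above (lowercase keywords, machine/login/password order, entries spanning lines, blank lines allowed) and confirms that an FTP step's JCL names a server with a NETRC entry and carries a NETRC DD before its INPUT credentials are removed. The sample NETRC text and JCL are constructed, and the hostnames, logins and passwords in them are placeholders.

```python
import re

# Constructed sample NETRC content in the multi-line form shown above;
# the logins and passwords are placeholders, not real accounts.
SAMPLE_NETRC = """
machine supportftp.broadcom.com
login someone@example.com password xXxXx1

machine fileserver.company.com login myuser@example.com password myPassWord
"""

# Constructed JCL for the FTP step after the credentials were removed.
SAMPLE_JCL = """\
//FTP EXEC PGM=FTP,REGION=0K,PARM=' fileserver.company.com 21'
//NETRC DD DISP=SHR,DSN=myuserid.NETRC
//OUTPUT DD SYSOUT=*
//INPUT DD *
asc
ls -l
quit
/*
"""

KEYWORDS = ("machine", "login", "password")

def parse_netrc(text):
    """Return {hostname: (login, password)} from z/OS NETRC text.
    Each entry is six tokens (three keywords with their values) that may
    be split across lines; keywords must be lowercase and in order.
    Malformed input raises ValueError instead of matching the wrong server."""
    tokens = text.split()
    if len(tokens) % 6:
        raise ValueError("token count not a multiple of 6: an entry is incomplete")
    entries = {}
    for i in range(0, len(tokens), 6):
        kws, vals = tuple(tokens[i:i + 6:2]), tokens[i + 1:i + 6:2]
        if kws != KEYWORDS:
            raise ValueError(f"entry {i // 6}: keywords must be {KEYWORDS}, got {kws}")
        host = vals[0].lower()
        if host in entries:
            raise ValueError(f"duplicate entry for {host}")
        entries[host] = (vals[1], vals[2])
    return entries

def jcl_ready_for_netrc(jcl, entries):
    """Check an FTP step: the server in PARM needs a NETRC entry and the
    step needs a //NETRC DD. Returns (ok, list_of_problems)."""
    problems = []
    m = re.search(r"PARM='\s*(\S+)", jcl)
    if not m:
        problems.append("no FTP server found in PARM")
    elif m.group(1).lower() not in entries:
        problems.append(f"no NETRC entry for {m.group(1)}")
    if not re.search(r"^//NETRC\s+DD\b", jcl, re.M):
        problems.append("no //NETRC DD statement")
    return (not problems, problems)
```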
Note that if you use the FTP commands through a TSO process, you can allocate the NETRC file to your TSO session, either through a permanent JCL allocation in your login proc, or through the TSO ALLOC command. You will then be able to use NETRC processing from your TSO FTP sessions.
By using the NETRC file, you can more easily manage all your passwords for the different FTP servers while protecting your login details.
As always, please contact Broadcom support if you have further questions.