Creating and using a NETRC file for mainframe FTP processing

Article ID: 259146


Products

Datacom Datacom/AD Datacom/DB

Issue/Introduction

When running FTP batch jobs to transfer files to the Broadcom support servers (or any other servers), many customers include their login credentials (user and password) in the job's input data. Those credentials can then be easily seen by anyone looking at the jobs, either in the JCL library or in the z/OS Spool files. This is an unnecessary exposure of the user credentials, and it can be easily remedied.

By using a file that contains the login details for a specific user, and by securing that file so that only the user can open it, FTP processes can log in to any number of servers without showing these credentials.

Environment

z/OS Mainframe FTP

Resolution

To prevent the user's login credentials from being seen in a clear-text stream while using FTP, we have recommended that the client use a NETRC file, which is part of standard IBM FTP processing. This file (which can be a single PS file or a PDS member) contains one or more sets of login details, each identified for a particular server. An entry does not have to fit on a single line, but the keywords and values must be in a specific order. If desired, the user can allocate a file with a record length of 100 bytes so that longer email addresses can be supported in a single line.

Creating the NETRC file

To begin, allocate a file (I recommend a file named userid.NETRC) with an LRECL of 100 bytes. No more than a single track is needed, which would hold login details for nearly 550 servers. Comments are not allowed, but you can use blank lines to group related entries.

In this file, all three fields below are needed to make up a single login entry. Note that in the z/OS NETRC file, the keywords must be in lower case. Here are the keywords needed for each entry, and the order that they need to be specified:

  • machine (followed by the name of the server to use),
  • login (followed by the username that will log in), and
  • password (followed by the password for this login)

Below is an example showing all values on a single line:

machine ftp.broadcom.com login anonymous password [email protected]

Below is an example using two different servers, with values on multiple lines:

machine supportftp.broadcom.com
          login [email protected] password xXxXx1

machine ftp.broadcom.com
login anonymous
password [email protected]
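
The rules above (lower-case keywords, the machine, login, password order, all three fields per entry, no comments) can be checked before the file is copied to the data set. The Python linter below is an added example, not part of the original article or of IBM's FTP client; it enforces only the rules stated here, and the host names, user IDs and passwords in SAMPLE are constructed.

```python
# Added example: lint a NETRC file against the rules stated in this article.
KEYWORDS = ("machine", "login", "password")  # required order within an entry

# Constructed sample; hosts, user IDs and passwords are made up.
SAMPLE = """\
machine fileserver.company.com login user1 password ExamplePw1

machine host2.example.com
          login user2 password ExamplePw2
Machine host3.example.com login user3 password ExamplePw3
machine host4.example.com password ExamplePw4 login user4
"""

def lint_netrc(text):
    """Return (entries, problems); entries hold (machine, login) only and
    values are never echoed in problems, so no password reaches the report."""
    tokens = [(tok, n) for n, line in enumerate(text.splitlines(), 1)
              for tok in line.split()]  # blank lines yield no tokens
    entries, problems, current, i = [], [], {}, 0
    while i < len(tokens):
        word, line = tokens[i]
        expected = KEYWORDS[len(current)]
        if word != expected:
            if word.lower() == expected:
                problems.append(f"line {line}: keyword '{word}' must be lower case")
            elif word in KEYWORDS:
                problems.append(f"line {line}: found '{word}' where '{expected}' is required")
            else:  # stray text, for example an attempted comment
                problems.append(f"line {line}: unexpected text where '{expected}' is required")
            current = {}
            if word != "machine":  # resynchronise at the next entry
                i += 1
                while i < len(tokens) and tokens[i][0] != "machine":
                    i += 1
            continue
        if i + 1 >= len(tokens):
            problems.append(f"line {line}: '{word}' has no value")
            current = {}
            break
        current[word] = tokens[i + 1][0]
        i += 2
        if len(current) == len(KEYWORDS):
            entries.append((current["machine"], current["login"]))
            current = {}
    if current:
        problems.append(f"entry for '{current['machine']}' is missing '{KEYWORDS[len(current)]}'")
    return entries, problems

if __name__ == "__main__":
    for problem in lint_netrc(SAMPLE)[1]:
        print(problem)
```

After a reported problem the linter skips ahead to the next machine keyword, so one bad entry does not hide the entries that follow it.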

Using the NETRC file

The NETRC login credentials are used only for FTP processing, so using this file means changing any batch JCL used for FTP functions. To use this file, you must first be sure that the remote server you wish to access has been defined using the machine-login-password settings as shown above. Then, you need to add a DD statement named NETRC to your JCL, and this must refer to the NETRC file you created and populated above. Finally, you can remove the user and password commands from your FTP INPUT file.

For example, your original JCL might have looked like this:

//FTP       EXEC PGM=FTP,REGION=0K,PARM='   fileserver.company.com 21'
//OUTPUT    DD SYSOUT=*
//INPUT     DD *
[email protected]     myPassWord
asc
ls -l
quit
/*

After creating the NETRC file, you would add an entry like this to that file (the position of the entry within the file is not important):

machine fileserver.company.com login [email protected] password myPassWord

Now, your JCL will look like this:

//FTP       EXEC PGM=FTP,REGION=0K,PARM='   fileserver.company.com 21'
//NETRC     DD DISP=SHR,DSN=myuserid.NETRC
//OUTPUT    DD SYSOUT=*
//INPUT     DD *
asc
ls -l
quit
/*

As you can see, the user credentials are not seen in the JCL and the FTP process will mask them in the OUTPUT file, so there is nothing to see there.

Note that if you use the FTP commands through a TSO process, you can allocate the NETRC file to your TSO session, either through a permanent JCL allocation in your login proc, or through the TSO ALLOC command. You will then be able to use NETRC processing from your TSO FTP sessions.

By using the NETRC file, you can more easily manage all your passwords for the different FTP servers while protecting your login details.

Additional Information

As always, please contact Broadcom support if you have further questions.