Our enterprise uses XCOM massively to transfer files, primarily in batch mode. Historically, whenever we have been installing XCOM on network servers, we have defined a userid for file transfer with a password that never expires, so that this password could be hard coded in mainframe batch jobs.
Over the years, many information security reviews pointed out that having a userid with a password that never expires is a security hazard. Our argument that this user has very limited permissions only worked to make them grade that hazard as "medium", as opposed to "severe".
Has anyone figured out a way to use XCOM file transfers without allocating users with passwords that never expires?
Does anyone knows of a way to keep the password in an encrypted form, rather than in a clear text?
To the best of my understanding, the certificates mechanism works in addition to using user/password as means of authentication, not instead of using them.
We also use passwords that never expire for transfers that are initiated by network servers. In that scenario, we are coding a CA Top Secret ACID and a non-expiring password in the script that calls XCOM on the server. However, no security review ever mentions that, because the guys that do them seldom know about IBM mainframe and CA Top Secret.
Please offer your experience with this.
Yohai Ben Ami
CA XCOM provides an utility (e.g xcomencr ) to encrypt the password stored in the batch job. See sample xcomencr JCL in CA XCOM Transport r12.0 for z/OS User Guide.
Have you had chance to configure trusted database? This alleviates the requirement of providing password in your batch job.
Providing minimum previleges for the XCOM user used in the batch transfer is a good practice.
CA XCOM Team
Thanks for your prompt reply.
I did look at the trusted access facilty at some earlier version of XCOM (before it was a database). The thing is, that with this facility one can initiate a transfer with no password at all, and that does not strike me as more secure than coding the password on the job, quite the contrary.
The documentation of XCOMENCR utility does not provide comprehensive information about its usage. Where is the encription key kept, what encription algorythm is used, how to refer to the encrypted SYSIN01 from the batch job, etc. Is there a document that fully describe this solution?
Again, what we would really want is to avoid using a password that never expires in the server's directory (or in the directory of the domain, for that sake). Encrypting that password is of some consolation, but will not exempt us from being criticized for leaving hazards in the system.
CA XCOM uses proprietary encryption algorithm. There is a tip available on securing password in batch mode. https://communities.ca.com/message/241737850#241737850
After having read the tip, I was a ble to test the XCOMENCR, and it works well.
(You might want to include the tip in the next version of the manual!)
Still, there is the problem of having a userid with a non-expiring password.
I will forward this request to XCOM documentation team.
Regarding non-expiring passwords -
Trusted transfers allow the transfer to be submitted without a userid and password but there are checks within the trusted facility to verify the machine and user that initiated the transfer. With the trusted facility, you can configure the trusted database for your entire XCOM network. Expiring passwords can be changed centrally then.
We are discussing alternate passsword less mechanism here. Could you please create an idea under this XCOM community?
You are right, Machindra. It has not occured to me that once trusted facility is deployed, the password for some node can be reset centrally.