Hi all,
Our enterprise uses XCOM massively to transfer files, primarily in batch mode. Historically, whenever we have installed XCOM on network servers, we have defined a userid for file transfer with a password that never expires, so that this password could be hard-coded in mainframe batch jobs.
Over the years, many information security reviews pointed out that having a userid with a password that never expires is a security hazard. Our argument that this user has very limited permissions only worked to make them grade that hazard as "medium", as opposed to "severe".
Has anyone figured out a way to use XCOM file transfers without allocating users with passwords that never expire?
Does anyone know of a way to keep the password in an encrypted form, rather than in clear text?
To the best of my understanding, the certificates mechanism works in addition to using user/password as a means of authentication, not instead of using them.
We also use passwords that never expire for transfers that are initiated by network servers. In that scenario, we are coding a CA Top Secret ACID and a non-expiring password in the script that calls XCOM on the server. However, no security review ever mentions that, because the guys that do them seldom know about IBM mainframe and CA Top Secret.
Please offer your experience with this.
Regards,
Yohai Ben Ami
Technical support