System Authorization Facility is an interface used by RACF and competitors.
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר

________________________________________
From: IBM Mainframe Discussion List <[email protected]> on behalf of Donald Russell <[email protected]>
Sent: Friday, October 31, 2025 12:51 PM
To: [email protected] <[email protected]>
Subject: Re: OTP authentication

External Message: Use Caution

What’s SAF? (I’m not a z/OS guy).

I’ll see what happens if I omit the userid/password parms from the job statement.

Thanks for the suggestion.

On Fri, Oct 31, 2025 at 09:47 Seymour J Metz <[email protected]> wrote:

> How does the FTP server use SAF? What happens if you omit the userid and
> password? If the copy to the internal reader uses an ACEE for your userid
> then everything might work.
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
> עַם יִשְׂרָאֵל חַי
> נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר
>
> ________________________________________
> From: IBM Mainframe Discussion List <[email protected]> on behalf
> of Donald Russell <[email protected]>
> Sent: Friday, October 31, 2025 12:09 PM
> To: [email protected] <[email protected]>
> Subject: OTP authentication
>
> We have systems external to z/OS that submit jobs to JES over encrypted ftp
> sessions. We “site filetype=jes” then “put” a jcl file.
>
> Unfortunately the JCL JOB statement uses the same USERID= and PASSWORD=
> values as were used to authenticate for the ftp connection. That all
> worked perfectly until password/phrases were replaced with OTP. One-Time
> Password.
>
> Well, the one time use gets into ftp, now the submitted job fails because
> the password check fails.
>
> I’m not on the z/OS side of things, but I want to help them by providing a
> possible solution. I’m thinking a user exit could vet the JCL submitted
> through site filetype=jes to skip the password check when the job is
> submitted that way. The exit should either (en)force the JOB USERID= value
> to match the ftp id, or perhaps recognize a special userid id of FTPJES
> that the user exit would change to the ftp user logged in and accept the
> job without further password checks.
>
> Has anybody else run into this problem, and what did you do to solve it?
>
> Cheers,
> Don
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
