User Profiles

To address the security issue in implementing a file transfer environment, the platform server has implemented a secure environment where both user IDs and passwords are required for every file transfer.

By implementing the user profile facility, the user must submit jobs to the internal reader with both user ID and password defined. In some cases, this control information must be stored in parameter files on a disk, which can present a security exposure in some organizations. The platform server user profile facility resolves these issues by giving a user the ability to store a user ID and encrypted password on a z/OS data space, and using that user ID and password in all future transfer requests.

Another requirement for users is to remotely access information on the z/OS mainframe. The users might be located in remote locations, subsidiaries, or completely different companies. These users typically initiate a file transfer to send or receive data to or from the platform server on z/OS.

Because the platform server uses the security implemented by the z/OS operating system, a user has to supply a user ID and password. The platform server then passes this information to RACF. Therefore, every user who uses the platform server requires a RACF user ID and a password. This means that thousands of users require RACF user IDs when the only goal they have for access is file transfers.

The platform server can alleviate this requirement with the responder profile feature. The platform server administrator can configure the user profiles in such way that when receiving a request, the platform server compares the user ID and password against its profile database. If a match is made on user ID, password and node name, the platform server uses the RACF user ID associated with the profile. This feature can greatly reduce the number of RACF user IDs required by the system.
Note: Only the platform server administrator can control this feature. By default the feature is disabled, and can be enabled on a node-by-node basis or on the entire system.

To use the platform server user profile facility, you must define the platform server user profile VSAM file as defined in the Defining the User Profile VSAM Data set, and define the PROFILE DD statement in the platform server JCL as described in The Startup JCL. If the PROFILE DD statement is not defined, a message is displayed and the platform server user profile facility is disabled.

The platform server user profile facility has the following three main functions:
  • A user can define a user ID/password combination for a particular node. This information is stored in the platform server user profile data space. Whenever the user sends a transfer to that node, the platform server substitutes the predefined user ID/password. Therefore, the user ID/password does not have to be defined in the file transfer JCL.
  • The platform server administrator can define user ID/password combinations for any user who might transfer data to a particular node. This provides all of the advantages of the previous function as well as another important feature: if an administrator predefines a user ID/password combination for a user to transfer data to a node, then the user that submits the file transfer request does not have to know the remote password or even the remote user ID of the target computer. The mainframe users can perform file transfer functions to a computer without knowing the user IDs and passwords of that remote system. They can send files to the system but cannot logon to the system because they do not know the user ID and password of the remote system.
    Note: The mainframe administrator still has control over who can submit jobs to a remote node, and the security administrator still has control over what files and directories the mainframe user can access.
  • The number of RACF user IDs that are required on the system can be reduced. Additionally, users can perform file transfers without being given access to a RACF user ID that might give them other access into the system.
Note: The user profile facility is optional. You can continue to use the batch, REXX and ISPF interface parameters to define the user ID/password for each individual file transfer. You can even use a combination of the user ID/password and user profile.
The platform server user profiles have two types of usage:
  • Initiator profiles: when a request is initiated by the local platform server. Only initiator profiles are used by the initiator profile facility.
  • Responder profiles: when a request is initiated by a remote platform server and is processed on the local platform server. Only responder profiles are used by the responder profile facility.

A profile is considered to be an initiator profile unless the RESPONDER=YES parameter is defined.