• The Four Hundred
  • Subscribe
  • Media Kit
  • Contributors
  • About Us
  • Contact
Menu
  • The Four Hundred
  • Subscribe
  • Media Kit
  • Contributors
  • About Us
  • Contact
  • When Good Batch FTP Users Go Bad

    October 2, 2002 Timothy Prickett Morgan

    Hey, Joe:

    I set up a Windows batch FTP script to automatically transfer files from my iSeries box to a Windows desktop. I set up this transfer to occur every Friday evening. This week, the batch transfer stopped working because the remote OS/400 FTP server rejected the FTP user profile and password in the script. The strange thing is that the OS/400 FTP user profile is still enabled on the server. Any ideas what’s happening here?

    — Al

    To get an idea of what’s going on, let’s examine the following sample Windows batch FTP script from a recent article on batch FTP, “FTP Basics: Batch Processing,” by Shannon O’Donnell, and I will use that example to explain what’s happening.

    open YourIPAddress
    AS400UserID
    AS400Password
    get /QSYS.LIB/QGPL.LIB/QRPGLESRC.FILE/PROOF.MBR  C:Proof.txt
    quit
    

    Like many client/server programs, this script opens an FTP session, passes in a valid OS/400 user profile and password, and then transfers the file to a Windows directory. More than likely, your problem is that your AS/400 FTP user password was automatically expired because it passed the expiration time interval set up in the Password expiration interval system value (QPWDEXPITV). When the batch FTP runs and attempts to sign on with this user, OS/400 won’t allow it because it considers the password expired and the FTP session fails.

    Many shops set QPWDEXPITV to a fairly low time value–such as 30 days–which complicates matters in this case, because the password is used weekly for unattended processing, and it’s fairly awkward to change your script every month. One answer is to override the QPWDEXPITV value for this user by changing the user profile’s individual password expiration interval to never expire. You do this by using the Change User Profile (CHGUSRPRF) command to set the Password Expiration Interval (PWDEXPITV) parameter to *NOMAX, as shown here:

    CHGUSRPRF USRPRF(ftp_user_name) PWDEXPITV(*NOMAX)
    

    Setting PWDEXPITV to *NOMAX tells OS/400 to ignore QPWDEXPITV processing for this particular user and let the password stay active even if it should be expired according to the system. And once you make this change, I suspect your batch FTP transfer will start working again.

    The unfortunate thing about this solution, and most client/server solutions, is that you’re forced to leave an active OS/400 user profile and password sitting around in a script on another server, where it may be discovered by hackers. There’s no getting around the necessity for embedding passwords in these types of programs. However, you can set the following OS/400 user profile parameters for your FTP user to minimize damage if someone discovers the password and tries to sign on as that user.

    • Set the FTP user’s User Class (USRCLS) parameter to *USER, so he has no special authorities on systems using security level 30 or above.
    • Set the Initial Program to Call (INLPGM) parameter to *NONE so that no initial program is called if the user is able to sign on.
    • Set the Initial Menu (INLMNU) parameter to *SIGNOFF so OS/400 will automatically sign off the FTP user if the user is ever able to sign on to a terminal session.
    • Set the Limit Capabilities (LMTCPB) parameter to *YES so the user cannot change the program, menu, current library, and run commands, select commands from a menu, and use or change the Attention (ATTN) key program from a green screen.

    Similar to setting the PWDEXPITV parameter to *NOMAX, prompt the CHGUSRPRF command to change these values for your user.

    In addition, be sure the FTP user has no authority to any OS/400 or IFS object other than what is needed for its batch FTP transfer. This will protect your other OS/400 objects.

    Client/server situations are problematic because of potential password exposure issues. However, if you lock down your FTP user profiles, you can limit the potential for abuse and make the situation somewhat (but not perfectly) safe.

    I hope this helps.

    — Joe

    Sponsored By
    RJS SOFTWARE SYSTEMS

    Implement Document Imaging on your iSeries-AS/400 in 30 minutes or less

    Image Server/400 is a Web browser-based document image management system for the iSeries.

    Documents can be quickly scanned and stored in IFS folders, and then located and retrieved for viewing via any Web browser. Integrate with other iSeries-AS/400 applications.

    Visit us at COMMON, Booth 418, call us at 888-RJS-SOFT, or download a FREE fully functional demo from our Web site at

    www.rjssoftware.com

    Share this:

    • Reddit
    • Facebook
    • LinkedIn
    • Twitter
    • Email

    Tags: Tags: mgo_rc, Volume 2, Number 75 -- October 2, 2002

    Sponsored by
    VISUAL LANSA 16 WEBINAR

    Trying to balance stability and agility in your IBM i environment?

    Join this webinar and explore Visual LANSA 16 – our enhanced professional low-code platform designed to help organizations running on IBM i evolve seamlessly for what’s next.

    🎙️VISUAL LANSA 16 WEBINAR

    Break Monolithic IBM i Applications and Unlock New Value

    Explore modernization without rewriting. Decouple monolithic applications and extend their value through integration with modern services, web frameworks, and cloud technologies.

    🗓️ July 10, 2025

    ⏰ 9 AM – 10 AM CDT (4 PM to 5 PM CEST)

    See the webinar schedule in your time zone

    Register to join the webinar now

    What to Expect

    • Get to know Visual LANSA 16, its core features, latest enhancements, and use cases
    • Understand how you can transition to a MACH-aligned architecture to enable faster innovation
    • Discover native REST APIs, WebView2 support, cloud-ready Azure licensing, and more to help transform and scale your IBM i applications

    Read more about V16 here.

    Share this:

    • Reddit
    • Facebook
    • LinkedIn
    • Twitter
    • Email

    Find the Cursor Position in a CL Program Reader Feedback and Insights: A Timely OPNQRYF Tip

    Leave a Reply Cancel reply

MGO Volume: 2 Issue: 75

This Issue Sponsored By

    Table of Contents

    • Reader Feedback and Insights: Displaying Menu Options
    • FTP and Save Files
    • When Good Batch FTP Users Go Bad

    Content archive

    • The Four Hundred
    • Four Hundred Stuff
    • Four Hundred Guru

    Recent Posts

    • With Power11, Power Systems “Go To Eleven”
    • With Subscription Price, IBM i P20 And P30 Tiers Get Bigger Bundles
    • Izzi Buys CNX, Eyes Valence Port To System Z
    • IBM i Shops “Attacking” Security Concerns, Study Shows
    • IBM i PTF Guide, Volume 27, Number 26
    • Liam Allan Shares What’s Coming Next With Code For IBM i
    • From Stable To Scalable: Visual LANSA 16 Powers IBM i Growth – Launching July 8
    • VS Code Will Be The Heart Of The Modern IBM i Platform
    • The AS/400: A 37-Year-Old Dog That Loves To Learn New Tricks
    • IBM i PTF Guide, Volume 27, Number 25

    Subscribe

    To get news from IT Jungle sent to your inbox every week, subscribe to our newsletter.

    Pages

    • About Us
    • Contact
    • Contributors
    • Four Hundred Monitor
    • IBM i PTF Guide
    • Media Kit
    • Subscribe

    Search

    Copyright © 2025 IT Jungle