How can inbound FTP from a specific IP address be secured with ACF2 rules?
To secure inbound FTP from a specific address, rules for the SERVAUTH resource class can be written, provided your IP network is configured to use named security zones. If the client IP address is mapped into a network access security zone, sites can grant each login user ID READ access to the SERVAUTH profile that corresponds to the security zone. This can be done as follows.
a. Define a profile in the SERVAUTH class for the FTP port.
b. Grant at least READ access to the profile to the users that you want to permit to log in to FTP. For example, if, for ACFS, your FTP port is port 21, the following rule can be used to grant the user ID FTPUSER access:
RECKEY EZB ADD( FTP.*.*.PORT21 UID(uid string for FTPUSER) SERVICE(READ) ALLOW)
c. Code VERIFYUSER TRUE in the server's FTP.DATA file. FTP verifies the user's access to the resource for every session, whether or not that session is secured.
For details on VERIFYUSER TRUE in the server's FTP.DATA file, see "Summary of FTP client and server configuration statements".
For details on the SERVAUTH class for FTP, see "Steps for controlling user access to the FTP server".
For details on classifying IP addresses into security zones, see "Network access control".