How can inbound FTP from a specific IP address be secured with ACF2 rules?


Article ID: 129625


Products

CA ACF2, CA ACF2 - DB2 Option, CA ACF2 for zVM, CA ACF2 - z/OS, CA ACF2 - MISC

Issue/Introduction



How can inbound FTP from a specific IP address be secured with ACF2 rules?

Environment

Release:
Component: ACF2MS

Resolution

To secure inbound FTP from a specific IP address, rules can be written in the SERVAUTH resource class, provided your IP network is configured to use named security zones. If the client IP address is mapped into a network access security zone, sites can grant each login user ID READ access to the SERVAUTH profile that corresponds to the security zone. This can be done as follows.

a. Define a profile in the SERVAUTH class for the FTP port.

b. Grant at least READ access to the profile to the users that you want to permit to log in to FTP. For example, for ACF2, if your FTP port is port 21, the following rule can be used to grant the user ID FTPUSER access:

SET RESOURCE(SER)
RECKEY EZB ADD( FTP.*.*.PORT21 UID(uid string for FTPUSER) SERVICE(READ) ALLOW)

c. Code VERIFYUSER TRUE in the server's FTP.DATA file. FTP verifies the user's access to the resource for every session, whether or not that session is secured.
 

Additional Information

For details on VERIFYUSER TRUE in the server's FTP.DATA file, see "Summary of FTP client and server configuration statements".

For details on the SERVAUTH class for FTP, see "Steps for controlling user access to the FTP server".

For details on classifying IP addresses into security zones, see "Network access control".