Activating FTP port security by protecting SERVAUTH(EZB.PORTACCESS.xxxxxxx) is not working.

Article ID: 13057

Updated On: 10-06-2023

Products

Top Secret, Top Secret - LDAP

Issue/Introduction



I have updated the TCP parms and added the Top Secret permissions, but I am having trouble securing the port. My test user is still able to FTP. Here are the steps I performed:

1. Added the statement VERIFYUSER TRUE to FTPSDATA
2. Added SAF FTPx to the port statement in the TCP profile:
   21 TCP FTPnn SAF FTPxx ; FTP Server
3. Permitted the ACID to prevent access:
   TSS PER(acid) SERVAUTH(EZB.PORTACCESS.*.TCPIP.FTP21) ACCESS(NONE)

When I ran a test FTP job, the FTP was successful.
In the previous case, I issued the command:
   TSS PER(acid) SERVAUTH(EZB.FTP) ACCESS(NONE)

This prevented the user from FTPing, but I realized that when I wanted to grant permission to the new port, the user would not be able to FTP.

Environment

Release: TOPSEC00200-15-Top Secret-Security
Component:

Resolution

The SERVAUTH resource EZB.PORTACCESS is only for servers (not clients) and should be permitted for out-bound traffic.

The "human" user will never be validated on the SAF call because it is in-bound traffic.

PORTACCESS is for out-bound traffic and should be permitted to the daemon (started task) user who runs the server.

So, in summary, the SERVAUTH resource EZB.PORTACCESS is only for servers (not clients) and should be permitted for out-bound traffic.

SERVAUTH EZB.FTP is used for controlling client port access which is inbound traffic.