How can FTP and TN3270 be secured to only allow access to local servers?
TCP/IP uses the SERVAUTH resource class to protect TCP/IP resources from unauthorized access. There are seven (7) functions protected by the SERVAUTH class. They are:
Stack Access
This resource controls which users can get access to the TCP/IP stack. Resource name: EZB.STACKACCESS.sysname.tcpipid
Net Access
This resource controls which users can access the individual networks. Resource name: EZB.NETACCESS.sysname.tcpipid.netname
Port Access
This resource controls which users can use the TCP and UDP ports. Resource name: EZB.PORTACCESS.sysname.tcpipid.portname
Netstat Access - (added at z/OS V1 R2.0 and above)
This resource controls access to the Netstat command output from the TSO or UNIX System Services Shell environments. Resource name: EZB.NETSTAT.sysname.tcpname.netstatoption
TN3270
This resource controls which users can use secured ports. Resource name: EZB.TN3270.sysname.tcpipid.PORTnnnnn
FTP HFS Access - (with IBM apar PQ63326)
This resource controls which users can access the HFS when connecting to the mainframe from FTP. Without access to the resource, FTP users are denied use of HFS. Resource name: EZB.FTP.sysname.ftpdaemonname.ACCESS.HFS
FRCA Access (Fast Response Cache Accelerator) - (added at z/OS V1 R4.0 and above)
This resource allows control of application access to Fast Response Cache Accelerator (FRCA) services. The FRCA configuration ioctl is considered the resource to be protected and is represented with a resource profile in the SERVAUTH class. Resource name: EZB.FRCAACCESS.sysname.tcpname
In the resource names above, the following variables are used:
sysname is the name of the system
tcpipid is the name of the TCP/IP started task
netname is the network name in PROFILE.TCPIP
portname is the port name in PROFILE.TCPIP
ftpdaemonname is the name of the FTP daemon
nnnnn is the five-digit port number, padded with leading zeros.
Refer to the appropriate z/OS documentation on the TCP/IP profile (PROFILE.TCPIP) and its configuration statements, and to "Local user access control to TCP/IP resources using SAF", for additional information about these functions.
ACF2 support for the SERVAUTH class adds an internal CLASMAP entry for the SERVAUTH resource class that maps it to CA-ACF2 resource rules with a type code of SER. Sites must add rules giving logonids READ access to SERVAUTH resources as appropriate. If no rule allowing access exists, you may receive several different error messages, including EDC5111I Permission denied.
For example, an ACFRPTRV report may show:
RSER-EZB.STACKACCESS.SYS1.TCPIP *VIO RSER-EZB
BPXOINIT STCINRDR LPAR ACF9CFAT NO-REC - - READ
01.019 01/19 11.31 BPXOINIT BPXOINIT 0 8 0 0 16
SAF RESOURCE CLASS SERVAUTH
The EZB.STACKACCESS violation would be seen on all systems that do not have rules allowing the access. Calls for the other functions will not be made unless additional setup is done in PROFILE.TCPIP. Refer to the appropriate z/OS IP Configuration Guide for additional information.
Instructions:
To allow access to these resources, issue the following commands to create and store the necessary rule:
ACF
SET RESOURCE(SER)
COMPILE
$KEY(EZB) TYPE(SER)
NETACCESS.- UID(uidmask) SERVICE(READ) ALLOW
NETSTAT.- UID(uidmask) SERVICE(READ) ALLOW <== Note 1
STACKACCESS.- UID(uidmask) SERVICE(READ) ALLOW
PORTACCESS.- UID(uidmask) SERVICE(READ) ALLOW
TN3270.- UID(uidmask) SERVICE(READ) ALLOW
FTP.- UID(ftpuser) ALLOW <== Note 2
FRCAACCESS.- UID(uidmask) ALLOW <== Note 3
* Note 1 == added at z/OS V1 R2.0 and above
* Note 2 == added with IBM apar PQ63326
* Note 3 == added at z/OS V1 R4.0 and above
STORE
The SER (SERVAUTH) resource type must be made resident by adding it to the INFODIR record:
SET CONTROL(GSO)
CHANGE INFODIR TYPES(R-RSER)
To activate the new records, issue the following operator commands:
F ACF2,REFRESH(INFODIR)
F ACF2,REBUILD(SER)
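The following is an added example, not code from the original article or from ACF2, that models how the SER rule set above is matched against the SERVAUTH resource names: it builds each resource name from the variables listed earlier, applies ACF2-style masking (assumed here: "-" matches any remaining characters, "*" matches exactly one character) to the rule entry and the UID string, and returns NO-REC when no entry covers the request, which is the result recorded in the ACFRPTRV report above. The UID masks, logonid UID strings and the treatment of an entry with no SERVICE keyword as matching any service are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Resource-name templates taken from the SERVAUTH function list above.
TEMPLATES = {
    "STACKACCESS": "EZB.STACKACCESS.{sysname}.{tcpipid}",
    "NETACCESS":   "EZB.NETACCESS.{sysname}.{tcpipid}.{netname}",
    "PORTACCESS":  "EZB.PORTACCESS.{sysname}.{tcpipid}.{portname}",
    "NETSTAT":     "EZB.NETSTAT.{sysname}.{tcpipid}.{netstatoption}",
    "TN3270":      "EZB.TN3270.{sysname}.{tcpipid}.PORT{port:05d}",
    "FTP":         "EZB.FTP.{sysname}.{ftpdaemonname}.ACCESS.HFS",
    "FRCAACCESS":  "EZB.FRCAACCESS.{sysname}.{tcpipid}",
}

@dataclass
class RuleEntry:
    key: str                       # $KEY of the rule set (EZB above)
    entry: str                     # masked remainder of the resource name, e.g. STACKACCESS.-
    uid: str                       # UID mask (constructed values below)
    allow: bool
    service: Optional[str] = None  # None: no SERVICE keyword, treated as any service (assumption)

def mask_matches(mask, value):
    """Assumed ACF2 masking: '-' = any remaining characters, '*' = one character."""
    pattern = "".join(".*" if c == "-" else "." if c == "*" else re.escape(c) for c in mask)
    return re.fullmatch(pattern, value) is not None

def build_resource(function, **names):
    return TEMPLATES[function].format(**names)

def check_access(rules, resource, uid, service="READ"):
    """Return ALLOW, PREVENT or NO-REC (no matching rule entry)."""
    key, _, rest = resource.partition(".")
    for r in rules:
        if r.key != key or not mask_matches(r.entry, rest) or not mask_matches(r.uid, uid):
            continue
        if r.service is not None and r.service != service:
            continue
        return "ALLOW" if r.allow else "PREVENT"
    return "NO-REC"

# The rule set from the instructions with STACKACCESS deliberately omitted,
# reproducing the EZB.STACKACCESS violation shown in the report above.
INCOMPLETE_RULES = [
    RuleEntry("EZB", "NETACCESS.-", "STC-", True, "READ"),
    RuleEntry("EZB", "PORTACCESS.-", "STC-", True, "READ"),
    RuleEntry("EZB", "TN3270.-", "STC-", True, "READ"),
    RuleEntry("EZB", "FTP.-", "FTPUSER-", True),
]
COMPLETE_RULES = INCOMPLETE_RULES + [RuleEntry("EZB", "STACKACCESS.-", "STC-", True, "READ")]

if __name__ == "__main__":
    res = build_resource("STACKACCESS", sysname="SYS1", tcpipid="TCPIP")
    print(res, check_access(INCOMPLETE_RULES, res, "STCBPXOINIT"))  # NO-REC
    print(res, check_access(COMPLETE_RULES, res, "STCBPXOINIT"))    # ALLOW
```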