Although I expected that a check for port access would be performed in the SERVAUTH class when an FTP connection is made from MS-DOS or a similar platform, this is not the case.

Article ID: 51011

Updated On:

Products

Cleanup Datacom DATACOM - AD CIS COMMON SERVICES FOR Z/OS 90S SERVICES DATABASE MANAGEMENT SOLUTIONS FOR DB2 FOR Z/OS COMMON PRODUCT SERVICES COMPONENT Common Services Datacom/AD CA ecoMeter Server Component FOC EASYTRIEVE REPORT GENERATOR FOR COMMON SERVICES INFOCAI MAINTENANCE IPC UNICENTER JCLCHECK COMMON COMPONENT Mainframe VM Product Manager CHORUS SOFTWARE MANAGER CA On Demand Portal CA Service Desk Manager - Unified Self Service PAM CLIENT FOR LINUX ON MAINFRAME MAINFRAME CONNECTOR FOR LINUX ON MAINFRAME GRAPHICAL MANAGEMENT INTERFACE WEB ADMINISTRATOR FOR TOP SECRET Xpertware Top Secret Top Secret - LDAP Top Secret - VSE

Issue/Introduction

Description:

I have permitted the following to the ACID that performs the access:

TSS PERMIT(USER001) SERVAUTH(EZB.PORTACCESS.) ACCESS(NONE)
TSS PERMIT(USER001) SERVAUTH(EZB.STACKACCESS.) ACCESS(READ)

Nevertheless, I only see a check for SERVAUTH(EZB.STACKACCESS) in the traces, and the user can access the port I intended to protect.

Why don't I see the checks for port access?

Solution:

The following was verified by the customer:

For the checks for port access to occur, they had to define:

VERIFYUSER=TRUE

in the FTP.DATA parameters.

This resulted in the following checks, as per the traces submitted (trace extracts):

For access to HFS files:

X TSS-C-0000*USER001  TCPFTPA4 10SERVAUTH2008 G/0000000000,FF20000000
L/300002 F/00400328,000100,0001,000040
X TSS-1 400000004000 00000000   T/0000000000
EZB.FTP.FDBA.TCPFTPA1.ACCESS.HFS

For access to VSAM files:

X TSS-C-0000*USER001  TCPFTPA4 10SERVAUTH2008 G/0000000000,FF20000000
L/300002 F/00400328,000100,0001,000040
X TSS-1 400000004000 00000000   T/0000000000
EZB.FTP.FDBA.TCPFTPA1.PORT21

A description of the VERIFYUSER=TRUE parameter is available in the PDF linked from:
http://publib.boulder.ibm.com/infocenter/ieduasst/stgv1r0/topic/com.ibm.iea.commserv_v1/commserv/1.10z/security/appsec.pdf.
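
To confirm from a trace which SERVAUTH resources were actually checked for an ACID, the extracts can be parsed offline. The following is an added example, not part of the original article or of any CA/Broadcom tooling; the record layout is inferred only from the extracts above, and the STACKACCESS resource name in the sample is constructed.

```python
import re

# Constructed sample in the record layout of the extracts on this page: a
# header line (ACID, job name, resource class), two detail lines, then the
# resource name. The STACKACCESS resource name is made up for the example.
SAMPLE_TRACE = """\
X TSS-C-0000*USER001  TCPFTPA4 10SERVAUTH2008 G/0000000000,FF20000000
L/300002 F/00400328,000100,0001,000040
X TSS-1 400000004000 00000000   T/0000000000
EZB.STACKACCESS.SYSA.TCPIP
X TSS-C-0000*USER001  TCPFTPA4 10SERVAUTH2008 G/0000000000,FF20000000
L/300002 F/00400328,000100,0001,000040
X TSS-1 400000004000 00000000   T/0000000000
EZB.FTP.FDBA.TCPFTPA1.PORT21
"""

# Assumption: the class name sits between two digit runs in the third field.
HEADER = re.compile(
    r"^X TSS-C-\d+\*(?P<acid>\S+)\s+(?P<job>\S+)\s+\d+(?P<cls>[A-Z]+)\d+\s")
RESOURCE = re.compile(r"^[A-Z0-9@#$]+(\.[A-Z0-9@#$]+)+$")

def checked_resources(trace, resclass="SERVAUTH"):
    """Return [(acid, resource)] for each traced check of resclass."""
    found, pending = [], None
    for line in trace.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            # Remember the ACID until the resource-name line shows up.
            pending = m.group("acid") if m.group("cls") == resclass else None
        elif pending and RESOURCE.match(line):
            found.append((pending, line))
            pending = None
    return found

def unchecked_prefixes(trace, acid, prefixes):
    """Permitted prefixes under which the trace shows no check for acid."""
    seen = [res for a, res in checked_resources(trace) if a == acid]
    return [p for p in prefixes if not any(r.startswith(p) for r in seen)]

if __name__ == "__main__":
    for acid, res in checked_resources(SAMPLE_TRACE):
        print(acid, res)
    # Prefixes taken from the two TSS PERMIT commands on this page.
    print("never checked:", unchecked_prefixes(
        SAMPLE_TRACE, "USER001", ["EZB.PORTACCESS.", "EZB.STACKACCESS."]))
```

A permitted prefix that is reported as never checked means the permission, whatever its access level, had no effect on the traced session.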

Environment

Release:
Component: AWAGNT