Activating FTP port security by protecting SERVAUTH(EZB.PORTACCESS.xxxxxxx) is not working.

Document ID : KB000013057
Last Modified Date : 14/02/2018
Question:

I have updated TCP parms and added the Top Secret permissions, but I am having trouble securing the port. My test user is still able to FTP. Here are the steps I performed:

1. Added statement VERIFYUSER TRUE to FTPSDATA
2. Added SAF FTP21 to port statement in TCPPROF
21 TCP FTPD1 SAF FTP21 ; FTP Server
3. Permitted ACID to prevent access:
TSS PER(PERKITO) SERVAUTH(EZB.PORTACCESS.*.TCPIP.FTP21) ACCESS(NONE)

When I ran a test FTP job, the FTP was successful.
In the previous case, I issued the command:
TSS PER(PERKITO) SERVAUTH(EZB.FTP) ACCESS(NONE)

This prevented the user from FTPing, but I realized that when I wanted to grant permission to the new port, the user would not be able to FTP.

Answer:

SERVAUTH resource EZB.PORTACCESS is only for servers (not clients) and should be permitted for out-bound traffic.

The "human" user will never be validated on the SAF call because it's in-bound traffic.

The PORTACCESS is for out-bound traffic and should be permitted to the daemon (started task) user who runs the server.

So, in summary, SERVAUTH resource EZB.PORTACCESS is only for servers (not clients) and should be permitted for out-bound traffic.

SERVAUTH EZB.FTP is used for controlling client port access which is inbound traffic.