Although I expected that, when an FTP connection is made from MS-DOS or a similar platform, a check for port access would be performed in the SERVAUTH class, this is not the case.

Document ID : KB000051011
Last Modified Date : 14/02/2018

Description:

I have permitted the following to the ACID that performs the access:

TSS PERMIT(USER001) SERVAUTH(EZB.PORTACCESS.) ACCESS(NONE)
TSS PERMIT(USER001) SERVAUTH(EZB.STACKACCESS.) ACCESS(READ)

Nevertheless, I only see a check for SERVAUTH(EZB.STACKACCESS in the traces, and the user can access the port I intended to protect.

Why don't I see the checks for port access?

Solution:

The following was verified by the customer:

For the checks for port access to occur, they had to define:

VERIFYUSER=TRUE

in the FTP.DATA parameters.

This resulted in the following checks, as per the traces submitted (trace extracts):

For access to HFS files:

X TSS-C-0000*USER001  TCPFTPA4 10SERVAUTH2008 G/0000000000,FF20000000
L/300002 F/00400328,000100,0001,000040
X TSS-1 400000004000 00000000   T/0000000000
EZB.FTP.FDBA.TCPFTPA1.ACCESS.HFS

For access to VSAM files:

X TSS-C-0000*USER001  TCPFTPA4 10SERVAUTH2008 G/0000000000,FF20000000
L/300002 F/00400328,000100,0001,000040
X TSS-1 400000004000 00000000   T/0000000000
EZB.FTP.FDBA.TCPFTPA1.PORT21
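
To confirm from a trace whether the port check is being driven for an ACID after VERIFYUSER=TRUE is set, the extracts above can be scanned for SERVAUTH resource names. This is an added example, not CA or IBM code: the function names are hypothetical, and the trace layout (ACID after the `*` on the `X TSS-C-` line, resource name on a later line starting with `EZB.`) is an assumption inferred only from the extracts shown here.

```python
import re

# Constructed sample: the two trace extracts shown on this page, joined.
SAMPLE_TRACE = """\
X TSS-C-0000*USER001  TCPFTPA4 10SERVAUTH2008 G/0000000000,FF20000000
L/300002 F/00400328,000100,0001,000040
X TSS-1 400000004000 00000000   T/0000000000
EZB.FTP.FDBA.TCPFTPA1.ACCESS.HFS
X TSS-C-0000*USER001  TCPFTPA4 10SERVAUTH2008 G/0000000000,FF20000000
L/300002 F/00400328,000100,0001,000040
X TSS-1 400000004000 00000000   T/0000000000
EZB.FTP.FDBA.TCPFTPA1.PORT21
"""

# Assumed layout: "X TSS-C-nnnn*<ACID>  <jobname> nnSERVAUTH..." opens one
# check record and the checked resource name follows on its own line.
CHECK_LINE = re.compile(r"^X TSS-C-\d+\*(?P<acid>\S+)\s+(?P<job>\S+)\s+\d*SERVAUTH")

# Resource name patterns: EZB.FTP.<sysname>.<ftpdaemon>.PORTnnnnn and
# ...ACCESS.HFS are the FTP checks; the other two are the stack/port profiles.
RESOURCE_KINDS = [
    (re.compile(r"^EZB\.FTP\.[^.]+\.[^.]+\.PORT\d+$"), "ftp-port"),
    (re.compile(r"^EZB\.FTP\.[^.]+\.[^.]+\.ACCESS\.HFS$"), "ftp-hfs"),
    (re.compile(r"^EZB\.STACKACCESS\."), "stack"),
    (re.compile(r"^EZB\.PORTACCESS\."), "port"),
]

def servauth_checks(trace):
    """Return [(acid, resource, kind)] for each SERVAUTH check in the trace."""
    checks, acid = [], None
    for line in trace.splitlines():
        line = line.strip()
        m = CHECK_LINE.match(line)
        if m:
            acid = m.group("acid")          # start of a new check record
        elif acid and line.startswith("EZB."):
            kind = next((k for rx, k in RESOURCE_KINDS if rx.search(line)), "other")
            checks.append((acid, line, kind))
            acid = None                     # record complete
    return checks

def port_check_seen(trace, acid):
    """True if an FTP port (PORTnnnnn) check was traced for this ACID."""
    return any(a == acid and k == "ftp-port" for a, _, k in servauth_checks(trace))
```

A trace taken before the FTP.DATA change should make `port_check_seen` return False for the ACID, which matches the symptom described above.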

A description of the VERIFYUSER=TRUE parameter is available in the PDF linked from:
http://publib.boulder.ibm.com/infocenter/ieduasst/stgv1r0/topic/com.ibm.iea.commserv_v1/commserv/1.10z/security/appsec.pdf.