NMFTP Monitor startup fails with error message NY4C07 Region not permitted to connect to SYSTCPSM service on stack TCPIP

Document ID : KB000025834
Last Modified Date : 14/02/2018

Problem:

When the NMFTP Monitor starts up, it issues the error message NY4C07 Region not permitted to connect to SYSTCPSM service on stack TCPIP.

Resolution:

The NMFTP Monitor needs access to the NMI API SMF Records.

The following is from the CA NetMaster File Transfer Management Installation Guide.

NMFTP Monitor Access to NMI API SMF Records

Note: Perform this task only if you need to monitor FTP events.

You can use one of the following methods to grant the NMFTP Monitor region access to Network Management Interface (NMI) API SMF records:

  1. SERVAUTH
  2. Access to BPX.SUPERUSER

SERVAUTH

If you want to ensure the highest level of security, define the SERVAUTH profile name EZB.NETMGMT.sysname.tcpname.SYSTCPSM and grant the NMFTP Monitor user ID READ access to this profile name.

Important! After the SERVAUTH facility has been defined to your security system, TCP/IP resource protection will be enabled. This affects the ability of users to access TCP/IP resources other than just SYSTCPSM. For example, it may restrict the ability to open sockets, bind to non-ephemeral ports, use Netstat, and use certain network resources. Before using this method, see IBM's Communications Server IP Configuration Guide for more information about TCP/IP resource protection.
Important! If your security setup does not distinguish between a resource profile not defined and a user not permitted to that resource, you may need to define profiles for resources other than just SYSTCPSM whenever the SERVAUTH class is active. See IBM's Communications Server IP Configuration Guide for more information.
Note: We recommend that you use this method.

Example: CA ACF2 System
SET RESOURCE(SERVAUTH)
COMPILE *
$KEY(EZB) TYPE(SERVAUTH)
NETMGMT.SYSA.TCPIPA.SYSTCPSM UID(USER1) SERVICE(READ) ALLOW
STORE

Note: Instead of using TSO, you can use the ACFBATCH utility in JCL. If you do this, omit the [ACF] and [END] lines.

Example: CA Top Secret System
TSS ADD SERVAUTH(EZB.NETMGMT.SYSA.TCPIPA.SYSTCPSM)
TSS PER(nmuser) SERVAUTH(EZB.NETMGMT.SYSA.TCPIPA.SYSTCPSM) ACCESS(READ)

Example: RACF System
RDEFINE SERVAUTH EZB.NETMGMT.SYSA.TCPIPA.SYSTCPSM UACC(NONE)
PE EZB.NETMGMT.SYSA.TCPIPA.SYSTCPSM CLASS(SERVAUTH) ID(nmuser) ACCESS(READ)
SETR RACLIST(SERVAUTH) REFRESH
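
The effect described in the two Important notes in this section can be checked before the SERVAUTH class is activated. The following Python sketch is an added example, not taken from the CA or IBM guides. It uses a simplified matching model (an assumption: `*` stands for exactly one qualifier), and the profile data and the list of needed resources are constructed samples.

```python
# Added illustration: a simplified model, not RACF/ACF2/Top Secret code.
# All profile data below is constructed sample input.

def matches(profile, resource):
    """Qualifier-by-qualifier match; '*' stands for exactly one qualifier."""
    p, r = profile.split("."), resource.split(".")
    return len(p) == len(r) and all(a in ("*", b) for a, b in zip(p, r))

def check(profiles, user, resource, default_deny=False):
    """Return 'allow', 'deny' or 'not_defined' for a READ request.

    default_deny=True models a setup that cannot tell 'no profile'
    apart from 'not permitted', so both come back as 'deny'.
    """
    hits = [p for p in profiles if matches(p, resource)]
    if not hits:
        return "deny" if default_deny else "not_defined"
    best = min(hits, key=lambda p: p.count("*"))  # fewest wildcards wins
    return "allow" if user in profiles[best] else "deny"

def impact(profiles, user, needed, default_deny):
    """Resources from `needed` that `user` would be refused."""
    return [r for r in needed
            if check(profiles, user, r, default_deny) == "deny"]

# Constructed SERVAUTH definitions: profile -> user IDs with READ access.
PROFILES = {"EZB.NETMGMT.SYSA.TCPIPA.SYSTCPSM": {"NMUSER"}}

# Constructed list of what the region touches on stack TCPIPA.
NEEDED = [
    "EZB.NETMGMT.SYSA.TCPIPA.SYSTCPSM",
    "EZB.STACKACCESS.SYSA.TCPIPA",
    "EZB.NETSTAT.SYSA.TCPIPA.CONN",
]

if __name__ == "__main__":
    for mode in (False, True):
        print("default_deny =", mode, "->",
              impact(PROFILES, "NMUSER", NEEDED, mode))
```

With only the SYSTCPSM profile defined, nothing is refused when "not defined" is reported separately, but the same definitions refuse the stack-access and Netstat resources once "not defined" is treated as "not permitted".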

BPX.SUPERUSER

If you are less concerned with security, grant the NMFTP Monitor user ID READ access to the BPX.SUPERUSER facility.

Example: CA ACF2 System
SET RESOURCE(FAC)
COMPILE *
$KEY(BPX) TYPE(FAC)
SUPERUSER UID(USER1) SERVICE(READ) ALLOW
STORE

Note: Instead of using TSO, you can use the ACFBATCH utility in JCL. If you do this, omit the [ACF] and [END] lines.

Example: CA Top Secret System
TSS PER(nmuser) IBMFAC(BPX.SUPERUSER) ACCESS(READ)

Example: RACF System
PE BPX.SUPERUSER CLASS(FACILITY) ID(nmuser) ACCESS(READ)