Steps for controlling user access to the FTP server

Every user who logs in to your FTP server requires access to that server. Use these steps to provide and control user access to your server.

Before you begin

You need to know which users you want to allow to log in to your FTP server. You need to know whether your IP network is configured to use named security zones.

This procedure assumes that you are using RACF® as your security product. You can, however, use any SAF-compliant security product.

Procedure

Perform the following steps to control user access to the FTP server:

  1. Provide each user who is going to log in to the FTP server with a z/OS® UNIX UID.
    You can either assign a UID to the user, or the user can use the default z/OS UNIX UID.
  2. If your IP network is configured to use named security zones, each defined security zone has a SERVAUTH profile for the resource named EZB.NETACCESS.sysname.tcpname.zonename. If the client IP address is mapped into a network access security zone, grant each login user ID READ access to the SERVAUTH profile that corresponds to the security zone.
    For more information about security zones, see Network access control.
  3. Do one or more of the following items to allow only certain users to log in to the FTP server:
    • Code an FTCHKPWD user exit routine to allow or deny access to users, based on user ID.

      For more information about user exits, see FTP server user exits in z/OS Communications Server: IP Configuration Reference and Configuring the optional FTP user exits.

    • Use the SERVAUTH resource profile that FTP uses for TLS level 3 authentication to control which users can log in to FTP:
      1. Define a profile in the SERVAUTH class for the FTP port.
      2. Grant at least READ access to the profile to the users that you want to permit to log in to FTP.
        For example, if your security product is RACF, your FTP port is port 21, and the profile that you defined is EZB.FTP.*.*.PORT21, issue the following command to grant the user ID FTPUSER access to the profile:
        PERMIT EZB.FTP.*.*.PORT21 CL(SERVAUTH) ID(FTPUSER)

        See z/OS Security Server RACF Command Language Reference, z/OS Security Server RACF Security Administrator's Guide, or the documentation for your SAF-compliant security product for more information.

      3. Code VERIFYUSER TRUE in the server's FTP.DATA file.

        FTP verifies the user's access to the profile for every session, whether or not that session is secured. TLS-secured sessions are also verified, even when level 3 authentication has not been requested.

  4. (Optional) Set up transport layer security (TLS) support or Kerberos support for the FTP server.
    The FTP server supports TLS. TLS enables secure file transfer by providing data privacy, message authentication, and message integrity services for data sent and received using the FTP control and data connections. For information about setting up TLS support for the FTP server, see Customizing Transport Layer Security and Kerberos security.

    You can use the Generic Security Service Application Programming Interface (GSSAPI) to authenticate FTP clients to FTP servers. For more information about setting up GSS support for the FTP server, see Customizing Transport Layer Security and Kerberos security.
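The following command sequence is an added example that walks through the security zone permit in step 2 and the SERVAUTH port profile in step 3 as one unit; it is not part of this page or of the z/OS Communications Server documentation. The profile name EZB.FTP.*.*.PORT21 and the user ID FTPUSER are the ones this page uses; the zone profile EZB.NETACCESS.SYS1.TCPIP.INTRANET is a constructed value standing in for EZB.NETACCESS.sysname.tcpname.zonename on your system. The commands are written as they would appear in a CLIST, where the /* ... */ lines are comments; drop those lines if you type the commands directly at a TSO prompt.

```tso
/* Activate the SERVAUTH class, enable generic (wildcard) profiles */
/* in it, and RACLIST it. Skip this if the class is already active */
/* on your system.                                                   */
SETROPTS CLASSACT(SERVAUTH) GENERIC(SERVAUTH) RACLIST(SERVAUTH)

/* Step 2: when the client address maps into a network access       */
/* security zone, the login user ID needs READ on that zone's       */
/* profile. The zone profile already exists from the network access */
/* control setup; the name below is a constructed placeholder.      */
PERMIT EZB.NETACCESS.SYS1.TCPIP.INTRANET CLASS(SERVAUTH) +
       ID(FTPUSER) ACCESS(READ)

/* Step 3: define the profile for the FTP port with UACC(NONE) so   */
/* that only explicitly permitted user IDs pass the check, then     */
/* grant READ to each user who may log in.                          */
RDEFINE SERVAUTH EZB.FTP.*.*.PORT21 UACC(NONE)
PERMIT EZB.FTP.*.*.PORT21 CLASS(SERVAUTH) ID(FTPUSER) ACCESS(READ)

/* Changes to a RACLISTed class are not seen by the FTP server      */
/* until the in-storage profiles are refreshed.                     */
SETROPTS RACLIST(SERVAUTH) REFRESH

/* Check: display the port profile and its access list to confirm   */
/* UACC(NONE) and that only the intended user IDs hold READ.        */
RLIST SERVAUTH EZB.FTP.*.*.PORT21 AUTHUSER
```

The RDEFINE with UACC(NONE) is what makes the control useful: with VERIFYUSER TRUE coded in FTP.DATA (step 3 above), every user ID that is not on the access list fails the login check, on both clear-text and TLS-secured sessions. The RLIST output is the place to verify this after any change, since a forgotten SETROPTS RACLIST REFRESH leaves the server using the old access list even though PERMIT has already updated the RACF database.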

Results

When you are finished, only certain users will be able to log in to your FTP server.