The port of entry is the origin of work for the FTP server: the client connection from which a user logs in. You must establish a port of entry for each user who logs in to your FTP server, because RACF checks that the user is allowed to enter the system from that origin.
Before you begin
You must know:
- The IP addresses of the clients that are to log in to your FTP
server
- Whether your connection partners are in a network access security
zone
- Whether your RACF® SETROPTS
options are TERMINAL(READ) or TERMINAL(NONE)
For IPv4 connection partners, you can establish either terminal
access or SERVAUTH access. IPv6 connection partners must use SERVAUTH
access, which is established automatically for them.
The following procedure assumes that you are using RACF as your security product.
You can, however, use any SAF-compliant security product.
Procedure
Perform the following steps to set up the port of entry
for IPv4 and IPv6 users of the FTP server.
- To establish terminal access for IPv4 connection partners,
take one of the following actions:
- If your RACF SETROPTS options
are TERMINAL(NONE):
- Define profiles for the IP addresses that you want to permit to
your system in the TERMINAL class.
Translate the IP address of each client that connects to the FTP server into an 8-character hexadecimal string (two hexadecimal digits per octet, in the order of the dotted-decimal address) and add the strings to the TERMINAL class.
For example, the IP address 163.97.227.17 is translated to A361E311 (163 = A3, 97 = 61, 227 = E3, 17 = 11). To allow all addresses in the 163.97.227.0/24 subnet, that is, every address whose first three octets are 163.97.227, code the following generic profile:
RDEFINE TERMINAL A361E3* UACC(READ)
- Ensure that login user IDs have READ access to the TERMINAL profile
that covers their client system IP address. UACC(READ), as in the example, grants that access to every user ID; if only specific user IDs should log in from an address range, define the profile with UACC(NONE) and PERMIT those user IDs with ACCESS(READ).
- If your RACF SETROPTS options
are TERMINAL(READ), then all terminals, including those with no TERMINAL profile, are allowed access to your
system and you do not need to add extra resource definitions to your RACF database.
- To establish SERVAUTH access, instead of terminal access,
for IPv4 connection partners, specify PORTOFENTRY4 SERVAUTH in the
FTP.DATA file. The FTP server then uses the UNIX System Services _poe() service to identify
the control socket as the port of entry.
- To establish SERVAUTH access for IPv6 connection partners,
you do not need to do anything; IPv6 connection partners automatically
establish SERVAUTH access. If the IPv6 connection partner is not in
a network access security zone, the _poe() service does not pass a
port of entry resource name and the port of entry is not checked.
For information about network access security zones, see Network access control.
For IPv4 and IPv6 users with either terminal or SERVAUTH access,
you can optionally restrict access to DATASET resources during the
login session by granting the access with WHEN(TERMINAL(...)) or WHEN(SERVAUTH(...)) conditions
on the PERMIT command for the DATASET resource profiles in RACF, so that the user ID gets that access only when it logged in from the named port of entry.
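The following script is an added example for the TERMINAL(NONE) path above; it is not code from the z/OS Communications Server documentation. It converts client IPv4 addresses and CIDR ranges into the 8-character hexadecimal TERMINAL profile names the procedure describes, generates the RDEFINE and PERMIT commands, and includes a small matcher so you can check which profile a given client address would hit before you run anything against RACF. It goes beyond the single /24 on the page: a trailing `*` can only replace whole hexadecimal digits (4 bits each), so prefix lengths that are not a multiple of 4 are split into nibble-aligned subnets, one profile each. The user IDs, address ranges and data set name are constructed sample input.

```python
"""Build RACF TERMINAL-class definitions for FTP client addresses.

Added example, not from the documentation.  Sample user IDs, address ranges
and the data set name below are constructed for illustration.
"""
import ipaddress


def terminal_name(ip):
    """8-character uppercase hex TERMINAL name for one IPv4 address.

    163.97.227.17 -> A361E311 (two hex digits per octet, in address order).
    """
    return "%08X" % int(ipaddress.IPv4Address(ip))


def terminal_profiles(cidr):
    """Generic TERMINAL profile names that together cover a CIDR block.

    Each hex digit encodes 4 bits, so a trailing '*' can only stand for a
    prefix length that is a multiple of 4.  Other prefix lengths are split
    into nibble-aligned subnets and one profile is emitted per subnet.
    A /32 yields a discrete (non-generic) 8-character name.
    """
    net = ipaddress.IPv4Network(cidr, strict=False)
    aligned = -(-net.prefixlen // 4) * 4          # round up to a nibble boundary
    digits = aligned // 4                          # hex digits kept before '*'
    names = []
    for sub in net.subnets(new_prefix=aligned):
        prefix = terminal_name(sub.network_address)[:digits]
        names.append(prefix + ("*" if digits < 8 else ""))
    return names


def matches(ip, profile):
    """True if the address' terminal name falls under the given profile name."""
    name = terminal_name(ip)
    if profile.endswith("*"):
        return name.startswith(profile[:-1])
    return name == profile


def first_match(ip, profiles):
    """Profile the address would hit, or None if no profile covers it."""
    for prof in profiles:
        if matches(ip, prof):
            return prof
    return None


def racf_commands(ranges, userids, dataset=None):
    """RACF TSO commands for a SETROPTS TERMINAL(NONE) installation.

    ranges:  CIDR blocks of FTP clients to admit
    userids: login user IDs that need READ to the resulting profiles
    dataset: optional DATASET profile whose READ access is tied to these
             terminals with a WHEN(TERMINAL(...)) condition
    UACC(NONE) plus explicit PERMIT is used instead of the page's UACC(READ),
    so that only the listed user IDs may log in from these addresses.
    """
    cmds = []
    ids = " ".join(userids)
    for cidr in ranges:
        for prof in terminal_profiles(cidr):
            cmds.append(f"RDEFINE TERMINAL {prof} UACC(NONE)")
            cmds.append(f"PERMIT {prof} CLASS(TERMINAL) ID({ids}) ACCESS(READ)")
            if dataset:
                for uid in userids:
                    cmds.append(f"PERMIT '{dataset}' CLASS(DATASET) ID({uid}) "
                                f"ACCESS(READ) WHEN(TERMINAL({prof}))")
    # Refresh in-storage generic profiles so the new names take effect.
    cmds.append("SETROPTS GENERIC(TERMINAL) REFRESH")
    return cmds


if __name__ == "__main__":
    # Constructed sample: the page's /24 plus a /30 that needs four discrete names.
    sample_ranges = ["163.97.227.0/24", "10.0.0.8/30"]
    sample_users = ["FTPUSR1", "FTPUSR2"]
    for line in racf_commands(sample_ranges, sample_users, "PROD.FTP.EXPORT"):
        print(line)
    profiles = [p for r in sample_ranges for p in terminal_profiles(r)]
    for client in ("163.97.227.200", "10.0.0.10", "163.97.228.1"):
        print(client, "->", first_match(client, profiles))
```

Review the generated commands before issuing them: the TERMINAL class must be active and generic profile checking enabled for the class (SETROPTS CLASSACT(TERMINAL) GENERIC(TERMINAL)) for the `*` names to be honoured as generics, and the PERMIT syntax for the DATASET condition is the standard RACF WHEN(TERMINAL(...)) form. The matcher only models the prefix-wildcard case used here, not every RACF generic character.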
Results
When you are finished, access to the FTP server is controlled
based on the client's port of entry.