Application security

The Communications Server protects data and other system resources accessed by applications included in the Communications Server element. This protection requires verification of the identity of the user requesting access. This process is called identification and authentication. In addition, access to resources must be limited to those users with permission. This process is called access control. Communications Server applications use RACF® for identification and authentication, and access control decisions. Authenticated users are granted access to RACF resources only for which they have permission

Some applications allow anonymous access. Applications that allow anonymous access include anonymous FTP, Remote Execution, and Trivial File Transfer Program (TFTP). The Communications Server ensures that all anonymous access can be controlled by the installation. If anonymous access is allowed, the resources accessed can be limited in several ways:

The application can be configured to limit resources for which access will be attempted.
The application can be configured to use a RACF user ID to represent the anonymous user. In this case, access is allowed for those resources specifically permitted for the anonymous RACF user ID and for those resources that are universally accessible.

Most Communications Server applications must be configured specifically to allow anonymous access. One exception is TFTP. TFTP can be configured to control those directories that contain files that can be transferred.

Table 1 depicts a representative set of Communications Server applications, whether user identification is required, and the security credentials under which resource access is made. For more information on specific application considerations, see the topic about each application.

Table 1. User identification, authentication, and access control for z/OS® Communications Server applications
Server	End-user identification	Resource access
FTP	Optional ¹	End-user ID or configured anonymous user ID ²
LPD	Optional ¹	Server ID or end-user ID
MVS™ REXECD	Required	End-user ID
MVS RSHD	Required (password optional) ¹	Surrogate user ID or end-user ID
NSSD [network security services (NSS) server]	Required	NSS client user ID
Policy Agent server	Required	Policy client user ID
TFTP	No	Server user ID ²
UNIX REXECD	Required	End-user ID
UNIX RSHD	Required (password optional) ¹	End-user ID or Server user ID (exit routine to verify request)
UNIX shell (Telnet/rlogin)	Required	End-user ID
All items listed as optional are installation controlled and can all be configured to require full end-user identification. Accessible files can be configured on a server basis to limit access.