Use the VERIFYUSER statement to indicate whether the FTP server should verify that every user ID used to log into FTP has been granted access to the server's port profile in the SERVAUTH class.
Tips:
- The FTP server port profile is the same profile that is checked for TLS secured sessions when SECURE_LOGIN VERIFY_USER is coded in FTP.DATA. See SECURE_LOGIN (FTP server) statement for more information.
- When sessions are secured with TLS and VERIFYUSER TRUE is coded in FTP.DATA, the server verifies the user access to the FTP server port profile regardless of the SECURE_LOGIN value.
Syntax
   .-VERIFYUSER FALSE------.
>>-+-----------------------+-----------------------------------><
   '-VERIFYUSER--+-FALSE-+-'
                 '-TRUE--'
Parameters
- TRUE
    If the SERVAUTH class is active and a profile has been defined for the FTP port, the connection is allowed only if the user ID has a minimum of READ access to the profile.

    The resource name is as follows:

        EZB.FTP.systemname.ftpdaemonname.PORTxxxx

    xxxx is replaced by the port number for the FTP daemon. The profile name can contain wildcard values to the extent that the security product allows. All security product rules apply.

    For example, if the procedure FTPD is used to start the FTP daemon on system MVS164 and the FTP daemon uses the default FTP port 21, the resource name is:

        EZB.FTP.MVS164.FTPD1.PORT21

    To protect all ports with a single profile, you could use the following security product profile name:

        EZB.FTP.*.FTPD1.PORT*

    Result: If the VERIFYUSER value is TRUE, but the security product profile is not defined, the FTP server does not verify access to the profile prior to allowing users to log into FTP.

- FALSE
    The server does not verify access to the profile EZB.FTP.systemname.ftpdaemonname.PORTxxxx before allowing the login.

    Restriction: If the session is secured with TLS and SECURE_LOGIN VERIFY_USER is coded in FTP.DATA, the server checks the user's access to the profile as described in SECURE_LOGIN (FTP server) statement regardless of the VERIFYUSER setting.
Examples
To request that the FTP server verify user access to the SERVAUTH profile for all sessions regardless of whether they are secured with TLS and regardless of whether TLS level 3 authentication is requested, code this statement in FTP.DATA:

    VERIFYUSER TRUE

You should also define the port profile of the server in the SERVAUTH class of your security product.

For example, if the FTPD procedure is used to start the FTP daemon on system MVS164, and the FTP daemon uses the default FTP port 21, the resource name is as follows:

    EZB.FTP.MVS164.FTPD1.PORT21

If all systems use the same access list and generic profile checking is active for the SERVAUTH class, you can use the following profile name:

    EZB.FTP.*.FTPD1.PORT21

To protect all ports with a single profile, you can use the following security product profile name:

    EZB.FTP.*.FTPD1.PORT*
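
The following audit check is an added example, not part of the original documentation or of any IBM tooling. It applies the rules above to FTP.DATA text and a list of defined SERVAUTH profile names, and reports when VERIFYUSER is coded but no covering profile exists, so logins are not actually verified. Assumptions: the function names, the status strings, the constructed sample input, ';' as the FTP.DATA comment character, and a simplified wildcard match that stands in for the security product's own generic-profile rules.

```python
import re

# Constructed sample FTP.DATA content; ';' is treated as the comment character.
SAMPLE_FTP_DATA = """\
; constructed sample, not taken from a real system
VERIFYUSER TRUE
"""

def parse_ftp_data(text):
    """Return the VERIFYUSER and SECURE_LOGIN values coded in FTP.DATA text."""
    cfg = {"VERIFYUSER": "FALSE", "SECURE_LOGIN": None}  # VERIFYUSER defaults to FALSE
    for line in text.splitlines():
        words = line.split(";", 1)[0].split()
        if len(words) >= 2 and words[0].upper() in cfg:
            cfg[words[0].upper()] = words[1].upper()
    return cfg

def resource_name(system, daemon, port):
    """Build EZB.FTP.systemname.ftpdaemonname.PORTxxxx."""
    return f"EZB.FTP.{system}.{daemon}.PORT{port}"

def covers(profile, resource):
    """Simplified generic match: '*' is any run of characters inside one
    qualifier, '%' is one character. The security product's rules govern."""
    pq, rq = profile.split("."), resource.split(".")
    if len(pq) != len(rq):
        return False
    def rx(q):
        return "".join(".*" if c == "*" else "." if c == "%" else re.escape(c) for c in q)
    return all(re.fullmatch(rx(p), r) for p, r in zip(pq, rq))

def login_check(ftp_data, profiles, system, daemon, port, tls=False, class_active=True):
    """Classify whether the port-profile check is actually applied at login."""
    cfg = parse_ftp_data(ftp_data)
    res = resource_name(system, daemon, port)
    requested = cfg["VERIFYUSER"] == "TRUE" or (tls and cfg["SECURE_LOGIN"] == "VERIFY_USER")
    if not requested:
        return res, "NOT_REQUESTED"
    if class_active and any(covers(p, res) for p in profiles):
        return res, "ENFORCED"      # user ID needs at least READ access
    # Coded but no active class or covering profile: logins are not verified.
    # Assumption: the SECURE_LOGIN VERIFY_USER path is treated the same way here.
    return res, "NOT_ENFORCED"

if __name__ == "__main__":
    for profs in (["EZB.FTP.*.FTPD1.PORT*"], []):
        print(profs, login_check(SAMPLE_FTP_DATA, profs, "MVS164", "FTPD1", 21))
```

A NOT_ENFORCED result corresponds to the Result note under TRUE: the statement is coded, but the profile it depends on is missing.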