You need to provide appropriate access to the user ID that
is associated with the FTP daemon.
Before you begin
You need to know the user ID that is associated with the FTP
daemon and how TCP/IP is configured for security. You should also
know the resource profiles that are in the SAF classes.
Procedure
To set up security for your FTP server, perform one or
more of the following tasks:
- If the SERVAUTH class is activated and a profile is defined
for the EZB.STACKACCESS.mvsname.tcpname resource,
you must grant the user ID that is associated with the FTP daemon
READ access to the profile.
- If the SAF class APPL is activated and the OMVSAPPL resource
profile is defined, grant the user ID that is associated with the
FTP daemon READ access to the OMVSAPPL resource profile. For
more information on defining the OMVSAPPL profile, see z/OS UNIX System Services Planning.
- If the SAF class APPL is activated and you have a resource
profile defined in that class that matches the job name of the address
space that the FTP server starts when a user logs in to FTP, a user
ID should have READ access to that resource profile.
- The FTP daemon listening port should be reserved for the
FTPD job by a PORT statement in the TCPIP PROFILE. If the PORT statement
for the FTPD port is protected with the SAF keyword, you must define
a SERVAUTH profile for the EZB.PORTACCESS.sysname.tcpname.SAFkeyword
resource. The user ID associated with the FTP daemon must have READ
access to that resource.
- If your IP network is configured to use named security
zones, grant the user ID that is associated with the FTP daemon READ
access to the security zone that maps its bind address (0.0.0.0/32
for INADDR_ANY or ::/128 for the IPv6 unspecified address, in6addr_any),
unless these addresses are overridden by the PORT statement in the
TCP/IP profile.
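The following batch TSO job shows RACF commands for the stack, OMVSAPPL, port, and security zone tasks above. It is an added example, not part of the original procedure or IBM-supplied code. The names FTPD, MVS1, TCPIP, FTPSAF, FTPD1, and ZONEA and the JOB card values are assumptions to replace with your own, and the EZB.NETACCESS resource name for the zone is not stated on this page. Remove any step whose condition does not apply to your system.

```jcl
//FTPDSEC  JOB (ACCT),'FTPD SAF ACCESS',CLASS=A,MSGCLASS=X
//* Added example, not IBM-supplied. Assumed names:
//*   FTPD   = user ID associated with the FTP daemon
//*   MVS1   = mvsname/sysname     TCPIP = tcpname
//*   FTPSAF = SAF keyword on the PORT statement, for example
//*            21 TCP FTPD1 SAF FTPSAF   (FTPD1 is an assumed job name)
//*   ZONEA  = security zone that maps the daemon's bind address
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* Stack access: run only if this profile is defined            */
  RLIST SERVAUTH EZB.STACKACCESS.MVS1.TCPIP AUTHUSER
  PERMIT EZB.STACKACCESS.MVS1.TCPIP CLASS(SERVAUTH) -
         ID(FTPD) ACCESS(READ)
  /* OMVSAPPL: run only if APPL is active and OMVSAPPL is defined */
  RLIST APPL OMVSAPPL AUTHUSER
  PERMIT OMVSAPPL CLASS(APPL) ID(FTPD) ACCESS(READ)
  /* Port access: define the profile the SAF keyword refers to    */
  RDEFINE SERVAUTH EZB.PORTACCESS.MVS1.TCPIP.FTPSAF UACC(NONE)
  PERMIT EZB.PORTACCESS.MVS1.TCPIP.FTPSAF CLASS(SERVAUTH) -
         ID(FTPD) ACCESS(READ)
  /* Named security zone (NETACCESS resource for the zone)        */
  PERMIT EZB.NETACCESS.MVS1.TCPIP.ZONEA CLASS(SERVAUTH) -
         ID(FTPD) ACCESS(READ)
  /* Refresh in-storage profiles; assumes both classes are RACLISTed */
  SETROPTS RACLIST(SERVAUTH APPL) REFRESH
  /* Verify: FTPD should appear with READ in each access list     */
  RLIST SERVAUTH EZB.PORTACCESS.MVS1.TCPIP.FTPSAF AUTHUSER
/*
```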
Results
You know you are done when you can start the FTP server without
receiving an error.