Re: Controlling the FTP server - FTCHKPWD

2012-06-11 Thread Mark Douglas (CITEC)
I ran this exit at my last site. I ran a 'secure' FTP server on a separate port 
(2121) with this exit along with FTCHKIP. From memory I based these exits on 
samples in a redbook (TCP/IP Implementation Vol 2?). These redbook samples were 
far more comprehensive than those provided in the SEZAINST DD. 

Implementing the exits was as simple as assembling them to a LOADLIB, APF 
authorising it and concatenating it in the FTP server proc.

As you have alluded since, the SERVAUTH RACF profile along with a SAF statement 
in your TCPIP PROFILE against your FTPSERVE port, or even PAGENT (policy agent) 
with z/OS MF configurator may be more straightforward.

Cheers,
MARK DOUGLAS

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of 
Jake anderson
Sent: Friday, 8 June 2012 8:05 PM
To: IBM-MAIN@bama.ua.edu
Subject: Controlling the FTP server - FTCHKPWD

Dear List,

Good Day !!

To control the FTP server we know we can use the FTCHKPWD user exit. Has anyone
used this exit at your shop to control FTP access? Just wanted to
understand the method to install this exit and control only the specified
user gaining access to the FTP server running on z/OS.

Environment : Z/OS 1.8

Resource link :
http://publib.boulder.ibm.com/infocenter/zos/v1r11/index.jsp?topic=/com.ibm.zos.r11.halz002/f1a1b391185.htm

Any comments or suggestions would help a lot

Jake

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN



Re: Controlling the FTP server - FTCHKPWD

2012-06-08 Thread Steven St.Jean
Jake,

I do not use FTCHKPWD, but I use FTCHKCMD to control user access (and lots
of other things).  I preferred FTCHKCMD, because I found I could accomplish
everything that FTCHKPWD allowed me to do and more, and it shares a
scratchpad with FTPOSTPR.

The server exits are pretty easy to install and test.  You can use a STEPLIB
in your FTP server proc and put the exits in there.  Changes are picked up
right away, since the FTP server spawns a new address space for each
session.  Just assemble and link your exit to the STEPLIB library and
connect to the server.

The exits need to be in an APF authorized library, and must be
program-controlled, like this:

 RDEF PROGRAM FTCHKCMD ADDMEM('LOAD.LIBRARY.NAME'/volser/NOPADCHK) UACC(READ)
 SETR WHEN(PROGRAM) REFRESH

Failure to do this will result in messages like this to the console:

 ICH420I PROGRAM FTCHKCMD FROM LIBRARY LOAD.LIBRARY.NAME CAUSED THE ENVIRONMENT TO BECOME UNCONTROLLED
 BPXP014I ENVIRONMENT MUST BE CONTROLLED FOR DAEMON (BPX.DAEMON) PROCESSING.

You can make SAF (RACROUTE) calls from the exits.

The number of parameters passed to the exits can change from release to
release, so be sure to check the second parameter, which tells you how many
parameters are passed.

Hope this helps.

Steven St.Jean
http://sdsusa.com
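
The ICH420I / BPXP014I failure described in the message above can be triaged from a saved console log. This is an added example, not code from the post or from IBM: it unwraps continuation lines, collects the programs named in ICH420I, and builds RDEF commands modelled on the one in the post. It assumes each message starts its line with the message ID; the sample log is constructed, the function names are hypothetical, and `volser` is left as a placeholder.

```python
import re

# Constructed console log sample (not from the original post); the ICH420I
# text wraps onto a continuation line, as in the mail above.
SAMPLE_LOG = """\
ICH420I PROGRAM FTCHKCMD FROM LIBRARY LOAD.LIBRARY.NAME CAUSED THE
 ENVIRONMENT TO BECOME UNCONTROLLED
BPXP014I ENVIRONMENT MUST BE CONTROLLED FOR DAEMON (BPX.DAEMON) PROCESSING.
ICH420I PROGRAM FTPOSTPR FROM LIBRARY LOAD.LIBRARY.NAME CAUSED THE ENVIRONMENT TO BECOME UNCONTROLLED
ICH420I PROGRAM FTCHKCMD FROM LIBRARY LOAD.LIBRARY.NAME CAUSED THE
 ENVIRONMENT TO BECOME UNCONTROLLED
"""

# Assumption: a new message begins with an ID such as ICH420I or BPXP014I.
MSG_ID = re.compile(r"^[A-Z]{3,4}\d{3,5}[A-Z]\b")
ICH420I = re.compile(r"^ICH420I PROGRAM (\S+) FROM LIBRARY (\S+) CAUSED THE "
                     r"ENVIRONMENT TO BECOME UNCONTROLLED")

def unwrap(log_text):
    """Join continuation lines (lines that do not start with a message ID)."""
    messages = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if MSG_ID.match(line) or not messages:
            messages.append(line)
        else:
            messages[-1] += " " + line
    return messages

def uncontrolled_programs(log_text):
    """Return unique (program, library) pairs from ICH420I, in first-seen order."""
    seen = []
    for msg in unwrap(log_text):
        m = ICH420I.match(msg)
        if m and m.groups() not in seen:
            seen.append(m.groups())
    return seen

def remediation(log_text, volser="volser"):
    """Build RDEF commands for each pair; volser is a placeholder to fill in."""
    cmds = [f"RDEF PROGRAM {p} ADDMEM('{lib}'/{volser}/NOPADCHK) UACC(READ)"
            for p, lib in uncontrolled_programs(log_text)]
    return cmds + ["SETR WHEN(PROGRAM) REFRESH"] if cmds else []
```
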




Re: Controlling the FTP server - FTCHKPWD

2012-06-08 Thread Kirk Wolf
Steven is an expert in this area, but there is also some good information
in the IBM document:

http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/FRAMESET/F1A1B391/2.3.4.1?SHELF=F1A1BKB1DT=20100121150057

(See "Steps for controlling user access to the FTP server" in topic 2.3.4.1.3:
http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/F1A1B391/2.3.4.1.3?SHELF=F1A1BKB1DT=20100121150057FS=TRUEScrollTOP=HDRWQ678#HDRWQ678)

You might also consider using a port of entry (the TERMINAL CLASS), to
restrict access by IP address.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com



Re: Controlling the FTP server - FTCHKPWD

2012-06-08 Thread Jake anderson
 You might also consider using a port of entry (the TERMINAL CLASS), to
restrict access by IP address. 

I could see examples on CICS but any syntax which secures the port 21 alone?


Jake
