If you are using an FTP server, consider the following for security:
User IDs
To log into the FTP server, a user ID must have an OS/390 UNIX UID.
MVS Network Access Controls
If PortAccess or NetAccess is used to protect TCP ports or networks as SAF resources,
see the NETACCESS statement in OS/390 IBM Communications Server: IP
Configuration Reference for more information.
The FTPD cataloged procedure must be:
Defined to the security program.
Added to the RACF STARTED class or the started procedures table. The user ID associated with the FTP server started task must have a UID of 0.
See SEZAINST(EZARACF) for more information on SAF resource requirements needed for FTP.
Terminal Access
The terminal ID passed from FTP to RACF is an 8-byte hexadecimal character
string containing an IP address. RACF interprets this as a terminal logon
address and rejects it if it is not previously defined. For example, the IP
address 163.97.227.17 is translated to X'A361E311'.
Therefore, if the SETROPTS TERMINAL(NONE) setting is used in RACF, you must
define profiles for the IP addresses in class TERMINAL to avoid problems when
trying to FTP to MVS. You must translate all the IP addresses of any clients
connecting to FTP servers to hexadecimal character strings and add them to the
class TERMINAL.
To allow access by all addresses in the 163.97.227 subnet (every address whose
hexadecimal form begins with A361E3), define one generic profile for the subnet:
RDEFINE TERMINAL A361E3* UACC(READ)
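The translation above is mechanical: each octet of the IPv4 address becomes two uppercase hexadecimal characters, so a generic TERMINAL profile with a trailing asterisk covers a subnet whose prefix length is a multiple of 4 bits. The following Python script is an added example, not part of the original IBM documentation, that performs the translation in both directions, builds the generic profile name for a subnet, and checks which client addresses a given profile would admit before it is defined. The function names (terminal_id, terminal_profile, profile_matches, rdefine_commands) are assumptions made for this example.

```python
import ipaddress
from typing import List


def terminal_id(ip: str) -> str:
    """Return the 8-character hex string FTP passes to RACF as the terminal ID.

    Each octet becomes two uppercase hex digits, e.g. 163.97.227.17 -> A361E311.
    """
    addr = ipaddress.IPv4Address(ip)
    return f"{int(addr):08X}"


def ip_from_terminal_id(term: str) -> str:
    """Reverse translation, useful when reading TERMINAL profiles or audit records."""
    if len(term) != 8:
        raise ValueError("a TERMINAL ID built from an IPv4 address is exactly 8 hex characters")
    return str(ipaddress.IPv4Address(int(term, 16)))


def terminal_profile(network: str) -> str:
    """Build the TERMINAL profile name that covers a whole IPv4 network.

    A trailing '*' in a RACF generic profile matches any remaining characters,
    so the prefix length must be a multiple of 4 bits (one hex character).
    A /32 yields a discrete profile with no wildcard.
    """
    net = ipaddress.IPv4Network(network, strict=True)
    if net.prefixlen % 4:
        raise ValueError(
            f"{network}: prefix length {net.prefixlen} is not a multiple of 4 bits "
            "and cannot be expressed as a hex-character wildcard"
        )
    nibbles = net.prefixlen // 4
    full = terminal_id(str(net.network_address))
    return full if nibbles == 8 else full[:nibbles] + "*"


def profile_matches(profile: str, ip: str) -> bool:
    """Check whether a discrete or trailing-wildcard profile admits a client address.

    Run this over your expected client list before defining the profile so an
    over-broad wildcard (e.g. 'A3*' instead of 'A361E3*') is caught early.
    """
    tid = terminal_id(ip)
    if profile.endswith("*"):
        return tid.startswith(profile[:-1])
    return tid == profile


def rdefine_commands(networks: List[str], uacc: str = "READ") -> List[str]:
    """Produce the RDEFINE TERMINAL commands for a list of networks or hosts."""
    return [f"RDEFINE TERMINAL {terminal_profile(n)} UACC({uacc})" for n in networks]


if __name__ == "__main__":
    # Constructed sample: the subnet from the text plus a single host (assumed values).
    for cmd in rdefine_commands(["163.97.227.0/24", "163.97.227.17/32"]):
        print(cmd)
    # Show which of a constructed client list the subnet profile would admit.
    for client in ("163.97.227.17", "163.97.228.1"):
        print(client, terminal_id(client), profile_matches("A361E3*", client))
```

Generic profiles such as A361E3* are only honoured once generic profile checking is active for the class (SETROPTS GENERIC(TERMINAL)); without it RACF treats the name as a discrete profile and the wildcard admits nobody.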
If your RACF SETROPTS options are TERMINAL(READ), all terminals are allowed access to your system, and you do not have to add extra resource definitions to your RACF database.
For more information, see OS/390 UNIX System Services Planning and the OS/390 SecureWay Security Server RACF Security Administrator's Guide.