

TCP/IP FTP Interface

The CA ACF2 for z/VM interface with TCP/IP FTP is implemented by using the ESM feature of FTP. CA ACF2 for z/VM uses our SAF interface to process calls from CA‑ESM (release 1.1 or above) to provide the ESM functions to FTP.

Follow the steps below to implement the TCP/IP FTP Interface:

  1. If your site has installed CMS security, make sure that the FTPSERVE ID is not included in the MAINT VMO record. If it is, remove the FTPSERVE ID from the MAINT VMO record and use the ACFSERVE RELOAD CONTROL VMO MAINT command to reload the MAINT VMO record. Also, make sure that the FTPSERVE ID does NOT have the NON-CNCL attribute.

    The combination of FTPSERVE being in the MAINT VMO record and having the NON-CNCL attribute allows FTPSERVE to bypass CMS file-level security. This mechanism has been replaced by the VMD4FSEC attribute, which causes CMS file access by the FTPSERVE ID to be validated against the user that initiated the file transfer.

  2. From a security administrator's user ID, provide the following logonid attributes to FTPSERVE:
    VMESM
    VMSAF
    VMD4AUTH
    VMD4TARG
    VMD4RSET
    VMD4FSEC (only if CMS security is installed)

    Important! If the FTPSERVE directory entry includes the IBM option LNKNOPAS, remove this option. With this option, FTPSERVE bypasses minidisk passwords when it does the LINK to a minidisk to make the FTP connection. Without this option, FTPSERVE respects whatever setting you specified for CA ACF2 for z/VM for minidisk passwords.

    If you set the CA ACF2 for z/VM option DIRMDPW=RESPECT and a user tries to use FTP to get to a minidisk protected with passwords, he is prompted for the minidisk password.

    If you set DIRMDPW=DENYNOPW, then minidisk passwords are ignored except when no minidisk passwords exist at all on the MDISK statement. Then, the FTP connection to the minidisk is denied.

    If the DIRMDPW=IGNORE option is set in CA ACF2 for z/VM, it does not matter whether the LNKNOPAS option is set in the directory.

    However, we still recommend not using LNKNOPAS for FTPSERVE in case the DIRMDPW= setting is ever changed.

  3. Copy the following file from the CAIMAINT 291 to the TCPMAINT 198 minidisk to make it accessible to FTPSERVE and other TCP/IP service machines, replacing any existing version:
    ACFSAFA0 MODULE
    

    If not already there, copy the following file from the CAIMAINT 291 to the TCPMAINT 198 minidisk to make it accessible to FTPSERVE and other TCP/IP service machines:

    CAIRPI PARMS
    

    Modify the CAIRPI PARMS file on the TCPMAINT 198 minidisk to make sure that the APPLNAME is OTHER (not the default SFS):

    ESMID *RPI     APPLNAME OTHER
    

    In the SYSTEM DTCPARMS file, change the following lines in the :nick.ftp section. If you don't have a section with the :nick.ftp tag, you can copy the section from the IBM DTCPARMS file. The SYSTEM DTCPARMS file should be located on the TCPMAINT 198 disk, and it overrides the IBM DTCPARMS file.

    From:

    :ESM_Enable.NO
    :ESM_Validate.RPIVAL
    :ESM_Racroute.RPIUCMS
    

    To:

    :ESM_Enable.Yes
    :ESM_Validate.ACFSAFA0
    :ESM_Racroute.RPIUCMS
    :VMLink.CAIMAINT 391
    
  4. The use of CA‑ESM requires that your FTP service machine (normally FTPSERVE) directory entry must include the following statement:
    IUCV *RPI
    
  5. To use the FTP option that allows you to transfer files to a user's VM RDR, you need to write resource rules to allow the transfer. By default, the resource type is VMR. To allow a user with a UID value of USERA to put a file into the VM RDR of TARGETID, the following rule is required:
    $KEY(TARGETID) TYPE(VMR)
     UID(USERA) SERVICE(UPDATE) ALLOW
    

    To allow USERA to execute the DIR and DELETE commands, write the following rule:

    $KEY(TARGETID) TYPE(VMR)
     UID(USERA) SERVICE(UPDATE,DELETE) ALLOW
    

    Note: If the rule is created without the SERVICE keyword, it is equivalent to specifying all services, which allows PUT, DIR, and DELETE FTP commands.
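
The following added example (not CA or IBM code) audits exported text copies of the SYSTEM DTCPARMS file and the FTPSERVE directory entry against the settings in the steps above: the three ESM tags in the :nick.ftp section, the absence of LNKNOPAS, and the presence of IUCV *RPI. The function names, the ".*" comment convention, and the sample input are assumptions constructed for illustration.

```python
import re

# Tag syntax taken from the page's own lines (":ESM_Enable.Yes"): ":name." then the value.
TAG = re.compile(r"(?:^|\s):([A-Za-z_]\w*)\.")
# Values from the page's "To:" block for the :nick.ftp section.
REQUIRED = {"esm_enable": "YES", "esm_validate": "ACFSAFA0", "esm_racroute": "RPIUCMS"}
# Constructed sample input: the "From:" state of the file and a made-up directory entry.
SAMPLE_DTCPARMS = """\
:nick.ftp  :type.class
  :ESM_Enable.NO
  :ESM_Validate.RPIVAL
  :ESM_Racroute.RPIUCMS
"""
SAMPLE_DIRECTORY = "USER FTPSERVE\n OPTION LNKNOPAS\n"

def parse_sections(text):
    """Return {nick: {tag: value}}, names lower-cased; each :nick. tag opens a section."""
    sections, current = {}, None
    for line in text.splitlines():
        # Assumption: a line starting with ".*" is a comment and carries no tags.
        hits = [] if line.lstrip().startswith(".*") else list(TAG.finditer(line))
        for i, m in enumerate(hits):
            end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
            name, value = m.group(1).lower(), line[m.end():end].strip()
            if name == "nick":
                current = sections.setdefault(value.lower(), {})
            elif current is not None:
                current[name] = value
    return sections

def audit_ftp(dtcparms_text, directory_entry):
    """Return deviations from the steps above; an empty list means none were found."""
    findings = []
    ftp = parse_sections(dtcparms_text).get("ftp")
    if ftp is None:
        findings.append("no :nick.ftp section found")
    else:
        for tag, want in REQUIRED.items():
            got = ftp.get(tag)
            if got is None or got.upper() != want:
                findings.append(f":{tag}. is {got!r}, expected {want}")
    words = [line.upper().split() for line in directory_entry.splitlines()]
    if any("LNKNOPAS" in w for w in words):
        findings.append("directory entry has LNKNOPAS")
    if not any(w[:2] == ["IUCV", "*RPI"] for w in words):
        findings.append("directory entry lacks IUCV *RPI")
    return findings
```

Calling audit_ftp(SAMPLE_DTCPARMS, SAMPLE_DIRECTORY) reports four deviations for the constructed input. It does not check the logonid attributes from step 2, which would require parsing ACF2 LIST output.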