Controlling the Use of FTP › CA TCPaccess FTP Server for z/OS Policy Rule Sets

CA TCPaccess FTP Server for z/OS Policy Rule Sets

CA TCPaccess FTP Server for z/OS policy rule sets, together with your security package, let you control the transfer of files using FTP. A rule set is a grouping of rules.

An FTP policy rule set contains the following criteria to match the rule to FTP file transfer requests:

• File names
• Users
• Transfer direction
• Local server IP address and port
• Remote IP addresses
• Time of day and day of week

You can define a rule set containing FTP policy rules on your CA NetMaster FTM region and load it. You can define many rule sets of policy rules on your CA NetMaster FTM region; however, only one of the rule sets can be loaded at any one time.

The FTP policy rule sets are stored in the CA NetMaster FTM knowledge base and you can maintain them in this region. Rule set maintenance does not effect the loaded policy rule set; to change the loaded rule set, you need to reload it.

To activate a policy rule set, you must load a copy of the rule set.

The loaded policy rule set is enforced if an active SOLVE SSI has set PKTANALYZER=YES and the policy mode is ON. It does not depend on the CA NetMaster FTM region once it is loaded.

The user of the loaded policy rule set is CA TCPaccess FTP Server for z/OS.

Define a Policy Rule Set

To define a policy rule set

1. Enter /FTADMIN.P.M at the command prompt.

   The FTP Policy Ruleset List panel appears.

2. Press F4 (Add).

   The FTP Policy Ruleset panel appears.

3. Complete the following fields:
   • Name

     Specifies the name of the rule set.

   • Description

     Briefly describes the rule set.

4. Press F3 (File).

   The definition is saved in the knowledge base.

Add Policy Rules to a Rule Set

During operation, only one rule set can be loaded; therefore, you should combine all the CA TCPaccess FTP Server for z/OS policy rules that are to be used together into the same rule set. You can create different rule sets to do the following:

• Load at a future time
• Load on another LPAR

To add a policy rule to a rule set

1. Enter /FTADMIN.P.M at the command prompt.

   The File Transfer Ruleset List appears.

2. Enter R beside the rule set to which you want to add rules.

   The FTP Policy Rule List appears.

   Note: Policy rules are evaluated in the order that they appear in the list, until a match is made.

3. Press F4 (Add).

   The FTP Policy Rule panel appears.

4. Complete the following fields:
   • Description

     Briefly describes the rule.

   • Status

     Specifies whether the rule is used when it is loaded.

   • Allow Request?

     Specifies whether the rule allows matched FTP requests.

   • Log

     Specifies whether messages are logged for matched FTP requests in CA TCPaccess FTP Server for z/OS:

     • FAIL logs messages for requests disallowed by SAF security when the Allow Request? field is YES and a SAF qualifier is specified.
     • NO logs no messages, except when the policy mode is WARN.
     • YES logs messages for all matched requests.
   • SAF Qualifier

     Used to support SAF security. If Allow Request? is YES, you can use this value to perform further checking of a matched FTP request.

     The resource that can be checked is as follows: FTP.saf-qualifier.remote-ip-address.filename.

     The default SAF class is $FTP. However, you can change the class through the FTPCNTL parameter group.

   • File Name

     Specifies the names of files to match. You can use a mask to allow matching of more than one file. The specified value is not case sensitive.

     The wildcard characters are %, representing zero or more characters, and _, representing a single character.

   • User List

     Specifies the user IDs to match. You can specify a list of IDs separated by comma (,). You can use masks. The specified value is not case sensitive.

     The wildcard characters are %, representing zero or more characters, and _, representing a single character.

   • Transfer Direction

     Specifies whether the rule matches inbound or outbound file transfers.

   • Local Server IP Address

     Specifies the CA TCPaccess FTP Server for z/OS on the local system to match.

   • Local Server Port

     Specifies the CA TCPaccess FTP Server for z/OS on the local system to match.

   • Remote IP Address

     Specifies the range of remote IP addresses to match. To match a single address, leave the High field blank.

   • Time of Day

     Specifies the period to match. If the first time is later than the second time, then the period spans midnight.

   • Day of Week

     Specifies the days of the week to match.

     Press F3 (File).

     The rules are saved in the knowledge base.

Load a Policy Rule Set

When a rule set is complete, you can activate it by loading it.

Note: Only one rule set can be active at any time.

To load a policy rule set

1. Enter /FTADMIN.P.M at the command prompt.

   The FTP Policy Ruleset List appears.

2. Type L beside the name of the rule set definition to load.

   The FTP Policy Ruleset panel appears, showing the name of the rule set definition to be loaded.

3. Complete the following field:
   • Policy Mode

     Specifies the policy mode to use:

     • ON permits access according to rules.
     • OFF disables rules and always permits access.
     • WARN permits access and logs matches according to rules

       Press F6 (Confirm).

       The FTP policy rule set is loaded.

Note: After you have loaded a policy rule set, it is highlighted in white in the rule set list. If you have made any changes to the rule set since it was loaded, then ** MODIFIED ** appears to the right of its name. If you make changes to the loaded rule set, they do not take effect until you reload the rule set.

Set Policy Mode for an Active Policy Rule Set

To set the policy mode for an active policy rule set

1. Enter /FTADMIN.P.S at the command prompt.

   The FTP Policy Ruleset panel appears.

2. Complete the following field:
   • Policy Mode

     Specifies the policy mode to use:

     • ON permits access according to rules.
     • OFF disables rules and always permits access.
     • WARN permits access and logs matches according to rules

       Press F6 (Confirm).

       The policy mode is saved.