When you request a file transfer to or from CA TCPaccess FTP Server for z/OS, the server compares the request to the loaded rules until a criteria match is found. The actions in the matching rule (allow request, log, check SAF) are then performed.
Note: If no rules match or no active SOLVE SSIs have PKTANALYZER=YES, then the request is allowed.
To default to disallowing requests, define the last rule in the rule set as having no criteria (matches all requests) and Allow Request?=NO.
If your network environment is using a firewall and performing address translation, then you should determine the translated address of the remote and specify this address in the rule.
FTP SAF rules are checked only if the matching FTP rule does both of the following:
Note: To check that the new SAF class has been activated and that SAF profiles have been set up, refer to your security administrator.
The SAF resource checked has a CLASS value as specified in the FTPCNTL parameter group. The default is $FTP. The profile name is FTP.saf-qualifier.remote-ip-address.filename.
The first 44 bytes of the file name are used. MVS file names have a maximum of 44 bytes, so no truncation occurs; however, HFS file names can be much longer. The remote IP address is trimmed of leading zeros. Member names for PDS files are not used in the profile name.
Note: HFS file names can be in mixed case, but all file names are converted to upper case before calling the SAF exit.
The level of access required depends on whether the transfer is outgoing or incoming:
This is similar to normal data set access security checks.
Note: For incoming new file allocations, the normal data set security call checks for alter access. However, for FTP SAF calls, the call is incoming, so the SAF rule access is update. The FTP SAF rule does not distinguish between new files and existing file replacement.
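The following Python model is an added example, not CA's code, that applies the profile-name rules just described (44-byte limit, leading zeros trimmed from the remote IP address, PDS member name dropped, upper-casing) and the access-level rule (incoming requires update, outgoing requires read). The per-octet interpretation of "trimmed of leading zeros", the RACF-style ordering of access levels used by `is_permitted`, and all sample inputs are assumptions made for the example.

```python
# Added example (not CA product code): derive the FTP SAF profile name and the
# required access level for a transfer, then check it against granted access.
# Assumptions are marked in the comments; sample inputs are constructed.

MAX_NAME_BYTES = 44  # only the first 44 bytes of the file name are used

# Assumption: RACF-style access hierarchy, lowest to highest.
ACCESS_ORDER = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]


def trim_ip(remote_ip: str) -> str:
    """Remove leading zeros from each dotted octet.

    Assumption: trimming is applied per octet, so 010.020.003.004 -> 10.20.3.4.
    """
    octets = remote_ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"expected a dotted IPv4 address, got {remote_ip!r}")
    return ".".join(str(int(o)) for o in octets)


def normalize_file_name(file_name: str) -> str:
    """Drop a PDS member name, upper-case, and keep the first 44 bytes."""
    name = file_name
    # Member names are written as DSN(MEMBER) and are not part of the profile.
    # Assumption: HFS paths used with this server do not end in ')'.
    if name.endswith(")") and "(" in name:
        name = name[: name.index("(")]
    # HFS names may be mixed case; everything is upper-cased before the SAF call.
    name = name.upper()
    # MVS names are at most 44 bytes, so only long HFS names are truncated.
    return name.encode("ascii")[:MAX_NAME_BYTES].decode("ascii", errors="ignore")


def saf_profile(saf_qualifier: str, remote_ip: str, file_name: str) -> str:
    """Build FTP.saf-qualifier.remote-ip-address.filename."""
    return f"FTP.{saf_qualifier}.{trim_ip(remote_ip)}.{normalize_file_name(file_name)}"


def required_access(direction: str) -> str:
    """Incoming transfers (server receives, e.g. client PUT) need UPDATE;
    outgoing transfers (server sends, e.g. client GET) need READ.
    ALTER is never required, even when an incoming transfer allocates a new file."""
    if direction == "incoming":
        return "UPDATE"
    if direction == "outgoing":
        return "READ"
    raise ValueError(f"direction must be 'incoming' or 'outgoing', got {direction!r}")


def is_permitted(granted: str, required: str) -> bool:
    """True when the granted access level is at least the required one."""
    return ACCESS_ORDER.index(granted.upper()) >= ACCESS_ORDER.index(required.upper())


def check_transfer(saf_qualifier: str, remote_ip: str, file_name: str,
                   direction: str, granted: str) -> dict:
    """Combine the pieces: which profile is checked, what is needed, and the outcome."""
    profile = saf_profile(saf_qualifier, remote_ip, file_name)
    needed = required_access(direction)
    return {"profile": profile, "required": needed,
            "permitted": is_permitted(granted, needed)}


if __name__ == "__main__":
    # Constructed sample: an incoming PUT to a PDS member from an address written
    # with leading zeros, where the user holds only READ on the profile.
    print(check_transfer("DEPTUSER", "010.020.003.004",
                         "DEPT1.USER.FILE1(MEMBER1)", "incoming", "READ"))
    # Constructed sample: an outgoing transfer of a mixed-case HFS file.
    print(check_transfer("DEVFILES", "172.24.10.222",
                         "/usr/var/DevProc.log", "outgoing", "READ"))
```

Note that this models only the FTP SAF check; the normal data set security check still runs separately, and masking of the profile name is left to the security package.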
A remote client at IP address 192.168.10.255 issues a PUT request to write to PDS data set DEPT1.USER.FILE1(MEMBER1). This is an incoming transfer. The matching FTP rule specifies a SAF qualifier of DEPTUSER, so a SAF check is performed on the following SAF profile:
FTP.DEPTUSER.192.168.10.400.DEPT1.USER.FILE1
Update access is required for the transfer to proceed.
Note: You can use masking in rules in the normal manner for your security packages.
The normal security check for accessing the data set is still performed. The FTP SAF check is in addition to the normal security call for data set access.
A user issues a PUT request for an HFS file called /usr/var/DevProc.log, sending it from the local host to the remote host 172.24.10.222. This is an outgoing transfer. The matching FTP policy rule has a SAF qualifier of DEVFILES, so the security facility is called with the following SAF profile:
FTP.DEVFILES.172.24.10.222./USR/VAR/DEVPROC.LOG
The user requires read access for this resource for the transfer to proceed.