Using TCP/IP › Using FTP › Secure FTP for USS

Secure FTP for USS

OE/FTP is an OMVS application that executes under USS to facilitate the file transfer of HFS files throughout a TCP/IP network. OE/FTP typically executes under a started‑task FTPD whereas FTP typically executes under a started‑task named FTPSERVE.

OE/FTP includes an optional message‑log daemon (Syslog‑D) that logs past and present message traffic related to OE/FTP. Without this logging task, no ongoing log of OE/FTP activity occurs.

To replace the IBM requirements when installing OE/FTP with CA Top Secret:

• The O/E FTP started task (daemon) typically runs under a user ID of FTPD. The exception occurs when the task is automatically started by OMVS, in which case it inherits the identity of the OMVS kernel, typically OMVS or OMVSKERN.

  If running as an FTPD, the following example shows the administration needed to properly define the ACID:

  TSS CRE(FTPD) TYPE(USER)
                NAME('OE/FTP STC ID')
                DEPT(anydept)
                FAC(STC)
                PASSWORD(password,0)
                MASTFAC(TCP)
  

  TSS ADD(FTPD) UID(0)
                GROUP(OMVSGRP)
                DFLTGRP(OMVSGRP)
  

  TSS ADD(STC)  PROCname(FTPD)
                ACID(FTPD)
  

  If running under the OMVS kernel ID, no additional setup is necessary.

• The FTP server ACID requires the ability to perform work on behalf of users logging on to FTP, and at times switch its identity to that of a user. Accordingly, it requires superuser authority. This can be done by adding UID(0) to the ACID or giving the ACID a non‑zero UID and permitting it access to superuser authority as follows:

  TSS PERMIT(FTPD) IBMFAC(BPX.SUPERUSER)
                   ACCESS(READ)
  

  IBM recommends that you increase your level of security by protecting daemon authority by owning the resource IBMFAC(BPX.DAEM). To explicitly permit daemon authority to the server, even if it is running under UID(0), enter the following command:

  TSS PERMIT(FTPD) IBMFAC(BPX.DAEMON)
                   ACCESS(READ)
  

  IBM also documents the requirement for the FTPD user ID to have access to the FACILITY class resource of BPX.POE; therefore, the following permission may be required:

  TSS PERMIT(FTPD) IBMFAC(BPX.POE) ACCESS(READ)
  

• The TSS TCP facility controls which end users are able to access OE/FTP. Access to the TCP facility must be given to user ACIDs that access OE/FTP.