joel tilton may 2016 - · pdf filesecurity with racf. joel is also an active member of the...
TRANSCRIPT
Joel Tilton RACF Engineer
Mainframe Evangelist May 2016
Joel Tilton is a former employee of IBM, where he got his start with mainframes, who continues to champion mainframe security issues and solutions.
Over 20+ years technical IT experience, the majority of which was gained in hands-on technical roles, performing a variety of duties in diverse and complex environments.
The majority of Joel's experience is focused on IBM mainframe systems, where he performs as a Technician and Project Manager. Joel's specialist subject is IT Security, in particular z/OS and associated subsystems (CICS, DB2, MQ, zSecure, etc.) security with RACF.
Joel is also an active member of the Tampa Bay RUG (RACF User Group) which meets jointly with the NY RUG. Joel has a true passion for security and the mainframe. Long live the mainframe!
https://www.linkedin.com/in/joeltilton
702-483-RACF (Google Voice)
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 2
All products, trademarks, and information mentioned are the property of the respective vendors.
Mention of a product does not imply a recommendation. Always test new profiles on a non-production system. Only you can prevent IPLs… The views expressed are his own personal views, and are
not endorsed or supported by, and do not necessarily express or reflect, the views, positions or strategies of his employer
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 3
How do you know who is moving your data around? Or stealing it?
Are you 100% certain EVERY dataset profile is securing your data? UACC(NONE) AUDIT(SUCCESS(UPDATE) FAILURES(READ))
PCI and other standards require an audit trail PCI Requirement 10 A.1.3
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 4
Take your systems programmer out to lunch Find the FTP.DATA dataset or member Depends on where your sysprog decided to put it (ask them! See
previous bullet) Often stored in a parmlib under TCP/IP or SYS1 qualifiers Or search the STARTED class for entries that have FTP in them and go
digging through all your parmlibs to find it ▪ Sr class(started) filter(*ftp*.**) ▪ Yes I assume or hope the proc name will at least have FTP in it somewhere
Now search all proc libs for that proc name ▪ TSO ISRDDN
Then look for the SYSFTPD DD card and note the dataset name While here make note of the dataset specified by the SYSTCPD DD
card as well
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 5
SMF type 119 records rock (yes they really do!) Was the control connection encrypted? Was the data connection encrypted Version of TLS used? ▪ SSL is no longer recommended. See POODLE Virus. ▪ 119 subtype 2 if and if only if using AT TLS policies
IP addresses recorded in IPv6 format only SMF type 118 do not record any of the above
information SMF type 118 records have been “functionally
stabilized”
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 6
Search for all occurrences of “SMF” in the location of the FTP.DATA specified in the SYSFTPD DD card we found earlier.
There are three parameters that should be set for SMF recording to occur: SMF TYPE 119 SMFJES TYPE119 SMFSQL TYPE119
PCI and other standards require an audit trail PCI (Requirement 9 and A.1.3)
Wouldn’t you want to log who’s moving your data around using FTP? Would you care if someone tried to FTP the RACF DB?
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 7
Be extremely careful not to record both type 118 and 119 records Doing so will create a performance problem! “Records of type 118 and type 119 can both be
requested; however, do not do this due to performance implications of writing both record types.” http://publib.boulder.ibm.com/infocenter/zos/v1r1
3/index.jsp?topic=%2Fcom.ibm.zos.r13.halz001%2Fcsmfsta.htm
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 8
SMF TYPE119 Cut one FTP type 119 subtype 70 for every MVS and z/OS
UNIX dataset transferred For PDS cut one SMF record per member of the PDS
SMFSQL TYPE119 SQL commands can be sent directly to your DB2
subsystem via FTP! If the “DB2 subsystem_id” statement is not specified then
the z/OS FTP server assumes a DB2 ssid of simply “DB2” http://publib.boulder.ibm.com/infocenter/zos/v1r13/in
dex.jsp?toic=%2Fcom.ibm.zos.r13.halz001%2Fcsmfsql.htm&path=8_6_20_137
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 9
Some people read the manuals and see “SAF” next to JESINTERFACELEVEL2
They think “SAF” = external security = we’re safe; yes we want this setting
“Sorry wrong answer would you like to go for double Jeopardy where the scores can really chagne?”
When you set JESTINTERFACELEVEL2 you need to be absolutely sure of the security implications
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 10
DO NOT set JESINTERFACELEVEL2 unless: The JESSPOOL class is configured to secure ALL
spool datasets Reminder JESSPOOL is a default RC of 8 class!
The SDSF class is active with the following SAF resources secured appropriately: ISFCMD.DSP.ACTIVE.jesx ISFCMD.DSP.INPUT.jesx ISFCMD.DSP.OUTPUT.jesx ISFCMD.FILTER.OWNER ISFCMD.FILTER.PREFIX Reminder SDSF is a default RC of 4 class!
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 11
Ingenious application developers punch jobs straight to JES via FTP!
Transfer sensitive jobs to your workstation with sensitive data (PCI, HIPAA, payroll, etc.)
If JESSPOOL & SDSF classes are not configured appropriately then JESINTERFACELEVEL should never be set to 2
JESINTERFACELEVEL1 is default! © 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 12
Captures why the FTP logon failed but also… Was it encrypted? With what version of TLS? With what type of algorithm? Helpful for tracking end users still attempting
to use unencrypted FTP Validate someone is not trying to repeatedly
login to breach accounts via FTP Many standards require complete audit trails
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 13
The FTP client SMF type 119 subtype 3 records are configured in the TCP/IP stack
Find the running TCP/IP started task using SDSF, Sysview, etc.
Browse it and do a find for ‘profile’ Should see a message similar to: EZZ0300I OPENED PROFILE FILE DD:PROFILE
Read through the output until you find the PROFILE DD card
Browse that dataset or member Other options: Just use zSecure’s RE.I menu to
validate the entire configuration of TCP/IP including which SMF records are enabled
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 14
Bring up the TCP/IP PROFILE dataset in browse or view mode and do a search for ‘SMFCONFIG’
If nothing is found then TCP/IP is NOT configured to cut ANY SMF records!
PCI and other standards require a complete audit trail
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 15
In order to cut type 119 subtype 3 SMF records for all FTPs where z/OS is the client (or all OUTBOUND FTPs) the following needs to be added to the TCPIP profile parms:
• SMFCONFIG TYPE119 FTPCLIENT • This is a change that of course requires assistance
from systems programming! • Did I mention taking your systems programmer to
lunch? • Can be changed dynamically (OBEY file) or with an
IPL (cycle of TCPIP)
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 16
SMFCONFIG TYPE119 TN3270 CLIENT ▪ Logs outbound telnet connections to other systems
PROFILE ▪ Logs changes to the configuration of the TCP/IP Stack
TCPSTACK ▪ Logs useful information every time a TCP/IP stack is
started or stopped
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 17
SMFCONFIG TYPE119 TCPTERM
▪ Cut a record every time a TCP connection closes ▪ Logs version of TLS used ▪ Logs level of security the server required
And more… Virtual IP Addresses (subtypes 32 – 37) z/OS CS SMTP server (subtypes 48 – 52)
▪ New as of z/OS V1R11 Subtypes 73 – 80 for IPSec UDP Socket close (subtype 10) Others for statistics
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 18
ICETOOL SYS1.TCPIP.AEZASMP1(EZASMF) IBM sample C code to report on type 119 SMF
Assembler SYS1.MACLIB – EZASMF77
IBM Security zSecure Audit Via the EV.I menu automatically processes FTP
records creating reports to tell you if the FTP was encrypted or not and if so using what version of SSL and which algorithm was used
Note: This list might not be all inclusive © 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 19
Table 257 z/OS Communications Server IP Programmer's Guide and Reference
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 20
Off set
Name Description
1 SMF119FT_FSCProtect Security of the control connection
2 SMF119FT_FSDProtect Security of the data connection.
3 SMF119FT_FSLoginMech Was login via password or certificate?
4 SMF119FT_FSProtoLevel Version of TLS Used
12 SMF119FT_FSCipherSpec Encryption algorithm used.
To protect the user ID and password of RACF accounts Person in the middle attack.
It’s the 21st century so why are we still sending passwords around any network (even our internal one) in the clear? Do you really trust that your LAN/WAN is bullet
proof? Would you take that risk?
PCI requires encryption of cardholder data
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 21
Central Processor Assist for Cryptographic Functions Enhances encryption/decryption of clear-key operations Random Number Generate One Way Hash etc.
Must be enabled using a no-charge feature (#3863) Check the HMC (Hardware Management Console) Check the output in the ICSF Address Space: CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE.
REMINDER: ICSF must come up before PAGENT (AT TLS) or hardware acceleration will not be used
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 22
Both are independent of the other CPACF is a hardware feature enabled at HMC ICSF (Integrated Cryptographic Services
Facility) accelerates encrypt/decrypt operations via CyptoExpress Cards
You do not have to run ICSF address space to make CPACF available
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 23
Saves 1-2% of Overhead On Average 75+ Million SAF calls per SFTP UserID
XFACILIT UACC(NONE) AUDIT(NONE) They simply need to exist
CSF.CSFSERV.AUTH.CSFOWH.DISABLE Bypass SAF call for CSFSERV CSFOWH profile (one way hash)
CSF.CSFSERV.AUTH.CSFRNG.DISABLE Bypass SAF class for CSFSERV CSFRNG profile (random number generation)
Example: SFTP, CSFOWH called for every packet sent & received! Uffda…
Requires HCR77A1 release of ICSF at a minimum
CSFM650I CSFSERV AUTHORIZATION CHECK FOR RANDOM NUMBER GENERATE SERVICES IS DISABLED
CSFM650I CSFSERV AUTHORIZATION CHECK FOR ONE-WAY HASH SERVICES IS DISABLED
© 2016, Joel M. Tilton KDFAES – April 2016 24
In these examples we use the z/OS FTP servers TLS implementation
EXTENSIONS AUTH_TLS Enables the use of TLS by the FTP Server or client Default is off
SECURE_FTP ALLOWED Encrypted FTPs are “ok” Client and server setting
SECURE_FTP REQUIRED Changing this setting DENIES any inbound FTP that is unable to
establish an encrypted session. The goal after mining the type 119 subtype 3 and 70 SMF
records and remediating all unencrypted FTPs is: To be able to changed to REQUIRED with no impact
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 25
SECURE_CTRLCONN CLEAR CLEAR is the default Control port is unencrypted by default! Unless EXTENSIONS AUTH_TLS is specified
SECURE_CTRLCONN PRIVATE The goal after unencrypted FTP remediation is to
be able to change this setting to PRIVATE ▪ Then the z/OS FTP server rejects any FTP session that
can’t establish an encrypted control port connection
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 26
SECURE_DATACONN CLEAR CLEAR is the default Data sent to the z/OS FTP server is not encrypted!
SECURE_DATALCONN PRIVATE The goal after unencrypted FTP remediation is to
be able to change this setting to PRIVATE Then the z/OS FTP server rejects any FTP session
that can’t establish an encrypted data port connection
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 27
SECURE_LOGIN NO_CLIENT_AUTH means we’re not requiring a certificate for
authentication Some auditors get confused by this setting (I did too
at first) NO_CLIENT_AUTH is the default
SECURE_PASSWORD REQUIRED While this may seem to imply encryption all it means
is: We must enter a password to login via FTP REQUIRED is the default
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 28
The default z/OS FTP server cipher is a null cipher That means it’s a cipher that doesn’t actually encrypt
anything!!!! Why? Well that’s how RFC 4346 is written…
Search your FTP parms for a statement that starts with: CIPHERSUITE Note by using cryptography parms that are provided by
the z/OS FTP server we’re using crypto at the application layer
AT TLS offers stronger cryptography (more on that later) ▪ Application Transparent Transport Layer Security ▪ TCP/IP provides encryption & application does not need to know
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 29
CIPHERSUITE SSL_NULL_MD5 ; 01 No encryption or message authentication and RSA key exchange
CIPHERSUITE SSL_NULL_SHA ; 02 No encryption with MD5 message authentication and RSA key
exchange CIPHERSUITE SSL_RC4_MD5_EX ; 03 40-bit RC4 encryption with MD5 message authentication and RSA key
exchange CIPHERSUITE SSL_RC2_MD5_EX ; 06 40-bit RC2 encryption with MD5 message authentication and RSA key
exchange CIPHERSUITE SSL_DES_SHA ; 09 56-bit DES encryption with SHA-1 message authentication and RSA
key exchange
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 30
CIPHERSUITE SSL_RC4_MD5 ; 04 128-bit RC4 encryption with MD5 message
authentication and RSA key exchange MD-5 is now depreciated and won’t pass PCI
standards From Wikipedia, “…a group of researchers used this
technique to fake SSL certificate validity,[7][8] and CMU Software Engineering Institute now says that MD5 "should be considered cryptographically broken and unsuitable for further use",[9] and most U.S. government applications now require the SHA-2 family of hash functions.[10] “
http://en.wikipedia.org/wiki/MD5 © 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 31
NIST Special Publication 800-131A http://nvlpubs.nist.gov/nistpubs/SpecialPublications/
NIST.SP.800-131Ar1.pdf “SHA-1: Federal agencies should stop using
SHA-1 for generating digital signatures, generating time stamps and for other applications that require collision resistance. ”
http://csrc.nist.gov/groups/ST/hash/policy.html NIST comments on cryptanalytic attacks on
SHA-1 http://csrc.nist.gov/groups/ST/hash/statement.html
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 32
By the end of the year SHA-1 will be removed from the certificates in most browsers http://www.zdnet.com/article/as-attacks-near-
microsoft-mulls-banning-sha1-certificates/ What happens if you don’t migrate to SHA-2
certificates?
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 33
Application Transparent Transport Layer Security Encrypt the communication without the
application needing to know Several Advantages: Centralized Configuration Management Single Refresh Command ▪ F PAGENT,REFRESH
Let Communications Server Manage TLS Lin Overby, STSM IBM Communications Server http://www.ibmsystemsmag.com/mainframe/adminis
trator/systemsmanagement/Lighten-your-Administrator-Load-with-AT-TLS-and--C/
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 34
With AT TLS 256 bit AES with SHA-256 & SHA-384
Required for converting RRSF from SNA to TCP/IP
Best available Cipher built into z/OS FTP Server provides AES 256 with SHA-1
CIPHERSUITE SSL_AES_256_SHA ; 35 256-bit AES encryption with SHA-1 message
authentication and RSA key exchange Advanced Encryption Standard is established by the
National Institute of Standards and Technology (NIST).
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 35
TLSMECHANISM ATTLS Both a client and server statement TLSMECHANISM FTP is Default
https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.halz001/ftpcastlsmechanism.htm
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 36
Many of the previous settings also apply to the z/OS FTP client z/OS FTP clients use a search order for their settings The order also depends upon whether the TSO or z/OS UNIX FTP client is used If not overridden by the client then it defaults to the TCPIP.DATA dataset
specified in the FTP proc’s SYSTCPD DD card http://publib.boulder.ibm.com/infocenter/zos/v1r13/index.jsp?top
ic=%2Fcom.ibm.zos.r13.halz001%2Fcjesint.htm A z/OS FTP client can choose to override the encryption settings by
invoking the FTP with: -a never Which means give me an unencrypted outbound FTP session Enhancement 25972
▪ http://www.ibm.com/developerworks/rfe/execute?use_case=vie wRfe&CR_ID=25972 “z/OS V2R1 Communications Server provides a command exit for the FTP
client. The capability in this requirement can be achieved by using the exit to modify the FTP parameter list to prevent the specification of the "-a never" parameter.”
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 37
Necessary to allow FTP client to automagically use any CERTAUTH certificate that is in TRUST status Alternative: Keying Maintenance Hell!
Otherwise you will have a fun time with keyring maintenance for all of your FTP users You’ll be in RACDCERT CONNECT hell constantly
connecting in certificate authority certificates depending upon where someone needs to FTP.
Activate the RDATALIB class and define to it: CERTIFAUTH.IRR_VIRTUAL_KEYRING.LST Groups all certificate authority certificates with TRUST
status into a “virtual” ring
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 38
Keyring Isolation Required for Virtual Keyrings FACILITY IRR.DIGTCERT.LISTRING READ = See Your Keyring UPDATE = See All Keyrings
RDATALIB Only the users in this exact access list can access
the keyring or its private key Documented in the RACF Callable Services
Manual © 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 39
User A extract User A's own private key READ ICH408I
User A extract User B's private key UPDATE NO ICH408I or type 80
User A extract SITE's private key CONTROL NO ICH408I or type 80
User A extract CERAUTH's private key CONTROL NO ICH408I or type 80
Just because you SETR RACLIST(RDATALIB) REFRESH *does not mean* the RDATALIB profile is installed properly
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 40
For CERTAUTH and SITE certificates: An application can extract the private key from a CERTAUTH or
SITE certificate if the following conditions are met: The certificate is connected to its key ring with the PERSONAL
usage option. One of the following three conditions is true:
▪ The caller's user ID is RACF special regardless of access checking method, or
▪ The caller's user ID has CONTROL authority to the IRR.DIGTCERT.GENCERT resource in the FACILITY class if the access to the key ring is through the checking on IRR.DIGITCERT.LISTRING in the FACILITY CLASS, or
▪ The caller's user ID has CONTROL authority to the: <ringOwner>.<ringName>.LST resource in the
RDATALIB class
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 41
Scenario: NDM actually needs CONTROL to its RDATALIB profile
The R_datalib service has a DataGetFirst and DataGetNext function. It was designed to do all the data pulls up front, loading it all into the workarea so that the DataGetNext calls are much faster. At this point, RACF does not know which of the available private keys are going to be requested.
RACF does not know at the time of access to the certificates keyring is requested what is the intended use of the certificate.
In the case of Connect Direct (NDM), it is up to the product to handle the exception.
Message CSPA202E received. http://www-01.ibm.com/support/docview.wss?uid=swg21554980
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 42
Monitoring all Started Task Access is noisy Recommendation: Monitor <10 violations per STC UserID Monitor all RACF Commands to RDATALIB class Run SMF report nightly or Monitor with SIEM & ISV software live in real time
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 43
SERVAUTH EZB.FTP.sysname.ftpdaemoname.PORTxxxx Controls ability to access FTP server based on SAF
user ID used to log in APPL class still works for this purpose too
SERVAUTH EZB.FTP.sysname.ftpdaemonname.ACCESS.HFS Provides ability to generally restrict FTP user access
to the z/OS UNIX file system https://www.ibm.com/support/knowledgecenter
/SSLTBW_1.13.0/com.ibm.zos.r13.halz002/racf.htm%23racf
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 44
Activate SERVAUTH Class IBM Class Descriptor Table (CDT) SETR classact(SERVAUTH) audit(SERVAUTH) raclist(SERVAUTH) generic(SERVAUTH) ▪ RC of 4 class but be mindful of SYS1.TCPIP.PROFILE
▪ SERVAUTH profiles for DVIPA (Dynamic Virtual IP Address) ▪ EZD1313I -REQUIRED SAF SERVAUTH PROFILE NOT FOUND RACF profile name
RDEFINE RACGLIST SERVAUTH OWNER() IPL will not refresh in-storage RACF profiles Ensure Sysplex Consistency for RACF By Product…Performance Improvement SETR classact(RACGLIST) audit(RACGLIST) SETR RACLIST(…) REFRESH Builds RACGLIST profiles
© 2015, Joel M. Tilton SERVAUTH Port Access – November 2015 45
Protected by profiles with UACC(NONE) AUDIT(ALL(READ))?
Could someone FTP the RACF database? Would you know if this happened? SMF is great but real time notifications are key ▪ SIEMs (Security Information & Event Management) Tool
Is there really any reason for anyone to have even permanent READ to RACF anymore?
Recommend special access group with revoked group connection
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 46
Try not. Do…or do not. There is no try! Master Yoda
How do you tackle any project? One small step at a time…
Get SMF type 119 records cutting Evaluate FTP Parameters Safely migrate to encryption & away from Sha-1 Use AT TLS for stronger cryptography Use Virtual Keyrings Use SERVAUTH class z/OS FTP Security Engage!
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 47
Adam Klinger Amy Miu
John Reale Hayim Sokolsky William Vender
© 2016, Joel M. Tilton KDFAES – April 2016 48
And the Adventure Continues to Boldly Go Where No
Encryption Algorithm Has Gone Before …
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 49
Appendix E of the z/OS Communications Server IP Programmer’s Guide and Reference
http://publibfp.dhe.ibm.com/cgibin/bookmgr/BOOKS/F1A1D3B1/E.0?DT=20120118013946
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 50
http://publib.boulder.ibm.com/infocenter/zos/v1r13/index.jsp?topic=%2Fcom.ibm.zos.r13.halz001%2Fcjesint.htm
http://publib.boulder.ibm.com/infocenter/zos/v1r13/index.jsp?topic=/com.ibm.zos.r13.halu001/jesintdiff.htm
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 51
http://publib.boulder.ibm.com/infocenter/zos/v1r13/index.jsp?topic=/com.ibm.zos.r13.halz001/smfcfg.htm
http://publib.boulder.ibm.com/infocenter/zos/v1r13/index.jsp?tppic=/com.ibm.zos.r13.halz001/smfcfg.htm
http://publib.boulder.ibm.com/infocenter/zos/v1r13/index.jsp?topic=/com.ibm.zos.r13.halz002/accounting.htm © 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 52
https://www.ibm.com/support/knowledgecenter/linuxonibm/com.ibm.linux.z.wskc.doc/wskc_c_s02cpacf.html
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 53
http://www.ibm.com/support/knowledgecent
er/SSLTBW_2.1.0/com.ibm.zos.v2r1.ichd100/usgntrdata.htm%23usgntrdata?lang=en
http://publibz.boulder.ibm.com/epubs/pdf/ich2d100.pdf
http://www-01.ibm.com/support/docview.wss?uid=swg21554980
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 54
Security for the FTP server https://www.ibm.com/support/knowledgecenter/
SSLTBW_1.13.0/com.ibm.zos.r13.halz002/racf.htm%23racf
Local user access control to TCP/IP resources using SAF https://www.ibm.com/support/knowledgecente
r/SSLTBW_2.1.0/com.ibm.zos.v2r1.halz002/security_tcpip_resrcs_saf.htm
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 55