OS400 Can Block Secured FTP Access

IBM has introduced new functionality in OS400 V6R1, and in V5R4 with PTF SI236489, that can block access to the IBM i even when access is permitted by Bsafe/Enterprise Security.

 

The issue applies only to secured FTP (FTP encrypted by SSL), for both the FTP server and the FTP client. It does not apply to any other applications.

 

Version 6.1 and the v5.4 PTF allow the system administrator to block the IBM exit point. The block can be activated in Operations Navigator or at the green-screen command line. When it is active, an attempt to connect to the IBM i via secured FTP results in message TCP3D0B. The event does not appear in the Application Audit, because the operating system rejects the request before it ever reaches the Bsafe exit program. The rejection can, however, be seen in the System Audit, action group *SECURITY, action type GR – generic record.

 

The status of the system can be verified either in Operations Navigator or by a native CL command.

 

In Navigator select as follows:

Application Administration > Local Settings > Host Applications > TCP/IP utilities for iSeries > File Transfer Protocol (FTP)

 

If the checkboxes for FTP Client and FTP Server are marked, access is permitted; if unmarked, access is blocked. See screen shot below.

 

Note that this functionality cannot permit access when blocked by Bsafe.

On the command line, check the status as follows:

WRKFCNUSG  FCNID(QIBM_QTMF_SERVER_REQ_10)

WRKFCNUSG  FCNID(QIBM_QTMF_CLIENT_REQ_10)

 

Default authority should show as *ALLOWED. If it does not, change the value at the command line to allow access, as follows:

CHGFCNUSG  FCNID(QIBM_QTMF_SERVER_REQ_10) DEFAULT(*ALLOWED) ALLOBJAUT(*NOTUSED)

 

CHGFCNUSG  FCNID(QIBM_QTMF_CLIENT_REQ_10) DEFAULT(*ALLOWED) ALLOBJAUT(*NOTUSED)
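
The status check can also be done non-interactively for a specific user profile. The CL program below is an added example, not Bsafe or IBM code: it calls the IBM Check User Function Usage API (QSYCKUFU) for the two function IDs named above and reports the effective result for that user. The program name CHKFTPFCN and the message texts are assumptions made for this example.

```cl
/* CHKFTPFCN (hypothetical name): added example. Reports whether     */
/* user profile &USER may use the two FTP function IDs in this note. */
PGM        PARM(&USER)
  DCL      VAR(&USER)   TYPE(*CHAR) LEN(10)
  DCL      VAR(&FCNID)  TYPE(*CHAR) LEN(30)
  DCL      VAR(&USAGE)  TYPE(*CHAR) LEN(1)
  /* Error code with bytes-provided = 0: API failures are sent as    */
  /* escape messages, which the MONMSG below catches.                */
  DCL      VAR(&ERRCDE) TYPE(*CHAR) LEN(8) VALUE(X'0000000000000000')

  CHGVAR   VAR(&FCNID) VALUE('QIBM_QTMF_SERVER_REQ_10')
  CALLSUBR SUBR(CHECK)
  CHGVAR   VAR(&FCNID) VALUE('QIBM_QTMF_CLIENT_REQ_10')
  CALLSUBR SUBR(CHECK)
  RETURN

  SUBR     SUBR(CHECK)
    CHGVAR VAR(&USAGE) VALUE(' ')
    /* QSYCKUFU parameters: usage indicator (output, 1 byte),        */
    /* function ID (30 bytes), user profile (10 bytes), error code.  */
    CALL   PGM(QSYCKUFU) PARM(&USAGE &FCNID &USER &ERRCDE)
    MONMSG MSGID(CPF0000) EXEC(DO)
      /* For example: function ID not registered on this release,    */
      /* or the user profile does not exist.                         */
      SNDPGMMSG MSG('Could not check ' *CAT &FCNID *TCAT +
                    ' for ' *CAT &USER)
      RTNSUBR
    ENDDO
    /* Usage indicator: '2' = allowed, '1' = not allowed.            */
    IF     COND(&USAGE *EQ '2') THEN(SNDPGMMSG +
             MSG(&FCNID *TCAT ': allowed for ' *CAT &USER))
    ELSE   CMD(SNDPGMMSG +
             MSG(&FCNID *TCAT ': BLOCKED for ' *CAT &USER))
  ENDSUBR
ENDPGM
```

Pass the special value *CURRENT as the user to check the profile running the program. A BLOCKED result for the profile that receives TCP3D0B points to the operating system setting rather than to Bsafe.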