Protecting against FTP misuse using Bsafe/Enterprise Security

FTP stands for File Transfer Protocol. It remains one of the most widely used ways of passing files from one computer to another over the internet, even though it was devised in the early 1970s for the ARPANET, long before the internet as we know it existed. The first FTP specification, RFC 114, was published in 1971 and predates TCP/IP, the protocol suite on which the internet runs. AS400 FTP has been an important feature of OS400 connectivity throughout the AS400's development.

The AS400 FTP Servers

OS400's built-in FTP support is split into two parts: the FTP server, which handles requests from other computers to the AS400, and the FTP client, which handles requests originating on the AS400 and accessing other networked computers. As on other platforms, the server listens on port 21 for the control connection. Port 20 is used for the data connection in active mode; in passive mode the data connection uses a server port chosen at run time, which matters when you write firewall rules for the FTP server.

Windows Command Line and other FTP Tools

FTP support is built into Windows, which makes an FTP connection from a PC to the AS400 simple. On the Windows command line (Run > cmd) type FTP followed by the IP address of your AS400. You will be prompted for an AS400 user profile and then the password. After successful authentication you are in FTP mode, with an FTP command line on which you can enter FTP commands. Windows Explorer and other FTP clients provide the same access in a more user-friendly way. Note that plain FTP sends the user profile and password unencrypted over the control connection, so anyone able to sniff the network segment can capture them; that is one reason the credentials alone cannot be relied on to protect the system.

AS400 FTP Commands

The FTP commands most commonly used against the AS400, with the OS400 command each corresponds to, are MKDIR (CRTLIB), RMDIR (DLTLIB), CD (CHGCURLIB), DIR or LS (DSPLIB), DELETE (deletes an object), SEND or PUT (transfers a file to the AS400), GET or RECV (transfers a file from the AS400), RENAME (renames an object) and QUOTE RCMD, which uses IBM's RCMD extension to AS400 FTP to execute an arbitrary CL command on the AS400. These operations, together with the start of each session, are the ones explicitly reported to the IBM exit points, but more of that later.

The Vulnerability of AS400 FTP

FTP access to your AS400 is a simple and powerful way of reaching the system, but it is also a vulnerability that must be adequately protected. GET and SEND can download or replace entire files, and QUOTE RCMD can run CL commands.

As with any other form of access to the AS400, user authentication and object authority apply to FTP connections too, so a user needs sufficient object authority before he can reach a file over FTP. That alone is not enough to ensure your data won't be compromised. A found, stolen or guessed user profile and password hand those permissions to whoever holds them. Furthermore, a user who reaches files through an application such as accounts or payroll is restricted to what that application lets him do with its files, whereas FTP gives the same user a powerful, application-independent set of capabilities (duplicating a sensitive file, for example, or replacing it with another one). And OS400 keeps no FTP-specific log of these actions, so on its own it leaves you with no audit trail of what was transferred or run.

Securing AS400 FTP

The most effective protection against unauthorized FTP access is not running the FTP server at all. You can decide whether the FTP server is started automatically with TCP/IP, using Operations Navigator or the green screen, and you can end it at any time. That way you start FTP only if and when you need it.

To exclude the FTP server from TCP/IP startup, change its autostart attribute as follows:

CHGFTPA AUTOSTART(*NO)

The following AS400 commands start and end the AS400 FTP server:

STRTCPSVR SERVER(*FTP)
ENDTCPSVR SERVER(*FTP)

However, FTP is useful and many organizations find it inconvenient to start and stop it in this way. Either way, while your FTP server is running, the best precaution you can take against abuse is to use AS400 FTP exit programs.

The AS400 FTP Exit Points

OS400 has six exit points (including TFTP) that take part in AS400 FTP communications, the most important being QIBM_QTMF_CLIENT_REQ and QIBM_QTMF_SERVER_REQ. The former handles FTP requests initiated on the AS400, the latter FTP requests initiated on other computers. (A third, QIBM_QTMF_SVR_LOGON, is called at logon time and can refuse a session by user or by IP address before any request is made.) The exit points work like this. A program is written to receive the standard parameter structure defined by IBM (format VLRQ0100 for the two request exit points: application identifier, operation identifier, user profile, remote IP address and its length, operation-specific information such as the object path or the CL command text and its length, and an output "allow operation" field) and is then 'registered' on the appropriate exit point with ADDEXITPGM. When the operating system receives an FTP request it calls the exit program first. The exit program receives the user, the remote address and the operation requested (session start, create or delete library, change directory, list, delete, send, receive, rename, or RCMD), can do any processing its author wishes, including reading and updating database files and applying business logic, and, most importantly, decides whether the request should be allowed to continue. The value the exit program places in the "allow operation" parameter, 1 to allow or 0 to reject, tells the operating system whether to carry on with the request or reject it.
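
As an added example, not code from the original page, from Bsafe or from IBM, this is what a minimal request validation exit program for QIBM_QTMF_SERVER_REQ looks like in ILE C. It implements the policy model the rest of the article describes: a system policy that grants nothing, per-user allow lists of operations, an IP restriction and a library restriction. The operation codes, parameter order (format VLRQ0100) and the 0/1 "allow operation" result are IBM's; the policy table, the profile names, addresses and libraries in it, and the assumption that object names reach the exit as /QSYS.LIB/... paths are constructed for illustration and should be checked against the IBM documentation for your release.

```c
/* Added example (not the page's, Bsafe's or IBM's code): a request
 * validation exit program for QIBM_QTMF_SERVER_REQ, format VLRQ0100,
 * written in ILE C.  The operation codes, parameter order and the 0/1
 * "allow operation" result are IBM's.  The policy table, the profile
 * names, addresses and libraries in it, and the assumption that object
 * names arrive as /QSYS.LIB/... paths are constructed for illustration. */
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* VLRQ0100 operation identifiers reported by the FTP server. */
enum { OP_SESSION = 0, OP_MKDIR, OP_RMDIR, OP_CD, OP_LIST,
       OP_DELETE, OP_SEND, OP_RECEIVE, OP_RENAME, OP_RCMD };
#define APP_FTP_SERVER 2                /* VLRQ0100 application identifier */
#define BIT(op) (1u << (op))
#define READ_ONLY (BIT(OP_SESSION) | BIT(OP_CD) | BIT(OP_LIST) | BIT(OP_SEND))

/* One permission entry.  A user with no entry falls under the "system
 * policy", which here grants nothing. */
struct rule {
    const char *user;     /* user profile, upper case */
    const char *ip;       /* exact host, or a prefix ending in '.'; "" = any */
    unsigned    ops;      /* bit mask of allowed operations */
    const char *library;  /* required path prefix for object operations; "" = any */
};

/* Constructed policy table: hypothetical profiles, addresses, libraries. */
static const struct rule policy[] = {
    { "FTPREAD", "10.0.1.",  READ_ONLY,                                  "/QSYS.LIB/SALES.LIB" },
    { "FTPLOAD", "10.0.1.",  READ_ONLY | BIT(OP_RECEIVE),                "/QSYS.LIB/INBOUND.LIB" },
    { "OPSADM",  "10.0.0.5", READ_ONLY | BIT(OP_RECEIVE) | BIT(OP_RCMD), "" },
};

/* The exit parameters are blank padded and not NUL terminated: copy at
 * most len bytes, upper-case them, trim trailing blanks, NUL terminate. */
static void copy_param(char *dst, size_t cap, const char *src, size_t len)
{
    size_t n = len < cap - 1 ? len : cap - 1, i;
    for (i = 0; i < n; i++)
        dst[i] = (char)toupper((unsigned char)src[i]);
    while (n > 0 && (dst[n - 1] == ' ' || dst[n - 1] == '\0'))
        n--;
    dst[n] = '\0';
}

static int ip_matches(const char *addr, const char *want)
{
    size_t n = strlen(want);
    if (n == 0)
        return 1;
    if (want[n - 1] == '.')             /* network prefix such as "10.0.1." */
        return strncmp(addr, want, n) == 0;
    return strcmp(addr, want) == 0;     /* single host: "10.0.0.5" must not match "10.0.0.50" */
}

/* Decide one request.  Returns the "allow operation" value: 1 allow, 0 reject. */
int allow_ftp_request(int app_id, int op_id,
                      const char *user, size_t user_len,
                      const char *ip, size_t ip_len,
                      const char *info, size_t info_len)
{
    char u[11], addr[46], path[1024];
    size_t i;

    if (app_id != APP_FTP_SERVER || op_id < OP_SESSION || op_id > OP_RCMD)
        return 0;                       /* not the FTP server, or an operation we do not know */
    copy_param(u, sizeof u, user, user_len);
    copy_param(addr, sizeof addr, ip, ip_len);
    copy_param(path, sizeof path, info, info_len);

    for (i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        const struct rule *r = &policy[i];
        size_t n;
        if (strcmp(u, r->user) != 0 || !ip_matches(addr, r->ip))
            continue;
        if (!(r->ops & BIT(op_id)))
            return 0;                   /* operation not granted to this user */
        if (op_id == OP_SESSION || op_id == OP_RCMD || r->library[0] == '\0')
            return 1;                   /* no object name to check, or unrestricted */
        /* Object operations: the operation-specific information is the path
         * (for rename, old and new names; check the layout for your release).
         * The library prefix must be followed by '/' or the end of the name. */
        n = strlen(r->library);
        return strncmp(path, r->library, n) == 0 && (path[n] == '\0' || path[n] == '/');
    }
    return 0;                           /* system policy: no entry, no access */
}

/* Entry as the FTP server calls it on IBM i: argv[1..8] point at the eight
 * VLRQ0100 parameters and the decision is stored through argv[8]. */
int main(int argc, char *argv[])
{
    if (argc < 9)
        return 0;
    *(int *)argv[8] = allow_ftp_request(*(int *)argv[1], *(int *)argv[2],
                                        argv[3], 10,
                                        argv[4], (size_t)*(int *)argv[5],
                                        argv[6], (size_t)*(int *)argv[7]);
    return 0;
}
```

Compile it with CRTBNDC into a library of your choice, register it with ADDEXITPGM EXITPNT(QIBM_QTMF_SERVER_REQ) FORMAT(VLRQ0100) PGMNBR(1) PGM(yourlib/yourpgm) (hypothetical names), and end and restart the FTP server with ENDTCPSVR SERVER(*FTP) and STRTCPSVR SERVER(*FTP) so that the server picks up the registration. The program returns 0 for any request it does not explicitly recognise, so the default is to reject; test a new policy table with a read-only profile before rolling it out to users who upload or run commands.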

Bsafe/Enterprise Security to Restrict AS400 FTP Access

An easy and cost-effective way of implementing FTP protection is a purpose-built AS400 security product that supplies ready-made FTP exit programs integrated with a system for assigning permissions to users. Bsafe/Enterprise Security is such a product. It includes a multi-level system of permissions, from a 'system default' through user groups down to individual users, and comes with an audit log that can record every AS400 FTP action made.

AS400 FTP Permission

Permissions are applied, under 'Account Type' on the permission screen, at different tiers of user grouping. The System Policy level is the default for anyone without a specified set of permissions and is normally devoid of permissions entirely, so a user with no entry of his own gets no FTP access. A single set of permissions can be defined for a group of users selected by name, for users sharing the same AS400 group profile, or by generic name. AS400 FTP permissions can also be given to an individual user, and a further option is to tie permissions to an IP address.

For each set of AS400 FTP permissions, whether for a user, a group or an IP address, Bsafe/Enterprise Security adds the flexibility of restricting individual FTP actions on the AS400 (the operations listed earlier). FTP client and FTP server permissions are defined separately.

To tighten control of AS400 FTP access further, the product lets you limit actions by library, object and IFS path, so that, for example, only certain libraries are allowed for a given user or group.