FTPSERVE Fails When Given Only RACF READ Access Authority
APAR Identifier ...... PQ21409
Last Changed ........ 99/02/16

FTPSERVE FAILS WHEN GIVEN ONLY RACF READ ACCESS AUTHORITY

Symptom ...... DD DOC
Status ........... CLOSED DOC
Severity ................... 4
Date Closed ......... 99/02/16
Component .......... 5735FAL00
Duplicate of ........
Reported Release ......... 310
Fixed Release ............
Component Name TCP/IP V2 FOR V
Special Notice
Current Target Date ..
Flags
SCP ...................
Platform ............

Status Detail: APARCLOSURE - APAR is being closed.

PE PTF List:
PTF List:
Parent APAR:
Child APAR list:

ERROR DESCRIPTION:
Customer followed the instructions provided in Appendix C of
"TCP/IP Function Level 310 Planning and Customization" to enable
the FTP server to use the RACROUTE facility. When completing
Step 2, the customer issued:

  PERMIT ICHCONN CLASS(FACILITY) ID(FTPSERVE) ACCESS(READ)

This command completed successfully. However, when the FTP server
was initialized, the following messages were issued:

  RACROUTE VERIFY call returns SafRc=00000004,RacfReas=00000020
  RACROUTE cannot be used for minidisk authorization
  Command "SRVRFTP inactive 1800 racf anonymou" ended with rc 0.
  Issuing command "exec FTPDEXIT ABORT 0 SRVRFTP inactive 1800 racf anonymou"...

After issuing a second PERMIT command to change the access
authority from "READ" to "UPDATE", FTP server initialization was
successful. The existing documentation is not correct; the
provided access authority MUST be "UPDATE".

LOCAL FIX:

PROBLEM SUMMARY:
****************************************************************
* USERS AFFECTED: Installations that plan to use the FTP       *
*                 server in a RACF ESM (External Security      *
*                 Manager) environment.                        *
****************************************************************
* RECOMMENDATION: UPDATE DOCUMENTATION                         *
****************************************************************
Information about RACF authorization requirements for the FTP
server in "TCP/IP Function Level 310 Planning and Customization"
is not correct.
The documentation in "Appendix C", "RACF Authorization
Requirements" of this publication incorrectly indicates that
providing the FTP server with READ authority is sufficient when
this server is enabled to use the RACROUTE facility. This is not
the case; the FTP server MUST be given UPDATE authority, as
indicated in the sample PERMIT command shown in this section.

PROBLEM CONCLUSION:
The revised information that follows will be included in any
future updates to the following publication(s):

  SC24-5847-00 -- TCP/IP Function Level 310 Planning and
                  Customization

Appendix C, "Using TCP/IP with an External Security Manager",
p. 513

In the section titled "RACF Authorization Requirements", for the
second bullet or list item, which reads:

  "The FTP and NFS servers must be enabled to use the RACROUTE
  facility:"

the text for "Step 2" is not correct. The existing text:

  2. Give READ or UPDATE access authority to FTP servers:

     PERMIT ICHCONN CLASS(FACILITY) ID(userid | groupid) ACCESS(UPDATE)

should instead be:

  2. Give UPDATE access authority to FTP servers:

     PERMIT ICHCONN CLASS(FACILITY) ID(userid | groupid) ACCESS(UPDATE)

TEMPORARY FIX:
COMMENTS:
MODULES/MACROS:
SRLS: SC31584700
RTN CODES:
CIRCUMVENTION:
MESSAGE TO SUBMITTER: