FTPSERVE Fails When Given Only RACF READ Access Authority


 APAR Identifier ...... PQ21409      Last Changed ........ 99/02/16
 FTPSERVE FAILS WHEN GIVEN ONLY RACF READ ACCESS AUTHORITY
 
 Symptom ...... DD DOC               Status ........... CLOSED  DOC
 Severity ................... 4      Date Closed ......... 99/02/16
 Component .......... 5735FAL00      Duplicate of ........
 Reported Release ......... 310      Fixed Release ............
 Component Name TCP/IP V2 FOR V      Special Notice
 Current Target Date ..              Flags
 SCP ...................
 Platform ............
 
 Status Detail: APARCLOSURE - APAR is being closed.
 
 PE PTF List:
 
 PTF List:
 
 Parent APAR:
 Child APAR list:
 
 ERROR DESCRIPTION:
 The customer followed the instructions provided in Appendix C
 of "TCP/IP Function Level 310 Planning and Customization" to
 enable the FTP server to use the RACROUTE facility.  When
 completing Step 2, the customer issued:
 
  PERMIT ICHCONN CLASS(FACILITY) ID(FTPSERVE) ACCESS(READ)
 
 This command completed successfully.  However, when the
 FTP server was initialized, the following messages were
 issued:
 
  RACROUTE VERIFY call returns SafRc=00000004,RacfReas=00000020
  RACROUTE cannot be used for minidisk authorization
  Command "SRVRFTP inactive 1800 racf anonymou" ended with rc 0.
  Issuing command "exec FTPDEXIT  ABORT 0 SRVRFTP inactive 1800
    racf anonymou"...
 
 After issuing a second PERMIT command to change the Access
 authority from "READ" to "UPDATE", FTP server initialization
 was successful.  The existing documentation is not correct; the
 provided access authority MUST be "UPDATE".
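
 The startup failure above can be caught from a captured FTP server console log. The following check is an added example, not part of the APAR or of IBM's code; the function name, the finding layout and the idea of a captured log file are assumptions, and only the code pair quoted in this APAR is mapped to a cause.

```python
import re

# Constructed sample: the startup messages quoted in this APAR, laid out as
# one captured console log (the capture itself is an assumption).
SAMPLE_LOG = """\
RACROUTE VERIFY call returns SafRc=00000004,RacfReas=00000020
RACROUTE cannot be used for minidisk authorization
Command "SRVRFTP inactive 1800 racf anonymou" ended with rc 0.
"""

VERIFY_RE = re.compile(
    r"RACROUTE VERIFY call returns "
    r"SafRc=([0-9A-Fa-f]{8}),\s*RacfReas=([0-9A-Fa-f]{8})")
FALLBACK_MSG = "RACROUTE cannot be used for minidisk authorization"

# Only the code pair documented in this APAR gets a specific hint.
KNOWN_CAUSES = {
    (0x04, 0x20): "ICHCONN access may be READ; this APAR requires PERMIT "
                  "ICHCONN CLASS(FACILITY) ID(userid | groupid) ACCESS(UPDATE)",
}


def check_ftp_startup(log_text):
    """Scan FTP server startup output; return one dict per RACROUTE problem."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = VERIFY_RE.search(line)
        if match:
            saf_rc, racf_reas = (int(g, 16) for g in match.groups())
            if saf_rc != 0:  # a zero SAF return code means the call succeeded
                findings.append({
                    "line": lineno, "kind": "verify_failed",
                    "saf_rc": saf_rc, "racf_reas": racf_reas,
                    "hint": KNOWN_CAUSES.get((saf_rc, racf_reas),
                                             "look up the SAF/RACF codes"),
                })
        elif FALLBACK_MSG in line:
            # The server has given up on RACROUTE and is about to stop.
            findings.append({"line": lineno, "kind": "racroute_unavailable"})
    return findings


if __name__ == "__main__":
    for finding in check_ftp_startup(SAMPLE_LOG):
        print(finding)
```
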
 
 LOCAL FIX:
 
 PROBLEM SUMMARY:
 ****************************************************************
 * USERS AFFECTED: Installations that plan to use the FTP       *
 *                 server in a RACF ESM (External Security      *
 *                 Manager) environment.                        *
 ****************************************************************
 * RECOMMENDATION: UPDATE DOCUMENTATION                         *
 ****************************************************************
 Information about RACF authorization requirements for the FTP
 server in "TCP/IP Function Level 310 Planning and
 Customization" is not correct.
 
 The documentation in "Appendix C", "RACF Authorization
 Requirements" of this publication incorrectly indicates that
 providing the FTP server with READ authority is sufficient when
 this server is enabled to use the RACROUTE facility.  This is
 not the case; the FTP server MUST be given UPDATE authority, as
 indicated in the sample PERMIT command shown in this section.
 
 PROBLEM CONCLUSION:
 The revised information that follows will be included in any
 future updates to the following publication(s):
 
   SC24-5847-00 -- TCP/IP Function Level 310 Planning and
                   Customization
 
   Appendix C, "Using TCP/IP with an External Security
                Manager", p. 513
 
 In the section titled "RACF Authorization Requirements", for
 the second bullet or list item, which reads:
 
  "The FTP and NFS servers must be enabled to use the RACROUTE
  facility:"
 
 the text for "Step 2" is not correct.  The existing text:
 
   2. Give READ or UPDATE access authority to FTP servers:
 
      PERMIT ICHCONN CLASS(FACILITY) ID(userid | groupid)
      ACCESS(UPDATE)
 
 should instead be:
 
   2. Give UPDATE access authority to FTP servers:
 
      PERMIT ICHCONN CLASS(FACILITY) ID(userid | groupid)
      ACCESS(UPDATE)
 
 TEMPORARY FIX:
 
 COMMENTS:
 
 MODULES/MACROS:
 
 SRLS:      SC31584700
 
 RTN CODES:
 
 CIRCUMVENTION:
 
 MESSAGE TO SUBMITTER: