FTP Server Automation Module Description
FTP Server Automation, FTP SA, is
a comprehensive solution for securing and automating FTP
file transfer traffic with the OS/400 FTP Server. FTP SA
secures all use of the OS/400 FTP server, whether it comes
from Windows FTP clients on the local network or from
FTP clients on the Internet.
FTP SA makes it possible to use your
AS/400 as a secured FTP server. For more information about
the security, see the chapter More about the FTP server
security later in this documentation.
FTP SA operates 'behind' the OS/400
FTP server feature, so it places no requirements
on the FTP clients. FTP SA is an optional module of the
Manycom Message product providing three main functions:
- Allows controlling the login requests
issued from the FTP clients. The FTP userid, password
and IP address combination must match the pre-configured
values. Additionally, a unique timetable can be attached
to each FTP user to control the access.
- Allows controlling the FTP subcommand
requests and the related parameters (AS/400 resource
names such as libraries, directories and filenames) issued
from the FTP clients. The requested subcommands and parameter
values must match those pre-configured for the user.
This control also applies to the 'remote command' subcommand.
- Allows attaching local tasks to the
configured FTP operations. The local task is executed
automatically after the specified FTP subcommand is issued
with the allowed parameters (AS/400 resource names) from
the FTP client. The local tasks can be started and executed
during the FTP session or as a scheduled batch job.
FTP SA always operates in the FTP server mode, listening
for incoming calls from FTP clients and responding to
the service requests (FTP client subcommands) entered from
the FTP clients. See the following figure.
Note that if your local AS/400 needs to be the FTP
client that calls the remote FTP servers, you should
select another module of MCM, the FTP Client Automation,
which makes it possible to secure and automate the FTP
client operations. FTP SA and FTP CA together provide an
extensive solution for automating all kinds of FTP file
More about the FTP server security
In a typical AS/400 environment all 'objects' including
database files are normally secured via applications, menus
and commands. The so-called 'object security' is seldom
used because of the hard maintenance work due to the large
number of objects. Typically only the most important database
file, command, menu and program objects are secured also
on the 'object security' level with the object security
settings facilitated by the OS/400 operating system.
It is very important to know that the OS/400 FTP server
feature (application) does not provide any 'application
level' security features or protect against unauthorized
use of the AS/400 resources (database files, commands,
programs, etc.)! The object security of the OS/400 is fully
supported by the OS/400 FTP server, but it is not enough
because, as mentioned above, the objects are seldom carefully
secured with object level settings.
For instance, if the OS/400 FTP server is activated, basically
any FTP client, which can establish a connection to the
OS/400 FTP server, can get access to all database files
with PUT, GET, DELETE and RENAME commands, if the objects
are not specifically and carefully protected. Additionally,
the FTP client can via the FTP 'remote command' run any
AS/400 command, if use of the command is not specifically
FTP SA is the 'missing' application to be used with the
OS/400 FTP server in order to secure the use of AS/400
resources on 'application level'. Note that even if
a hacker succeeds in logging in to your FTP server with a
valid pre-defined FTP userid and password, FTP SA allows
the hacker to perform only those FTP operations, and to access
with those operations only those resources, specified for
the FTP user. This effectively restricts the amount of
damage that a hacker could produce!
The security services provided by the FTP SA follow the
principle: What is not specifically allowed is denied!
FTP SA makes your AS/400 a secure FTP server!
For more information about how to prevent unauthorized
use and hackers connecting to your AS/400 FTP server, see
the manual MCM FTP Server Automation, Configuration Guide.
Login and resource security
Each user of the FTP server (FTP client) who wants to
log in to the OS/400 FTP server must be pre-configured
for the FTP SA. The FTP client who is allowed to log in
can execute only those FTP subcommands (PUT, GET, DIR,
RENAME, DELETE, etc.) pre-configured for the user. With
each subcommand the user can access and process only those
AS/400 resources (libraries, directories and files), which
are pre-configured for the user. Additionally, the user
can start only those local tasks specifically attached
to the pre-configured subcommands.
All other FTP logins and use of resources are implicitly
prohibited, when the exit programs of FTP SA are activated.
FTP SA (actually the FTP server feature of OS/400) sends
the FTP client the standard RFC return codes and messages
telling if the use of the FTP subcommand with the issued
parameters was accepted or restricted.
FTP SA logs all the FTP subcommands - both accepted and
restricted - with a time stamp, FTP user, IP address, requested
FTP subcommand with the parameters (e.g. library/directory,
filename, and the requested remote command).
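
The login and resource checks described above, modelled as an added example (not MCM's code or its configuration format). The user record, the wildcard patterns, the log tuple layout and all sample values are assumptions constructed for illustration; RCMD is the OS/400 FTP server's remote command subcommand.

```python
import hashlib, hmac
from dataclasses import dataclass
from datetime import datetime, time
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class FtpUser:        # hypothetical record, not the MCM configuration format
    salt: bytes
    pw: bytes         # PBKDF2 hash of the pre-configured password
    networks: list    # client networks the user may connect from
    hours: tuple      # timetable: (start, end) of the allowed daily window
    rules: dict       # subcommand -> allowed LIBRARY/FILE patterns

# Constructed sample configuration: one user who may only deliver order files.
SALT = b"constructed-salt"
USERS = {"ORDERS": FtpUser(SALT, pw_hash("example-password", SALT),
                           ["192.0.2.0/24"], (time(6, 0), time(18, 0)),
                           {"PUT": ["ORDLIB/INCOMING.*"], "RENAME": ["ORDLIB/*"]})}
LOG = []  # every request is recorded, accepted or restricted

def record(when, user, ip, subcmd, params, ok):
    LOG.append((when.isoformat(), user, ip, subcmd, params,
                "ACCEPTED" if ok else "RESTRICTED"))
    return ok

def login(user, password, ip, when: datetime):
    u = USERS.get(user)
    ok = (u is not None
          and hmac.compare_digest(u.pw, pw_hash(password, u.salt))
          and any(ip_address(ip) in ip_network(n) for n in u.networks)
          and u.hours[0] <= when.time() <= u.hours[1])
    return record(when, user, ip, "LOGIN", "", ok)

def resource_allowed(resource, patterns):
    lib, sep, name = resource.upper().partition("/")
    if not sep or "/" in name or ".." in name:  # accept plain LIBRARY/FILE only
        return False
    return any(fnmatchcase(f"{lib}/{name}", p) for p in patterns)

def request(user, ip, subcmd, params, when: datetime):
    # Default deny: an unknown user, an unlisted subcommand (RCMD, the remote
    # command, is not listed for ORDERS) or an unmatched resource yields False.
    rules = USERS[user].rules if user in USERS else {}
    ok = resource_allowed(params, rules.get(subcmd.upper(), []))
    return record(when, user, ip, subcmd.upper(), params, ok)
```
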
When an FTP file transfer ends and the received file is
successfully saved on AS/400 disk, or when a certain
FTP subcommand is entered from the FTP client, there is
usually a need to start an AS/400 application to process
the received file.
FTP SA allows attaching post-processes (CL commands and
creation of data queue entries) to the FTP client subcommands
for automatically starting the desired AS/400 tasks.
For instance, after a file containing orders has been
received and saved into the specified library and file
and renamed successfully into the specified filename, an
AS/400 order processing application can be called with
the file and library names.
FTP SA includes extensive logging functions in order to
save all service requests from the FTP clients in the log
file for operator control. All subcommands and the related
parameters are logged with the time stamps. The result
code of each subcommand (accepted or restricted) is also
logged with the FTP user ID and IP address.
FTP SA starts collecting log entries when FTP SA is activated.
This log has also proved to be very useful for 'revealing'
unwanted internal use of the FTP server.
Other modules and user applications to attach
FTP SA uses the CL command and data queue entry interfaces
to automatically start the local tasks. This means that
you can attach and utilize also MCM Data File Conversion
and MCM Advanced Automation modules or any other software
when processing the files after receiving them or before