FTP settings (7/8)
8. Validation Lists versus User Profiles
To enable FTP logon you may use validation lists instead of user profiles. This is especially convenient when you have a group of users that must be subject to the same access restrictions.
The following explains how to implement this feature.
  1. Create a validation list. Example:
    CRTVLDL VLDL(SECTCPDATA/GROUP1) TEXT('Validation list for FTP access via SECTCP') AUT(*USE)
    Note 1 - Any library name - not just SECTCPDATA - can be specified. However, grouping such validation lists in library SECTCPDATA may help in recalling what they are for.
    Note 2 - Make sure that at least AUT(*USE) is specified. In fact the default is AUT(*EXCLUDE) and that does not allow a validation list to be used by SECTCP.
  2. Add entries to this validation list.
    Each entry must specify a user-name and a password. Make sure that they are lowercase.
    You can maintain validation lists:
  3. Create a simple user profile for the FTP logon of all the users defined in one or more validation lists.
    Example:
    CRTUSRPRF USRPRF(LOGTOFTP) INLMNU(*SIGNOFF) AUT(*ALL)
  4. Use the appropriate SECTCP menu (see Figure 4) to define the FTP rights of this user profile.
    Example:
                                      Secured FTP                                  
                                Work with User Profiles                             
                                                                                    
      Type options and press Enter
    
       Options: 4=Remove
    
        User profile . . . . . . . . . . .  LOGTOFTP
          Substitute with user profile . .  __________
            and password . . . . . . . . .  __________ 
          Override NAMEFMT with  . . . . .  *PATH_       *SAME, *LIB, *PATH
          Override CURLIB with . . . . . .  __________ 
          Override HOMEDIR with  . . . . .  _________________________________________
    _________________________________________________________________________________
                              ALLOW ... 0/1=No/Yes                                  
          FTP logon  . . . . . . . .  1      Receive Files  . . . . . .  1
          Exit Home Directory  . . .  0      Send Files . . . . . . . .  1
          Set Current Directory  . .  1      Rename Files . . . . . . .  1
          Create Directory/Lib . . .  0      Delete Files . . . . . . .  1
          Delete Directory/Lib . . .  0      Execute CL Command . . . .  0
          Directory/Lib Listing  . .  1
                            
    (Please note that in this case we have restricted this user profile to stay within its home directory)
  5. The validation list and the SECTCP-defined user profile should now be "connected".
    There are two ways to implement such a connection:
    1. Use WSECTCP, the WEB front-end to control SECTCP.
      WSECTCP has a WEB page, named Work with VLDL connectors that makes this job very easy.
    2. Do it manually, as explained hereafter.
      Use DFU to add a record to file SECTCPDATA/VLDLS.
      Records of this file provide links between validation lists and user profiles.
      Example:
       WORK WITH DATA IN A FILE                       Mode . . . . :   ENTRY
       Format . . . . :   VLDLRCD                     File . . . . :   VLDLS
                                                                            
       VLDL name:          GROUP1____                                           
       VLDL library name:  SECTCPDATA                                       
       Linked USRPRF name: LOGTOFTP__                                         
       Set home directory: Y                                                
                                                                            
                                  
      1. VLDL name - Name of a validation list containing usernames/passwords for FTP logon
      2. VLDL library name - Library name of this validation list
      3. Linked USRPRF name - User profile that will be used for FTP logon
      4. Set home directory (Y or N) - Whether the initial current directory should be:
        /HOME/user_profile_name/validation_list_entry_user_name
        Example: /HOME/LOGTOFTP/jsmith
        Note 1. By setting the home directory in this way, and specifying "Exit Home Directory . . . 0" in the SECTCP properties for the user profile, the user can never get out from his assigned home directory.
        Note 2. This home directory is automatically created by SECTCP, if not yet existing.

The following describes the process of the FTP logon carried out by SECTCP:

  1. The user starts FTP
  2. The user logs on with a username and a password
  3. SECTCP searches for a matching validation list entry (username and password) in all the validation lists recorded in file SECTCPDATA/VLDLS.
    • If a matching validation list entry is found, then SECTCP logs on to FTP with the user profile linked to that validation list and sets - if required - the proper home directory.
    • If no matching validation list entry is found, then the username and password are validated through the user profile system.
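The logon sequence just described, as an added Python simulation (not SECTCP's own code): the VLDLS connector records, validation-list entries and user profiles are constructed sample data, and the lookup order, lowercase rule and home-directory layout follow the page. Real validation lists store the password encrypted; it is kept in clear here only for the simulation.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample: one SECTCPDATA/VLDLS connector record per validation list,
# in the order SECTCP would read them (hypothetical field names).
VLDLS = [
    {"vldl": "GROUP1", "lib": "SECTCPDATA", "usrprf": "LOGTOFTP", "sethome": "Y"},
    {"vldl": "GROUP2", "lib": "SECTCPDATA", "usrprf": "LOGTOFTP2", "sethome": "N"},
]

# Constructed validation-list contents. Entries must be lowercase (page rule);
# a real validation list keeps the password encrypted, this simulation does not.
VALIDATION_LISTS = {
    ("SECTCPDATA", "GROUP1"): {"jsmith": "s3cret-1"},
    ("SECTCPDATA", "GROUP2"): {"bjones": "s3cret-2"},
}

# Constructed stand-in for the ordinary user profile system (fallback path).
USER_PROFILES = {"QSECOFR": "profile-pw"}


@dataclass
class LogonResult:
    source: str               # "vldl" or "usrprf": which path accepted the logon
    usrprf: str               # profile SECTCP uses for the FTP session
    homedir: Optional[str]    # initial current directory, if SECTCP sets one


def resolve_ftp_logon(username: str, password: str) -> Optional[LogonResult]:
    """Mimic SECTCP's order: validation lists first, user profile system second."""
    for rec in VLDLS:
        entries = VALIDATION_LISTS.get((rec["lib"], rec["vldl"]), {})
        stored = entries.get(username)  # case-sensitive: "JSMITH" never matches
        if stored is not None and hmac.compare_digest(stored, password):
            home = None
            if rec["sethome"] == "Y":
                # /HOME/user_profile_name/validation_list_entry_user_name
                home = f"/HOME/{rec['usrprf']}/{username}"
            return LogonResult("vldl", rec["usrprf"], home)
    # No validation-list entry matched: validate against user profiles instead.
    stored = USER_PROFILES.get(username.upper())
    if stored is not None and hmac.compare_digest(stored, password):
        return LogonResult("usrprf", username.upper(), None)
    return None  # access rejected
```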