
Locking down FTP from AS/400 to PC

Is there any way to lock down FTP so that a person on a PC can't FTP a file from the AS/400 to their PC?

There are several ways to accomplish this -- the best way is to use object-level security. In the case of files containing sensitive information, the best way is to change the application using the file to adopt authority and then set the file to *PUBLIC *EXCLUDE. Setting *PUBLIC to *EXCLUDE will prevent viewing and downloads through any interface -- FTP, ODBC, sockets, Web, command line, etc. (But since you've changed the application programs to adopt, the application will still work.)

Another, less robust (but free!) method is to configure the TCP/IP portion of Application Administration (which is a feature of iSeries Navigator) to disallow FTP functions for selected (or all) users. To get to Application Administration, open an iSeries Navigator session, right-click on the system name and choose "Application Administration." Click on the "Host Applications" tab. Open "TCP/IP Utilities for iSeries" and then open "File Transfer Protocol." From here you can click on the service you want to allow or disallow and then click the Customize button. From here you can add users to allow or disallow. In V5R3 there are green screen commands such as Work with Function Usage (WRKFCNUSG) you can use to configure who can use FTP, but I find the Application Administration interface much easier to use.

The Application Administration approach is an all-or-nothing method, meaning if you want to allow users to download some files but not all files, this method is not granular enough. In this case you may want to check out one of the many vendors that provide exit program solutions, as they are all quite granular as to who can do what through exit programs (FTP, ODBC, DDM, etc.). The limitation is that the control is ONLY through exit programs that OS/400 and i5/OS have defined and, therefore, will not be in effect through interfaces such as Web applications, sockets or command-line access.
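
The object-level approach from the start of the answer (adopted authority plus *PUBLIC *EXCLUDE), written out as CL. This is an added example, not part of the original answer; the library PAYLIB, file PAYMAST, program PAYRPT and owner profile PAYOWN are hypothetical names.

```cl
/* Added example. PAYLIB, PAYMAST, PAYRPT and PAYOWN are hypothetical names. */

/* 1. Put the file and the application program under one owning profile.    */
/*    Ownership is changed before adoption is switched on in step 2.        */
CHGOBJOWN  OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) NEWOWN(PAYOWN) CUROWNAUT(*REVOKE)
CHGOBJOWN  OBJ(PAYLIB/PAYRPT)  OBJTYPE(*PGM)  NEWOWN(PAYOWN) CUROWNAUT(*REVOKE)

/* 2. Make the program adopt its owner's authority while it runs, so the    */
/*    application can still open the file on behalf of the calling user.    */
CHGPGM     PGM(PAYLIB/PAYRPT) USRPRF(*OWNER)

/* 3. Users only need authority to call the program, not to the file.       */
GRTOBJAUT  OBJ(PAYLIB/PAYRPT) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*USE)

/* 4. Exclude everyone else from the file itself. This is what blocks FTP,  */
/*    ODBC and command-line access, because none of those interfaces run    */
/*    under the adopting program.                                           */
GRTOBJAUT  OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*EXCLUDE) +
             REPLACE(*YES)

/* 5. Verify: review who still holds authority to the file, and confirm     */
/*    the program shows User profile = *OWNER.                              */
DSPOBJAUT  OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE)
DSPPGM     PGM(PAYLIB/PAYRPT)
```

*PUBLIC *EXCLUDE does not stop a profile that has *ALLOBJ special authority or its own private authority to the file, so the DSPOBJAUT output in step 5 is the place to look for entries that should be removed.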
