Kisco Systems

Kisco U

FTP on IBM i

Home : Kisco U : FTP on IBM i

Check if FTP is active:

WRKACTJOB SBS(QSYSWRK) JOB(QTFT*)

Look for jobs listed named QTFTPnnnnn. If FTP is active, you will find several of these jobs shown.

In Nav: Network > Servers > TCP/IP Servers

Can you just disable FTP?
To turn the FTP server off, run the ENDTCPSVR command specifying the *FTP server option. Most systems come from IBM with the FTP server set to start automatically whenever TCP/IP is started. You can change this by running the Change FTP Attributes (CHGFTPA) command. Prompt it with the F4 key and check the first parameter. If it is set to *YES, then FTP is going to start automatically at every IPL. Changing this to *NO will stop this from happening.

IMPORTANT! FTP users are subject to OS security configuration.

Make sure there are no default passwords on your system.

In order for data to be accessible to FTP, it must have a minimum security setting of *USE. If you have a user profile that is regularly using FTP and there are concerns about access, make sure that they do not have a minimum setting of *USE for any objects you do not want them working with.

FTP permissions in Function Usage

Read more about Function Usage here.

Profile Swapping

A problem can easily come up when a user profile is used in different contexts. For example, when a user has access to certain sensitive objects for their daily work flow that are accessed by program control and that user is also an FTP user and logs in to do file transfers using FTP. Different contexts could create a security exposure. When this user signs on using FTP, they will still have access to the sensitive data files that they are authorized for from their daily work flow. If this situation exists, you need to address a way to deal with it.

The Sytem i OS also supports profile swapping, which could be another solution to this problem. Using swapping, the user signs on with one profile, but then the OS swaps their profile to look and act like a different profile.

Programs can swap profiles using a combination of two IBM i OS APIs. The APIs are QSYGETPH (Get Profile Handle) and then QWTSETP (Swap Profile). The swap requires that you use a profile handle rather than the user profile itself. Using this technique, you can make sure that the user has access to required objects without granting the full access.

FTP exit points

These exit points control FTP on IBM i:

  • *FTPClient [VLRQ0100]
    FTP Client Request Validation: This function is used whenever the IBM i is a client, issuing FTP commands to a remote system.

  • *FTPLOGON3 [TCPL0300]
    FTP Logon Server 3 - 300: This server is used any time the IBM i answers an FTP start request from another system or user. Default and primarily supported FTP Logon point for all OS levels V5R1 and above.

  • *FTPSERVER [VLRQ0100]
    FTP Server Request Validation: This function is used whenever the IBM i receives an FTP command it must act upon.

Read more about exit points here.

Our SafeNet/i product is a security solution that uses exit points to control inbound and outbound FTP.