IBM Z Hardware and Operating Systems Ideas Portal



Status Delivered
Workspace z/OS
Created by Guest
Created on Oct 5, 2018

Increasing Security and Control for FTP JES Interface

Provide mechanisms for disabling and restricting the use of the FTP JES interface.
Add a JESINTERFACELEVEL=0 option in configuration file FTP.DATA to prohibit FTP users from interfacing with JES. Allowing access to JES from FTP introduces a security exposure where a user can submit jobs and issue TSO commands with a batch TMP from a userid without a TSO segment, run REXX (IRXJCL) and BPXBATCH shells and programs that try to exploit system vulnerabilities.
For those installations who choose to keep the default JESINTERFACELEVEL=1 or set this option to 2, add SAF resource authorization checks to govern its use. One SAF resource would control use of the SITE command to restrict who can specify FILETYPE=JES. Another would control use of PUT with SITE FILETYPE=JES to restrict who can submit jobs via FTP. Yet another would control use of GET to restrict who can retrieve output. An alternative would be to have one resource and different access levels (e.g., READ to use GET and UPDATE to use PUT). These resource checks allow for auditability as well as control. Updates to the desired permissions would be performed easily and dynamically via a RACF/SAF profile instead of a redesign and re-compile of the FTCHKCMD user exit and recycle of the FTP server.
To maintain compatibility with current functionality, FTP Server would only deny commands where RACF/SAF returns CC > 4. A non-existent profile would not prevent SITE FILETYPE=JES from executing.
The FTP command “SITE FILETYPE=JES”, on a system that either has JESINTERFACELEVEL=0 or receives CC > 4 from RACF/SAF, is denied and the server returns “500 Unknown Command”.
The FTP command “SITE FILETYPE=JES”, on a system that has either JESINTERFACELEVEL=1 or JESINTERFACELEVEL=2 and receives CC <= 4 from RACF/SAF, is permitted and the server returns “200 Command Accepted”.

Idea priority Low
  • Guest
    May 12, 2022
    This requirement is addressed via APAR PH42618 which provides a SERVAUTH class resource to explicitly control user access to FTP JES mode. This is available on z/OS V2R3, V2R4, and V2R5.
  • Guest
    Apr 13, 2021

    This would be great; however, I need a way to allow those that are executing on the platform but not from off platform to be really effective. We have many processes on the platform that use this function.

  • Guest
    Feb 3, 2021

    This would be a really nice and necessary feature...