iSeries400 HTTP protection

Case name CASE01
Objective Validating a request versus an existing AS/400 user profile
Case
description
We have an HTML source file, HTMLSEC in library WEBSECURE.
All the members in this file are to be made secure in the web environment (also in other environments, but we shall not discuss this point).
We want to enable web access to html member CASE01TRY (in file WEBSECURE/HTMLSEC) only to those users who are able to correctly spell the name and the password of a given user profile existing on this AS/400.
Solution We did the following:
  1. In the http directives, provide a shortcut path to this security sensitive file (this was not strictly necessary, but we wanted to test whether not only the real path, but also the shortcut path, is protected)
    Map /websechs/* /QSYS.LIB/WEBSECURE.LIB/HTMLSEC.FILE/*
    Take a look at our http directives.
  2. Then we used http server ADMIN to generate the http protection directives in the CONFIG configuration file of our DEFAULT http server.
    See below how we did it.

1. ADMIN

Here is how we generated the protection http directives through ADMIN

Step 1

  1. Get ADMIN AS/400 Tasks page
  2. Click on IBM HTTP server for AS/400
  3. Click on Configuration and Administration
  4. Click on Configurations, then select the configuration name of the http server you want to maintain
  5. Click on Protection to get a sublist
  6. Click on Create a protection setup

Create protection setup

Configuration: Config
Specify a protection setup
Protection setup:
Authentication options:
     Always prompt for user/password
     Use SSL client authentication

Click on Next to go to Step 2

Step 2

Create protection setup

Configuration: Config
Protection setup: CASE01

Authentication

User/Password Authentication

Protection realm:
Choose one user/password authentication option:
Prompt for user/password using AS/400 profile
Prompt for user/password using validation list
Validation list:
Prompt for user/password using an LDAP server
LDAP server setup name:       


Authorization

User ID:
Group file:
Masks:
       DELETE:
       GET:
       POST:
       PUT:
       All:
Allow ACL files to override protection settings

Click on Apply to complete your protection setup
Comments on Step 2
  • The HTTP server supports a number of methods (such as GET, POST, HEAD, DELETE, PUT, etc.) to be performed on a URL request. See here to know more.
  • For mask subdirectives, see here.


Step 3

Click on Document protection, to define the documents to be protected via this Protection Setup

Document protection

Configuration: Config

Index     URL template    Protection setup    Server IP address or host name
Example   /restricted/*   WEB_MASTERS         9.83.29.4
Example   /Usage/*        PROT_ADMIN
Example   /Documents/*                        host.ibm.com

Index: Insert before / Replace / Insert after / Remove
URL template:
Define protection settings: In-line
  Named protection setup:
Server IP address or host name:

Authentication options for in-line document protection:
        Always prompt for user/password
        Use SSL client authentication

2a. HTTP protection directives

ADMIN would add the following protection directives to our http directives
(you could have entered them manually in the http server configuration file, using the WRKHTTPCFG command):
  • protection setup directives (the Protection block)
  • Document Protection directives (the Protect directive)
Click on the underlined keywords to display the related specifications in publication
SC41-5434 HTTP Server for AS/400 Webmaster's Guide

Protection CASE01 {
       PasswdFile %%SYSTEM%%
       ACLOverride Off
       PostMask All
       GetMask All
       AuthType Basic
       ServerID CASE01_PROTECTION
       UserID WEBUSER01
}
Protect /websechs/case01try* CASE01
Comments on Protection subdirectives
  1. Mask subdirectives.
    Mask subdirectives may be used to specify valid user names, groups, and address templates for different types of request.
    See here for detailed information.
  2. UserID subdirective.
    This subdirective tells which AS/400 user profile the http server should use to complete the request.
    As an example,
        UserID WEBUSER01
    where WEBUSER01 is an existing AS/400 user profile having enough rights to access the protected pages.
      It would be wise to make WEBUSER01 a user profile created just for http security, and not usable for anything else.
    In such a case, user profile WEBUSER01 should specify

    INLMNU(*SIGNOFF) SPCAUT(*USRCLS) PWDEXPITV(*NOMAX)
    When PasswdFile has the special value %%SYSTEM%% (the AS/400 user profile support is used to validate user names and passwords), there are two special values you can use on this subdirective.
    • Entering %%CLIENT%% causes the server to use the profile returned in the dialog box from the remote client.
    • Entering %%SERVER%% causes the server to use the profile the http server is currently running with.
Comments on Document Protect directive
  1. Protect directives are case sensitive
  2. A Protect directive must be positioned before the corresponding Pass directive
  3. If a URL to be protected may be accessed through a shortcut path name (that is, there is a Map directive which allows the real path to be substituted by a shortcut name), we recommend also inserting a Protect directive mentioning this shortcut URL.
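The three rules above are easy to get wrong by hand when the configuration file grows. The following is an added example, not code from the page or from IBM: a small linter that reads the original HTTP Server for AS/400 directives as text and reports a Protect placed after the Pass that serves the same URLs, and a Map shortcut that reaches a protected real path without a Protect of its own. The two configuration samples are constructed for the example; the matching uses case-sensitive wildcard comparison because Protect directives are case sensitive.

```python
"""Linter for the Protect rules on this page (added example; the directive
samples below are constructed, not taken from a real configuration)."""
import fnmatch
from dataclasses import dataclass, field


@dataclass
class Directives:
    maps: list = field(default_factory=list)      # (shortcut_template, real_template)
    passes: list = field(default_factory=list)    # (line_no, template)
    protects: list = field(default_factory=list)  # (line_no, template, setup_name)


def parse_directives(text: str) -> Directives:
    """Collect only Map, Pass and Protect; Protection {...} blocks and comments are skipped."""
    d = Directives()
    for no, raw in enumerate(text.splitlines(), start=1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "Map" and len(parts) >= 3:
            d.maps.append((parts[1], parts[2]))
        elif parts[0] == "Pass" and len(parts) >= 2:
            d.passes.append((no, parts[1]))
        elif parts[0] == "Protect" and len(parts) >= 3:
            d.protects.append((no, parts[1], parts[2]))
    return d


def _literal_prefix(template: str) -> str:
    return template.split("*", 1)[0]


def overlaps(a: str, b: str) -> bool:
    """True when two URL templates can match the same request URL.
    Protect templates are case sensitive, so the comparison is too."""
    return (fnmatch.fnmatchcase(_literal_prefix(a), b)
            or fnmatch.fnmatchcase(_literal_prefix(b), a))


def lint(text: str) -> list:
    """Return one message per violated rule; an empty list means both rules hold."""
    d = parse_directives(text)
    findings = []
    # Rule: a Protect must be positioned before the Pass that serves the same URLs.
    for p_no, p_tpl, setup in d.protects:
        for s_no, s_tpl in d.passes:
            if s_no < p_no and overlaps(p_tpl, s_tpl):
                findings.append(f"line {p_no}: Protect {p_tpl} ({setup}) comes after Pass {s_tpl} on line {s_no}")
    # Rule: a Map shortcut onto a protected real path needs a Protect of its own.
    for short_tpl, real_tpl in d.maps:
        real_protected = any(overlaps(t, real_tpl) for _, t, _ in d.protects)
        short_protected = any(overlaps(t, short_tpl) for _, t, _ in d.protects)
        if real_protected and not short_protected:
            findings.append(f"Map {short_tpl} reaches protected {real_tpl} but no Protect covers the shortcut")
    return findings


# Constructed sample: Pass precedes Protect, and the /websechs/ shortcut is unprotected.
BAD_DIRECTIVES = """\
Map /websechs/* /QSYS.LIB/WEBSECURE.LIB/HTMLSEC.FILE/*
Pass /QSYS.LIB/WEBSECURE.LIB/HTMLSEC.FILE/*
Protection CASE01 {
       PasswdFile %%SYSTEM%%
       ACLOverride Off
       PostMask All
       GetMask All
       AuthType Basic
       ServerID CASE01_PROTECTION
       UserID WEBUSER01
}
Protect /QSYS.LIB/WEBSECURE.LIB/HTMLSEC.FILE/CASE01TRY* CASE01
"""

# Constructed sample following all three rules: both paths protected, Pass last.
FIXED_DIRECTIVES = """\
Map /websechs/* /QSYS.LIB/WEBSECURE.LIB/HTMLSEC.FILE/*
Protection CASE01 {
       PasswdFile %%SYSTEM%%
       ACLOverride Off
       PostMask All
       GetMask All
       AuthType Basic
       ServerID CASE01_PROTECTION
       UserID WEBUSER01
}
Protect /QSYS.LIB/WEBSECURE.LIB/HTMLSEC.FILE/CASE01TRY* CASE01
Protect /websechs/case01try* CASE01
Pass /QSYS.LIB/WEBSECURE.LIB/HTMLSEC.FILE/*
"""

if __name__ == "__main__":
    for name, text in (("bad", BAD_DIRECTIVES), ("fixed", FIXED_DIRECTIVES)):
        print(name, lint(text) or "OK")
```

Run it against a copy of the configuration exported from WRKHTTPCFG; the wildcard overlap test is deliberately loose (it compares the literal part of each template), so treat a finding as something to look at rather than as proof of a hole.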

2b. APACHE directives

If you are running HTTP server (powered by Apache) you need to specify the following Apache directives in your httpd.conf configuration file:

<Location /websechs/case01try.*>
   AuthType Basic
   AuthName CASE01_PROTECTION
   PasswdFile %%SYSTEM%%
   UserID WEBUSER01
   Require valid-user
</Location>
For detailed information about Apache directives, see here.

3. The result

As a result, the first time (since you opened your web browser) you try to access a document protected via this Protection setup,
you receive a dialog box like the following

You may try now.
When you receive the real dialog box, enter
  • User Name WEBUSER01 and password WEBUSER01
    or
  • any other name and password of an existing AS/400 user profile you know of
Username and Password Required

Enter username for CASE01_PROTECTION at nnn.nnn.nnn.nnn

User Name:
Password:
The following will happen:
  1. If the user name and the password are correct (for example, those of user profile WEBUSER01), the http server will
    temporarily switch to user profile WEBUSER01 to complete the request
    • if the request is accepted, the secured page is displayed, and the dialog box is no longer shown (you will always be able to access this page) until you restart your browser
    • if the request is not accepted, an error message is displayed, and the dialog box is no longer shown (you cannot access this page) until you restart your browser
  2. If the user name and/or the password are not correct
    1. you receive an error message
    2. on the next attempt you will receive this dialog box again
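To make the exchange behind this dialog box concrete, here is an added example (not code from the page or from IBM) that models one request against the CASE01 protection setup: the 401 challenge that makes the browser open the dialog, the Basic credentials the browser then sends, validation against a constructed stand-in for the AS/400 profile store that %%SYSTEM%% refers to, the GetMask/PostMask check, and the switch to the UserID profile WEBUSER01 once the caller is accepted. The profile table, the salted hashing and the rule that a method without a mask is refused are assumptions made for the example.

```python
"""One HTTP Basic authentication decision, modelled on the CASE01 setup
(added example; the profile store and mask handling are assumptions)."""
import base64
import fnmatch
import hashlib
import hmac

# Constructed stand-in for the AS/400 user profile store consulted when
# PasswdFile is %%SYSTEM%%. Profile names are case-insensitive and stored
# uppercased; passwords are kept only as salted SHA-256 digests.
_SALT = b"case01-example-salt"


def _digest(password: str) -> bytes:
    return hashlib.sha256(_SALT + password.encode("utf-8")).digest()


PROFILES = {
    "WEBUSER01": _digest("WEBUSER01"),   # the profile named in UserID
    "JSMITH": _digest("correct horse"),  # any other existing profile
}

# The page's Protection setup as data. Assumption: a mask of "All" allows any
# authenticated user, a set lists allowed profiles, and a method with no mask
# (here PUT and DELETE) is refused.
PROTECTION = {
    "ServerID": "CASE01_PROTECTION",
    "UserID": "WEBUSER01",
    "masks": {"GET": "All", "POST": "All"},
}
PROTECT_TEMPLATE = "/websechs/case01try*"   # from the Protect directive


def validate_profile(user: str, password: str) -> bool:
    """True when the profile exists and the password matches (constant-time compare)."""
    expected = PROFILES.get(user.upper())
    return expected is not None and hmac.compare_digest(expected, _digest(password))


def _parse_basic(header):
    """Return (user, password) from an 'Authorization: Basic <base64>' value, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("latin-1")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    return tuple(raw.split(":", 1))


def _challenge() -> dict:
    """The 401 that makes the browser show 'Enter username for CASE01_PROTECTION'."""
    realm = PROTECTION["ServerID"]
    return {"status": 401,
            "headers": {"WWW-Authenticate": f'Basic realm="{realm}"'},
            "effective_profile": None}


def handle_request(method: str, path: str, headers: dict) -> dict:
    """Decide one request the way the Protect/Protection pair would."""
    if not fnmatch.fnmatchcase(path, PROTECT_TEMPLATE):
        # Not covered by the Protect directive: served under the server's own profile.
        return {"status": 200, "headers": {}, "effective_profile": "%%SERVER%%"}
    creds = _parse_basic(headers.get("Authorization"))
    if creds is None or not validate_profile(*creds):
        return _challenge()          # error, then the dialog box again
    user = creds[0].upper()
    mask = PROTECTION["masks"].get(method.upper())
    allowed = mask == "All" or (isinstance(mask, set) and user in mask)
    if not allowed:
        return {"status": 403, "headers": {}, "effective_profile": None}
    # Accepted: the server completes the request as the UserID profile,
    # whichever existing profile actually typed its name and password.
    return {"status": 200, "headers": {}, "effective_profile": PROTECTION["UserID"],
            "authenticated_as": user}


def basic_header(user: str, password: str) -> str:
    """Build the header value a browser sends after the dialog box is filled in."""
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")
    return "Basic " + token


if __name__ == "__main__":
    print(handle_request("GET", "/websechs/case01try.htm", {}))
    print(handle_request("GET", "/websechs/case01try.htm",
                         {"Authorization": basic_header("jsmith", "correct horse")}))
```

The browser keeps re-sending the same Authorization header for the rest of its session, which is why the dialog box does not reappear until you restart it, whether the first answer was accepted or refused. Basic only base64-encodes the user name and password, so the ADMIN option to pair this setup with SSL is worth taking on anything reachable beyond a trusted network.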

Try to access a URL protected as discussed in this page