iSeries 400 HTTP protection

Case name CASE02
Objective Validating vs a validation list
Introduction Validation list objects (object type *VLDL, introduced in V4R1) provide a method for applications to securely store user authentication information.
The Internet Connection Server (ICS) uses validation lists to implement the concept of an Internet user.
When performing user validation, the ICS can use the information from a validation list rather than require all users of the ICS to have an AS/400 user ID and password.
To create and delete validation lists, you can use the CL commands Create Validation List (CRTVLDL) and Delete Validation List (DLTVLDL), or use the HTTP server ADMIN interface to do the same.
Application Programming Interfaces (APIs) are also provided to allow applications to add, change, remove, verify (authenticate), and find entries in a validation list. For more information and examples, see OS/400 Security APIs, SC41-5872.
Case description
We have an HTML source file, HTMLSEC, in library WEBSECURE.
All the members in this file are to be made secure in the web environment.
We want to enable web access to HTML member CASE02TRY (in file WEBSECURE/HTMLSEC) only to those users who belong to a given validation list.
Solution We did the following:
  1. We used command CRTVLDL to create validation list VLDL01 in library WEBSECURE.
    This validation list
    • is owned by user profile WEBUSER01
    • has authority *EXCLUDE for *PUBLIC
    • has authority *USE for user profile QTMHHTTP
  2. Entries in a validation list can be easily maintained via ADMIN (see later).
    However, as we knew that ADMIN would request at least a PC object with extension .grp in a root directory, we created file group01.grp in directory /websecure.
    Its authorities are:
    User       Data Authority   Object Authorities
                                Exist  Mgt  Alter  Ref
    *PUBLIC    *R               X (a single object authority; which column is not legible)
    QSECOFR    *RWX             X      X    X      X

1. ADMIN

Here is how we used ADMIN to fulfil our objective.

Step 1

  1. Get ADMIN AS/400 Tasks page
  2. Click on IBM HTTP server for AS/400
  3. Click on Configuration and Administration
  4. Click on Internet Users to get a sublist
  5. Click on Add Internet user

Add Internet user (form fields)

  Name: the Internet user name (giovanni in this case)
  Password: the user's password (giovanni in this case)
  Confirm password:
  Comments:
  Validation list: the validation list the user is added to (WEBSECURE/VLDL01 in this case)
  Group file: the group file (/websecure/group01.grp in this case)
  Group: the group the user is added to (music in this case)

Click on Apply to add this Internet user.
  Note on the group file
After adding this Internet user, the contents of the group file /websecure/group01.grp are:
music: giovanni


Step 2

  1. Click on Configurations, then select the configuration name of the HTTP server you want to maintain
  2. Click on Protection to get a sublist
  3. Click on Create a protection setup

Create protection setup (form fields)

  Configuration: Config
  Specify a protection setup
  Protection setup: the name of the new protection setup (CASE02 in this case)
  Authentication options (choose one):
     Always prompt for user/password
     Use SSL client authentication

Click on Next to go to Step 3

Step 3

Create protection setup (form fields)

  Configuration: Config
  Protection setup: CASE02

  Authentication: User/Password Authentication
    Protection realm: the realm name the browser shows in its dialog box (CASE02_PROTECTION in this case)
    Choose one user/password authentication option:
      Prompt for user/password using AS/400 profile
      Prompt for user/password using validation list
        Validation list: (WEBSECURE/VLDL01 in this case)
      Prompt for user/password using an LDAP server
        LDAP server setup name:

  Authorization
    User ID: the AS/400 user profile the server switches to for accepted requests (WEBUSER01 in this case)
    Group file:
    Masks (GET and POST are set to All in this case):
      DELETE:
      GET:
      POST:
      PUT:
      All:
    Allow ACL files to override protection settings (off in this case)

Click on Apply to complete your protection setup


Step 4

  Note. In this step we are going to use a shortcut name /websechs/* for the path to file WEBSECURE/HTMLSEC.
See our HTTP directives.
Click on Document protection to define the documents to be protected via this Protection Setup

Document protection (form)

  Configuration: Config

  Index    URL template           Protection setup   Server IP address or host name
  Example  /restricted/*          WEB_MASTERS        9.83.29.4
  Example  /Usage/*               PROT_ADMIN
  Example  /Documents/*                              host.ibm.com
  1        /websechs/case01try*   CASE01

  Index: Insert before / Insert after / Replace / Remove
  URL template: (/websechs/case02try* in this case)
  Define protection settings: In-line, or Named protection setup (CASE02 in this case)
  Server IP address or host name:

  Authentication options for in-line document protection:
    Always prompt for user/password
    Use SSL client authentication

2a. HTTP directives

ADMIN would add the following protection directives to our HTTP directives
(you could have entered them manually in the HTTP server configuration file, using the WRKHTTPCFG command):
  • protection setup directives (the Protection block)
  • Document Protection directives (the Protect line)
The related specifications are in publication SC41-5434, HTTP Server for AS/400 Webmaster's Guide.

Protection CASE02 {
       PasswdFile WEBSECURE/VLDL01
       ACLOverride Off
       PostMask All
       GetMask All
       AuthType Basic
       ServerID CASE02_PROTECTION
       UserID WEBUSER01
}
Protect /websechs/case02try* CASE02

2b. APACHE directives

If you are running HTTP server (powered by Apache) you need to specify the following Apache directives in your httpd.conf configuration file:

<Location /websechs/case02try.*>
   AuthType Basic
   AuthName CASE02_PROTECTION
   PasswdFile WEBSECURE/VLDL01
   UserID WEBUSER01
   Require valid-user
</Location>
For detailed information about Apache directives, see the HTTP Server (powered by Apache) documentation.

3. The result

As a result, the first time (since you opened your web browser) you try to access a document protected via this Protection setup,
you receive a dialog box like the following:

  [Browser dialog "Username and Password Required": Enter username for CASE02_PROTECTION at nnn.nnn.nnn.nnn, with User Name and Password fields]

You may try now.
When you receive the real dialog box, enter
  • the name and password of a user recorded in validation list WEBSECURE/VLDL01,
    for instance, user giovanni and password giovanni.
The following will happen:
  1. If the user name and the password are correct, the HTTP server will
    temporarily switch to user profile WEBUSER01 to complete the request
    • if the request is accepted, the secured page is displayed, and the dialog box is no longer presented (you will always be able to access this page) until you restart your browser
    • if the request is not accepted, an error message is displayed, and the dialog box is no longer presented (you cannot access this page) until you restart your browser
  2. If the user name and/or the password are not correct
    1. you receive an error message
    2. on the next attempt you will receive this dialog box again
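The exchange described in this section, together with the add/verify behaviour of the validation-list APIs mentioned in the introduction, as an added example that is not code from the IBM page nor from the HTTP server itself. It assumes a toy in-memory ValidationList standing in for WEBSECURE/VLDL01 (the real OS/400 validation-list APIs are not called), a PBKDF2 digest instead of whatever the *VLDL object stores internally, and a dictionary standing in for the browser's per-realm credential cache; the user giovanni is the one documented in this case.

```python
"""Added example, not code from the IBM page: a self-contained model of the
validation-list-backed HTTP Basic authentication this case sets up.

Constructed assumptions:
  - ValidationList is a toy in-memory stand-in for the *VLDL object
    WEBSECURE/VLDL01 (the real OS/400 validation-list APIs are not used);
  - entries keep a salted PBKDF2 digest, never the clear password;
  - realm_cache models the browser's "no more dialog until restart" behaviour.
"""
import base64
import hashlib
import hmac
import secrets

REALM = "CASE02_PROTECTION"   # ServerID / AuthName of protection setup CASE02
PBKDF2_ROUNDS = 50_000


class ValidationList:
    """Toy stand-in for WEBSECURE/VLDL01: user name -> (salt, digest)."""

    def __init__(self):
        self._entries = {}

    def add_entry(self, name, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._entries[name] = (salt, digest)

    def verify_entry(self, name, password):
        entry = self._entries.get(name)
        if entry is None:
            return False
        salt, digest = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)


def challenge():
    """Server side: the 401 reply that makes the browser show the dialog box."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}


def authorization_header(name, password):
    """Client side: the header the browser sends after the dialog is filled in."""
    token = base64.b64encode(f"{name}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def parse_basic(header_value):
    """Return (name, password) from a Basic header, or None if it is malformed."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    name, sep, password = decoded.partition(":")
    return (name, password) if sep else None


def handle_request(headers, vldl):
    """Server side: 401 until a valid Authorization header arrives, then 200
    (at which point the real server would switch to UserID WEBUSER01)."""
    auth = headers.get("Authorization")
    creds = parse_basic(auth) if auth else None
    if creds is None or not vldl.verify_entry(*creds):
        return challenge()
    return 200, {}


def fetch(vldl, realm_cache, name, password):
    """One document fetch as section 3 describes it: send cached credentials if
    the browser has some for this realm, otherwise go anonymous; on 401 prompt
    (here: use name/password), retry once, and remember them on success.
    realm_cache lives as long as the browser session; drop it to 'restart'."""
    headers = authorization_header(*realm_cache[REALM]) if REALM in realm_cache else {}
    status, _ = handle_request(headers, vldl)
    if status == 401:
        status, _ = handle_request(authorization_header(name, password), vldl)
        if status == 200:
            realm_cache[REALM] = (name, password)
    return status


if __name__ == "__main__":
    vldl = ValidationList()
    vldl.add_entry("giovanni", "giovanni")      # the user documented in the case
    session = {}
    print(fetch(vldl, session, "giovanni", "giovanni"))   # 200, credentials now cached
    print(fetch(vldl, session, "anyone", "ignored"))       # 200, no dialog this time
    print(fetch(vldl, {}, "giovanni", "wrong"))            # 401, dialog again next time
```

The model makes two points visible that the dialog box hides: the Authorization header carries the name and password only base64-encoded, which is why the "Use SSL client authentication" option and serving the realm over SSL matter, and the "no more dialog until restart" behaviour is purely browser-side caching of those credentials, not a server session.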
