iSeries 400 HTTP protection

Case name: CASE04
Objective: Protecting CGI programs through a validation list
Introduction: Please refer to Case02 for a short introduction to validation lists.
Case description: We want to allow execution of CGI program WEBSECURE/CASE04TRY (URL /websecp/case04try.pgm, see our http directives) only to the internet users enrolled in validation list WEBSECURE/CGI.
Solution: See how we used the ADMIN http server to
  1. create validation list WEBSECURE/CGI and group file /websecure/cgi.grp
  2. enroll an internet user (named mary) in this validation list
  3. create the protection setup
  4. protect the url to our CGI through this new protection setup
Look at the authorities of our CGI program WEBSECURE/CASE04TRY:
User        Group   Object Authority
WEBUSER01           *ALL
*PUBLIC             *EXCLUDE
Please note that user profiles QTMHHTTP and QTMHHTP1 are not even mentioned.
This is because the http server, as a result of our protection setup, will adopt user profile WEBUSER01 to run this CGI.

1. ADMIN

Here is how we used ADMIN to fulfil our objective.

Step 1 - Add an internet user
  1. Get ADMIN AS/400 Tasks page
  2. Click on IBM HTTP server for AS/400
  3. Click on Configuration and Administration
  4. Click on Internet Users to get a sublist
  5. Click on Add Internet user

Add Internet user

Name: mary
Password:
Confirm password:
Comments:
Validation list: WEBSECURE/CGI
Group file: /websecure/cgi.grp
Group: cgi
Click on Apply
  Notes
  1. ADMIN
    • creates validation list CGI in library WEBSECURE
    • creates group file /websecure/cgi.grp
    • then adds internet user mary
  2. the contents of group file /websecure/cgi.grp are:
    cgi: mary


Step 2 - Create a protection setup
  1. Click on Configurations, then select the configuration name of the http server you want to maintain
  2. Click on Protection to get a sublist
  3. Click on Create a protection setup

Create protection setup

Configuration: Config
Specify a protection setup
Protection setup: CASE04
Authentication options:
     Always prompt for user/password (used in this case)
     Use SSL client authentication

Click on Next to go to Step 3
Step 3 - Create a protection setup (continued)

Create protection setup

Configuration: Config
Protection setup: CASE02

Authentication

User/Password Authentication

Protection realm: CASE04_PROTECTION
Choose one user/password authentication option:
  Prompt for user/password using AS/400 profile
  Prompt for user/password using validation list (used in this case)
    Validation list: WEBSECURE/CGI
  Prompt for user/password using an LDAP server
    LDAP server setup name:


Authorization

User ID: WEBUSER01
Group file: (none: every user enrolled in the validation list is allowed)
Masks:
       DELETE:
       GET: All
       POST: All
       PUT:
       All:
Allow ACL files to override protection settings: no (ACLOverride Off)

Click on Apply to complete your protection setup


Step 4 - Protecting our CGI
  Note. In this step we are going to mention the path name /websecp/* used in the Exec http directive. You may check our http directives.
Click on Document protection to define the document to be protected via the newly defined protection setup CASE04.

Document protection

Configuration: Config

Index    URL template            Protection setup   Server IP address or host name
Example  /restricted/*           WEB_MASTERS        9.83.29.4
Example  /Usage/*                PROT_ADMIN
Example  /Documents/*                               host.ibm.com
1        /websechs/case01try*    CASE01
2        /websechs/case02try*    CASE02
3        /websecf/case*          CASE03
Index: (Insert before | Insert after | Replace | Remove)
URL template: /websecp/case04try.pgm
Define protection settings: In-line / Named protection setup: CASE04
Server IP address or host name:

Authentication options for in-line document protection:
        Always prompt for user/password
        Use SSL client authentication

2a. HTTP directives

ADMIN would add the following protection directives to our http directives
(you could have entered them manually in the http server configuration file, using the WRKHTTPCFG command):
  • protection setup directives (the Protection block)
  • Document Protection directives (the Protect line)
The keywords are specified in publication SC41-5434 HTTP Server for AS/400 Webmaster's Guide.

Protection CASE04 {
       PasswdFile WEBSECURE/CGI
       ACLOverride Off
       PostMask All
       GetMask All
       AuthType Basic
       ServerID CASE04_PROTECTION
       UserID WEBUSER01
}
Protect /websecp/case04try.pgm CASE04

2b. APACHE directives

If you are running HTTP server (powered by Apache) you need to specify the following Apache directives in your httpd.conf configuration file:

<Location /websecp/case04try.pgm>
   AuthType Basic
   AuthName CASE04_PROTECTION
   PasswdFile WEBSECURE/CGI
   UserID WEBUSER01
   Require valid-user
</Location>
For detailed information about Apache directives, see the Apache documentation.

3. The result

As a result, the first time (since you opened your web browser) you try to run CGI program case04try in library websecure, you receive a dialog box like the one shown below.

Please note that the CGI can retrieve the name of the internet user from the environment variable "REMOTE_USER" and, if needed, perform further validation or customization.

You may try now.
When you receive the real dialog box, enter
  • the name and password of a user enrolled in validation list WEBSECURE/CGI
    (for instance, user mary and password mary).
[Browser dialog] Username and Password Required
Enter username for CASE04_PROTECTION at nnn.nnn.nnn.nnn
User Name: ______
Password: ______

You may also try to access a URL protected as discussed in this page.

4. CGI protection strategy

The following is just an example of a protection strategy for your security-sensitive CGIs. Depending on your needs you may of course develop different or more sophisticated strategies.
  1. Divide your CGIs into homogeneous security categories. As an example:
    • CGIs for exclusive use of the personnel department
    • CGIs for exclusive use of the purchasing department
    • CGIs for exclusive use of the production control department
    • CGIs for use of all three groups
  2. Naming convention
    Make sure that all CGIs in a category begin with the same letters. As an example:
    • Personnel CGIs always begin with prs
    • Purchasing CGIs always begin with pch
    • Prod Control CGIs always begin with pdc
    • common CGIs always begin with com
  3. Validation lists and groups
    Create a single validation list and as many groups as there are user groups. As an example:
    1. validation list websecure/cgi
    2. group /websecure/prs.grp
    3. group /websecure/pch.grp
    4. group /websecure/pdc.grp
  4. Protection setups and document protections
    Create as many protections as there are CGI categories. As an example:

    1. for personnel department CGIs
      Protection PRS {
             GroupFile /websecure/prs.grp
             PasswdFile WEBSECURE/CGI
             ACLOverride Off
             PostMask All
             GetMask All
             AuthType Basic
             ServerID Personnel_Dept
             UserID WEBUSER01
      }
      Protect /websecp/prs* PRS

    2. for purchasing department CGIs
      Protection PCH {
             GroupFile /websecure/pch.grp
             PasswdFile WEBSECURE/CGI
             ACLOverride Off
             PostMask All
             GetMask All
             AuthType Basic
             ServerID Purchasing_Dept
             UserID WEBUSER01
      }
      Protect /websecp/pch* PCH

    3. for production control department CGIs
      Protection PDC {
             GroupFile /websecure/pdc.grp
             PasswdFile WEBSECURE/CGI
             ACLOverride Off
             PostMask All
             GetMask All
             AuthType Basic
             ServerID Prod_Ctrl_Dept
             UserID WEBUSER01
      }
      Protect /websecp/pdc* PDC

    4. for CGIs common to all groups
      Protection COM {
             PasswdFile WEBSECURE/CGI
             ACLOverride Off
             PostMask All
             GetMask All
             AuthType Basic
             ServerID Cross_Protection
             UserID WEBUSER01
      }
      Protect /websecp/com* COM
  5. Internet users
    Use ADMIN to add the following internet users:
    user name  password  comments                   validation list  group file           group
    prs        ...       user from personnel dept   WEBSECURE/CGI    /websecure/prs.grp   prs
    pch        ...       user from purchasing dept  WEBSECURE/CGI    /websecure/pch.grp   pch
    pdc        ...       user from prod-ctrl dept   WEBSECURE/CGI    /websecure/pdc.grp   pdc

    Comments
    1. You need to define just three internet users. Each of these internet users is allowed to
      • access the common CGIs through protection COM (this protection mentions only the validation list, no group)
      • access the CGIs specific to his department through that department's protection (which mentions both the validation list and a group)
    2. Remember that your CGIs can retrieve the internet user name. As an example, your common CGIs could provide HTML responses customized to the current internet user name.
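As an added example, not part of the original page or of the IBM HTTP server: an ILE-C-style CGI that, as section 3 and comment 2 above describe, reads REMOTE_USER and performs its own further validation against a copy of the group file. The group-file text, its assumed "group: user1, user2" layout, and the function names user_in_group and handle_request are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed copy of /websecure/cgi.grp from this case. Layout assumed: one
   "group: user1, user2" line per group, members separated by commas or blanks. */
static const char GROUP_FILE[] = "cgi: mary\n";

/* Return 1 if `user` is listed under `group` in the group-file text, else 0.
   The match is exact and case-sensitive, like the validation-list user name. */
int user_in_group(const char *text, const char *group, const char *user)
{
    size_t glen = strlen(group), ulen = strlen(user);
    for (const char *line = text; *line; ) {
        const char *nl = strchr(line, '\n');
        const char *lend = nl ? nl : line + strlen(line);
        const char *colon = memchr(line, ':', (size_t)(lend - line));
        if (colon && (size_t)(colon - line) == glen && strncmp(line, group, glen) == 0) {
            for (const char *p = colon + 1; p < lend; ) {   /* walk the member list */
                while (p < lend && (isspace((unsigned char)*p) || *p == ',')) p++;
                const char *s = p;
                while (p < lend && !isspace((unsigned char)*p) && *p != ',') p++;
                if ((size_t)(p - s) == ulen && strncmp(s, user, ulen) == 0) return 1;
            }
        }
        if (!nl) break;
        line = nl + 1;
    }
    return 0;
}

/* CGI decision: writes the response and returns the HTTP status used (200 or 403). The
   server sets REMOTE_USER only after the Protection block authenticated the browser, so an
   empty value means the URL was reached unprotected; on top of that the CGI requires
   membership of group cgi. Call as handle_request(getenv("REMOTE_USER")) from main(). */
int handle_request(const char *remote_user)
{
    if (remote_user == NULL || *remote_user == '\0') {
        printf("Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nnot authenticated\r\n");
        return 403;
    }
    if (!user_in_group(GROUP_FILE, "cgi", remote_user)) {
        printf("Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nnot a member of group cgi\r\n");
        return 403;
    }
    /* remote_user is the server-verified validation-list name, not text taken from the request. */
    printf("Content-Type: text/html\r\n\r\n<html><body>Hello, %s</body></html>\r\n", remote_user);
    return 200;
}
```

The same membership check works for the department groups of section 4 by pointing it at /websecure/prs.grp, pch.grp or pdc.grp instead of the constructed cgi group.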