Our web application-driven protection
applies only to web pages generated by CGI programs.
- Security strategy
The following security strategy is required:
- All AS/400 application data (files, data areas, etc.)
  specify AUT(*EXCLUDE) for
  - *PUBLIC
  - the http server user profiles qtmhhttp and qtmhhtp1
- All the CGI programs that need to access the application data
  - are owned by a user profile having appropriate rights to such data
    (we suggest a user profile created with INLMNU(*SIGNOFF),
    so that it cannot be used for an interactive session)
  - are created with USRPRF(*OWNER),
    so that they run with the adopted authority of their owner
  - are granted AUT(*USE) to the http server user profile qtmhhtp1
  This allows the CGIs to be run by the http server and to access
  the application data, while the http server profiles themselves
  (and any other program they run) remain excluded from that data.
- All the CGI programs must
  - receive from the remote browser a user name and a password
    (these are carried in the response html as input hidden fields,
    so that the browser sends them back with its next request)
  - validate user name and password
  - perform the application logic
  - provide an html response including the received user name and
    password as hidden fields, to be re-sent to the next CGI for validation
  Since the password therefore travels with every request and is readable
  in the source of every response page, this scheme should be run over
  an SSL (https) connection.
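The authority setup of this strategy, written out as a CL program. This is an example added here, not code from library WEBSECURE: the program name SETWEBAUT, the owner profile WEBAPPOWN and the sample names MYAPPLIB, CUSTOMER and MYCGI are assumptions, and the CGI is assumed to be bound directly (BNDSRVPGM) to the websecure service program and to the HTTP server CGI API service program QHTTPSVR/QZHBCGI. The http server profiles qtmhhttp and qtmhhtp1 are the ones named above.

```cl
             PGM        PARM(&LIB &FILE &CGI)
/* Added example, not part of library WEBSECURE. Applies the          */
/* security strategy above to one data file and one CGI program.      */
/* Call it as:  CALL SETWEBAUT ('MYAPPLIB' 'CUSTOMER' 'MYCGI')        */
/* WEBAPPOWN (the owner profile) and these three names are assumed.   */
             DCL        VAR(&LIB)  TYPE(*CHAR) LEN(10)
             DCL        VAR(&FILE) TYPE(*CHAR) LEN(10)
             DCL        VAR(&CGI)  TYPE(*CHAR) LEN(10)

/* 1. Owner profile for the CGIs: no password, and INLMNU(*SIGNOFF)   */
/*    so that it cannot be used for an interactive session.           */
             CRTUSRPRF  USRPRF(WEBAPPOWN) PASSWORD(*NONE) +
                          INLMNU(*SIGNOFF) USRCLS(*USER) +
                          TEXT('Owner of web CGI programs')
             MONMSG     MSGID(CPF2214)   /* profile already exists */

/* 2. Application data: *PUBLIC and the http server profiles are      */
/*    excluded; only the owner profile may use (here: update) it.     */
             GRTOBJAUT  OBJ(&LIB/&FILE) OBJTYPE(*FILE) USER(*PUBLIC) +
                          AUT(*EXCLUDE)
             GRTOBJAUT  OBJ(&LIB/&FILE) OBJTYPE(*FILE) +
                          USER(QTMHHTTP QTMHHTP1) AUT(*EXCLUDE)
             GRTOBJAUT  OBJ(&LIB/&FILE) OBJTYPE(*FILE) USER(WEBAPPOWN) +
                          AUT(*CHANGE)

/* 3. CGI program: bound to the WEBSECURE service program and to the  */
/*    HTTP server CGI APIs, created with USRPRF(*OWNER) so that it    */
/*    runs with the adopted authority of WEBAPPOWN, and callable only */
/*    by QTMHHTP1.                                                    */
             CRTRPGMOD  MODULE(&LIB/&CGI) SRCFILE(&LIB/QRPGLESRC) +
                          SRCMBR(&CGI)
             CRTPGM     PGM(&LIB/&CGI) MODULE(&LIB/&CGI) +
                          BNDSRVPGM(WEBSECURE/WEBSECURE +
                                    QHTTPSVR/QZHBCGI) +
                          USRPRF(*OWNER)
             CHGOBJOWN  OBJ(&LIB/&CGI) OBJTYPE(*PGM) NEWOWN(WEBAPPOWN) +
                          CUROWNAUT(*REVOKE)
             GRTOBJAUT  OBJ(&LIB/&CGI) OBJTYPE(*PGM) USER(*PUBLIC) +
                          AUT(*EXCLUDE)
             GRTOBJAUT  OBJ(&LIB/&CGI) OBJTYPE(*PGM) USER(QTMHHTP1) +
                          AUT(*USE)

/* 4. Check the result: the listings must show *EXCLUDE for *PUBLIC,  */
/*    QTMHHTTP and QTMHHTP1 on the file, and *USE for QTMHHTP1 on    */
/*    the program only.                                               */
             DSPOBJAUT  OBJ(&LIB/&FILE) OBJTYPE(*FILE) OUTPUT(*PRINT)
             DSPOBJAUT  OBJ(&LIB/&CGI)  OBJTYPE(*PGM)  OUTPUT(*PRINT)
             ENDPGM
```

Run it from a profile holding *SECADM and *ALLOBJ (CRTUSRPRF and CHGOBJOWN need them). The two DSPOBJAUT spool files at the end are the check worth keeping: the only authority QTMHHTP1 should hold anywhere is *USE on the CGI program, and the data file must list *EXCLUDE for *PUBLIC and for both http server profiles, since that exclusion is what makes the adopted authority of WEBAPPOWN the only path to the data.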
What we provide
This is what we provide, on this subject, in library
WEBSECURE (that you may download):
- Internet users
- Internet users may be registered in our validation list
webusers in library websecure.
- Internet users are registered with a user name
and an encrypted password
- An internet user may be registered as
web security administrator.
A web security administrator can
- define new internet users
- disable/enable internet users
- change internet users passwords
- remove internet users
- The internet user acting as security officer
is named websecofr; this user
- has the same rights as a security administrator
- cannot be disabled
- cannot be removed
- Service program
We provide service program websecure in library websecure
to perform internet user validation.
This is how you may take advantage of our service program.
Start your CGI by including these definitions:
      /copy WEBSECURE/brpglesrc,prototypes
      /copy WEBSECURE/brpglesrc,webproto
      /copy WEBSECURE/brpglesrc,qusec
      /copy WEBSECURE/brpglesrc,variables
      /copy WEBSECURE/brpglesrc,webvar

Your CGIs should call this service program through
the following RPG IV statement:
     C                   eval      pwdret = ChkUsrPwd(usnam:uspwd)
where:
- usnam is the user name (10 characters)
- uspwd is the password (10 characters)
- pwdret is a 22-character feedback area, whose definition is
  brought in by the statement /copy WEBSECURE/brpglesrc,webvar above:
     D                 DS
     D PwdRet                  1     22
     D  PwdAcp                 1      1
      *   Y/N  password accepted / not accepted
     D  usradm                 2      2
      *   Y = security administrator
     D  myusnampls             3     12
      *   user profile name, imbedded blanks replaced by +'s
     D  myuspwdpls            13     22
      *   user profile password, imbedded blanks replaced by +'s

- If the service program does not validate the internet user
  (PwdAcp = 'N'), it has already issued the html response
  (the "logon failed" page) before returning to the calling CGI,
  so your CGI must not write any further response: just test
  PwdAcp and return.
- After three consecutive unsuccessful trials (wrong passwords)
  an internet user is temporarily disabled for 15 minutes.
- Internet users maintenance program
We provide a CGI program
(program wrkintusr in library websecure)
to maintain internet users as entries in our validation list.
This CGI, of course, checks which internet user
is running it: only a security administrator is authorized to use it.
You can run this program from our logon procedure,
described in the next topic.
- Sample logon CGI
We provide a sample logon CGI
(program logon in library websecure)
that you may refer to for a better understanding of how a CGI
should be designed.
This logon procedure also allows you to maintain internet users
in our validation list when you sign on as a security administrator.
You may try it by signing on as user websecofr
with password websecofr.
Please note that user names and passwords are case sensitive.
Please avoid removing existing users or changing passwords,
so that the next visitor can try it as well.
- Prerequisites
- OS/400 V4R5M0 or later is necessary to store encrypted passwords
  in the validation list entries, so that password validation
  may take place through our service program.
- Library QGY
  (5769SS1 option 12 - Host Servers)
- System value QRETSVRSEC must be set to 1; otherwise the passwords
  stored in the validation list cannot be retrieved (decrypted)
  for validation.
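A CL program that checks the prerequisites just listed before you install the library. It is an example added here, not part of WEBSECURE; the program name CHKWEBPRQ is assumed. It reads the release from data area QGPL/QSS1MRI, the QRETSVRSEC system value, library QGY, and the validation list WEBSECURE/WEBUSERS named earlier on this page.

```cl
             PGM
/* Added example, not part of library WEBSECURE: checks the           */
/* prerequisites listed above and reports each one that is missing.   */
/* The program name CHKWEBPRQ is assumed.                             */
             DCL        VAR(&VRM)    TYPE(*CHAR) LEN(6)
             DCL        VAR(&RETSVR) TYPE(*CHAR) LEN(1)
             DCL        VAR(&MSG)    TYPE(*CHAR) LEN(132)
             DCL        VAR(&OK)     TYPE(*LGL)  VALUE('1')

/* OS/400 release: data area QGPL/QSS1MRI starts with the VRM,        */
/* e.g. 'V4R5M0'; a string compare is enough for V4/V5 releases.      */
             RTVDTAARA  DTAARA(QGPL/QSS1MRI (1 6)) RTNVAR(&VRM)
             IF         COND(&VRM *LT 'V4R5M0') THEN(DO)
                CHGVAR     VAR(&MSG) VALUE('Release' *BCAT &VRM *BCAT +
                             'is below V4R5M0: encrypted passwords' +
                             *BCAT 'cannot be stored in the validation list')
                SNDPGMMSG  MSG(&MSG)
                CHGVAR     VAR(&OK) VALUE('0')
             ENDDO

/* QRETSVRSEC must be 1, or the service program cannot retrieve the   */
/* password stored in the validation list entry.                      */
             RTVSYSVAL  SYSVAL(QRETSVRSEC) RTNVAR(&RETSVR)
             IF         COND(&RETSVR *NE '1') THEN(DO)
                CHGVAR     VAR(&MSG) VALUE('QRETSVRSEC is' *BCAT &RETSVR +
                             *BCAT '- set it to 1 with CHGSYSVAL')
                SNDPGMMSG  MSG(&MSG)
                CHGVAR     VAR(&OK) VALUE('0')
             ENDDO

/* Library QGY comes with 5769SS1 option 12 (Host Servers).           */
             CHKOBJ     OBJ(QSYS/QGY) OBJTYPE(*LIB)
             MONMSG     MSGID(CPF9801) EXEC(DO)
                SNDPGMMSG  MSG('Library QGY missing: install 5769SS1 option 12')
                CHGVAR     VAR(&OK) VALUE('0')
             ENDDO

/* The validation list holding the internet users.                    */
             CHKOBJ     OBJ(WEBSECURE/WEBUSERS) OBJTYPE(*VLDL)
             MONMSG     MSGID(CPF9801 CPF9810) EXEC(DO)
                SNDPGMMSG  MSG('Validation list WEBSECURE/WEBUSERS not found')
                CHGVAR     VAR(&OK) VALUE('0')
             ENDDO

             IF         COND(&OK) THEN(SNDPGMMSG +
                          MSG('WEBSECURE prerequisites are satisfied'))
             ELSE       CMD(SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
                          MSGDTA('WEBSECURE prerequisites are missing') +
                          MSGTYPE(*ESCAPE))
             ENDPGM
```

The program reports every missing prerequisite rather than stopping at the first, and ends with an escape message when anything is missing so that it can be used from an installation CL program with MONMSG.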
- Sources
We provide of course all the sources used to develop
our prototype.
Here are the most important ones:

  member      file        description
  ----------  ----------  ----------------------------------------
  webform     qddssrc     External DS for QtmhCvtDB API
  logon       qrpglesrc   Sample logon CGI
  logon       htmlsrc     Response html from pgm Logon
  wrkintusr   brpglesrc   Work with internet users
  wrkintusr   htmlsrc     Response html from pgm Wrkintusr
  xxxchkpwd   brpglesrc   SrvPgm - user validation
  xxxhtmlnls  brpglesrc   SrvPgm - Rtv special char
  websecure   brpglesrc   SrvPgm - Driver module
  xxxchkvldl  brpglesrc   SrvPgm - Chk vldl
  xxxcurdate  brpglesrc   SrvPgm - Rtv curr date
  xxxchkpwd   htmlsrc     Response html from SrvPgm (logon failed)

Download
To download library WEBSECURE containing
- tutorial on web external protection
- prototype of web application-driven protection