Easy400
 
Web Protection Made Easy
 
Prototype of web application driven protection

  1. Security strategy
  2. What we provide
  3. Download
Our web application driven protection applies only to web pages resulting from CGI programs.

  1. Security strategy
    The following security strategy is required:
    1. All AS/400 application data (files, data areas, etc.) specify AUT(*EXCLUDE) for
      • the *public
      • the http server user profiles qtmhhttp and qtmhhtp1
    2. All the CGI programs that need to access the application data
      • are owned by a user profile having appropriate rights to such data
        • we suggest a user profile with INLMNU(*SIGNOFF), so that it cannot be used for an interactive session
      • are created with USRPRF(*OWNER)
      • are granted AUT(*USE) to the http server user profile qtmhhtp1
      This allows the CGIs to be run by the http server and, through adopted authority, to access the application data. Because every caller of such a CGI acts with the owner's rights for the duration of the call, the CGI must not give the remote browser any way to run other commands or programs under that authority.
    3. All the CGI programs must
      1. receive from the remote browser a user name and a password
        • (the logon form supplies them the first time; afterwards every CGI re-sends them as hidden input fields, see step 4)
      2. validate user name and password (see the service program below)
      3. perform the application logic
      4. provide an html response including the received user name and password as hidden fields, so that the browser re-sends them to the next CGI for validation
      Note that hidden fields are not secret: they appear in the page source and travel with every request, so the connection between browser and http server should be protected with SSL.
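The CL program below, added here as an illustration and not part of the WEBSECURE library, applies steps 1 and 2 of the strategy to one application file and one CGI program. The library APPLIB, the file CUSTFILE, the program MYCGI and the owner profile WEBOWNER are assumed names for this example; the HTTP server profiles QTMHHTTP and QTMHHTP1 are the ones the page names.

```cl
/* Added example (not part of WEBSECURE): apply the security strategy   */
/* to one application file and one CGI program. APPLIB, CUSTFILE,       */
/* MYCGI and WEBOWNER are assumed names for this illustration.          */
             PGM

/* Step 2a: a dedicated owner profile for the CGIs. PASSWORD(*NONE)     */
/* prevents any sign-on with it; INLMNU(*SIGNOFF) is the page's          */
/* suggestion and is kept as a second guard.                             */
             CRTUSRPRF  USRPRF(WEBOWNER) PASSWORD(*NONE) +
                        INLMNU(*SIGNOFF) LMTCPB(*YES) +
                        TEXT('Owner of web CGI programs')

/* Step 1: application data is excluded from *PUBLIC and from the HTTP  */
/* server profiles. The explicit *EXCLUDE for the two profiles also     */
/* overrides any private authority they may have been granted earlier.  */
             GRTOBJAUT  OBJ(APPLIB/CUSTFILE) OBJTYPE(*FILE) +
                        USER(*PUBLIC) AUT(*EXCLUDE)
             GRTOBJAUT  OBJ(APPLIB/CUSTFILE) OBJTYPE(*FILE) +
                        USER(QTMHHTTP QTMHHTP1) AUT(*EXCLUDE)
/* Only the CGI owner may read and update the data.                     */
             GRTOBJAUT  OBJ(APPLIB/CUSTFILE) OBJTYPE(*FILE) +
                        USER(WEBOWNER) AUT(*CHANGE)

/* Step 2b: the CGI adopts its owner's authority while it runs ...      */
             CRTBNDRPG  PGM(APPLIB/MYCGI) SRCFILE(APPLIB/QRPGLESRC) +
                        SRCMBR(MYCGI) USRPRF(*OWNER) +
                        BNDSRVPGM(WEBSECURE/WEBSECURE)
             CHGOBJOWN  OBJ(APPLIB/MYCGI) OBJTYPE(*PGM) +
                        NEWOWN(WEBOWNER) CUROWNAUT(*REVOKE)

/* Step 2c: ... but only the HTTP server profile may call it.           */
             GRTOBJAUT  OBJ(APPLIB/MYCGI) OBJTYPE(*PGM) +
                        USER(*PUBLIC) AUT(*EXCLUDE)
             GRTOBJAUT  OBJ(APPLIB/MYCGI) OBJTYPE(*PGM) +
                        USER(QTMHHTP1) AUT(*USE)

/* Check the result: both displays must show *PUBLIC *EXCLUDE, and      */
/* DSPPGM must report User profile . . . : *OWNER for the CGI.          */
             DSPOBJAUT  OBJ(APPLIB/CUSTFILE) OBJTYPE(*FILE)
             DSPOBJAUT  OBJ(APPLIB/MYCGI) OBJTYPE(*PGM)
             DSPPGM     PGM(APPLIB/MYCGI)
             ENDPGM
```

Run it once per CGI (the owner profile and the file authorities are set only once). The check at the end matters: if the program is ever recompiled without USRPRF(*OWNER), or its owner changes, the CGI silently loses access to the data, and if *PUBLIC keeps *USE on the program, any profile on the system can call it and act as WEBOWNER.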

  2. What we provide
    This is what we provide, on this subject, in library WEBSECURE (which you may download):
    • Internet users
      • Internet users may be registered in our validation list webusers in library websecure.
      • Internet users are registered with a user name and an encrypted password
      • An internet user may be registered as web security administrator. A web security administrator can
        • define new internet users
        • disable/enable internet users
        • change internet users passwords
        • remove internet users
      • The internet user acting as security officer is named websecofr; this user
        • has the same rights as a security administrator
        • cannot be disabled
        • cannot be removed
    • Service program
      We provide service program websecure in library websecure to perform internet user validation.
      This is how you may take advantage of our service program.
      Start your CGI including some definitions:
      /copy WEBSECURE/brpglesrc,prototypes 
      /copy WEBSECURE/brpglesrc,webproto   
      /copy WEBSECURE/brpglesrc,qusec      
      /copy WEBSECURE/brpglesrc,variables  
      /copy WEBSECURE/brpglesrc,webvar     
      Your CGIs should call this service program through the following RPG IV statement:
      C               eval      pwdret =ChkUsrPwd(usnam:uspwd) 
      where:
      • usnam is the user name (char 10)
      • uspwd is the password (char 10)
      • pwdret is a feedback area of 22 characters (its definitions are included by the previous statement /copy WEBSECURE/brpglesrc,webvar )
      D                 DS
      DPwdRet                   1     22
      DPwdAcp                   1      1
      *       Y/N password accepted / not accepted
      Dusradm                   2      2
      *       Y = security administrator
      Dmyusnampls               3     12
      *       internet user name, with
      *       embedded blanks replaced by +'s
      Dmyuspwdpls              13     22
      *       internet user password, with
      *       embedded blanks replaced by +'s
      • If the service program does not validate the internet user, it writes the logon-failed html response itself before returning to the calling CGI; your CGI then only has to test PwdAcp and return, without providing any html response of its own.
      • After three consecutive unsuccessful trials (wrong passwords) an internet user is temporarily disabled for 15 minutes. Note that this also lets anyone who knows a user name lock that user out for 15 minutes by sending three wrong passwords.
    • Internet users maintenance program
      We provide a CGI program (program wrkintusr in library websecure) to maintain internet users as entries in our validation list. This CGI, of course, checks which internet user is running it: only a security administrator is authorized.
      You can run this program from our logon procedure (next topic).
    • Sample logon CGI
      We provide a sample logon CGI (program logon in library websecure) you may refer to for better understanding of how a CGI should be designed.
      This logon procedure also lets you maintain internet users in our validation list, when you sign on as a security administrator.
      You may try our application-driven protection prototype by signing on as user websecofr with password websecofr.
      Please note that
      • user names and passwords are case sensitive
      Please avoid removing existing users or changing passwords, so that the next visitor can try as well.
    • Prerequisites
      • OS/400 V4R5M0 or later is required to save encrypted passwords into the validation list entries, so that password validation may take place through our service program.
      • Library QGY (5769SS1 option 12 - Host servers)
      • System value qretsvrsec must be set to 1, so that the encrypted passwords stored in the validation list entries can be retrieved in decrypted form for validation. This setting applies system-wide, not only to this validation list.
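The CL program below, added here as an illustration and not part of the WEBSECURE library, checks the last two prerequisites before you install the library. The program name CHKWEBPRQ is an assumption; it ends with an escape message if library QGY is missing or qretsvrsec is not 1, and with a completion message otherwise.

```cl
/* Added example (not part of WEBSECURE): check that library QGY exists */
/* and that QRETSVRSEC is 1 before installing WEBSECURE.                */
/* Compile as CHKWEBPRQ (assumed name) and run it with CALL CHKWEBPRQ.  */
             PGM
             DCL        VAR(&RETSEC) TYPE(*CHAR) LEN(1)

/* Library QGY (5769SS1 option 12, Host servers) must be installed.     */
/* CHKOBJ signals CPF9801 when the object is not found.                  */
             CHKOBJ     OBJ(QSYS/QGY) OBJTYPE(*LIB)
             MONMSG     MSGID(CPF9801) EXEC(DO)
               SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
                          MSGDTA('Library QGY missing: install 5769SS1 option 12')
             ENDDO

/* QRETSVRSEC must be 1: otherwise the encrypted data in validation      */
/* list entries cannot be retrieved and ChkUsrPwd can never accept       */
/* a password. Changing it affects all retained server security data.   */
             RTVSYSVAL  SYSVAL(QRETSVRSEC) RTNVAR(&RETSEC)
             IF         COND(&RETSEC *NE '1') THEN(DO)
               SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
                          MSGDTA('QRETSVRSEC is 0: CHGSYSVAL SYSVAL(QRETSVRSEC) VALUE(1) is required')
             ENDDO

             SNDPGMMSG  MSG('Prerequisites for WEBSECURE are met') +
                        MSGTYPE(*COMP)
             ENDPGM
```

The OS/400 release itself is best confirmed with DSPSFWRSC or GO LICPGM, option 10, since the release level is not a system value. Remember that a validation list entry whose password was stored while qretsvrsec was 0 has no decryptable password: such users must be re-registered after the system value is changed.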
    • Sources
      We provide, of course, all the sources used to develop our prototype. Here are the most important ones:
       member      file        description
       webform     qddssrc     External DS for QtmhCvtDB API
       logon       qrpglesrc   Sample logon CGI
       logon       htmlsrc     Response html from pgm Logon
       wrkintusr   brpglesrc   Work with internet users
       wrkintusr   htmlsrc     Response html from pgm Wrkintusr
       xxxchkpwd   brpglesrc   SrvPgm - user validation
       xxxhtmlnls  brpglesrc   SrvPgm - Rtv special char
       websecure   brpglesrc   SrvPgm - Driver module
       xxxchkvldl  brpglesrc   SrvPgm - Chk vldl
       xxxcurdate  brpglesrc   SrvPgm - Rtv curr date
       xxxchkpwd   htmlsrc     Response html from SrvPgm (logon failed)

  3. Download
    To download library WEBSECURE containing
    • tutorial on web external protection
    • prototype of web application-driven protection
      1. make sure you have checked the prerequisites
      2. press download now