Skip to main content  
  Easy400   |       IBM i
Freeware
 
Overview
Upload - Type I
Copy file via ftp
 
Managing security
 
 

 
Managing Security

Built-in security features

  • Validation list protection.
    The installation procedure provides HTTP configuration directives (see Figure 1) implementing page protection through a validation list. Note that if such a protection is removed, the Toolkit would not work.

    Immediately after the installation, you should

    1. add your own internet user(s) to validation list webact in library webact.
      See Note 1 below for this operation.
    2. Once you have done this, remove the default internet user webact from validation list webact in library webact.
      See Note 1 below for this operation.
    Note 1. The Toolkit has a tool for maintaining validation lists. Please check out item Work with validation lists in the navigation bar of this Toolkit.

    Note 2. When adding internet user(s) and related password(s) you are recommended not to be obvious. These two fields are 20 char each, and you may use all the characters (not just the alphanumeric ones) on your keyboard. Imbedded blanks are also supported.

    Note 3. You should be aware that, as from the HTTP configuration in Figure 1, all programs of the Toolkit will be executed under user profile QTMHHTP1,
    and you have to run command
    CHGUSRPRF USRPRF(QTMHHTP1) SPCAUT(*SPLCTL).

    Should you need the tool to run under a different user profile, example: MYUSRPRF

    1. run command GRTOBJAUT OBJ(MYUSRPRF) OBJTYPE(*USRPRF) USER(QTMHHTTP) AUT(*USE)
    2. run command CHGUSRPRF USRPRF(MYUSRPRF) SPCAUT(*SPLCTL)
    3. replace the user profile QTMHHTP1 in HTTP directive UserID with your user profile name.
      Example: in the HTTP instance directives (See Figure 1) replace directives
         PasswdFile webact/webact
   UserID QTMHHTP1
      with directives
         PasswdFile %%SYSTEM%%
   UserID MYUSRPRF
    4. restart the HTTP instance WEBACT.

      
     #=========================================================================
 #  PART 1
 #=========================================================================
 ServerRoot /webact/http/conf
 DocumentRoot /webact/http/conf/hotdocs
 Listen 41941
 DefaultType text/html
 CGIConvMode %%EBCDIC/EBCDIC%%
 #=========================================================================
 #  PART 2
 #=========================================================================
 Options ExecCGI FollowSymLinks SymLinksIfOwnerMatch Includes
 ThreadsPerChild 50
 HostNameLookups off
 UseCanonicalName Off
 RuleCaseSense Off
 AlwaysDirectoryIndex On
 DirectoryIndex index.html welcome.html
 LogFormat "%h %l %u %t \"%r\" %>s %b" common
 CustomLog /webact/http/conf/logs/access_log common
 ErrorLog  /webact/http/conf/logs/error_log
 LogMaint  /webact/http/conf/logs/access_log 7 0
 LogMaint  /webact/http/conf/logs/error_log  7 0
 BrowserMatch "Mozilla/2" nokeepalive
 BrowserMatch "JDK/1\.0" force-response-1.0
 BrowserMatch "Java/1\.0" force-response-1.0
 BrowserMatch "RealPlayer 4\.0" force-response-1.0
 BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
 #========================================================================
 #  PART 3
 #========================================================================
 #----        WEBACT directives
 AliasMatch /webacth/(.*)\.htm    /QSYS.LIB/WEBACT.LIB/HTMLSRC.FILE/$1.mbr
 AliasMatch /webacth/(.*)\.mbr    /QSYS.LIB/WEBACT.LIB/HTMLSRC.FILE/$1.mbr
 ScriptAliasMatch /webact/start   /qsys.lib/webact.lib/dsppage.pgm
 Alias /webact/      /webact/
 ScriptAliasMatch /webactx/(.*).pgm   /qsys.lib/webact.lib/$1.pgm
 ScriptAliasMatch /webactx/(.*).cgi   /qsys.lib/webact.lib/$1.pgm
 ScriptAliasMatch /webactp/(.*).pgm   /qsys.lib/webact.lib/$1.pgm
 ScriptAliasMatch /webactp/(.*).cgi   /qsys.lib/webact.lib/$1.pgm

 <Directory /webact>
    AllowOverride None
    Options None
    order allow,deny
    allow from all
 </Directory>

 <Directory /QSYS.LIB/WEBACT.LIB>
    AllowOverride None
    Options None
    order allow,deny
    allow from all
 </Directory>

 <Location /webactp*>
    AuthType Basic
    AuthName "IBM i WEB Access Toolkit"
    PasswdFile webact/webact
    UserID QTMHHTP1
    Require valid-user
 </Location>
    Figure 1

Additional security you may provide

  • Suspending / Resuming Toolkit operations.
    You may use command
           webact/sleep sleep(y)
    to suspend Toolkit operations. In this way the Toolkit will enter an "asleep" status, and would not accept any request.
    You may then use command
           webact/sleep sleep(n)
    to "wake up" the Toolkit.
    You may want to use these commands from a protected CGI of your own, to provide better security to your Toolkit access.
  • Using a separate server on a separate port.
    Running the Toolkit from a port other than the HTTP standard one (port 80) does not by itself provide more security (this can be easily found out by hackers). Howerver
    • If you are using a firewall, you could also have a chance of better defending the access to the ToolKit by defending its dedicated port.
    • Another advantage this provides is that you can shut down the Toolkit HTTP server any time you like, without impacting your production HTTP service.
  • Ending / starting your separate server.
    If you decide to run the Toolkit from a port other than the standard one (port 80), you may as well plan to start / end the Toolkit instance server under your control. By doing this, you would restrict the exposure time to the strict necessary. We suggest you to implement (on your regular WEB service) some reserved (that is, protected) page which would allow you to start and to end the Toolkit HTTP server at your own will.
  • Remapping the path to the CGIs.
    Assuming that this Toolkit is adopted by some thousand installations, you would not certainly like them to know the virtual path to your Toolkit CGI's.
    You may very well decide to change the provided webactp virtual path to the CGI's to another name. To implement this you have to:
    1. substitute the term webactp in the HTTP directives (see Figure 1) with a name of your choice (e.g. nextspring)
    2. update the data area pgmpath in library webact to contain such a name
      (e.g. nextspring)
    3. substitute the directive
      ScriptAliasMatch /webact/start /qsys.lib/webact.lib/dsppage.pgm
      with a new one of your choice, example
      ScriptAliasMatch /nextsummer /qsys.lib/webact.lib/dsppage.pgm
    4. do a similar substitution in directive
      <Location ... >
  • Digital certificates. You may get rid of user IDs and passwords by supporting client authentication through digital certificates. Please refer to the following IBM redbook: SG24-5659-00 AS/400 Internet Security: Developing a Digital Certificate Infrastructure.

    Contact