|
|
Built-in security features
- Validation list protection.
The installation procedure provides HTTP configuration
directives (see Figure 1)
implementing page protection
through a validation list.
Note that if such a protection is removed,
the Toolkit would not work.
Immediately after the installation, you should
- add your own internet user(s) to validation list
webact in library
webact.
See Note 1 below for this operation.
- Once you have done this,
remove the default internet user
webact from validation list
webact in library
webact.
See Note 1 below for this operation.
Note 1.
The Toolkit has a tool
for maintaining validation lists.
Please check out item
Work with validation lists
in the navigation bar of this Toolkit.
Note 2.
When adding internet user(s) and related password(s)
you are recommended not to be obvious.
These two fields are 20 char each, and you may use all the
characters (not just the alphanumeric ones) on your
keyboard. Imbedded blanks are also supported.
Note 3.
You should be aware that, as from the HTTP configuration
in Figure 1,
all programs of the Toolkit will be executed under user profile
QTMHHTP1,
and you have to run command
CHGUSRPRF USRPRF(QTMHHTP1) SPCAUT(*SPLCTL).
Should you need the tool to run under a different user profile, example: MYUSRPRF
- run command GRTOBJAUT OBJ(MYUSRPRF) OBJTYPE(*USRPRF) USER(QTMHHTTP) AUT(*USE)
- run command CHGUSRPRF USRPRF(MYUSRPRF) SPCAUT(*SPLCTL)
- replace the user profile QTMHHTP1 in HTTP directive UserID with your user profile name.
Example: in the HTTP instance directives (See Figure 1) replace directives
PasswdFile webact/webact
UserID QTMHHTP1 with directives
PasswdFile %%SYSTEM%%
UserID MYUSRPRF
- restart the HTTP instance WEBACT.
#=========================================================================
# PART 1
#=========================================================================
ServerRoot /webact/http/conf
DocumentRoot /webact/http/conf/hotdocs
Listen 41941
DefaultType text/html
CGIConvMode %%EBCDIC/EBCDIC%%
#=========================================================================
# PART 2
#=========================================================================
Options ExecCGI FollowSymLinks SymLinksIfOwnerMatch Includes
ThreadsPerChild 50
HostNameLookups off
UseCanonicalName Off
RuleCaseSense Off
AlwaysDirectoryIndex On
DirectoryIndex index.html welcome.html
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog /webact/http/conf/logs/access_log common
ErrorLog /webact/http/conf/logs/error_log
LogMaint /webact/http/conf/logs/access_log 7 0
LogMaint /webact/http/conf/logs/error_log 7 0
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "JDK/1\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
#========================================================================
# PART 3
#========================================================================
#---- WEBACT directives
AliasMatch /webacth/(.*)\.htm /QSYS.LIB/WEBACT.LIB/HTMLSRC.FILE/$1.mbr
AliasMatch /webacth/(.*)\.mbr /QSYS.LIB/WEBACT.LIB/HTMLSRC.FILE/$1.mbr
ScriptAliasMatch /webact/start /qsys.lib/webact.lib/dsppage.pgm
Alias /webact/ /webact/
ScriptAliasMatch /webactx/(.*).pgm /qsys.lib/webact.lib/$1.pgm
ScriptAliasMatch /webactx/(.*).cgi /qsys.lib/webact.lib/$1.pgm
ScriptAliasMatch /webactp/(.*).pgm /qsys.lib/webact.lib/$1.pgm
ScriptAliasMatch /webactp/(.*).cgi /qsys.lib/webact.lib/$1.pgm
<Directory /webact>
AllowOverride None
Options None
order allow,deny
allow from all
</Directory>
<Directory /QSYS.LIB/WEBACT.LIB>
AllowOverride None
Options None
order allow,deny
allow from all
</Directory>
<Location /webactp*>
AuthType Basic
AuthName "IBM i WEB Access Toolkit"
PasswdFile webact/webact
UserID QTMHHTP1
Require valid-user
</Location>
|
|
Figure 1
Additional security you may provide
- Suspending / Resuming Toolkit operations.
You may use command
webact/sleep sleep(y)
to suspend Toolkit operations.
In this way the Toolkit will enter an "asleep" status,
and would not accept any request.
You may then use command
webact/sleep sleep(n)
to "wake up" the Toolkit.
You may want to use these commands from a protected
CGI of your own, to provide better security
to your Toolkit access.
- Using a separate server on a separate port.
Running the Toolkit from a port other than the HTTP
standard one (port 80) does not by itself provide
more security (this can be easily found out
by hackers). Howerver
- If you are using a firewall, you could also
have a chance of better defending the access to the ToolKit
by defending its dedicated port.
- Another advantage this provides is that
you can shut down the Toolkit HTTP server any time you like,
without impacting your production HTTP service.
- Ending / starting your separate server.
If you decide to run the Toolkit from
a port other than the standard one (port 80),
you may as well plan to start / end the Toolkit
instance server under your control.
By doing this, you would restrict the exposure time
to the strict necessary.
We suggest you to implement (on your regular WEB service)
some reserved (that is, protected) page which would allow
you to start and to end the Toolkit HTTP server at your
own will.
- Remapping the path to the CGIs.
Assuming that this Toolkit is adopted by some thousand
installations, you would not certainly like them
to know the virtual path to your Toolkit CGI's.
You may very well decide to change the provided
webactp virtual path to the
CGI's to another name.
To implement this you have to:
- substitute the term webactp
in the HTTP
directives (see Figure 1)
with a name of your choice
(e.g. nextspring)
- update the data area
pgmpath
in library
webact
to contain such a name
(e.g. nextspring)
- substitute the directive
ScriptAliasMatch /webact/start /qsys.lib/webact.lib/dsppage.pgm
with a new one of your choice, example
ScriptAliasMatch /nextsummer /qsys.lib/webact.lib/dsppage.pgm
- do a similar substitution in directive
<Location ... >
- Digital certificates.
You may get rid of user IDs and passwords
by supporting client authentication through
digital certificates.
Please refer to the following IBM redbook:
SG24-5659-00
AS/400 Internet Security: Developing a Digital
Certificate Infrastructure.
|
|
|
|