Skip to main content  
  Easy400   |       IBM i
Upload - Type I
Copy file via ftp
Managing security

Managing Security

Built-in security features

  • Validation list protection.
    The installation procedure provides HTTP configuration directives (see Figure 1) implementing page protection through a validation list. Note that if such a protection is removed, the Toolkit would not work.

    Immediately after the installation, you should

    1. add your own internet user(s) to validation list webact in library webact.
      See Note 1 below for this operation.
    2. Once you have done this, remove the default internet user webact from validation list webact in library webact.
      See Note 1 below for this operation.
    Note 1. The Toolkit has a tool for maintaining validation lists. Please check out item Work with validation lists in the navigation bar of this Toolkit.

    Note 2. When adding internet user(s) and related password(s) you are recommended not to be obvious. These two fields are 20 char each, and you may use all the characters (not just the alphanumeric ones) on your keyboard. Imbedded blanks are also supported.

    Note 3. You should be aware that, as from the HTTP configuration in Figure 1, all programs of the Toolkit will be executed under user profile QTMHHTP1,
    and you have to run command

    Should you need the tool to run under a different user profile, example: MYUSRPRF

    3. replace the user profile QTMHHTP1 in HTTP directive UserID with your user profile name.
      Example: in the HTTP instance directives (See Figure 1) replace directives
         PasswdFile webact/webact
         UserID QTMHHTP1
      with directives
         PasswdFile %%SYSTEM%%
         UserID MYUSRPRF
    4. restart the HTTP instance WEBACT.

     #  PART 1
     ServerRoot /webact/http/conf
     DocumentRoot /webact/http/conf/hotdocs
     Listen 41941
     DefaultType text/html
     CGIConvMode %%EBCDIC/EBCDIC%%
     #  PART 2
     Options ExecCGI FollowSymLinks SymLinksIfOwnerMatch Includes
     ThreadsPerChild 50
     HostNameLookups off
     UseCanonicalName Off
     RuleCaseSense Off
     AlwaysDirectoryIndex On
     DirectoryIndex index.html welcome.html
     LogFormat "%h %l %u %t \"%r\" %>s %b" common
     CustomLog /webact/http/conf/logs/access_log common
     ErrorLog  /webact/http/conf/logs/error_log
     LogMaint  /webact/http/conf/logs/access_log 7 0
     LogMaint  /webact/http/conf/logs/error_log  7 0
     BrowserMatch "Mozilla/2" nokeepalive
     BrowserMatch "JDK/1\.0" force-response-1.0
     BrowserMatch "Java/1\.0" force-response-1.0
     BrowserMatch "RealPlayer 4\.0" force-response-1.0
     BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
     #  PART 3
     #----        WEBACT directives
     AliasMatch /webacth/(.*)\.htm    /QSYS.LIB/WEBACT.LIB/HTMLSRC.FILE/$1.mbr
     AliasMatch /webacth/(.*)\.mbr    /QSYS.LIB/WEBACT.LIB/HTMLSRC.FILE/$1.mbr
     ScriptAliasMatch /webact/start   /qsys.lib/webact.lib/dsppage.pgm
     Alias /webact/      /webact/
     ScriptAliasMatch /webactx/(.*).pgm   /qsys.lib/webact.lib/$1.pgm
     ScriptAliasMatch /webactx/(.*).cgi   /qsys.lib/webact.lib/$1.pgm
     ScriptAliasMatch /webactp/(.*).pgm   /qsys.lib/webact.lib/$1.pgm
     ScriptAliasMatch /webactp/(.*).cgi   /qsys.lib/webact.lib/$1.pgm
     <Directory /webact>
        AllowOverride None
        Options None
        order allow,deny
        allow from all
     <Directory /QSYS.LIB/WEBACT.LIB>
        AllowOverride None
        Options None
        order allow,deny
        allow from all
     <Location /webactp*>
        AuthType Basic
        AuthName "IBM i WEB Access Toolkit"
        PasswdFile webact/webact
        UserID QTMHHTP1
        Require valid-user
    Figure 1

Additional security you may provide

  • Suspending / Resuming Toolkit operations.
    You may use command
           webact/sleep sleep(y)
    to suspend Toolkit operations. In this way the Toolkit will enter an "asleep" status, and would not accept any request.
    You may then use command
           webact/sleep sleep(n)
    to "wake up" the Toolkit.
    You may want to use these commands from a protected CGI of your own, to provide better security to your Toolkit access.
  • Using a separate server on a separate port.
    Running the Toolkit from a port other than the HTTP standard one (port 80) does not by itself provide more security (this can be easily found out by hackers). Howerver
    • If you are using a firewall, you could also have a chance of better defending the access to the ToolKit by defending its dedicated port.
    • Another advantage this provides is that you can shut down the Toolkit HTTP server any time you like, without impacting your production HTTP service.
  • Ending / starting your separate server.
    If you decide to run the Toolkit from a port other than the standard one (port 80), you may as well plan to start / end the Toolkit instance server under your control. By doing this, you would restrict the exposure time to the strict necessary. We suggest you to implement (on your regular WEB service) some reserved (that is, protected) page which would allow you to start and to end the Toolkit HTTP server at your own will.
  • Remapping the path to the CGIs.
    Assuming that this Toolkit is adopted by some thousand installations, you would not certainly like them to know the virtual path to your Toolkit CGI's.
    You may very well decide to change the provided webactp virtual path to the CGI's to another name. To implement this you have to:
    1. substitute the term webactp in the HTTP directives (see Figure 1) with a name of your choice (e.g. nextspring)
    2. update the data area pgmpath in library webact to contain such a name
      (e.g. nextspring)
    3. substitute the directive
      ScriptAliasMatch /webact/start /qsys.lib/webact.lib/dsppage.pgm
      with a new one of your choice, example
      ScriptAliasMatch /nextsummer /qsys.lib/webact.lib/dsppage.pgm
    4. do a similar substitution in directive
      <Location ... >
  • Digital certificates. You may get rid of user IDs and passwords by supporting client authentication through digital certificates. Please refer to the following IBM redbook: SG24-5659-00 AS/400 Internet Security: Developing a Digital Certificate Infrastructure.