Skip to main content  
        iSeries home   |   Easy400  
Why this utility
Basic Operations
Advanced Operations

Work vith Validation Lists
by Giovanni B. Perotti (Italy)

Restricting and validating access to WEB pages served by an IBM System i is implemented through some Apache HTTP instance directives.
There are two basic approaches: one based on system user profiles, the other based on validation lists.

Validation list objects (object type *VLDL) were specifically developed to support authentication of Internet users. With validation lists Internet users can be be permitted or denied access to the system from the web server, but have no authority to any system resources or authority to signon or run jobs. A system user profile is never created for the internet users.
A validation list is a collection of internet user entries. Each entry defines a unique user name, its encrypted password and some optional description. Validation list data are case sensitive. Use command crtvldl to create a validation list.

  • User profile validation is generally used in Intranet applications, while
  • Validation lists are generally used in Internet applications.

Figure 1 and Figure 2 provide examples of HTTP directives for restricting and validating access with user profiles and with validation lists.
Access validation is required whenever the request in the URL starts with /ordersp/ .
<LocationMatch ^/ordersp/(.*)$ >
AuthType Basic
PasswdFile %%SYSTEM%%
Require valid-user
Figure 1- Authentication through user profiles
<LocationMatch ^/ordersp/(.*)$ >
AuthType Basic
Require valid-user
Figure 2- Authentication through a validation list
About Figure 2, please note that:
  • MYLIB/MYVLDL is the validation list used for authentication.
  • MYUSRPRF is the user profile that the HTTP server will adopt to serve the validated requests.
Note also that, if validation lists are used in a HTTP instance,
  • User profile QTMHHTTP must have at least *use authority over all the validation lists mentioned in the HTTP instance directives.
  • The user profile starting the HTTP instance must have at least *use authority over all the validation lists mentioned in the HTTP instance directives.

1-Why this utility

The only tool available is within the *ADMIN HTTP server, under IBM Web Administration for the iSeries. Frankly speaking, in this area there is a lot of space for more brilliant utilities. However, in the IBM System i operating system there are no commands to maintain validation lists, and developing some utility is not easy, as the access to validation lists is only through a number of API's.

This is why, after developing our small WEB CGI utility for maintaining validation lists, we thought that it could be useful to other people, exspecially if also sources are made available.


  1. OS/400 release V5R2 or subsequent
  2. IBM HTTP Server for IBM System i, product 57xxDG1 (library QHTTPSVR)
  3. Compiler ILE RPG IV, product 57xxWDS, opt. 31, is required only during the installation phase.
  4. System value QRETSVRSEC must be set to 1 to enable HTTP to perform authentication through validation lists.
  5. utility MMAIL, if installed, allows to support the mailing facilities reported at page Advanced operations.


  • Download file from the Easy400 download page and unzip it.
  • Follow the Readme.txt instructions to upload and to restore library WRKVLDL.
  • On the IBM System i run the following procedure:
    It does the following:
    • creates service program WRKVLDL/WRKVLDL
    • creates programs
    • restores IFS directory /wrkvldl
  • Our utility is a Web utility, so you need an HTTP instance to run it.
    You have two choices:
    1. Add the following HTTP directives to an HTTP instance of yours:
      #----        WRKVLDL directives                                      
      ScriptAliasMatch ^/wrkvldl/start$   /qsys.lib/wrkvldl.lib/wrkvldl.pgm
      ScriptAliasMatch /wrkvldlp/(.*).pgm /qsys.lib/wrkvldl.lib/$1.pgm     
      Alias /wrkvldl/      /wrkvldl/                                       
      <Directory /QSYS.LIB/WRKVLDL.LIB>                                    
         AllowOverride None                                                
         Options None                                                      
         order allow,deny                                                  
         allow from all                                                    
         Options -ExecCGI                                                  
         CGIConvMode %%EBCDIC/EBCDIC%%                                     
      <Directory /wrkvldl>                                                 
         AllowOverride None                                                
         Options None                                                      
         order allow,deny                                                  
         allow from all                                                    
      <LocationMatch (^/wrkvldl/start$|^/wrkvldlp/(.*)$)>
      AuthType Basic                                     
      AuthName "Validation List Utility"                 
      PasswdFile %%SYSTEM%%                              
      UserID %%CLIENT%%                                  
      Require valid-user                                 
      Figure 3- HTTP directives for the WRKVLDL utility
        To run the WRKVLDL utility, use the following URL:
    2. Install our HTTP instance WRKVLDL which listens on port 8026.
      Press this to display its configuration directives.
      Run the following commands to install and to start it:
      Figure 4- Install and start the WRKVLDL HTTP instance
        To run the WRKVLDL utility, use the following URL:


To know about the latest updates to this tool, press this link.

next page