|
Restricting and validating access to WEB pages served by an IBM System i is implemented through some Apache HTTP instance directives.
There are two basic approaches: one based on system user profiles, the other based on validation lists.
Validation list objects (object type *VLDL) were specifically developed to support authentication of Internet users.
With validation lists Internet users can be be permitted or denied access to the system from the web server, but have
no authority to any system resources or authority to signon or run jobs. A system user profile is never created for the internet users.
A validation list is a collection of internet user entries. Each entry defines a unique user name, its encrypted password and some optional description.
Validation list data are case sensitive. Use command crtvldl to create a validation list.
- User profile validation is generally used in Intranet applications, while
- Validation lists are generally used in Internet applications.
Figure 1 and Figure 2 provide examples of HTTP directives for restricting and validating access with user profiles and with validation lists.
Access validation is required whenever the request in the URL starts with /ordersp/ .
|
<LocationMatch ^/ordersp/(.*)$ >
AuthType Basic
AuthName ORDER_ENTRY
PasswdFile %%SYSTEM%%
UserID %%CLIENT%%
Require valid-user
</LocationMatch> |
Figure 1- Authentication through user profiles
|
|
<LocationMatch ^/ordersp/(.*)$ >
AuthType Basic
AuthName ORDER_ENTRY
PasswdFile MYLIB/MYVLDL
UserID MYUSRPRF
Require valid-user
</LocationMatch> |
Figure 2- Authentication through a validation list
|
About Figure 2, please note that:
- MYLIB/MYVLDL is the validation list used for authentication.
- MYUSRPRF is the user profile that the HTTP server will adopt to serve the validated requests.
Note also that, if validation lists are used in a HTTP instance,
- User profile QTMHHTTP must have at least *use authority over all the validation lists mentioned in the HTTP instance directives.
- The user profile starting the HTTP instance must have at least *use authority over all the validation lists mentioned in the HTTP instance directives.
1-Why this utility
The only tool available is within the *ADMIN HTTP server, under IBM Web Administration for the iSeries.
Frankly speaking, in this area there is a lot of space for more brilliant utilities.
However, in the IBM System i operating system there are no commands to maintain validation lists, and developing some utility is not easy, as the
access to validation lists is only through a number of API's.
This is why, after developing our small WEB CGI utility for maintaining validation lists, we thought that it could be useful to other people,
exspecially if also sources are made available.
2-Prerequisites
- OS/400 release V5R2 or subsequent
- IBM HTTP Server for IBM System i, product 57xxDG1 (library QHTTPSVR)
- Compiler ILE RPG IV, product 57xxWDS, opt. 31, is required only during the installation phase.
- System value QRETSVRSEC must be set to 1 to enable HTTP to perform authentication through validation lists.
- Easy400.net utility MMAIL, if installed, allows to support the mailing facilities reported at page Advanced operations.
3-Installation
- Download file wrkvldl.zip from the Easy400 download page and unzip it.
- Follow the Readme.txt instructions to upload and to restore library WRKVLDL.
- On the IBM System i run the following procedure:
STRREXPRC SRCMBR(INSTALL) SRCFILE(WRKVLDL/QREXSRC)
It does the following:
- creates service program WRKVLDL/WRKVLDL
- creates programs
- restores IFS directory /wrkvldl
- Our utility is a Web utility, so you need an HTTP instance to run it.
You have two choices:
- Add the following HTTP directives to an HTTP instance of yours:
#---- WRKVLDL directives
ScriptAliasMatch ^/wrkvldl/start$ /qsys.lib/wrkvldl.lib/wrkvldl.pgm
ScriptAliasMatch /wrkvldlp/(.*).pgm /qsys.lib/wrkvldl.lib/$1.pgm
Alias /wrkvldl/ /wrkvldl/
<Directory /QSYS.LIB/WRKVLDL.LIB>
AllowOverride None
Options None
order allow,deny
allow from all
Options -ExecCGI
CGIConvMode %%EBCDIC/EBCDIC%%
</Directory>
<Directory /wrkvldl>
AllowOverride None
Options None
order allow,deny
allow from all
</Directory>
<LocationMatch (^/wrkvldl/start$|^/wrkvldlp/(.*)$)>
AuthType Basic
AuthName "Validation List Utility"
PasswdFile %%SYSTEM%%
UserID %%CLIENT%%
Require valid-user
</LocationMatch> |
Figure 3- HTTP directives for the WRKVLDL utility
| |
To run the WRKVLDL utility, use the following URL:
http://your_TCP_address/wrkvldl/start |
- Install our HTTP instance WRKVLDL which listens on port 8026.
Press this to display its configuration directives.
Run the following commands to install and to start it:
CPYF FROMFILE(WRKVLDL/QATMHINSTC) TOFILE(QUSRSYS/QATMHINSTC)
FROMMBR(WRKVLDL) TOMBR(WRKVLDL) MBROPT(*REPLACE) CRTFILE(*YES)
STRTCPSVR SERVER(*HTTP) HTTPSVR(WRKVLDL) |
Figure 4- Install and start the WRKVLDL HTTP instance
| |
To run the WRKVLDL utility, use the following URL:
http://your_TCP_address:8026/wrkvldl/start |
6-Updates
To know about the latest updates to this tool, press this link.
|
