Volume 10, Number 22 -- July 21, 2010

AAA Secures IBM i Server

Published: July 21, 2010

by Pi Guang Ming

The IBM HTTP Server for i, powered by Apache, has three distinct ways to handle whether a particular request for a resource will result in that resource actually being returned. These three techniques are access control, authentication, and authorization, or AAA.

In this article, I'll share how AAA works within IBM HTTP Server for i.


First A: Access Control

Access control refers to any means of controlling access to any resource. This A is distinct from authentication and authorization.

IBM HTTP Server for i uses the Allow and Deny directives to express access control criteria; the Order directive specifies the order in which the Allow and Deny directives are evaluated.

Let's see how access control works.

First, you need to create an HTTP server. With IBM Web Administration for i, you can quickly create an HTTP server. As to the details, see the section on "Create HTTP Server" in the IBM i information center.

After your HTTP server is created, check the configuration file, which now appears as /www/conf/<instancename>/httpd.conf, where <instancename> is the name of the HTTP server you created.

You will see the following lines in the root <Directory /> container, which indicate that the HTTP server, by default, denies every client access to the entire file system. Whether the client has valid credentials does not matter, which shows that access control is independent of authentication and authorization.


   <Directory />
      Order Deny,Allow
      Deny From all
   </Directory>
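To make the Order/Allow/Deny semantics concrete, here is an added example (written for this article, not code from IBM HTTP Server for i or Apache) that parses access-control lines in the style shown above and decides whether a client address gets through. The rule sets DEFAULT_ROOT, OPEN_DIR, INTRANET_DIR and PREFIX_DIR are constructed samples; the helper names are mine. It goes slightly beyond the article by also handling CIDR blocks and partial dotted prefixes, the other address forms Allow and Deny accept; host-name rules are not covered.

```python
import ipaddress

# Constructed sample rule sets, in the same style as the httpd.conf lines above.
DEFAULT_ROOT = ["   Order Deny,Allow", "   Deny From all"]                 # the server default
OPEN_DIR = ["Order Allow,Deny", "Allow From all"]                          # the protected-directory pattern
INTRANET_DIR = ["Order Deny,Allow", "Deny from all", "Allow from 192.168.1.0/24"]
PREFIX_DIR = ["Order Allow,Deny", "Allow from 10.1", "Deny from 10.1.2.3"]


def parse_access_directives(lines):
    """Parse Order / Allow from / Deny from lines into (order, allow_rules, deny_rules)."""
    order, allows, denies = None, [], []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        name, rest = name.lower(), rest.strip()
        if name == "order":
            order = rest.replace(" ", "").lower()  # tolerate "Deny, Allow" as typed on the page
            if order not in ("deny,allow", "allow,deny"):
                raise ValueError(f"bad Order argument: {rest}")
        elif name in ("allow", "deny"):
            if not rest.lower().startswith("from "):
                raise ValueError(f"{name} directive needs 'from': {line}")
            (allows if name == "allow" else denies).extend(rest[5:].split())
    if order is None:
        order = "deny,allow"  # Apache's default when no Order directive is present
    return order, allows, denies


def rule_matches(rule, client_ip):
    """A rule is 'all', a CIDR block, a partial dotted prefix such as '10.1', or one address."""
    if rule.lower() == "all":
        return True
    ip = ipaddress.ip_address(client_ip)
    if "/" in rule:
        return ip in ipaddress.ip_network(rule, strict=False)
    parts = rule.split(".")
    if len(parts) < 4 and all(p.isdigit() for p in parts):
        return client_ip.split(".")[: len(parts)] == parts
    return ip == ipaddress.ip_address(rule)


def is_client_allowed(lines, client_ip):
    """Apply the Order semantics: who is evaluated first, and what happens to unmatched clients."""
    order, allows, denies = parse_access_directives(lines)
    allowed = any(rule_matches(r, client_ip) for r in allows)
    denied = any(rule_matches(r, client_ip) for r in denies)
    if order == "deny,allow":
        # Deny is evaluated first and an Allow can override it; unmatched clients are admitted.
        return allowed or not denied
    # allow,deny: Allow is evaluated first and a Deny can override it; unmatched clients are refused.
    return allowed and not denied


if __name__ == "__main__":
    for name, rules in [("default", DEFAULT_ROOT), ("open", OPEN_DIR), ("intranet", INTRANET_DIR)]:
        print(name, "192.168.1.77 ->", is_client_allowed(rules, "192.168.1.77"))
```

The point worth remembering from the two orders: with Deny,Allow an address that matches nothing is admitted, so the server default needs the explicit `Deny From all`; with Allow,Deny an address that matches nothing is refused, which is why the protected-directory example pairs it with `Allow From all` and leaves the filtering to authentication and authorization.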

Second A: Authentication

Authentication is any process by which you verify that someone is really who they claim they are. This usually involves a user name and a password.

IBM i uses validation lists to hold the credentials used for authentication. A validation list is an IBM i object of type *VLDL. Each validation list contains a list of Internet users and their passwords; each Internet user has one valid password defined for it.

In order to see how authentication works, we continue our example based on the HTTP server we created.

We must follow these three steps:

  1. Create a validation list
  2. Add Internet users
  3. Set the configuration to use this validation list

Here are two ways to create and delete validation lists.

  1. Use CL commands: Create Validation List CRTVLDL; Delete Validation List DLTVLDL.
  2. Use APIs: Application Programming Interfaces are also provided to allow applications to add, change, remove, verify (authenticate), and find entries in a validation list.

After a validation list is created, you can add an Internet user by using IBM Web Administrator for i.


Figure 1.

Figure 1 shows how to use the IBM Web Administrator for i to add an Internet user to the validation list. The fields of a validation list are as follows:

  • User name: Specify the Internet user to add into the validation list. The user name you define is case-sensitive. An IBM i user profile is never created for Internet users.
  • Password: Specify a valid password for the user. The password will be encrypted.
  • Confirm Password: Type the password again to confirm.
  • Validation list: Specify the name of the validation list to contain the Internet user. If you enter a validation list that does not exist, the system will create it for you.

The fields for Group File and Group will be covered in the Authorization section.

After creating the validation list and adding Internet users, the next action is to set the configuration to use this validation list.

In our example, the HTTP server we created is pigm. The particular resource that we need to protect is the directory /www/pigm/protected. Basic authentication, the simplest method of authentication, is adopted. The validation list we specify is QGPL/PIGM.

Edit the following lines in the HTTP server configuration file /www/conf/<instancename>/httpd.conf.


   <Directory /www/pigm/protected>
      Order Allow,Deny
      Allow From all
      Require valid-user
      PasswdFile QGPL/PIGM
      AuthType Basic
      AuthName "PIGM's Secret Area"
   </Directory>

The definitions of the directives are described below:

  • Require: The requirement(s) that must be satisfied in order to grant admission. The parameter valid-user means any valid user in the validation list has access.
  • PasswdFile: The location of the validation list.
  • AuthType: Authentication type being used. In this case, it will be set to Basic.
  • AuthName: The authentication name, or realm, will appear in the pop-up box, in order to identify what the user name and password are being requested for.

Now, let's take a look at how basic authentication works.

When a particular resource has been protected using basic authentication, HTTP Server sends a 401 Authentication Required header with the response to the request, in order to notify the client that user credentials must be supplied in order for the resource to be returned as requested.

Upon receiving a 401 response header, the client's browser, if it supports basic authentication as IE and Firefox do, will pop up a box asking the user to supply a user name and password to be sent back to the server. If the user name is in the validation list and the password supplied is correct, the resource will be returned to the client.

Apart from validation list authentication, the IBM HTTP Server for i also provides other authentication methods. IBM i user profile authentication is one of them.

You can specify IBM i user profile authentication by just replacing the following line:

PasswdFile QGPL/PIGM

The new line is:

PasswdFile %%SYSTEM%%

Using this value indicates that the server should use the IBM i user profile support to validate user names and passwords.


Third A: Authorization

Authorization is any process by which someone, once identified, is permitted to use the resource.

In the example above, every valid user in the validation list is authorized to access the protected resource. Can we instead allow only a specific person or group to access it?

The answer is yes. The IBM HTTP Server for i uses validation lists in conjunction with other resources, like group files, to limit access to server resources.

You can use validation lists in conjunction with a group file to manage the group of people who have access to a resource. You can add and remove members without editing the server configuration file and restarting IBM HTTP Server for i each time.


Figure 2.

Next, we combine authentication and authorization by executing the following steps:

  1. Create a validation list
  2. Optionally, create a group file
  3. Add Internet users and specify the group file
  4. Set the configuration to use this validation list and group file

The first step is the same as above. The second step is optional: you can use the group file API to create the group file. For the third step, remember to specify the group file and group when you add Internet users. Figure 2 shows how to use IBM Web Administrator for i to add an Internet user to a group and a group file. If you enter a group file that does not exist, the system will create it for you.

I create a sample group file, /home/pigm/groupfile, in which two groups, g1 and g2, are defined. Then I add three Internet users: PIGM and Bob (who belong to group g1) and James (who belongs to group g2). Here are the contents of the group file:

g1: PIGM, Bob
g2: James

The last step is to set the configuration to use this validation list and group file. Once the group file has been created, we can require that someone be in a particular group, say g1 in our example, in order to get the requested resource. This is done with the GroupFile directive together with a Require group directive, as shown in the following example.

Again, edit the following lines in the HTTP server configuration file /www/conf/<instancename>/httpd.conf.


   <Directory /www/pigm/protected>
      Order Allow,Deny
      Allow From all
      Require group g1
      PasswdFile QGPL/PIGM
      GroupFile /home/pigm/groupfile
      AuthType Basic
      AuthName "PIGM's Secret Area"
   </Directory>

The directives are defined as follows:

  • Require: The requirement(s) that must be satisfied in order to grant admission. The parameter valid-user means any valid user in the validation list has access; group g1, as used here, means only the members of group g1 in the group file have access.
  • PasswdFile: The location of the validation list.
  • GroupFile: The location of the group file, if any.
  • AuthType: Authentication type being used. In this case, it will be set to Basic.
  • AuthName: The authentication name, or realm, will appear in the pop-up box, in order to identify what the user name and password are being requested for.

In this example, all three users are defined in the validation list. However, only PIGM and Bob, both of whom belong to group g1, are authorized to access the protected area; James is denied even though he also exists in the validation list. Here the two criteria, authentication and authorization, work together to limit access to server resources.
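The following added example (my own code, not IBM HTTP Server for i's implementation) walks through the basic authentication exchange described earlier and the group authorization shown in this example, for the three users PIGM, Bob and James. The validation list is a constructed stand-in that stores salted PBKDF2 hashes; IBM i's actual *VLDL encryption is different and not modelled here. The group file contents are the ones given above, parsed in the Apache group-file style (one group per line, members separated by spaces or commas), and the function names are mine. Note that the Basic credentials the browser sends back are only base64-encoded, so a realm protected this way should be served over TLS.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000


def make_entry(password, salt=None):
    """Constructed stand-in for a validation list entry: (salt, PBKDF2 digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed validation list QGPL/PIGM: user name -> (salt, digest). Names are case-sensitive.
VALIDATION_LIST = {
    "PIGM": make_entry("pigm-secret"),
    "Bob": make_entry("bob-secret"),
    "James": make_entry("james-secret"),
}

# Contents of /home/pigm/groupfile as shown in the article.
GROUP_FILE = "g1: PIGM, Bob\ng2: James\n"


def parse_group_file(text):
    """One 'group: member member ...' line per group; commas between members are tolerated."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, members = line.split(":", 1)
        groups[name.strip()] = set(members.replace(",", " ").split())
    return groups


def check_password(user, password):
    """Authentication against the validation list; constant-time digest comparison."""
    entry = VALIDATION_LIST.get(user)
    if entry is None:
        return False
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def parse_basic_credentials(header):
    """Decode an 'Authorization: Basic <base64(user:password)>' value, or return None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def is_authorized(require, user, groups):
    """Evaluate a Require directive: valid-user, user <names>, or group <groups>."""
    kind, _, args = require.partition(" ")
    if kind == "valid-user":
        return True
    if kind == "user":
        return user in args.split()
    if kind == "group":
        return any(user in groups.get(g, ()) for g in args.split())
    raise ValueError(f"unsupported Require: {require}")


def handle_request(headers, require, realm="PIGM's Secret Area"):
    """Return (status, response headers) for a request to the protected directory."""
    creds = parse_basic_credentials(headers.get("Authorization"))
    if creds is None or not check_password(*creds):
        # No or wrong credentials: 401 challenge, which makes the browser show its login box.
        return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}
    if not is_authorized(require, creds[0], parse_group_file(GROUP_FILE)):
        return 403, {}  # authenticated, but the Require directive does not admit this user
    return 200, {}


def basic_header(user, password):
    """What the browser sends after the user fills in the pop-up box."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    for user, pw in [("PIGM", "pigm-secret"), ("Bob", "bob-secret"), ("James", "james-secret")]:
        print(user, "->", handle_request({"Authorization": basic_header(user, pw)}, "group g1")[0])
```

Running it reproduces the article's outcome: PIGM and Bob get 200 under `Require group g1`, James gets 403, and a request with no credentials, a wrong password, or the user name typed as "bob" instead of "Bob" gets the 401 challenge, because the first two stages never reach authorization.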

Now you are armed with the knowledge of how to leverage access control, authentication, and authorization, the AAA techniques, to provide a powerful security module for IBM HTTP Server for i.


Pi Guang Ming is a software engineer for IBM's i Web integration development team at the China System and Technology Lab. The i Web integration development team's focus is on the Web-based management of middleware running on i, including WebSphere Application Server, WebSphere Portal Server, Integrated Web Services Server, Integrated Application Server, and the i HTTP server. Send your questions or comments for Jon to Ted Holt via the IT Jungle Contact page.






Senior Technical Editor: Ted Holt
Technical Editor: Joe Hertvik
Contributing Technical Editors: Erwin Earley, Brian Kelly, Michael Sansoterra
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed
Copyright © 1996-2010 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034