OS/400 Alert: All About HTTP Server

by Shannon O'Donnell

In this issue, I will focus on the iSeries HTTP Server. If you are one of the many thousands of OS/400 shops still using the original HTTP server, you are in for a nasty surprise when IBM comes out with the next release of OS/400. If, on the other hand, you are already using the HTTP Server powered by Apache, there is good news for you about ways to improve iSeries Web-serving performance. And, finally, we have to tell you about a possible security hole in your HTTP Server.

Time to Get with the Apache HTTP Program

It's time to jump on the bandwagon, before it leaves the station without you. IBM has made it official: V5R2 will be the final OS/400 release to support the original HTTP server. After that, you are using the HTTP Server powered by Apache or you're not serving Web pages from your iSeries. It's that simple.

Granted, this particular information was announced in March, but it has come to my attention recently that an inordinate number of shops are still using the original HTTP server on their V5R1 and V5R2 iSeries. I find this surprising, given that migrating to HTTP Server powered by Apache from the original HTTP server is usually no more complex than using IBM's HTTP migration tool.

However, you may be apprehensive and not yet ready to take the plunge because you feel the new-fangled Apache stuff is too complex. But if this is what you are concerned about, you needn't be. Although it is different, the Apache HTTP server is actually a lot easier to use than the original HTTP server.

In an effort to help you feel more comfortable with the Apache HTTP Server, take a look at a few of the more common original HTTP server directives and then take a look at their Apache HTTP Server counterparts.

The original HTTP server directives PASS and FAIL allow or deny access to an IFS Directory or QSYS.LIB library.
For example:

Pass /*
Fail /myifsdir/*

The equivalent Apache directive is:

<Directory /*>
Order allow,deny
Allow from all
</Directory>
<Directory /myifsdir/*>
Order deny,allow
Deny from all
</Directory>

In the original HTTP server, the directives are read from top to bottom, based on their relative position in the HTTP configuration file. This means that if you happened to put the FAIL directive in this example before the Pass directive, the Pass directive would override the FAIL directive and allow access to the directory /myifsdir/*. The Apache HTTP server does not care where in the configuration file the directive is found; it evaluates access to a given directory or QSYS.LIB library based on what it finds within the Directory brackets.

MAP maps a URL to an actual IFS directory. For example:

Map /myDocs /www/myhttpserver/htdocs

The equivalent Apache directive is:

AliasMatch ^/myDocs/(.*) /www/myhttpserver/htdocs/$1

As you can see, the directives are very similar in syntax in both HTTP server configurations.

The original HTTP directive Exec allows Common Gateway Interface (CGI) programs on your server to be executed from a browser. For example:

EXEC /cgi-bin/* /QSYS.LIB/MYPROGS.LIB/*

The equivalent Apache directive is:

<Directory /QSYS.LIB/MYPROGS.LIB/*>
Allow from all
Options +ExecCGI
</Directory>
ScriptAlias /cgi-bin/ /QSYS.LIB/MYPROGS.LIB/

For this directive, the HTTP Server powered by Apache requires both the <Directory></Directory> structure and the ScriptAlias directive. Notice, within the <Directory> structure, the use of the Options +ExecCGI subdirective.

The original HTTP directive GET HEAD POST allows the PUT, GET, and HEAD directives to be issued from HTML forms to interact with CGI programs on your iSeries. For example:
Enable GET
Enable HEAD
Enable POST
The equivalent Apache directive is:
<Location />
<LimitExcept GET HEAD OPTIONS POST>
Order Allow,Deny
Deny from All
</LimitExcept>
</Location>
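As an added illustration (not part of the original article, and not IBM's migration tool), this Python sketch applies the directive mappings above mechanically to a small original-server configuration. The function name `convert` and the sample input are assumptions; the sketch carries the captured path into the `AliasMatch` target as `/$1`, lists in `<LimitExcept>` only the methods named by `Enable`, and flags anything it does not recognize for manual review.

```python
import re
# Constructed sample: the page's directives plus one this sketch does not handle.
SAMPLE = """\
Pass /*
Fail /myifsdir/*
Map /myDocs /www/myhttpserver/htdocs
EXEC /cgi-bin/* /QSYS.LIB/MYPROGS.LIB/*
Enable GET
Enable HEAD
Enable POST
Redirect /old/* http://example.com/new/*
"""

def convert(original_cfg):
    """Translate original-server directives into the Apache forms shown above."""
    out, methods = [], []
    for line in filter(None, map(str.strip, original_cfg.splitlines())):
        verb, *args = line.split()
        verb = verb.lower()
        if verb in ("pass", "fail") and len(args) == 1:
            allow = verb == "pass"
            out += [f"<Directory {args[0]}>",
                    f"    Order {'allow,deny' if allow else 'deny,allow'}",
                    f"    {'Allow' if allow else 'Deny'} from all",
                    "</Directory>"]
        elif verb == "map" and len(args) == 2:
            url, path = (a.rstrip("*").rstrip("/") for a in args)
            out.append(f"AliasMatch ^{re.escape(url)}/(.*) {path}/$1")
        elif verb == "exec" and len(args) == 2:
            out += [f"<Directory {args[1]}>",
                    "    Allow from all", "    Options +ExecCGI",
                    "</Directory>",
                    f"ScriptAlias {args[0].rstrip('*')} {args[1].rstrip('*')}"]
        elif verb == "enable" and len(args) == 1:
            methods.append(args[0].upper())
        else:
            # Never drop an access rule silently: flag it for manual review.
            out.append(f"# REVIEW: not translated: {line}")
    if methods:  # one block that denies every method not explicitly enabled
        out += ["<Location />",
                f"    <LimitExcept {' '.join(methods)}>",
                "        Order Allow,Deny", "        Deny from All",
                "    </LimitExcept>",
                "</Location>"]
    return "\n".join(out)

if __name__ == "__main__":
    print(convert(SAMPLE))
```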
The directives shown here are the most commonly used HTTP server directives for most shops. As you have seen, most of the new Apache HTTP server directives are very similar to the original HTTP server directives; in fact, once you begin using the Apache HTTP server, you'll find that they are likely to be much easier to use. And if you use the HTTP migration wizard, which comes as part of the HTTP administration tool shipped with your iSeries, you can migrate your original HTTP server to the HTTP Server powered by Apache with a minimum of effort.

This Week's Nasty Windows Worries

Backdoor.Hacarmy can give an attacker, who comes into your PC via an IRC server running on port 6666, the ability to completely take over your system.

PWSteal.Finero is a Trojan horse virus that mimics the online interfaces of certain Brazilian banks in order to steal account information. If you're keeping your money hidden from the IRS in Brazilian banks, you may need to be concerned about this one.

W32.HLLW.Kazwin--Are you downloading music from the KaZaA file-sharing network and getting your name on the lawsuit list with the recording industry? If so, you might be concerned about this little worm, which is spread by KaZaA and downloads bad things to your hard drive.

Enable File Compression for HTTP Server Powered by Apache

Looking for ways to improve the performance of iSeries Web pages? How about using file compression? File compression causes your HTTP server to compress HTML Web pages before sending them to the client browser, resulting in faster page load times.
You can take advantage of this feature of the HTTP Server powered by Apache on your iSeries by applying the following PTFs:

OS/400 V5R1: PTF SI09223 or group PTF SF99156-15
Documentation for file compression for HTTP Server (powered by Apache)
Documentation for module mod_deflate

OS/400 V5R2: PTF SI09224 or group PTF SF99098-10
Documentation for file compression for HTTP Server (powered by Apache)
Documentation for module mod_deflate

PTFs and Fixes for OS/400 and Related Programs

IBM continues to recommend that you apply the latest cumulative packages, which came out on September 9 for V5R2 customers. The latest HIPER package was just released on September 16, so if you're not current on that one, you would be wise to grab it and load it. The Database Group PTF has not been updated since mid-August, so if you've applied one in the last few weeks, you're probably okay for the foreseeable future. For complete details on this week's recommended fixes, go to IBM's Web site.

This Week's PTF Highlights

V5R1:SI09154; V5R2:SI09155--These PTFs are for a vulnerability in the apr_psprintf function of the HTTP Server powered by Apache runtime. This hole allows remote attackers to cause a denial-of-service attack and, under certain conditions, may allow a remote attacker to execute arbitrary code on your Apache server. For complete details, click here.

V5R1:SI08600; V5R2:SI08601--These PTFs address a vulnerability in the HTTP Server powered by Apache that, when processing excessively long chunks of consecutive line feed characters, results in a denial-of-service attack, thereby crashing your HTTP Apache server. For complete details, click here.
Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.