AAA Secures IBM i Server
July 21, 2010 Timothy Prickett Morgan
The IBM HTTP Server for i, powered by Apache, has three distinct ways to decide whether a request for a resource will result in that resource actually being returned. These three techniques are access control, authentication, and authorization, or AAA.
In this article, I’ll share how AAA works within IBM HTTP Server for i.
First A: Access Control
Access control refers to any means of controlling access to any resource. This A is distinct from authentication and authorization.
IBM HTTP Server for i uses the Allow and Deny directives to implement access control. The Order directive specifies the order in which these filters are applied.
Let’s see how access control works.
First, you need to create an HTTP server. With IBM Web Administration for i, you can quickly create an HTTP server. For details, see the section on “Create HTTP Server” in the IBM i information center.
After your HTTP server is created, check the configuration file, which should now appear as: /www/conf/<instancename>/httpd.conf. In your case, <instancename> will be the HTTP server name that you created.
You will see the following lines, which indicate that the HTTP server, by default, prevents any clients from seeing the entire file system. Whether these clients are valid or not does not matter. This proves that access control is a separate item from authentication and authorization.
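How Order combines Allow and Deny can be modelled in a few lines. The following Python sketch is an added example, not part of the original article or of the server's code; it assumes the Apache 2.2-style semantics of these directives, and the rule sets and client addresses in its comments are constructed.

```python
import ipaddress

def matches(spec, client_ip):
    """True if client_ip matches an Allow/Deny 'from' spec: 'all', an IP or a CIDR."""
    if spec.lower() == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)

def access_allowed(order, allow, deny, client_ip):
    """Evaluate Allow/Deny lists under the given Order for one client address.

    Note that no user name or password is involved: the decision depends
    only on where the request comes from.
    """
    allowed = any(matches(spec, client_ip) for spec in allow)
    denied = any(matches(spec, client_ip) for spec in deny)
    order = order.replace(" ", "").lower()
    if order == "deny,allow":
        # Deny is applied first and Allow can override it;
        # a client matching neither list is allowed.
        return allowed or not denied
    if order == "allow,deny":
        # Allow is applied first and Deny can override it;
        # a client matching neither list is denied.
        return allowed and not denied
    raise ValueError(f"unsupported Order value: {order!r}")

# Constructed rule sets:
#   Order Deny,Allow + Deny from all                  -> nobody gets in
#   ... plus Allow from 10.0.0.0/8                    -> only that network gets in
#   Order Allow,Deny + Allow all + Deny 10.0.0.0/8    -> everyone except that network
```
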
Second A: Authentication
Authentication is any process by which you verify that someone is really who they claim they are. This usually involves a user name and a password.
IBM i uses validation lists to implement authentication. A validation list is an IBM i object of type *VLDL. Each validation list contains a list of Internet users and their passwords. Each Internet user has one valid password defined for it.
In order to see how authentication works, we continue our example based on the HTTP server we created.
We must follow these three steps:
Here are two ways to create and delete validation lists.
After a validation list is created, you can add an Internet user by using IBM Web Administrator for i.
Figure 1 shows how to use the IBM Web Administrator for i to add an Internet user to the validation list. The fields of a validation list are as follows:
The fields for Group File and Group will be covered in the Authorization section.
After creating the validation list and adding Internet users, the next action is to set the configuration to use this validation list.
In our example, the HTTP server we created is pigm. The particular resource that we need to protect is directory /www/pigm/proctected. Basic authentication, the simplest method of authentication, is adopted. The validation list we specify is QGPL/PIGM.
Edit the following lines in the HTTP server configuration file /www/conf/<instancename>/httpd.conf.
The definitions of the directives are described below:
Now, let’s take a look at how basic authentication works.
When a particular resource has been protected using basic authentication, HTTP Server sends a 401 Authentication Required header with the response to the request, notifying the client that user credentials must be supplied for the resource to be returned as requested.
Upon receiving a 401 response header, the client’s browser, if it supports basic authentication as IE and Firefox do, will pop up a box to ask the user to supply a user name and password to be sent back to the server. If the user name is in the validation list, and if the password supplied is correct, the resource will be returned to the client.
Apart from validation list authentication, the IBM HTTP Server for i also provides other authentication methods. IBM i user profile authentication is one of them.
You can specify IBM i user profile authentication by just replacing the following line:
The new line is:
Using this value indicates that the server should use the IBM i User Profile support to validate user name and password.
Third A: Authorization
Authorization is any process by which someone, once identified, is permitted to use the resource.
In the example above, all of the valid users specified in the validation list have authority to access a protected resource, but can we allow only a specific person or group to access it?
The answer is yes. The IBM HTTP Server for i uses validation lists in conjunction with other resources, like group files, to limit access to server resources.
You can use validation lists in conjunction with a group file to manage a group of people that have access to that resource. You can add and remove members without having to edit the server configuration file and restart IBM HTTP Server for i each time.
Next, we combine authentication and authorization by executing the following steps:
The first step is the same as above. The second step is optional. You can use the group file API to create the group file. For the third step, remember to specify the group file and group when you try to add Internet users. Figure 2 shows how to use IBM Web Administrator for i to add an Internet user to a group and a group file. If you enter a group file that does not exist, the system will create it for you.
I create a sample group file /home/pigm/groupfile, in which two groups–g1 and g2–are defined. Then I add three Internet users: PIGM, Bob (who belongs to group g1), and James (who belongs to g2). Here are the contents of the lists:
g1: PIGM, Bob
g2: James
The last step is to set the configuration to use this validation list and group file. Once this file has been created, we can require that someone be in a particular group, say g1 in our example, in order to get the requested resource. This is done with the GroupFile directive, as shown in the following example.
Again, edit the following lines in the HTTP server configuration file: /www/conf/<instancename>/httpd.conf.
The directives are defined as follows:
In this example, all three users are defined in the validation list. However, only the users PIGM and Bob, both of whom belong to group g1, have authority to access the protected area, whereas the user James will be denied even though he also exists in the validation list. Here the two criteria, authentication and authorization, work together to limit access to server resources.
Now you are armed with the knowledge of how to leverage access control, authentication, and authorization, the AAA techniques, to provide a powerful security module for IBM HTTP Server for i.
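The basic authentication exchange and the group check described above can be traced end to end in a small model. This Python sketch is an added example, not code from the article or from IBM HTTP Server for i: the dictionary standing in for validation list QGPL/PIGM, its passwords, and the PBKDF2 hashing are assumptions, while the group file contents are the ones listed in the article.

```python
import base64
import hashlib
import hmac

def _hash(password, salt=b"constructed-salt"):
    # Stand-in for stored credentials; not how a *VLDL object stores passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

# Constructed stand-in for validation list QGPL/PIGM (passwords invented here).
VALIDATION_LIST = {u: _hash(p) for u, p in
                   [("PIGM", "pw-pigm"), ("Bob", "pw-bob"), ("James", "pw-james")]}
# Group file contents as listed in the article.
GROUP_FILE = "g1: PIGM, Bob\ng2: James\n"

def parse_group_file(text):
    """Map each group name to its set of members ('name: user, user')."""
    groups = {}
    for line in text.splitlines():
        name, sep, members = line.partition(":")
        if sep:
            groups[name.strip()] = {m.strip() for m in members.split(",") if m.strip()}
    return groups

def basic_header(user, password):
    """Build the header a browser sends: base64 is encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic(header):
    """Return (user, password) from an Authorization header, or None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def decide(header, required_group):
    creds = parse_basic(header)
    if creds is None:
        return "challenge"              # no usable credentials: server answers 401
    user, password = creds
    # Authentication: is this user in the validation list with this password?
    if not hmac.compare_digest(VALIDATION_LIST.get(user, b""), _hash(password)):
        return "authentication failed"
    # Authorization: is the authenticated user a member of the required group?
    if user not in parse_group_file(GROUP_FILE).get(required_group, set()):
        return "authorization denied"
    return "allowed"
```

Because the Authorization header is only base64-encoded, anyone who can read the request can recover the password, so a resource protected this way should be served over TLS.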
Pi Guang Ming is a software engineer for IBM’s i Web integration development team at the China System and Technology Lab. The i Web integration development team’s focus is on the Web-based management of middleware running on i, including WebSphere Application Server, WebSphere Portal Server, Integrated Web Services Server, Integrated Application Server, and the i HTTP server. Send your questions or comments for Jon to Ted Holt via the IT Jungle Contact page.