Cutting Through the Complexity
Making the leap from application security requirements to performing actual system configuration can seem like an enormous, and important, task. The options for authentication, authorization and network security seem endless. Realizing that this can be complex, IBM designed an HTTP server template (see Figure 1), which helps guide users through the key security considerations. The template translates security requirements into a consistently configured Web site using a repeatable process. The template is used with two common types of Web applications to illustrate making the right security decisions and then securing the applications in the HTTP server configuration. This article provides step-by-step instructions so you can see how straightforward it is to configure the server.
Some preparatory steps on your iSeries system are required before trying these example applications. You must create a few directories, files and user profiles, and then set some base iSeries authorities. For simplicity, these examples use basic static HTML files in place of real applications (e.g., CGI programs). If CGI programs or other types of applications are used, a few configuration directives would be different, although the configuration steps remain essentially the same. The directories used for storing the example Web files are:
Because each of the example files is secured differently, store them in these separate subdirectories.
The directories require *X authority for the QTMHHTTP user profile, which is the HTTP server's default user profile. *X lets the server search (traverse) a directory on the way to a file without being able to list or read the directory's contents, so it is all the server needs on the path to an application. The actual application file (e.g., HTML file, CGI program, etc.) should grant authority only to the user profile that's configured to access the application: either a special application-specific user profile or the user profiles of the clients making the request. Whichever profiles are used, they also require *X authority to all parent directories.
The example exercises require several user profiles. Two are for performing HTTP server administration and digital certificate management; the authorities these user profiles need are described in the IBM iSeries Information Center.
It's best to practice these examples on a new HTTP server that won't interfere with your production Web-serving environment. Use the HTTP server configuration and administration Web pages to create a new server "powered by Apache" called SEC123, listening on port 8123. Begin by starting the *ADMIN HTTP server and then pointing your Web browser to http://yourserver:2001. For these examples, specify a server root of /www/sec123 and a document root of /QIBM/UserData/apachelab/public/.
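The preparatory authorities described above, expressed as IBM i CL commands. This is an added example, not from the original article: the server root /www/sec123 and the document root /QIBM/UserData/apachelab/public are the paths the article names, but the subdirectory sample1, the file index.html and the application user profile SEC123APP are assumed here for illustration, and the choice to exclude *PUBLIC from every directory and file is a least-privilege default rather than something the article prescribes.

```cl
/* Added example, not the article's own commands. Assumed names:          */
/* subdirectory sample1, file index.html, user profile SEC123APP.         */

/* 1. Create the directories with no public access. CHGAUT/CRTDIR require  */
/*    OBJAUT(*NONE) whenever DTAAUT(*EXCLUDE) is given.                    */
CRTDIR DIR('/www/sec123') DTAAUT(*EXCLUDE) OBJAUT(*NONE)
CRTDIR DIR('/QIBM/UserData/apachelab') DTAAUT(*EXCLUDE) OBJAUT(*NONE)
CRTDIR DIR('/QIBM/UserData/apachelab/public') DTAAUT(*EXCLUDE) OBJAUT(*NONE)
CRTDIR DIR('/QIBM/UserData/apachelab/public/sample1') DTAAUT(*EXCLUDE) +
       OBJAUT(*NONE)

/* 2. QTMHHTTP, the server's default profile, gets *X (search only) on     */
/*    every directory on the path. It cannot list or read the directories  */
/*    and, deliberately, gets nothing on the application file itself.      */
CHGAUT OBJ('/www/sec123') USER(QTMHHTTP) DTAAUT(*X) OBJAUT(*NONE)
CHGAUT OBJ('/QIBM/UserData/apachelab') USER(QTMHHTTP) DTAAUT(*X) OBJAUT(*NONE)
CHGAUT OBJ('/QIBM/UserData/apachelab/public') USER(QTMHHTTP) DTAAUT(*X) +
       OBJAUT(*NONE)
CHGAUT OBJ('/QIBM/UserData/apachelab/public/sample1') USER(QTMHHTTP) +
       DTAAUT(*X) OBJAUT(*NONE)

/* 3. An application-specific profile (assumed name) that can never sign   */
/*    on interactively and holds no special authorities.                   */
CRTUSRPRF USRPRF(SEC123APP) PASSWORD(*NONE) USRCLS(*USER) SPCAUT(*NONE) +
          INLMNU(*SIGNOFF) LMTCPB(*YES) +
          TEXT('SEC123 sample application profile')

/* 4. That profile also needs *X on each parent directory of its file...   */
CHGAUT OBJ('/QIBM/UserData/apachelab') USER(SEC123APP) DTAAUT(*X) OBJAUT(*NONE)
CHGAUT OBJ('/QIBM/UserData/apachelab/public') USER(SEC123APP) DTAAUT(*X) +
       OBJAUT(*NONE)
CHGAUT OBJ('/QIBM/UserData/apachelab/public/sample1') USER(SEC123APP) +
       DTAAUT(*X) OBJAUT(*NONE)

/* 5. ...and is the only profile with read authority to the file. The      */
/*    file is assumed to have been placed in sample1 already (EDTF, FTP,   */
/*    etc.); stream files inherit nothing useful, so set both entries.     */
CHGAUT OBJ('/QIBM/UserData/apachelab/public/sample1/index.html') +
       USER(*PUBLIC) DTAAUT(*EXCLUDE) OBJAUT(*NONE)
CHGAUT OBJ('/QIBM/UserData/apachelab/public/sample1/index.html') +
       USER(SEC123APP) DTAAUT(*RX) OBJAUT(*NONE)

/* 6. Check the result: DSPAUT lists every profile with authority to the   */
/*    object. Expect only the owner, SEC123APP (*RX) and *PUBLIC (*EXCLUDE)*/
DSPAUT OBJ('/QIBM/UserData/apachelab/public/sample1/index.html')
DSPAUT OBJ('/QIBM/UserData/apachelab/public/sample1')
```

Run DSPAUT on each directory as well as the file: a *PUBLIC entry of anything other than *EXCLUDE, or a QTMHHTTP entry with more than *X, is a sign the base authorities were not set as intended. Telling the server to use SEC123APP for this application is done later in the HTTP server configuration; until then the request runs as QTMHHTTP, which by design cannot read index.html. The *ADMIN server the article refers to is started with STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN) before you browse to port 2001.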
Using the template and this process provides a smoother transition from security requirements to implementation.