Electronic commerce, intra-company communications, and record keeping have made security a crucial issue. In the sections that are listed below, you will see how your IBM HTTP Server provides security options on a variety of levels. These items cover both the internal communication of your company and external communication with your clients.
You can use one of these types of protection by itself or use two or three of these together.
User name and password protection.
With user authentication, you specify user names that you want requesters to use to access your protected resources. The manage web user access section can be your first step in setting up user authentication.
Secure Sockets Layer (SSL) client authentication.
With this type of protection, you can configure the server to use the SSL security protocol for data encryption and client/server authentication. Use the secure communications section to help you set up SSL.
Address template protection.
With this type of protection, you use address templates to specify valid requester addresses for the different types of requests. Use the working with document protection section to help you set up address template protection.
Lightweight Directory Access Protocol (LDAP)
You might choose to use the LDAP server to store user identification and password information. Use the “Storing and querying information with LDAP” on page 53 section to help.
Secure against denial-of-service attack
Choose the “Securing your server against a telnet denial-of-service attack” on page 55 section to learn how to set your default settings to detect such an attack.
Managing Internet users
When you take security precautions with your server, you may want to limit the users who access your server. With user authentication you can configure your server to allow or deny these users access to specific resources on your system. These users can be defined as AS/400 user profiles, or they can be defined within AS/400 validation lists. Users defined within AS/400 validation lists are known as Internet users. You can create a validation list containing Internet users by adding an Internet user.
Validation lists reside in AS/400 libraries and are required when adding a user unless you are adding the user to a group file. If you enter a validation list that does not exist, the system will create it for you.
You can implement user authentication with a validation list, which can contain Internet users, or AS/400 user profiles and their passwords. For additional security you can use SSL client authentication, by itself, or in combination with user authentication. Both user authentication and SSL client authentication are defined in protection setups and access control lists. Consult the protected resource section for assistance in creating protection setups for user authentication and SSL client authentication.
Adding an Internet user
You can add user names and passwords for access to your server. Internet users exist independently of AS/400 user profiles, and only your IBM HTTP Server uses them.
Use the Configuration and Administration forms to add a user to your IBM HTTP Server.
1. Click Internet Users.
2. Click Add Internet user.
3. Complete the Add Internet user form that is provided.
4. Click the Apply button.
You will receive a message that tells you whether or not the task completed successfully.
Once you add an Internet user to your system, you can perform the following tasks:
• Change that user’s password.
• Delete that user.
• List your Internet users.
• Create a protection setup for user authentication or SSL client authentication.
You may also want to examine your communication security options as you expand the use of your Web server.
Deleting an Internet user
Before you choose to delete an Internet user from your server, you may want to look at a list of your current users. A deleted user cannot be retrieved; you can only add a user over again. You also have the option of changing a user password. You can delete an Internet user from a validation list, group file, group, all groups within a group file, or all of these at once. Internet users exist independently of AS/400 user profiles, and only your IBM HTTP Server uses them.
Use the Configuration and Administration forms to delete a user from your server.
1. Click Internet Users.
2. Click Delete Internet user.
3. Complete the Delete Internet user form that is provided, entering the user information.
4. Click Delete to remove the Internet user you selected.
You will receive a message that tells you whether or not the task completed successfully.
Changing Internet user passwords
For security reasons, it may periodically become necessary to change Internet user passwords in your IBM HTTP Server. Changing passwords is an easy way to protect yourself and your clients. If you wish, you can view the information you will want to change by listing your Internet users.
Use the Configuration and Administration forms to change user passwords in your IBM HTTP Server.
1. Click Internet Users.
2. Click Change Internet user password.
3. Complete the Change Internet user password form that is provided.
4. Click the Apply button.
You will receive a message that tells you whether or not the task completed successfully.
Listing your Internet users
You will want to check the list of users to verify any changes you make. This function is also useful to keep you aware of who is on your user list.
Use the Configuration and Administration forms to list your server users.
1. Click Internet Users.
2. Click List Internet users.
3. Enter a validation list in the List Internet users form that is provided.
4. Click Next for a list of the Internet users in the validation list you specified. The system displays a list of Internet users for the validation list that you selected.
Protecting resources
Most likely, you will not want everyone to have access to all the information on your server. For example, you probably would not want everyone to have access to your common gateway interface (CGI) programs.
You can restrict access that is based on user name and password, the IP address, host name of the requester, validation lists, or client certificates.
You can use AS/400 object security to protect your CGI programs and your documents in the file system. The server will honor the AS/400 object security by swapping to the user profile you specify in your protection setup. User profile QTMHHTT1 is the default profile for CGI programs and QTMHHTTP is the default profile for all other resources.
Protection setups define how the server should control access to the resources being protected. These can be named to allow the same protection setup to protect multiple URLs on your server, or inlined to protect a single URL.
A Protect directive activates protection for a request. A protection setup is a group of protection subdirectives. The Protect directive identifies the protection setup that the server should use. It can also define the protection setup as part of the directive. The subdirectives comprising a protection setup work together to define how the server should control access to the resources being protected.
• Work with document protection.
• Create a protection setup.
• Delete a protection setup you have created.
• Change a protection setup.
You can use an ACL file to create specific authorizations to limit access to specific files in a directory that is already protected by a protection setup. You can use a protection setup to define the first level of access control, and then set up an ACL file to further limit access.
Working with document protection
With document protection, you can do the following:
• Specify URLs to protect on your server.
• Specify which clients can use your server as a proxy.
• Replace protection for URLs on your server.
• Remove protection for URLs on your server.
You can also activate different protection rules for a request based on the IP address or host on which the request arrives. For example, you might want to specify that a request beginning /cgi-bin/ received on address 9.67.106.79 is protected by the rules in a protection setup named PROT-A. You can specify that the same request received on address 9.83.1.191 is protected by the rules in a protection setup named PROT-B.
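To make the two levels of access control concrete, here is an added Python model (not the server's code or configuration syntax) of how a Protect rule selects a protection setup by request template and by the server address the request arrived on, using the text's PROT-A and PROT-B example, and how an ACL entry then narrows access to a single file in the protected directory; the user names, the ACL entry and the request paths are constructed for the example.

```python
"""Added model (not the server's code) of two-level access control in the
IBM HTTP Server: a Protect rule selects a protection setup by request
template and by the server address the request arrived on (PROT-A on
9.67.106.79, PROT-B on 9.83.1.191, as in the text), then an ACL entry
narrows access to individual files. Users, ACL entries and paths below
are constructed for the example."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Set

@dataclass
class ProtectRule:
    template: str                  # request template, e.g. "/cgi-bin/*"
    setup: str                     # protection setup name, e.g. "PROT-A"
    address: Optional[str] = None  # server address the request must arrive on; None = any

@dataclass
class ProtectionSetup:
    name: str
    users: Set[str] = field(default_factory=set)  # authenticated users the setup admits

def select_setup(rules: List[ProtectRule], path: str, local_addr: str) -> Optional[str]:
    """Return the first matching protection setup name, or None if the URL is unprotected."""
    for rule in rules:
        if rule.address is not None and rule.address != local_addr:
            continue  # rule applies only to requests received on another address
        if fnmatchcase(path, rule.template):
            return rule.setup
    return None

def authorize(rules, setups: Dict[str, ProtectionSetup], acl: Dict[str, Dict[str, Set[str]]],
              path: str, local_addr: str, user: str, method: str) -> str:
    """Apply the protection setup first, then any ACL rule for the specific file."""
    setup_name = select_setup(rules, path, local_addr)
    if setup_name is None:
        return "unprotected"
    if user not in setups[setup_name].users:
        return "denied by " + setup_name  # first level: the protection setup
    entry = acl.get(path)
    if entry is not None and user not in entry.get(method, set()):
        return "denied by ACL"            # second level: per-file ACL rule
    return "allowed via " + setup_name

# Constructed configuration mirroring the text's PROT-A / PROT-B example.
RULES = [
    ProtectRule("/cgi-bin/*", "PROT-A", "9.67.106.79"),
    ProtectRule("/cgi-bin/*", "PROT-B", "9.83.1.191"),
]
SETUPS = {
    "PROT-A": ProtectionSetup("PROT-A", {"alice", "bob"}),
    "PROT-B": ProtectionSetup("PROT-B", {"carol"}),
}
# Hypothetical ACL: only alice may GET the admin program, although PROT-A admits bob.
ACL = {"/cgi-bin/admin": {"GET": {"alice"}}}
```

Note that the same path yields a different setup depending only on the address the request was received on, and that a user admitted by the setup can still be refused by the ACL for one file.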
Use the Configuration and Administration forms to work with your document protection setup.
1. Click Configurations.
2. Click Protection.
3. Click Document protection.
4. Complete the Document protection form that is provided.
5. Click the Apply button.
You will receive a message that tells you whether or not the task completed successfully.
Creating protection setups
A protection setup is a group of protection subdirectives. These subdirectives work together to define how the server should control access to the resources being protected. When the server receives a request that matches a protected URL request template, the server activates protection. The server goes to the protection setup that is associated with the matching template to determine how to control access to the protected resources.
When working with protection setups you may choose to restrict access based on HTTP method, client host name, client IP address, specific users or specific groups. You can use the Mask subdirectives on the protection setup forms to work with this type of protection.
Use the Configuration and Administration forms to create protection setups.
1. Click Configurations.
2. Click Protection.
3. Click Create protection setup.
4. Complete the Create protection setup form that is provided.
If you use SSL client authentication (see “SSL” on page 100), then the server requests certificates from any clients that make secure requests. The server establishes a secure connection whether or not the client has a valid certificate. You can protect your resources based on valid client certificates, certificates with particular Distinguished Name (DN) information, certificates that you associate with AS/400 user profiles, and certificates that you associate with validation lists.
You will receive a message that tells you whether or not the task completed successfully.
Deleting protection setups
Deleting a protection setup will permanently remove the protection setup from the server configuration. To replace it, you will need to create another protection setup. Use the Configuration and Administration forms to delete protection setups.
1. Click Configurations.
2. From the menu in the navigation bar, select the configuration with which you want to work.
3. Click Protection.
4. Click Delete protection setup.
5. Select a protection setup in the configuration you chose from the list on the Delete protection setup form that is provided.
6. Click Delete to remove the protection setup you selected.
You will receive a message that tells you whether or not the task completed successfully.
Changing protection setups
Changing a protection setup will change what server resources the setup protects as well as how the setup protects them.
Use the Configuration and Administration forms to change existing protection setups.
1. Click Configurations.
2. Click Protection.
3. Click Change protection setup.
4. Choose a protection setup from the list on the Change protection setup form that is provided.
You will receive a message that tells you whether or not the task completed successfully.
Creating access control lists
Access control provides directory level protection. The access control lists (ACL) form displays any ACL rules that are already specified for the ACL file. The form also allows you to add new rules as well as replace or remove existing rules. Use the Configuration and Administration forms to set up an ACL file.
1. Click Access Control lists.
2. Complete the Access Control lists form that is provided. You receive confirmation when your server processes the form.
Securing communications between users and Web sites
IBM HTTP Server provides HTTP secure (HTTPS) transactions with the SSL protocol (see “SSL” on page 100). This protocol ensures that data transferred between a client and a server remains private. It allows the client to authenticate the identity of the server and the server to authenticate the identity of the client.
You can work with SSL and specify SSL client authentication in protection setups and access control lists (ACL) on your Web server. Consult the protected resource section for assistance in creating protection setups for user authentication and SSL client authentication.
Once your server has a digital certificate, SSL-enabled browsers like the Netscape Navigator can communicate securely with your server by using SSL. To do this, you need to configure your server for secure serving. With SSL, you can easily establish a security-enabled Web site on the Internet or on your corporate intranet. You can also install digital certificates on the clients in your network so the server can authenticate connections without prompting for a user ID or password. In order to configure security, you will need one of the following IBM Cryptographic Access Provider products installed on your system.
• Crypto Access Provider 40-bit for AS/400 (5769-AC1)
• Crypto Access Provider 56-bit for AS/400 (5769-AC2)
• Cryptographic Access Provider 128-bit (5769-AC3)
You cannot run secure serving without one of these products.
Configuring your server for secure serving
To configure your server for secure Web serving, you need to use SSL. You must also obtain a digital server certificate to be used by SSL for your Web server instances. Digital Certificate Manager (DCM) can be used to obtain a new, or register an existing, certificate for any secure server instance of the IBM HTTP Server for AS/400. It should be noted, however, that DCM is a separately installable product for the AS/400 and does not come with IBM HTTP Server. You can access DCM through your AS/400 Tasks page. For more information, look at DCM in the Information Center. Then use the Configuration and Administration forms to register HTTP Server with DCM (see “Using the Configuration and Administration forms” on page 16).
1. Click Configurations.
2. Click Security configuration.
4. Click the Apply button. You receive confirmation when your server processes the form. Filling in this form generates an Application ID which you will need in order to complete the security configuration.
5. Click Digital Certificate Manager.
6. Click Work with Applications.
7. Complete the Work with Applications form that is provided.
Using SSL with your server
You can provide secure Web serving when you run HTTP traffic over the SSL protocol (see “SSL” on page 100). To use SSL, your server must have a digital certificate.
For example, a retail company on the Internet can allow users to look through the merchandise without security, and then have those same users fill out order forms and send their credit card numbers by using security.
A browser that does not support HTTPS cannot request URLs by using HTTP over SSL. The non-SSL browsers will not allow the submission of forms that need secure submission.
Storing and querying information with LDAP
Lightweight Directory Access Protocol (LDAP) is a directory service protocol that provides access to a directory over a Transmission Control Protocol (TCP) or SSL connection. It lets you store information in that directory service and query it in a database fashion.
The LDAP directory service follows a client/server model where one or more LDAP servers contain the directory data. An LDAP client, for example IBM HTTP Server, connects to the LDAP server and makes a request. The LDAP Server performs the directory search and responds with the result. The LDAP server may be located on your AS/400 (AS/400 Directory Services) or on other systems. LDAP servers can be used by the IBM HTTP Server for server configuration or user authentication.
Using LDAP support allows multiple HTTP servers to share configuration information.
You can use LDAP to retrieve configuration information. You can create, change, or delete your LDAP server setup.
Using LDAP with configuration information
Storing information on a Lightweight Directory Access Protocol (LDAP) server allows applications to share the information.
Use the Configuration and Administration forms to specify the LDAP server setup and information necessary to retrieve configuration information from an LDAP server.
1. Click Configurations.
2. Click LDAP.
3. Click LDAP includes.
4. Complete the LDAP includes form that is provided.
5. Click the Apply button.
You will receive a message that tells you whether or not the task completed successfully.
Creating an LDAP server setup
Storing information on a Lightweight Directory Access Protocol (LDAP) server allows applications to share the information.
The server associates information on an LDAP server with server attributes. The server generates a query that is based on attributes and sends it to the LDAP server, and the LDAP server returns the respective values.
Use the Configuration and Administration forms to create your LDAP server setup.
1. Click Configurations.
2. Click LDAP.
3. Click Create LDAP server setup.
4. Complete page one of the Create LDAP server setup form that is provided.
5. Click the Next button.
6. Complete page two of the Create LDAP server setup form that is provided.
7. Click the Apply button.
You will receive a message that tells you whether or not the task completed successfully.
Changing an LDAP server setup
Storing information on a Lightweight Directory Access Protocol (LDAP) server allows applications to share the information.
The server associates information on an LDAP server with server attributes. The server generates a query that is based on attributes and sends it to the LDAP server, and the LDAP server returns the respective values.
Use the Configuration and Administration forms to change your LDAP server setup.
1. Click Configurations.
2. Click LDAP.
3. Click Change LDAP server setup.
4. Select an LDAP server setup from the list on page one of the Change LDAP server setup form that is provided.
5. Click the Next button.
6. Complete page two of the Change LDAP server setup form that is provided.
7. Click the Apply button.
You will receive a message that tells you whether or not the task completed successfully.
Deleting an LDAP server setup
Storing information on a Lightweight Directory Access Protocol (LDAP) server allows applications to share the information.
The server associates information on an LDAP server with server attributes. The server generates a query that is based on attributes and sends it to the LDAP server, and the LDAP server returns the respective values.
Use the Configuration and Administration forms to delete your LDAP server setup.
1. Click Configurations.
2. Click LDAP.
3. Click Delete LDAP server setup.
4. Select an LDAP server setup from the list on the Delete LDAP server setup form that is provided.
5. Click Delete to remove the LDAP server setup you selected.
You will receive a message that tells you whether or not the task completed successfully.
Securing your server against a telnet denial-of-service attack
An attack could result in a denial of service to your Web server. The configuration to protect against attacks has default settings, but you may want to change them to suit your individual needs.
Your server can detect a denial-of-service attack by measuring the time-out of certain clients’ requests. If the server does not receive a request from the client, then your server determines that a telnet denial-of-service attack is in progress.