Setting up password protection on HTTP Server (powered by Apache)

 

In the IBM HTTP Server for i5/OS, you can set up password protection for resources on your HTTP Server with the IBM Web Administration for i5/OS interface.

You can protect Web resources by asking the user for a userid and password to gain access to these resources. Group files can be used to classify users into groups (for example: users and administrators). This allows you to limit access to those users that are defined in a group. If the user is listed in the group, then the userid and password are validated in one of the following ways:

 


 

Group file password protection

The following steps explain how to add password protection (using groups) to a directory context.

  1. Create a group file with the following format:

    groupname: user1[, user2[, user3...]]

    groupname

    Any name you want to use to identify the group you are defining. This name can be used on subsequent group definitions within the same server group file.

    user1[, user2[, user3...]]

    This can be any combination of user names and group names. Separate each item with a comma.

    For example:

    ducks: webfoot, billface, swandude
    geese: goosegg, bagel
    flock: ducks, geese

    In the above example, notice that once the groups named ducks and geese are defined, they can be included as part of the group named flock.

  2. Click the Manage tab.

  3. Click the HTTP Servers subtab.

  4. Select your HTTP Server (powered by Apache) from the Server list.

  5. Select the context you want to work with from the Server area list.

    Do not select Global configuration or Virtual Host. If the Authentication tab cannot be selected, select a different context to work with from the Server area list.

  6. Expand Server Properties.

  7. Click Security.

  8. Click the Authentication tab in the form.

  9. Select Use Internet users in validation list or Use OS/400® profile of client under User authentication method.

    Base your selection on the incoming traffic your HTTP Server (powered by Apache) will receive. If incoming traffic is from outside of your local access network, using Internet users in a validation list would be more beneficial than using i5/OS™ profiles. If incoming traffic is from a local access network, using i5/OS profiles would be more beneficial than using Internet users in a validation list.

  10. Enter an authentication name or realm. The realm name is displayed on the login prompt.

  11. Add a user authentication method if necessary.

  12. Click OK.

After configuring authentication, configure control access.

  1. Select the same context you worked with previously from the Server area list.

  2. Expand Server Properties.

  3. Click Security.

  4. Click the Control Access tab in the form.

  5. Select Specific users and groups.

  6. Click Add under the User and Group names table.

  7. Select Group from the list in the Type column.

  8. Enter the name of the group in the Name column.

  9. Enter the path/filename of the group file used above.

  10. Click OK.

Note that changes to existing group files take effect after the HTTP Server is restarted.
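
The following is an added example, not part of the original documentation or of the IBM HTTP Server code. It expands the nested groups of a group file in the format from step 1, so you can review which users a group such as flock actually admits before naming it on the Control Access tab. It assumes one definition per line and that a name counts as a group only when it was defined on an earlier line; the function name and the sample entries admins and ops are constructed for illustration.

```python
# Added example: expands nested groups in the group file format shown above.
# Assumptions: one definition per line; a name counts as a group only if it
# was defined on an earlier line, otherwise it is treated as a user name.

# Constructed sample; "admins" uses "ops" before "ops" is defined.
SAMPLE = """\
ducks: webfoot, billface, swandude
geese: goosegg, bagel
flock: ducks, geese
admins: ops, webfoot
ops: bagel
"""


def parse_group_file(text):
    """Return (groups, warnings); groups maps group name -> set of users."""
    groups, defined_at, entries, warnings = {}, {}, [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        name, sep, members = line.partition(":")
        name = name.strip()
        if not sep or not name:
            warnings.append(f"line {lineno}: expected 'groupname: user1, user2'")
            continue
        if name in defined_at:
            warnings.append(f"line {lineno}: group '{name}' is defined twice")
        defined_at.setdefault(name, lineno)
        items = [m.strip() for m in members.split(",") if m.strip()]
        users = set()
        for item in items:
            if item in groups and item != name:
                users |= groups[item]  # earlier group: pull in its users
            else:
                users.add(item)        # plain user name
        groups[name] = users           # a repeated name replaces the earlier set
        entries.append((lineno, items))
    # Under the assumption above, a member naming a group defined further
    # down was read as a user name, so report the ordering problem.
    for lineno, items in entries:
        for item in items:
            if defined_at.get(item, 0) > lineno:
                warnings.append(f"line {lineno}: '{item}' is used before it is defined")
    return groups, warnings


if __name__ == "__main__":
    effective, problems = parse_group_file(SAMPLE)
    for group, users in effective.items():
        print(f"{group}: {', '.join(sorted(users))}")
    for problem in problems:
        print("WARNING:", problem)
```
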

 

User profiles password protection

You can protect Web resources by asking the user for a userid and password to gain access to these resources. An iSeries user profile can be used to authenticate users.

To configure password protection using a user profile, do the following:

  1. Click the Manage tab.

  2. Click the HTTP Servers subtab.

  3. Select your HTTP Server (powered by Apache) from the Server list.

  4. Select the context you want to work with from the Server area list.

  5. Expand Server Properties.

  6. Click Security.

  7. Click the Authentication tab in the form.

    If the Authentication tab cannot be selected, select a different context to work with from the Server area list.

  8. Select Use OS/400 profile of client under User authentication method.

  9. Enter an authentication name or realm. The realm name is displayed on the login prompt.

  10. Choose one of the two methods below:

    Enter a user name in the OS/400 user profile to process requests field.

    Select a user name under OS/400 user profile to process requests. Select Default server profile to allow the HTTP Server profile (QTMHHTTP) to process requests.

  11. Click OK.

After configuring authentication, configure control access.

  1. Select the same context you worked with previously from the Server area list.

  2. Expand Server Properties.

  3. Click Security.

  4. Click the Control Access tab in the form.

  5. Select All authenticated users (valid user name and password) under Control access based on who is making requests.

  6. Click OK.

 

LDAP password protection

You can protect Web resources by asking the user for a userid and password (to gain access to these resources). A Lightweight Directory Access Protocol (LDAP) server can be used to authenticate users.

LDAP is a directory service protocol that runs over TCP/IP, over either a non-secure connection or Secure Sockets Layer (SSL). The LDAP directory service follows a client/server model, where one or more LDAP servers contain the directory data. This allows any LDAP-enabled application to store information once (such as user authentication information). Other applications using the LDAP server are then able to request the stored information. The HTTP Server (powered by Apache) can act as an LDAP client, making requests for information.

One of the advantages of using the LDAP server for authentication is that it allows the information to be shared by multiple LDAP clients, and stores the information in a platform independent fashion. This can help prevent information from being duplicated within a network.

The following steps explain how to add password protection (using LDAP) to a directory context.

  1. Click the Manage tab.

  2. Click the HTTP Servers subtab.

  3. Select your HTTP Server (powered by Apache) from the Server list.

  4. Select the context you want to work with from the Server area list.

  5. Expand Server Properties.

  6. Click Security.

  7. Click the Authentication tab in the form.

    If the Authentication tab cannot be selected, select a different context to work with from the Server area list.

  8. Select Use user entries in LDAP server under User authentication method.

  9. Enter an authentication name or realm. The realm name is displayed on the login prompt.

  10. Enter an LDAP configuration file.

  11. Enter an LDAP group name or filter.

  12. Click OK.

After configuring authentication, configure control access.

  1. Select the same context you worked with previously from the Server area list.

  2. Expand Server Properties.

  3. Click Security.

  4. Click the Control Access tab in the form.

  5. Select one of the options for who can access this resource.

  6. Select one of the options for who can access this resource under Users and groups who can access this resource.

  7. Select Allow access to all, except the following under Control access based on where the request is coming from.

  8. Enter any domain names or IP addresses you do not want to allow access to.

  9. Click OK.