Security considerations for iSeries™ Access for Web include user authentication, specifying user access, object-level security, using a security protocol, and the use of exit programs.
iSeries Access for Web needs to have the user identity authenticated so that i5/OS® resources are accessed with the correct user profile. The methods of authenticating the user identity are different for the Web application and the portal application.
The Web application can be configured to authenticate users or to allow WebSphere® to authenticate users.
The Web application authenticates the user identity with i5/OS using a user profile and password. HTTP basic authentication is used to prompt for a user profile and password. HTTP basic authentication encodes the user profile and password, but does not encrypt them. To secure authentication information during transmission, secure HTTP (HTTPS) should be used.
WebSphere authenticates the user identity with the active user registry. WebSphere uses HTTP basic authentication or form-based authentication to prompt for the user ID and password. HTTP basic authentication encodes the user ID and password, but does not encrypt them. Form-based authentication sends the user ID and password in clear text. To secure authentication information during transmission, secure HTTP (HTTPS) should be used.
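The two paragraphs above say that HTTP basic authentication only encodes credentials and that form-based authentication sends them in clear text. The following added example, which is not part of the IBM documentation, audits constructed request records and flags any credentials that crossed the wire without HTTPS. The request layout, the paths and the user names are hypothetical, and the `j_security_check`, `j_username` and `j_password` names are the standard Java EE form-login names, assumed here rather than taken from this page.

```python
import base64
from urllib.parse import parse_qs

def decode_basic(header_value):
    """Return (user, password) from an 'Authorization: Basic ...' value, or None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # Base64 is an encoding, not encryption: no key is needed to reverse it.
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def audit_request(req):
    """Return (finding, user) pairs for credentials sent without TLS."""
    if req["scheme"] == "https":
        return []  # credentials were protected in transit
    findings = []
    creds = decode_basic(req["headers"].get("Authorization", ""))
    if creds:
        # Report only the user name; never log the recovered password.
        findings.append(("basic-auth-over-http", creds[0]))
    if req["method"] == "POST" and req["path"].endswith("/j_security_check"):
        form = parse_qs(req.get("body", ""))
        if "j_username" in form and "j_password" in form:
            findings.append(("form-login-over-http", form["j_username"][0]))
    return findings

# Constructed sample requests; user names, passwords and paths are made up.
TOKEN = base64.b64encode(b"QUSER1:s3cret").decode("ascii")
SAMPLES = [
    {"scheme": "http", "method": "GET", "path": "/app/home",
     "headers": {"Authorization": "Basic " + TOKEN}},
    {"scheme": "https", "method": "GET", "path": "/app/home",
     "headers": {"Authorization": "Basic " + TOKEN}},
    {"scheme": "http", "method": "POST", "path": "/app/j_security_check",
     "headers": {}, "body": "j_username=wasuser&j_password=s3cret"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["scheme"], sample["path"], audit_request(sample))
```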
Allowing WebSphere to authenticate the user identity using form-based authentication enables the Web application to participate in WebSphere single sign-on (SSO) environments.
Once WebSphere has authenticated the user identity, the Web application uses Enterprise Identity Mapping (EIM) to map the authenticated WebSphere user identity to an i5/OS user identity.
For information on iSeries Access for Web and EIM, see the "Single sign-on considerations" topic.
For information on WebSphere single sign-on, see "Configure single sign-on" in the appropriate information center version. Links to WebSphere information centers are in the IBM® WebSphere Application Server documentation.
The portal application relies on the portal server to authenticate the user identity.
Once the portal server has authenticated the user identity, the iSeries Access portlets can be used. Each portlet provides an option in edit mode for selecting the credential to use when accessing i5/OS resources. Select one of these options:
For information about how WebSphere Portal authenticates the user identity, see Securing your portal > Security Concepts > Authentication in the WebSphere Portal Information Center.
Users can be restricted from accessing iSeries Access for Web functions. Different methods of restricting access are used in the Web application and the portal application.
For information on restricting access to functions for the Web application, see the "Policies" topic.
For information on restricting access to functions for the portal application, see the "Portal roles" topic.
iSeries Access for Web uses object-level security when accessing i5/OS resources. Users cannot access i5/OS resources if their i5/OS user profile does not have the proper authority.
You can configure the system to use a security protocol, called Secure Sockets Layer (SSL), for data encryption and client/server authentication. For information about SSL, HTTPS, and digital certificates, see the following:
iSeries Access for Web makes extensive use of the following Host Servers:
Exit programs that restrict access to these servers, especially Remote Command/Program Call, will prevent all or portions of iSeries Access for Web from functioning.