ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamv_5.4.0.1/rzamvtcpadminhttp.htm

103 lines
6.2 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Administration considerations" />
<meta name="abstract" content="This article provides recommendations for securing the Internet server." />
<meta name="description" content="This article provides recommendations for securing the Internet server." />
<meta name="DC.Relation" scheme="URI" content="rzamvtcpcontrolhttp.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="tcpadminhttp" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Administration considerations</title>
</head>
<body id="tcpadminhttp"><a name="tcpadminhttp"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Administration considerations</h1>
<div><p>This article provides recommendations for securing the Internet
server.</p>
<p>Following are some security considerations for administering your Internet
server.</p>
<ul><li>You perform setup and configuration functions by using a Web browser and
the *ADMIN instance. For some functions, such as creating additional instances
on the server, you must use the *ADMIN server.</li>
<li>The default URL for the administration home page (the home page for the
*ADMIN server) is published in the documentation for products that provide
browser administration functions. Therefore, the default URL will probably
be known by hackers and published in hacker forums, just like the default
passwords for IBM-supplied user profiles are known and published. You can
protect yourself from this exposure in several ways:<ul><li>Only run the *ADMIN instance of the HTTP server when you need to perform
administrative functions. Do not have the *ADMIN instance running all the
time.</li>
<li>Activate SSL support for the *ADMIN instance (by using Digital Certificate
Manager). The *ADMIN instance uses HTTP protection directives to require a
user ID and password. When you use SSL, your user ID and password are encrypted
(along with all the other information about your configuration that appears
on the administration forms). </li>
<li>Use a firewall both to prevent access to the *ADMIN server from the Internet
and to hide your system and domain names, which are part of the URL.</li>
</ul>
</li>
<li>When you perform administration functions, you must sign on with a user
profile that has *IOSYSCFG special authority. You might also need authority
to specific objects on the system, such as the following:<ul><li>The libraries or directories that contain your HTML documents and CGI
programs. </li>
<li>Any user profiles that you plan to swap to within the directives for the
server. </li>
<li>The Access Control Lists (ACLs) for any directories that your directives
use. </li>
<li>A validation list object for creating and maintaining user IDs and passwords.</li>
</ul>
</li>
<li>With both the *ADMIN server and TELNET, you have the capability to perform
administration functions remotely, perhaps over an Internet connection. Be
aware that if you perform administration over a public link (the Internet),
you might be exposing a powerful user ID and password to sniffing. The ″sniffer″
can then use this user ID and password to attempt to access your system using,
for example, TELNET or FTP.</li>
<li>The HTTP directives provide the foundation for all activity on your server.
The shipped configuration provides the capability to serve a default Welcome
page. A client cannot view any documents except the Welcome page until the
server administrator defines directives for the server. To define directives,
use a Web browser and the *ADMIN server or the Work with HTTP Configuration
(<span class="cmdname">WRKHTTPCFG</span>) command. Both methods require *IOSYSCFG special
authority. When you connect your system to the Internet, it becomes
even more critical to evaluate and control the number of users in your organization
who have *IOSYSCFG special authority.</li>
</ul>
<div class="note"><span class="notetitle">Notes:</span> <ol><li>TELNET, the Sign On display is treated like any other display. Although
the password does not display when you type it, the system transmits it without
any encryption or encoding. </li>
<li>With the *ADMIN server, the password is encoded not encrypted. The encoding
scheme is an industry standard, and thus commonly known among the hacker community.
Although the encoding is not easily understood by the casual ″sniffer,″ a
sophisticated sniffer probably has tools to attempt to decode the password.</li>
</ol>
</div>
<div class="note"><span class="notetitle">Security tip:</span> If you plan to perform remote
administration over the Internet, you should use the *ADMIN instance with
SSL, so that your transmissions are encrypted. Do not use an insecure application.
If you are using the *ADMIN server across an intranet of trusted users, you
can safely use this for administration.</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvtcpcontrolhttp.htm" title="This article discusses considerations for protecting the contents of your Web site.">Control access to the HTTP server</a></div>
</div>
</div>
</body>
</html>