ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzaie_5.4.0.1/rzaiesetauth.htm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="topic" />
<meta name="DC.Title" content="User profiles and required authorities for HTTP Server" />
<meta name="abstract" content="This topic provides information about user profiles and required authorities for the HTTP Server." />
<meta name="description" content="This topic provides information about user profiles and required authorities for the HTTP Server." />
<meta name="DC.Relation" scheme="URI" content="rzaieconcepts.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2002,2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002,2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzaiesetauth" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>User profiles and required authorities for HTTP Server</title>
</head>
<body id="rzaiesetauth"><a name="rzaiesetauth"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">User profiles and required authorities for HTTP Server</h1>
<div><p>This topic provides information about user profiles and required
authorities for the HTTP Server.</p>
<div class="important"><span class="importanttitle">Important:</span> Information
for this topic supports the latest PTF levels for HTTP Server for i5/OS.
It is recommended that you install the latest PTFs to upgrade to the latest
level of the HTTP Server for i5/OS. Some of the topics documented here are
not available prior to this update. See <a href="http://www-03.ibm.com/servers/eserver/iseries/software/http/services/service.html" target="_blank">http://www-03.ibm.com/servers/eserver/iseries/software/http/services/service.html</a> <img src="www.gif" alt="Link outside Information Center" /> for more information. </div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaieconcepts.htm" title="This topic provides concepts of functions on HTTP Server and IBM Web Administration for i5/OS interface.">Concepts of functions of HTTP Server</a></div>
</div>
</div><div class="nested1" id="pba"><a name="pba"><!-- --></a><h2 class="topictitle2">User profiles and required authorities for HTTP Server (powered by
Apache) </h2>
<div><p><strong>Webmaster user profile</strong></p>
<p>The Webmaster user profile must have read, write, and execute authority
to the directory path of the server root directory. This is necessary because
the HTTP Administration server swaps to the Webmaster user profile during
configuration and administration. If you are using the <strong>Create New HTTP
Server wizard</strong>, the default server root path is <tt>/www/server_name/</tt>,
where server_name is the name of HTTP Server. </p>
<p>If there are directories in the path which already exist, the Webmaster
user profile must have read, write, and execute authority to those directories
prior to executing the <strong>Create New HTTP Server wizard</strong>. Note that directory <em>www</em> already
exists when the product is shipped. If you plan to use the default server
root path of the <strong>Create New HTTP Server wizard</strong> then the authority to
directory <em>www</em> will need to be changed prior to executing the wizard. </p>
<p>The Webmaster user profile must have the following authorities to perform
configuration and administration tasks: </p>
<ul><li>*IOSYSCFG special authority </li>
<li>*SERVICE special authority if you plan to use the trace TCP application
(TRCTCPAPP) function </li>
<li>*CHANGE authority to the library object QUSRSYS </li>
<li>*ALL authority to the following objects:<ul><li>QUSRSYS/QATMHINSTA </li>
<li>QUSRSYS/QATMHINSTC </li>
</ul>
</li>
<li>*USE authority for the following command objects: <ul><li>CRTVLDL </li>
<li>STRTCPSVR </li>
<li>ENDTCPSVR </li>
</ul>
</li>
<li>*RX authority for root directory ("<tt>/</tt> ") and directory "<tt>/www</tt>",
including all subdirectories in the path</li>
<li>*RWX authority for directory "<tt>/www/server_name/</tt>"</li>
</ul>
<p>If the QPWFSERVER authorization list restricts *PUBLIC access to *EXCLUDE
and QSYS.LIB is one of the objects secured by that list, an entry must be
added that grants the Webmaster user profile *CHANGE authority. Use the
"DSPAUTL AUTL(QPWFSERVER)" command to display the authorization list. The
"ADDAUTLE AUTL(QPWFSERVER) USER(&lt;webmaster&gt;) AUT(*CHANGE)" command
grants the required authority.</p>
<div class="note"><span class="notetitle">Note:</span> Granting *ALLOBJ authority to the Webmaster user profile is not recommended.
Using the QSECOFR user profile as the Webmaster user profile is not recommended. </div>
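<p>The following CL commands carry out the Webmaster setup described above. They are an added worked example, not part of HTTP Server or of this topic: the profile name WEBADMIN, the server name myserver, the placeholder password and the QSYS library qualification on the command objects are assumptions. Run them from a profile that is authorized to these objects (for example, the security officer); the change to /www must be made before the Create New HTTP Server wizard runs, and the change to the server root after it.</p>

```cl
/* Added example, not shipped with HTTP Server: authorities for the Webmaster   */
/* profile.  WEBADMIN, myserver and the password are placeholders (assumptions). */

/* 1. A dedicated profile.  Not QSECOFR, no *ALLOBJ: only *IOSYSCFG.  Add       */
/*    *SERVICE to SPCAUT only if this profile will run TRCTCPAPP.                */
CRTUSRPRF  USRPRF(WEBADMIN) PASSWORD(CHANGEME1) PWDEXP(*YES) +
           USRCLS(*USER) SPCAUT(*IOSYSCFG) TEXT('HTTP Server webmaster')

/* 2. Library and instance files that the administration server updates.        */
GRTOBJAUT  OBJ(QUSRSYS) OBJTYPE(*LIB) USER(WEBADMIN) AUT(*CHANGE)
GRTOBJAUT  OBJ(QUSRSYS/QATMHINSTA) OBJTYPE(*FILE) USER(WEBADMIN) AUT(*ALL)
GRTOBJAUT  OBJ(QUSRSYS/QATMHINSTC) OBJTYPE(*FILE) USER(WEBADMIN) AUT(*ALL)

/* 3. Commands run under the swapped-to Webmaster profile.                      */
GRTOBJAUT  OBJ(QSYS/CRTVLDL)   OBJTYPE(*CMD) USER(WEBADMIN) AUT(*USE)
GRTOBJAUT  OBJ(QSYS/STRTCPSVR) OBJTYPE(*CMD) USER(WEBADMIN) AUT(*USE)
GRTOBJAUT  OBJ(QSYS/ENDTCPSVR) OBJTYPE(*CMD) USER(WEBADMIN) AUT(*USE)

/* 4. IFS path, before the wizard: *RX on the root and *RWX on the shipped /www  */
/*    directory so the wizard can create /www/myserver under it.                 */
CHGAUT     OBJ('/')    USER(WEBADMIN) DTAAUT(*RX)
CHGAUT     OBJ('/www') USER(WEBADMIN) DTAAUT(*RWX)

/* 5. Only if QPWFSERVER excludes *PUBLIC and secures QSYS.LIB (check first).    */
DSPAUTL    AUTL(QPWFSERVER)
ADDAUTLE   AUTL(QPWFSERVER) USER(WEBADMIN) AUT(*CHANGE)

/* 6. After the wizard has created the server root: *RWX on it and everything   */
/*    below it, then /www back down to *RX as listed above.                      */
CHGAUT     OBJ('/www/myserver') USER(WEBADMIN) DTAAUT(*RWX) SUBTREE(*ALL)
CHGAUT     OBJ('/www') USER(WEBADMIN) DTAAUT(*RX)

/* 7. Verify the special authorities and the resulting directory entries.       */
DSPUSRPRF  USRPRF(WEBADMIN)
DSPAUT     OBJ('/www/myserver')
```

<p>DSPAUT lists the private authority entries on each directory; any directory in the path that shows less than *RX for WEBADMIN (or less than *RWX on /www before the wizard runs) will prevent the wizard from creating the server root.</p>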
<p><strong>Server user profiles</strong></p>
<p>The QTMHHTTP user profile is the default user profile of HTTP Server. This
user profile is referred to as the server user profile. The server user profile
must have read and execute authority to the directory path of the server root
directory. If you are using the <strong>Create New HTTP Server wizard</strong>, the
default server root path is <tt>/www/server_name/</tt>, where server_name
is the name of the HTTP Server (powered by Apache). </p>
<p>The server user profile must have read, write, and execute authority to
the directory path where the log files are stored. If you are using the <strong>Create
New HTTP Server wizard</strong>, the default path is <tt>/www/server_name/logs/</tt>,
where server_name is the name of the HTTP Server (powered by Apache). The
log files could include any access, script, or rewrite logs. These logs may
or may not be configured to be stored in the <tt>/www/server_name/logs/</tt> directory.
Since log files could potentially contain sensitive information, the security
of the configuration and log files should be fully considered. The path of
the configuration and log files should only be accessible by the appropriate
user profiles. </p>
<p>The QTMHHTP1 user profile is the default user profile that HTTP Server
uses when running CGI programs. This user profile must have read and execute
authority to the location of any CGI program. User QTMHHTTP requires *RWX
(write) authority to directory '<em>/tmp</em>'.</p>
<p>You can optionally specify that the QTMHHTTP or QTMHHTP1 user profile swap
to another user profile as long as that user profile has the required authorities.
For more information, see <a href="rzaiemod_as_auth.htm#userid">UserID</a>.</p>
<ul><li>*RX authority for root directory ("<tt>/</tt> ") and directory "<tt>/www</tt>",
including all subdirectories in the path</li>
<li>*RWX authority for directory "<tt>/www/server_name/</tt>"</li>
</ul>
<div class="note"><span class="notetitle">Note:</span> Granting *ALLOBJ authority to any server user profile is not recommended.</div>
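<p>The directory authorities described above for the server user profile (QTMHHTTP) and the CGI user profile (QTMHHTP1), as an added example in CL that is not part of the product or of this topic. It assumes a server named myserver created with the wizard's default layout, CGI programs under /www/myserver/cgi-bin, and a Webmaster profile named WEBADMIN; it also removes *PUBLIC access from the configuration and log directories, since log files can contain sensitive information.</p>

```cl
/* Added example, not part of HTTP Server or this topic.  Runtime authorities   */
/* for a server named myserver under the wizard's default layout; the CGI       */
/* directory /www/myserver/cgi-bin and the Webmaster profile WEBADMIN are       */
/* assumptions.  QTMHHTTP and QTMHHTP1 are the shipped server and CGI profiles. */

/* 1. The path down to the server root: read and execute only, for both         */
/*    profiles.  Neither needs write authority here.                            */
CHGAUT  OBJ('/')             USER(QTMHHTTP QTMHHTP1) DTAAUT(*RX)
CHGAUT  OBJ('/www')          USER(QTMHHTTP QTMHHTP1) DTAAUT(*RX)
CHGAUT  OBJ('/www/myserver') USER(QTMHHTTP QTMHHTP1) DTAAUT(*RX)

/* 2. Configuration: the server job reads it; everyone else is excluded.        */
CHGAUT  OBJ('/www/myserver/conf') USER(QTMHHTTP) DTAAUT(*RX)      OBJAUT(*NONE) SUBTREE(*ALL)
CHGAUT  OBJ('/www/myserver/conf') USER(*PUBLIC)  DTAAUT(*EXCLUDE) OBJAUT(*NONE) SUBTREE(*ALL)

/* 3. Logs: the server job creates and appends to them; everyone else is        */
/*    excluded.  Repeat both commands for any other directory that the access,  */
/*    script or rewrite log directives point at.                                */
CHGAUT  OBJ('/www/myserver/logs') USER(QTMHHTTP) DTAAUT(*RWX)     OBJAUT(*NONE) SUBTREE(*ALL)
CHGAUT  OBJ('/www/myserver/logs') USER(*PUBLIC)  DTAAUT(*EXCLUDE) OBJAUT(*NONE) SUBTREE(*ALL)

/* 4. With *PUBLIC excluded, the Webmaster profile needs its own entry on both  */
/*    directories or the administration interface can no longer manage them.   */
CHGAUT  OBJ('/www/myserver/conf') USER(WEBADMIN) DTAAUT(*RWX) SUBTREE(*ALL)
CHGAUT  OBJ('/www/myserver/logs') USER(WEBADMIN) DTAAUT(*RWX) SUBTREE(*ALL)

/* 5. CGI: the CGI profile needs *RX on the program location, and the server    */
/*    profile needs *RWX on /tmp.  For CGI programs stored in a library, grant  */
/*    *USE on the *PGM object with GRTOBJAUT instead.                           */
CHGAUT  OBJ('/www/myserver/cgi-bin') USER(QTMHHTP1) DTAAUT(*RX) SUBTREE(*ALL)
CHGAUT  OBJ('/tmp') USER(QTMHHTTP) DTAAUT(*RWX)

/* 6. Verify: each directory should show exactly the entries set above.         */
DSPAUT  OBJ('/www/myserver/conf')
DSPAUT  OBJ('/www/myserver/logs')
```

<p>If the server is configured to swap to another user profile (see UserID), that profile needs the same *RX entries on the path and the content directories, and *RWX wherever it must write; the *PUBLIC *EXCLUDE entries are what make the explicit grants matter.</p>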
<p><strong>ASF Jakarta Tomcat</strong></p>
<ul><li><strong>out-of-process</strong>: The user profile configuring the out-of-process
ASF Tomcat is the owner of the configuration files that are created. This
user profile must have:<ul><li>*JOBCTL authority </li>
<li>*ALL authority to the file QUSRSYS/QATMHASFT </li>
<li>*CHANGE authority to the library object QUSRSYS </li>
</ul>
<p>After the configuring user profile creates a new ASF Tomcat server through
the <span>IBM<sup>®</sup> Web Administration for i5/OS™ interface</span>, it
typically holds the following authorities to the following directories and
files (not every entry is present in every configuration):</p>
<p>/tomcat_home/conf - execute authority<br />
/tomcat_home/conf/server.xml - read authority<br />
/tomcat_home/webapps - read, write, and execute authority<br />
/tomcat_home/webapps/app1 -  read and execute authority<br />
/tomcat_home/webapps/app1/WEB-INF - read and execute authority<br />
/tomcat_home/webapps/app1/WEB-INF/classes - read and execute authority<br />
/tomcat_home/webapps/app1/WEB-INF/lib - read and execute authority<br />
/tomcat_home/webapps/app1/WEB-INF/web.xml - read authority<br />
/tomcat_home/webapps/app1/*.jsp - read authority<br />
/tomcat_home/webapps/some_war_file.war - read authority <br />
/tomcat_home/webapps/ROOT - read and execute authority<br />
/tomcat_home/work - read, write, and execute authority<br />
/tomcat_home/logs - read, write, and execute authority<br />
/tomcat_home/java - execute authority<br />
/tomcat_home/Java/Java/lib - read and execute authority </p>
<p>In addition the configuration process creates the tomcat_home directory
with public execute authority. The default out-of-process tomcat_home directory
is <tt>/ASFTomcat/tomcat_server_name</tt>. If any of these directories existed
prior to the ASF Tomcat configuration process, then the previous authorities
are left unchanged. </p>
</li>
<li>The user profile used to start the out-of-process ASF Tomcat must have: <ul><li>*USE authority to the file QUSRSYS/QATMHASFT </li>
<li>*USE authority to the profile associated with the server user profile
(this is QTMHHTTP by default) </li>
<li>*IOSYSCFG special authority </li>
</ul>
</li>
<li>By default the user profile that the out-of-process ASF Tomcat runs under
is the QTMHHTTP user profile, but you can configure this to be another user
profile. <p>This user profile must have *USE authority to the file QUSRSYS/QATMHASFT. </p>
<p>This
user profile must NOT have the following:</p>
<ul><li>*SECADM authority </li>
<li>*ALLOBJ authority (if the system is at security level 30 or greater). </li>
</ul>
</li>
<li><strong>in-process</strong>: in-process ASF Tomcat configurations have the following
authority considerations: <p>After a new ASF Tomcat is created through the <span>IBM Web Administration for i5/OS interface</span>,
the server user profile (QTMHHTTP) typically holds the following authorities to
the following directories and files (not every entry is present in every
configuration): </p>
<p>/tomcat_home/conf - execute authority<br />
/tomcat_home/conf/server.xml - read authority<br />
/tomcat_home/conf/workers.properties - read authority<br />
/tomcat_home/webapps - read, write, and execute authority<br />
/tomcat_home/webapps/app1 - read and execute authority<br />
/tomcat_home/webapps/app1/WEB-INF - read and execute authority<br />
/tomcat_home/webapps/app1/WEB-INF/classes - read and execute authority<br />
/tomcat_home/webapps/app1/WEB-INF/lib - read and execute authority<br />
/tomcat_home/webapps/app1/WEB-INF/web.xml - read authority<br />
/tomcat_home/webapps/app1/*.jsp - read authority<br />
/tomcat_home/webapps/some_war_file.war - read authority <br />
/tomcat_home/webapps/ROOT - read and execute authority<br />
/tomcat_home/work - read, write, and execute authority<br />
/tomcat_home/logs - read, write, and execute authority<br />
/tomcat_home/Java - execute authority<br />
/tomcat_home/Java/lib - read and execute authority </p>
</li>
<li>In addition the configuration process creates the tomcat_home directory
with public execute authority. The default in-process tomcat_home directory
is <tt>/www/server_name/</tt>. </li>
<li>When running JSPs on an in-process ASF Tomcat, the server administrator
should precompile the JSPs under the configured profile for that server, so
that the Java™ source and .class files produced by JSP compilation are owned
by that profile. Otherwise the first request for a JSP triggers compilation
under whichever user profile HTTP Server has swapped to, and that profile
becomes the owner of the resulting Java and .class files. </li>
</ul>
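<p>The restriction above (no *SECADM, and no *ALLOBJ at security level 30 or greater, on the profile the out-of-process ASF Tomcat runs under), together with the earlier notes against *ALLOBJ on the Webmaster and server user profiles, can be checked before a server is started. The CL program below is an added example, not part of HTTP Server or ASF Tomcat; the library MYLIB and the program name CHKSVRPRF are assumptions. It retrieves the profile's special authorities with RTVUSRPRF and the QSECURITY system value with RTVSYSVAL, walks the fixed-width SPCAUT list, and ends with an escape message when the profile is unsuitable, so a start job that calls it stops before STRTCPSVR.</p>

```cl
/* CHKSVRPRF: added example, not from HTTP Server or ASF Tomcat.  Signals an    */
/* escape message when the named profile holds *SECADM, or *ALLOBJ while        */
/* QSECURITY is 30 or higher.  Source member CHKSVRPRF in MYLIB/QCLSRC (both    */
/* assumed):                                                                    */
/*   CRTCLPGM PGM(MYLIB/CHKSVRPRF) SRCFILE(MYLIB/QCLSRC)                        */
/*   CALL PGM(MYLIB/CHKSVRPRF) PARM(QTMHHTTP)                                   */
PGM        PARM(&USRPRF)
  DCL      VAR(&USRPRF) TYPE(*CHAR) LEN(10)
  DCL      VAR(&SPCAUT) TYPE(*CHAR) LEN(150)  /* 15 slots of 10 characters */
  DCL      VAR(&SLOT)   TYPE(*CHAR) LEN(10)
  DCL      VAR(&SECLVL) TYPE(*CHAR) LEN(2)
  DCL      VAR(&POS)    TYPE(*DEC)  LEN(3 0) VALUE(1)
  DCL      VAR(&BAD)    TYPE(*CHAR) LEN(20)  VALUE(' ')

  RTVSYSVAL  SYSVAL(QSECURITY) RTNVAR(&SECLVL)
  RTVUSRPRF  USRPRF(&USRPRF) SPCAUT(&SPCAUT)
  MONMSG     MSGID(CPF2204 CPF2217) EXEC(DO)   /* not found / not authorized */
    SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
               MSGDTA('Cannot retrieve user profile' *BCAT &USRPRF)
  ENDDO

  /* Walk the 15 fixed-width slots of the SPCAUT list. */
NEXTSLOT:  IF  COND(&POS *GT 141) THEN(GOTO CMDLBL(CHECKED))
  CHGVAR   VAR(&SLOT) VALUE(%SST(&SPCAUT &POS 10))
  IF       COND(&SLOT *EQ '*SECADM') +
             THEN(CHGVAR VAR(&BAD) VALUE(&BAD *BCAT '*SECADM'))
  /* *ALLOBJ only disqualifies the profile at security level 30 or above. */
  IF       COND((&SLOT *EQ '*ALLOBJ') *AND (&SECLVL *GE '30')) +
             THEN(CHGVAR VAR(&BAD) VALUE(&BAD *BCAT '*ALLOBJ'))
  CHGVAR   VAR(&POS) VALUE(&POS + 10)
  GOTO     CMDLBL(NEXTSLOT)

CHECKED:   IF  COND(&BAD *NE ' ') THEN(DO)
    SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
               MSGDTA('Profile' *BCAT &USRPRF *BCAT +
                      'must not run the server; it has' *TCAT &BAD)
  ENDDO
  SNDPGMMSG  MSG('Profile' *BCAT &USRPRF *BCAT +
                 'has no *SECADM or *ALLOBJ; acceptable as a server profile')
ENDPGM
```

<p>Called with QTMHHTTP, or with whatever profile the server has been configured to run under, the program returns normally when the profile is acceptable and fails with CPF9898 otherwise, so a CL start job can simply monitor for that message and skip STRTCPSVR.</p>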
<p>The Java virtual machine (JVM) used to run in-process and out-of-process
ASF Tomcat is by default set up to assign Public execute authority to any
new IFS directories that are created and Public exclude authority to any new
IFS files that are created by Java code running within the JVM.</p>
<p>If any of these directories existed prior to the ASF Tomcat configuration
process, then the previous authorities are left unchanged.</p>
<p>See <a href="../rbapk/rbapkpart.htm">Basic
system security and planning</a> for more information on how to work with
authorities.</p>
</div>
</div>
</body>
</html>