User profiles and required authorities for HTTP Server

Webmaster user profile

The Webmaster user profile must have read, write, and execute authority to the directory path of the server root directory. This is necessary because the HTTP Administration server swaps to the Webmaster user profile during configuration and administration. If you are using the Create New HTTP Server wizard, the default server root path is /www/server_name/, where server_name is the name of HTTP Server.

If there are directories in the path which already exist, the Webmaster user profile must have read, write, and execute authority to those directories prior to executing the Create New HTTP Server wizard. Note that directory www already exists when the product is shipped. If you plan to use the default server root path of the Create New HTTP Server wizard then the authority to directory www will need to be changed prior to executing the wizard.

The Webmaster user profile must have the following authorities to perform configuration and administration tasks:

• *IOSYSCFG special authority
• *SERVICE special authority if you plan to use the trace TCP application (TRCTCPAPP) function
• *CHANGE authority to the library object QUSRSYS
• *ALL authority to the following objects:
  • QUSRSYS/QATMHINSTA
  • QUSRSYS/QATMHINSTC
• *USE authority for the following command objects:
  • CRTVLDL
  • STRTCPSVR
  • ENDTCPSVR
• *RX authority for root directory ("/ ") and directory "/www", including all subdirectories in the path
• *RWX authority for directory "/www/server_name/"

If the QPWFSERVER authorization list contains an entry that restricts *PUBLIC access to *EXCLUDE, and one of the authorization list objects is QSYS.LIB, an entry must be created to grant the webmaster profile *CHANGE authority, Use the "DSPAUTL AUTL(QPWFSERVER)" command to display the authorization list. The "ADDAUTLE AUTL(QPWFSERVER) USER(<webmaster>) AUT(*CHANGE)" command can be used to grant the appropriate authority.

Server user profiles

The QTMHHTTP user profile is the default user profile of HTTP Server. This user profile is referred to as the server user profile. The server user profile must have read and execute authority to the directory path of the server root directory. If you are using the Create New HTTP Server wizard, the default server root path is /www/server_name/, where server_name is the name of the HTTP Server (powered by Apache).

The server user profile must have read, write, and execute authority to the directory path where the log files are stored. If you are using the Create New HTTP Server wizard, the default path is /www/server_name/logs/, where server_name is the name of the HTTP Server (powered by Apache). The log files could include any access, script, or rewrite logs. These logs may or may not be configured to be stored in the /www/server_name/logs/ directory. Since log files could potentially contain sensitive information, the security of the configuration and log files should be fully considered. The path of the configuration and log files should only be accessible by the appropriate user profiles.

The QTMHTTP1 user profile is the default user profile that HTTP Server uses when running CGI programs. This user profile must have read and execute authority to the location of any CGI program. User QTMHHTTP requires *RWX (write) authority to directory '/tmp'.

You can optionally specify that the QTMHHTTP or QTMHHTP1 user profile swap to another user profile as long as that user profile has the required authorities. For more information, see UserID.

• *RX authority for root directory ("/ ") and directory "/www", including all subdirectories in the path
• *RWX authority for directory "/www/server_name/"

ASF Jakarta Tomcat

• out-of-process: The user profile configuring the out-of-process ASF Tomcat is the owner of the configuration files that are created. This user profile must have:
  • *JOBCTL authority
  • *ALL authority to the file QUSRSYS/QATMHASFT
  • *CHANGE authority to the library object QUSRSYS

  This configured user profile can, but will not necessarily, have the following directories (with the given authorities) after going through the IBM^® Web Administration for i5/OS™ interface to create a new ASF Tomcat server.

  /tomcat_home/conf - execute authority
  /tomcat_home/conf/server.xml - read authority
  /tomcat_home/webapps - read, write, and execute authority
  /tomcat_home/webapps/app1 -  read and execute authority
  /tomcat_home/webapps/app1/WEB-INF - read and execute authority
  /tomcat_home/webapps/app1/WEB-INF/classes - read and execute authority
  /tomcat_home/webapps/app1/WEB-INF/lib - read and execute authority
  /tomcat_home/webapps/app1/WEB-INF/web.xml - read authority
  /tomcat_home/webapps/app1/*.jsp - read authority
  /tomcat_home/webapps/some_war_file.war - read authority
  /tomcat_home/webapps/ROOT - read and execute authority
  /tomcat_home/work - read, write, and execute authority
  /tomcat_home/logs - read, write, and execute authority
  /tomcat_home/java - execute authority
  /tomcat_home/Java/Java/lib - read and execute authority

  In addition the configuration process creates the tomcat_home directory with public execute authority. The default out-of-process tomcat_home directory is /ASFTomcat/tomcat_server_name. If any of these directories existed prior to the ASF Tomcat configuration process, then the previous authorities are left unchanged.

• The user profile used to start the out-of-process ASF Tomcat must have:
  • *USE authority to the file QUSRSYS/QATMHASFT
  • *USE authority to the profile associated with the server user profile (this is QTMHHTTP by default)
  • *IOSYSCFG special authority
• By default the user profile that the out-of-process ASF Tomcat runs under is the QTMHHTTP user profile, but you can configure this to be another user profile.

  This user profile must have *USE authority to the file QUSRSYS/QATMHASFT.

  This user profile must NOT have the following:

  • *SECADM authority
  • *ALLOBJ authority (if the system is at security level 30 or greater).
• in-process: in-process ASF Tomcat configurations have the following authority considerations:

  The server user profile (QTMHHTTP) can but will not necessarily have all of the following directories with the given authorities after going through the IBM Web Administration for i5/OS interface to create a new ASF Tomcat.

  /tomcat_home/conf - execute authority
  /tomcat_home/conf/server.xml - read authority
  /tomcat_home/conf/workers.properties - read authority
  /tomcat_home/webapps - read, write, and execute authority
  /tomcat_home/webapps/app1 - read and execute authority
  /tomcat_home/webapps/app1/WEB-INF - read and execute authority
  /tomcat_home/webapps/app1/WEB-INF/classes - read and execute authority
  /tomcat_home/webapps/app1/WEB-INF/lib - read and execute authority
  /tomcat_home/webapps/app1/WEB-INF/web.xml - read authority
  /tomcat_home/webapps/app1/*.jsp - read authority
  /tomcat_home/webapps/some_war_file.war - read authority
  /tomcat_home/webapps/ROOT - read and execute authority
  /tomcat_home/work - read, write, and execute authority
  /tomcat_home/logs - read, write, and execute authority
  /tomcat_home/Java - execute authority
  /tomcat_home/Java/lib - read and execute authority

• In addition the configuration process creates the tomcat_home directory with public execute authority. The default in-process tomcat_home directory is /www/server_name/.
• When running JSPs on an in-process ASF Tomcat, in order to assure that the Java™ and .class files resulting from the compilation process of a JSP are owned by the configured profile for that server, the JSPs should be precompiled by the server administrator under that configured profile. This will assure users swapped to by HTTP Server are not the first to cause the JSP to be compiled and thus become the owners of the Java and Class files that result.

The Java virtual machine (JVM) used to run in-process and out-of-process ASF Tomcat is by default set up to assign Public execute authority to any new IFS directories that are created and Public exclude authority to any new IFS files that are created by Java code running within the JVM.

If any of these directories existed prior to the ASF Tomcat configuration process, then the previous authorities are left unchanged.

See Basic system security and planning for more information on how to work with authorities.