Security considerations

This topic provides information about iSeries™ Access for Web security considerations.

Authentication

iSeries Access for Web needs to have the user identity authenticated so that i5/OS™ resources are accessed with the correct user profile. The methods of authenticating the user identity are different for the Web application and the portal application.

Web application
The Web application can be configured either to authenticate users itself or to let WebSphere® authenticate them.

When the Web application authenticates the user identity itself, it does so against i5/OS using a user profile and password. HTTP basic authentication is used to prompt for the user profile and password. HTTP basic authentication only Base64-encodes the user profile and password; it does not encrypt them, so anyone who can observe the connection can recover them. To protect authentication information during transmission, secure HTTP (HTTPS) should be used.

When WebSphere authenticates the user identity, it does so against the active user registry. WebSphere uses HTTP basic authentication or form-based authentication to prompt for the user ID and password. HTTP basic authentication only Base64-encodes the user ID and password; it does not encrypt them. Form-based authentication sends the user ID and password in clear text in the request body. In both cases, secure HTTP (HTTPS) should be used to protect authentication information during transmission.
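The two paragraphs above make the same point for both mechanisms: without HTTPS, the credentials are readable by anyone on the path. The following added example (not part of the original topic or of the iSeries Access for Web product) shows this concretely by recovering the user ID and password from two constructed plaintext HTTP requests, one using HTTP basic authentication and one using a WebSphere form login. The request paths are assumptions; the j_security_check, j_username and j_password names are the standard Java EE form-login names that WebSphere form-based authentication uses.

```python
import base64
import binascii
from urllib.parse import parse_qs

# Constructed sample requests (not real captures). The /webaccess/... paths
# are assumptions standing in for iSeries Access for Web URLs; the form
# field names are the standard Java EE form-login names.
BASIC_AUTH_REQUEST = (
    "GET /webaccess/iWAHome HTTP/1.1\r\n"
    "Host: myiseries.example.com\r\n"
    "Authorization: Basic cXVzZXI6c2VjcmV0cGFzcw==\r\n"
    "\r\n"
)

FORM_LOGIN_REQUEST = (
    "POST /webaccess/j_security_check HTTP/1.1\r\n"
    "Host: myiseries.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 38\r\n"
    "\r\n"
    "j_username=quser&j_password=secretpass"
)


def split_request(raw):
    """Split a raw HTTP/1.1 request into (request line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def credentials_from_basic(headers):
    """Recover user and password from an HTTP Basic Authorization header.

    Base64 is an encoding, not encryption: the header is reversed without
    any key. Returns None if the header is absent or malformed.
    """
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


def credentials_from_form(headers, body):
    """Recover user and password from a form-login POST body.

    Form-based authentication sends the fields exactly as typed; only the
    transport (HTTPS) can hide them.
    """
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return None
    fields = parse_qs(body)
    if "j_username" not in fields or "j_password" not in fields:
        return None
    return fields["j_username"][0], fields["j_password"][0]


def recover_credentials(raw):
    """Return (mechanism, user, password) exposed by a plaintext request, or None."""
    _, headers, body = split_request(raw)
    creds = credentials_from_basic(headers)
    if creds:
        return ("basic",) + creds
    creds = credentials_from_form(headers, body)
    if creds:
        return ("form",) + creds
    return None


if __name__ == "__main__":
    for raw in (BASIC_AUTH_REQUEST, FORM_LOGIN_REQUEST):
        print(recover_credentials(raw))
```

Both requests yield the same user profile and password with nothing more than a Base64 decode or a form parse. Serving the application over HTTPS encrypts the whole request, including the Authorization header and the POST body, which is why the topic requires it for either authentication method.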

Allowing WebSphere to authenticate the user identity using form-based authentication enables the Web application to participate in WebSphere single sign-on (SSO) environments.

Once WebSphere has authenticated the user identity, the Web application uses Enterprise Identity Mapping (EIM) to map the authenticated WebSphere user identity to an i5/OS user identity.

For information on iSeries Access for Web and EIM, see the "Single sign-on considerations" topic.

For information on WebSphere single sign-on, see "Configure single sign-on" in the appropriate version of the WebSphere Information Center. Links to the WebSphere Information Centers are in the IBM® WebSphere Application Server documentation.

Portal application
The portal application relies on the portal server to authenticate the user identity.
Once the portal server has authenticated the user identity, the iSeries Access portlets can be used. Each portlet provides an option in edit mode for selecting the credential to use when accessing i5/OS resources. Select one of these options:
Use credential specific to this portlet window
An i5/OS user profile and password are supplied for this portlet instance. This credential cannot be used by other portal users or by other portlet instances of the current portal user.
Use credential set with iSeries Credentials portlet
An i5/OS user profile and password are selected from a list of credentials that were defined using the iSeries Credentials portlet. This credential can be used by other portlet instances of the current portal user, but cannot be used by other portal users.
Use system shared credential set by administrator
An i5/OS user profile and password are selected from a list of credentials that were defined by the portal administrator using the Credentials Vault administration function. This credential can be used by all portal users, so the chosen user profile should carry only the authority those users are meant to have.
Use authenticated WebSphere credential
The authenticated portal environment user identity is mapped to an i5/OS user identity using EIM. For information about iSeries Access for Web and EIM, see the "Single sign-on considerations" topic.

For information about how WebSphere Portal authenticates the user identity, see Securing your portal > Security Concepts > Authentication in the WebSphere Portal Information Center.

Restricting access to functions

Users can be restricted from accessing iSeries Access for Web functions. Different methods of restricting access are used in the Web application and the portal application.

For information on restricting access to functions for the Web application, see the "Policies" topic.

For information on restricting access to functions for the portal application, see the "Portal roles" topic.

Object level security

iSeries Access for Web relies on i5/OS object level security when accessing i5/OS resources. Users cannot access an i5/OS resource unless the i5/OS user profile under which the request runs has the proper authority to that object; the Web and portal applications do not add authority of their own.

Secure HTTP (HTTPS)

You can configure the iSeries server to use a security protocol, Secure Sockets Layer (SSL), or its successor Transport Layer Security (TLS), for data encryption and client/server authentication. For information about SSL, HTTPS, and digital certificates, see the following:

Exit programs

iSeries Access for Web makes extensive use of the following Host Servers:

Exit programs that restrict access to these servers, especially the Remote Command/Program Call server, will cause all or part of iSeries Access for Web to stop working. When an exit program is in place, confirm that it permits the user profiles and requests that iSeries Access for Web issues on behalf of its users.

Related concepts
Browser considerations
Policies
Portal roles
Related information
Digital Certificate Manager (DCM)