This scenario discusses how to add password protection.
Important: Information for this topic supports the latest PTF levels for
HTTP Server for i5/OS. It is recommended that you install the latest PTFs
to upgrade to the latest level of the HTTP Server for i5/OS. Some of the
topics documented here are not available prior to this update. See
http://www.ibm.com/servers/eserver/iseries/software/http/services/service.htm for more information.
Scenario
The JKL Toy Company (a fictitious company)
wants to protect a set of Web pages on its Web site so that they can only
be viewed by visitors that have a password. In order to add password protection,
JKL needs to decide what type of authentication method to use:
- Internet user - requires an entry in a validation list.
- User profile - requires an iSeries™ server user profile.
- LDAP - requires an LDAP server.
JKL Toy Company chooses to use Internet users for the following reasons:
- User profiles are not desirable since JKL does not want to create a user
profile for each authenticated visitor to the Web site.
- Since JKL only wants to implement authentication on one iSeries, validation
lists will be used. LDAP is a better solution for multiple systems.
The Web page content to be protected is in the preexisting directory /www/jkltest/profiles/.
Visitors' user names and passwords will be stored in a new validation list
called users in library PROFILES. The first user name that we
will enter is sjones with a password of dragon102.
Create a library for validation lists on your iSeries
Skip the following steps if you will be using an existing library on your
iSeries for your validation list.
- Start a 5250 session on your iSeries.
- Enter CRTLIB on the command line.
- Press the F4 key to prompt for additional parameters.
- Enter a name for your library in the Library field.
Example: PROFILES
- Optional: Edit the remaining fields as necessary or accept the
default values.
- Press the Enter key (or equivalent) to create your library.
Make sure the proper authorities and restrictions you want on the
library are active before continuing.
Start the IBM® Web Administration for i5/OS™ interface
- Start a Web browser.
- Enter http://[iSeries_hostname]:2001 in the location or URL field.
Example: http://jkl_server:2001
- Click IBM HTTP Server for iSeries.
Set up password protection for a directory on HTTP Server (powered by Apache)
- Click the Manage tab.
- Click the HTTP Servers subtab.
- Select your HTTP Server (powered by Apache) from the Server list.
Example: JKLTEST
- Select Directory /www/[server_name]/[new_directory]/ from the Server
area list.
Example: /www/jkltest/profiles/
- Expand Server Properties.
- Click Security.
- Click the Authentication tab in the form.
- Select Use Internet users in validation lists.
- Enter a descriptive name in the Authentication name or realm field.
Example: JKL Employee Profiles
Note: When users attempt to access a password protected
resource, they are challenged for a username and password. The Authentication
name or realm value is displayed in the login window, and should provide
information regarding the resource the user is attempting to access.
- Click Add under Validation lists table.
- Enter [library]/[validation_list_name].
Example: profiles/users
Note: In the above example, profiles is the name of the iSeries library
and users is the name of the validation list.
- Click Continue.
- Select Default server profile from the OS/400® user profile to process requests list
under Related information. When selected, the value %%SERVER%% will
be placed in the field.
- Click Apply.
- Click the Control Access tab in the form.
- Select All authenticated users (valid user name and password) under Control
access based on who is making the requests.
- Click OK.
Create a validation list for HTTP Server (powered by Apache)
- Click the Advanced tab.
- Click the Internet Users and Groups subtab.
- Expand Internet Users and Groups.
- Click Add Internet User.
- Enter [username] into the User name field.
Example: sjones
- Enter [password] into the Password field.
Example: dragon102
- Enter the same password in the Confirm password field.
- Optional: Enter comments for this Internet user.
- Enter [library]/[validation_list_name] in the Validation list field.
Example: profiles/users
Note: In the above example, profiles is the name of the library and
users is the name of the validation list.
- Click Apply.
Restart your HTTP Server (powered by Apache)
Select one of the following methods:
Manage one server
- Click the Manage tab.
- Click the HTTP Servers subtab.
- Select your HTTP Server from the Server list.
- Click the Stop icon if the server is running.
- Click the Start icon.
Manage all servers
- Click the Manage tab.
- Click the HTTP Servers subtab.
- Select All Servers from the Server list.
- Click the All HTTP Servers tab.
- Select your HTTP Server name in the table.
Example: JKLTEST
- Click Stop if the server is running.
- Click Start.
Note: If your HTTP Server (powered by Apache) does not start, see
Troubleshoot.
Test your HTTP Server (powered by Apache)
- Open a new Web browser.
- Enter http://[iSeries_hostname]:[port]/[new_directory_alias]/ in
the location or URL field.
Example: http://jkl_server:1975/profiles/
- Enter the username and password you created.
You will be asked to provide a valid username and password. Enter
the username and password you entered in the validation list. It is suggested
that you limit *PUBLIC authority, but allow authority to the Web administrator
user and QTMHHTTP.
View your HTTP Server (powered by Apache) configuration
Your configuration will look similar to the following if you used the
example values given in this and previous examples.
- Click the Manage tab.
- Click the HTTP Servers subtab.
- Select your HTTP Server (powered by Apache) from the Server list.
Example: JKLTEST
- Expand Tools.
- Click Display Configuration File.
Alias /profiles/ /www/jkltest/profiles/
Listen *:1975
DocumentRoot /www/jkltest/htdocs
ServerRoot /www/jkltest
Options -ExecCGI -FollowSymLinks -SymLinksIfOwnerMatch -Includes -IncludesNoExec -Indexes -MultiViews
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{Cookie}n \"%r\" %t" cookie
LogFormat "%{User-agent}i" agent
LogFormat "%{Referer}i -> %U" referer
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog logs/access_log combined
SetEnvIf "User-Agent" "Mozilla/2" nokeepalive
SetEnvIf "User-Agent" "JDK/1\.0" force-response-1.0
SetEnvIf "User-Agent" "Java/1\.0" force-response-1.0
SetEnvIf "User-Agent" "RealPlayer 4\.0" force-response-1.0
SetEnvIf "User-Agent" "MSIE 4\.0b2;" nokeepalive
SetEnvIf "User-Agent" "MSIE 4\.0b2;" force-response-1.0
<Directory />
Order Deny,Allow
Deny From all
</Directory>
<Directory /www/jkltest/profiles>
Order Allow,Deny
Allow From all
Require valid-user
PasswdFile profiles/users
UserID %%SERVER%%
AuthType Basic
AuthName "JKL Employee Profiles"
</Directory>
<Directory /www/jkltest/htdocs>
Order Allow,Deny
Allow From all
</Directory>
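
Which URLs this configuration actually places behind the password prompt can be checked offline. The following is an added example, not IBM's code and not part of the original scenario: it resolves a URL path through Alias and DocumentRoot, then merges the matching Directory containers from shortest to longest path. The names CONF, BLOCK, directories and auth_for are hypothetical, and the merge is a simplified model of how the server combines Directory containers.

```python
import re

# Constructed sample: the access-control lines of the configuration listing above.
CONF = """\
Alias /profiles/ /www/jkltest/profiles/
DocumentRoot /www/jkltest/htdocs
<Directory />
Order Deny,Allow
Deny From all
</Directory>
<Directory /www/jkltest/profiles>
Order Allow,Deny
Allow From all
Require valid-user
PasswdFile profiles/users
UserID %%SERVER%%
AuthType Basic
AuthName "JKL Employee Profiles"
</Directory>
<Directory /www/jkltest/htdocs>
Order Allow,Deny
Allow From all
</Directory>
"""
BLOCK = re.compile(r"<Directory\s+(\S+)>(.*?)</Directory>", re.S | re.I)

def directories(conf):
    """Map each <Directory> path to its directives (names lower-cased)."""
    out = {}
    for path, body in BLOCK.findall(conf):
        pairs = (ln.strip().partition(" ") for ln in body.splitlines() if ln.strip())
        out.setdefault(path.rstrip("/") or "/", {}).update(
            {name.lower(): value.strip().strip('"') for name, _, value in pairs})
    return out

def auth_for(url_path, conf=CONF):
    """Return the auth directives in effect for a URL path; {} means no password."""
    aliases = re.findall(r"^Alias\s+(\S+)\s+(\S+)", conf, re.M | re.I)
    docroot = re.search(r"^DocumentRoot\s+(\S+)", conf, re.M | re.I).group(1)
    target = next((t + url_path[len(p):] for p, t in aliases if url_path.startswith(p)),
                  docroot + url_path)
    merged, dirs = {}, directories(conf)
    for d in sorted(dirs, key=len):  # shortest first, so deeper containers override
        if d == "/" or (target + "/").startswith(d + "/"):
            merged.update(dirs[d])
    wanted = ("require", "authtype", "authname", "passwdfile")
    return {k: merged[k] for k in wanted if k in merged}
```

Calling auth_for("/profiles/") returns the realm and validation list from the protected container, while auth_for("/index.html") returns an empty dictionary because only the unprotected htdocs container applies.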