User profiles and required authorities for HTTP Server

This topic provides information about user profiles and required authorities for the HTTP Server.

Important: Information for this topic supports the latest PTF levels for HTTP Server for i5/OS. It is recommended that you install the latest PTFs to upgrade to the latest level of the HTTP Server for i5/OS. Some of the topics documented here are not available prior to this update. See http://www.ibm.com/servers/eserver/iseries/software/http/services/service.htm for more information.

User profiles and required authorities for HTTP Server (powered by Apache)

Webmaster user profile

The Webmaster user profile must have read, write, and execute authority to the directory path of the server root directory. This is necessary because the HTTP Administration server swaps to the Webmaster user profile during configuration and administration. If you are using the Create New HTTP Server wizard, the default server root path is /www/server_name/, where server_name is the name of HTTP Server.

If any directories in the path already exist, the Webmaster user profile must have read, write, and execute authority to those directories before you run the Create New HTTP Server wizard. Note that directory www already exists when the product is shipped. If you plan to use the default server root path of the Create New HTTP Server wizard, the authority to directory www must be changed before you run the wizard.

The Webmaster user profile must have the following authorities to perform configuration and administration tasks:

If the QPWFSERVER authorization list contains an entry that restricts *PUBLIC access to *EXCLUDE, and one of the authorization list objects is QSYS.LIB, an entry must be created to grant the Webmaster profile *CHANGE authority. Use the "DSPAUTL AUTL(QPWFSERVER)" command to display the authorization list. The "ADDAUTLE AUTL(QPWFSERVER) USER(<webmaster>) AUT(*CHANGE)" command can be used to grant the appropriate authority.

Note: Granting *ALLOBJ authority to the Webmaster user profile is not recommended. Using the QSECOFR user profile as the Webmaster user profile is not recommended.

Server user profiles

The QTMHHTTP user profile is the default user profile of HTTP Server. This user profile is referred to as the server user profile. The server user profile must have read and execute authority to the directory path of the server root directory. If you are using the Create New HTTP Server wizard, the default server root path is /www/server_name/, where server_name is the name of the HTTP Server (powered by Apache).

The server user profile must have read, write, and execute authority to the directory path where the log files are stored. If you are using the Create New HTTP Server wizard, the default path is /www/server_name/logs/, where server_name is the name of the HTTP Server (powered by Apache). The log files could include any access, script, or rewrite logs. These logs may or may not be configured to be stored in the /www/server_name/logs/ directory. Since log files could potentially contain sensitive information, the security of the configuration and log files should be fully considered. The path of the configuration and log files should only be accessible by the appropriate user profiles.

The QTMHHTP1 user profile is the default user profile that HTTP Server uses when running CGI programs. This user profile must have read and execute authority to the location of any CGI program. User QTMHHTTP requires *RWX (write) authority to directory '/tmp'.

You can optionally specify that the QTMHHTTP or QTMHHTP1 user profile swap to another user profile as long as that user profile has the required authorities. For more information, see UserID.

Note: Granting *ALLOBJ authority to any server user profile is not recommended.
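
The following CL commands are an added example, not part of the original IBM topic, showing one way to grant the directory authorities described above for the Webmaster and server user profiles without using *ALLOBJ. The profile name WEBADMIN, the server name myserver, and the cgi-bin location are assumptions; substitute your own values.

```cl
/* Added example. Assumed names (not from the original topic):       */
/*   WEBADMIN = the Webmaster user profile                            */
/*   myserver = server_name used in the Create New HTTP Server wizard */
/*   /www/myserver/cgi-bin = location of CGI programs                 */

/* Before running the wizard: www already exists when the product is  */
/* shipped, so the Webmaster profile needs *RWX on it first.          */
CHGAUT OBJ('/www') USER(WEBADMIN) DTAAUT(*RWX)

/* After the wizard has created the server root:                      */
/* Webmaster profile: read, write, execute on server root and logs.   */
CHGAUT OBJ('/www/myserver') USER(WEBADMIN) DTAAUT(*RWX)
CHGAUT OBJ('/www/myserver/logs') USER(WEBADMIN) DTAAUT(*RWX)

/* Server user profile QTMHHTTP: read and execute along the path of   */
/* the server root; read, write, execute on the log directory and     */
/* on /tmp.                                                           */
CHGAUT OBJ('/www') USER(QTMHHTTP) DTAAUT(*RX)
CHGAUT OBJ('/www/myserver') USER(QTMHHTTP) DTAAUT(*RX)
CHGAUT OBJ('/www/myserver/logs') USER(QTMHHTTP) DTAAUT(*RWX)
CHGAUT OBJ('/tmp') USER(QTMHHTTP) DTAAUT(*RWX)

/* CGI user profile QTMHHTP1: read and execute on the CGI location.   */
CHGAUT OBJ('/www/myserver/cgi-bin') USER(QTMHHTP1) DTAAUT(*RX)

/* Log files can contain sensitive data: exclude *PUBLIC so only the  */
/* profiles granted above can reach the log directory.                */
CHGAUT OBJ('/www/myserver/logs') USER(*PUBLIC) DTAAUT(*EXCLUDE) OBJAUT(*NONE)

/* Review the resulting authorities.                                  */
DSPAUT OBJ('/www/myserver')
DSPAUT OBJ('/www/myserver/logs')
```

If access, script, or rewrite logs are configured to a directory other than /www/server_name/logs/, apply the same log-directory authorities there.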

ASF Jakarta Tomcat

The Java virtual machine (JVM) used to run in-process and out-of-process ASF Tomcat is by default set up to assign Public execute authority to any new IFS directories that are created and Public exclude authority to any new IFS files that are created by Java code running within the JVM.

If any of these directories existed prior to the ASF Tomcat configuration process, then the previous authorities are left unchanged.

See Basic system security and planning for more information on how to work with authorities.