<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="topic" />
<meta name="DC.Title" content="User profiles and required authorities for HTTP Server" />
<meta name="abstract" content="This topic provides information about user profiles and required authorities for the HTTP Server." />
<meta name="description" content="This topic provides information about user profiles and required authorities for the HTTP Server." />
<meta name="DC.Relation" scheme="URI" content="rzaieconcepts.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2002,2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002,2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzaiesetauth" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>User profiles and required authorities for HTTP Server</title>
</head>
<body id="rzaiesetauth"><a name="rzaiesetauth"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">User profiles and required authorities for HTTP Server</h1>
|
||
<div><p>This topic describes the user profiles used by the HTTP Server and the
authorities each of them requires.</p>
<div class="important"><span class="importanttitle">Important:</span> Information
for this topic supports the latest PTF levels for HTTP Server for i5/OS.
It is recommended that you install the latest PTFs to upgrade to the latest
level of the HTTP Server for i5/OS. Some of the functions documented here are
not available prior to this update. See <a href="http://www-03.ibm.com/servers/eserver/iseries/software/http/services/service.html" target="_blank">http://www.ibm.com/servers/eserver/iseries/software/http/services/service.htm</a> <img src="www.gif" alt="Link outside Information Center" /> for more information. </div>
</div>
|
||
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaieconcepts.htm" title="This topic provides concepts of functions on HTTP Server and IBM Web Administration for i5/OS interface.">Concepts of functions of HTTP Server</a></div>
</div>
</div><div class="nested1" id="pba"><a name="pba"><!-- --></a><h2 class="topictitle2">User profiles and required authorities for HTTP Server (powered by
Apache) </h2>
|
||
<div><p><strong>Webmaster user profile</strong></p>
<p>The Webmaster user profile must have read, write, and execute authority
to the directory path of the server root directory. This is necessary because
the HTTP Administration server swaps to the Webmaster user profile during
configuration and administration. If you are using the <strong>Create New HTTP
Server wizard</strong>, the default server root path is <tt>/www/server_name/</tt>,
where server_name is the name of the HTTP Server. </p>
<p>If directories in that path already exist, the Webmaster user profile
must have read, write, and execute authority to those directories before you
run the <strong>Create New HTTP Server wizard</strong>. Note that directory <em>www</em> already
exists when the product is shipped, so if you plan to use the default server
root path of the <strong>Create New HTTP Server wizard</strong>, the authority to
directory <em>www</em> must be changed before you run the wizard. </p>
<p>The Webmaster user profile must have the following authorities to perform
configuration and administration tasks: </p>
<ul><li>*IOSYSCFG special authority </li>
<li>*SERVICE special authority if you plan to use the trace TCP application
(TRCTCPAPP) function </li>
<li>*CHANGE authority to the library object QUSRSYS </li>
<li>*ALL authority to the following objects:<ul><li>QUSRSYS/QATMHINSTA </li>
<li>QUSRSYS/QATMHINSTC </li>
</ul>
</li>
<li>*USE authority for the following command objects: <ul><li>CRTVLDL </li>
<li>STRTCPSVR </li>
<li>ENDTCPSVR </li>
</ul>
</li>
<li>*RX authority for the root directory ("<tt>/</tt>") and directory "<tt>/www</tt>",
including all subdirectories in the path</li>
<li>*RWX authority for directory "<tt>/www/server_name/</tt>"</li>
</ul>
|
||
<p>If the QPWFSERVER authorization list restricts *PUBLIC access to *EXCLUDE,
and QSYS.LIB is one of the objects secured by that authorization list,
an entry must be created that grants the Webmaster profile *CHANGE authority.
Use the "DSPAUTL AUTL(QPWFSERVER)" command to display the authorization list.
The "ADDAUTLE AUTL(QPWFSERVER) USER(&lt;webmaster&gt;) AUT(*CHANGE)" command
can be used to grant the appropriate authority.</p>
<div class="note"><span class="notetitle">Note:</span> Granting *ALLOBJ authority to the Webmaster user profile is not recommended.
Using the QSECOFR user profile as the Webmaster user profile is not recommended. </div>
|
||
<p><strong>Server user profiles</strong></p>
<p>The QTMHHTTP user profile is the default user profile of HTTP Server. This
user profile is referred to as the server user profile. The server user profile
must have read and execute authority to the directory path of the server root
directory. If you are using the <strong>Create New HTTP Server wizard</strong>, the
default server root path is <tt>/www/server_name/</tt>, where server_name
is the name of the HTTP Server (powered by Apache). </p>
<p>The server user profile must have read, write, and execute authority to
the directory path where the log files are stored. If you are using the <strong>Create
New HTTP Server wizard</strong>, the default path is <tt>/www/server_name/logs/</tt>,
where server_name is the name of the HTTP Server (powered by Apache). The
log files could include any access, script, or rewrite logs. These logs may
or may not be configured to be stored in the <tt>/www/server_name/logs/</tt> directory.
Since log files could contain sensitive information, the security
of the configuration and log files should be fully considered. The path of
the configuration and log files should only be accessible by the appropriate
user profiles. </p>
|
||
<p>The QTMHHTP1 user profile is the default user profile that HTTP Server
uses when running CGI programs. This user profile must have read and execute
authority to the location of any CGI program. User QTMHHTTP requires *RWX
authority to directory '<em>/tmp</em>'.</p>
<p>You can optionally specify that the QTMHHTTP or QTMHHTP1 user profile swap
to another user profile, as long as that user profile has the required authorities.
For more information, see <a href="rzaiemod_as_auth.htm#userid">UserID</a>.</p>
<ul><li>*RX authority for the root directory ("<tt>/</tt>") and directory "<tt>/www</tt>",
including all subdirectories in the path</li>
<li>*RWX authority for directory "<tt>/www/server_name/</tt>"</li>
</ul>
<div class="note"><span class="notetitle">Note:</span> Granting *ALLOBJ authority to any server user profile is not recommended.</div>
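<p>The following IBM i CL command sequence is an added example; it is not part of the original IBM topic. It grants the authorities listed above for the Webmaster user profile and for the server user profiles (QTMHHTTP and QTMHHTP1), and then displays the resulting authorities so they can be verified. The profile name WEBMASTER, the server name MYSERVER (so the server root is /www/MYSERVER), the configuration directory /www/MYSERVER/conf, the CGI directory /www/MYSERVER/cgi-bin, and the *FILE object type for QUSRSYS/QATMHINSTA and QUSRSYS/QATMHINSTC are assumptions made for the example; substitute your own values.</p>

```cl
/* Added example: grant the authorities this topic requires.            */
/* Assumed names: profile WEBMASTER, server MYSERVER, conf directory    */
/* /www/MYSERVER/conf, CGI directory /www/MYSERVER/cgi-bin. Run from a  */
/* profile that is authorized to change these objects.                  */

/* --- Webmaster user profile --------------------------------------- */

/* SPCAUT replaces the whole special-authority list, so include any      */
/* authorities the profile already needs. Add *SERVICE only if the       */
/* TRCTCPAPP function will be used. Do not add *ALLOBJ.                  */
CHGUSRPRF USRPRF(WEBMASTER) SPCAUT(*IOSYSCFG)

/* *CHANGE to library QUSRSYS, *ALL to the two instance files           */
/* (object type *FILE is assumed here).                                  */
GRTOBJAUT OBJ(QUSRSYS) OBJTYPE(*LIB) USER(WEBMASTER) AUT(*CHANGE)
GRTOBJAUT OBJ(QUSRSYS/QATMHINSTA) OBJTYPE(*FILE) USER(WEBMASTER) AUT(*ALL)
GRTOBJAUT OBJ(QUSRSYS/QATMHINSTC) OBJTYPE(*FILE) USER(WEBMASTER) AUT(*ALL)

/* *USE to the command objects the administration interface runs        */
GRTOBJAUT OBJ(QSYS/CRTVLDL)   OBJTYPE(*CMD) USER(WEBMASTER) AUT(*USE)
GRTOBJAUT OBJ(QSYS/STRTCPSVR) OBJTYPE(*CMD) USER(WEBMASTER) AUT(*USE)
GRTOBJAUT OBJ(QSYS/ENDTCPSVR) OBJTYPE(*CMD) USER(WEBMASTER) AUT(*USE)

/* IFS: *RX along the path to the server root, *RWX on the root itself  */
/* and everything under it. Object authority is left unchanged.          */
CHGAUT OBJ('/')             USER(WEBMASTER) DTAAUT(*RX)
CHGAUT OBJ('/www')          USER(WEBMASTER) DTAAUT(*RX)
CHGAUT OBJ('/www/MYSERVER') USER(WEBMASTER) DTAAUT(*RWX) SUBTREE(*ALL)

/* Only needed when QPWFSERVER excludes *PUBLIC and secures QSYS.LIB.    */
/* Display the list first, then add the entry.                           */
DSPAUTL  AUTL(QPWFSERVER)
ADDAUTLE AUTL(QPWFSERVER) USER(WEBMASTER) AUT(*CHANGE)

/* --- Server user profiles ----------------------------------------- */

/* QTMHHTTP: read/execute on the server root tree, read/write/execute   */
/* on the log directory and on /tmp.                                     */
CHGAUT OBJ('/www/MYSERVER')      USER(QTMHHTTP) DTAAUT(*RX) SUBTREE(*ALL)
CHGAUT OBJ('/www/MYSERVER/logs') USER(QTMHHTTP) DTAAUT(*RWX)
CHGAUT OBJ('/tmp')               USER(QTMHHTTP) DTAAUT(*RWX)

/* QTMHHTP1: read/execute on the location of the CGI programs            */
CHGAUT OBJ('/www/MYSERVER/cgi-bin') USER(QTMHHTP1) DTAAUT(*RX) SUBTREE(*ALL)

/* Configuration and log files can hold sensitive data: keep *PUBLIC out */
/* of those directories. Named users granted above keep their access.    */
CHGAUT OBJ('/www/MYSERVER/conf') USER(*PUBLIC) DTAAUT(*EXCLUDE) OBJAUT(*NONE)
CHGAUT OBJ('/www/MYSERVER/logs') USER(*PUBLIC) DTAAUT(*EXCLUDE) OBJAUT(*NONE)

/* --- Verify --------------------------------------------------------- */
DSPUSRPRF USRPRF(WEBMASTER)      /* special authority: no *ALLOBJ expected */
DSPOBJAUT OBJ(QUSRSYS/QATMHINSTA) OBJTYPE(*FILE)
DSPOBJAUT OBJ(QUSRSYS/QATMHINSTC) OBJTYPE(*FILE)
DSPAUT    OBJ('/www/MYSERVER')
DSPAUT    OBJ('/www/MYSERVER/logs')
```

<p>Run the commands in order from an interactive session. CHGAUT without OBJAUT leaves existing object authority in place, which is what you want for the named profiles; for *PUBLIC on the configuration and log directories it is set to *NONE so that exclusion is complete. If QPWFSERVER does not secure QSYS.LIB, skip the ADDAUTLE step.</p>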
|
||
<p><strong>ASF Jakarta Tomcat</strong></p>
<ul><li><strong>out-of-process</strong>: The user profile configuring the out-of-process
ASF Tomcat is the owner of the configuration files that are created. This
user profile must have:<ul><li>*JOBCTL authority </li>
<li>*ALL authority to the file QUSRSYS/QATMHASFT </li>
<li>*CHANGE authority to the library object QUSRSYS </li>
</ul>
<p>After the <span>IBM<sup>®</sup> Web Administration for i5/OS™ interface</span> has been used to create a new ASF
Tomcat server, the configuring user profile will typically, but not necessarily, have the
following directories with the given authorities.</p>
<p>/tomcat_home/conf - execute authority<br />
/tomcat_home/conf/server.xml - read authority<br />
/tomcat_home/webapps - read, write, and execute authority<br />
/tomcat_home/webapps/app1 - read and execute authority<br />
/tomcat_home/webapps/app1/WEB-INF - read and execute authority<br />
/tomcat_home/webapps/app1/WEB-INF/classes - read and execute authority<br />
/tomcat_home/webapps/app1/WEB-INF/lib - read and execute authority<br />
/tomcat_home/webapps/app1/WEB-INF/web.xml - read authority<br />
/tomcat_home/webapps/app1/*.jsp - read authority<br />
/tomcat_home/webapps/some_war_file.war - read authority <br />
/tomcat_home/webapps/ROOT - read and execute authority<br />
/tomcat_home/work - read, write, and execute authority<br />
/tomcat_home/logs - read, write, and execute authority<br />
/tomcat_home/Java - execute authority<br />
/tomcat_home/Java/lib - read and execute authority </p>
<p>In addition, the configuration process creates the tomcat_home directory
with public execute authority. The default out-of-process tomcat_home directory
is <tt>/ASFTomcat/tomcat_server_name</tt>. If any of these directories existed
prior to the ASF Tomcat configuration process, their previous authorities
are left unchanged. </p>
</li>
|
||
<li>The user profile used to start the out-of-process ASF Tomcat must have: <ul><li>*USE authority to the file QUSRSYS/QATMHASFT </li>
<li>*USE authority to the profile associated with the server user profile
(this is QTMHHTTP by default) </li>
<li>*IOSYSCFG special authority </li>
</ul>
</li>
<li>By default the user profile that the out-of-process ASF Tomcat runs under
is the QTMHHTTP user profile, but you can configure this to be another user
profile. <p>This user profile must have *USE authority to the file QUSRSYS/QATMHASFT. </p>
<p>This
user profile must NOT have the following:</p>
<ul><li>*SECADM authority </li>
<li>*ALLOBJ authority (if the system is at security level 30 or greater). </li>
</ul>
</li>
|
||
<li><strong>in-process</strong>: in-process ASF Tomcat configurations have the following
authority considerations: <p>After the <span>IBM Web Administration for i5/OS interface</span> has been used to
create a new ASF Tomcat, the server user profile (QTMHHTTP) will typically, but
not necessarily, have all of the following directories with the given authorities. </p>
<p>/tomcat_home/conf - execute authority<br />
/tomcat_home/conf/server.xml - read authority<br />
/tomcat_home/conf/workers.properties - read authority<br />
/tomcat_home/webapps - read, write, and execute authority<br />
/tomcat_home/webapps/app1 - read and execute authority<br />
/tomcat_home/webapps/app1/WEB-INF - read and execute authority<br />
/tomcat_home/webapps/app1/WEB-INF/classes - read and execute authority<br />
/tomcat_home/webapps/app1/WEB-INF/lib - read and execute authority<br />
/tomcat_home/webapps/app1/WEB-INF/web.xml - read authority<br />
/tomcat_home/webapps/app1/*.jsp - read authority<br />
/tomcat_home/webapps/some_war_file.war - read authority <br />
/tomcat_home/webapps/ROOT - read and execute authority<br />
/tomcat_home/work - read, write, and execute authority<br />
/tomcat_home/logs - read, write, and execute authority<br />
/tomcat_home/Java - execute authority<br />
/tomcat_home/Java/lib - read and execute authority </p>
</li>
<li>In addition, the configuration process creates the tomcat_home directory
with public execute authority. The default in-process tomcat_home directory
is <tt>/www/server_name/</tt>. </li>
<li>When running JSPs on an in-process ASF Tomcat, the server administrator should
precompile the JSPs under the configured profile for that server. This ensures
that the Java™ and .class files produced by JSP compilation are owned by the
configured profile, and not by whichever profile HTTP Server had swapped to
when the JSP was first requested and therefore first compiled. </li>
</ul>
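<p>The paragraphs above say that the profile the out-of-process ASF Tomcat runs under (QTMHHTTP by default) must hold *USE authority to QUSRSYS/QATMHASFT and must NOT hold *SECADM or, at security level 30 or greater, *ALLOBJ. The following CL program is an added example, not part of the original IBM topic: it retrieves the special authorities of a named profile and ends with an escape message if either forbidden authority is present. The program name CHKTOMPRF and the use of message CPF9898 in QCPFMSG to carry the escape text are choices made for this example.</p>

```cl
/* CHKTOMPRF: added example. CALL CHKTOMPRF PARM(QTMHHTTP)              */
/* Ends abnormally (CPF9898 *ESCAPE) if the profile holds *SECADM or     */
/* *ALLOBJ, the special authorities this topic says the Tomcat run-as    */
/* profile must not have. Otherwise sends a completion message.          */
PGM        PARM(&USR)
DCL        VAR(&USR)    TYPE(*CHAR) LEN(10)
DCL        VAR(&SPCAUT) TYPE(*CHAR) LEN(150) /* 15 entries of 10 bytes  */
DCL        VAR(&ENTRY)  TYPE(*CHAR) LEN(10)
DCL        VAR(&POS)    TYPE(*DEC)  LEN(3 0) VALUE(1)
DCL        VAR(&BAD)    TYPE(*CHAR) LEN(20)  VALUE(' ')

/* RTVUSRPRF returns the special authorities as a 150-byte list of       */
/* 10-byte entries, blank-padded.                                        */
RTVUSRPRF  USRPRF(&USR) SPCAUT(&SPCAUT)

/* Walk the list one 10-byte entry at a time (positions 1, 11, ... 141). */
NEXT:      IF COND(&POS *GT 141) THEN(GOTO CMDLBL(DONE))
CHGVAR     VAR(&ENTRY) VALUE(%SST(&SPCAUT &POS 10))
/* *ALLOBJ is forbidden at security level 30 or greater; *SECADM always. */
IF         COND(&ENTRY *EQ '*SECADM' *OR &ENTRY *EQ '*ALLOBJ') +
             THEN(CHGVAR VAR(&BAD) VALUE(&BAD *TCAT ' ' *CAT &ENTRY))
CHGVAR     VAR(&POS) VALUE(&POS + 10)
GOTO       CMDLBL(NEXT)

DONE:      IF COND(&BAD *NE ' ') THEN(DO)
             SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
                        MSGDTA('Profile' *BCAT &USR *BCAT +
                        'has forbidden special authority:' *BCAT &BAD)
           ENDDO
SNDPGMMSG  MSGTYPE(*COMP) MSG('Profile' *BCAT &USR *BCAT +
             'has neither *SECADM nor *ALLOBJ special authority')
ENDPGM
```

<p>Compile it with CRTCLPGM (for example CRTCLPGM PGM(MYLIB/CHKTOMPRF) SRCFILE(MYLIB/QCLSRC), where MYLIB is your own library) and call it with the run-as profile as the parameter; a job that runs it under a scheduler or a build step will fail on the escape message. The *USE requirement on QUSRSYS/QATMHASFT is a check on object authority rather than special authority; verify it with DSPOBJAUT OBJ(QUSRSYS/QATMHASFT) OBJTYPE(*FILE) and confirm that the run-as profile, or *PUBLIC, is listed with at least *USE.</p>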
|
||
<p>The Java virtual machine (JVM) used to run in-process and out-of-process
ASF Tomcat is by default set up to assign Public execute authority to any
new IFS directories that are created and Public exclude authority to any new
IFS files that are created by Java code running within the JVM.</p>
<p>If any of these directories existed prior to the ASF Tomcat configuration
process, then the previous authorities are left unchanged.</p>
<p>See <a href="../rbapk/rbapkpart.htm">Basic
system security and planning</a> for more information on how to work with
authorities.</p>
</div>
</div>
</body>
</html>