AIX Encrypted File Systems (EFS) and Application:
Now we are going to use the encrypted file system "/aixefs" in our applications, in this case the Apache (httpd) web server.
Scenario: the Apache (httpd) web server is our application, and its document root directory (the web page contents) is located in the Encrypted File System (EFS) /aixefs. Let's see how the Apache (httpd) web server presents the encrypted index.html file on the web page.
1. We need to install the httpd RPM on our AIX system:
a. Download rpm.rte version 220.127.116.11 or later from the link: http://ftp.software.ibm.com/aix/freeSoftware/aixtoolbox/INSTALLP/ppc/
b. To install the rpm.rte in our AIX System:
# smitty installp
c. Verify the updated version of the rpm.rte package on our AIX system:
# lslpp -l rpm.rte
d. Download the yum_bundle.tar file from the link below and install the RPM packages it contains: https://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/ezinstall/ppc/
e. Install the RPMs:
# tar -xvf yum_bundle.tar
# cd yum_bundle
# rpm -ivh *.rpm
f. To verify the list of enabled yum repositories:
# yum repolist
g. To install the Apache HTTP server:
# yum install httpd
Source: https://www.ibm.com/developerworks/community/blogs/mhhaque/entry/Experience_on_YUM_in_AIX?lang=en
2. We need to configure the httpd service on our AIX system:
a. Edit the httpd.conf file so that Apache serves its content from /aixefs:
# vi /opt/freeware/etc/httpd/conf/httpd.conf
ScriptAlias /cgi-bin/ "/aixefs/www/cgi-bin/"
b. Add the server's name to the /etc/hosts file:
# vi /etc/hosts
172.29.153.188 AIXLPAR01 www.example.com
c. Copy the /var/www directory into /aixefs/:
# cp -r /var/www /aixefs/
d. Edit the /aixefs/www/htdocs/index.html file:
# vi /aixefs/www/htdocs/index.html
<html><body><h1>Hi Munshi, It works!</h1></body></html>
3. We need to encrypt /aixefs/www/htdocs/index.html (AES_192_ECB is used here; ECB mode reveals repeated plaintext blocks, so prefer one of the AES CBC modes efsmgr offers for real data):
# efsmgr -c AES_192_ECB -e /aixefs/www/htdocs/index.html
# efsmgr -l /aixefs/www/htdocs/index.html
4. Restart the httpd service on our AIX system:
# /opt/freeware/sbin/apachectl -k stop
# /opt/freeware/sbin/apachectl -k start
5. Verify the web page in a browser: the index.html content is displayed.
Let's experiment with the encrypted file system and the Apache web server:
1. The user02 user can also read the encrypted /aixefs/www/htdocs/index.html file:
# ls /aixefs/www/htdocs
This works because the group owner of /aixefs/www/htdocs/index.html is system, user02 is a member of the group01 group, and /aixefs/www/htdocs/index.html carries two symmetric (AES) keys that can decrypt it (see step 3): one for the root user and one for the system group.
Note: the group01 group has access to the key of the system group.
In our previous activity (part 2), we sent the access key of the "system" group to the "group01" group.
That's why user02 can read the
2. Now I'm going to decrypt (remove the encryption from) /aixefs/www/htdocs/index.html as root.
Let's change the owner of the /aixefs/www/htdocs/index.html file from root to user01, and give write permission on /aixefs/www/htdocs to others so that user01 can write to the /aixefs/www/htdocs directory.
Now, let's encrypt the /aixefs/www/htdocs/index.html file again as user01.
Note: in the who output, the UID is 205, which is user01.
Let's verify the web page: now we cannot see it, and the httpd error log reports an access error:
httpd error_log file:
3. Recall that I changed the owner of the /aixefs/www/htdocs/index.html file to user01, but the group owner is still the same (system).
Let me add system group access to the /aixefs/www/htdocs/index.html file.
Let's verify the web page again: it is displayed once more.
I hope this three-part series helps you understand the AIX Encrypted File System (EFS) and use it to secure your important data on AIX systems.
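The key-access rules that these three experiments exercise, replayed as an added Python model (not AIX or IBM code): a file is readable only by a process whose keystore holds one of the keys the file was wrapped for. The "httpd" principal holding the system group key, user01's "staff" membership and the rule that efsmgr -e adds the group-owner key only when the caller can use it are assumptions chosen to match the behaviour observed above.

```python
from dataclasses import dataclass

@dataclass
class EfsFile:
    path: str
    group: str   # group owner; chown changes ownership, never the key list
    keys: set    # principals whose key wraps the file key, e.g. "group:system"

def keystore(user, groups, delegated):
    """Keys a process can use: its own user key, its groups' keys, and any
    group key delegated to one of those groups (part 2 sent the "system"
    group key to group01)."""
    keys = {"user:" + user}
    for g in groups:
        keys.add("group:" + g)
        keys.update("group:" + d for d in delegated.get(g, ()))
    return keys

def efs_encrypt(f, user, groups, delegated):
    """efsmgr -e as modelled here (assumption): wrap the file key for the
    caller's user key and, only if the caller's keystore holds it, for the
    group-owner's key. Re-encrypting replaces the old key list."""
    f.keys = {"user:" + user}
    if "group:" + f.group in keystore(user, groups, delegated):
        f.keys.add("group:" + f.group)

def efs_add_group(f, group):
    """Grant one more group key to the file (efsmgr -a <file> -g <group>)."""
    f.keys.add("group:" + group)

def can_open(f, user, groups, delegated):
    return bool(f.keys & keystore(user, groups, delegated))

def scenario():
    """Replays the three experiments with constructed principals."""
    delegated = {"group01": {"system"}}           # delegation done in part 2
    httpd = ("httpd", {"system"})                 # assumption: serving process holds the system key
    user02, user01 = ("user02", {"group01"}), ("user01", {"staff"})
    f = EfsFile("/aixefs/www/htdocs/index.html", "system", set())
    out = {}
    efs_encrypt(f, "root", {"system"}, delegated)             # step 3, as root
    out["keys_after_root"] = sorted(f.keys)
    out["user02_reads"] = can_open(f, *user02, delegated)     # experiment 1
    efs_encrypt(f, *user01, delegated)                        # experiment 2: re-encrypt as user01
    out["keys_after_user01"] = sorted(f.keys)
    out["httpd_reads_before_fix"] = can_open(f, *httpd, delegated)
    efs_add_group(f, "system")                                # experiment 3: add system group key
    out["httpd_reads_after_fix"] = can_open(f, *httpd, delegated)
    return out
```

The chown step never appears in the model because, as the experiments show, ownership and permission bits play no part in EFS decryption; only the wrapped keys do.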
Go back to: How to work with AIX Encrypted File Systems (EFS) – Part1
Go back to: How to work with AIX Encrypted File Systems (EFS) – Part2