Topic
  • 9 replies
  • Latest Post - 2015-03-29T18:32:31Z by SysopChris
SystemAdmin
535 Posts

Pinned topic How can I add kerberos capabilities to an RPGLE CGI program using QWTSETP?

2012-10-17T22:15:48Z
I have an RPGLE program that is currently running in the Apache HTTP server as a CGI program that currently receives an iseries userid and password (HTTPS only of course) and then calls the QWTSETP API to switch the job to the supplied user before executing any other code. When done, the program switches back to the original user when it was first invoked.

I am in the process of planning a modification to this program to add the ability for it to receive a kerberos token instead of the userid and password and then switch the user profile in the same manner as the QWTSETP API allows, but of course using kerberos instead.

I've read the "Windows-based Single Signon and the EIM framework" redbook, but cannot figure out what API(s) I need to use and in what sequence they need to be used, in order to switch to the user represented by the kerberos token.

In addition, the windows userid represented by the kerberos token is not the same as the iseries userid for the user so I believe that I will also need to mix in the right EIM api's in the right places as well.

Has anyone ever done something like this before or does anyone have any guidance on how to accomplish this?

All replies would be greatly appreciated.
Updated on 2012-11-30T19:11:46Z by SystemAdmin
  • scott_klement
    259 Posts

    Re: How can I add kerberos capabilities to an RPGLE CGI program using QWTSETP?

    2012-10-25T06:40:51Z
    I've never done this, but I'm replying since it's been over a week, and you haven't had any responses.

    I don't know the API to call. I do not work in a Kerberos environment.

    I can tell you, however, that the HTTP server has a built-in capability to authenticate to Kerberos and run your CGI jobs under the authenticated userid. So I wonder if you really code this by hand with an API? Or would it be okay to let Apache do it?

    To enable it within Apache, you can do this:

    <Directory /QSYS.LIB/YOURLIB.LIB>
        Require valid-user
        AuthType KERBEROS
        PasswdFile %%KERBEROS%%
        UserID %%CLIENT%%
    </Directory>

    The "AuthType KERBEROS" and "PasswdFile %%KERBEROS%%" lines tell Apache to authenticate against the kerberos server. the "UserId %%CLIENT%%" line tells Apache to run your CGI program under this userID.

    There are variations on this theme, too... if you really want to swap to the userid in your program (instead of letting Apache do it) you can remove the "UserId" directive and add the "ProfileToken On" directive. Now a profile token will be generated from the Kerberos authentication, and your program can read that (from an environment variable) and use the QSYSETPT API (which is similar to the QWTSETP API) to set the userid to run under that authority.

    As I said... I haven't done this myself, but I've seen the directives in the docs... maybe it'll work for you? Unless, for some reason, it's important to handle the whole task inside your program?
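    The two forms Scott describes, written out as complete directory sections. This is an added example, not code from Scott's post or from IBM's documentation; YOURLIB is the placeholder from his snippet, and the name of the environment variable that carries the profile token in the second form is not given in the thread, so look it up in the HTTP server documentation before relying on it.

```apache
# Variant 1: Apache authenticates the Kerberos ticket, runs the EIM
# mapping and swaps the CGI job to the mapped IBM i profile. Every
# object authority check the CGI program triggers is then made against
# that profile, not against the server profile (QTMHHTP1).
<Directory /QSYS.LIB/YOURLIB.LIB>
    Require valid-user
    AuthType KERBEROS
    PasswdFile %%KERBEROS%%
    UserID %%CLIENT%%
</Directory>

# Variant 2: Apache only authenticates. The job keeps running under the
# server profile and a profile token for the mapped user is exposed to
# the CGI program, which swaps itself with QSYSETPT (and must swap back
# before it ends, as the QWTSETP-based program in the question does).
<Directory /QSYS.LIB/YOURLIB.LIB>
    Require valid-user
    AuthType KERBEROS
    PasswdFile %%KERBEROS%%
    ProfileToken On
</Directory>
```

    The first form is the smaller change for a program that already expects the job to be running as the end user; the second keeps the swap under the program's control but makes the program responsible for releasing the token and restoring the original user on every exit path.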
  • SystemAdmin
    535 Posts

    Re: How can I add kerberos capabilities to an RPGLE CGI program using QWTSETP?

    2012-10-25T12:21:28Z
    Hi Scott,

    Thanks for the reply! I was beginning to lose hope in getting a response.

    I was not aware that the HTTP server handles Kerberos authentication. I will definitely look into this, it seems promising. This seems much less daunting than trying to figure out how to do the kerberos authentication myself.

    Hopefully I can come up with a way to add this functionality without destroying the ability for the program to continue to work as is.
  • scjt2001
    18 Posts

    Re: How can I add kerberos capabilities to an RPGLE CGI program using QWTSETP?

    2012-11-30T14:39:10Z
    • SystemAdmin
    • 2012-10-25T12:21:28Z
    Hi Scott,

    Thanks for the reply! I was beginning to lose hope in getting a response.

    I was not aware that the HTTP server handles Kerberos authentication. I will definitely look into this, it seems promising. This seems much less daunting than trying to figure out how to do the kerberos authentication myself.

    Hopefully I can come up with a way to add this functionality without destroying the ability for the program to continue to work as is.

    Once you enable kerberos for your web location in the HTTP server, you can use the REMOTE_USER environment variable to get the windows user name of the logged in person; then you can call EIM APIs to get the ISERIES user id.

    I have 3 files in the attachment, which show how to use the EIM APIs. utilityh3 and utilitym3 can be used to create a service program that has all EIM and LDAP functions; getuserid allows you to supply the windows userid and get the ISERIES userid.

    utility3m also has a procedure to get the windows userid, email address and other LDAP details for an ISERIES userid.

    Note: You will have to use your LDAP server name and EIM iseries domain in utility3m

  • SystemAdmin
    535 Posts

    Re: How can I add kerberos capabilities to an RPGLE CGI program using QWTSETP?

    2012-11-30T18:34:03Z
    • scjt2001
    • 2012-11-30T14:39:10Z
    Once you enable kerberos for your web location in the HTTP server, you can use the REMOTE_USER environment variable to get the windows user name of the logged in person; then you can call EIM APIs to get the ISERIES user id.

    I have 3 files in the attachment, which show how to use the EIM APIs. utilityh3 and utilitym3 can be used to create a service program that has all EIM and LDAP functions; getuserid allows you to supply the windows userid and get the ISERIES userid.

    utility3m also has a procedure to get the windows userid, email address and other LDAP details for an ISERIES userid.

    Note: You will have to use your LDAP server name and EIM iseries domain in utility3m
    Thanks for the sample code scjt2001. I really appreciate it, but this leads me to a question:

    Assuming that the Windows userid is different than the iSeries userid and that the user authenticates to the network with their Windows ID, wouldn't the kerberos login process that executes within Apache do the EIM mapping and automatically log the user in under their correct iSeries userid, such that I can get their iSeries userid from positions 358 - 367 of the program status data structure in an RPG program?
  • scjt2001
    18 Posts

    Re: How can I add kerberos capabilities to an RPGLE CGI program using QWTSETP?

    2012-11-30T19:06:24Z
    • SystemAdmin
    • 2012-11-30T18:34:03Z
    Thanks for the sample code scjt2001. I really appreciate it, but this leads me to a question:

    Assuming that the Windows userid is different than the iSeries userid and that the user authenticates to the network with their Windows ID, wouldn't the kerberos login process that executes within Apache do the EIM mapping and automatically log the user in under their correct iSeries userid, such that I can get their iSeries userid from positions 358 - 367 of the program status data structure in an RPG program?

    I use PHP for web programming on ISERIES. If I call an RPG program using the toolkit, it does not give the correct userid in that location of the program status data structure. If you are using CGI-RPG then it will work.
  • SystemAdmin
    535 Posts

    Re: How can I add kerberos capabilities to an RPGLE CGI program using QWTSETP?

    2012-11-30T19:11:46Z
    • scjt2001
    • 2012-11-30T19:06:24Z
    I use PHP for web programming on ISERIES. If I call an RPG program using the toolkit, it does not give the correct userid in that location of the program status data structure. If you are using CGI-RPG then it will work.

    OK. Thanks. Based on some of the reading that I've been doing, I see that the Apache server is supposed to perform the EIM mapping and, assuming it can find the translation, it is supposed to automatically log them in as the appropriate iSeries user, which I believe will cause that information in the program status data structure to be properly set to the iSeries userid.

    Once again I do appreciate your input, as it did provide me with some very nice sample code that I can use in the future, if there is a need to do so.
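    To make the two points of this exchange concrete (scjt2001's remark that REMOTE_USER carries the Windows user name, and the conclusion that with the HTTP server doing the swap the program status data structure reports the mapped iSeries profile in positions 358-367), here is an RPGLE CGI skeleton that reads both and refuses to serve a request when the job is still running as the server profile. This is an added example, not code from the thread, from scjt2001's attachments or from IBM. It assumes the directory is configured with AuthType KERBEROS and UserID %%CLIENT%%, that AUTH_TYPE is the standard CGI variable naming the authentication scheme, and that the CGI server profiles are the QTMHHTP1/QTMHHTTP names mentioned later in the thread; envValue and send are helper names chosen here.

```rpgle
**free
// Added example: RPGLE CGI program that checks what the HTTP server
// did before trusting the request. Not from the thread or from IBM.
// Assumes AuthType KERBEROS + UserID %%CLIENT%% in the Apache config.
ctl-opt dftactgrp(*no) actgrp(*new) bnddir('QHTTPSVR/QZHBCGI');

// Program status data structure: 264-273 is the user the job was
// started under, 358-367 is the profile the job currently runs as.
dcl-ds pgmStat psds qualified;
  jobUser char(10) pos(264);
  curUser char(10) pos(358);
end-ds;

// C library getenv(): pointer to the value, or *null if the
// variable is not set in the CGI job
dcl-pr getenv pointer extproc('getenv');
  name pointer value options(*string);
end-pr;

// HTTP server CGI API for writing to standard output
dcl-pr QtmhWrStout extproc('QtmhWrStout');
  data      char(65535) const options(*varsize);
  dataLen   int(10) const;
  errorCode char(16);
end-pr;

dcl-c NL x'15';                          // EBCDIC newline
dcl-s errCode char(16) inz(*allx'00');   // bytes provided = 0: exceptions are signalled

dcl-s remoteUser varchar(256);
dcl-s authType   varchar(32);

*inlr = *on;

remoteUser = envValue('REMOTE_USER');   // Windows/Kerberos principal
authType   = envValue('AUTH_TYPE');     // assumed standard CGI variable

// Defensive check: if no authentication scheme is reported, or the job
// still runs under a server profile, Apache did not authenticate and
// swap. Do not fall back to processing the request as the server user.
if authType = '' or pgmStat.curUser = 'QTMHHTP1'
   or pgmStat.curUser = 'QTMHHTTP';
  send('Status: 403 Forbidden' + NL
     + 'Content-type: text/plain' + NL + NL
     + 'Request was not authenticated and swapped by the HTTP server.' + NL);
  return;
endif;

// From here on, every authority check the program triggers is made
// against the mapped IBM i profile in pgmStat.curUser.
send('Content-type: text/plain' + NL + NL
   + 'Authenticated via ' + authType + NL
   + 'Windows principal (REMOTE_USER): ' + remoteUser + NL
   + 'Job started as: ' + %trimr(pgmStat.jobUser) + NL
   + 'Job now running as: ' + %trimr(pgmStat.curUser) + NL);
return;

// Read an environment variable as a varchar; empty if it is not set
dcl-proc envValue;
  dcl-pi *n varchar(256);
    name varchar(64) const;
  end-pi;
  dcl-s p pointer;
  p = getenv(name);
  if p = *null;
    return '';
  endif;
  return %str(p);
end-proc;

// Write a block of text to the CGI standard output
dcl-proc send;
  dcl-pi *n;
    text varchar(4096) const;
  end-pi;
  dcl-s buf char(4096);
  buf = text;
  QtmhWrStout(buf: %len(text): errCode);
end-proc;
```

    The 403 branch is the part worth keeping: a program that previously did its own QWTSETP swap has always known which user it is running as, and once that responsibility moves to the HTTP server the program should verify the swap happened rather than assume it, since a misconfigured directory section would otherwise run every request under the server profile.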
  • dcmason
    1 Post

    Re: How can I add kerberos capabilities to an RPGLE CGI program using QWTSETP?

    2013-04-23T16:27:55Z
    • scjt2001
    • 2012-11-30T14:39:10Z
    Once you enable kerberos for your web location in the HTTP server, you can use the REMOTE_USER environment variable to get the windows user name of the logged in person; then you can call EIM APIs to get the ISERIES user id.

    I have 3 files in the attachment, which show how to use the EIM APIs. utilityh3 and utilitym3 can be used to create a service program that has all EIM and LDAP functions; getuserid allows you to supply the windows userid and get the ISERIES userid.

    utility3m also has a procedure to get the windows userid, email address and other LDAP details for an ISERIES userid.

    Note: You will have to use your LDAP server name and EIM iseries domain in utility3m

    Hi scjt2001,

    I read your reply about Kerberos and RPG CGI.  This is exactly what I need (Web running an RPG CGI program, use the windows id to get to the iSeries ID).

    I downloaded the 3 files you attached (UTILITYM3,UTILITYH3,GETUSERID)

    I created UTILITYM3 by:  ===> CRTRPGMOD MODULE(QGPL/UTILITYM3) SRCFILE(QGPL/QRPGSRC) BNDDIR(QGPL/UTILITYB3)

    CRTSRVPGM SRVPGM(QGPL/UTILITYM3) EXPORT(*ALL)

    When I go to compile the GETUSRID program, it gives me an error message - definition not found for reference CONNECTEIM, DISCONNECTEIM, GETIDENTIFIEREIM,GETPROFILEDETAIL, etc.

    Could you provide the correct compile statements for the examples?

    Thanks!

  • VernHamberg
    1 Post

    Re: How can I add kerberos capabilities to an RPGLE CGI program using QWTSETP?

    2013-06-03T22:06:11Z
    • dcmason
    • 2013-04-23T16:27:55Z

    Hi scjt2001,

    I read your reply about Kerberos and RPG CGI.  This is exactly what I need (Web running an RPG CGI program, use the windows id to get to the iSeries ID).

    I downloaded the 3 files you attached (UTILITYM3,UTILITYH3,GETUSERID)

    I created UTILITYM3 by:  ===> CRTRPGMOD MODULE(QGPL/UTILITYM3) SRCFILE(QGPL/QRPGSRC) BNDDIR(QGPL/UTILITYB3)

    CRTSRVPGM SRVPGM(QGPL/UTILITYM3) EXPORT(*ALL)

    When I go to compile the GETUSRID program, it gives me an error message - definition not found for reference CONNECTEIM, DISCONNECTEIM, GETIDENTIFIEREIM,GETPROFILEDETAIL, etc.

    Could you provide the correct compile statements for the examples?

    Thanks!

    I have actually done this for a product that had its own user and password system. The principle is the same, except I used an application level user registry in EIM.

    Have you set up EIM yet? It's the same setup you need for SSO with PC5250, for example.

    Have you set up Kerberos for HTTP yet? That's in the IBM i Navigator either under security or network servers. There's a wizard there. You will get a batch file to give to your Windows Domain administrator.

    The wizard will set up the EIM stuff, at least as far as putting in registries for your Windows users and your IBM i users. It does NOT put in any users - that's a manual process in the EIM config in Navigator, or IBM and Pat Botz have tools for doing this more automagically - individual entries for EIM get painful after about 3 of them.

    REMOTE_USER will have the Windows user - it won't have the IBM i user, as I recall. I don't think there is an environment variable that gives you the user profile, but it's been a while.

    There's another environment variable that might be of interest - I forget its name, but something about the kind of authentication, like Basic or Kerberos.

    If you don't know, to see the environment variables, run the HTTP server instance in verbose mode - put '-vv' in the options - that is 2 Vees. Do this just before opening the web page, then shut down the HTTP instance when you are done. You will have a bunch of spooled files for QTMHHTTP or QTMHHTP1, and one of them has all the environment variables.

  • SysopChris
    1 Post

    Re: How can I add kerberos capabilities to an RPGLE CGI program using QWTSETP?

    2015-03-29T18:32:31Z
    I am so thrilled to see that someone has looked into this already because before I found this post I didn't know where to start except the LDAP RedBooks and the AS/400 user groups at LinkedIn.

    I have been asked to replace the JD Edwards password program P00CKPWD where it is used for the Requisition Approval program. Instead of that we want to use our newly implemented single sign-on & Kerberos to retrieve the Windows User Credentials.

    So what I want to do is not entirely like what's discussed here since at this time the HTTP server is not involved but I see that coming. I have downloaded the attached three programs and I'm just about to try to compile them though I'm not sure what all is needed. That's how I learn best, by example, so this is like finding gold, running across these RPG programs. It's actually the first code I have seen for RPG that works with LDAP.

    If I cannot get these to compile I'll be back...thnx


    Chris Lively

    Chattanooga, TN