Setting up password protection on HTTP Server
Set up password protection for resources on your IBM HTTP Server for i instance using the IBM Web Administration for i interface.
You can protect Web resources by asking the user for a userid and password to gain access to these resources. Group files can be used to classify users into groups (for example: users and administrators). This allows you to limit access to the users defined in a group. If the user is listed in the group, then the userid and password are validated in one of the following ways:
- Internet users in a validation list - This requires you to create a validation list that contains Internet users. You can create a validation list and Internet users through the Web Administration for i.
- User profiles password protection - This requires that each user must have a system user profile.
- LDAP password protection - This requires that you configure an LDAP server with the user entries.
Group file password protection
The following steps explain how to add password protection (using groups) to a directory context.
- Create a group file with the following format:
groupname: user1[, user2[, user3...]]
- groupname
- Any name you want to use to identify the group you are defining. This name can be used on subsequent group definitions within the same server group file.
- user1[, user2[, user3...]]
- This can be any combination of user names and group names. Separate each item with a comma.
For example:
ducks: webfoot, billface, swandude
geese: goosegg, bagel
flock: ducks, geese
In the above example, notice that once the groups named ducks and geese are defined, they can be included as part of the group named flock.
Group profile support is also available.
Add an IBM i group profile name, surrounded by the % character, as a member of an HTTP group. All members of that IBM i group profile are then collected and added to the HTTP group.
For example:
GROUPA: USER1 %GRP1% USER2
If group profile GRP1 has two members, USER3 and USER4, the HTTP Server collects user profiles USER3 and USER4 and adds them to group GROUPA along with USER1 and USER2.
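To make the group-file rules concrete, the following added example (not IBM's code) parses a group file in the format described above and answers the question the server has to answer before it validates a password: is this user a member of the named group? It expands nested groups (flock contains ducks and geese), expands %GROUPPROFILE% references, and stops on a cycle such as a group that lists itself through another group. The IBM i group-profile lookup is replaced by a constructed dictionary, because the real lookup needs a live system; the sample group file is constructed from the two examples on this page.

```python
"""Parser and membership check for the IBM HTTP Server for i group-file format.

Added example, not IBM's code.  Assumptions: members may be separated by
commas and/or whitespace (both forms appear in the page's examples), names
are compared exactly as written, and the IBM i group-profile membership
lookup is a constructed dictionary standing in for the operating system.
"""
import re

# Constructed stand-in for the IBM i group-profile lookup (assumption).
GROUP_PROFILES = {
    "GRP1": ["USER3", "USER4"],
}

# Constructed sample group file built from the page's two examples.
SAMPLE_GROUP_FILE = """\
ducks: webfoot, billface, swandude
geese: goosegg, bagel
flock: ducks, geese
GROUPA: USER1 %GRP1% USER2
"""


def parse_group_file(text):
    """Return {groupname: [member, ...]} for the text of a group file.

    Blank lines and '#' comments are skipped.  A line without a colon is
    rejected rather than silently ignored, so a malformed file cannot quietly
    drop an access restriction.
    """
    groups = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'groupname: members'")
        name, members = line.split(":", 1)
        name = name.strip()
        if not name:
            raise ValueError(f"line {lineno}: empty group name")
        items = [m for m in re.split(r"[,\s]+", members.strip()) if m]
        groups.setdefault(name, []).extend(items)
    return groups


def resolve_members(groups, name, group_profiles=GROUP_PROFILES, _seen=None):
    """Return the set of user names in group `name`.

    Nested group names are expanded recursively, %PROFILE% entries are
    expanded through `group_profiles`, and any group already on the current
    expansion path is skipped so a cyclic definition terminates.
    """
    _seen = set() if _seen is None else _seen
    if name in _seen:
        return set()
    _seen.add(name)
    users = set()
    for item in groups.get(name, []):
        if len(item) > 2 and item.startswith("%") and item.endswith("%"):
            # IBM i group profile reference, e.g. %GRP1%
            users.update(group_profiles.get(item[1:-1], []))
        elif item in groups:
            # Nested HTTP group defined elsewhere in the same file
            users |= resolve_members(groups, item, group_profiles, _seen)
        else:
            # Anything else is taken as an individual user name
            users.add(item)
    return users


def is_member(groups, name, user, group_profiles=GROUP_PROFILES):
    """True if `user` is a (direct or inherited) member of group `name`."""
    return user in resolve_members(groups, name, group_profiles)


if __name__ == "__main__":
    g = parse_group_file(SAMPLE_GROUP_FILE)
    for group in g:
        print(group, "->", sorted(resolve_members(g, group)))
```

Note the last branch of resolve_members: a misspelled nested group name is silently treated as a user name, which is exactly the kind of typo that leaves a group smaller than intended; when reviewing a group file, check that every member that was meant to be a group actually appears as a defined group.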
- Click the Manage tab.
- Click the HTTP Servers subtab.
- Select your HTTP Server from the Server list.
- Select the context you want to work with from the Server area list. Note: Do not select Global configuration or Virtual Host. If the Authentication tab cannot be selected, select a different context to work with from the Server area list.
- Expand Server Properties.
- Click Security.
- Click the Authentication tab in the form.
- Select Use Internet users in validation list or Use IBM i profile of client under User authentication method. Note: Base your selection on the incoming traffic your HTTP Server will receive. If incoming traffic comes from outside your local network, using Internet users in a validation list is preferable to using IBM i profiles. If incoming traffic comes from your local network, using IBM i profiles is preferable to using Internet users in a validation list.
- Enter an authentication name or realm. The realm name is displayed on the login prompt.
- Add a user authentication method if necessary.
- Click OK.
After configuring authentication, you must configure control access.
- Select the same context you worked with previously from the Server area list.
- Expand Server Properties.
- Click Security.
- Click the Control Access tab in the form.
- Select Specific users and groups.
- Click Add under the User and Group names table.
- Select Group from the list in the Type column.
- Enter the name of the group in the Name column.
- Enter the path/filename of the group file used above.
- Click OK.
Note that changes to existing group files take effect after the HTTP Server is restarted.
User profiles password protection
You can protect Web resources by asking the user for a userid and password to gain access to these resources. An IBM i user profile can be used to authenticate users.
To configure password protection using a user profile, do the following:
- Click the Manage tab.
- Click the HTTP Servers subtab.
- Select your HTTP Server from the Server list.
- Select the context you want to work with from the Server area list.
- Expand Server Properties.
- Click Security.
- Click the Authentication tab in the form. Note: If the Authentication tab cannot be selected, select a different context to work with from the Server area list.
- Select Use IBM i profile of client under User authentication method.
- Enter an authentication name or realm. The realm name is displayed on the login prompt.
- Choose one of the two methods below:
  - Enter a user name in the IBM i user profile to process requests field.
  - Select a user name under IBM i user profile to process requests. Select Default server profile to allow the HTTP Server profile (QTMHHTTP) to process requests.
- Click OK.
After configuring authentication, you must configure control access.
- Select the same context you worked with previously from the Server area list.
- Expand Server Properties.
- Click Security.
- Click the Control Access tab in the form.
- Select All authenticated users (valid user name and password) under Control access based on who is making requests.
- Click OK.
LDAP password protection
You can protect Web resources by asking the user for a userid and password to gain access to these resources. A Lightweight Directory Access Protocol (LDAP) server can be used to authenticate users.
LDAP is a directory service protocol that runs over TCP/IP, either over a non-secure connection or over Secure Sockets Layer (SSL). The LDAP directory service follows a client/server model, where one or more LDAP servers contain the directory data. This allows any LDAP-enabled application to store information once (such as user authentication information). Other applications using the LDAP server are then able to request the stored information. The HTTP Server can act as an LDAP client, making requests for information.
One of the advantages of using the LDAP server for authentication is that it allows the information to be shared by multiple LDAP clients, and stores the information in a platform independent fashion. This can help prevent information from being duplicated within a network.
The following steps explain how to add password protection (using LDAP) to a directory context.
- Click the Manage tab.
- Click the HTTP Servers subtab.
- Select your HTTP Server from the Server list.
- Select the context you want to work with from the Server area list.
- Expand Server Properties.
- Click Security.
- Click the Authentication tab in the form. Note: If the Authentication tab cannot be selected, select a different context to work with from the Server area list.
- Select Use user entries in LDAP server under User authentication method.
- Enter an authentication name or realm. The realm name is displayed on the login prompt.
- Enter an LDAP configuration file.
- Enter an LDAP group name or filter.
- Click OK.
After configuring authentication, you must configure control access.
- Select the same context you worked with previously from the Server area list.
- Expand Server Properties.
- Click Security.
- Click the Control Access tab in the form.
- Select one of the options for who can access this resource under Users and groups who can access this resource.
- Select Allow access to all, except the following under Control access based on where the request is coming from.
- Enter any domain names or IP addresses you do not want to allow access to.
- Click OK.