Using validation lists

Validation list objects provide a method for applications to securely store user-authentication information.

For example, the Internet Connection Server (ICS) uses validation lists to implement the concept of an Internet user. The ICS can perform basic authentication before a Web page is served. Basic authentication requires users to provide some type of authentication information, such as a password, PIN, or account number. The name of the user and the authentication information can be stored securely in a validation list. The ICS can use the information from the validation list rather than require all users of the ICS to have an IBM® i user ID and password.

An Internet user can be permitted or denied access to the system from the Web server. The user, however, has no authority to any IBM i resources and no authority to sign on or run jobs. An IBM i user profile is never created for Internet users.

To create and delete validation lists, you can use the CL commands Create Validation List (CRTVLDL) and Delete Validation List (DLTVLDL). Application Programming Interfaces (APIs) are also provided to allow applications to add, change, remove, verify (authenticate), and find entries in a validation list.

Validation list objects are available for all applications to use. For example, if an application requires a password, the application passwords can be stored in a validation list object rather than in a database file. The application can use the validation list APIs to verify a user's password. Because the authentication information in a validation list is stored encrypted, this method is more secure than having the application store and compare the password itself.
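The create, add and verify steps above, as an added CL example (not from this page or from IBM): it creates the list with CRTVLDL, stores a user's password with the Add Validation List Entry API (QSYADVLE) and then authenticates with the Verify Validation List Entry API (QSYVFVLE). The library MYLIB, the list name WEBUSERS, CCSID 37 and the 32-byte parameter lengths are assumptions, and the program expects a CL compiler that supports %TRIMR and %LEN.

```cl
/* ADDWEBUSR - added example: store and verify an application password */
/* in a validation list. MYLIB/WEBUSERS and CCSID 37 are assumptions.  */
             PGM        PARM(&USER &PWD)
             /* CALL passes character literals padded to 32 bytes */
             DCL        VAR(&USER)    TYPE(*CHAR) LEN(32)
             DCL        VAR(&PWD)     TYPE(*CHAR) LEN(32)
             /* Qualified object name: 10-char name then 10-char library */
             DCL        VAR(&VLDL)    TYPE(*CHAR) LEN(20) +
                          VALUE('WEBUSERS  MYLIB     ')
             /* Each info block: BIN(4) length, BIN(4) CCSID, then data */
             DCL        VAR(&IDINFO)  TYPE(*CHAR) LEN(40)
             DCL        VAR(&ENCINFO) TYPE(*CHAR) LEN(40)
             DCL        VAR(&DTAINFO) TYPE(*CHAR) LEN(8)
             /* API error code: bytes provided = 16, exception ID at 9-15 */
             DCL        VAR(&ERRCDE)  TYPE(*CHAR) LEN(16)
             DCL        VAR(&LEN)     TYPE(*DEC)  LEN(5 0)

             /* Create the list once; tolerate "already exists" */
             CRTVLDL    VLDL(MYLIB/WEBUSERS) TEXT('Web application users')
             MONMSG     MSGID(CPF0000)

             /* Entry ID = user name without trailing blanks */
             CHGVAR     VAR(&LEN) VALUE(%LEN(%TRIMR(&USER)))
             CHGVAR     VAR(%BIN(&IDINFO 1 4)) VALUE(&LEN)
             CHGVAR     VAR(%BIN(&IDINFO 5 4)) VALUE(37)
             CHGVAR     VAR(%SST(&IDINFO 9 32)) VALUE(&USER)
             /* Password goes in the "data to be encrypted" block */
             CHGVAR     VAR(&LEN) VALUE(%LEN(%TRIMR(&PWD)))
             CHGVAR     VAR(%BIN(&ENCINFO 1 4)) VALUE(&LEN)
             CHGVAR     VAR(%BIN(&ENCINFO 5 4)) VALUE(37)
             CHGVAR     VAR(%SST(&ENCINFO 9 32)) VALUE(&PWD)
             /* No unencrypted entry data for this user: length 0 */
             CHGVAR     VAR(%BIN(&DTAINFO 1 4)) VALUE(0)
             CHGVAR     VAR(%BIN(&DTAINFO 5 4)) VALUE(37)

             CHGVAR     VAR(%BIN(&ERRCDE 1 4)) VALUE(16)
             CALL       PGM(QSYADVLE) PARM(&VLDL &IDINFO &ENCINFO +
                          &DTAINFO &ERRCDE)
             IF         COND(%SST(&ERRCDE 9 7) *NE ' ') THEN(DO)
                SNDPGMMSG  MSG('Add failed: ' *CAT %SST(&ERRCDE 9 7))
                RETURN
             ENDDO

             /* Authenticate: the API compares against the stored secret, */
             /* so the plaintext never needs to leave the object          */
             CHGVAR     VAR(%BIN(&ERRCDE 1 4)) VALUE(16)
             CALL       PGM(QSYVFVLE) PARM(&VLDL &IDINFO &ENCINFO &ERRCDE)
             IF         COND(%SST(&ERRCDE 9 7) *EQ ' ') +
                          THEN(SNDPGMMSG MSG('Password verified'))
             ELSE       CMD(SNDPGMMSG MSG('Verify failed: ' *CAT +
                          %SST(&ERRCDE 9 7)))
             ENDPGM
```

A non-blank exception ID in the error code marks failure; with bytes provided set to 0 instead, the APIs would signal an escape message that the program would have to MONMSG.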

You can store the authentication information in a decryptable form. If a user has the appropriate security, the authentication information can be decrypted and returned to the user.