Solved

IBM iseries i5 web server authority issue

Posted on 2009-07-08
9
784 Views
Last Modified: 2013-12-06
On an IBM AS400 iSeries I am using Apache and PHP to issue system commands.  I am running into some authority issues.  If I do a "WRKJOBSCDE OUTPUT(*PRINT) PRTFMT(*FULL)" interactively using my login it works great and shows me all data.  If I do the same from within my PHP (via the Apache server) I get "CPF1630: Not authorized to job schedule entry" errors and some of the job entry information is missing from the output.  My Apache server is using username "QTMHHTTP".  Does anyone know of a way to give Apache the authority to do this and other commands without possibly sacrificing security?  Thank you!
0
Comment
Question by:richard_crist
  • 6
  • 3
9 Comments
 
LVL 34

Accepted Solution

by:
Gary Patterson earned 500 total points
ID: 24809002
Well, it not the best practice to grant a bunch of authority to QTMHHTTP.  

One alternative is to start an instance of Apache that runs under a different profile, but this can be risky, too.

A method that I prefer is to create (CL generally) programs containing the commands that you want to run, creating them with adopted authority of a profile that is authorized to run the required commands.  Grant *USE rights to QTMHHTTP to the CL programs that you create, and you are in business (securely!).

CHGOBJOWN of the CL to the user with rights to run the command and then CHGPGM USER(*OWNER) to set the program to use adopted authority.
  Alternately, compile under the user with elevated rights, and specify USER(*OWNER) on CRTCLPGM.  Some profiles are configured to set object ownership to a group profile instead if the individual profile (the group is probably what you should use anyway), so check ownership and USER parameters before testing.

- Gary Patterson
0
 
LVL 3

Author Comment

by:richard_crist
ID: 24809201
Gary,

Thank you!  I am compiling with the *OWNER option.  I will let you know tomorrow how it goes.  Thanks for all your help today!
0
 
LVL 3

Author Comment

by:richard_crist
ID: 24823863
Gary,

I am still working on it.  I have tried compiling with *OWNER as well as CHGPGM to *OWNER but I have not got it to work yet.  Probably something I am doing.  When I have time I will provide details to see if you can find what I am doing wrong.

Thank you!
0
 
LVL 34

Assisted Solution

by:Gary Patterson
Gary Patterson earned 500 total points
ID: 24824611
Try using CHGOBJOWN first to make sure the object is owned by the correct profile, then use CHGPGM to change to USER(*OWNER).  If you are successful DSPPGM will show OWNER .... (desired target profile) and Use Adopted Authority .... *YES.

Of course the Owner profile neds to have adequate authority to run the desired commands.

- Gary Patterson
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 3

Author Comment

by:richard_crist
ID: 24925642
Please accept my apology for not updating this question in a timely manner.  I have been sidetracked with other stuff at work.  I am going to try these suggestions as soon as I can.  Thank you!
0
 
LVL 3

Author Comment

by:richard_crist
ID: 24979784
Gary,

I'm going to close this question and give you the points for helping me.  I just haven't been able to work on this particular issue at work yet.  I believe your answer is correct and I just need to make it work.  Thank you for your help with this question and other in the past.   :)
0
 
LVL 3

Author Closing Comment

by:richard_crist
ID: 31601348
Thanks for the help!   :)
0
 
LVL 34

Expert Comment

by:Gary Patterson
ID: 24980910
I'll continue to monitor the question in case you hit a snag.
0
 
LVL 3

Author Comment

by:richard_crist
ID: 24983788
Thank you!   :)
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
count download link and run update query 9 56
PHP get array item with custom id 4 23
Scope of $_SESSION 17 30
array_values - reorder after unset? 5 12
Sometimes a user will call me frantically, explaining that something has gone wrong and they have tried everything (read - they have messed it up more and now need someone to clean up) and it still does no good, can I help them?!  Usually the standa…
These days socially coordinated efforts have turned into a critical requirement for enterprises.
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to dynamically set the form action using jQuery.

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now