IBM iseries i5 web server authority issue

On an IBM AS400 iSeries I am using Apache and PHP to issue system commands.  I am running into some authority issues.  If I do a "WRKJOBSCDE OUTPUT(*PRINT) PRTFMT(*FULL)" interactively using my login it works great and shows me all data.  If I do the same from within my PHP (via the Apache server) I get "CPF1630: Not authorized to job schedule entry" errors and some of the job entry information is missing from the output.  My Apache server is using username "QTMHHTTP".  Does anyone know of a way to give Apache the authority to do this and other commands without possibly sacrificing security?  Thank you!
LVL 3
richard_cristAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Gary PattersonVP Technology / Senior Consultant Commented:
Well, it not the best practice to grant a bunch of authority to QTMHHTTP.  

One alternative is to start an instance of Apache that runs under a different profile, but this can be risky, too.

A method that I prefer is to create (CL generally) programs containing the commands that you want to run, creating them with adopted authority of a profile that is authorized to run the required commands.  Grant *USE rights to QTMHHTTP to the CL programs that you create, and you are in business (securely!).

CHGOBJOWN of the CL to the user with rights to run the command and then CHGPGM USER(*OWNER) to set the program to use adopted authority.
  Alternately, compile under the user with elevated rights, and specify USER(*OWNER) on CRTCLPGM.  Some profiles are configured to set object ownership to a group profile instead if the individual profile (the group is probably what you should use anyway), so check ownership and USER parameters before testing.

- Gary Patterson
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
richard_cristAuthor Commented:
Gary,

Thank you!  I am compiling with the *OWNER option.  I will let you know tomorrow how it goes.  Thanks for all your help today!
0
richard_cristAuthor Commented:
Gary,

I am still working on it.  I have tried compiling with *OWNER as well as CHGPGM to *OWNER but I have not got it to work yet.  Probably something I am doing.  When I have time I will provide details to see if you can find what I am doing wrong.

Thank you!
0
Starting with Angular 5

Learn the essential features and functions of the popular JavaScript framework for building mobile, desktop and web applications.

Gary PattersonVP Technology / Senior Consultant Commented:
Try using CHGOBJOWN first to make sure the object is owned by the correct profile, then use CHGPGM to change to USER(*OWNER).  If you are successful DSPPGM will show OWNER .... (desired target profile) and Use Adopted Authority .... *YES.

Of course the Owner profile neds to have adequate authority to run the desired commands.

- Gary Patterson
0
richard_cristAuthor Commented:
Please accept my apology for not updating this question in a timely manner.  I have been sidetracked with other stuff at work.  I am going to try these suggestions as soon as I can.  Thank you!
0
richard_cristAuthor Commented:
Gary,

I'm going to close this question and give you the points for helping me.  I just haven't been able to work on this particular issue at work yet.  I believe your answer is correct and I just need to make it work.  Thank you for your help with this question and other in the past.   :)
0
richard_cristAuthor Commented:
Thanks for the help!   :)
0
Gary PattersonVP Technology / Senior Consultant Commented:
I'll continue to monitor the question in case you hit a snag.
0
richard_cristAuthor Commented:
Thank you!   :)
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Operating Systems

From novice to tech pro — start learning today.