TUG: Toronto Users Group for Midrange Systems
e-server magazine

November 1997: Volume 13, Number 2


IBM's New Web Server for AS/400

By Evelyn Porter

IBM's new AS/400 Web server for Version 4 is a good news/bad news story. The good news: Version 4 Release 1 of OS/400 plugs some of the leaks in the IBM Internet Connection for OS/400 product. The bad news? If you just spent money installing a Web server on another platform because you needed some of the function missing from the AS/400 server under Version 3, you may be thinking up ways to justify that decision to your management, once they see what's included for free in V4R1.

The Holes in Version 3

Version 3 (Release 2 for CISC and Release 7 for RISC) included the first official issue of what is now known as Internet Connection for OS/400. This product, included at no charge with OS/400, let the AS/400 function as a World Wide Web server, a POP3 mail server and an anonymous FTP server. However, there were some functions missing in the Web server that are common functions in the rest of the Web industry. For instance, the Version 3 server only allowed one server instance to be active at a time. This doesn't seem like much of a problem until the day you want to have a test as well as a production server running on your system. Secure Sockets Layer (SSL) encryption was not supported on the Version 3 server, so if you wanted to be able to maintain confidentiality during a conversation between your Web server and a browser, you had to use a server like I/Net's Commerce Server/400. If you wanted to force users to enter a user name and password in order to access resources on your web server, well, you were out of luck there as well. Oh, by the way, did anyone ever manage to get their server running the first time they tried? Can you say "ERROR 403 - FORBIDDEN BY RULE"?

The new version of the Internet Connection server has solved all these problems and more. V4R1 provides multiple server instances, SSL encryption, access control, and a nice configuration interface that runs through your browser.

Figure 1: Internet Connection Server

Version 4 Features

Configuration:

The first thing you'll notice when using the Version 4 server is that you don't need the WRKHTTPCFG command any more. This command was a way to directly edit a physical file, and its line by line editing was a bit clunky. Version 4 is configured through your Web browser. There is a new server instance called ADMIN which runs at port 2001 (or 2010 for the SSL version). Pointing your browser at this port lets you choose between configuring the HTTP server, the new firewall and the IBM Network Station. Every server directive is now configured through easy to use HTML forms, with lots of help available just a mouse click away. In addition, the new AS/400 Webmaster's Guide is shipped as an HTML document that is accessible from the configuration screens.

Access Control:

The ability to control who can access resources on your Web server has been greatly improved with the addition of access control directives. In Version 3, access control was an all-or-nothing proposition - you could either let the server show a document or not, depending on how you configured your PASS directives. In Version 4, you can control which user can see which documents. You can also choose whether you want to use AS/400 user profiles to control access or if you would rather set up special user names and passwords for use only with Web server documents and directories.

SSL:

Secure Sockets Layer is an encryption method originally proposed by Netscape Communications. Both the server and the browser must support SSL in order for the session to be established. All of the current versions of the popular Web browsers like Netscape Navigator and Microsoft Internet Explorer are SSL-enabled, and now the AS/400 can support an SSL session with a client as well. When you enter an SSL session, all the traffic between your browser and the Web server is encrypted. This means that anyone who is electronically eavesdropping on your conversation can't understand what you are saying. This technology allows you to transmit sensitive information with confidence that it won't be intercepted and decoded by an unknown third party. Due to US government export controls, US companies are not permitted to export products that contain encryption keys longer than 40 bits. To comply with this requirement, IBM has two versions of the SSL server: the international version supports the 40 bit encryption key, and the domestic version for use in the US and Canada supports a 128 bit encryption key.

Figure 2: Configuration and Administration Forms

Multiple Server Instances, Multihoming and Certificate Generation

With the Version 4 Web server, you have the ability to run more than one copy of the Web server on the same system - something that was not possible under Version 3. This function is needed to support SSL, since the secure server runs as a separate instance. Not all your pages need to be secured; you can secure only those documents that need to remain private, and transmit the non-confidential material without encrypting it. It is a good practice to do this because it takes longer to transmit an encrypted page. The browser and the server first have to perform some session negotiations, called an SSL handshake, during which they agree on what key values will be used to encrypt this session. Using multiple server instances, you can combine secure and non-secure documents on the same AS/400 web server. You can also set up a test environment to run along with your production Web pages, or you can run multiple host names on the same AS/400. This means that if you do business under several different company names, you can have a web page set up for each of them and users don't need to know that they are all running on the same system.

Every SSL server needs a certificate before it can participate in an encrypted conversation with a browser. The certificate is like an electronic "seal of approval". It is issued by a third party that the browser trusts and certifies the identity of the server. The purpose of the certificate is to prevent unscrupulous individuals from setting up a server with your address or domain name, claiming to be you, and receiving all the confidential transmissions intended for your site. Netscape Navigator and Microsoft Internet Explorer are pre-configured with the names of trusted certifying authorities, so that when you obtain and install a certificate from one of them (such as Verisign), the browser can establish a secure session. When you are testing your setup, or if you want to set up an Intranet, you may not want to pay the fee required to obtain a certificate from one of these certifying authorities.

Version 4 lets the AS/400 act as a certifying authority. This function lets you create a certificate for use within your own company so that you can test your SSL setup or run secure sessions on your Intranet.
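The trust relationship described above, reproduced with the openssl command-line tool rather than the AS/400's own certificate function. This is an added example, not part of the original article; the organisation name, CA names and host names are constructed placeholders. It shows that a certificate from an in-house CA is accepted only by clients that have that CA installed, and only for the host name it was issued to.

```shell
#!/bin/sh
# Added example: in-house CA for intranet SSL (all names are constructed).
set -eu

make_ca() {   # $1 = output file prefix, $2 = CA common name
    cat > "$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Corp
CN = $2
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Self-signed root: this is the certificate clients must install.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1.cnf" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

issue_cert() {   # $1 = CA prefix, $2 = server prefix, $3 = server host name
    openssl req -new -newkey rsa:2048 -nodes -config "$1.cnf" -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$3" > "$2.ext"
    # The CA signs the request; the server key never leaves the server.
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 30 -extfile "$2.ext" -out "$2.crt" 2>/dev/null
}

client_accepts() {   # $1 = CA cert the client trusts, $2 = host dialled, $3 = server cert
    openssl verify -CAfile "$1" -verify_hostname "$2" "$3" >/dev/null 2>&1
}

check() { if client_accepts "$@"; then echo accepted; else echo rejected; fi; }

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
make_ca "$work/inhouse" "Example Intranet CA"
make_ca "$work/other" "Unrelated CA"   # stands in for a client without the in-house CA
issue_cert "$work/inhouse" "$work/web" as400.intranet.example

echo "in-house CA installed:      $(check "$work/inhouse.crt" as400.intranet.example "$work/web.crt")"
echo "in-house CA not installed:  $(check "$work/other.crt" as400.intranet.example "$work/web.crt")"
echo "cert reused on another host: $(check "$work/inhouse.crt" payroll.intranet.example "$work/web.crt")"
```

Browsers on the intranet show a warning for such a certificate until the in-house CA certificate has been installed on them.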

Getting Started

The Version 4 ADMIN server instance is shipped already configured and ready to go. You won't face a frustrating 403-FORBIDDEN BY RULE when you access the ADMIN server, but instead will be guided through the process of setting up and configuring your own server. If you have an existing HTTP configuration, you can migrate that to the new system.