Maintaining Security

When you set up WebDocs, WebDocs' own security model - users, groups, folders, Document Types, and permissions - controls which documents users can access through the web interface.

Best Practices: To make sure that the WebDocs security model stays secure, remember that this model is only internal to WebDocs. WebDocs itself resides on the operating system, so you also need to make sure that the operating system is secure.

Make sure that all of the following are secure:

  • The IFS: WebDocs documents are stored on the IFS. On many systems, the IFS is not secured by default. To maintain document security, check the security settings for the IFS. There are two levels at which you may need to secure the IFS:

    • Local: Restrict object access so that only the iSeries users who need access to the local IFS have it. Only the following iSeries users need *RWX authority to the IFS: QTMHHTTP, QTMHHTTP1, any dedicated user you have set up for WebDocs client applications (for example: RJSUSER), and any iSeries users associated with WebDocs users who are checking in and checking out documents.
    • Remote: If you are using NFS shares, the folder you mount the share to needs to have public *RWX authority. If this folder is directly under ROOT, users will have access to all of that directory's contents. To avoid this risk, create a parent folder in which to mount the share, so you can restrict user access to the items within the share.
  • The RJSIMAGE library: All the metadata for WebDocs is stored in this library. Make sure that only iSeries users who need access to this library have it. Only the following iSeries users need *RWX authority to this library: QTMHHTTP, QTMHHTTP1, any dedicated user you have set up for WebDocs client applications (for example: RJSUSER), and any iSeries users associated with WebDocs users who are checking in and checking out documents.
  • The Apache Server: WebDocs uses the Apache web server. Secure the Apache server in the following ways:

    • Use HTTPS to encrypt traffic to and from the Apache server. HTTPS requires an SSL certificate; without one that browsers trust, your users will receive warning messages (false positives) on every visit. Providing an SSL certificate requires you to purchase software. Your organization needs to discuss:

      1. Do you already have a way to provide SSL certificates that you can use?
      2. If not, are you willing to purchase one?
      3. If not, are you willing to receive false-positive warning messages?
      4. If not, you cannot use HTTPS. If you choose this option, be aware that all WebDocs traffic will pass over the network unencrypted.
    • Limit which programs can be accessed from the website. Put the following Apache directives in the WebDocs HTTP configuration file (httpd.conf) so that the website can only reach the programs it needs (the 6 ScriptAliasMatch lines for the CGI programs DOC100R-DOC106R):

# Listen only on the WebDocs port
Listen *:1080

DocumentRoot /www/WEBDOCS/htdocs

# Server-wide: no CGI execution, no symbolic links, no server-side includes, no directory listings
Options -ExecCGI -FollowSymLinks -SymLinksIfOwnerMatch -Includes -Indexes -MultiViews

# Log formats; "combined" is the name referenced by the CustomLog directive below
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{Cookie}n \"%r\" %t" cookie
LogFormat "%{User-agent}i" agent
LogFormat "%{Referer}i -> %U" referer
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog logs/access_log combined
# Log maintenance (IBM i HTTP Server directive): keep 7 days of access and error logs
LogMaint logs/access_log 7 0
LogMaint logs/error_log 7 0

# Deny requests for any file
<Directory />
 order deny,allow
 deny from all
</Directory>

# Allow requests for files in document root
<Directory /www/WEBDOCS/htdocs>
 order allow,deny
 allow from all
</Directory>

# Map URLs to the six WebDocs CGI programs; only these programs have a URL mapping
ScriptAliasMatch ^/IMAGESERVER/DOC100R /QSYS.LIB/RJSIMAGE.LIB/DOC100R.PGM
ScriptAliasMatch ^/IMAGESERVER/DOC101R /QSYS.LIB/RJSIMAGE.LIB/DOC101R.PGM
ScriptAliasMatch ^/IMAGESERVER/DOC102R /QSYS.LIB/RJSIMAGE.LIB/DOC102R.PGM
ScriptAliasMatch ^/IMAGESERVER/DOC103R /QSYS.LIB/RJSIMAGE.LIB/DOC103R.PGM
ScriptAliasMatch ^/IMAGESERVER/DOC104R /QSYS.LIB/RJSIMAGE.LIB/DOC104R.PGM
ScriptAliasMatch ^/IMAGESERVER/DOC106R /QSYS.LIB/RJSIMAGE.LIB/DOC106R.PGM

# Re-enable CGI execution only for the mapped programs in the RJSIMAGE library
<Directory /QSYS.LIB/RJSIMAGE.LIB/>
 SetHandler cgi-script
 Options +ExecCGI
 order allow,deny
 allow from all
 CgiConvMode %%EBCDIC/MIXED%%
</Directory>
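The IFS and RJSIMAGE authority settings from the "Local", "Remote" and "RJSIMAGE library" items above, worked through as IBM i CL commands. This is an added example, not from the WebDocs documentation: the document root path /webdocs/documents, the parent folder /webdocs/nfs, the NFS server name nfsserver and its export path are assumptions for illustration, and RJSUSER is the page's own example name for a dedicated client-application profile.

```cl
/* Added example (not from the WebDocs documentation). Assumed paths:        */
/*   /webdocs/documents  - local IFS folder holding WebDocs documents         */
/*   /webdocs/nfs        - parent folder that shields the NFS mount point     */
/*   nfsserver:/export/webdocs - NFS export holding remote documents          */

/* 1. Local IFS. Weak but common default: *PUBLIC holds *RWX, so every user  */
/*    on the system can read and change documents:                           */
/*      CHGAUT OBJ('/webdocs/documents') USER(*PUBLIC) DTAAUT(*RWX) +        */
/*             OBJAUT(*NONE)                                                 */
/*    Corrected: exclude *PUBLIC, then grant *RWX only to the profiles the   */
/*    page lists. SUBTREE(*ALL) applies the change to existing contents.     */
CHGAUT OBJ('/webdocs/documents') USER(*PUBLIC)   DTAAUT(*EXCLUDE) +
       OBJAUT(*NONE) SUBTREE(*ALL)
CHGAUT OBJ('/webdocs/documents') USER(QTMHHTTP)  DTAAUT(*RWX) +
       OBJAUT(*NONE) SUBTREE(*ALL)
CHGAUT OBJ('/webdocs/documents') USER(QTMHHTTP1) DTAAUT(*RWX) +
       OBJAUT(*NONE) SUBTREE(*ALL)
CHGAUT OBJ('/webdocs/documents') USER(RJSUSER)   DTAAUT(*RWX) +
       OBJAUT(*NONE) SUBTREE(*ALL)
/* Repeat the last command for each iSeries profile tied to a WebDocs user   */
/* who checks documents in and out.                                          */

/* 2. RJSIMAGE library (WebDocs metadata): same principle, addressed through */
/*    its /QSYS.LIB path so the same DTAAUT(*RWX) wording applies.           */
CHGAUT OBJ('/QSYS.LIB/RJSIMAGE.LIB') USER(*PUBLIC)   DTAAUT(*EXCLUDE) +
       OBJAUT(*NONE)
CHGAUT OBJ('/QSYS.LIB/RJSIMAGE.LIB') USER(QTMHHTTP)  DTAAUT(*RWX) +
       OBJAUT(*NONE)
CHGAUT OBJ('/QSYS.LIB/RJSIMAGE.LIB') USER(QTMHHTTP1) DTAAUT(*RWX) +
       OBJAUT(*NONE)
CHGAUT OBJ('/QSYS.LIB/RJSIMAGE.LIB') USER(RJSUSER)   DTAAUT(*RWX) +
       OBJAUT(*NONE)

/* 3. Remote IFS (NFS). The mount point itself must be public *RWX, so put  */
/*    it under a parent folder that *PUBLIC cannot enter instead of directly */
/*    under root; only profiles granted authority on the parent reach it.    */
MKDIR DIR('/webdocs/nfs')       DTAAUT(*EXCLUDE) OBJAUT(*NONE)
CHGAUT OBJ('/webdocs/nfs') USER(QTMHHTTP)  DTAAUT(*RX) OBJAUT(*NONE)
CHGAUT OBJ('/webdocs/nfs') USER(QTMHHTTP1) DTAAUT(*RX) OBJAUT(*NONE)
CHGAUT OBJ('/webdocs/nfs') USER(RJSUSER)   DTAAUT(*RX) OBJAUT(*NONE)
MKDIR DIR('/webdocs/nfs/share') DTAAUT(*RWX)     OBJAUT(*NONE)
MOUNT TYPE(*NFS) MFS('nfsserver:/export/webdocs') +
      MNTOVRDIR('/webdocs/nfs/share')

/* 4. Verify: *PUBLIC should show *EXCLUDE and only the listed profiles      */
/*    should hold *RWX (or *RX on the parent folder).                        */
DSPAUT OBJ('/webdocs/documents')
DSPAUT OBJ('/QSYS.LIB/RJSIMAGE.LIB')
DSPAUT OBJ('/webdocs/nfs')
```

The parent folder receives *RX rather than *RWX because the listed profiles only need to traverse it to reach the mount point; write authority is needed on the share itself, not on its parent. Run the DSPAUT commands again after any restore or migration, since those operations can bring *PUBLIC authority back to its previous value.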


Copyright © HelpSystems, LLC.
All trademarks and registered trademarks are the property of their respective owners.
4.0 | 201802260747 | February, 2018