Security considerations
Securing your PHP applications on i5/OS requires some changes to the default environment. This section discusses some of the different areas you should scrutinize to ensure that your business applications that are written in PHP are secure.
Of course, there are many aspects to successfully securing data and applications on any platform, including i5/OS. The IBM Redbook IBM System i Security Guide for IBM i5/OS Version 5 Release 4, SG24-6668, is an excellent overall guide to help implement security on i5/OS:
http://www.redbooks.ibm.com/abstracts/sg246668.html?Open
SSL configuration
SSL (secure sockets layer) encrypts the data exchanged between your Web server and the user's browser. This makes it extremely difficult, if not impossible, for a third party to intercept the data stream and extract valuable information as it passes through the Internet. Encryption alone does not tell you who is on the other end, so you must also ensure that proper authentication and authorization are in place to control who can access which parts of your Web server.
The main twist with using SSL together with Zend Core for i5/OS is that the SSL configuration must be done on the Apache server (called "zendcore") running in i5/OS. You cannot configure the "inner" Apache server (which runs in PASE for i5/OS) to do the SSL work.
For detailed information about configuring SSL on i5/OS, see IBM HTTP Server (powered by Apache): An Integrated Solution for IBM eSeries iSeries Servers, SG24-6716, available at:
http://www.redbooks.ibm.com/abstracts/sg246716.html?Open
Access to directory structure
Several directories are created when Zend Core for i5/OS installs:
We now discuss some of the important files in these directories that you should consider "locking down."
Configuration files
The main PHP configuration file (php.ini) is located in the directory /usr/local/Zend/Core/etc. This file (and all others in this directory) can be edited by any user. You should modify the access authorities so that only designated administrators can change these files.
The same is true for the internal Apache server: Its configuration file (httpd.conf) is located in the directory /usr/local/Zend/apache2/conf.
The external Apache server configuration file (httpd.conf) is located in the /www/zendcore/conf directory. By default, *PUBLIC does not have write authority to this file.
PHP source files
By default, Zend Core for i5/OS has its document root at /www/zendcore/htdocs. All users have full access to every file in this directory; thus, by default any i5/OS user can create content that the PHP server will serve, and can modify any existing script under this directory. It is very important that you change the default security attributes for this directory and for all directories and files contained within it.
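The directories named above (the PHP and inner Apache configuration directories and the document root) are the ones to audit first. The following POSIX shell script is an added example, not from this Redbook or from Zend; it finds every file or directory under those paths whose mode grants write access to "other" (the bit that lets any user, that is *PUBLIC, modify the object through the IFS) and prints the PASE chmod command that would close each one. The directory list assumes the default installation paths quoted on this page, and the report format is the script's own.

```shell
#!/bin/sh
# Added example (not part of the Redbook): audit the Zend Core for i5/OS
# directories for entries that any user can write to, and print the chmod
# commands that would remove the "other" write bit. Run from PASE or QSH.
# Usage: sh zend_perm_audit.sh run

# Default Zend Core paths named on this page (assumption: default install).
ZEND_DIRS="/usr/local/Zend/Core/etc /usr/local/Zend/apache2/conf /www/zendcore/htdocs"

# count_world_writable DIR
# Prints the number of entries under DIR whose mode has the "other" write bit
# (octal 002) set. Octal -perm is used because it is portable to AIX/PASE find.
count_world_writable() {
    find "$1" -perm -002 2>/dev/null | wc -l | tr -d ' '
}

# audit_tree DIR
# Returns 0 when nothing under DIR is writable by other users, 1 otherwise.
# For each offending entry it prints the chmod that would fix it (it does not
# change anything itself; review the list, then run the commands).
audit_tree() {
    n=$(count_world_writable "$1")
    if [ "$n" -eq 0 ]; then
        echo "OK   $1: no entries writable by *PUBLIC"
        return 0
    fi
    echo "WARN $1: $n entries writable by *PUBLIC"
    # while-read keeps paths containing spaces intact
    find "$1" -perm -002 2>/dev/null | while IFS= read -r f; do
        if [ -d "$f" ]; then
            echo "  chmod o-w '$f'    # directory: any user can add or remove files"
        else
            echo "  chmod o-w '$f'    # file: any user can change its contents"
        fi
    done
    return 1
}

# audit_all
# Audits every directory in ZEND_DIRS; returns 1 if any of them had findings.
audit_all() {
    rc=0
    for d in $ZEND_DIRS; do
        if [ ! -d "$d" ]; then
            echo "SKIP $d: not found"
            continue
        fi
        audit_tree "$d" || rc=1
    done
    return $rc
}

case "${1:-}" in
    run) audit_all ;;
esac
```

Removing the "other" write bit is the minimum; the web server job (which runs as NOBODY) only needs to read scripts, so a tighter target for the document root is read/execute for *PUBLIC and write only for the group that deploys code. The same result can be achieved from a CL command line with CHGAUT, for example CHGAUT OBJ('/www/zendcore/htdocs') USER(*PUBLIC) DTAAUT(*RX) OBJAUT(*NONE) SUBTREE(*ALL), which also covers existing subdirectories.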
Reverse proxy
There are two key reasons for using a proxy HTTP server:
- The first reason is to improve performance.
A proxy server is commonly used to pre-cache static Web pages into memory at the time the server starts. This allows the pages to be sent to the requesting client without having to retrieve the content from the file system.
The second way performance can be improved is by having one proxy server forward requests to a number of other HTTP servers, each configured to serve a given set of Web pages or Web applications. This balances the load of many requests across a number of internal servers.
- The second feature of a proxy server is to improve security.
By using a proxy server, you can control access outside your firewall and Demilitarized Zone (DMZ). This enables you to keep a production-level server inside your secured internal network. It also lets you hide internal servers completely from the requesting clients so they cannot know a server's name, IP address, and so forth. You can also use a proxy server to log activity and prevent denial of service attacks.
To clarify what a "reverse" proxy is: A reverse proxy accepts requests from the client and forwards them onto another server, receives the response from that other server, and returns the results to the client. The reverse proxy is the only server the client interfaces with.
ZENDCORE server instance
As discussed in Chapter 3, "Administration", a full instance of the IBM HTTP Server for i5/OS (called ZENDCORE) is installed by default by the Zend Core for i5/OS installation process. It listens on port 89, and forwards requests to the internal Apache server (which is running in PASE for i5/OS) on port 8000.
However, because these two HTTP servers are running on the same hardware platform, we do not achieve any of the security benefits (mainly a DMZ) that often are associated with a reverse proxy configuration. Therefore we strongly advise you to create a full DMZ as described in IBM HTTP Server (powered by Apache): An Integrated Solution for IBM eSeries iSeries Servers, SG24-6716. It is available at:
http://www.redbooks.ibm.com/abstracts/sg246716.html?Open
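Because the client should interface only with the ZENDCORE proxy, it is worth confirming that the inner PASE Apache on port 8000 is not reachable directly from other hosts. The following POSIX shell script is an added example, not from this Redbook or from Zend: it reads the outer and inner httpd.conf files and checks that every ProxyPass target points at loopback port 8000 and that every Listen directive of the inner server binds a loopback address rather than all interfaces. The loopback requirement is this script's own hardening assumption; the page states only the two port numbers, and the configuration file paths assumed are the defaults quoted above.

```shell
#!/bin/sh
# Added example (not part of the Redbook): lint the ZENDCORE reverse proxy
# chain so that the inner Apache (port 8000) stays private to the local host.
# Usage: sh zend_proxy_check.sh run   (override OUTER_CONF / INNER_CONF to test)

OUTER_CONF="${OUTER_CONF:-/www/zendcore/conf/httpd.conf}"
INNER_CONF="${INNER_CONF:-/usr/local/Zend/apache2/conf/httpd.conf}"

# is_loopback HOST[:PORT]
# Returns 0 when the host part is a loopback name or address.
is_loopback() {
    case "$1" in
        127.0.0.1|127.0.0.1:*|localhost|localhost:*) return 0 ;;
        *) return 1 ;;
    esac
}

# directive_values CONF NAME
# Prints the first argument of every uncommented NAME directive in CONF.
directive_values() {
    sed -e 's/#.*//' "$1" | awk -v name="$2" '$1==name {print $3=="" ? $2 : $3}'
}

# check_outer CONF
# Every ProxyPass target must be http://loopback:8000/...; returns 1 otherwise.
check_outer() {
    rc=0
    targets=$(sed -e 's/#.*//' "$1" | awk '$1=="ProxyPass" {print $3}')
    if [ -z "$targets" ]; then
        echo "FAIL outer: no ProxyPass directive found in $1"
        return 1
    fi
    for t in $targets; do
        hp=${t#*://}      # drop the scheme
        hp=${hp%%/*}      # keep host:port only
        if is_loopback "$hp" && [ "${hp##*:}" = "8000" ]; then
            echo "OK   outer: ProxyPass -> $t"
        else
            echo "FAIL outer: ProxyPass -> $t (expected a loopback address on port 8000)"
            rc=1
        fi
    done
    return $rc
}

# check_inner CONF
# Every Listen must name a loopback address; a bare port ("8000") or "*:8000"
# binds every interface and exposes the inner server to the network.
check_inner() {
    rc=0
    listens=$(sed -e 's/#.*//' "$1" | awk '$1=="Listen" {print $2}')
    if [ -z "$listens" ]; then
        echo "FAIL inner: no Listen directive found in $1"
        return 1
    fi
    for l in $listens; do
        if is_loopback "$l"; then
            echo "OK   inner: Listen $l"
        else
            echo "FAIL inner: Listen $l is reachable from other hosts"
            rc=1
        fi
    done
    return $rc
}

# check_chain OUTER_CONF INNER_CONF -> 0 only when both checks pass
check_chain() {
    rc=0
    check_outer "$1" || rc=1
    check_inner "$2" || rc=1
    return $rc
}

case "${1:-}" in
    run) check_chain "$OUTER_CONF" "$INNER_CONF" ;;
esac
```

A passing result here only shows that the inner server is not directly addressable; as the text above notes, both servers still share one machine, so this check complements, rather than replaces, placing the ZENDCORE proxy in a real DMZ.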
User profiles
As outlined in Chapter 3, "Administration", a user profile called NOBODY is created by the Zend Core for i5/OS installation procedure. All PHP jobs run under this user profile, and it is not possible to specify that any given incoming request be executed under any other user profile.
When using the ibm_db2 driver and the Toolkit to access i5/OS data and resources, you can specify that the connection is made with a specific user profile. If no user ID and password are provided, the connection is made using the NOBODY profile. If a user ID and password are provided, then the operations that are specified for that connection (for example, running an SQL query or executing an i5/OS program) are executed under the specified user profile. Access to i5/OS objects follows the normal i5/OS object security rules.
Basic authentication
See 03-03-01 Basic Authentication Example for an example of how basic HTTP authentication can be added to your configuration.
More information
Visit these Web sites for more information about security considerations.
The following site describes Web security in general:
http://www.w3.org/Security/Faq/
This information is specific to PHP:
http://www.php.net/manual/en/security.php