i5/OS has a built in packet filter firewall -- you configure this with 
Ops. Navigator. It is quite effective. You should ensure that only the 
required ports are open to the outside world. You can also restrict 
connections to a limited number of IP addresses.
To be absolutely certain about your security, you should install 
additional security based on exit programs. There are several of these 
on the market place, indeed we market Fortress/400 ourselves. Check the 
internet for OS/400 exit program security.
Now you need to secure your web pages. There are several ways of 
achieving this. The obvious involves digital certificates, but I guess 
the most important bit is that all users have logged on to the system. 
With web applications, users do not need to have an i5/OS user profile, 
instead, "virtual" user profiles can be implemented using a file 
containing the userID/password combination. When you know who has logged 
on to the system, you can then display pages appropriate for that user.
Each web conversation should have a "session". In the session you can 
store information related to the conversation in question, including 
whether or not the user is logged on. You create your own log on display.
Creating the control software just to handle user security, determine 
who is authorised to which feature, etc. is time consuming. I use 
IceBreak (see www.icebreak.org) which simplifies this process 
considerably, primarily because of the built in session management, web 
exit program security (different to that mentioned above), and built in 
SQL features. This saves a lot of time and effort, and significantly 
reduces development costs.
I use RPGLE on the i5 with JavaScript (ExtJs -- see www.extjs.com) on 
the client. I have software that will do most of what you require. It is 
a work in progress and is not documented, however, if you are interested 
I can provide you with a copy of the code. It will only run with 
IceBreak - it won't work with Apache because it relies heavily on 
IceBreak features that don't exist in Apache. If you are interested let 
me know.
Regards
Syd Nicholson
elehti@xxxxxxxxxxxxxxxxxx wrote:
My question to all of you who have public-facing, web-enabled IBM I
machines running your core applications. 
How do you secure this machine against possible hacking attempts from
outsiders?
If your website has web apps like self-service for your customers and
suppliers, allowing people to view/change data that resides on your
system, how do you protect your machine?
Or do you keep your system off the internet, and web-enable a secondary
file-server machine instead?
I am aware that thousands of banks and credit unions running their
[censored] core banking applications on the IBM I use a "middleware web
server" that acts as a conduit between the bank customer web page and
the System I, thus enabling banking customers to transact their banking
business without needing a different IBM user profile for each bank
customer.  The RPGIV programs running on the System I send and receive
customer-specific information via data queues out to the middleware web
server.
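The reply above describes the pattern of "virtual" web users who are not i5/OS profiles: credentials kept in an application file, one session per web conversation recording whether the user is logged on, and pages shown according to who that user is. The following is an added illustration of that flow, not code from the thread, from IceBreak or from Fortress/400, and it is written in Python rather than the RPGLE the author uses so the logic is easy to follow and run anywhere. Two choices go beyond what the message states and are assumptions of this example: passwords are stored as salted PBKDF2 hashes rather than in the clear, and the session id is rotated on successful log on and expires after an idle period. All user ids, passwords and feature names are constructed sample data.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 100_000   # assumption: tune upward for your hardware
SESSION_TTL_SECONDS = 900     # assumption: idle sessions expire after 15 minutes


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def build_user_file(entries):
    """Build the in-memory 'virtual user' file from (user_id, password, features) tuples."""
    users = {}
    for user_id, password, features in entries:
        salt, digest = hash_password(password)
        users[user_id] = {"salt": salt, "hash": digest, "features": frozenset(features)}
    return users


class SessionStore:
    """One record per web conversation; records who (if anyone) is logged on."""

    def __init__(self, clock=time.monotonic):
        self._sessions = {}
        self._clock = clock   # injectable so expiry can be tested deterministically

    def _new_record(self, user):
        return {"user": user, "logged_on": user is not None,
                "expires": self._clock() + SESSION_TTL_SECONDS}

    def create(self):
        """Start an anonymous session and return its id (what the cookie would carry)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = self._new_record(user=None)
        return sid

    def get(self, sid):
        """Return the live session record, or None if unknown or expired."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if self._clock() > rec["expires"]:
            del self._sessions[sid]          # expired: forget it
            return None
        rec["expires"] = self._clock() + SESSION_TTL_SECONDS   # sliding expiry
        return rec

    def login(self, sid, user_id, password, users):
        """Verify credentials against the virtual user file.

        On success the session id is rotated (so an id handed to the browser
        before log on cannot be reused) and the new id is returned; on any
        failure None is returned and the anonymous session stays as it was.
        """
        if self.get(sid) is None:
            return None
        user = users.get(user_id)
        # Hash against a dummy salt when the user is unknown so response time
        # does not reveal which user ids exist.
        salt = user["salt"] if user else bytes(16)
        _, digest = hash_password(password, salt)
        if user is None or not hmac.compare_digest(digest, user["hash"]):
            return None
        del self._sessions[sid]
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = self._new_record(user=user_id)
        return new_sid

    def logout(self, sid):
        self._sessions.pop(sid, None)

    def authorised(self, sid, feature, users):
        """Is this session logged on as a user who is allowed the given feature?"""
        rec = self.get(sid)
        if rec is None or not rec["logged_on"]:
            return False
        return feature in users[rec["user"]]["features"]


def demo():
    """Walk one web conversation through log on, page checks and expiry."""
    users = build_user_file([          # constructed sample data
        ("cust001", "correct horse", {"view_balance", "change_address"}),
        ("supp042", "battery staple", {"view_orders"}),
    ])
    now = [0.0]
    store = SessionStore(clock=lambda: now[0])
    sid = store.create()
    r = {}
    r["anon_denied"] = not store.authorised(sid, "view_balance", users)
    r["bad_password"] = store.login(sid, "cust001", "wrong", users) is None
    r["unknown_user"] = store.login(sid, "nobody", "x", users) is None
    new_sid = store.login(sid, "cust001", "correct horse", users)
    r["rotated"] = new_sid is not None and new_sid != sid
    r["old_id_dead"] = store.get(sid) is None
    r["own_feature"] = store.authorised(new_sid, "view_balance", users)
    r["other_feature"] = not store.authorised(new_sid, "view_orders", users)
    now[0] += SESSION_TTL_SECONDS + 1
    r["expired"] = not store.authorised(new_sid, "view_balance", users)
    return r


if __name__ == "__main__":
    print(demo())
```

The per-page check is the last step: a page handler asks `authorised(sid, feature, users)` before rendering, so an anonymous session, a session for a different customer, or an expired one all fall through to the log on display. Keeping the session record server-side means the browser only ever holds an opaque id, never the user id or the logged-on flag.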