i5_connect and security

General discussion on Zend Server for IBM System i

i5_connect and security

Postby pet09983 on Fri Mar 03, 2017 8:36 pm

hi guys,

i'm trying to make a little 'monitoring' webpage so i can see the current work in progress in our Distribution Center :
not really a big deal and the main idea is :
1. login with ibm-i-username and password
2a. monitor the progress in picking, scanning shipping dock, ... (the usual distrubution center stuff)
2b. write some logging every time this page is viewed

in step 2a i'll use some i5_commands (i5_program) to retrieve the data from our ibm i
in step 2b i want to log (in our DB2-database) that a request of data has been made

the i5_program will be a simple RPG-program that returns me the necessary data to show on the php-page (stap 2a)
in that i5_program i want also use the 'current user' (from the program-datastructure) to write the logging (step 2b)
so i want to avoid that the 'user' is passed as a parameter

regarding to these requirements i'll need to connect with "i5_connect" using an appropriate username and password that matches a valid userprofile on ibm i
so i can't connect to the ibm i/database with a "generic user and password" ... i hope this logic is all clear for u

but now i have an issue with the username and (specially) the password i need to pass to the i5_connect
both have to be passed in 'plain text' and that bothers me because it might cause a security issue

i guess there is no way to pass the password as a md5-encrypted password and let i5_connect know (using an option-parameter) that the password is md5-encrypted
however ... maybe it would be a great opportunity (without security-issues) if that might be possible in i5_connect

if that md5-encryption is not possible, i need to store the password somewhere on the system to pass it for every i5_connect i want to do
that password need to be stored as :

1. in plain text OR encrypted
2. as a cookie, in the database (and retrieve it with a generic user), in the file system, ...

in a security perspective, i guess that it must be stored encrypted without discussion
so i need a good/safe decryption-algorithm to convert back the encrypted password back to a plain password
only that way i can pass it to the i5_connect

nevertheless ... there is a point in the program where i can see/retrieve the password of every user that wants to connect
so also the password of the CEO won't be safe anymore doing this
if someone can access the 'logic' of the i5_connect-routine it might be easy to get the password

i guess i won't be the only one who has this problem
so my final question would be : how do u solve this at your company ?
or is there something i miss in the (php-)logic to make the connection ?

maybe i'm too anxious and there won't be a problem at all but if there is a real safe solution, that would be the answer to my doubts
thanks for your answers and willingness to discuss about this

pet0etie/pascal
pet09983
 
Posts: 1
Joined: Thu Mar 02, 2017 5:19 pm

Re: i5_connect and security

Postby sam3047 on Tue Mar 07, 2017 9:56 am

You would need to setup SSL access in HTTP web server in your IBMi machine (https://your_ibmi_server:10088). This way all the data that passed from browser to IBMi server is going to be encrypted.
sam3047
 
Posts: 8
Joined: Wed Nov 02, 2016 9:27 am


Return to Zend Server for IBM i

Who is online

Users browsing this forum: No registered users and 1 guest