Category Archives: Security

May 16

Pagination now added to log viewer

Posted on by

One of the tasks we left out in the initial release of the PHP Interface of FTP Guard4i was the ability to set the page size when viewing the log entries. What we wanted to do was allow the number of log records displayed to be preset by the user, this would allow the retrieval of records to the page to be carried out a lot quicker than if all of the records were to be displayed. As part of this exercise we also decided to add a search button for data stored in certain columns of the database, this would allow you to say filter the records based on a certain object or on a certain user etc. and still provide a paged output.

The following is a sample screen where the sort parameter is the date and time column, because we provided the sort capability we do not need a search capability as well so no search box is displayed.

Paged Log View

Paged Log View

Here is a sample screen showing the sort column being the Object information and the search value was QSYS.

Paged View with Search

Paged View with Search

We are constantly looking at ways to add new features and functionality to the FTP Guard4i product, if you have any questions or would like to see a demo please let us know.

Chris…

May 06

FTP Guard4i is available for download

Posted on by

FTP Guard4i is now completed and available for download. We have placed the manuals online as well as the objects required to install the product. You will need to sign in as a member to download the objects and once installed you will need a key to allow the product to function. The PHP interface is available and requires the Easycom i5_toolkit functions to allow connectivity to the IBM i. We have not tested it with the Zend Free toolkit at this time and would need to make some additional changes due to the lack of support for some objects. If this is needed we can work with you to make those changes.

FTP Security is something we have been looking at for a long time, our initial requirement was highlighted because of the access to the source code for our products by the developers. We needed to give them access to the code to allow them to carry out their activities but we did not want them to be able to copy the code to other systems. The original product we created also provided an FTP Client so we could make the object transfer a lot easier than the FTP Client provided by the OS but this release only provides the security aspects required.

As part of the rewrite we have made a number of improvements in the methods we used to control the access particularly around the accept and reject IP addresses set for individual users. This allows you to set a range of IP addresses a user can connect to and from in the same manner as you can set the connection accept and reject addresses. We have also changed the logging to a Database file which allows us to add much more meaningful data about the activities carried out. While the clean up routines we have provided only allow the log to be cleared, using standard SQL against the file will provide a lot more granular entry removal.

FTP Security is an area most IBM i shops ignore because they believe the IBM i is naturally more secure than other platforms, that is not true and as we see more and more IBM i systems being linked to a wider audience we could see more intrusions being logged. FTP Guard4i also has a very comprehensive logging feature so you can now see who connects to your server and what they did while they were connected.

If you need more information about FTP Guard4i or would like to see a working demo please let us know using the demo request forms on the website.

Chris…

Apr 29

FTP Guard4i interfaces completed

Posted on by

We have finished the PHP interfaces for FTP Guard4i. The 5250 interfaces are going to remain pretty much the same due to the limitations set by UIM (80 columns does not fit all of the data) but we hope to eventually add some new screens once we work out what makes sense. The PHP interface uses the i5_toolkit functions to extract the data from the IBM i, this allows us to run the Apache server on a separate server which is better suited to running an Apache web server than the IBM i. We also have the same processes running under iAMP on the IBM i for testing and demonstration purposes if you wish to see a total IBM i implementation.

Here is a quick overview of the pages and the data that they show.

1. FTP Guard4i Status screen

FTP Guard4i Status

FTP Guard4i Status

The list of users who are connected to the FTP server is a new feature which is only available in the PHP interface for the initial release due to the limitations imposed by the UIM (5250) screens. We did some testing with multiple users to see exactly what users were logged in and when which provided some interesting results.
The FTP Server is the job which is listening on port 21, the SSHD Server is the job which is listening on port 22. The log writer is the job which processes all of the request events which have been created as a result of user connections, this data is stored independently so even if the log writer is not running the events will be recorded waiting for the log writer to be started. We have also listed the exit points which have been correctly registered for FTP Guard4i, if any of these exit points are inactive no FTP activity will be logged until they are reset and the FTP Server restarted.

2. FTP Guard4i Server Users

FTP Guard4i Server Users

FTP Guard4i Server Users

Access to the FTP Server can be limited in many ways, the above image shows all of the configuration aspects of the users who are allowed to access the FTP Server and what limitations if any are set for that user. You can directly control all aspects of the FTP Server activity for a particular user such as when the can connect and where from, you can determine if they can move around the library/directory structure or if they are jailed to a specific one. If a user tries to connect to a directory/library which they are not allowed they will automatically be connected to the default directory/library. The list format and Name format are set regardless of the actual FTP Server settings.

3. FTP Guard4i Client settings

FTP Guard4i Client Users

FTP Guard4i Client Users

The FTP Client which is available on the IBM i is generally open to all users, this can be a major security exposure as a user with sufficient access can link a FTP Server to the system (a PC running FileZilla Server or similar) and transfer objects off to the PC without any trace. With FTP Guard4i all FTP activity is logged and can be reviewed to see what users did when using the services. The controls provided can limit the target Server (IP Address) and what activities the user can carry out, including the directory/libraries which can be accessed.

4. FTP Guard4i Accept IP Address

FTP Guard4i Accept IP config

FTP Guard4i Accept IP list

You can set the addresses which the users can connect to the FTP Server from, this is in addition to the IP addresses which can be set in the User settings which can provide a very simple to manage access tool. The process will check for an accept address and reject address entry, if an entry matches a specific accept entry the connection will be allowed even if a reject entry matches which is less specific. The User settings are checked after the connection to verify the user can connect from the IP address after this check.

5. FTP Guard4i Reject IP List

FTP Guard4i Reject IP

FTP Guard4i Reject IP List

The above shows a single entry which states that everything is rejected which does not match an Accept entry.

6. FTP Guard4i Log

FTP Guard4i Log

FTP Guard4i Log view

The level of logging can determine what log entries are placed into the log, if it is set to log all entries you will see an entry for every request made to the server including the actual files and directories which have been involved. This can be very important for auditors who need to view all of the transactions a user carried out via the FTP Services on the IBM i.

7. FTP Guard4i Config.

FTP Guard4i config

FTP Guard4i Config

There are various control files which determine how FTP Guard4i runs, the PHP interface provides the ability to view or update those files.

As you can see FTP Guard4i is pretty much completed, all we need to do now is carry out some additional testing before we move to the release stage of the process. We will also provide a manual which will give more details on the various configuration parameters and how to manage the data which is logged.

If you are interested in FTP Guard4i and the security of the IBM i FTP Services let us know. We can provide online demos of the product and show how effective it is in locking down user FTP activities. Don’t wait until your data has been stolen, act today and give us a call.

Chris…

Apr 24

FTP Guard4i Log Viewer

Posted on by

As promised we have now developed the log viewer which shows the events which have been logged by the FTP processes. The log view has a number of columns each of which is sortable but the default sort is done by the Date and Time with the latest entry at the top. Here is sample view of the log on our test server.

FTP Guard4i log view

A sample of the events logged by FTP Guard4i.

A couple of interesting things came about while generating the log, you will see that we deleted a file ‘/home/CHRISH/??_???????`%??>?>????????’, one of the issues we all come across from time to time is where a file in the IFS has a strange name, deleting the file using the normal IFS commands is not possible as it will always return ‘File not found’ errors. Using FTP (actually we used FileZilla) you can see that we successfully deleted the file in question. The log also shows a ‘Send File’ operation, that was actually a get operation from the FTP client but the event gets logged as a ‘Server Send File’ operation..

The PHP interface is now pretty much complete but we need to do some more work on the UIM interface to align the data store with the actual output to the UIM Manager. Once that is finished and we have done some more testing FTP Guard4i will be available for download.

Chris…

Apr 23

FTP Guard 4i Take 2

Posted on by

We had been discussing the FTP Guard 4i with a prospect and they mentioned that they would like to be able to monitor the FTP Server and SFTP Server from the FTP interface. So we have added a couple of new features to the status screen that allow the user to administer the FTP Server and the SSHD server which is used for the SFTP connections.

Here is the new status screen

New FTP Guard 4i status screen

FTP Guard 4i take 2

One of the things we did notice when we added the new features and checked they functioned was the SFTP connection takes on the QSECOFR profile in the job and drops the original user profile. We need to take a look at this to see exactly what effect this has? We don’t allow the QSECOFR profile to connect via FTP or SFTP so the security we have set for the user as far as FTP is concerned still applied.

Let us know if you are interested in this kind of solution and what if any additional features you would like to see. The Log viewer is coming along and will be the subject of our next post.

Chris…

Jul 16

How to see what locks are against an IFS object.

Posted on by

I had been looking around for a method to find out who was locking a specific IFS object, the problem came to light after some new programs we were developing crashed before closing the files (I thought when a program ended the file would be automatically released, but it looks like that may not be so with IFS and abnormal termination?) which resulted in the objects not being replicated by our replication software. There is no WRKLCK command or WRKIFSLCK etc so we needed a solution.

After some reading through the various API’s to determine what might be useful we did a quick search on Google. This came up with a very interesting solution, the article pointed to the QP0FPTOS API which is described in the manual with no reference to the call parameters the article suggested. So not being one to shy away we decided to give it a try. The command we ran was “CALL QP0FPTOS PARM(*LSTOBJREF ‘/home/ha4i/log/HA4I409_debug.dta’ *FORMAT2)”. This was pretty confusing because neither *LSTOBJREF was listed or the *FORMAT2 in the documentation! But it works! So if like us want to see what locks are against a particular IFS object give it a try! Just change the object to be checked of course :-) ..

The output is directed to a spool file which can be viewed, we had hoped to be able to get the data back in soft copy to allow us to take some action, but for now we at least have some visibility of who is locking the object. Maybe we will ask IBM for more information on the API and how else it can be used..

Chris…

Dec 06

New Password # tool.

Posted on by

One feature of passwords is that they are encrypted so you cannot pull back a password to see if it is the same across a couple of systems. As part of the HA4i product we replicate passwords between systems using the encrypted blocks of data we can retrieve using API’s, we can also compare the two passwords by checking that the encrypted block is the same on each system (It should be). Recently we had a problem where a password would constantly return an error when we checked the data returned by the API so we needed a separate process to allow us to see what the content is on each system when we change passwords via a save and restore and update method. This has resulted in a tool which allows the CRC which we build using the data returned via the API to be seen by the user on each system. The tool is available for download from the downloads page.

If you have any questions or concerns with using the tool let us know.

Chris…

Nov 30

Time taken for Password encryption

Posted on by

One of the recent posts showed how to connect to a remote IBM i system and store the password in a secure method in the session variables. As part of another development project we decided to add the process to the connection code to see what effect it would have. The time taken to make the connection and display the data seemed to take a much longer time. Not sure if the time was due to the data being collected or due to the connection process we decided to write a test page to see the actual time it took. The results were quite shocking, in effect the encryption process increased the connection time by a factor of 3. This meant every time we loaded a page of data it was 3 times slower than if we just did a normal unencrypted connection.

The connection is the same for every request so the additional time can only be associated with the time it took the system to encrypt and decrypt the password. The encryption is only done once on login but decryption is done every time a new set of data was requested. To prove the point we created a sample page that would show a login screen if no connection had been made and show the connection time if the connection was made. its a very simple page and the functions that back it up are just as simple. The encryption process is the same as published in the post mentioned above so it you want to see those functions go to the post.

Here is the page we used for the initial sign on.

<?php 
/*
Copyright © 2010, Shield Advanced Solutions Ltd
All rights reserved.

http://www.shieldadvanced.ca/

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:

- Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.

- Neither the name of the Shield Advanced Solutions, nor the names of its
contributors may be used to endorse or promote products
derived from this software without specific prior written 
permission. 

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 
COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
POSSIBILITY OF SUCH DAMAGE.

*/
// start the session to allow  session variables to be stored and addressed
session_start();
require_once("scripts/functions.php");
if(!isset($_SESSION['server'])) {
	load_config();
	}	
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Test PHP</title>
<!-- add the main CSS -->
<link rel="stylesheet" href="css/tst.css" type="text/css">
</head>

<body>
<?php
// if valid user is set connect using Private connection
if(isset($_SESSION['valid_usr'])) {
	$start_time = microtime();
	$conn = 0;
	if(!connect($conn)) {
		if(isset($_SESSION['Err_Msg'])) { 
			echo($_SESSION['Err_Msg']); $_SESSION['Err_Msg'] = "";
			}
		} 
	else {
		echo("Connected to " .$_SESSION['server'] ."using " .$_SESSION['conn_type']); 
		$end_time = microtime();
		$wire_time= control_microtime_used($start_time,$end_time)*1000000;
		printf("<br>total=%1.2f sec ",round($wire_time/1000000,2));
		echo("<br><a href='scripts/logout.php'>logout</a>");
		}
	}
else { ?>
        <form name=login method="post" action="scripts/login.php">
            <table width="20%" align="center" border="1" cellpadding="1">
                <tr><td><label>User ID :</label></td><td><input type="text" name="usr" /></td></tr>
                <tr><td>Password:</td><td><input type="password" name="pwd" /></td></tr>
                <tr><td colspan="2"><?php if(isset($_SESSION['Err_Msg'])) { echo($_SESSION['Err_Msg']); $_SESSION['Err_Msg'] = ''; } ?></td></tr>
                <tr><td><label>Connection type</label></td><td><select id="conn_type" name="conn_type"><option value="encrypt">Encrypted</option><option value="decrypt">Decrypted</option></select></td></tr>
                <tr><td colspan="2" align=center><input type="submit" value="Log in" /></td></tr><?php
                if(isset($_SESSION['Pwd_Err'])) {
                    if($_SESSION['Pwd_Err'] == 1) { ?>
                        <tr><td colspan="2" align=center>Sorry the credentials were rejected by the <?php echo($_SESSION['sys']); ?> System</td></tr><?php
                        $_SESSION['Pwd_Err'] = 0;
                        } 
                    } ?>
            </table>
        </form><?php
	} ?>
</body>
</html>

If the user information is correct and the connection is made the sign on screen is no longer displayed and the connection information is displayed.

This is the login script.

<?php 
/*
Copyright © 2010, Shield Advanced Solutions Ltd
All rights reserved.

http://www.shieldadvanced.ca/

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:

- Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.

- Neither the name of the Shield Advanced Solutions, nor the names of its
contributors may be used to endorse or promote products
derived from this software without specific prior written 
permission. 

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 
COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
POSSIBILITY OF SUCH DAMAGE.

*/

// allow session variables
session_start();
$conn = 0;
require_once"functions.php";
// make sure they are not trying to sign on with a system profile
$prf = strtoupper($_POST['usr']);
if(($prf == "QDBSHR") ||
	($prf == "QDOC") ||
	($prf == "QLPAUTO") ||
	($prf == "QLPINSTALL") ||
	($prf == "QRJE") ||
	($prf == "QSECOFR") ||
	($prf == "QSPL") ||
	($prf == "QDFTOWN") ||
	($prf == "QTSTRQS") ||
	($prf == "QSYS")) {
	$_SESSION['Err_Msg'] = "Cannot use user profile " .$_POST['usr'] ." for connection";
	header('Location: /index.php');
	exit(0);
	}
$_SESSION['usr'] = $_POST['usr'];
if($_POST['conn_type'] == 'encrypt') 
	e_pwd($_POST['pwd']);
else
   $_SESSION['pwd'] = $_POST['pwd'];	
$_SESSION['conn_type']  = $_POST['conn_type'];
// if failed to connect set the $_SESSION variables to empty
if(connect($conn) == -1) {
	$_SESSION['Pwd_Err'] = 1;
	$_SESSION['usr'] = "";
	$_SESSION['pwd'] = "";
	$_SESSION['valid_usr'] = NULL;
	header('Location: /index.php');	
	exit(0);
	}
// connect set the required session variables so just set the valid user variable	
$_SESSION['valid_usr'] = $_POST['usr'];	
header('Location: /index.php');	
exit(0);
?>

As you can see it is pretty simple in that it just determines the selected connection type and then calls the connect, if it succeeds it sets the relevant session variables.
For the connect function we have the following code 

function connect(&$conn) {
// reset the the ErrMsg variable
unset($_SESSION['ErrMsg']);
// connect to the i5
$conId = 0;
if (isset($_SESSION['ConnectionID'])) {
		$conId = $_SESSION['ConnectionID'];
		}
$server = $_SESSION['server'];	
$addlibl = array($_SESSION['install_lib']);
// options array for the private connection
$options = array(
      			I5_OPTIONS_PRIVATE_CONNECTION => $conId,
      			I5_OPTIONS_IDLE_TIMEOUT => $_SESSION['timeout'],
      			I5_OPTIONS_JOBNAME => 'PHPTSTSVR');
// connect to the system  
if($_SESSION['conn_type'] == 'encrypt')     			
	$conn = i5_pconnect($server,$_SESSION['usr'],d_pwd($_SESSION['pwd']),$options);
else
	$conn = i5_pconnect($server,$_SESSION['usr'],$_SESSION['pwd'],$options);
// if connect failed
if(is_bool($conn) && $conn == FALSE) {
	$errorTab = i5_error();
	if ($errorTab['cat'] == 9 && $errorTab['num'] == 285){
		$_SESSION['ConnectionID'] = 0;
  		$_SESSION['Err_Msg'] = "Failed to connect";
  		return -1;
 		} 
 	else {
 		//set the error message
 		$_SESSION['Err_Msg'] = "Connection Failed " .i5_errormsg();	
		// send back to the sign on screen 
		$_SESSION['ConnectionID'] = 0;
 		return -1;
 		}	
	}
return 1;
}

The only other function we use are the microtime() function and a function which calculates the time taken between the start and end time.
Here is the page information which was collected for a unencrypted connection.

Connected to shield3using decrypt
total=0.13 sec

and here are the results when we connect using encryption for the password.

Connected to shield3using encrypt
total=0.38 sec

As you can see it is nearly 3 times as long to make the connection when encrypting the password. So our challenge now is to see if we can find a better or should I say faster encryption method to use. If the connection is not important because the data is refreshed too often it should not be an issue especially when you consider just how much better the security is for the stored passwords, but you will have to weight up that with the user experience for slow connections.

If you can see anything we did wrong let us know and we will happily re-code and try it again. Sorry about the code layout but it is pretty hard to show correctly formatted code on the blog setup we have.

Chris…

Sep 21

Secure password storage for i5_connect connections.

Posted on by

One of the questions which gets asked a lot is how do I store passwords for connections to the IBM i. If I am doing internal development (does not require security to be too strict) I will usually store the password in plain text because for anyone to get to the passwords they would have to be able to access the IBM i IFS and look through the correct directory to find the appropriate session data to get to the password. Then they have to link that up with an appropriate profile! That is not something anyone in our company will spend the time doing or in most instances have the knowledge to do.

In a production application which could be exposed to outside influences we would need to harden up the security somewhat. Normal users may still have problems getting to the data but a determined hacker will not be phased by having to troll through the session variables.. So we have to come up with a way to store the data in an encrypted manner and which requires a number of session data variables to be combined to make it work. We would still strongly advise those of you who are walking down this route to consider additional security measures such as locking down the directory where the session variables are stored to PUBLIC *EXCLUDE, as a minimum.

PHP provides a number of encryption modules which have to be enabled for the following code to work, if you need help on setting this up there are plenty of links in Google to help you and it is beyond the scope of this post to add here. Once the modules are enabled and the servers re-started you can start to code up something similar to the following.

First of all we need a few functions which will be called to do the encryption for us. We have 3 functions defined, one to generate the initialization value and the unique key value we will use to encrypt and decrypt the data, another one to encrypt the plain text password and another to decrypt it.

Here is the code for the unique value generation.


/*
* function create hex value
* Used to create initialization variables and unique keys
* @parms
*
*/

function get_unique_key($len) {
// create a unique value in the string for the specified number of bytes
$data = '';
do {
$data .= hash('sha256', uniqid(mt_rand(), TRUE), TRUE) ;
} while ( strlen($data) < $len ) ;
return $data;
}

All it is doing is creating a unique string to the length passed in and returning that string to the calling function. The PHP manual gives you the information on the functions used and plenty of examples. We are passing in a random number as a prefix to the uniqid() function which generates a 23 character string that is hashed and appended to the previous request until the required minimum length is reached (in fact it will normally be exceeded unless the required length is an exact multiple of 23).

The next function will do the encryption.

/*
* function to encrypt password
*/

function e_pwd($pwd) {
$alg = MCRYPT_RIJNDAEL_256 ;
$m = MCRYPT_MODE_CBC ;

// get the length the initialization value
$_SESSION['i_len'] = mcrypt_get_iv_size($alg, $m);
$_SESSION['init_val'] = substr(get_unique_key($i_len), 0, $i_len) ;
// get the length the key needs to be for the encryption
$_SESSION['key_len'] = mcrypt_get_key_size($alg, $m);
// the returned value will be padded with 0's so strip off
$_SESSION['key'] = substr(get_unique_key($_SESSION['key_len']),0,$_SESSION['key_len']);
$_SESSION['pwd'] = mcrypt_encrypt($alg, $_SESSION['key'], $pwd, $m, $_SESSION['init_val']);
return;
}

The above code is using session variables to store the keys and lengths plus the encrypted password. The above function receives the plaintext password via the login script that is called when the form submit button is pressed. The password is passed to the script in a POST variable called 'pwd'. We store the various initialization and key values as SESSION variables in the above module so we can use them in the decrypt function.

Here is the decrypt function, as you can see it is very simple. We could store the algorithm and mode as well outside of the script but for this test it was not important. All we have to do is pass in the session variables to the decrypt() function and return the results.


/*
* function to de-encrypt password
*/

function d_pwd() {
$alg = MCRYPT_RIJNDAEL_256 ;
$m = MCRYPT_MODE_CBC ;

return mcrypt_decrypt($alg, $_SESSION['key'], $_SESSION['pwd'], $m, $_SESSION['init_val']);
}

So based on the above functions here is how we used them in our pages. First when a user logs in we have a form which has a password field and user field defined. This is only part of the script to generate the page, before this we have a check to see if the user is already signed on. We only show this bit so you can see where we manipulate the password data.

<h3>Sign On</h3>
<form name=login method="post" action="scripts/login.php">
<table width="20%" align="center" border="1" cellpadding="1">
<tr><td><label>User ID :</label></td><td><input type="text" name="usr" /></td></tr>
<tr><td>Password:</td><td><input type="password" name="pwd" /></td></tr>
<tr><td colspan="2" align=center><input type="submit" value="Log in" /></td></tr><?php
if(isset($_SESSION['Pwd_Err'])) {
if($_SESSION['Pwd_Err'] == 1) { ?>
<tr><td colspan="2" align=center>Sorry the credentials were rejected by the <?php echo($_SESSION['sys']); ?> System</td></tr><?php
$_SESSION['Pwd_Err'] = 0;
}
} ?>
</table>
</form>

Here is part of the login script that encrypts the password and stores the user name etc.

// store the user and password(encrypted)
$_SESSION['usr'] = $_POST['usr'];
e_pwd($_POST['pwd']);
$_SESSION['server'] = "ServerName";
// if failed to connect set the $_SESSION variables to empty
if(connect($conn) == -1) {
$_SESSION['Pwd_Err'] = 1;
$_SESSION['usr'] = "";
$_SESSION['pwd'] = "";
header('Location: /index.php');
exit(0);
}

And finally this is a function which does the connection.


function connect(&$conn) {
// connect to the i5
$conId = 0;
if (isset($_SESSION['ConnectionID'])) {
$conId = $_SESSION['ConnectionID'];
}
$server = $_SESSION['server'];
// options array for the private connection
$options = array(I5_OPTIONS_PRIVATE_CONNECTION => $conId,
I5_OPTIONS_IDLE_TIMEOUT => $_SESSION['timeout'],
I5_OPTIONS_JOBNAME => 'PHPTSTSVR');
// connect to the system
$conn = i5_pconnect($server,$_SESSION['usr'],d_pwd($_SESSION['pwd']),$options);
// if connect failed
if(is_bool($conn) && $conn == FALSE) {
$errorTab = i5_error();
if ($errorTab['cat'] == 9 && $errorTab['num'] == 285){
$_SESSION['ConnectionID'] = 0;
$_SESSION['Err_Msg'] = "Failed to connect";
return -1;
}
else {
//set the error message
$_SESSION['Err_Msg'] = "Connection Failed " .i5_errormsg();
// send back to the sign on screen
$_SESSION['ConnectionID'] = 0;
return -1;
}
}
return 1;
}

That's it, now when a user gets past the login screen the data is stored in session variables that can be retrieved and decrypted. We have used the i5_toolkit functions to do the connections because we use them for all data and object collection from the IBM i but, you could use the same principle for other connections as well. To force the user to sign back in you can use the session_destroy() function to remove all of the session variables at once.

Hope you find this interesting, if you have any questions or suggestions for improving the code let us know.

Chris...

Jul 12

Busy getting things into place for the new release.

Posted on by


I seem to get less and less time these days to do all the things that need to be done. I am sure everyone out there is feeling the same. We have just started the final testing of the next PTF for HA4i which has some pretty nice features added. This will probably be the last enhancement package for the current version as the new version is already under development and will hopefully appear before the end of the year. So whats in this PTF? Well here is a quick summary.

As usual we have added a number of bug fixes, none of them major issues but as usual customers always push the product into territory we have never imagined. The new features from the last PTF seem to have been a success with a number of new enhancements built on top of the technology.

Sync Manager is the process where we can synchronize a file using the journal as a marker for bringing the save copy into play. Previously we had locked the object from the time the request started right up to the object being restored. One customer in particular had a major issue with this, his 2MB link was so slow it was taking days (literally) to get files across the network. So one of the enhancements this PTF brings is a shorter lock time, the object is only locked for the period of the save operation and then released back to the users. HA4i now manages the lock status for the apply process to ensure the object is available when required on the target system. As part of this update we also added reloading of failed requests and a much better interface into the process so you can now see what is being processed and what stage in the process is it at. If the customer wants to bypass the network and use a save and restore process using tape etc HA4i now provides a sync point process which allows this to be carried out very easily and effectively plus adding new compression features to the save ensure the size of the Save Files we create have been significantly reduced. We added a new feature to the status screens on the target that not allow submission of failed objects via the source sync manager but also provides more data about the object which is in error such as its size, this is very important to determining what type of recovery you are going to use to re-sync the object.

Auditing is a safeguard that allows users to see that the replication processes are doing their job and the configurations are actually replicating everything that they should. Because HA4i is applying data at the receiver level it needs to have any data held in the attached receiver on the target system applied before the audit starts. A new audit process has been introduced which automatically applies the attached receivers data before the audit is started plus it allows a more granular approach to file auditing by allowing source and data files to be isolated in the audit. Because of the new features added to the sync process you can now sync audited objects via the sync manager using a single option so if an object is out of sync it is very easily brought back into a sync state.

Object replication requires objects to be available for saving, one of the major issues we see with this is the object lock state for newly created objects. Some objects will have notifications sent stating the new object exists that are available to be processed before the object is available. Even with delay processing the object cannot always be locked for the save so a failure is logged by HA4i. Over the course of a day in highly active systems this can result in a very large number of failures which need to be retried. As part of this PTF we introduced a number of new commands which allow automated retry processing for the Object and Spoolfile replication processes. When used via job schedule entries they ensure every attempt is made to replicate objects without impacting current object processing and logging those entries that were not processed because the object no longer exists, this can be important when looking at what object can be excluded from processing. Previously we added an entry for every object failure so an object which changed constantly could result in multiple failure requests, a new filtering feature ensure we only record one entry per object, if its a command we even check the command string to ensure its unique.

Role swaps are one area which every HA solution has to perform effectively. HA4i has provided a single command role swap capability for each system for sometime, but this PTF brings a new feature which allows the role swap to be carried out from a source system automatically carrying out the required processes on the target system. If the process fails you can start the process again from the source system or if needed start each side individually. We have also added exit points to the process which allow the customer to run additional processes which are not part of the HA4i role swap process such as starting subsystems, varying on communications lines etc.

HA4i is expected to run 24×7 without a break, this can result in some very big job logs and message queues. Even though job logs and message queues can be wrapped so they provide some size limitation of sorts, trawling through a job log of 6,000 plus pages can be a real drag! So we have now added a new feature which will automatically restart the processes every 24 hours keeping those joblogs to a manageable size. Messaging has also been reduced further to weed out a lot of the unnecessary messages sent to the message queues and processes, but putting the product into debug mode brings those messages back to the user so we can see exactly what is going on when required.

The next release is going to be a major change to the product, we have decided that we will provide our own apply process that will read the remote journal and apply the entries directly to the objects. The APYJRNCHG command does a great job but there are times when some of the features affect the customer experience and IBM is either unwilling or unable to effect a change that would make the process more acceptable. The IBM apply process will still be available though, so when you set up the product and configure the journals you will have the option to choose which apply process you want to use for the journal in question. This will open up a number of new options for auditing and object control, because we will be reading through the journal one entry at a time we will be able to provide a command processing feature allowing commands to be submitted in sequence with the data changes. We will also provide audit details at the record level without having to check all data has been applied to a particular point, the entry will carry the source audit information that should match exactly with the target data at that point in time.

We still have a long way to go with the next release but the early testing of the new apply process is going well. The feed back from customers is positive and we are hoping that the new features add even more value to their investment in out products. HA4i is a very viable HA solution and easily fits into the most constrained budget. If you need a HA solution or want to replace an existing one let us know, we are sure the price and functionality will meet with your approval. For those customers looking to replace an existing solution we have an offer for our JobQGenie product that makes the upgrade to HA4i even more attractive.

Chris…