
Secure configuration of NFS on Windows 2008 Server for WebDocs iSeries

Setting up NFS on Windows in a secure manner can be done, but it can be tricky, as it requires translating authorities between UNIX-based and non-UNIX-based file systems. The way this is ultimately accomplished is by matching UIDs on the server and client operating systems. This is done differently on different versions of Windows. Prior to 2008 Server, the Windows Services for Unix (SFU) package provided a User Mapping utility, which we will discuss next week when we address 2003 Server. With 2008 Server, the SFU package was rolled into the core operating system as the Subsystem for Unix-based Applications (SUA), but without the User Mapping utility. In its place, assuming the existence of a domain and an Active Directory (AD) server, user IDs have a UNIX Attributes property which allows us to define a UNIX UID to use for interactions with NFS shares.

Contents:

Configure NFS on Windows Server 2008
Create and configure user in Active Directory
Create an NFS share
Create and configure iSeries user
Create IFS directory and mount share
Configure WebDocs iSeries to use share
Modify the Apache web server configuration
Final considerations

WebDocs Technical Documentation

Configure NFS on Windows Server 2008

These instructions assume that you already have an Active Directory Domain Controller configured elsewhere.

On your file server, open Server Manager:

Start > Administrative Tools > Server Manager
In the upper left, expand Roles.
Select Add Roles.
Select File Services, and follow the prompts.
Once the File Services role is installed, return to Server Manager and select Add Role Services.
Add the Services for Network File System role service. You may need to restart the server.

On the Active Directory server:

Start > Administrative Tools > Server Manager
In the upper left, expand Roles.
Select Add Role Services.
Add Identity Management for UNIX and its sub-Role Services if they are not already installed.

Release date: 1/7/11


Back on the file server: open Server Manager, expand Roles, expand File Services and select Share and Storage Management. On the right, select Edit NFS configuration. This will present a wizard with the following steps:

Select an Identity Mapping Solution
Set Up Domain Authorization
Open Firewall Ports
Use NFS to Share Folders
Additional Information

We will only be handling the Identity Mapping here. This article assumes that Domain Authorization has been configured and that the appropriate firewall ports are open. Select the first step, and click the Identity Mapping Wizard button. You’re presented with three options:

Do not use an identity mapping solution is for configuring NFS to use anonymous access - we’re trying to avoid that.
Retrieve identity mappings from User Name Mapping asks for the hostname of a pre-Windows 2008 server with the SFU User Mapping configured.
We will go with the recommended method, Retrieve identity mappings from Active Directory.


Select your Active Directory domain.

Confirm the values and click Configure.

You should see Success. Click Close.


Create and configure user in Active Directory

These instructions assume that a UNIX group (GID) and an NIS domain have already been created.

On the Active Directory server, create a user for WebDocs iSeries. We’ll call our user RJSNFS.

Start > Administrative Tools > Active Directory Users and Computers.
Expand the domain, and select Users.
Right-click in the right pane and select New > User. Follow the prompts and click Finish.
Select the user and right-click. Go to Properties and select the UNIX Attributes tab.
Select the NIS domain from the dropdown.
Select the appropriate group from the dropdown (Primary group name/GID).
Choose a UID that is unique on both the iSeries and Active Directory.
Select Apply > OK.

For more information, please refer to Microsoft's TechNet article on the subject.


Create an NFS share

Create a folder on your file server to use as the share directory. For this example, we’ll use C:\RJSNFS. Right-click on the folder and go to Properties. Select the Security tab, and select Edit. Add the user you created in Step 2, with the Read, Write, Read & Execute and List folder contents authorities.

In Server Manager, expand Roles, expand File Services, and select Share and Storage Management.

On the right, under Actions, select Provision Share.


Under Location, browse to C:\RJSNFS and select OK. Click Next.

Choose radio button: No, do not change NTFS permissions. Click Next.

Check NFS, create a Share name. Make a note of the share path (servername:/sharename). This is what will be used when you mount the share on the iSeries. Click Next.


Configure permissions. Click Add. Specify the host IP for the iSeries. Keep the Encoding as ANSI. Permissions should be Read-Write. Allow root access should be unchecked. You should now have two entries: one with your iSeries IP address, and one for ALL MACHINES. Edit the ALL MACHINES entry, and set it to No Access, so that only the iSeries host can reach the share. Click Next.

Look over the settings and select Create.


You should see success. Click Close.

You’ll now see the share listed under Share and Storage Management.


Create and configure iSeries user

Sign on to the iSeries as a security officer. At a command line, prompt on the CRTUSRPRF command. F10 will display additional parameters. Change the UID parameter from *GEN to the UID you specified in Step 2. The user must have the *IOSYSCFG special authority in order to mount. Additionally, make sure that the user has appropriate authorities to the RJS libraries (RJSIMAGE in particular) and to the IFS. When ready, create the user account. For additional security, you may wish to set this user's initial program to SIGNOFF to prevent interactive sign-on. The intent is that this user will be used to submit jobs that relate to WebDocs, and to mount the NFS share - this user is not intended for general system use.


Create IFS directory and mount share

WebDocs iSeries automatically creates an RJSIMAGEDOC folder under root (denoted by /) initially. We will create a subfolder underneath it for NFS. This is necessary because, in order to successfully mount an external file system, the IFS directory being mounted to must give *PUBLIC *RWX rights. If this directory is immediately under /, then any user with IFS access can read and write to the entire share. By mounting to a child directory which has *PUBLIC *RWX, we are still able to secure the IFS directory by locking down the parent. Only security officers and the iSeries user created in Step 4 should have access to /RJSIMAGEDOC, and they should have all rights to it.

MKDIR DIR('/RJSIMAGEDOC/NFS') OBJAUT(*RWX)

Now you can mount the share to this directory (as the user created in Step 4, where 1.1.1.1 is the IP address of your NFS file server):

DOCMOUNT HOST('1.1.1.1') NFSSHARE('/RJSNFS') IFSDIR('/RJSIMAGEDOC/NFS')


Configure WebDocs iSeries to use share

ADDLIBLE RJSIMAGE
GO RJSIMAGE

Take option 11. Put a 2 on all folders where you wish to save to the NFS share going forward. This does not move files already on the IFS - for information on moving existing documents to the NFS file server, please refer to this post on the subject. For each folder, modify the existing IFS path from /RJSIMAGEDOC to /RJSIMAGEDOC/NFS.


Modify the Apache web server configuration

Modify the Apache web server configuration to use the user created in Step 4. This can be done from the 5250 emulator or via IBM’s Web Administration (on port 2001 by default, if it's running). Add the ServerUserID line to your Apache configuration (line 28 in the full configuration shown below):

Listen *:80

DocumentRoot /www/WEBDOCS/htdocs

Options -ExecCGI -FollowSymLinks -SymLinksIfOwnerMatch -Includes -Indexes -MultiViews

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{Cookie}n \"%r\" %t" cookie
LogFormat "%{User-agent}i" agent
LogFormat "%{Referer}i -> %U" referrer
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog logs/access_log combined
LogMaint logs/access_log 7 0
LogMaint logs/error_log 7 0

# Deny requests for any file
<Directory />
   order deny,allow
   deny from all
</Directory>

# Allow requests for files in document root
<Directory /www/WEBDOCS/htdocs>
   order allow,deny
   allow from all
</Directory>

ServerUserID RJSNFS

ScriptAliasMatch ^/IMAGESERVER/(.*) /QSYS.LIB/RJSIMAGE.LIB/$1.PGM
<Directory /QSYS.LIB/RJSIMAGE.LIB>
   SetHandler cgi-script
   Options +ExecCGI
   order allow,deny
   allow from all
   CgiConvMode %%EBCDIC/MIXED%%
</Directory>

Restart the Apache web server instance. The web server instance jobs will still be owned by QTMHHTTP, but instead of calling programs and interacting with the IFS as QTMHHTP1 (the default CGI user), it will use our RJSNFS user instead.


Final considerations

In closing, there are a few particular advantages and concerns to this method that deserve highlighting.

First, since we have provided read and write authority appropriately on the share, subdirectories on the share may be created using the standard iSeries commands, manually or from a custom CL. The structure of the command is the same; simply specify the path that the share is mounted to, with the subfolder you wish to create (in our example, it will be called 2011).

MKDIR DIR('/RJSIMAGEDOC/NFS/2011')

Second, in the Configure WebDocs iSeries to use share section above, we assumed that only the user created in the Create and configure iSeries user section would be used to check in documents. If documents are only entering WebDocs iSeries via the web interface or Batch Report Server/400, the one user created in this document may be sufficient. Even if your input methods expand to include applications such as Scan Workstation and Tray Capture Utility, this same user may be used to check in documents to WebDocs iSeries. While this method is technically correct, it may invalidate the security you just set up: every check-in then runs under the single mapped user, regardless of who submitted the document. To maintain security, additional users may be configured in the same manner as the first, but setting up user ID mappings between existing iSeries and Active Directory users is difficult and sometimes intractable.

A simpler and more elegant approach may be to use a staging process for storage. In a staging process, documents are checked into a local IFS directory immediately, and a scheduled job periodically moves documents older than a set date to the NFS server. The advantage of this method is that only the user running the scheduled job and the CGI user need to be mapped appropriately; all other users would use standard IFS security. A how-to article on this method, with sample source code, is forthcoming. A reference to this article will be added to this document when it has been published.
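The staging job described above, as an added example that is not part of this document or of the forthcoming article: a POSIX shell function that the scheduled job, running as the mapped user, could call from QShell or PASE to move aged documents from a local staging directory into the NFS mount. The staging path /RJSIMAGEDOC/STAGE, the seven-day threshold, and the availability of POSIX find and mv are assumptions.

```shell
#!/bin/sh
# Added example (not RJS's code). Move documents older than DAYS days from a
# local staging directory into the NFS-mounted directory, preserving the
# relative subfolder (e.g. 2011/doc.pdf). Only this job's user and the CGI
# user need a UID mapping; users checking documents into the staging
# directory are governed by ordinary IFS authorities.
# Assumed paths: /RJSIMAGEDOC/STAGE (hypothetical) -> /RJSIMAGEDOC/NFS (mount).
stage_move() {
  src=$1
  dst=$2
  days=$3
  # Refuse to run unless both directories exist: if the share is not mounted,
  # the files would otherwise pile up in a local directory, not on the server.
  if [ ! -d "$src" ] || [ ! -d "$dst" ]; then
    echo "stage_move: source or destination directory missing" >&2
    return 1
  fi
  # -type f skips directories and symbolic links; -mtime +N selects files
  # last modified more than N*24 hours ago. Filenames containing newlines
  # are not supported by this line-oriented loop.
  find "$src" -type f -mtime "+$days" -print | while IFS= read -r f; do
    rel=${f#"$src"/}
    mkdir -p "$dst/$(dirname "$rel")"
    mv -- "$f" "$dst/$rel"
  done
}

# Usage from the scheduled job: move everything older than seven days.
# stage_move /RJSIMAGEDOC/STAGE /RJSIMAGEDOC/NFS 7
```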
Finally, there have been concerns among those who have a massive number of documents regarding maximum object ownership limits per iSeries user. Testing on this issue is still in process, and this article will be updated with methods for handling object ownership limits when testing is completed. Feedback is welcomed; please email Jordan Peacock at [email protected] with any questions or requests for clarification.
