Secure configuration of NFS on Windows 2008 Server for WebDocs iSeries




Setting up NFS on Windows in a secure manner can be done, but it can be tricky, because it requires translating authorities between a UNIX-based and a non-UNIX file system. This is ultimately accomplished by matching UIDs between the server and client operating systems, and it is done differently on different versions of Windows. Prior to 2008 Server, the Windows Services for UNIX (SFU) package provided a User Name Mapping utility, which we will discuss next week when we address 2003 Server. With 2008 Server, the SFU package was rolled into the core operating system as the Subsystem for UNIX-based Applications (SUA), but without the User Name Mapping utility. In its place, assuming the existence of a domain and an Active Directory (AD) server, user accounts have a UNIX Attributes property that lets us define the UNIX UID to use for interactions with NFS shares.

The steps, in order:

1. Configure NFS on Windows Server 2008
2. Create and configure user in Active Directory
3. Create an NFS share
4. Create and configure iSeries user
5. Create IFS directory and mount share
6. Configure WebDocs iSeries to use share
7. Modify the Apache web server configuration
8. Final considerations

1. Configure NFS on Windows Server 2008

These instructions assume that you already have an Active Directory Domain Controller configured elsewhere.

On your file server:
Open Server Manager: Start > Administrative Tools > Server Manager.
In the upper left, expand Roles and select Add Roles.
Select File Services and follow the prompts.
Once the File Services role is installed, return to Server Manager and select Add Role Services. Add the Services for Network File System role service. You may need to restart the server.

On the Active Directory server:
Start > Administrative Tools > Server Manager.
In the upper left, expand Roles and select Add Role Services.
Add Identity Management for UNIX and its sub-role services if they are not already installed.

Release date: 1/7/11

Back on the file server, open Server Manager, expand Roles, expand File Services and select Share and Storage Management. On the right, select Edit NFS configuration. This presents a wizard with the following steps:

* Select an Identity Mapping Solution
* Set Up Domain Authorization
* Open Firewall Ports
* Use NFS to Share Folders
* Additional Information

We will only be handling Identity Mapping here. This article assumes that Domain Authorization has been configured and that the appropriate firewall ports are open.

Select the first step and click the Identity Mapping Wizard button. You're presented with three options. "Do not use an identity mapping solution" configures NFS for anonymous access, which is exactly what we are trying to avoid. "Retrieve identity mappings from User Name Mapping" asks for the hostname of a pre-Windows 2008 server with the SFU User Name Mapping service configured. We will go with the recommended method, "Retrieve identity mappings from Active Directory".

Select your Active Directory domain. Confirm the values and click Configure. You should see Success; click Close.

2. Create and configure user in Active Directory

These instructions assume that a UNIX group (GID) and an NIS domain have already been created.

On the Active Directory server, create a user for WebDocs iSeries; we'll call our user RJSNFS.
Start > Administrative Tools > Active Directory Users and Computers.
Expand the domain and select Users.
Right-click in the right pane and select New > User. Follow the prompts and click Finish.
Select the user, right-click, go to Properties and select the UNIX Attributes tab.
Select the NIS domain from the dropdown.
Select the appropriate group from the Primary group name/GID dropdown.
Choose a UID that is unique both on the iSeries and in Active Directory. The same number is given to the iSeries user profile in Step 4, and it is the only link between the two identities, so record it.
Select Apply > OK.

For more information, please refer to Microsoft's TechNet article on the subject.

3. Create an NFS share

Create a folder on your file server to use as the share directory. For this example, we'll use C:\RJSNFS.
Right-click the folder and go to Properties. Select the Security tab and click Edit. Add the user you created in Step 2 with the Read, Write, Read & Execute and List folder contents permissions; nothing broader is needed, since the share only has to hold documents.
In Server Manager, expand Roles, expand File Services and select Share and Storage Management. On the right, under Actions, select Provision Share.

Under Location, browse to C:\RJSNFS and click OK. Click Next.
Choose the radio button "No, do not change NTFS permissions". Click Next.
Check NFS and enter a share name. Make a note of the share path (servername:/sharename); this is what you will use when you mount the share on the iSeries. Click Next.

Configure permissions. Click Add and specify the host IP address of the iSeries. Keep the Encoding as ANSI. Permissions should be Read-Write. Leave "Allow root access" unchecked, so that a request arriving as root (UID 0) from the client is treated as the anonymous user rather than honoured as root.
You should now have two entries: one with your iSeries IP address and one for ALL MACHINES. Edit the ALL MACHINES entry and set it to No Access, so that no host other than the iSeries can reach the share at all. Click Next.
Look over the settings and click Create.

You should see Success. Click Close. The share is now listed under Share and Storage Management.
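As a check on the permission entries just configured, here is an added example (not part of the original article, and not an RJS or Microsoft tool) that models the Provision Share entries and reports any deviation from the settings above: ALL MACHINES at No Access, root access disallowed, and only the iSeries address with Read-Write. The field names, the 1.1.1.1 address and the "weak" rule set are constructed; the assumption that a client-specific entry takes precedence over the ALL MACHINES entry is ours, not a statement from the page.

```python
"""Policy check for Windows NFS share permission entries (added example)."""
from dataclasses import dataclass
from typing import Dict, List

ALL_MACHINES = "ALL MACHINES"   # the wizard's entry covering every other client


@dataclass(frozen=True)
class NfsRule:
    client: str        # iSeries IP/host name, or ALL_MACHINES
    access: str        # "No Access", "Read-Only" or "Read-Write" (wizard values)
    allow_root: bool   # the "Allow root access" checkbox


def effective_access(rules: List[NfsRule], client: str) -> NfsRule:
    """Rule that applies to one client. Assumption (not from the page): a
    client-specific entry wins over ALL MACHINES, which covers the rest;
    with neither, nothing is exported to that client."""
    by_client = {r.client: r for r in rules}
    if client in by_client:
        return by_client[client]
    return by_client.get(ALL_MACHINES, NfsRule(client, "No Access", False))


def audit_share(rules: List[NfsRule], expected: Dict[str, str]) -> List[str]:
    """Findings that violate the article's settings: ALL MACHINES must be
    No Access, no entry may allow root, and only the expected clients may
    have access, at exactly the expected level."""
    findings: List[str] = []
    by_client = {r.client: r for r in rules}
    default = by_client.get(ALL_MACHINES)
    if default is None:
        findings.append("no ALL MACHINES entry; add one set to No Access")
    elif default.access != "No Access":
        findings.append(f"ALL MACHINES grants {default.access} to every other host")
    for r in rules:
        if r.allow_root:
            findings.append(f"{r.client}: Allow root access is checked")
        if r.client != ALL_MACHINES and r.client not in expected and r.access != "No Access":
            findings.append(f"{r.client}: unexpected client with {r.access}")
    for client, wanted in expected.items():
        got = effective_access(rules, client).access
        if got != wanted:
            findings.append(f"{client}: effective access is {got}, expected {wanted}")
    return findings


# Constructed inputs: 1.1.1.1 stands in for the iSeries, as in the article.
ISERIES = "1.1.1.1"
WEAK_RULES = [                       # ALL MACHINES left readable, root allowed
    NfsRule(ISERIES, "Read-Write", allow_root=True),
    NfsRule(ALL_MACHINES, "Read-Only", allow_root=False),
]
HARDENED_RULES = [                   # the article's end state
    NfsRule(ISERIES, "Read-Write", allow_root=False),
    NfsRule(ALL_MACHINES, "No Access", allow_root=False),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        stranger = effective_access(rules, "10.9.8.7").access
        print(f"{name}: an unlisted host gets {stranger}")
        for finding in audit_share(rules, {ISERIES: "Read-Write"}):
            print("  finding:", finding)
```

The point of computing the effective access for an unlisted host is that the iSeries entry alone proves nothing: with ALL MACHINES left at its default, any client on the network that can reach port 2049 still gets whatever that default grants, which is why the article sets it to No Access.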

4. Create and configure iSeries user

Sign on to the iSeries as a security officer. At a command line, prompt the CRTUSRPRF command; F10 displays the additional parameters. Change the UID parameter from *GEN to the UID you specified in Step 2 (if the group ownership of files on the share matters to you, the GID parameter can be set to the matching GID in the same way). The user must have the *IOSYSCFG special authority in order to mount. Additionally, make sure that the user has appropriate authorities to the RJS libraries (RJSIMAGE in particular) and to the IFS. When ready, create the user profile.

For additional security, you may wish to set this profile's initial menu to *SIGNOFF (INLMNU(*SIGNOFF)) so that it cannot be used for an interactive sign-on. The intent is that this user will be used to submit jobs that relate to WebDocs and to mount the NFS share; it is not intended for general system use.

5. Create IFS directory and mount share

WebDocs iSeries automatically creates an RJSIMAGEDOC folder under root (/) at installation. We will create a subfolder underneath it for NFS. This is necessary because, in order to successfully mount an external file system, the IFS directory being mounted over must give *PUBLIC *RWX rights. If that directory is immediately under /, then any user with IFS access can read and write the entire share. By mounting over a child directory that has *PUBLIC *RWX, we can still secure the path by locking down the parent: only security officers and the iSeries user created in Step 4 should have access to /RJSIMAGEDOC, and they should have all rights to it.

MKDIR DIR('/RJSIMAGEDOC/NFS') DTAAUT(*RWX)

(DTAAUT is the MKDIR parameter that sets the public data authority; OBJAUT takes object authorities such as *NONE or *ALL and cannot carry *RWX.)

Now you can mount the share over this directory, as the user created in Step 4, where 1.1.1.1 is the IP address of your NFS file server:

DOCMOUNT HOST('1.1.1.1') NFSSHARE('/RJSNFS') IFSDIR('/RJSIMAGEDOC/NFS')

6. Configure WebDocs iSeries to use share

ADDLIBLE RJSIMAGE
GO RJSIMAGE
Option 11

Put a 2 on all folders where you wish to save to the NFS share going forward, and for each folder change the existing IFS path from /RJSIMAGEDOC to /RJSIMAGEDOC/NFS. This does not move files already on the IFS; for information on moving existing documents to the NFS file server, please refer to this post on the subject.

7. Modify the Apache web server configuration

Modify the Apache web server configuration to use the user created in Step 4. This can be done from the 5250 emulator or via IBM's Web Administration for i (on port 2001 by default, if it's running). Add the following line to your Apache configuration (line 28 in this example):

1 Listen *:80
2
3 DocumentRoot /www/webdocs/htdocs
4
5 Options -ExecCGI -FollowSymLinks -SymLinksIfOwnerMatch -Includes -Indexes MultiViews
6
7 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
8 LogFormat "%{Cookie}n \"%r\" %t" cookie
9 LogFormat "%{User-agent}i" agent
10 LogFormat "%{Referer}i -> %U" referrer
11 LogFormat "%h %l %u %t \"%r\" %>s %b" common
12 CustomLog logs/access_log combined
13 LogMaint logs/access_log 7 0
14 LogMaint logs/error_log 7 0
15
16 # Deny requests for any file
17 <Directory />
18 order deny,allow
19 deny from all
20 </Directory>
21
22 # Allow requests for files in document root
23 <Directory /www/webdocs/htdocs>
24 order allow,deny
25 allow from all
26 </Directory>
27
28 ServerUserID RJSNFS
29
30
31 ScriptAliasMatch ^/IMAGESERVER/(.*) /QSYS.LIB/RJSIMAGE.LIB/$1.PGM
32 <Directory /QSYS.LIB/RJSIMAGE.LIB/>
33 SetHandler cgi-script
34 Options +ExecCGI
35 order allow,deny
36 allow from all
37 CgiConvMode %%EBCDIC/MIXED%%
38 </Directory>

Restart the Apache web server instance. The web server instance jobs will still be owned by QTMHHTTP, but instead of calling programs and interacting with the IFS as QTMHHTP1 (the default CGI user), it will use our RJSNFS user instead. Keep in mind that every CGI program the instance calls now runs under a profile that holds *IOSYSCFG (granted in Step 4 for the mount), so give RJSNFS no authority beyond the RJS libraries, /RJSIMAGEDOC and what the mount itself requires.
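The configuration above carries three settings that do the security work: the root <Directory /> that denies everything, ExecCGI enabled only for the RJSIMAGE library, and the ServerUserID switch away from the default CGI profile. The following checker is an added example (not the article's, RJS's or IBM's code) that parses an instance configuration of this shape and reports when any of them is missing. It assumes one directive per line and no nested <Directory> blocks, as in the listing; the two embedded configurations are constructed, the first a copy of the listing with the log directives omitted, the second a weakened variant.

```python
"""Checker for the IBM HTTP Server (Apache) instance config above (added example)."""
import re
from typing import Dict, List, Tuple

DEFAULT_CGI_USER = "QTMHHTP1"         # default CGI profile named on the page
CGI_DIR = "/QSYS.LIB/RJSIMAGE.LIB/"   # the only directory that should run CGI
Pairs = List[Tuple[str, str]]
_OPEN = re.compile(r"^<Directory\s+(\S+)\s*>$", re.I)
_CLOSE = re.compile(r"^</Directory>$", re.I)


def parse_config(text: str) -> Tuple[Pairs, Dict[str, Pairs]]:
    """Top-level (directive, argument) pairs plus a map of <Directory> path -> pairs.
    Names are lower-cased; comments and blank lines skipped; nesting rejected."""
    top: Pairs = []
    dirs: Dict[str, Pairs] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = _OPEN.match(line)
        if opened:
            if current is not None:
                raise ValueError("nested <Directory> is not supported")
            current = opened.group(1)
            dirs.setdefault(current, [])
        elif _CLOSE.match(line):
            if current is None:
                raise ValueError("</Directory> without an open block")
            current = None
        else:
            name, _, arg = line.partition(" ")
            (top if current is None else dirs[current]).append((name.lower(), arg.strip()))
    if current is not None:
        raise ValueError(f"<Directory {current}> is never closed")
    return top, dirs


def _options(pairs: Pairs) -> set:
    """All tokens given to Options directives in one scope, signs included."""
    return {tok for name, arg in pairs if name == "options" for tok in arg.split()}


def _denies_all(pairs: Pairs) -> bool:
    """Apache 2.2 idiom: 'order deny,allow' plus 'deny from all' and no allow line."""
    order = next((a.replace(" ", "").lower() for n, a in pairs if n == "order"), "")
    denied = any(n == "deny" and a.lower() == "from all" for n, a in pairs)
    return order == "deny,allow" and denied and not any(n == "allow" for n, _ in pairs)


def audit_httpd_conf(text: str) -> List[str]:
    """Findings against the hardened configuration shown on the page."""
    top, dirs = parse_config(text)
    findings: List[str] = []
    if not _denies_all(dirs.get("/", [])):
        findings.append("<Directory />: must 'order deny,allow' and 'deny from all'")
    user = next((a for n, a in top if n == "serveruserid"), None)
    if user is None:
        findings.append(f"ServerUserID missing: CGI would run as {DEFAULT_CGI_USER}")
    elif user.upper() == DEFAULT_CGI_USER:
        findings.append("ServerUserID names the default CGI profile")
    for scope, pairs in [("top level", top)] + list(dirs.items()):
        opts = _options(pairs)
        if opts & {"ExecCGI", "+ExecCGI"} and scope != CGI_DIR:
            findings.append(f"{scope}: ExecCGI enabled outside {CGI_DIR}")
        if opts & {"FollowSymLinks", "+FollowSymLinks"}:
            findings.append(f"{scope}: FollowSymLinks enabled")
    return findings


# Constructed inputs: the page's hardened instance (log lines omitted) and a
# weak variant with the mistakes the checker looks for.
HARDENED_CONF = """\
Listen *:80
DocumentRoot /www/webdocs/htdocs
Options -ExecCGI -FollowSymLinks -SymLinksIfOwnerMatch -Includes -Indexes MultiViews
<Directory />
order deny,allow
deny from all
</Directory>
<Directory /www/webdocs/htdocs>
order allow,deny
allow from all
</Directory>
ServerUserID RJSNFS
ScriptAliasMatch ^/IMAGESERVER/(.*) /QSYS.LIB/RJSIMAGE.LIB/$1.PGM
<Directory /QSYS.LIB/RJSIMAGE.LIB/>
SetHandler cgi-script
Options +ExecCGI
order allow,deny
allow from all
CgiConvMode %%EBCDIC/MIXED%%
</Directory>
"""
WEAK_CONF = """\
Listen *:80
DocumentRoot /www/webdocs/htdocs
Options +FollowSymLinks
<Directory />
order allow,deny
allow from all
</Directory>
<Directory /www/webdocs/htdocs>
Options +ExecCGI
</Directory>
"""
```

Run it against the instance's saved configuration after every change made through the Web Administration interface; the weak variant above yields four findings (open root directory, missing ServerUserID, ExecCGI in the document root and FollowSymLinks at top level), while the listing from the page yields none.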

8. Final considerations

In closing, there are a few advantages and concerns of this method that deserve highlighting.

First, since we have provided read and write authority appropriately on the share, subdirectories on the share may be created using the standard iSeries commands, manually or from a custom CL program. The structure of the command is the same; simply specify the path the share is mounted on, with the subfolder you wish to create (in our example, 2011):

MKDIR DIR('/RJSIMAGEDOC/NFS/2011')

Second, in the "Configure WebDocs iSeries to use share" section above, we assumed that only the user created in the "Create and configure iSeries user" section would be used to check in documents. If documents only enter WebDocs iSeries via the web interface or Batch Report Server/400, the one user created in this document may be sufficient. Even if your input methods expand to include applications such as Scan Workstation and Tray Capture Utility, this same user may be used to check in documents to WebDocs iSeries. While that works, it may undo the security you just set up, because the one mapped profile would then be in use from every capture workstation. To maintain security, additional users may be configured in the same manner as the first, but setting up UID mappings between existing iSeries and Active Directory users is difficult and sometimes intractable.

A simpler and more elegant approach may be to use a staging process for storage: documents are checked into a local IFS directory immediately, and a scheduled job periodically moves documents older than a set age to the NFS server. The advantage of this method is that only the user running the scheduled job and the CGI user need to be mapped; all other users continue to use standard IFS security. A how-to article on this method, with sample source code, is forthcoming; a reference to it will be added to this document when it has been published.
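The staging sweep described above, as an added example (not the forthcoming RJS article's code and not a WebDocs function): a job that moves documents older than a cut-off from a local staging folder to the mounted NFS directory, keeping the folder structure. The assumptions are ours: the job runs on the iSeries under the mapped RJSNFS profile, the staging path /RJSIMAGEDOC/STAGE and the 30-day cut-off are illustrative, a document's age is its modification time, and Python stands in for the CL or RPG the real job would be written in. It also guards against the one failure mode this layout creates: when the NFS mount is not active, /RJSIMAGEDOC/NFS is just a local directory with *PUBLIC *RWX, so the job refuses to write there.

```python
"""Staging move from a local IFS directory to the NFS mount (added example)."""
import os
import shutil
import tempfile
import time
from pathlib import Path
from typing import List, Optional, Tuple


class NfsNotMounted(RuntimeError):
    """The target is a plain directory, not an active mount: writing there would
    leave documents in the local *PUBLIC *RWX mount point, not on the server."""


def is_settled(path: Path, min_age_seconds: float, now: float) -> bool:
    """Only documents older than the cut-off move, so a file that a check-in
    is still writing is never copied half-way."""
    return now - path.stat().st_mtime >= min_age_seconds


def stage_to_nfs(staging_root: Path, nfs_root: Path, min_age_days: float,
                 now: Optional[float] = None, require_mount: bool = True,
                 dry_run: bool = False) -> List[Tuple[Path, Path]]:
    """Move every settled file under staging_root to the same relative path
    under nfs_root; return the (source, destination) pairs. Each file is copied
    to a temporary name and renamed into place, so a reader on the NFS side
    never sees a partial document, and nothing is ever overwritten."""
    if require_mount and not os.path.ismount(nfs_root):
        raise NfsNotMounted(f"{nfs_root} is not an active mount point")
    now = time.time() if now is None else now
    min_age = min_age_days * 86400
    moved: List[Tuple[Path, Path]] = []
    for src in sorted(p for p in staging_root.rglob("*") if p.is_file()):
        if not is_settled(src, min_age, now):
            continue
        dst = nfs_root / src.relative_to(staging_root)
        if dst.exists():
            same = (dst.stat().st_size, int(dst.stat().st_mtime)) == \
                   (src.stat().st_size, int(src.stat().st_mtime))
            if not same:
                raise FileExistsError(f"refusing to overwrite {dst}")
            if not dry_run:
                src.unlink()   # an earlier run renamed it but died before this unlink
            moved.append((src, dst))
            continue
        if not dry_run:
            dst.parent.mkdir(parents=True, exist_ok=True)
            part = dst.with_name(dst.name + ".part")
            shutil.copy2(src, part)   # copy data and timestamps across file systems
            os.replace(part, dst)     # atomic rename within the NFS directory
            src.unlink()              # drop the local copy only after the rename
        moved.append((src, dst))
    return moved


def demo(now: Optional[float] = None) -> dict:
    """Constructed run on a throw-away tree: one 40-day-old document and one
    fresh one under the staging folder, 30-day cut-off, mount check disabled
    because the temporary directory is not a real mount."""
    now = time.time() if now is None else now
    with tempfile.TemporaryDirectory() as tmp:
        staging = Path(tmp) / "RJSIMAGEDOC" / "STAGE"
        nfs = Path(tmp) / "RJSIMAGEDOC" / "NFS"
        old = staging / "2011" / "invoice-0001.pdf"
        fresh = staging / "2011" / "invoice-0002.pdf"
        for doc in (old, fresh):
            doc.parent.mkdir(parents=True, exist_ok=True)
            doc.write_bytes(b"%PDF-1.4 constructed sample document\n")
        os.utime(old, (now - 40 * 86400, now - 40 * 86400))
        os.utime(fresh, (now, now))
        moved = stage_to_nfs(staging, nfs, min_age_days=30, now=now, require_mount=False)
        return {
            "moved": [d.relative_to(nfs).as_posix() for _, d in moved],
            "left": [p.relative_to(staging).as_posix() for p in staging.rglob("*") if p.is_file()],
            "on_nfs": [p.relative_to(nfs).as_posix() for p in nfs.rglob("*") if p.is_file()],
        }
```

Schedule it to run as the mapped profile with dry_run=True first to see what a sweep would move. Because the job only ever writes under the mount and the CGI user only ever reads there, those two profiles are the only ones whose UIDs have to match the Active Directory user; everyone checking documents in still lands in the staging folder under ordinary IFS authorities.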
Finally, there have been concerns among those who have a very large number of documents regarding the maximum object ownership limits per iSeries user profile. Testing on this issue is still in progress, and this article will be updated with methods for handling object ownership limits when testing is completed.

Feedback is welcome; please email Jordan Peacock at jpeacock@rjssoftware.com with any questions or requests for clarification.