The Apache-based IBM HTTP Server for i is a vital defense in web and API security for IBM i. As such, it requires regular attention.
IBM Support’s PCI Compliance web page is a resource we use to help our clients protect their systems.
Even if your organization does not process, store, or transmit credit card information, applying the PTFs recommended for PCI compliance constitutes a general best practice for IBM i web and API security.
The Apache web server—included on IBM i as HTTP Server for i—contains a powerful feature known as mod_rewrite that can convert URLs (API or Web) from their original versions to any format you need.
This article offers a small taste of what URL Rewriting can do.
Open source saves the day once again.
When one of our open source support clients discovered that Tomcat plugin for Apache was not supported on their test IBM i 7.5 system, they needed a solution. They relied on Tomcat to serve their Java web applications.
A client asked for help addressing a Denial of Service (DoS) vulnerability that their security company discovered. The company found it could slow down the Apache web server by sending it incorrect headers. By sending an artificially high “Content-Length” header, they caused the web server to wait for data that would never come.
Speed is critical when serving APIs and web pages from IBM i. How can we measure our speed? The IBM HTTP Server (powered by Apache) for i can log the speed of each request, but this capability needs to be turned on.
Default values in the Apache access log include the request’s URL, the HTTP status code, size of the response in bytes, and the user agent (e.g. browser type), but not how long the request took. Let’s see how to add the timing.
A few months after we published the article Apache for IBM i: Where to Find Documentation, astute reader Paul Nicolay of Cegeka shared yet another hard-to-find Apache resource with us.
Paul recommends IBM Support’s IBM HTTP Server for i PCI Compliance page for organizations following the stringent PCI DSS security standard for accepting card payments. In addition to confirming that Apache on IBM i is a PCI-compliant web server, the page lists the IBM i PTFs required to fix known vulnerabilities.
Open source continues to gain traction in IBM i shops, and for good reason. It excels at delivering new interfaces and functionality for RPG and COBOL applications, plus it broadens the talent pool for your development team.
When it comes to finding information on HTTP Server for IBM i (based on Apache), Google is NOT the way to go!
Recently Calvin did a web search for Apache’s ServerUserID directive. It returned old forum posts that could have taken anyone down a rabbit hole—a waste of time at best.
HTTP Server for i (Powered by Apache) is the IBM i integrated web server. Although this unique implementation of Apache is well documented by IBM, that documentation can be hard to find. Internet searches often return outdated or irrelevant links.
Some key security measures, such as using TLS encryption (https://) are taken for granted. Others are often missed until they are flagged by a security scan.
Here are two easy changes that have helped some of our clients reduce perceived vulnerabilities. These changes, typically made in the Apache web server’s httpd.conf files, may stop unnecessary exposure of web server information, as well as satisfying security scanners.