Technical Support

WebDocs

Secure configuration of NFS on Windows 2008 Server for WebDocs iSeries

Setting up NFS on Windows in a secure manner can be done, but it can be tricky, as it requires translating authorities between UNIX-based and non-UNIX-based file systems. The way this is ultimately accomplished is by matching UIDs on the server and client operating systems.

This is done differently on different versions of Windows. Prior to 2008 Server, the Windows Services for Unix (SFU) package provided a User Mapping utility, which we will discuss next week when we address 2003 Server. With 2008 Server, the SFU package was rolled into the core operating system as the Subsystem for Unix-based Applications (SUA), but sans the User Mapping utility. In its place, assuming the existence of a domain and an Active Directory (AD) server, user IDs have a UNIX Attributes property which allows us to define a UNIX UID to use for interactions with NFS shares.

Configure NFS on Windows Server 2008

Create and configure user in Active Directory

Create an NFS share

Create and configure iSeries user

Create IFS directory and mount share

Configure WebDocs iSeries to use share

Modify the Apache web server configuration

Final considerations

WebDocs Technical Documentation

Release date: 1/7/11

Configure NFS on Windows Server 2008

These instructions assume that you already have an Active Directory Domain Controller configured elsewhere.

On your file server:

Open Server Manager: Start > Administrative Tools > Server Manager

In the upper left, expand Roles.

Select Add Roles.

Select File Services, and follow the prompts.

Once the File Services role is installed, return to Server Manager, and select Add Role Services. You will want to add the Services for Network File System role service.

You may need to restart the server.

On the Active Directory server:

Start > Administrative Tools > Server Manager

In the upper left, expand Roles.

Select Add Role Services. You need to add Identity Management for UNIX and its sub-Role Services if they are not already installed.


Back on the file server:

Open Server Manager, expand Roles, expand File Services and select Share and Storage Management.

On the right, select Edit NFS configuration. This will present a wizard with the following steps:

Select an Identity Mapping Solution *

Set Up Domain Authorization *

Open Firewall Ports *

Use NFS to Share Folders *

Additional Information

We will only be handling the Identity Mapping here. This article will assume that Domain Authorization has been configured and that the appropriate firewall ports are open.

Select the first step, and click the Identity Mapping Wizard button.

You're presented with three options.

Do not use an identity mapping solution is for configuring NFS to use anonymous access - we're trying to avoid that.

Retrieve identity mappings from User Name Mapping asks for the hostname of a pre-Windows 2008 server with the SFU User Mapping configured.

We will go with the recommended method, Retrieve identity mappings from Active Directory.


Select your Active Directory domain.

Confirm the values and click Configure.

You should see Success; click Close.


Create and configure user in Active Directory

These instructions assume that a UNIX Group GID and NIS domain have been created.

On the Active Directory server:

Create a user for WebDocs iSeries. We'll call our user RJSNFS.

Start > Administrative Tools > Active Directory Users and Computers.

Expand the domain, and select Users. Right-click in the right pane and select New > User.

Follow the prompts and click Finish.

Select the user and right-click. Go to Properties and select the UNIX Attributes tab.

Select the NIS domain from the dropdown. Select the appropriate group from the dropdown (Primary group name/GID). Choose a UID that is unique on both the iSeries and Active Directory.

Select Apply > OK.

For more information, please refer to Microsoft's Technet article on the subject.


Create an NFS share

Create a folder on your file server to use as the share directory. For this example, we'll use C:\RJSNFS. Right-click on the folder, go to Properties.

Select the Security tab, and select Edit. Add the user you created in Step 2, with the Read, Write, Read & Execute and List folder contents authorities.

In Server Manager, expand Roles, expand File Services, select Share and Storage Management.

On the right, under Actions, select Provision Share.


Under Location, browse to C:\RJSNFS and select OK.

Click Next.

Choose radio button: No, do not change NTFS permissions.

Click Next.

Check NFS, create a Share name.

Make a note of the share path (servername:/sharename). This is what will be used when you mount the share on the iSeries.

Click Next.


Configure permissions. Click Add. Specify the host IP for the iSeries. Keep the Encoding as ANSI. Permissions should be Read-Write. Allow root access should be unchecked.

You should now have two entries: one with your iSeries IP address, and one for ALL MACHINES. Edit the ALL MACHINES entry, and set it to No Access.

Click Next.

Look over the settings, select Create.


You should see Success. Click Close.

You'll now see the share listed under Share and Storage Management.
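What the server actually does with the identity mapping from Step 1 and the share permissions just configured can be modelled in a few lines. The following Python is an added example, not code from this document or from Microsoft's NFS server: it encodes and decodes the AUTH_SYS credential an NFS client sends with each RPC call (RFC 5531), which carries nothing but numeric uid/gid values, which is why the UIDs on both sides have to agree. It then applies the share rules above (the iSeries host is Read-Write, ALL MACHINES is No Access, root access is unchecked) and resolves the uid through a uidNumber-to-account table standing in for the AD UNIX Attributes. The UID 5001, the machine name and the second client address are constructed sample values.

```python
"""Model of an NFS server admitting a request: the client's AUTH_SYS credential
(RFC 5531) carries numeric uid/gid values only, so the server first checks the
share's per-machine permissions and then maps the uid to a local account."""
import struct
from ipaddress import ip_address

# --- constructed sample configuration (illustrative values, not from a live system) ---
# Share permissions as set up in the walkthrough: the iSeries host is Read-Write with
# root access unchecked, and the ALL MACHINES entry is No Access.
SHARE_PERMISSIONS = {
    "1.1.1.1": {"access": "rw", "allow_root": False},
    "ALL MACHINES": {"access": "none", "allow_root": False},
}

# Stand-in for the mapping the server retrieves from Active Directory:
# the uidNumber stored under the user's UNIX Attributes -> the Windows account.
AD_UID_MAP = {5001: "RJSNFS"}  # 5001 is a made-up UID chosen to be unique on both sides


def build_auth_sys(stamp, machinename, uid, gid, gids):
    """XDR-encode an AUTH_SYS credential body: stamp, machinename, uid, gid, gids."""
    name = machinename.encode()
    body = struct.pack(">I", stamp)
    body += struct.pack(">I", len(name)) + name + b"\0" * ((-len(name)) % 4)
    body += struct.pack(">II", uid, gid)
    body += struct.pack(">I", len(gids)) + b"".join(struct.pack(">I", g) for g in gids)
    return body


def parse_auth_sys(body):
    """Decode an AUTH_SYS credential body; rejects truncated or oversized fields."""
    off = 0

    def u32():
        nonlocal off
        if off + 4 > len(body):
            raise ValueError("truncated credential")
        (value,) = struct.unpack_from(">I", body, off)
        off += 4
        return value

    stamp = u32()
    name_len = u32()
    if name_len > 255 or off + name_len > len(body):  # machinename is at most 255 bytes
        raise ValueError("bad machinename length")
    machinename = body[off:off + name_len].decode()
    off += name_len + ((-name_len) % 4)              # skip XDR padding to a 4-byte boundary
    uid, gid = u32(), u32()
    ngids = u32()
    if ngids > 16:                                  # at most 16 supplementary gids
        raise ValueError("too many gids")
    gids = [u32() for _ in range(ngids)]
    return {"stamp": stamp, "machinename": machinename, "uid": uid, "gid": gid, "gids": gids}


def authorize(client_ip, cred_body):
    """Return (access, account): host rule first, then root squash, then uid mapping."""
    cred = parse_auth_sys(cred_body)
    rule = SHARE_PERMISSIONS.get(str(ip_address(client_ip)), SHARE_PERMISSIONS["ALL MACHINES"])
    if rule["access"] == "none":
        return ("deny", None)   # unlisted hosts fall through to ALL MACHINES = No Access
    if cred["uid"] == 0 and not rule["allow_root"]:
        return ("deny", None)   # "Allow root access" unchecked: uid 0 is squashed, not honoured
    account = AD_UID_MAP.get(cred["uid"])
    if account is None:
        return ("deny", None)   # no matching UNIX Attributes: would be anonymous, which we avoid
    return (rule["access"], account)


if __name__ == "__main__":
    cred = build_auth_sys(stamp=1, machinename="iseries", uid=5001, gid=5001, gids=[5001])
    print(authorize("1.1.1.1", cred))    # ('rw', 'RJSNFS')
    print(authorize("10.0.0.9", cred))   # ('deny', None)
```

The order of the checks is the point: the machine entry decides before any uid is looked at, and only a uid that exists in the mapping reaches the share with a real identity, so a mismatched UID on the iSeries side silently degrades to the anonymous case the wizard told us to avoid.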


Create and configure iSeries user

Sign on to the iSeries as a security officer.

At a command line, prompt on the CRTUSRPRF command. F10 will display additional parameters.

Change the UID parameter from *GEN to the UID you specified in Step 2.

The user must have the *IOSYSCFG special authority in order to mount.

Additionally, make sure that the user has appropriate authorities to the RJS libraries (RJSIMAGE in particular) and to the IFS. When ready, create the user account.

For additional security, you may wish to set this user's initial program to SIGNOFF to prevent logins. The intent is that this user will be used to submit jobs that relate to WebDocs, and to mount the NFS share - this user is not intended for general system use.


Create IFS directory and mount share

WebDocs iSeries automatically creates an RJSIMAGEDOC folder under root (denoted by /) initially. We will create a subfolder underneath it for NFS. This is necessary because, in order to successfully mount an external file system, the IFS directory being mounted to must give *PUBLIC *RWX rights. If this directory is immediately under /, then any user with IFS access can read and write to the entire share.

By mounting to a child directory which has *PUBLIC *RWX, we are still able to secure the IFS directory by locking down the parent. Only security officers and the iSeries user created in Step 4 should have access to /RJSIMAGEDOC, and they should have all rights to it.

MKDIR DIR('/RJSIMAGEDOC/NFS') DTAAUT(*RWX)

(The *PUBLIC data authority of a new directory is set with the DTAAUT parameter; OBJAUT takes object authorities such as *NONE or *ALL and does not accept *RWX.)

Now you can mount the share to this directory (as the user created in Step 4, where 1.1.1.1 is the IP address of your NFS file server).

DOCMOUNT HOST('1.1.1.1') NFSSHARE('/RJSNFS') IFSDIR('/RJSIMAGEDOC/NFS')
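The reason the mount point sits under a locked-down parent rather than directly under / is that IFS authority is checked along the whole path: a user needs *X on every directory above an object before that object's own authority matters. The following Python model is an added example, not code from this document or from IBM; the directory tree, the *PUBLIC *RX assumed on /, and the user names SOMEUSER and QSECOFR are constructed to mirror the layout described above, and it also shows the flat layout the text warns against.

```python
"""Model of IFS authority checking along a path: every ancestor directory must grant *X
before the target directory's own authority is consulted, so a locked-down parent
protects a mount point that has to carry *PUBLIC *RWX."""
from dataclasses import dataclass, field

# IFS data authorities expressed as the r/w/x bits they grant.
DATA_AUTH = {
    "*RWX": set("rwx"), "*RX": set("rx"), "*RW": set("rw"), "*WX": set("wx"),
    "*R": set("r"), "*W": set("w"), "*X": set("x"), "*EXCLUDE": set(),
}


@dataclass
class IfsDir:
    public: str                                   # *PUBLIC data authority, e.g. "*RWX"
    private: dict = field(default_factory=dict)   # user profile -> data authority


SECURITY_OFFICERS = {"QSECOFR"}   # assumed *ALLOBJ holders, who bypass the checks entirely


def granted(directory, user):
    """A private authority entry overrides *PUBLIC for that user."""
    return DATA_AUTH[directory.private.get(user, directory.public)]


def can_access(tree, user, path, want):
    """True if `user` can traverse every ancestor of `path` and holds `want` on `path`."""
    if user in SECURITY_OFFICERS:
        return True
    parts = [p for p in path.split("/") if p]
    ancestors = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]
    for ancestor in ancestors:
        if "x" not in granted(tree[ancestor], user):
            return False                          # cannot even enter this directory
    return set(want) <= granted(tree[path], user)


# --- constructed tree mirroring the layout in the document (authorities are assumptions) ---
RECOMMENDED = {
    "/": IfsDir(public="*RX"),
    "/RJSIMAGEDOC": IfsDir(public="*EXCLUDE", private={"RJSNFS": "*RWX"}),
    "/RJSIMAGEDOC/NFS": IfsDir(public="*RWX"),   # mount point must be *PUBLIC *RWX
}

# The layout the document warns against: the mount point directly under /.
FLAT = {
    "/": IfsDir(public="*RX"),
    "/NFS": IfsDir(public="*RWX"),
}


if __name__ == "__main__":
    print(can_access(RECOMMENDED, "RJSNFS", "/RJSIMAGEDOC/NFS", "rw"))    # True
    print(can_access(RECOMMENDED, "SOMEUSER", "/RJSIMAGEDOC/NFS", "rw"))  # False
    print(can_access(FLAT, "SOMEUSER", "/NFS", "rw"))                     # True: share exposed
```

The *PUBLIC *RWX on the mount point is unchanged in both trees; only the *EXCLUDE on /RJSIMAGEDOC stops an arbitrary profile from reaching it, which is the whole argument for the extra level of directory.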


Configure WebDocs iSeries to use share

ADDLIBLE RJSIMAGE

GO RJSIMAGE

Option 11

Put a 2 on all folders where you wish to save to the NFS share going forward. This does not move files already on the IFS - for information on moving existing documents to the NFS file server, please refer to this post on the subject.

For each folder, modify the existing IFS path from /RJSIMAGEDOC to /RJSIMAGEDOC/NFS.


Modify the Apache web server configuration

Modify the Apache web server configuration to use the user created in Step 4.

This can be done from the 5250 emulator or via IBM's Web Administration (on port 2001 by default, if it's running).

Add the following line to your Apache configuration (line 28 in this example):

1 Listen *:80
2
3 DocumentRoot /www/WEBDOCS/htdocs
4
5 Options -ExecCGI -FollowSymLinks -SymLinksIfOwnerMatch -Includes -Indexes -MultiViews
6
7 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
8 LogFormat "%{Cookie}n \"%r\" %t" cookie
9 LogFormat "%{User-agent}i" agent
10 LogFormat "%{Referer}i -> %U" referrer
11 LogFormat "%h %l %u %t \"%r\" %>s %b" common
12 CustomLog logs/access_log combined
13 LogMaint logs/access_log 7 0
14 LogMaint logs/error_log 7 0
15
16 # Deny requests for any file
17 <Directory />
18 order deny,allow
19 deny from all
20 </Directory>
21
22 # Allow requests for files in document root
23 <Directory /www/WEBDOCS/htdocs>
24 order allow,deny
25 allow from all
26 </Directory>
27
28 ServerUserID RJSNFS
29
30
31 ScriptAliasMatch ^/IMAGESERVER/(.*) /QSYS.LIB/RJSIMAGE.LIB/$1.PGM
32 <Directory /QSYS.LIB/RJSIMAGE.LIB/>
33 SetHandler cgi-script
34 Options +ExecCGI
35 order allow,deny
36 allow from all
37 CgiConvMode %%EBCDIC/MIXED%%
38 </Directory>

Restart the Apache web server instance.

The web server instance jobs will still be owned by QTMHHTTP, but instead of calling programs and interacting with the IFS as QTMHHTP1 (the default CGI user), it will use our RJSNFS user instead.


Final considerations

In closing, there are a few peculiar advantages and concerns to this method that deserve highlighting.

First, since we have provided read and write authority appropriately on the share, subdirectories on the share may be created using the standard iSeries commands, manually or from a custom CL. The structure of the command is the same; simply specify the path that the share is mounted to, with the subfolder you wish to create (in our example, it will be called 2011).

MKDIR DIR('/RJSIMAGEDOC/NFS/2011')

Second, in the Configure WebDocs iSeries to use share section above, we assumed that only the user created in the Create and configure iSeries user section would be used to check in documents. If documents are only entering WebDocs iSeries via the web interface or Batch Report Server/400, the one user created in this document may be sufficient. Even if your input methods expand to include applications such as Scan Workstation and Tray Capture Utility, this same user may be used to check in documents to WebDocs iSeries. While this method is technically correct, it may invalidate the security you just set up.

To maintain security, additional users may be configured in the same manner as the first, but setting up user ID mappings between existing iSeries and Active Directory users is difficult and sometimes intractable.

A simpler and more elegant approach may be to use a staging process for storage:

A staging process is where documents are checked into a local IFS directory immediately, and a scheduled job periodically moves documents older than a set date to the NFS server. The advantage to this method is that only the user running this scheduled job and the CGI user need to be mapped appropriately; all other users would use standard IFS security. A how-to article on this method, with sample source code, is forthcoming. A reference to this article will be added to this document when it has been published.
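The staging process sketched above can be expressed directly: documents are written to a local staging directory by whichever user checks them in, and one scheduled job (the only profile, besides the CGI user, that needs a matching UID) later moves files older than the cutoff onto the mount, keeping the relative path so the year subfolders line up. The following Python is an added example written for this page, not the source from the forthcoming RJS article; the staging and NFS paths, the 7-day cutoff and the document names inside demo() are constructed.

```python
"""Staging process: documents land in a local IFS directory at check-in, and a
scheduled job moves those older than a cutoff onto the NFS mount, preserving the
relative path. Only the job's user profile needs a UID mapped in Active Directory."""
import os
import shutil
import tempfile
import time

SECONDS_PER_DAY = 86400


def find_stale(staging_root, max_age_days, now=None):
    """Relative paths of files under staging_root whose mtime is older than the cutoff."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * SECONDS_PER_DAY
    stale = []
    for dirpath, _dirs, files in os.walk(staging_root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.getmtime(full) < cutoff:
                stale.append(os.path.relpath(full, staging_root))
    return sorted(stale)


def move_stale(staging_root, nfs_root, max_age_days, now=None):
    """Move each stale file to the same relative path under nfs_root; never overwrite."""
    moved = []
    for rel in find_stale(staging_root, max_age_days, now):
        src = os.path.join(staging_root, rel)
        dst = os.path.join(nfs_root, rel)
        if os.path.exists(dst):
            raise FileExistsError(f"refusing to overwrite {dst}")
        os.makedirs(os.path.dirname(dst), exist_ok=True)  # e.g. the 2011 subfolder on the share
        shutil.move(src, dst)
        moved.append(rel)
    return moved


def demo():
    """Constructed run in a temporary directory standing in for the IFS and the mount."""
    base = tempfile.mkdtemp()
    staging = os.path.join(base, "staging")                # local check-in directory
    nfs = os.path.join(base, "RJSIMAGEDOC", "NFS")         # stands in for the mount point
    os.makedirs(os.path.join(staging, "2011"))
    now = time.time()
    # Three constructed documents: two past the 7-day cutoff, one checked in yesterday.
    for rel, age_days in [("2011/invoice.pdf", 10), ("report.pdf", 45), ("2011/fresh.pdf", 1)]:
        path = os.path.join(staging, rel)
        with open(path, "wb") as fh:
            fh.write(b"%PDF-constructed sample")
        stamp = now - age_days * SECONDS_PER_DAY
        os.utime(path, (stamp, stamp))
    try:
        moved = move_stale(staging, nfs, max_age_days=7, now=now)
        left = sorted(os.path.relpath(os.path.join(d, f), staging)
                      for d, _, fs in os.walk(staging) for f in fs)
        landed = sorted(os.path.relpath(os.path.join(d, f), nfs)
                        for d, _, fs in os.walk(nfs) for f in fs)
    finally:
        shutil.rmtree(base)
    return moved, left, landed


if __name__ == "__main__":
    print(demo())  # (['2011/invoice.pdf', 'report.pdf'], ['2011/fresh.pdf'], ['2011/invoice.pdf', 'report.pdf'])
```

Because the job refuses to overwrite an existing file on the share, a re-run after a partial failure cannot clobber a document that already arrived; on the real system the staging directory would carry ordinary IFS authorities, and only the job's profile would need the UID from Step 2.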

Finally, there have been concerns among those who have a massive number of documents regarding maximum object ownership limits per iSeries user. Testing on this issue is still in process, and this article will be updated with methods for handling object ownership limits when testing is completed.

Feedback is welcome; please email Jordan Peacock at [email protected] with any questions or requests for clarification.