Secure configuration of NFS on Windows 2008 Server for WebDocs iSeries
Setting up NFS on Windows in a secure manner can be done, but it is tricky, because it requires translating
authorities between UNIX-based and non-UNIX-based file systems. Ultimately this is accomplished by matching
UIDs on the server and client operating systems: the NFS server decides what a request may do from the numeric
UID and GID the client sends with it, so the same identity must exist, with the same UID, on both sides.
This is done differently on different versions of Windows. Prior to 2008 Server, the Windows Services for
UNIX (SFU) package provided a User Name Mapping utility, which we will discuss next week when we address
2003 Server. With 2008 Server, the SFU package was rolled into the core operating system as the
Subsystem for UNIX-based Applications (SUA), but without the User Name Mapping utility. In its place, assuming
the existence of a domain and an Active Directory (AD) server, user accounts have a UNIX Attributes property
sheet which allows us to define the UNIX UID used for interactions with NFS shares.
Configure NFS on Windows Server 2008
Create and configure user in Active Directory
Create an NFS share
Create and configure iSeries user
Create IFS directory and mount share
Configure WebDocs iSeries to use share
Modify the Apache web server configuration
Final considerations
WebDocs Technical Documentation
Release date: 1/7/11 Page 2
Configure NFS on Windows Server 2008
These instructions assume that you already have an Active Directory Domain Controller
configured elsewhere.
On your file server
Open Server Manager:
Start > Administrative Tools > Server Manager
In the upper left, expand Roles.
Select Add Roles
Select File Services, and follow the prompts.
Once the File Services role is installed, return to Server Manager and select Add Role Services. Add the
Services for Network File System role service.
You may need to restart the server.
On the Active Directory server:
Start > Administrative Tools > Server Manager
In the upper left, expand Roles.
Select Add Role Services. Add Identity Management for UNIX and its sub-role services if they are not
already installed.
Back on the file server:
Open Server Manager, expand Roles, expand File Services and select Share and Storage
Management.
On the right, select Edit NFS configuration. This will present a wizard with the following steps:
Select an Identity Mapping Solution *
Set Up Domain Authorization *
Open Firewall Ports *
Use NFS to Share Folders *
Additional Information
We will only be handling the Identity Mapping here. This article assumes that Domain Authorization has
been configured and that the appropriate firewall ports are open.
Select the first step, and click the Identity Mapping Wizard button.
You're presented with three options.
Do not use an identity mapping solution is for configuring NFS to use anonymous access. We're trying to
avoid that.
Retrieve identity mappings from User Name Mapping asks for the hostname of a pre-Windows 2008 server with
the SFU User Name Mapping service configured.
We will go with the recommended method, Retrieve identity mappings from Active Directory.
Select your Active Directory domain.
Confirm the values and click Configure.
You should see Success. Click Close.
Create and configure user in Active Directory
These instructions assume that a UNIX Group GID and NIS domain have been created.
On the Active Directory server:
Create a user for WebDocs iSeries. We'll call our user RJSNFS.
Start > Administrative Tools > Active Directory Users and Computers.
Expand the domain, and select Users. Right-click in the right pane and select New > User.
Follow the prompts and click Finish.
Select the user and right-click. Go to Properties and select the UNIX Attributes tab.
Select the NIS domain from the dropdown. Select the appropriate group from the dropdown (Primary group
name/GID). Choose a UID that is unique on both the iSeries and Active Directory.
Select Apply > OK.
For more information, please refer to Microsoft's TechNet article on the subject.
Create an NFS share
Create a folder on your file server to use as the share directory. For this example, we'll use C:\RJSNFS.
Right-click on the folder and go to Properties.
Select the Security tab, and select Edit. Add the user you created in Step 2 with the Read, Write,
Read & Execute and List folder contents permissions. Do not grant Modify or Full Control; the account has
no need to delete files or change permissions on the share.
In Server Manager, expand Roles, expand File Services, and select Share and Storage Management.
On the right, under Actions, select Provision Share.
Under Location, browse to C:\RJSNFS and select OK.
Click Next.
Choose the radio button No, do not change NTFS permissions.
Click Next.
Check NFS and create a share name.
Make a note of the share path (servername:/sharename). This is what will be used when you mount the
share on the iSeries.
Click Next.
Configure permissions. Click Add. Specify the host IP for the iSeries. Keep the Encoding as ANSI.
Permissions should be Read-Write. Allow root access should be unchecked: with root access disabled, a
request arriving as UID 0 from the client is treated as the anonymous user rather than as an administrator
of the share.
You should now have two entries; one with your iSeries IP address, and one for ALL MACHINES. Edit the
ALL MACHINES entry and set it to No Access, so that only the iSeries can mount the share at all.
Click Next.
Look over the settings, then select Create.
You should see success. Click Close.
You'll now see the share listed under Share and Storage Management.
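The three Windows-side sections above (UNIX attributes on the AD account, the NTFS ACL on the folder, and an NFS export restricted to the iSeries) can also be scripted, which makes the hardening choices explicit and reviewable. The following is an added example and is not part of the WebDocs document or of RJS's tooling. It assumes a domain called EXAMPLE with a NIS domain named "example", an existing UNIX group with GID 5000, UID 5001 chosen for RJSNFS, a file server that already has the Services for NFS role service installed, and Windows Server 2008 R2 or later for the ActiveDirectory PowerShell module; none of those values come from the page. The icacls rights mask and the way nfsshare treats hosts that are not listed should be confirmed with the verification step at the end, and the ALL MACHINES entry corrected in Share and Storage Management if it is not No Access.

```powershell
# Added example (not from the WebDocs document). Scripts the Windows-side
# steps: UNIX attributes on the AD user, NTFS ACL on the folder, NFS export
# restricted to the iSeries. Run elevated on the file server as a domain
# admin with the ActiveDirectory module (RSAT, Server 2008 R2+) available.
#
# Assumed values (replace for your site; none of these come from the page):
$Domain    = 'EXAMPLE'       # NetBIOS domain name
$NisDomain = 'example'       # NIS domain created under Identity Management for UNIX
$User      = 'RJSNFS'        # service account created in Active Directory
$Uid       = 5001            # must be unique on BOTH Active Directory and the iSeries
$Gid       = 5000            # existing UNIX group GID
$SharePath = 'C:\RJSNFS'
$ShareName = 'RJSNFS'        # mounted as servername:/RJSNFS from the iSeries
$ISeriesIP = '1.1.1.1'       # the only host allowed to mount

# 1. UNIX identity for the account. These LDAP attributes are what the
#    "UNIX Attributes" tab writes; Services for NFS maps an incoming request
#    carrying UID $Uid to this Windows account before checking NTFS ACLs.
Import-Module ActiveDirectory
Set-ADUser -Identity $User -Replace @{
    uidNumber        = $Uid
    gidNumber        = $Gid
    msSFU30NisDomain = $NisDomain
    msSFU30Name      = $User.ToLower()
    loginShell       = '/bin/sh'
}

# 2. NTFS permissions: Read & Execute plus Write (which together cover Read
#    and List folder contents), inherited by files (OI) and subfolders (CI).
#    Deliberately not Modify or Full Control, so the account cannot delete
#    or re-ACL files. Inherited ACEs already on the folder are left alone.
#    The (RX,W) mask is an assumption; confirm on the Security tab afterwards.
New-Item -ItemType Directory -Path $SharePath -Force | Out-Null
icacls $SharePath /grant "$Domain\${User}:(OI)(CI)(RX,W)"

# 3. NFS export. Only the iSeries gets read-write; anon=no refuses clients
#    whose UID does not map to a Windows account; no root= option is given,
#    so UID 0 from the client is not honoured as an administrator.
nfsshare "$ShareName=$SharePath" -o anon=no -o "rw=$ISeriesIP"

# 4. Verify what the server will actually enforce. The listing must show
#    only the iSeries with read-write; if any other host or ALL MACHINES
#    has access, set ALL MACHINES to No Access in Share and Storage
#    Management as described above before mounting from the iSeries.
icacls $SharePath
nfsshare $ShareName
```

Keep the script with the change record for the server: the two listings it prints at the end are the evidence that the export is limited to one host and one mapped identity, which is the whole point of the procedure.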
Create and configure iSeries user
Sign on to the iSeries as a security officer.
At a command line, prompt on the CRTUSRPRF command. F10 will display additional parameters.
Change the UID parameter from *GEN to the UID you specified in Step 2.
The user must have the IOSYSCFG special authority in order to mount.
Additionally, make sure that the user has appropriate authorities to the RJS libraries (RJSIMAGE in
particular) and to the IFS. When ready, create the user account.
For additional security, you may wish to set this user's initial program to SIGNOFF to prevent logins.
The intent is that this user will be used to submit jobs that relate to WebDocs, and to mount the NFS
share - this user is not intended for general system use.
Create IFS directory and mount share
WebDocs iSeries automatically creates an RJSIMAGEDOC folder under root (denoted by /) when it is first
installed. We will create a subfolder underneath it for NFS. This is necessary because, in order to
successfully mount an external file system, the IFS directory being mounted to must give *PUBLIC *RWX data
authority. If this directory were immediately under /, then any user with IFS access could read and write
the entire share.
By mounting to a child directory which has *PUBLIC *RWX, we are still able to secure the IFS directory by
locking down the parent: a user who cannot traverse /RJSIMAGEDOC cannot reach /RJSIMAGEDOC/NFS, whatever
that directory's own authority says. Only security officers and the iSeries user created in Step 4 should
have access to /RJSIMAGEDOC, and they should have all rights to it.
MKDIR DIR('/RJSIMAGEDOC/NFS')
DTAAUT(*RWX)
(DTAAUT is the data authority parameter of MKDIR; OBJAUT takes object authorities such as *OBJEXIST and
does not accept *RWX.)
Now you can mount the share to this directory (as the user created in Step 4, where 1.1.1.1 is the IP
address of your NFS file server).
DOCMOUNT HOST('1.1.1.1')
NFSSHARE('/RJSNFS')
IFSDIR('/RJSIMAGEDOC/NFS')
Configure WebDocs iSeries to use share
ADDLIBLE RJSIMAGE
GO RJSIMAGE
Option 11
Put a 2 on all folders where you wish to save to the NFS share going forward. This does not move files
already on the IFS - for information on moving existing documents to the NFS file server, please refer
to this post on the subject.
For each folder, modify the existing IFS path from /RJSIMAGEDOC to /RJSIMAGEDOC/NFS.
Modify the Apache web server configuration
Modify the Apache web server configuration to use the user created in Step 4.
This can be done from the 5250 emulator or via IBM’s Web Administration (on port 2001 by default, if
it's running).
Add the following line to your Apache configuration (line 28 in this example):
1 Listen *:80
2
3 DocumentRoot /www/WEBDOCS/htdocs
4
5 Options -ExecCGI -FollowSymLinks -SymLinksIfOwnerMatch -Includes -Indexes -MultiViews
6
7 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
8 LogFormat "%{Cookie}n \"%r\" %t" cookie
9 LogFormat "%{User-agent}i" agent
10 LogFormat "%{Referer}i -> %U" referrer
11 LogFormat "%h %l %u %t \"%r\" %>s %b" common
12 CustomLog logs/access_log combined
13 LogMaint logs/access_log 7 0
14 LogMaint logs/error_log 7 0
15
16 # Deny requests for any file
17 <Directory />
18 order deny,allow
19 deny from all
20 </Directory>
21
22 # Allow requests for files in document root
23 <Directory /www/WEBDOCS/htdocs>
24 order allow,deny
25 allow from all
26 </Directory>
27
28 ServerUserID RJSNFS
29
30
31 ScriptAliasMatch ^/IMAGESERVER/(.*) /QSYS.LIB/RJSIMAGE.LIB/$1.PGM
32 <Directory /QSYS.LIB/RJSIMAGE.LIB/>
33 SetHandler cgi-script
34 Options +ExecCGI
35 order allow,deny
36 allow from all
37 CgiConvMode %%EBCDIC/MIXED%%
38 </Directory>
Restart the Apache web server instance.
The web server instance jobs will still run under QTMHHTTP, but instead of calling programs and
interacting with the IFS as QTMHHTP1 (the default CGI user), the server will use our RJSNFS user instead.
Because RJSNFS is the profile whose UID is mapped in Active Directory, documents written by the CGI
programs arrive on the share under the intended identity.
Final considerations
In closing, there are a few peculiar advantages and concerns to this method that deserve highlighting.
First, since we have provided read and write authority appropriately on the share, subdirectories on the
share may be created using the standard iSeries commands, manually or from a custom CL program. The
structure of the command is the same; simply specify the path that the share is mounted to, with the
subfolder you wish to create (in our example, it will be called 2011).
MKDIR DIR('/RJSIMAGEDOC/NFS/2011')
Second, in the Configure WebDocs iSeries to use share section above, we assumed that only the user
created in the Create and configure iSeries user section would be used to check in documents. If
documents only enter WebDocs iSeries via the web interface or Batch Report Server/400, the one user
created in this document may be sufficient. Even if your input methods expand to include applications such
as Scan Workstation and Tray Capture Utility, this same user can be used to check in documents to WebDocs
iSeries. While that works, it may undo the security you just set up: every check-in then runs under the
single mapped profile, so anyone able to run those applications inherits its access to the share, and the
server can no longer tell one person's writes from another's.
To maintain security, additional users may be configured in the same manner as the first, but setting
up user ID mappings between existing iSeries and Active Directory users is difficult and sometimes
intractable.
A simpler and more elegant approach may be to use a staging process for storage:
A staging process is where documents are checked into a local IFS directory immediately, and a
scheduled job periodically moves documents older than a set date to the NFS server. The advantage
to this method is that only the user running this scheduled job, and the CGI user need to be mapped
appropriately; all other users would use standard IFS security. A how-to article on this method, with
sample source code is forthcoming. A reference to this article will be added to this document when it
has been published.
Finally, there have been concerns amidst those who have a massive number of documents regarding
maximum object ownership limits per iSeries user. Testing on this issue is still in process, and this
article will be updated with methods for handling object ownership limits when testing is completed.
Feedback is welcomed, please email Jordan Peacock at [email protected] with any questions
or requests for clarification.