Example: Adjusting Access for Profound UI Programs



Introduction

In this example, we'll show you how to adjust user access to Profound UI components. This particular example explains how to allow only certain users to access the Profound UI "Welcome" page as well as the License Key pages. You can find more information regarding which Profound UI programs contain which components here. It's important to note that this example assumes that the instance name is "profoundui". If this is not the name of your instance, change it wherever the instance name appears in the commands, paths and configuration below.

Step-by-step Instructions

Step 1: Create an ASCII file (CCSID 819) to store the group info in:

You can use the following command to create an ASCII file:

QSH CMD('touch -C 819 /www/profoundui/conf/groups.txt')

Step 2: Create an ADMIN group containing the user profiles allowed to use the welcome and keys pages:

This can be done from a mapped drive with a tool like Notepad or RDi, or it can be done from green-screen with the EDTF tool. The filename is the same as the one in the previous step, so from green-screen you might do:

EDTF STMF('/www/profoundui/conf/groups.txt')

Add one line to the file that contains the group name, followed by a colon, followed by all of the users allowed, separated by spaces.  For example, this ADMIN group allows USER1, QPGMR and USER2 to access the welcome and key pages:

ADMIN: USER1 QPGMR USER2

Be sure to save your changes after this step.

Step 3: Modify the Apache configuration to use the groups file. 

The configuration file is called httpd.conf. It is located in the /www/MY-INSTANCE/conf directory of the IFS. You can edit it with any text editor, or you can use IBM's Web Administration tool, which has an "edit configuration file" option. Find the following code in the file:

<DirectoryMatch "^/QSYS\.LIB/PROFOUNDUI\.LIB/PUI000(11.{2}|22.{2}|4.{3})\.PGM">
    Require valid-user
    AuthType Basic
    AuthName "Profound UI"
    PasswdFile %%SYSTEM%%
    UserID %%CLIENT%%
</DirectoryMatch>

This is using regular expressions (a type of wildcard) to control who can access programs named PUI00011xx, PUI00022xx or PUI0004xxx.  We want to leave the 1100 series and 2200 series programs alone, but move the 4000 series programs so that they are authenticated differently. To do that, we copied and pasted the above code so that it is in the file twice, removed the 4.{3} part from the first section, and removed the 1100/2200 from the second section. Then, we edited the second section to require the ADMIN group. The result is below:

<DirectoryMatch "^/QSYS\.LIB/PROFOUNDUI\.LIB/PUI000(11.{2}|22.{2})\.PGM">
    Require valid-user
    AuthType Basic
    AuthName "Profound UI"
    PasswdFile %%SYSTEM%%
    UserID %%CLIENT%%
</DirectoryMatch>

<DirectoryMatch "^/QSYS\.LIB/PROFOUNDUI\.LIB/PUI0004.{3}\.PGM">
    AuthType Basic
    AuthName "Profound UI"
    Require group ADMIN
    GroupFile "/www/profoundui/conf/groups.txt"
    PasswdFile %%SYSTEM%%
    UserID %%CLIENT%%
</DirectoryMatch>

Notice that the above code assumes that the library and HTTP instance are both called "PROFOUNDUI". If yours is installed in a different library or IFS directory, you'll need to adjust that in the above examples.

Save your changes and exit the editor.

Step 4: Restart the HTTP Server

Any time changes are made to the httpd.conf file, you must restart the HTTP server in order for the changes to take effect.  An easy way to do that from the command-line is:

ENDTCPSVR SERVER(*HTTP) HTTPSVR(PROFOUNDUI)

WRKACTJOB JOB(PROFOUNDUI)   (Keep hitting F5 to refresh until there are no more jobs running)

STRTCPSVR SERVER(*HTTP) HTTPSVR(PROFOUNDUI)

Step 5: Test!

As with anything, you should test this to make sure it’s working!  

If you had trouble starting the instance, WRKSPLF SELECT(QTMHHTTP *ALL *ALL PROFOUNDUI) will find the job logs with errors in them.  

If you received errors from Apache, look in the most recent /www/profoundui/logs/error_log.xxxxx file to see what the error is.
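
The split made in Step 3 can also be checked offline, before the restart in Step 4, by running the two patterns and the groups.txt line against sample program paths. The Python sketch below is an added example, not part of Profound UI or of the original instructions. It assumes Python's re module treats these simple patterns the same way Apache does, models only the group check that follows a successful Basic login, and uses constructed program names.

```python
import re

# Patterns copied from the httpd.conf sections on this page.
ORIGINAL = r"^/QSYS\.LIB/PROFOUNDUI\.LIB/PUI000(11.{2}|22.{2}|4.{3})\.PGM"
SECTIONS = [  # (pattern, requirement) after the split in Step 3
    (r"^/QSYS\.LIB/PROFOUNDUI\.LIB/PUI000(11.{2}|22.{2})\.PGM", "valid-user"),
    (r"^/QSYS\.LIB/PROFOUNDUI\.LIB/PUI0004.{3}\.PGM", "group ADMIN"),
]
GROUPS_TXT = "ADMIN: USER1 QPGMR USER2\n"  # groups.txt line from Step 2
# Constructed program names: one per series, plus one outside every series.
SAMPLE_PATHS = ["/QSYS.LIB/PROFOUNDUI.LIB/PUI000%s.PGM" % n
                for n in ("1100", "2205", "4100", "9999")]

def parse_groups(text):
    """Parse 'GROUP: USER1 USER2' lines into {group: set_of_users}."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, sep, members = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed group line: {line!r}")
        groups.setdefault(name.strip(), set()).update(members.split())
    return groups

def requirement(path):
    """Requirement of the one section matching path, or None if none does."""
    hits = [req for pattern, req in SECTIONS if re.search(pattern, path)]
    if len(hits) > 1:
        raise ValueError(f"{path} matches more than one section")
    return hits[0] if hits else None

def is_allowed(user, path, groups):
    """Outcome for a user who has already passed Basic authentication."""
    req = requirement(path)
    if req is None:
        return None  # not governed by either section shown here
    if req == "valid-user":
        return True
    return user in groups.get(req.split()[1], set())  # exact-case comparison

def split_is_consistent(paths):
    """True if the two sections together cover exactly what ORIGINAL covered."""
    return all(bool(re.search(ORIGINAL, p)) == (requirement(p) is not None)
               for p in paths)

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(path, requirement(path), is_allowed("USER3", path, parse_groups(GROUPS_TXT)))
```

A result of None means neither section applies to that path, so access to it is decided by whatever other configuration covers it.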