Validation List



A validation list is a special object type within IBM i. Validation lists are used to store user credentials in a secure encrypted object. A validation list can be used to authenticate a web user without creating an actual IBM i user profile. This grants no object authorities to the user. If a user logs in to a web application under a user name from a validation list, they have the same authority as the QTMHHTP1 user profile.

Creating a Validation List and Users

Creating a validation list is as simple as adding a user to the list. If the validation list does not already exist, it will be created for you.

First, you must start the *ADMIN server using the command:
STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)

The *ADMIN server provides a number of browser-based HTTP configuration tools served from port 2001. To access these tools, go to:

http://iSeriesServer:2001/

If you are on a version of IBM i before 6.1, you will use the IBM Web Administration for i5/OS option.

If you are running 6.1 or above, IBM Web Administration is found under the Internet Configurations option in the i5/OS Management section.

You will then enter the HTTP Admin interface.

Then navigate to the Advanced tab and then the Internet Users and Groups subtab.

From here you will find options to add, change, delete, and list internet users on the left-hand side of the screen. Select the Add Internet User option to open the entry screen.

On this screen enter the following items:

  • User Name - Enter a user name for your validation list user.

  • Password - Enter a password for your validation list user.

  • Confirm Password - Reenter password.

  • Comments - Enter any additional comments about the user.

  • Validation List - Enter the name of the validation list to add the user to. You should enter this name in LIBRARY/LIST format. This is case sensitive so it is recommended to use all caps. (Once again, if the validation list does not exist, it will be created.)

The group file and group parameters will not be used in this situation and should be left blank.

Repeat this process to add additional users as needed.

Enabling Validation Lists for Profound UI

The directives needed to configure Profound UI to use validation lists are already in your httpd.conf configuration file, but they are commented out. To enable, open your httpd.conf file for editing. You can do so from a command line by entering:

EDTF '/www/profoundui/conf/httpd.conf'

First, you will need to find the following directives:

# Use the following section for IBM i profile authentication.
<DirectoryMatch "^/QSYS\.LIB/PROFOUNDUI\.LIB/PUI000(3.{3})\.PGM">
  Require valid-user
  AuthType Basic
  AuthName "Profound UI"
  PasswdFile %%SYSTEM%%
  UserID %%CLIENT%%
  ProfileToken On
</DirectoryMatch>
<LocationMatch "^/profoundui/auth/(.*)">
  Require valid-user
  AuthType Basic
  AuthName "Profound UI"
  PasswdFile %%SYSTEM%%
  UserID %%CLIENT%%
  ProfileToken On
</LocationMatch>

These directives tell the web server to use IBM i user names and passwords for authentication. Comment these lines out by inserting the # symbol at the beginning of each line.

Next, you will look for these directives:

# Use this section for authentication against a validation list.
# This environment variable must be set to reference the validation
# list object specified on the PasswdFile directive.
#SetEnv PUI_VLDL PROFOUNDUI/PUIVLDL
#<DirectoryMatch "^/QSYS\.LIB/PROFOUNDUI\.LIB/PUI000(3.{3})\.PGM">
#  AuthType Basic
#  AuthName "Profound UI"
#  Require valid-user
#  PasswdFile PROFOUNDUI/PUIVLDL
#</DirectoryMatch>
#<LocationMatch "^/profoundui/auth/(.*)">
#  AuthType Basic
#  AuthName "Profound UI"
#  Require valid-user
#  PasswdFile PROFOUNDUI/PUIVLDL
#</LocationMatch>

Uncomment all lines starting at the SetEnv directive by removing the # symbol at the beginning of each line. Update the SetEnv PUI_VLDL directive to point to your library and validation list, and update each instance of the PasswdFile directive with the same validation list library and name.

As with any change to httpd.conf, a restart of the Profound UI webserver will be required for the changes to take effect.
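Before restarting, it is worth confirming that the edit left the file consistent: the profile-authentication section fully commented out, and SetEnv PUI_VLDL naming the same list as every PasswdFile. The following check is an added example, not part of Profound UI; the function name check_vldl_config and the MYLIB/WEBUSERS list are hypothetical, and the sample configuration is constructed to show one PasswdFile left at its default.

```python
import re

# Constructed sample: edited httpd.conf fragment using a hypothetical
# MYLIB/WEBUSERS list. The second PasswdFile was left at the default.
SAMPLE = r'''
#  PasswdFile %%SYSTEM%%
SetEnv PUI_VLDL MYLIB/WEBUSERS
<DirectoryMatch "^/QSYS\.LIB/PROFOUNDUI\.LIB/PUI000(3.{3})\.PGM">
  AuthType Basic
  AuthName "Profound UI"
  Require valid-user
  PasswdFile MYLIB/WEBUSERS
</DirectoryMatch>
<LocationMatch "^/profoundui/auth/(.*)">
  AuthType Basic
  AuthName "Profound UI"
  Require valid-user
  PasswdFile PROFOUNDUI/PUIVLDL
</LocationMatch>
'''

def check_vldl_config(text):
    """Return a list of problems in the active (uncommented) directives."""
    problems, vldl, section, passwd_files = [], None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives have no effect
        if m := re.match(r"<(?:DirectoryMatch|LocationMatch)\s+(.+)>$", line):
            section = m.group(1)
        elif re.match(r"</(?:DirectoryMatch|LocationMatch)>$", line):
            section = None
        elif m := re.match(r"SetEnv\s+PUI_VLDL\s+(\S+)$", line):
            vldl = m.group(1)
        elif m := re.match(r"PasswdFile\s+(\S+)$", line):
            passwd_files.append((section, m.group(1)))
    if vldl is None:
        problems.append("SetEnv PUI_VLDL is missing or still commented out")
    elif vldl.count("/") != 1 or vldl != vldl.upper():
        problems.append(f"PUI_VLDL {vldl} is not an upper-case LIBRARY/LIST name")
    for section, value in passwd_files:
        if value == "%%SYSTEM%%":
            problems.append(f"{section}: IBM i profile authentication is still active")
        elif vldl is not None and value != vldl:
            problems.append(f"{section}: PasswdFile {value} does not match PUI_VLDL {vldl}")
    return problems

if __name__ == "__main__":
    print("\n".join(check_vldl_config(SAMPLE)) or "configuration is consistent")
```

To check a real file, pass the contents of a copy of httpd.conf to check_vldl_config instead of SAMPLE.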