TM Commerce Server/400 User's Guide Version 1.0 COPYRIGHT c 1996 I/NET, INC. Revision A Copyright c 1996 I/NET, Inc. All Rights Reserved. No part of this book may be reproduced in any form or by any means, electronic or mechanical, including photocopying without written permission from I/NET, Inc. Commerce Server/400 is a trademark of I/NET, Inc. Other brand and product names are trademarks or registered trademarks of their respective holders. Commerce Server/400 Table of Contents Table of Contents 1. GETTING STARTED .......................................10 1.1 MIGRATION ...........................................11 1.1.1 End Web Server/400 Before Installation ..........11 1.1.2 Migrating From Web Server/400 Version 1.2. ......11 1.1.3 Migrating From a Web Server/400 Version Prior to 1.2 ...................................................12 1.2 INSTALLATION ........................................13 1.2.1 Installing Web Server/400 or Commerce Server/400 13 1.2.2 Objects Installed ...............................15 1.3 HARDWARE CONFIGURATION ..............................17 1.3.1 Hardware Requirements ...........................17 1.3.2 Network Configurations ..........................17 1.3.3 Web Server/400 over a LAN .......................17 1.3.4 Web Server/400 over the Internet - LAN Router ...18 1.3.5 Non-Network Configurations ......................18 1.4 SOFTWARE CONFIGURATION ..............................19 1.5 TCP/IP CONFIGURATION TIPS ...........................20 1.5.1 TCP/IP Terms ....................................20 1.5.2 Assigning your AS/400 an IP Address .............21 1.5.3 Working with the OS/400 commands to configure TCP/IP ................................................22 1.5.4 Starting and Testing your TCP/IP Configuration ..24 1.5.5 Host Names ......................................24 1.6 STARTING THE SERVER .................................27 1.6.1 Starting Web Server/400 or Commerce Server/400 ..27 1.6.2 Accessing the Server 
............................27 1.7 VIEWING WEB SERVER/400 DOCUMENTATION FROM A BROWSER .29 1.7.1 Accessing Document Files Directly ...............29 1.7.2 Accessing Documentation through Web Server/400 ..29 1.8 TESTING THE SETUP ...................................30 1.9 WHERE TO GO FROM HERE ...............................32 1.9.1 New since Web Server/400 Version 1.2 ............32 1.10 SETTING UP COMMERCE SERVER/400 .....................34 1.10.1 Overview .......................................34 1.10.2 Obtaining a Server Certificate .................34 1.10.3 Enabling Commerce Server/400 to do SSL .........38 1.10.4 Start the Server ...............................39 1.10.5 Testing the Server .............................39 1.10.6 Test and Evaluation Server Certificates ........40 2. USING COMMERCE SERVER/400 .............................43 2.1 WHAT IS A WEB SERVER? ...............................44 2.1.1 Introduction ....................................44 2.1.2 A Web Server's Role .............................44 2.1.3 Who Deals with a Web Server? ....................45 2.1.4 Hypertext Transfer Protocol Basics ..............46 2.2 WHAT IS A COMMERCE SERVER? ..........................47 2.2.1 Overview ........................................47 2.2.2 Commerce Serving Basics .........................48 Page 3 Commerce Server/400 Table of Contents 2.2.3 How Does Commerce Server/400 Do This? 
...........50 2.3 URL LOCATIONS .......................................53 2.3.1 OS/400 File Systems .............................53 2.3.2 Uniform Resource Locator ........................53 2.3.3 How Web Server/400 Finds a Web Document .........54 2.3.4 Special URL-paths ...............................56 2.3.5 Root URL-Paths ..................................57 2.3.6 QDLS URL-Paths ..................................57 2.3.7 QSYS URL-Paths ..................................58 2.3.8 USF URL-Paths ...................................60 2.3.9 Spooled File URL-Paths ..........................61 2.3.10 Dynamic Indexing URL-Paths .....................61 2.3.11 OS/400 File Systems ............................63 2.3.12 Symbolic Links .................................64 2.4 ALIASES .............................................65 2.4.1 Mapping a URL-Path to a Different Location ......65 2.4.2 Using Aliases to Access Other File Systems ......66 2.4.3 Using Aliases to Access Special Web Documents ...67 2.4.4 Using Aliases to Redirect URLs to Different Servers67 2.4.5 Alias Matching ..................................68 2.5 NLS ARCHITECTURE ....................................71 2.5.1 NLS Definitions .................................71 2.5.2 Serving Content .................................72 2.5.3 Serving Webulator Screens .......................72 2.5.4 Reading Configuration Files .....................72 2.5.5 Conversion Methods ..............................72 2.5.6 CCSIDs and ISO character sets ...................73 2.5.7 Limitations .....................................73 2.5.8 Related Documentation ...........................74 2.5.9 Flow of Text Conversion .........................74 2.6 CREATING CONTENT ....................................77 2.6.1 Location for files on your AS/400 ...............77 2.6.2 Using FTP to Move Your Content ..................77 2.6.3 Client Access ...................................80 2.7 USER DIRECTORIES ....................................82 
2.7.1 User Directory Example ..........................82 2.7.2 Home Directory ..................................83 2.8 ACCESSING DATABASE FILES ............................84 2.8.1 Database File Support ...........................84 2.8.2 Specifying keyword parameters ...................84 2.8.3 Accessing Source Physical Files .................85 2.8.4 Accessing Save Files ............................88 2.8.5 Accessing Physical and Logical Files ............90 2.9 CGI SCRIPTS ........................................102 2.9.1 Flow of a CGI Script ...........................102 2.9.2 Script Concepts ................................103 2.9.3 CGI Environment Variables ......................104 2.9.4 Script Inputs ..................................107 2.9.5 Script Outputs .................................110 2.9.6 Status Codes ...................................114 2.9.7 Script APIs ....................................115 2.9.8 Creating Script Programs .......................130 2.10 ACCESSING SPOOLED FILES ...........................134 2.10.1 Spooled File Support ..........................134 Page 4 Commerce Server/400 Table of Contents 2.10.2 Specifying a URL ..............................134 2.10.3 Determining Content Type ......................135 2.10.4 Authority .....................................135 2.10.5 Supported Keywords ............................136 2.10.6 Output Considerations .........................138 2.10.7 Restrictions ..................................138 2.10.8 Examples ......................................138 2.11 ULTIMEDIA SYSTEM FACILITIES .......................140 2.12 IMAGE MAPPING FEATURE .............................141 2.12.1 Including a Mapped Image ......................141 2.12.2 Configuration Issues ..........................141 2.12.3 Using Your Own Image Mapping ..................142 2.13 CONTENT TYPES .....................................143 2.14 DYNAMIC INDEXING ..................................144 2.14.1 Dynamic Indexing 
..............................144 2.14.2 Disabling Dynamic Indexing ....................144 2.14.3 Features of Dynamic Indexing ..................145 2.15 PROTECTING YOUR AS/400 INFORMATION ................150 2.15.1 OS/400 Authority ..............................151 2.15.2 Web Server/400 Scope Control ..................151 2.15.3 Web Server/400 Access Control .................152 2.15.4 Further Information About Protecting Your AS/400153 2.15.5 Authentication User Storage ...................154 2.15.6 Access Control Tutorial .......................155 2.15.7 Access Control Example ........................159 2.15.8 How Limit Sections Are Evaluated ..............161 2.16 LOGS ..............................................163 2.16.1 Server User Profile Authority Considerations ..163 2.16.2 Migration Notes for Version 1.0 Customers Logging to Log Files within QSYS .............................164 2.16.3 Log Cycling ...................................164 2.16.4 Access Log ....................................166 2.16.5 Statistics Logs ...............................170 2.16.6 Error Log .....................................176 2.17 SERVER-SIDE INCLUDES ..............................179 2.17.1 What are Server-Side Includes? ................179 2.17.2 Which Files are Parsed? .......................179 2.17.3 Server-Side Include Format ....................179 2.17.4 Supported Tags ................................180 2.17.5 Time Format Special Characters ................186 2.18 ADMINISTRATION MODE ...............................187 2.18.1 What is the Administration Mode? ..............187 3. 
COMMANDS .............................................193 3.1 WEB SERVER COMMANDS ................................194 3.1.1 Web Server/400 Commands ........................194 3.2 OPERATIONAL COMMANDS ...............................197 3.2.1 STRWWW .........................................197 3.2.2 ENDWWW .........................................202 3.2.3 STRWWWRP .......................................204 3.2.4 ENDWWWRP .......................................205 3.3 CONFIGURATION COMMANDS .............................207 3.3.1 CHGWWWCFG ......................................207 Page 5 Commerce Server/400 Table of Contents 3.3.2 SETWWWCFG ......................................209 3.3.3 WRKWWWINCL .....................................210 3.3.4 ADDWWWINCL .....................................211 3.3.5 CHGWWWINCL .....................................211 3.3.6 WRKWWWICON .....................................212 3.3.7 ADDWWWICON .....................................213 3.3.8 CHGWWWICON .....................................213 3.3.9 WRKWWWMAP ......................................214 3.3.10 ADDWWWMAP .....................................215 3.3.11 CHGWWWMAP .....................................215 3.3.12 DLTWWWMAP .....................................215 3.3.13 WRKWWWSCPL ....................................216 3.3.14 ADDWWWSCPL ....................................216 3.3.15 CHGWWWSCPL ....................................217 3.3.16 WRKWWWALS .....................................217 3.3.17 ADDWWWALS .....................................218 3.3.18 CHGWWWALS .....................................218 3.3.19 DLTWWWALS .....................................218 3.3.20 WRKWWWCTP .....................................219 3.3.21 ADDWWWCTP .....................................220 3.3.22 CHGWWWCTP .....................................220 3.3.23 DLTWWWCTP .....................................220 3.3.24 WRKWWWUSR .....................................221 3.3.25 ADDWWWUSR 
.....................................221 3.3.26 CHGWWWUSR .....................................222 3.3.27 DLTWWWUSR .....................................222 3.3.28 MIGWWWUSR .....................................222 3.3.29 WRKWWWDIR .....................................224 3.3.30 WRKWWWLIM .....................................225 3.3.31 CHGWWWDIR .....................................226 3.3.32 Common Configuration Command Parameters .......227 3.4 COMMERCE SERVER COMMANDS ...........................230 4. CONFIGURATION VALUES .................................238 4.1 ALL CONFIGURATION VALUES BY CATEGORY ...............239 4.1.1 Access Control .................................239 4.1.2 Aliases ........................................239 4.1.3 Commerce Server Support ........................239 4.1.4 Content Types ..................................240 4.1.5 Document Locations .............................240 4.1.6 Dynamic Indexing ...............................240 4.1.7 Image Mapping ..................................240 4.1.8 Include Libraries ..............................240 4.1.9 Logs ...........................................240 4.1.10 Request Processing ............................241 4.1.11 Scripts .......................................241 4.1.12 Server Administration .........................241 4.1.13 User Directories ..............................242 4.1.14 Webulator Support .............................242 4.2 ACCESS CONTROL .....................................243 4.2.1 Administrative Access Control File Path Configuration ........................................243 4.2.2 Allow Hosts ....................................244 Page 6 Commerce Server/400 Table of Contents 4.2.3 Authentication Group Entry .....................245 4.2.4 Authentication Group File Configuration ........246 4.2.5 Authentication Realm Name Configuration ........247 4.2.6 Authentication Password Storage ................248 4.2.7 Authentication Type Configuration ..............249 
4.2.8 Authentication User Entry ......................249 4.2.9 Authentication User File Configuration .........250 4.2.10 Deny Hosts ....................................251 4.2.11 Directory Section End .........................253 4.2.12 Directory Section Start .......................254 4.2.13 Directory Based Configuration File Path .......255 4.2.14 Limit Section End .............................256 4.2.15 Limit Section Start ...........................257 4.2.16 Order .........................................258 4.2.17 Require User Authentication Configuration .....259 4.3 ALIASES ............................................261 4.3.1 Alias ..........................................261 4.3.2 Alias File Path ................................262 4.4 COMMERCE SERVER SUPPORT ............................264 4.4.1 Commerce Key List File Path ....................264 4.4.2 Commerce Session Cache Size ....................265 4.4.3 Commerce Session Cache Timeout .................265 4.4.4 Commerce SSL Port ..............................266 4.4.5 SSL Version ....................................267 4.5 CONTENT TYPES ......................................269 4.5.1 Content Type Entry .............................269 4.5.2 Content Type File Path .........................270 4.6 DOCUMENT LOCATIONS .................................271 4.6.1 Default Content Type ...........................271 4.6.2 Document Root Path .............................271 4.6.3 Document Root QDLS .............................272 4.6.4 Document Root QSYS .............................273 4.6.5 Server Root Path ...............................274 4.6.6 System Icon Paths ..............................275 4.7 DYNAMIC INDEXING ...................................277 4.7.1 Add Description ................................277 4.7.2 Index Default View .............................278 4.7.3 Index Exclude ..................................279 4.7.4 Index Footer File Path .........................280 4.7.5 Index 
Header File Path .........................281 4.7.6 Index Icon Files ...............................282 4.7.7 Index Style ....................................284 4.7.8 Send Directory Content Length ..................285 4.8 IMAGE MAPPING ......................................287 4.8.1 Circle .........................................287 4.8.2 Default ........................................287 4.8.3 Image Map File Entry ...........................288 4.8.4 Image Map File Path ............................289 4.8.5 Point ..........................................289 4.8.6 Poly ...........................................290 4.8.7 Rect ...........................................291 4.9 INCLUDE LIBRARIES ..................................292 4.9.1 Include Library ................................292 4.10 LOGS ..............................................293 Page 7 Commerce Server/400 Table of Contents 4.10.1 Access Log Cycle Configuration ................293 4.10.2 Access Log File Path ..........................294 4.10.3 Error Log Cycle Configuration .................295 4.10.4 Error Log File Path ...........................297 4.10.5 Error Logging Level ...........................298 4.10.6 Statistics Log Cycle Configuration ............299 4.10.7 Statistics Log File Path ......................300 4.10.8 Statistics Raw Data Path Configuration ........301 4.11 REQUEST PROCESSING ................................303 4.11.1 Connection Queue Size .........................303 4.11.2 Initial Request Processors ....................303 4.11.3 Maximum Request Processors ....................304 4.11.4 Request Wait Timeout ..........................305 4.11.5 Timeout .......................................306 4.12 SCRIPTS ...........................................308 4.12.1 Enable Scripts ................................308 4.12.2 Script Library ................................309 4.13 SERVER ADMINISTRATION .............................310 4.13.1 Allowed Protocols 
.............................310 4.13.2 Content CCSID .................................311 4.13.3 Default Source Type ...........................311 4.13.4 Disable Server ................................312 4.13.5 Domain Name Lookup ............................313 4.13.6 File CCSID ....................................314 4.13.7 Index Name ....................................315 4.13.8 Initial Library List ..........................316 4.13.9 MultiHome .....................................317 4.13.10 Send File Content Length .....................319 4.13.11 Send File Modification Date ..................320 4.13.12 Send Server Version ..........................320 4.13.13 Server Host Name .............................321 4.13.14 Server Identifier ............................322 4.13.15 Server Protocols .............................323 4.13.16 Server Side Include Configuration ............324 4.13.17 Server User Profile ..........................324 4.13.18 Socket Port ..................................326 4.13.19 Temporary Directory ..........................326 4.14 USER DIRECTORIES ..................................328 4.14.1 Public User Directory .........................328 4.15 WEBULATOR SUPPORT .................................329 4.15.1 Maximum Sessions ..............................329 4.15.2 Webulator User File Path ......................329 4.15.3 Disable Webulator .............................330 5. 
CONFIGURATION FILES ..................................332 5.1 CONFIGURATION FILES ................................333 5.1.1 Creating a New Configuration File ..............333 5.1.2 Rules About Configuration Files in General .....333 5.1.3 Authority ......................................333 5.1.4 Specific Configuration Files ...................333 5.1.5 File Relationships .............................334 5.2 SIMPLE FILES .......................................336 5.2.1 Master Server Configuration File ...............336 Page 8 Commerce Server/400 Table of Contents 5.2.2 Alias Configuration File .......................339 5.2.3 Content Type Configuration File ................340 5.3 IMAGE MAPPING ......................................341 5.3.1 Global Image Map Configuration File ............341 5.3.2 Image Map Mapping File .........................341 5.4 ACCESS CONTROL .....................................343 5.4.1 Directory Based Configuration File .............343 5.4.2 Administrative Access Configuration File .......344 5.4.3 User Authenticaton User Stream File ............345 5.4.4 User Authenticaton User Database File ..........345 5.4.5 User Authentication Group Configuration File ...346 5.5 HOW TO CONFIGURE THE SERVER ........................347 5.5.1 Configuring the Server Through Commands ........347 5.5.2 Configuring the Server by Editing Configuration Files ................................................347 6. INDEX OF CONFIGURATION KEYWORDS ......................348 7. COMPLETE INDEX .......................................351 Page 9 Commerce Server/400 1.0 Getting Started 1. Getting Started Page 10 Commerce Server/400 1.0 Getting Started 1.1 Migration Note: If you are running Commerce Server/400, consider the references to Web Server/400 in this documentation to mean Commerce Server/400. Both products are interchangeable except for the security enhancements added to Commerce Server/400. 
1.1.1 End Web Server/400 Before Installation All currently running Web servers must be ended with the ENDWWW command before installing the Web Server/400 or Commerce Server/400 upgrade. Also ensure that no product commands or menus are running. Use the WRKACTJOB command to verify there are no servers and commands running. You may see older version restored (CPF3722) messages in the joblog when migrating to the new version. These messages are normal and are generated because one or more of the product libraries have been backed up with a save command that had the update history (UPDHST) parameter set to *YES. 1.1.2 Migrating From Web Server/400 Version 1.2. This section should be read by all customers migrating from a previous version of Web Server/400. Evaluate authorization user storage If you are using user authentication, read about user storage (section 2.15.5 on page 154) and decide whether you want to migrate (section 3.3.28 on page 222) stream files to database files. Update the Content Type Configuration File A new content type was added to the content type configuration file. Using the WRKWWWCTP command, find the current entry for application/octet-stream and add the extensions using option 2. Content type Extensions --------------------------- ------------- application/octet-stream exe dll Evaluate default CCSIDs The Content CCSID (section 4.13.2 on page 311) default has changed from 850 to 819. The new File CCSID (section 4.13.6 on page 314) configuration value also defaults to 819. This should work better for most users than the old way. If you wish, you can override the defaults. Page 11 Commerce Server/400 1.0 Getting Started Server Administrator Address Has Been Removed This configuration value has been removed. As it was not being used previously, this should not be noticable to most users. If, however, you have a program which sets this value through the CHGWWWCFG (section 3.3.1 on page 207) command, you will need to change the program. 
Consider changing Domain name lookup (section 4.13.5 on page 313). The default for this is Normal, which looks up a host name for every request. For performance, we ship a configuration file to all new customers that sets this to Minimal. 1.1.3 Migrating From a Web Server/400 Version Prior to 1.2 This section should be read by all customers migrating from a version of Web Server/400 earlier than version 1.2. Make the changes below, then make the changes suggested for users of Web Server 1.2. Using a Server User Profile other than WWWUSER If you are using a server user profile other than the default of WWWUSER, then that user profile's job description needs to be changed to WWWSERVER/WWWJOBD. More information on this can be found under the STRWWW command. Updating the Content Type Configuration File A couple of new content types were added to the content type configuration file. Using the WRKWWWCTP command, find the current entry for each of the content types listed below and add the specified extensions using option 2. Content type Extensions --------------------------- ------------- application/octet-stream pcl text/html html3 ht3 Updating from Version 1.0 Customers updating directly from version 1.0 should follow the migration instructions provided separately. If you are not sure what version you are running, display the data area WWWSERVER/VERSION using the command DSPDTAARA WWWSERVER/VERSION. If this data area does not exist, you are probably running version 1.0. Page 12 Commerce Server/400 1.0 Getting Started 1.2 Installation 1.2.1 Installing Web Server/400 or Commerce Server/400 1.2.1.1 Important Pre-Installation Instructions Checking Your Tape Device We have identified a problem in V3R1 on systems that have migrated/slip-installed from V2R3 to V3R1. The new SAV and RST commands CPF with a CPF3768 (i.e., Device not valid for command) when a valid IFS path for the tape device is provided. 
Since the server installation uses the RST command, the following steps need to be performed to ensure a successful installation: 1.Use the following command to display the tape device using an IFS path: WRKLNK '/QSYS.LIB/xxxxx.DEVD' where xxxxx is your tape device (e.g., TAP01) 2.If the attribute of the tape device is set to TAP you are okay and can proceed with the installation. Otherwise you must delete and re-create the tape device. The system will set the attribute of the tape device to TAP when creating the new tape device. Be sure to write down the attributes of the tape device before deleting. The RST command requires that the tape device have a TAP attribute. OS/400 PTF Levels Web Server/400 and Commerce Server/400 have been tested with OS/400 cumulative PTF package TC96016 under V3R1 and TC96086 under V3R6. For best results, these packages or later packages should be applied to your systems. Additional V3R1 PTFs not included in the cumulative PTF package listed above should be applied to improve system stability. Please load the following PTFs on your system. . The PTFs MF10372, MF10794, MF10795, and MF11235 for the product 5763999 should be applied. Without these PTFs the Web server may, in rare circumstances, abend while calling a system TCP/IP function. . PTF SF26297 for the product 5763SS1 should be applied if you use scripts written in Rexx/400. Without this PTF, performing a SAY with no expression will cause the Rexx/400 script to cause an exception. Page 13 Commerce Server/400 1.0 Getting Started . PTF SF31797 for the product 5763SS1 should be applied if you use Client Access/400. Without this PTF, the system will assign a zero code page, which is invalid, to a file created in IFS when the user's CCSID is not set to 65535. 
Performance Problems Due to Domain Name Server Configuration Significant performance problems can occur due to an incorrect configuration of the remote name server (Remote Host Name Configuration on page 25) within the OS/400 TCP/IP. The remote name server, also known as a Domain Name Server (DNS), is used by the Web server to query the host name of a machine requesting a document. If this configuration specifies a search first parameter of *REMOTE and the remote DNS does not respond, the Web server will have to wait for the query to time-out (the number of retry attempts configured also extends the amount of time the request waits before failing). If you do not have a DNS available to you either from your Internet service provider or internally within your organization, you should leave the server address blank and specify *LOCAL for the search first parameter. This should correct your time-out delay, which in turn will increase the speed of the Web server. The only other side effect to this configuration change is that the access log file will contain the IP address of the machine requesting the document, not the host name. Problems Starting the Web server Due to Local Host Name Configuration The Web Server/400 and Commerce Server/400 products require a local host name to be set either through the TCP/IP configuration (Local Host Name Configuration on page 24), CFGTCP command option 12 (Change local domain and host names) or through the Web Server/400 server host name (section 4.13.13 on page 321) configuration value. The error message displayed on the STRWWW (section 3.2.1 on page 197) command indicating this error condition is: "The local host name could not be determined and was not explicitly set." 1.2.1.2 Installation Instructions If migrating from a previous version, please read the migration instructions (section 1.1 on page 11) before continuing with the installation. 
When upgrading from Web Server/400 to Commerce Server/400, the Web Server/400's code is replaced with the Commerce Server/400's code. Installing Web Server/400 or Commerce Server/400 on the AS/400 requires the following steps: 1.Sign on the AS/400 as QSECOFR or another user profile with a user class of *SECOFR. Special authorities are required to successfully install the server's objects (Objects Installed on page 15). Page 14 Commerce Server/400 1.0 Getting Started 2.Run the system command LODRUN to install the server from the supplied product tape. Note: Prompt the command to change the tape device if the default is not appropriate. The install should take approximately 10 to 30 minutes depending on the tape device and AS/400 model (NOTE: RISC AS/400s may take longer if not using a RISC installation tape due to the extra time it takes to convert IMPI programs to RISC programs). The install program displays a message when it is finished indicating the install was successful. If any problems occur during the install: 1. Check the joblog to determine the cause of the error. 2. Correct the problem. 3. Re-run the installation command. 4. If problems persist, please contact support. 1.2.2 Objects Installed The following objects were created/restored on the AS/400 by the installation program: . A user profile named WWWUSER was created. WWWUSER has no password, a user class of *USER, and no special authorities. The product user profile WWWUSER owns all of the objects installed. WWWUSER was also added to the system directory. . The product user profile WWWUSER was granted *USE authority to job queue QSYSNOMAX. . The product library WWWSERVER was restored. WWWSERVER contains all of the product code. Product commands, a message file, menus, and panel groups were copied into library QSYS. Two utility programs are provided in library WWWSERVER that can be used to maintain the product objects that are copied into QSYS: 1. 
CPYQSYS: Copies product commands, message file, menus, and panel groups into library QSYS. This program may be needed after installing a new release of OS/400. 2. RMVQSYS: Removes product objects from library QSYS. If the product objects are removed from QSYS, either WWWSERVER will need to be added to the library list to access commands and menus or the commands and menus must be fully-qualified with the product library. This program needs to be run after each installation of product code. Neither program requires any parameters. Both programs manipulate all I/NET Web product objects (i.e., Web Server/400, Commerce Server/400 and Webulator/400). Page 15 Commerce Server/400 1.0 Getting Started . A product job description named WWWJOBD was created in library WWWSERVER. The job description was setup to use the job queue QSYSNOMAX. The product user profile WWWUSER was changed to use the created job description. . The library WWWSAMPLES was restored. WWWSAMPLES contains sample documents that are used to demonstrate how objects in QSYS are accessed. . A folder named WEBDOCS was restored. WEBDOCS contains other folders and documents that are used to demonstrate accessing objects in QDLS. . A directory named WWWServ was restored into the root of the IFS file system. WWWServ contains many other directories and stream files. WWWServ contains the following directories: . Cfg directory contains server configuration files. The shipped configuration files are saved in a sub- directory named Shipped. . Logs directory is the default location of server log files. . WebDocs directory is the default server document root. The Shipped directory off of the WebDocs directory contains all of the server's publications and sample content organized in directories. 
The /WWWServ/WebDocs/ directory structure is as follows:

  Icons     : Sub-directory containing product icons
  Shipped   : Product sub-directory
    Pubs    : Server documentation
    Samples : Sample content

Important note: The server's sample content and publications will always be shipped in the Shipped directory. Do not place your own content in this directory, because a future release may delete or overwrite it.

  - WWWUser is WWWUSER's home directory.
  - Key is used by Commerce Server/400 to store the commerce keys (the keylist database file holding the server's private key; see section 1.10).
  - Tmp is used by Commerce Server/400 for caching.
- The library WWWCGI was restored. WWWCGI is the default script library.

1.3 Hardware Configuration

1.3.1 Hardware Requirements
Listed below are the minimum hardware requirements needed to run Web Server/400. Any AS/400 running V3R1M0 or later can run Web Server/400. The only challenging part of the hardware configuration is the TCP/IP and Internet connection (see Network Configurations on page 17).
- Any AS/400 that is supported by OS/400 V3R1M0, V3R2M0, V3R6M0, or later supports Web Server/400.
- The DASD, RAM, and processor levels chosen depend on individual capacity and performance requirements.
- Optional: workstation access to the Integrated File System and/or Shared Folders through PC Support/400 or Client Access/400. Creating and managing Web content is simpler with direct workstation access to stream files on the AS/400.

1.3.2 Network Configurations
For Web Server/400 to be useful, TCP/IP connections to machines other than the AS/400 running the product must be available. This is typically done through a Local Area Network (LAN) or through X.25. The outside machines might be PCs on the LAN or Internet customers attached to your AS/400 through a TCP/IP router. Below are the most common network configurations that can be used by Web Server/400.

1.3.3 Web Server/400 over a LAN
- Local Area Network (LAN)
  - Token Ring, Ethernet, or X.25.
- AS/400
  - Version 3 Release 1 Mod 0 or later.
  - Connected to the Token Ring, Ethernet, or X.25 LAN.
  - TCP/IP.
  - Web Server/400.
- Workstations
  - Connected to the Token Ring or Ethernet LAN, or over X.25.
  - TCP/IP.
  - Web browser.
  - Client Access/400 (optional; for Web content creators and administrators only).

1.3.4 Web Server/400 over the Internet - LAN Router
- Local Area Network (LAN)
  - Token Ring, Ethernet, or X.25.
- AS/400
  - Version 3 Release 1 Mod 0 or later.
  - Connected to the Token Ring, Ethernet, or X.25 LAN.
  - TCP/IP.
  - Web Server/400.
- Workstations
  - Connected to the Token Ring, Ethernet, or X.25 LAN.
  - TCP/IP.
  - Web browser.
  - Client Access/400 (optional; for Web content creators and administrators only).
- Internet Access
  - Router connected to the LAN using Token Ring, Ethernet, or X.25.
  - Telecommunication company connection from your router to the access provider.

1.3.5 Non-Network Configurations
Currently, Web Server/400 is only useful if a Token Ring, Ethernet, or X.25 TCP/IP connection is available. A Web browser for the AS/400 is not available; if one were, the content served by Web Server/400 could be accessed without a network connection. Direct dial-up Internet access is available on the AS/400 with V3R2M0 of the OS/400 operating system. However, because the TCP/IP support on the AS/400 does not support IP routing, the machine cannot operate as an IP router or firewall for other machines downstream that are connected to the AS/400 through a different network connection (e.g. Token Ring or Ethernet). The direct dial-up support only handles the SLIP (Serial Line Internet Protocol) protocol; there is no Point-to-Point Protocol (PPP) support. As of this document's publishing, the fastest line supported by SLIP on the AS/400 is 19.2K bits/second.
The LAN connections discussed earlier in this document are the recommended means to obtain peak performance from your AS/400 and I/NET's Web Server/400 on the Internet.

1.4 Software Configuration
Web Server/400 works without any changes to the installed configuration. However, not all features will be available in this default installation. Listed below are the software requirements for Web Server/400.
- OS/400 V3R1, V3R2, V3R6 or later. The supported versions of OS/400 come with all of the TCP/IP components necessary to run Web Server/400. The separate product TCP/IP Connectivity Utilities/400 is not used by Web Server/400, but can be used in conjunction with it.
- TCP/IP connectivity with the Web client machines. See TCP/IP Configuration Tips (section 1.5 on page 20) for more details and Hardware Configuration (section 1.3 on page 17) for network configuration details.
- The latest cumulative PTF package. This is not required but is highly recommended. The GA release and early cumulative PTF packages had problems where IFS and TCP/IP interacted with each other.
- Optional: Client Access/400 or PC Support/400 (or equivalent) for workstation access to the Integrated File System and/or Shared Folders for Web content creation and server management.
- Optional: Ultimedia System Facilities (USF) (section 2.11 on page 140), a free option of OS/400 V3R1 or later. USF can be used to create, store, and manage multimedia content that can be accessed directly through the Web browser. USF only needs to be installed if you want to serve Web content from within the USF multimedia repository.

1.5 TCP/IP Configuration Tips
This section gives some very basic background on TCP/IP terminology and some tips on how to configure TCP/IP on your AS/400 so that you can run the Web Server/400 product.
All of the following information refers to TCP/IP for the V3R1M0 version of the OS/400 operating system.

1.5.1 TCP/IP Terms

Internet network
An internet network is a network that contains a collection of machines communicating using the internet protocol (IP). The term Internet with a capital "I" refers to THE Internet, the largest implementation of a network running the internet protocol. References to an internet network with a lower-case "i" refer to a local network which may or may not be connected to the Internet.

Host
A host is any machine with an IP address participating on an internet network. This includes workstations and machines running OS/400.

Internet Protocol (IP) address
A 32-bit number broken into 4 bytes (each 8 bits). The number is written in decimal with a "." separating each of the 4 bytes; in this notation each of the four numbers has a value between 0 and 255. An IP address consists of a network portion and a host portion. The network portion determines which network the host resides on, and the host portion uniquely identifies the machine within that internet network. Two host values are reserved and must not be given to a machine: all zeros (0 in the last byte of a class C address) names the network itself, and all ones (255 in the last byte of a class C address) is the broadcast address. The 127 network is reserved for loopback (127.0.0.1 is always the local machine). All machines on an internet network must have a unique IP address. This can get complicated, especially if subnetting is taking place within your network.

Gateway or router
A machine that bridges two internet networks together. It is needed when you want to send or receive information outside of your local network.
For example, if your AS/400 is going to be connected to the Internet you will need a router to connect your local network to one of the Internet backbone networks (or to a network which is connected through other networks to one of the Internet backbone networks).

Route
A route determines the IP address of the gateway to use for a destination. A route is not needed for information which is sent to, or received from, machines that reside on the same internet network.

Subnet mask
The subnet mask determines which bits of the IP address make up the network portion: every bit set to 1 in the subnet mask belongs to the network portion. You will need additional information beyond this documentation if you intend to set up sub-networks within your internet network. The subnet mask is, however, required to configure TCP/IP on the AS/400, and the discussion below helps you set this value.

Ping
A TCP/IP utility which sends test packets to a host and waits for them to return (an ICMP echo request and its reply). It reports the amount of data sent and received and the elapsed time, which makes it very useful for testing the TCP/IP configuration. PING is the name of the OS/400 command; its one required parameter is the IP address or host name of the remote system to send the data to.

1.5.2 Assigning your AS/400 an IP Address
If you plan on placing your Web server on the Internet, you will need to discuss the assignment of the network portion of your IP address with your Internet access provider. If you are not planning on placing your AS/400 on the Internet, or your Internet access provider does not yet have a permanent IP address for you, then you are free to choose the address you want. However, as soon as your internet network connects to other internet networks, your network's IP addresses must be unique throughout all of the connected networks. For a network that is not (yet) on the Internet, the safest choice is one of the address blocks reserved for private use by RFC 1918 (10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16): these are never assigned to anyone on the Internet, so they cannot collide with a real site's addresses when you do connect.

This value can be reconfigured later if you want the AS/400 to be accessible on the Internet and you don't currently have an Internet access provider, or your provider does not have a permanent address that they can assign to you immediately.

Note: all hosts on the same network require the same network portion of the IP address; only the host portion of the IP address is unique per machine.

1.5.2.1 Assigning the network portion of an IP Address
If the network portion of your IP address has not been assigned to you by a network administrator or an Internet access provider, this section helps you understand the network portion and assign one yourself. The most common type of network address is a class C address. A class C address begins with a first byte in the range 192 to 223. For our example we choose 200 for the first byte, which indicates that we are assigning a class C address and that we expect to have at most 254 machines on our internet network. For the rest of the network portion we choose values of 1. Therefore, we use "200.1.1" as the network portion of our IP address. (The 200.1.1 network is ordinary public address space, not one of the private blocks; it is used here only as this guide's illustration.)

1.5.2.2 Assigning the host portion of an IP Address
For this discussion we assume that the network portion was defined to be a class C address with no subnetworks defined. With a class C address the last byte is the host portion, allowing the values 1 through 254 to be used. The administrator of this internet network should make all of the host portion assignments and keep a record of them, to ensure that each machine is assigned a unique ID.
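As an added example (not part of Commerce Server/400 or of this guide), the address arithmetic of sections 1.5.1 and 1.5.2 in code: it splits an address into its network and host portions with the subnet mask, rejects the two reserved host values, decides whether a destination needs the default route or can be reached directly, and checks a host-number plan for the uniqueness that 1.5.2.2 asks the administrator to keep. The 200.1.1 network and the 255.255.255.0 mask are the guide's own; the sample plan, the 200.1.1.1 gateway and the function names are assumptions of this example.

```python
"""IP address arithmetic for the network and host portions described above.

Added example, not part of Commerce Server/400 or of this guide. It uses the
guide's illustration (network 200.1.1, mask 255.255.255.0) and adds a sample
host plan and a gateway address constructed for the example only.
"""
import ipaddress


def address_class(ip: str) -> str:
    """Classful letter of an address, judged from its first byte as in 1.5.2.1."""
    first = int(ip.split(".")[0])
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    return "D/E"  # multicast and reserved space, never assigned to hosts


def split_address(ip: str, mask: str):
    """Return (network portion, host number): mask bits set to 1 select the network."""
    iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    host = int(iface.ip) & int(iface.hostmask)
    return str(iface.network.network_address), host


def usable_host(ip: str, mask: str) -> bool:
    """False for the all-zeros (network) and all-ones (broadcast) host values."""
    iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    net = iface.network
    return iface.ip not in (net.network_address, net.broadcast_address)


def next_hop(local_ip: str, mask: str, default_gateway: str, destination: str):
    """Where a packet for destination goes: None means 'same internet network,
    deliver directly'; otherwise the *DFTROUTE next hop (the gateway)."""
    local_net = ipaddress.IPv4Interface(f"{local_ip}/{mask}").network
    if ipaddress.IPv4Address(destination) in local_net:
        return None
    return default_gateway


def check_plan(mask: str, assignments: dict) -> list:
    """Validate a host-number plan the way 1.5.2.2 asks the administrator to:
    every machine on one network, unique host numbers, no reserved values."""
    problems = []
    networks = set()
    owner_of = {}
    for name, ip in assignments.items():
        net, host = split_address(ip, mask)
        networks.add(net)
        if not usable_host(ip, mask):
            problems.append(f"{name}: {ip} uses reserved host value {host}")
        elif host in owner_of:
            problems.append(f"{name}: host {host} already assigned to {owner_of[host]}")
        else:
            owner_of[host] = name
    if len(networks) > 1:
        problems.append(f"hosts span more than one network: {sorted(networks)}")
    return problems


# Constructed sample plan on the guide's 200.1.1 network, with two deliberate mistakes.
SAMPLE_MASK = "255.255.255.0"
SAMPLE_PLAN = {
    "router": "200.1.1.1",
    "as400": "200.1.1.10",
    "pc1": "200.1.1.20",
    "pc2": "200.1.1.20",       # duplicate host number
    "printer": "200.1.1.255",  # broadcast address, not a host
}

if __name__ == "__main__":
    print("class", address_class("200.1.1.10"), split_address("200.1.1.10", SAMPLE_MASK))
    for problem in check_plan(SAMPLE_MASK, SAMPLE_PLAN):
        print("plan problem:", problem)
    print("next hop for 198.51.100.7:",
          next_hop("200.1.1.10", SAMPLE_MASK, "200.1.1.1", "198.51.100.7"))
```

The route decision in next_hop is exactly the rule the Route and Subnet mask definitions state: a destination whose masked bits match the AS/400's own network portion is delivered on the LAN, anything else goes to the *DFTROUTE next hop configured in 1.5.3.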
1.5.3 Working with the OS/400 commands to configure TCP/IP
This section will assist you in configuring the minimum TCP/IP features necessary to run the Web Server/400 product. You must sign on as QSECOFR, or with a profile that has equivalent authority, to use the following commands effectively. The special authority the TCP/IP configuration commands actually check for is *IOSYSCFG, so a dedicated administrator profile with that special authority is sufficient and is preferable to sharing the QSECOFR profile. Some of the commands will let you view the information but not change it if you do not have this authority.

CFGTCP is the OS/400 command that presents a menu of options for configuring the TCP/IP interface. Select option 1, Work with TCP/IP interfaces. You will be presented with a screen that shows the currently configured interfaces. An interface, as presented on this screen, is the line supporting the TCP/IP protocol together with the IP address associated with that line. The *LOOPBACK line is a special line and is required for TCP/IP to operate properly. To add an interface use option 1 (also available directly as the ADDTCPIFC command). The three required parameters are:

Internet address
The IP address chosen for this AS/400. If the machine is acting as a gateway and has multiple lines being configured to support TCP/IP, then this value is the IP address set for the line being configured.

Line description
V3R1 OS/400 TCP/IP does not support all types of line description. Refer to the help for this parameter within the ADDTCPIFC command for detailed information about which line descriptions are supported. The typical line descriptions used when configuring a TCP/IP connection for Web Server/400 are permanent connections such as Token Ring or Ethernet LAN connections. These allow the Web Server/400 product to be available 24 hours a day, 7 days a week without incurring additional usage costs. If the Web Server/400 product is to be made available through an Internet connection, then either the Token Ring or the Ethernet connection can be used along with a router connected to a leased line. The leased line is permanently connected to the Internet access provider and available 24 hours a day, 7 days a week at a fixed rate.

Subnet mask
Set this value to 255.255.255.0 for a class C address which has no subnetworks defined. Any other scenario requires additional research. Refer to the TCP/IP terms section above (Subnet Mask on page 21) for a basic definition of the subnet mask.

The other parameters should not require any changes for the basic setup. If you are just getting started, or are not connected to any other internet networks, the OS/400 side is now configured and ready to be used. If you have an Internet connection or a connection to other internet networks, you will need to configure a route to the gateway for data to flow between these internet networks.

CFGTCP option 2, Work with TCP/IP routes, lists the routes already configured and lets you add routes. You will want to add a default route that is used for all traffic that is not destined for the internet network that the AS/400 resides on (that is, for machines whose IP address has a different network portion from that of this AS/400). Choose option 1 (also available directly as the ADDTCPRTE command) to add the default route. The three required parameters are:

Route destination
*DFTROUTE is the keyword used to indicate the default route.

Subnet mask
*NONE is the only valid value for a default route.

Next hop
Specify the IP address of the gateway (router). This indicates that, for the default route, all information being sent out should go to the gateway machine next.
From there, the gateway machine uses its own routing tables to determine where to send the information.

1.5.4 Starting and Testing your TCP/IP Configuration
The STRTCP command starts the TCP/IP services on the AS/400. After the TCP/IP services have been configured and started, you will want to test the configuration. The PING command is a good way to test the local and remote TCP/IP configurations. First use PING to test the local configuration by specifying the AS/400's own IP address for the Remote system parameter. Check the results of the PING command in the job log. If the job log shows that 100% of the packets sent were received successfully, the configuration on the AS/400 is working. After verifying the local configuration, the remote configurations can be tested. To test a remote configuration you need another machine configured and running TCP/IP on your internet network (your gateway is a good test if you have one configured and running). Use PING again, this time specifying the remote system's IP address or host name, and again check that 100% of the packets were successfully sent and received.

1.5.5 Host Names

1.5.5.1 Local Host Name Configuration
Up to this point we have referred to host machines by their unique IP addresses. A second way to reference a host is to assign it a host name: an alternate, meaningful name for the host. For example, the host name www.inetmi.com refers to the Web server that I/NET, Inc. runs to demonstrate the Web Server/400 product. The www portion of that name is the host portion and the inetmi.com portion is the domain name. The local host and domain name can be set using CFGTCP option 12 (Change local domain and host names).
If you are planning on connecting to the Internet you should discuss registering a domain name for your internet network with your Internet access provider.

Problems Starting the Web Server/400 Due to Local Host Name Configuration
The Web Server/400 product requires a local host name to be set, either through the TCP/IP configuration (CFGTCP option 12, Change local domain and host names) or through the Web Server/400 server host name (section 4.13.13 on page 321) configuration value. The error message displayed by the STRWWW (section 3.2.1 on page 197) command for this condition is: "The local host name could not be determined and was not explicitly set."

1.5.5.2 Remote Host Name Configuration
The CFGTCP command provides more than one way to assign remote host names. The first is to update the local host table using option 10 (Work with TCP/IP host table entries); this maps the IP address of a remote machine to a meaningful name. The drawback is that if you have a lot of machines that you would like to reference by name, you have to add them all to this table. The second is to reference a remote host running the TCP/IP Domain Name Service (DNS) using option 13 (Change remote name server). With a DNS server, hosts can be added to your network with meaningful names without any additional configuration on the remote machines. V3R1 OS/400 TCP/IP does NOT include the ability to act as a DNS server.

Performance Problems Due to Remote Name Server Configuration
Significant performance problems can occur from an incorrect remote name server configuration in OS/400 TCP/IP. The remote name server, also known as a Domain Name Server (DNS), is used by the Web Server/400 product to look up the host name of a machine requesting a document (a reverse lookup of the client's IP address, so that the access log can record a name rather than an address).
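As an added example (not part of Commerce Server/400 or of this guide), the bounded form of that reverse lookup, which is what a server should do whatever the name server configuration: the DNS is asked, but an unanswered query is abandoned after a short time-out and the access log gets the bare IP address instead, the same trade-off the *LOCAL setting described next makes at the TCP/IP level. The real lookup goes through Python's socket module; the two sample resolvers, the 200.1.1.20 client and the pc1.example.com name are constructed for the example, and the half-second default time-out is an assumption to tune per network.

```python
"""Bounded reverse name lookup with fall-back to the client's IP address.

Added example, not part of Commerce Server/400. The resolver is injected so
the example runs offline; answering_resolver and hung_resolver, the client
address 200.1.1.20 and the name pc1.example.com are constructed for it, and
DEFAULT_TIMEOUT is an assumption, not a product setting.
"""
import concurrent.futures
import socket
import time

DEFAULT_TIMEOUT = 0.5  # seconds a request may wait for a name before logging the address


def system_resolver(ip: str) -> str:
    """The real thing: a reverse (PTR) lookup through the operating system."""
    return socket.gethostbyaddr(ip)[0]  # raises socket.herror (an OSError) on failure


def client_name(ip: str, resolver=system_resolver, timeout: float = DEFAULT_TIMEOUT):
    """Return (name, seconds waited). The name is the IP address itself whenever
    the resolver fails, returns nothing, or does not answer within the time-out."""
    started = time.monotonic()
    pool = concurrent.futures.ThreadPoolExecutor(max_workers=1)
    future = pool.submit(resolver, ip)
    try:
        name = future.result(timeout=timeout) or ip
    except (concurrent.futures.TimeoutError, OSError, LookupError):
        name = ip
    finally:
        pool.shutdown(wait=False)  # abandon a hung query instead of joining it
    return name, time.monotonic() - started


def access_log_line(ip: str, path: str, status: int, resolver=system_resolver) -> str:
    """One common-log-style line; the first field is the name or, after a failed
    or slow lookup, the bare address (the same side effect the guide describes
    for running with *LOCAL and no name server)."""
    name, _ = client_name(ip, resolver)
    return f'{name} - - "GET {path}" {status}'


# Constructed resolvers standing in for a working DNS and a non-responding one.
KNOWN_NAMES = {"200.1.1.20": "pc1.example.com"}


def answering_resolver(ip: str):
    return KNOWN_NAMES.get(ip)  # None for an unknown address


def hung_resolver(ip: str):
    time.sleep(2)  # a DNS that never replies, from the server's point of view
    return "never.seen"


if __name__ == "__main__":
    print(access_log_line("200.1.1.20", "/", 200, answering_resolver))
    print(access_log_line("200.1.1.20", "/", 200, hung_resolver))
```

Note that a name obtained this way is only as trustworthy as the DNS that supplied it: the reverse mapping for an address is controlled by whoever administers that address space, so for any security review the IP address is the reliable field and the name is a convenience.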
If this configuration specifies a search first parameter of *REMOTE and the remote DNS does not respond, the Web server has to wait for the query to time out (the configured number of retry attempts also extends the time the request waits before failing). If you do not have a DNS available, either from your Internet service provider or internally within your organization, leave the server address blank and specify *LOCAL for the search first parameter. This removes the time-out delay, which in turn increases the speed of the Web server. The only other side effect of this configuration change is that the access log (section 2.16.4 on page 166) file will contain the IP address of the machine requesting the document rather than its host name.

For additional information concerning the configuration of TCP/IP, refer to the V3R1 OS/400 publications or the information provided online by the IBM Corporation.

1.6 Starting the Server

1.6.1 Starting Web Server/400 or Commerce Server/400
Follow these steps to start Web Server/400. These instructions also apply to starting Commerce Server/400 without support for secured transactions (additional steps (section 1.10 on page 34) are required to enable Commerce Server/400 to perform secured transactions).
1. Sign on to the AS/400 with a user profile that has *ALLOBJ authority (e.g., QSECOFR).
2. Once TCP/IP has been configured on the AS/400, start TCP/IP support using the STRTCP command (if not already started).
3. Start the Web server using the STRWWW (section 3.2.1 on page 197) command, which is accessible through the CMDWWW (Menus on page 196) menu.

When starting the server for the first time, perform the following steps:
1. Prompt the STRWWW command.
2. Press Enter (use the default master configuration file).
3. Press F10 to view additional parameters.
4. Key in the product activation key provided by your supplier with the product tape and press Enter. Contact your supplier if you did not receive an activation key or your activation key does not work.

If the server does not start due to an error:
1. Check the job log to determine the cause of the error.
2. Correct the problem.
3. Re-run the STRWWW command.
4. If problems persist, contact support.

Once the server is started, Web browsers can connect to it and browse the online publications and sample documents. The server can be stopped using the ENDWWW (section 3.2.2 on page 202) command.

1.6.2 Accessing the Server
Start a Web browser on the workstation. In the browser's URL field enter the following URL:

http://server/

where server is the fully qualified domain name of the AS/400. The server may be identified by an internet address (e.g., 200.0.0.1) or by a configured host name for the AS/400's internet address. See the person responsible for AS/400 TCP/IP configuration for the proper value. Processing this URL returns the Web Server/400 home page. From the home page the online publications can be viewed to learn more about the Web Server/400 product.

When using the default configuration, Commerce Server/400 behaves exactly like Web Server/400. The above instructions let you view online content over plain, unencrypted HTTP. Further steps (section 1.10 on page 34) are required to make Commerce Server/400 serve pages securely.

1.7 Viewing Web Server/400 Documentation from a Browser
All of the documentation is written in HTML (Hypertext Markup Language), which allows you to view it through a Web browser in one of two ways:

1.7.1 Accessing Document Files Directly
Connect to the AS/400 through a network drive and use a Web browser written for Microsoft Windows 3.1 or OS/2.
Upon installation, the Web Server/400 user guide documentation is located in the directory /WWWServ/WebDocs/Shipped/Pubs. Most Web browsers can load and view HTML files directly from a disk, so if your browser has this ability you can load the files this way. The Client Access/400 for Windows 3.1 and Client Access/400 Optimized for OS/2 software packages let you connect to the IFS root file system through a network drive definition. You can either connect a drive directly to the /WWWServ/WebDocs/Shipped/Pubs directory or connect to the root of the IFS file system and work your way down the path (/WWWServ/WebDocs/Shipped/Pubs) to reach the documentation. Since the documentation is HTML, it consists of many files. The base document is named usrguide.htm; open this file to start at the beginning of the document.

1.7.2 Accessing Documentation through Web Server/400
Once the Web Server/400 product is started, the documentation is available through the server. Upon installation, the Web Server/400 user guide documentation is located in the directory /WWWServ/WebDocs/Shipped/Pubs. If the Web Server/400 product is started with the shipped configuration, the documentation can be accessed through the server using the following URLs:

/Shipped/pubs/
/Shipped/pubs/usrguide.htm

1.8 Testing the Setup
The following tests will help you determine whether the server has been configured properly for access. They check the basic areas of access and should not be considered a comprehensive set of tests. These tests also apply to Commerce Server/400 running as a regular HTTP server (i.e., not serving documents securely using SSL).
Additional test cases (section 1.10 on page 34) are available for testing a site protected using SSL. To perform the following tests, the server must be started on the AS/400 and a Web browser must be running on the workstation. In each URL below, substitute your AS/400 system's host name or IP address for the your.system.name part.

Access to the IFS document root directory. The document root for the IFS file system is set to WWWServ/WebDocs in the default configuration. Attempt to access the URL http://your.system.name/ (/). The home page shipped with the Web Server/400 product should be displayed. The actual file returned to the browser should be the index.htm file found in the WWWServ/WebDocs directory.

Access the Web Server/400 User's Guide. The URL http://your.system.name/shipped/pubs/usrguide.htm (/shipped/pubs/usrguide.htm) should display the Web Server/400 User's Guide.

Access to the QDLS file system. Attempt to access the URL http://your.system.name/QDLS/ (/QDLS/). This should bring up the Dynamic Indexing view of the directory /qdls/ on your system. QDLS has been configured as an alias (section 2.4 on page 65) pointing to the /QDLS/ directory. See the URL Locations section (section 2.3 on page 53) for an explanation of why an alias is needed to access the /QDLS/ directory when the default source type is not set to *QDLS. The resulting dynamic index should contain a Samples/ directory which, when clicked, lists other sample files to view.

Access to the QSYS and QSYS/WWWSAMPLES library. Attempt to access the URL http://your.system.name/QSYS/ (/QSYS/). This should result in a forbidden message indicating that the server is not configured to allow access to the QSYS library. Treat any response other than the forbidden message here as a configuration error to correct before the server is reachable from a network you do not control, since QSYS holds the operating system objects. Then attempt to access the URL http://your.system.name/QSYS/WWWSAMPLES.LIB/. This should bring up the Dynamic Indexing (section 2.14 on page 144) view of the library WWWSAMPLES restored on your system by the Web Server/400 install. The dynamic index should show multiple files in the library. Both of the QSYS examples use the QSYS alias. See the URL Locations section (section 2.3 on page 53) for an explanation of why an alias is needed to access the QSYS directory when the default source type (section 4.13.3 on page 311) is not set to *QSYS. Also see the include libraries (section 4.9.1 on page 292) configuration section to learn how to allow access to other libraries.

View server log files. Once the server has been ended with the ENDWWW (section 3.2.2 on page 202) command, there are three log files that may be available for viewing: the access log (section 2.16.4 on page 166), the statistics log (section 2.16.5 on page 170), and the error log (section 2.16.6 on page 176). The error log file will not exist if no errors were logged. The default directory for these logs is /WWWServ/Logs/.

1.9 Where to Go from Here
Now that the product is installed and running, it is time to find out more about what can be done with the Web Server/400 product. This section suggests some of the more important sections to read and lists some of the changes made to the product since version 1.2. Useful sections to read before going much further with Web Server/400:
- What is a Web Server? (section 2.1 on page 44)
- URL Locations (section 2.3 on page 53)
- Aliases (section 2.4 on page 65)
- Logs (section 2.16 on page 163)
- Commands (section 3.1 on page 194)
- Configuration Values (section 4.1 on page 239)

1.9.1 New since Web Server/400 Version 1.2

National Language Support
Support for serving double- and mixed-byte content is now included in the product.
IFS File CCSID Override Abilities (section 4.13.6 on page 314)
Support for mixed-byte files and the ability to override incorrect IFS code pages is now included.

Authentication User Storage (section 2.15.5 on page 154)
Previous versions of Web Server/400 stored authentication user information in stream files. You can now choose to store users in stream files or database files (for authentication only, not for Webulator/400). The way user passwords are stored (again for authentication only, not for Webulator/400) has also changed since Web Server/400 version 1.2: the Web server can be configured to use the new Normalized mode of password encoding.

Server Identification Support (section 4.13.14 on page 322)
Used to identify and describe a server. The server identifier is used in naming the server jobs (Server Jobs on page 200) and objects, and is supported by the server start and end commands (Operational Commands on page 194).

Server Start and End Command Enhancements
Particularly useful at AS/400 start-up or at the start of TCP/IP operations, the STRWWW command (section 3.2.1 on page 197) now waits for TCP/IP to be active before beginning server activity. In addition, it is now possible to end all Web Server/400 activity with the ENDWWW command (section 3.2.2 on page 202).

Server Performance
Many enhancements have been included to improve performance through more efficient processes and calls to system functions. Server performance (Server Performance on page 202) can be affected by many factors. Advanced Configuration (Advanced Configuration on page 202) provides information that can be used to customize how the server runs on your system.
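The access checks listed in 1.8 Testing the Setup, as a script you can run from a workstation before moving on to the Commerce Server/400 setup below. This is an added example, not part of the product or of this guide: it requests each URL the guide lists and compares the HTTP status with what the guide says should happen, with your.system.name as the guide's placeholder for the AS/400. Two things are assumptions of the example: that the server signals the "forbidden" message for /QSYS/ with HTTP status 403, and the FAKE_RESPONSES table, which is constructed so the checks can be exercised without a server.

```python
"""The access checks of 1.8 Testing the Setup as a script.

Added example, not part of Commerce Server/400 or of this guide. Assumed:
the forbidden message for /QSYS/ arrives as HTTP status 403; the
FAKE_RESPONSES table below is constructed for offline use.
"""
import http.client

# (path, expected status, what the guide says you should see)
CHECKS = [
    ("/", 200, "home page (index.htm from WWWServ/WebDocs)"),
    ("/shipped/pubs/usrguide.htm", 200, "Web Server/400 User's Guide"),
    ("/QDLS/", 200, "dynamic index of /QDLS/ containing Samples/"),
    ("/QSYS/", 403, "forbidden: the QSYS library itself must not be served"),
    ("/QSYS/WWWSAMPLES.LIB/", 200, "dynamic index of library WWWSAMPLES"),
]


def http_fetch(host: str, path: str, port: int = 80, timeout: float = 10.0):
    """Plain HTTP GET against the AS/400; returns (status, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def run_checks(host: str, fetch=http_fetch) -> list:
    """Run every check; each result is (path, passed, detail)."""
    results = []
    for path, expected, note in CHECKS:
        try:
            status, _body = fetch(host, path)
        except OSError as exc:
            results.append((path, False, f"no response: {exc}"))
            continue
        if status == expected:
            results.append((path, True, note))
        elif expected == 403:
            # A listing of QSYS is a security failure, not merely a wrong page.
            results.append((path, False, f"got {status}, server exposes QSYS; fix before going live"))
        else:
            results.append((path, False, f"got {status}, expected {expected} ({note})"))
    return results


def failures(results: list) -> list:
    """Paths whose check did not pass."""
    return [path for path, passed, _ in results if not passed]


# Constructed stand-in for a correctly configured default installation.
FAKE_RESPONSES = {
    "/": (200, b"<html>index.htm</html>"),
    "/shipped/pubs/usrguide.htm": (200, b"<html>usrguide</html>"),
    "/QDLS/": (200, b"<html>Samples/</html>"),
    "/QSYS/": (403, b"Forbidden"),
    "/QSYS/WWWSAMPLES.LIB/": (200, b"<html>library files</html>"),
}


def fake_fetch(host, path):
    return FAKE_RESPONSES.get(path, (404, b"Not Found"))


def exposed_qsys_fetch(host, path):
    """Same responses, except that /QSYS/ is now listed (a misconfiguration)."""
    if path == "/QSYS/":
        return 200, b"<html>QSYS listing</html>"
    return fake_fetch(host, path)


if __name__ == "__main__":
    import sys
    # With a host name on the command line the real server is checked;
    # without one, the constructed responses are used.
    host = sys.argv[1] if len(sys.argv) > 1 else "your.system.name"
    fetch = http_fetch if len(sys.argv) > 1 else fake_fetch
    for path, passed, detail in run_checks(host, fetch):
        print("PASS" if passed else "FAIL", path, detail)
```

Run it against the real system as `python checks.py your.system.name`; the one check that is reported differently from the others is the /QSYS/ listing, because a server that lists QSYS is exposing the operating system library rather than merely serving the wrong page.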
1.10 Setting Up Commerce Server/400
NOTE: The discussion here applies only to owners of Commerce Server/400. Web Server/400 owners cannot perform secured transactions.

1.10.1 Overview
With the unmodified, default configuration files shipped with Commerce Server/400, the server runs the same as Web Server/400; that is, by default, the server does not perform secured transactions. Below are the steps that must be completed before secured transactions can be performed. Please read through all of the instructions before proceeding.
1. Install (section 1.2 on page 13) Commerce Server/400.
2. Obtain a server certificate.
   1. Enroll with the Certification Authority.
   2. Create a public key, private key, and certificate request.
   3. Submit the certificate request to the Certification Authority.
   4. Install the certificate received from the Certification Authority.
3. Change the Commerce Server/400 configuration values.
   1. Set the Keylist Database File.
   2. Set the Protocols configuration value to SSL.
   3. Set the Allowed Protocols directory-based configuration value to SSL for the root directory.
4. Start the server (or restart a running server).

1.10.2 Obtaining a Server Certificate
This is the most time-consuming step, since it requires interacting with a new entity: a Certification Authority (CA). Customers of Commerce Server/400 can obtain server certificates from the Certification Authority VeriSign, Inc. (http://www.verisign.com/). VeriSign, Inc. supplies server certificates (or Digital IDs) for a variety of security-enhanced products. You become a customer of VeriSign once you purchase a server certificate from them. VeriSign will also assist you with any special needs you may have concerning your server certificate. Below are sources of additional information about VeriSign and server certificates:

- Introduction to Cryptography (http://www.verisign.com/docs/pk_intro.html)
- Frequently Asked Questions (Digital IDs) (http://digitalid.verisign.com/id_faqs.htm)
- Frequently Asked Questions (Server Digital IDs) (http://www.verisign.com/faqs/cert_faq.html)
- General Cryptography FAQ (http://www.rsa.com/rsalabs/faq) from RSA Data Security, Inc.
- VeriSign's Price Schedule
- Additional instructions for international (non-US/Canadian) customers or Japanese customers

Server certificates are required for Commerce Server/400 to serve secure documents. The certificate gives your site's visitors proof that they are communicating with your company, and it provides browsers with your company's public key. This public key allows secure communications to be initiated between your server and your visitors' browsers: the browser encrypts the initial key exchange to this public key, so only the holder of the matching private key can complete it. VeriSign has an enrollment process that must be followed to receive a certificate. It lets VeriSign validate your identity, to ensure that some other entity is not masquerading as your company. The entire process may take several days to complete, and you cannot perform secure (SSL) transactions until everything is finished.

1.10.2.1 VeriSign Enrollment
VeriSign provides an on-line enrollment process. To obtain a server certificate for Commerce Server/400 from VeriSign, go to the URL http://www.verisign.com/inet. You will need a browser that is attached to the Internet and capable of performing SSL requests. The page provides introductory information about the enrollment process. After reading this information, select the Begin button. The Enrollment Form is displayed. Carefully read and follow the instructions on this page. You will be asked to supply your distinguished name, your company, payment information, and contacts. Submit this form using the Continue button. The server returns an error page if anything was missing or entered incorrectly.
If you receive errors, follow the instructions to fix them.

1.10.2.2 VeriSign Authorization Letter

Continuing with the VeriSign enrollment process, the VeriSign Secure Server Authorization Letter page should be displayed on your browser. You must fill in this form and acknowledge its contents before proceeding.

1.10.2.3 Creating a Public Key, Private Key, and Certificate Request

The next stage in the enrollment process is to generate a certificate request. Here are some specific instructions for generating a server certificate for Commerce Server/400, in addition to the instructions listed on the Generate a Request page.

The keylist database file and certificate request file are created by running the command CRTWWWKEY. Please follow the instructions for CRTWWWKEY when running this command. CRTWWWKEY will produce a keylist database file and a certificate request file.

The certificate request file will be given to the Certification Authority to produce your server certificate. By default, this file is put in the document root of the Web server. This makes it easy to cut and paste the contents into an HTML form or an e-mail message (see below). Only the certificate request file belongs in the document root; it carries nothing secret. The keylist database file, which holds your private key, should not be kept anywhere the Web server can serve it from.

The keylist database file contains your public and private keys. These are used by the server to perform encryption and digital signing tasks. The keylist database file is encrypted using the password you provide.

WARNING: The keys are randomly generated and cannot be re-created if the file is lost or if the password is forgotten. If you lose access to this file, you must obtain a new certificate from VeriSign (for an additional fee) by repeating all of these instructions.

IMPORTANT: The distinguished name entered into the CRTWWWKEY command must be exactly the same as the distinguished name entered in the VeriSign Enrollment Form. If possible, copy and paste this information from the VeriSign Authorization Letter into the command.
You can use your browser's Back button to see the letter again. If this information is different in any way, the request will be rejected by VeriSign.

1.10.2.4 Submitting the Certificate Request

Once the CRTWWWKEY command has successfully completed, a certificate request stream file will exist. The contents of this stream file need to be e-mailed to VeriSign. The instructions below go through one way of e-mailing this information to VeriSign. These instructions assume that you have Internet e-mail capabilities and Web browsing capabilities on the same machine.

Step 1
From your browser, load the certificate request file generated using the CRTWWWKEY command. If you are using the defaults, you can load the URL http://www.yourhost.com/certrqs.txt into your browser. Copy the entire page into your clipboard. Note: Your Web server needs to be running to access this file.

Alternatively, you can load the certificate request file into a text editor and copy the contents into your clipboard from the text editor. If you have a drive assigned to the root file system of IFS and you are using the defaults for CRTWWWKEY and for the Web server, you can open the file /wwwserv/webdocs/certrqs.txt. If you only have shared folders access, have the CRTWWWKEY command write the certificate request file to a document in shared folders, then load that document into a text editor.

Step 2
Create a new Internet e-mail message addressed to inet-request-id@verisign.com.

Step 3
Paste the certificate request generated by CRTWWWKEY into the body of the e-mail message.

Step 4
Send the message.

1.10.2.5 Installing the Certificate

After you receive your certificate from VeriSign through e-mail, you are ready to install the certificate into Commerce Server/400. This is done by running the AS/400 command ADDWWWCERT (section 3.4.1.3 on page 234).
Step 1
The e-mail message that contains your certificate needs to be saved in a stream file in the root file system of IFS or in QDLS (shared folders). If you have a drive connected to your AS/400 from your e-mail machine, save the message to a file directly on the AS/400. Otherwise, you can use FTP to transfer the file from your e-mail machine into QDLS on your AS/400.

Step 2
Run the ADDWWWCERT command specifying the file created in Step 1 as the Signed Certificate File. For example, if you used FTP to get the file into QDLS on the AS/400, you may use a filename like /qdls/myfolder/cert.txt. Provide the same password and keylist file that were supplied to the CRTWWWKEY command that generated the certificate request file for this certificate. Usually a PKCS10 formatted certificate is returned.

You should now have a valid and usable keylist database file. Prior to this, trying to start Commerce Server/400 in a secure mode using this keylist file would fail. The keylist file needs both the public and private keys and the associated certificate to be valid.

1.10.3 Enabling Commerce Server/400 to do SSL

The following three configuration values need to be changed in order to enable secure transactions through Commerce Server/400. After making these changes, all pages served by Commerce Server/400 will be encrypted. You may want to set up Commerce Server/400 to serve some content encrypted and some content unencrypted (see HTTP and SSL on page 48). You can also start two instances of Commerce Server/400 (see page 49): one that handles regular HTTP requests and one that handles SSL requests.

1.10.3.1 Set the Keylist Database File

Using the command CHGWWWSEC (section 3.4.1.1 on page 230), the keylist database file can be set to the newly completed keylist file. By default this would be /WWWServ/Key/KeyList.Cfg. The other values can be left at their default values.
1.10.3.2 Set the Protocols Value

Using the command CHGWWWCFG (section 3.3.1 on page 207), the Protocols configuration value can be changed from HTTP to SSL.

1.10.3.3 Set the Allowed Protocols Value

Commerce Server/400 has a new Directory Based Configuration value: Allowed Protocols (section 4.13.1 on page 310). This tells Commerce Server/400 which protocol (SSL or HTTP) should be used to serve documents out of a directory and its subdirectories. This value should be set to SSL in the root directory so all documents served off of your AS/400 are served using SSL.

Using the CHGWWWCFG (section 3.3.1 on page 207) command, set the Directory Based Configuration file (ACCGBLFILE) to /wwwserv/cfg/access.cfg. If this value is already set to your own configuration file, you don't need to do this.

Using the WRKWWWDIR (section 3.3.29 on page 224) command, add the directory "/" using option 1 (Add). If this directory is already present, you don't need to add it. Select option 14 (Change Commerce Server/400) on the "/" directory. Select SSL as the Allowed Protocols and make sure HTTP is not selected.

1.10.4 Start the Server

The server should now be ready to start, using the STRWWW (section 3.2.1 on page 197) command. If the server is already running, you must end the server and re-start it to enable secure transactions. SSL cannot be enabled by reconfiguring the server since a password is now required. You must provide the Keylist Database File password on the STRWWW command now that SSL transactions are being handled.

To access this server from your browser, you need to use the protocol identifier https instead of http. For instance, to open a new URL from your browser enter https://www.yourhost.com/.

1.10.5 Testing the Server

The following information can help test whether documents are being served securely (encrypted and authenticated) by Commerce Server/400.
Accessing a page secured with SSL

From your browser, enter the following URL into the Open Document or Open URL entry box. This will bring down the Web site's home page securely.

https://www.your.host.com/

The protocol to use is https for SSL pages. Substitute your host name for the www.your.host.com portion of the URL.

When accessing pages from a server running a certificate from an untrusted Certification Authority (such as Northern Telecom's Entrust Demo Web Certification Authority), the browser will usually put up a dialog box indicating that the server's certificate could not be verified. Some browsers will let you continue after answering some questions. Netscape version 2.0, for instance, will display a series of dialog boxes explaining that the server's certificate could not be validated. These dialog boxes are not present if the server certificate is obtained from a Certification Authority that the browser trusts (such as VeriSign, Inc.).

How do I know my pages are secured?

All SSL-enabled browsers provide a visual clue that the current page is protected using SSL. The clue is usually a picture of a key or a lock near the bottom of the browser's window. Also, most browsers have a menu option that allows you to view information about the server's certificate.

Browser Support

Only browsers that are enabled with SSL 2.0 or 3.0 support can be used to do secured transactions with Commerce Server/400. Known, popular browsers that work with Commerce Server/400:

- Netscape Navigator version 1.1N, 2.x, or 3.0
- Microsoft Internet Explorer 2.0 or 3.0
- OS/2 Secure Web Explorer 1.0 or later
1.10.6 Test and Evaluation Server Certificates

If you are not running a production Web site yet and want to try out Commerce Server/400 without purchasing a validated certificate from VeriSign, or if you would like to start evaluating the software while you wait for your official server certificate, you can follow these instructions to obtain a test and evaluation server certificate. Northern Telecom provides free test and evaluation certificates for anyone that agrees to their terms. These are available from Northern Telecom's Web site through their service entitled Entrust Demo Web Certification Authority.

Note: The Entrust Demo Web Certification Authority service is provided and supported by Northern Telecom. This service is currently available and works with Commerce Server/400. However, I/NET makes no claims that this service will always be available or appropriate for Commerce Server/400 customers. It is up to Northern Telecom to continue this service.

Important: The certificate obtained from Northern Telecom should only be used for test and demonstration purposes and cannot be used for commercial purposes. Northern Telecom does not verify the identity or credentials of the certificate requester before issuing the certificate. This service is only meant to provide a quick, easy, and inexpensive way of obtaining demo server certificates. Please read the acknowledgement page on Northern Telecom's site and remember to include their disclaimer page on your Web site.

Note: If any of the www.nortel.com hyperlinks in this document are no longer valid, they can be found off of the page http://www.nortel.com/entrust.

1.10.6.1 Creating a Public Key, Private Key, and Certificate Request

Follow the instructions given above (Creating a Public Key, Private Key, and Certificate Request on page 36) for creating a public and private key and certificate request for VeriSign.
1.10.6.2 Submitting the Certificate Request

Once the CRTWWWKEY command has successfully completed, you can submit your request for a test server certificate to Northern Telecom's Entrust Demo Web Certification Authority Web site.

Step 1
From your browser, load the certificate request file generated using the CRTWWWKEY command. If you are using the defaults, you can load the URL http://www.yourhost.com/certrqs.txt into your browser. Copy the entire page into your clipboard. Note: Your Web server needs to be running to access this file.

Step 2
Load Northern Telecom's Entrust Demo Web CA page into your browser: http://www.nortel.com/entprods/entrust/certificates/servcert.html. You need to have Internet access from your browser to do this.

Step 3
Select the "Proceed with a request" link. Read their acknowledgement page carefully. If you agree, select the "Acknowledged" link.

Step 4
Fill in the entry fields on the form. Be sure to supply an accurate Internet e-mail address since this is how you will receive your certificate.

Step 5
Paste your certificate request obtained in Step 1 into the Encoded Certificate Request entry field on the form.

Step 6
If everything looks right, select the "Submit Request" button. Your certificate will be automatically sent to you by e-mail. This usually takes just a few minutes. If you submit the request on a weekend or holiday, the certificate may not arrive until the next business day.

1.10.6.3 Installing the Certificate

Follow the instructions given above (Installing the Certificate on page 37) for installing a certificate received from VeriSign. When you receive your real server certificate, simply change the keylist database file you are using for your server (using the CHGWWWSEC command) to the new keylist database file and re-start the server.

2. Using Commerce Server/400
2.1 What is a Web Server?

2.1.1 Introduction

TCP/IP, Internet, World Wide Web, Browsers, HTTP, HTML. Where does Web Server/400 fit with all these new terms flooding the corporate and private world? First take a look at the general meanings of these terms.

TCP/IP: A protocol used to carry data over a local or wide area network.

Internet: The name given to the now immensely popular, world-wide collection of networks, most of which are running TCP/IP.

World Wide Web: The term used to describe a collection of cooperating protocols that ride on top of the Internet and make it more accessible and powerful.

Browsers: The very visible end-user tool used to view the material that is available on the World Wide Web.

HTTP: The protocol (Hypertext Transfer Protocol) that allows Web browsers and Web servers to communicate over the World Wide Web.

HTML: The standard markup language (Hypertext Markup Language) that allows Web browsers to display the rich and user-friendly information stored on the World Wide Web.

2.1.2 A Web Server's Role

A Web server is the caretaker of all the information that travels over the World Wide Web (WWW) to the Web browsers. A person interested in surfing the WWW would start up a browser and specify a place to start looking. Almost all the information received while surfing comes from a Web server.

A Web server is responsible for managing and delivering the content that an organization wishes to make available over the WWW. The Web server takes a large repository of information and makes it easily available to whomever wants to view it. This information can be in an almost endless number of different shapes, forms, and sizes, the most popular of which include HTML, text, images, audio, and movies.

2.1.3 Who Deals with a Web Server?

Who sees the Web server? Most users of the WWW never really see a Web server.
Their view of the Web is the browser tool they are using and the information they obtain. The server end of the WWW is mostly seen by the person(s) that administer the Web server and the people that are responsible for providing the content for a Web site.

2.1.3.1 Administrators

Every Web site will have one or more administrators of the Web server. Whether this is an official position or an informal one, at least one person will perform administrative tasks on the server. A popular title for people in this position is Webmaster.

The administrator is responsible for installing the Web server, doing initial configuration, performing on-going configuration, monitoring the accesses to the server, monitoring errors, organizing at a high level where the content is stored, answering questions from end-users, and ensuring that the security and integrity of the machine are not compromised. These tasks are in addition to normal service tasks like backing up data, ensuring the machine is operating correctly, and ensuring that it is accessible.

2.1.3.2 Content Creators

Making sure the Web server is running correctly and that it can be accessed by end-users doesn't mean much if the server doesn't have anything to serve. The content creators are responsible for providing the information that the Web server will provide. Generally, this task is handled by many different people. Content creators may be from the company's marketing department, graphic arts department, technical staff, project management, or individual employees. Many times, talents from all of these areas need to be combined in order to create the best content.

Content creators are responsible for deciding what goes on the Web server, creating the artwork, creating the HTML documents, organizing the information, making the content homogeneous, keeping the content up-to-date, integrating existing or outside data with the Web server, and writing programs (scripts) that interact with browsers.
Notice that the descriptions of the administrators and content creators are quite different. It may not be easy to find one individual (or a set of individuals) that is well suited for both tasks.

2.1.4 Hypertext Transfer Protocol Basics

You don't need to understand anything about the Hypertext Transfer Protocol (HTTP) in order to administer a server or create content for it. But knowing a little can be helpful to the administrator and essential for the more advanced content creator.

On the WWW, a browser always initiates a conversation with a Web server. This happens every time someone clicks on a hyperlink in an HTML document or opens a new Uniform Resource Locator (URL) (see Uniform Resource Locator on page 53). From the URL, the browser can determine which Web server to talk to. This is where the conversation begins. The browser asks that server for the document the user requested and also supplies some additional attributes about the request. This is the request. The most important part of the request is the document that is being requested. This takes the form of a URL-path (see URL-path on page 54).

The Web server accepts the conversation from the browser. Part of this is receiving the URL-path. The server then decides what is being requested and how to handle the request. If everything is okay, the server sends back to the browser some attributes about what is being served, and then the server sends back the content of the document. Both sides then end the conversation.

It is important to note that there is no login process with HTTP nor is there an on-going conversation between browser and server. Unlike other Internet protocols such as FTP and Telnet, a user does not, in normal operation, provide a userid and password, or start a user-specific job on the server machine. Also, each browser request is treated as a single entity.
So, if a browser needed to get several documents from the same server, the browser would initiate a separate request for each document.

2.2 What is a Commerce Server?

NOTE: The discussion contained here is only applicable to owners of Commerce Server/400. Web Server/400 owners cannot perform secured transactions.

2.2.1 Overview

What does Commerce Server/400 provide you that Web Server/400 doesn't?

2.2.1.1 Encryption

This allows private conversations over the public Internet. Using Commerce Server/400, you are able to have a browser obtain information off of your Web site in the same way that browsers access your Web Server/400 Web site today. But, when that data is transferred between machines, it is completely encrypted. Even someone that can tap the wire between the machines cannot understand the communications. The same is true for data typed into an HTML form such as credit card numbers, secret codes, personal information, or sensitive corporate information. This data is protected using strong encryption technologies.

If you are using Webulator/400 today, you can install and configure Commerce Server/400 on your AS/400 and instantly have one of the most secure ways of accessing your AS/400 applications. Worried about signing on to your AS/400 over the Internet from home? With Commerce Server/400 encrypting your Webulator/400 session, you don't need to worry about someone grabbing your user ID and password or examining the screens you view.

2.2.1.2 Integrity

Commerce Server/400 essentially guarantees that the data sent between the browser and server is unaltered during transmission. This would detect both transmission errors due to noisy communication lines and malicious modifications possibly made by someone positioned between the server and browser.
2.2.1.3 Authentication

Commerce Server/400 provides the visitors to your site confidence that they have reached your site and not someone else's site trying to impersonate your site. If someone were to make a purchase from you through your Web site, that person can be confident that they are giving a known company their credit card number and not an imposter.

2.2.1.4 Nonrepudiation

Commerce Server/400 provides proof that a document that is served off of your Web site was sent by you to the browser. For instance, this would allow you to provide a receipt for an online purchase, including the date of sale, promised delivery date, and price. The shopper can have confidence in this receipt because he or she can prove that your Web site knew of its contents before sending it.

2.2.2 Commerce Serving Basics

In this section, a handful of concepts specific to doing secured transactions over the World Wide Web are discussed. These concepts should be clear to anyone administering a secure Web site. The following section gets into more detail about how security is implemented. Understanding those topics is not critical; however, the entire picture would be much clearer if they are also mastered.

2.2.2.1 HTTP and SSL

Commerce Server/400 can do everything Web Server/400 can do, plus it can perform secured Web-based transactions. This means that if you own Commerce Server/400, there is no reason to also own Web Server/400 for the same machine. In fact, the two products install into the same location on the AS/400, so whichever product is installed last will be the one that is on your AS/400.

Commerce Server/400 and Web Server/400 both serve documents using the Hypertext Transfer Protocol (HTTP). This protocol does not perform encrypted transactions.
The data sent between the browser and server is sent "in the clear," meaning that anyone that can tap into the wire connecting the two machines can eavesdrop on the conversation.

In addition to HTTP, Commerce Server/400 can also be configured to encrypt the conversation by interfacing with the Secure Sockets Layer (SSL) protocol. If both the server and browser are communicating through SSL, then the HTTP conversation is done securely. The Secure Sockets Layer encrypts data as it leaves one machine and decrypts it as it arrives at the other.

Three ways to set up Commerce Server/400 exist. Commerce Server/400 can be configured to behave just like Web Server/400. This means the HTTP communications between the server and browser would not be encrypted. Commerce Server/400 can also be configured to only communicate securely with browsers using SSL. And lastly, Commerce Server/400 can be configured to serve some documents securely using SSL and some without encryption using only HTTP. This is done on a per-directory basis using the Allowed Protocols (section 4.13.1 on page 310) directory based configuration value.

The first two methods can be combined to form a fourth option. You can start one instance of Commerce Server/400 to handle only regular HTTP requests and another to handle only SSL requests. This can be done by making separate copies of the WEBSERV.CFG and ACCESS.CFG configuration files for the SSL server (e.g., SECURE.CFG and SACCESS.CFG). The HTTP-only server would set the Protocols configuration value to HTTP. The SSL-only server would set the Protocols value to SSL and probably change the Document Root, Include Libraries, Script Libraries, and possibly other configuration values. Also, the SSL-only server would need an Allowed Protocols of SSL in the root directory of the directory based configuration file (e.g., SACCESS.CFG).
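The per-directory decision described above (the server-wide Protocols value combined with the Allowed Protocols value inherited from the nearest configured ancestor directory) can be modelled as follows. This is an added example, not Commerce Server/400 code, and it does not read the real ACCESS.CFG or WEBSERV.CFG formats: the dict layout, the function names, the path normalisation step and the assumption that a directory with no entry anywhere above it serves nothing are all this example's own.

```python
"""Model of per-directory Allowed Protocols resolution (added example).

Assumptions, not product behaviour: a directory based configuration is a
dict mapping a directory to the set of protocols allowed beneath it; the
server-wide Protocols value is a set; a document whose directory has no
entry in any ancestor is not served at all (default deny).
"""
import posixpath

# Constructed sample directory based configuration: the root is SSL only,
# while everything under /public may be served over either protocol.
ACCESS_CFG = {
    "/": frozenset({"SSL"}),
    "/public": frozenset({"HTTP", "SSL"}),
}

# Constructed sample server-wide Protocols values.
PROTOCOLS_SSL_ONLY = frozenset({"SSL"})
PROTOCOLS_BOTH = frozenset({"HTTP", "SSL"})


def normalize_url_path(url_path):
    """Collapse "." and ".." so the lookup uses the directory that will
    really be served: "/public/../order.html" is judged by "/", not "/public"."""
    return posixpath.normpath("/" + url_path.lstrip("/"))


def allowed_protocols(access_cfg, url_path):
    """Protocols allowed for the document at url_path, found by walking from
    its directory up towards "/" and taking the first configured ancestor.
    Returns an empty set when no ancestor (including "/") is configured."""
    directory = posixpath.dirname(normalize_url_path(url_path))
    while True:
        if directory in access_cfg:
            return access_cfg[directory]
        if directory == "/":
            return frozenset()
        directory = posixpath.dirname(directory)


def may_serve(protocols_value, access_cfg, url_path, request_protocol):
    """True only if both the server-wide Protocols value and the directory's
    Allowed Protocols permit the protocol the request arrived on."""
    return (request_protocol in protocols_value
            and request_protocol in allowed_protocols(access_cfg, url_path))


if __name__ == "__main__":
    checks = [("/order.html", "HTTP"), ("/order.html", "SSL"),
              ("/public/img/logo.gif", "HTTP"), ("/public/../order.html", "HTTP")]
    for path, proto in checks:
        ok = may_serve(PROTOCOLS_BOTH, ACCESS_CFG, path, proto)
        print(f"{proto:4} {path:26} -> {'serve' if ok else 'refuse'}")
```

The normalisation step is the part worth noticing: without it a request for /public/../order.html would be judged by the permissive /public entry even though the document actually served lives in the SSL-only root, which is exactly the kind of gap that lets a document the administrator meant to keep encrypted go out in the clear.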
2.2.2.2 Server Certificate

Every server implementing secured transactions requires a server certificate. This is used to identify the Web site and to provide browsers with the Web site's Public Key. The public key is used to provide encryption, integrity, authentication and nonrepudiation. Server certificates are obtained from a Certification Authority such as VeriSign, Inc. A series of commands is provided to assist in the creation of a server certificate for a Web site.

2.2.2.3 Keylist Database File

A Web site's security information is stored in the keylist database file. This file is encrypted using a user-supplied password. The file is reasonably protected by being encrypted, but it should also be physically guarded as much as possible. The server's certificate, public key, and private key are all stored in this file. The public and private keys are very large numbers that are used to perform the secure transactions. Only the private key needs to be closely guarded. The server's certificate and public key can be freely distributed.

The server certificate, public key and private key are all interrelated and must be kept together in the same keylist database file. If a Web site has more than one certificate, then multiple keylist database files will be needed. This might be the case if a Web site is using Multi-home support to host multiple secure Web sites on the same machine. Each instance of the server could either share the same keylist database file (and certificate) or use its own.

2.2.3 How Does Commerce Server/400 Do This?

The exact details of how secure electronic communications are done are not important, but a few of the pieces can be helpful. The above listed features of a trusted Web site are accomplished using 1) Server Certificates, 2) Private and Public Keys, 3) Public Key Cryptography, and 4) Bulk Encryption Algorithms.
2.2.3.1 Server Certificates

Every Commerce Server/400 server requires a server certificate. This is used both to prove its identity and to exchange encrypted information with browsers. The certificate contains a distinguished name of the server, which is used to uniquely identify the server to visitors; it contains the server's public key; and it contains a digital signature of a Certification Authority.

Distinguished Name: This consists of information that uniquely identifies your Web site, such as the Internet host name of the machine, the company's name, and the state and country of the company. The Certification Authority will validate this information before providing a company their server certificate.

Public Key: The public half of a Web site's encryption key. Visiting browsers use this value to communicate securely with the server. This is described more below.

Certification Authority: A Certification Authority (CA) provides server certificates. Before a company can begin doing secure transactions, they need to request a server certificate from a CA. The CA will verify the identity and validity of the company's request for a server certificate and then provide a digitally signed server certificate. The company will then install this certificate into their Web server software.

Digital Signature: Using sophisticated mathematical algorithms, a digital signature of a document can be created that proves the identity of the signer and verifies the contents of the document. In the case of a server certificate, if the CA digitally signs the distinguished name and public key portions of the certificate, then anyone that trusts the CA can be confident that the certificate has not been changed.

2.2.3.2 Private and Public Keys

Part of the process of generating a server certificate is generating a pair of large numbers.
One of these numbers, the public key, is shared with everyone who wants to communicate with the Web site. The other number, the private key, is only known to the Web site and its administrator(s). The private key is held in the strictest of confidence. Commerce Server/400 stores this in its keylist database file, encrypted using a user-supplied password.

2.2.3.3 Public Key Cryptography

Public Key Cryptography is used to do two things: exchange bulk encryption keys and verify digital signatures. What is special about Public Key Cryptography is that anyone who knows a person's public key can use it to encrypt a message for that person that no one else can understand. The only way to decrypt that message is using the private key half of the public and private key pair. The opposite is also true: something encrypted with a private key can only be decrypted with the public key. This allows two parties to communicate without previously exchanging a secret password.

In terms of Web serving, the Web site's public key is provided to anyone that wants to securely communicate with that server. This is done by sending the server's certificate (which contains the public key) to a browser that wants information from the server. The browser then uses the server's public key to encrypt a password that will be used to encrypt the rest of the communication between the server and browser. Since only the server knows the private key that can decrypt something encrypted with its public key, the server is the only one that can successfully decrypt the password.

Public Key Cryptography is also used to verify digital signatures. When a CA digitally signs a certificate, it is really encrypting a piece of the certificate data using the CA's private key. When a browser wishes to verify that signature, it decrypts the signature using the CA's public key and compares it to the certificate data. If they match, then the digital signature is valid.
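The three pieces just described (2.2.3.1 to 2.2.3.3) can be walked through end to end: a CA signs the distinguished name and public key of a server certificate with its private key, a browser checks that signature with the CA's public key and refuses a certificate that does not verify (the "could not be verified" dialog from 1.10.5), and the browser then encrypts a bulk-encryption password with the public key from the certificate so that only the holder of the matching private key can recover it. This is an added example, not Commerce Server/400 code. It assumes textbook RSA arithmetic with deliberately small primes so the numbers stay readable (real keys are the very large numbers the manual describes, and real systems add padding), a SHA-256 digest reduced modulo the key, a certificate represented as a dict, and function names of its own; the distinguished name is a placeholder.

```python
"""Certificate signing, verification and key exchange with textbook RSA
(added example; assumptions: small demo primes, no padding, dict certificate)."""
import hashlib
from math import gcd


def is_prime(n):
    """Trial division; adequate for the ~20-bit demo primes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def next_prime(n):
    """Smallest prime >= n."""
    while not is_prime(n):
        n += 1
    return n


def make_keypair(p, q):
    """Return ((n, e), (n, d)): the public and private halves for primes p, q."""
    assert is_prime(p) and is_prime(q) and p != q
    n, phi = p * q, (p - 1) * (q - 1)
    e = next(c for c in (65537, 257, 17, 5, 3) if gcd(c, phi) == 1)
    return (n, e), (n, pow(e, -1, phi))


def digest_mod(data, n):
    """Hash the data and reduce it below the modulus so it can be signed."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data):
    """'Encrypt' the digest with the private key: only the key holder can."""
    n, d = private
    return pow(digest_mod(data, n), d, n)


def verify(public, data, signature):
    """'Decrypt' the signature with the public key and compare digests."""
    n, e = public
    return pow(signature, e, n) == digest_mod(data, n)


def cert_body(dn, server_public):
    """The part of the certificate the CA signs: distinguished name + public key."""
    n, e = server_public
    return f"{dn}|{n}|{e}".encode()


def issue_certificate(dn, server_public, ca_private):
    """CA side: after validating the request out of band, sign DN + public key."""
    return {"dn": dn, "public": server_public,
            "signature": sign(ca_private, cert_body(dn, server_public))}


def verify_certificate(cert, ca_public):
    """Browser side: anyone trusting the CA can confirm the certificate is unchanged."""
    return verify(ca_public, cert_body(cert["dn"], cert["public"]), cert["signature"])


def encrypt_to(public, m):
    n, e = public
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def decrypt_with(private, c):
    n, d = private
    return pow(c, d, n)


def key_exchange(cert, ca_public, session_key):
    """Browser: verify the certificate, then wrap the bulk-encryption key with
    the public key it carries. Returns None if the certificate does not verify."""
    if not verify_certificate(cert, ca_public):
        return None
    return encrypt_to(cert["public"], session_key)


# Constructed demo keys: one pair for the CA, one for the Web site.
CA_PUB, CA_PRIV = make_keypair(next_prime(900_000), next_prime(950_000))
SRV_PUB, SRV_PRIV = make_keypair(next_prime(1_000_000), next_prime(1_100_000))
DN = "CN=www.yourhost.com, O=Example Co, C=US"  # placeholder distinguished name

if __name__ == "__main__":
    cert = issue_certificate(DN, SRV_PUB, CA_PRIV)
    wrapped = key_exchange(cert, CA_PUB, 0xC0FFEE)
    print("server recovered session key:", hex(decrypt_with(SRV_PRIV, wrapped)))
    forged = dict(cert, dn="CN=www.imposter.example, O=Someone Else, C=US")
    print("certificate with altered DN verifies:", verify_certificate(forged, CA_PUB))
```

Two things the run makes concrete: changing a single field of the certificate (here the distinguished name) invalidates the CA's signature, so an impersonating site cannot reuse a legitimately signed certificate under its own name; and a certificate signed by a key the browser does not trust fails verification in exactly the same way, which is the situation behind the warning dialogs described for demo-CA certificates.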
2.2.3.4 Bulk Encryption Algorithms

In the discussion on Public Key Cryptography, the browser encrypted a pas