Administration Mode


What is the Administration Mode?

The Administration Mode provides a friendly view of the information that constitutes your Web site. It allows easy access to current configuration values, files that make up the content, access logs, error logs, dynamic performance statistics, and more. All of this is available through your Web browser.

Through a special URL and special protection mechanisms, an administrator can view any of the above information at any time. You can set this up to be available from a Web browser on any host machine or only from certain host machines. You can also protect this mode using user IDs and passwords. AS/400 object authority is also used to limit access. If the Server User Profile does not have authority to a file, directory, or library accessed through administration mode, then the server will not be able to serve data from that location even in this special mode.

Important: Because the Administration Mode of Web Server/400 provides so much access to the information related to your Web site and to information stored on your AS/400, it is disabled by default. Administration mode can be easily enabled, piece by piece, through the administrative access control configuration file. See below for instructions on how to do this.

Administration Mode Main Menu

An HTML document serves as the starting point for everything the administration mode has to offer. It can be viewed through a Web browser and contains links to the pertinent information. Once the Web server has been configured to enable administration mode, this menu can be accessed by entering the following URL:

http://www.server.com/wwwadmin

The www.server.com portion is the host address of the machine running the Web server. The wwwadmin portion is the special URL that puts Web Server/400 into administration mode. If nothing follows this portion of the URL, then the main menu is displayed. More path information can be included after the wwwadmin. See below for what effect this has.

Note: A subdirectory named wwwadmin directly under the Document Root cannot be easily accessed, because wwwadmin is the keyword that puts the server into administration mode. Avoid using that name.

Below is a description of what is available through the administration mode. The main menu consists of links to all this information. Some values can be configured to limit access. Selecting a restricted link displays a forbidden or unauthorized message.

Administration Mode URL Access

The main menu can be bypassed and the content accessed directly with URLs that have the following form:

http://www.server.com/wwwadmin/URL-path

If a URL-path follows the wwwadmin keyword, that path is treated as a regular URL-path, except that it is taken relative to the root of IFS instead of relative to the root of the appropriate Document Root. Almost any valid URL-path is treated the same as if it were entered without the wwwadmin keyword. User directories, database files, scripts, and so forth are all available through the administration mode if they follow the wwwadmin keyword. There are three main differences:

  1. Paths are relative to the root of IFS instead of relative to a document root.

  2. A dynamic index is always displayed when a directory is requested even if an Index Name exists in that directory. This provides greater access to the Web content in the directory.

  3. Aliases are not expanded since aliases are relative to a document root but URL-paths are relative to the root of IFS in administration mode.

Since entering an empty URL-path results in the main menu, the query string Root is available to get a dynamic index of the root of IFS:

http://www.server.com/wwwadmin/?Root

Enabling Administration Mode

As a security precaution, administration mode is disabled in the default installation. Each installation that chooses to enable administration mode must perform the following steps.

NOTE: Users who are upgrading from version 1.1 and have not configured administration mode before will need to remove the first line from the AdUser.cfg file listed below. This can be done by editing the AdUser.cfg file using a PC editor. Alternatively, an empty source physical file can be created (using CRTSRCPF). The path of this source physical file (e.g., /QSYS.lib/MyLibrary.lib/MyFile.file/MyMbr.mbr) should then be used instead of /WWWServ/Cfg/AdUser.cfg.

Simple Steps for Configuring Administration Mode

  1. Change the Administrative Access Control Configuration
    Use the WRKWWWDIR command with the *ADMIN parameter to enable administrative access mode. Use option 2 to change the directory configuration values for the root directory ("/"). Change the User file path to /WWWServ/Cfg/AdUser.cfg. Press enter to apply the change.

  2. Change the Access Limits
    While still in the WRKWWWDIR command, use option 6 to work with limits. Use option 5 (Work with allow/deny/require) on the existing Access methods entry to modify the access limitations.

  3. Add an Administrator User to the User File
    Step 1 sets the User file path to /WWWServ/Cfg/AdUser.cfg. By default, this file has no users in it. Add to this file the user name entered on the require entry in step 2 (WWWAdmin). To add this user, along with a good password, use the command WRKWWWUSR or ADDWWWUSR.

  4. Start the Server or Reconfigure a Running Server
    If the Web server is not currently running, start the server and the administration mode should be available. If the server is currently running, reconfigure the server by issuing the SETWWWCFG command.

If you prefer, the file /WWWServ/Cfg/AdAccess.cfg can be edited directly with a stream file editor. Change the lines found at the end of this file to be as follows.

<Directory />

   AuthName WebServerAdmin
   AuthType Basic
   AuthUserFile /WWWServ/Cfg/AdUser.cfg

   <Limit GET PUT POST DELETE HEAD>
    require user WWWAdmin
   </Limit>

</Directory>

The next time the server is started or re-configured, administration mode will be accessible to those who can authenticate themselves as an administrator for this Web site.

Advanced Steps for Configuring Administration Mode

Note that the above configuration changes make all data on your AS/400 that the Server User Profile has access to available to those who can authenticate themselves properly. A more conservative setup would change the configuration to limit access to the current Server Root and its subdirectories only. The example below only allows users from the inetmi.com domain with the password for WWWAdmin to access files stored in the default Server Root and its subdirectories (but no other locations). All other users would be denied all access to the administrative mode.

The discussion below outlines the steps needed to set up the server to use this more elaborate configuration. Not all steps are given in detail. In addition to the following, a user and password need to be added to the /WWWServ/Cfg/AdUser.cfg file.

  1. Add directory / using WRKWWWDIR. To prevent everyone from getting to the root directory and below, change this directory to have the following configuration values:
        Authentication realm    WebServerAdmin
        Authentication type     *BASIC
        User file path          /WWWServ/Cfg/AdUser.cfg
        Group file path         *INHERIT

    Add a limit for GET POST PUT DELETE HEAD. Under this limit, add a deny all entry.

  2. Add directory /WWWServ using WRKWWWDIR. This subdirectory will inherit the correct realm, type, and user file path from the root ("/") directory.

    Add a limit for GET POST. Change the limit order to be deny,allow. Under this limit, add a deny all entry, an allow .inetmi.com entry, and a require user WWWAdmin entry. This will only allow access to users from the inetmi.com domain that can provide the correct password for WWWAdmin.

  3. Add directory /*META/ADMIN_MENU using WRKWWWDIR. This META directory will inherit the correct realm, type, and user file path from the root ("/") directory.

    Add a limit for GET POST. Change the limit order to be deny,allow. Under this limit, add a deny all entry, an allow .inetmi.com entry, and a require user WWWAdmin entry. This will only allow users from the inetmi.com domain that can provide the correct password for WWWAdmin to receive the administration mode main menu.

If you prefer, the file /WWWServ/Cfg/AdAccess.cfg can be edited directly with a stream file editor. The following lines are equivalent to the configuration described above.

<Directory />

   AuthName WebServerAdmin
   AuthType Basic
   AuthUserFile /WWWServ/Cfg/AdUser.cfg

   <Limit GET POST PUT DELETE HEAD>
    deny from all
   </Limit>

</Directory>

<Directory /WWWServ>

   AuthName WebServerAdmin
   AuthType Basic
   AuthUserFile /WWWServ/Cfg/AdUser.cfg

   <Limit GET POST>
    order deny,allow
    deny from all
    allow from .inetmi.com
    require user WWWAdmin
   </Limit>

</Directory>

<Directory /*META/ADMIN_MENU>

   AuthName WebServerAdmin
   AuthType Basic
   AuthUserFile /WWWServ/Cfg/AdUser.cfg

   <Limit GET POST>
    order deny,allow
    deny from all
    allow from .inetmi.com
    require user WWWAdmin
   </Limit>

</Directory>

Selectively Enabling Administration Mode

Selected areas of administration mode can be made available to different people if desired. By adding entries to the administrative access control file, different user names can have access to different areas on the AS/400. For instance, if you wanted to give a marketing representative access to the access log but not access to the configuration files, a different user name could be created and additional Limits could be added to the administrative access control configuration.

Access to dynamic statistics can be granted or denied in this way as well. By adding a Directory directive that protects the meta object /*META/STATS, the dynamic statistics can be viewed by more or fewer people than the rest of the data available through administration mode.
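
As an added example (not part of the original Web Server/400 documentation), the following Python script reads Directory/Limit blocks in the syntax shown above and flags any block that grants access at the root of IFS or that relies on a password without an allow-from host entry. The StatsViewer user and the sample file contents are constructed for illustration; the script only inspects which directives are present and does not model how the server inherits or evaluates them.

```python
import re

# Constructed sample in the page's directive syntax. StatsViewer is a
# hypothetical second user; it is not a name taken from the page.
SAMPLE = """\
<Directory />
   <Limit GET POST PUT DELETE HEAD>
    deny from all
   </Limit>
</Directory>
<Directory /WWWServ>
   <Limit GET POST>
    order deny,allow
    deny from all
    allow from .inetmi.com
    require user WWWAdmin
   </Limit>
</Directory>
<Directory /*META/STATS>
   <Limit GET>
    require user StatsViewer
   </Limit>
</Directory>
"""

def parse(text):
    """Return {directory: {"methods", "deny", "allow", "require"}} per block."""
    blocks, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"<Directory\s+(\S+)>", line):
            cur = blocks[m.group(1)] = {"methods": [], "deny": [], "allow": [], "require": []}
        elif cur is not None and (m := re.fullmatch(r"<Limit\s+(.+)>", line)):
            cur["methods"] += m.group(1).split()
        elif cur is not None and (m := re.match(r"(deny|allow) from\s+(\S+)", line)):
            cur[m.group(1)].append(m.group(2))
        elif cur is not None and (m := re.match(r"require user\s+(.+)", line)):
            cur["require"] += m.group(1).split()
    return blocks

def audit(text):
    """Flag blocks that grant access wider than the page's conservative layout."""
    findings = []
    for path, b in parse(text).items():
        if path == "/" and (b["require"] or b["allow"]):
            findings.append((path, "grants access at the root of IFS"))
        if b["require"] and not b["allow"]:
            findings.append((path, "password only, no allow-from host entry"))
    return findings
```

Running audit(SAMPLE) reports only the /*META/STATS block, which lacks the host restriction used for /WWWServ; the simple configuration shown earlier is reported on both counts.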