Sign On Methods

Webulator/400 requires a user profile and password to sign on to the AS/400. The sign on process can be configured within the session based configuration using one of available methods. Each Webulator URL specified within the session based configuration file allows one of the following methods to be configured:

Automatic Sign On

This method keeps all user profile names and passwords hidden from the user. The session based configuration file allows the WebMaster to configure a user profile name associated with a *WEBULATOR URL. In addition to specifying the user profile name within the session based configuration file, the person configuring the Webulator/400 product would also add the user profile name and the corresponding password to the Webulator User Configuration file. Since the password in this file is the AS/400 password, ensure that whenever the password is changed for this user profile that it is also changed within the Webulator/400 User Configuration file. If it is not, the URL will fail, the invalid sign on attempt will be logged in the system journals (if enabled), the user profile may be revoked (if the system values are enabled to do so), and the virtual terminal device will be varied off (if the system values are enabled to do so). Note that the password in this file is stored in plain text and should be protected from the Webulator/400 user profile and other non-authoritative (*PUBLIC) user profiles using AS/400 security.

You may allow the user to specify the initial program, menu or library through a query string if you enable the AllowSignonOverride option of the Signon Method configuration entry. Please refer to Query String Options for more information and ramifications of allowing signon values to be overridden using query string keywords.

User Authentication

This method uses the User Authentication user ID and password sent on the request from the browser as the AS/400 user profile name and password. The user ID and password are encoded using the base64 encoding of MIME (UUENCODED). Essentially it is the same algorithm used to encode an FTP or Telnet user ID and password. If you are not using the secured Webulator/400 sessions, this should not be considered a secure encoding algorithm, however it is better than sending the password across the network in plain text.

Webulator/400 contains a service program (WBLVAUTSRV) that checks the password and user profile passed from the browser to ensure that they are valid for your AS/400. This service program adopts QSYS authority to be able to call AS/400 system security APIs. If you choose to change this service program to no longer adopt authority you should do the following in order to keep the same Webulator/400 functionality with regards to the User Authentication signon method:

1. Give the server user profile specified within the Webulator/400 configuration (default value WBLUSER) *USE authority to the following programs:
   1. QSYS/QSYGETPH
   2. QSYS/QSYRLSPH
2. Change the owner of the WBLVAUTSRV service program to WBLUSER and remove authority adoption by using the following AS/400 commands:
   1. CHGOBJOWN OBJ(WEBULATOR/WBLVAUTSRV) OBJTYPE(*SRVPGM) NEWOWN(WBLUSER)
   2. CHGSRVPGM SRVPGM(WEBULATOR/WBLVAUTSRV) USRPRF(*USER)

In normal circumstances this method will not show the sign on screen during session initialization. Please note that a signon screen will appear when a valid user profile and password are used but the user profile is restricted from signing on to a virtual terminal. In this case, the signon screen will appear with an error message explaining that the user profile is not authorized to the workstation. This would occur if you have configured your AS/400 virtual terminal devices to only allow user profiles with limited authority to signon (limit QSECOFR QLMTSECOFR system value is a recommended security consideration). User profiles attempting to signon that have *ALLOBJ or *SERVICE special authorities would be the only users with this problem.

You may allow the user to specify the initial program, menu or library through a query string if you enable the AllowSignonOverride option of the Signon Method configuration entry. Please refer to Query String Options for more information and ramifications of allowing signon values to be overridden using query string keywords.

Sign On screen

This method initializes the virtual terminal and displays the sign on screen to the user through their browser. The user would fill in the user profile name and password. If you are not using secured Webulator/400 sessions, these values are sent across the network as plain text and therefore this method creates the most exposure to your system's user profile names and passwords.

Exit Program

This method offers the most flexibility if you wish to deploy a custom access control scheme. Webulator/400 will call a user written program that must determine if the current request should be allowed and if so, provide a valid user id and password for the session. Please see Sign On Exit Program for more information.

Access to each of the Webulator URLs can be protected using the access control directives within the Session Based Configuration File. However, it is worthy to note that if the access control directives are used in conjunction with the User Authentication sign on method, the user name and password must match a valid AS/400 user profile name and password. Both the access control directives and the Webulator/400 sign on would use the same authentication user ID and password passed on the request from the browser.