Issue

IBM HTTP Server supports Apache Basic Authentication using IBM i user profiles. When Basic Authentication is used in this way, the FastCGI child job running under Apache assumes the user profile of the requester, replacing the default QTMHHTTP profile for the duration of the request. This can cause a fatal error for any Apache request if the user does not have authority to write to the Apache logs. It can also cause a fatal error for PHP requests if the user does not have authority to the FastCGI socket. This article explains how to assign permissions to the *PUBLIC user to prevent these errors.

Environment

Zend Server for IBM i version 6 or higher, running on any supported version of IBM i, using IBM i user profiles for Basic Authentication.

The following article tells how to set up Basic Authentication with User Profiles:

IBM i Apache HTTP - Server Authentication using IBM i user profiles

Resolution

Make sure *PUBLIC can write to the Apache log files.  From a 5250 command line, logged in with a *SECOFR class user profile:

Zend Server versions 2020.x, 2021.x and higher

CHGAUT OBJ('/www/zendphp74/logs') USER(*PUBLIC) DTAAUT(*RWX) SUBTREE(*ALL)

Zend Server versions 9.1.x, 2018.x and 2019.x

CHGAUT OBJ('/www/zendphp7/logs') USER(*PUBLIC) DTAAUT(*RWX) SUBTREE(*ALL)

Zend Server versions 6 - 8.5.x

CHGAUT OBJ('/www/zendsvr6/logs') USER(*PUBLIC) DTAAUT(*RWX) SUBTREE(*ALL)

To grant permissions for a specific user, just use the user profile name instead of *PUBLIC in the above command.


Make sure *PUBLIC can update the FastCGI socket:

Please back up this file, and then edit it:

Zend Server versions 2020.x, 2021.x and higher

/www/zendphp74/conf/fastcgi.conf

Zend Server versions 9.1.x, 2018.x and 2019.x

/www/zendphp7/conf/fastcgi.conf

Zend Server versions 6 - 8.5.x

/www/zendsvr6/conf/fastcgi.conf

At the end of the file, add this line:

IpcPublic *RWX

Save the file and restart Apache for the change to take effect.
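
The back-up-and-append step above as a script; this is an added example, not part of the original article. It assumes a POSIX shell on the IBM i (PASE or QShell) and write access to the file, and the function name add_ipcpublic and its return codes are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article): add the IpcPublic directive
# to a Zend Server fastcgi.conf only if it is missing, keeping a backup.
DIRECTIVE='IpcPublic *RWX'

# add_ipcpublic CONF
# Returns 0 = directive is in place (appended now, or already present),
#         2 = file missing, not writable, or backup/append failed,
#         3 = an active IpcPublic line with a different value exists.
add_ipcpublic() {
    conf=$1
    [ -f "$conf" ] && [ -w "$conf" ] || return 2

    # Already configured exactly as the article specifies: leave the file alone.
    # Apache directive names are case-insensitive, hence -i.
    if grep -iq '^[[:space:]]*IpcPublic[[:space:]][[:space:]]*\*RWX[[:space:]]*$' "$conf"; then
        return 0
    fi
    # An uncommented IpcPublic line with some other value: stop for review
    # instead of stacking a second, contradictory directive.
    if grep -iq '^[[:space:]]*IpcPublic[[:space:]]' "$conf"; then
        return 3
    fi

    # Back up first (mode and timestamps preserved), then append.
    backup="$conf.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$conf" "$backup" || return 2
    # The leading newline guards against a last line with no terminator.
    printf '\n%s\n' "$DIRECTIVE" >> "$conf" || return 2
    echo "backup: $backup"
    return 0
}

# Run as: sh add_ipcpublic.sh /www/zendphp74/conf/fastcgi.conf
if [ "$#" -eq 1 ]; then
    rc=0
    add_ipcpublic "$1" || rc=$?
    exit "$rc"
fi
```

A return code of 3 means the file already carries an IpcPublic setting that differs from the one in this article, so it is left for manual review.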

For IBM i versions prior to 7.2, PTFs are required for this setting to have an effect.  The PTFs have been out for quite some time, so most customers are likely to have them.  Here is a list of the required PTFs:

Release        57**DG1 PTF         57**SS1 PASE PTF
IBM i V7R1     SI41367, SI41706    SI41325

Verify that basic authentication works for a given profile.

Here is a simple script you can run that demonstrates how to retrieve the user profile and password in a PHP script.  (This also demonstrates that it is a really good idea to use SSL when using Basic Authentication.)  Call this script something like authinfo.php and place it in the document root for your Basic Authenticated virtual host.  When you access it in your browser, enter the user profile you would like to test in the prompt.  If it is all working, you will see your user profile and password displayed in the browser.

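<?php
// Demonstrates access to the user name and password when Basic Authentication is used.
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    // No credentials were sent: ask the browser to prompt for them.
    header('WWW-Authenticate: Basic realm="My Authorized Application"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    // Escape the values before echoing them into the HTML response.
    $user = htmlspecialchars($_SERVER['PHP_AUTH_USER'], ENT_QUOTES, 'UTF-8');
    $password = htmlspecialchars($_SERVER['PHP_AUTH_PW'], ENT_QUOTES, 'UTF-8');
    echo "<p>Hello {$user}.</p>";
    echo "<p>You entered {$password} as your password.</p>";
}
?>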