Midrange News for the IBM i Community


Posted by: TFisher
Securing web services
has no ratings.
Published: 06 Mar 2013
Revised: 06 Mar 2013 - 4040 days ago
Last viewed on: 28 Mar 2024 (5610 views) 

Using IBM i? Need to create Excel, CSV, HTML, JSON, PDF, SPOOL reports? Learn more about the fastest and least expensive tool for the job: SQL iQuery.

Securing web services Published by: TFisher on 06 Mar 2013 view comments(2)

Bob - I know you do a lot of web interfaces with the IBM i so I wanted to ask you (and anyone else with experience).  How secure is it to open up the system to the internet?

 

I am on a new team here that is responsible for building our new web site and we're going to be creating web services to handle most of the functionality needed to get data from the IBM i and to push data to the IBM i.  We have a couple of service gurus telling us that we cannot expose our IBM i web services to the internet.  They say that it's more secure if they create some sort of gateway on a server where they can control and limit access to these services as needed.  I am thinking that we can do the same thing on the IBM i, but I am not sure since I am really just getting into web services.

 

Do we really need another layer to provide the necessary security or are they just adding unnecessary complexity to the process and an additional point of failure?

Return to midrangenews.com home page.
Sort Ascend | Descend

COMMENTS

(Sign in to Post a Comment)
Posted by: bobcozzi
Site Admin ****
Chicagoland
Comment on: Securing web services
Posted: 11 years 23 days 13 hours 39 minutes ago

When  hackers attempt to sign onto the using ROOT as the user ID, I've seen the system reject and disable that profile. Other than that, they really don't have any big issues.

For Web Services most of my customers use a simple validation list or database file in which they store the valid use requests.

Of course my practice is the redirect any unauthorized users or blocked IP's to www.cia.gov and that tends to stop them pretty quick.

Posted by: Ringer
Premium member *
Comment on: Securing web services
Posted: 11 years 23 days 11 hours 59 minutes ago

I'm not a web security guru. But I would think using SSL and putting the user id and password encoded in the body of the request or as encoded HTTP headers would be secure. I wonder how google does this for their web services.

As a compromise, maybe you could expose your code/RPG as stored procedures and let the other box call them with java/php/etc.

Chris Ringer