Finding Security Fixes for Apache on IBM i

The Apache-based IBM HTTP Server for i is a vital defense in web and API security for IBM i. As such, it requires regular attention.

IBM Support’s PCI Compliance web page is a resource we use to help our clients protect their systems.

Even if your organization does not process, store, or transmit credit card information, applying the PTFs recommended for PCI compliance constitutes a general best practice for IBM i web and API security.


URL Rewriting with Apache Web Server

The Apache web server—included on IBM i as HTTP Server for i—contains a powerful feature known as mod_rewrite that can convert URLs (API or web) from their original form into any format you need.

This article offers a small taste of what URL Rewriting can do.


Rebuilding the Tomcat Plugin in IBM i 7.5

Open source saves the day once again.

When one of our open source support clients discovered that the Tomcat plugin for Apache was not supported on their test IBM i 7.5 system, they needed a solution. They relied on Tomcat to serve their Java web applications.


IBM i Apache Security Setting: RequestReadTimeout

A client asked for help addressing a Denial of Service (DoS) vulnerability that their security company discovered. The company found it could slow down the Apache web server by sending it incorrect headers. By sending an artificially high “Content-Length” header, they caused the web server to wait for data that would never come.


IBM i Apache Directives Measure Request Speeds

Speed is critical when serving APIs and web pages from IBM i. How can we measure our speed? The IBM HTTP Server (powered by Apache) for i can log the speed of each request, but this capability needs to be turned on.

Default values in the Apache access log include the request’s URL, the HTTP status code, the size of the response in bytes, and the user agent (e.g. browser type), but not how long the request took. Let’s see how to add the timing.


IBM i Apache Security Fixes for PCI Compliance

A few months after we published the article Apache for IBM i: Where to Find Documentation, astute reader Paul Nicolay of Cegeka shared yet another hard-to-find Apache resource with us.

Paul recommends IBM Support’s IBM HTTP Server for i PCI Compliance page for organizations following the stringent PCI DSS security standard for accepting card payments. In addition to confirming that Apache on IBM i is a PCI-compliant web server, the page lists the IBM i PTFs required to fix known vulnerabilities.


Use IBM’s Apache Directive Finder Instead of Google

When it comes to finding information on HTTP Server for IBM i (based on Apache), Google is NOT the way to go!

Recently Calvin did a web search for Apache’s ServerUserID directive. It returned old forum posts that could have taken anyone down a rabbit hole—a waste of time at best.


Apache for IBM i: Where to Find Documentation

HTTP Server for i (Powered by Apache) is the IBM i integrated web server. Although this unique implementation of Apache is well documented by IBM, that documentation can be hard to find. Internet searches often return outdated or irrelevant links.


Easy Security Improvements for Apache Websites

Some key security measures, such as using TLS encryption (https://), are taken for granted. Others are often missed until they are flagged by a security scan.

Here are two easy changes that have helped some of our clients reduce perceived vulnerabilities. These changes, typically made in the Apache web server’s httpd.conf files, may stop unnecessary exposure of web server information, as well as satisfy security scanners.


No, Apache Isn’t Vulnerable to the Log4j Vulnerability

Updated December 19, 2021

The Log4j Java library has been in the news recently. The details of vulnerability CVE-2021-44228 have been well documented by others, but to summarize, it allows arbitrary code execution through maliciously crafted messages. These messages cause the Java virtual machine to look up classes from an LDAP server and load them. This is obviously not good, but unless you’re familiar with Java, you might be unsure about what is and isn’t vulnerable; this article aims to clarify that.
