The following blog entry was written by Larry Nies, president of NSC, Inc. He has been working with PHP on the IBM i since 2005, when he installed his first open-source PHP stack. The following year, he switched to the Zend Technologies PHP application server for IBM i.
While working with a customer recently on a PHP application that we had developed to manage the customer’s server user IDs and passwords, it became apparent that the application was going to need stronger security and encryption to protect the stored data. The Password Vault application, as we call it, runs on the IBM i using the Zend Technologies Zend Server. It allows a user to collectively store user IDs and passwords for websites, PCs, servers, etc., and provides the ability to manage them individually or by vault category.
The original scope of the project dictated that we needed a method to document the access to various servers and websites, and to have that documented information located in a secured area for access by the IT staff. Like everything else in life, we all have a tendency to misplace or forget our passwords/user IDs, especially on those servers or websites we don’t access often.
Writing the PHP application was the least of our issues as it involved some PHP, CSS, jQuery and AJAX. Then, voila, we were ready. As we wanted to ensure that we had protected our precious data, some critical thinking to bring it all together was necessary. We discovered the Zend Server system includes a built-in OpenSSL extension.
We began to look into using our PHP application with the Zend Server in conjunction with an IBM i Apache server instance to secure the data. From there we began adding to the Apache instance the ability to listen on Port 443 (the default port for SSL). When we made the changes to this HTTP instance, we also generated an application ID that we could use in the IBM Digital Certificate Manager. Now we could attach a locally generated certificate to that application ID. To verify our digital certificate credentials, we used the SSL Shopper website, which runs an SSL checker to determine if everything is lined up properly in your certificate. Once this was completed, we ran our PHP application using the HTTPS protocol, providing the protection we were looking for.
In the end, we used the Zend Server PHP application server, IBM’s Apache instance running the Zend Server and listening on Port 443 for our SSL, and last but not least IBM’s Digital Certificate Manager--all of this running on our IBM i. Just goes to show with a little bit of thought and planning you can get more out of your IBM i.
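The kind of checks an SSL checker applies to a certificate (validity dates, host name listed, self-signed or not), written as an added PHP example on top of the OpenSSL extension the post mentions. It is not code from the Password Vault application; `checkCertificate()`, `hostMatches()` and the host name `vault.example.internal` are assumptions made for illustration, and the sample certificate is constructed in memory.

```php
<?php
// Added example: offline certificate checks with PHP's OpenSSL extension.
// checkCertificate(), hostMatches() and vault.example.internal are hypothetical.

function hostMatches(string $pattern, string $host): bool
{
    if (strpos($pattern, '*.') === 0) {
        // A wildcard covers exactly one left-most label.
        $dot = strpos($host, '.');
        return $dot > 0 && substr($host, $dot) === substr($pattern, 1);
    }
    return $pattern === $host;
}

function checkCertificate(string $pem, string $host, ?int $now = null): array
{
    $cert = openssl_x509_parse($pem);
    if ($cert === false) {
        return ['not a readable X.509 certificate'];
    }
    $now = $now ?? time();
    $problems = [];
    if ($now < $cert['validFrom_time_t']) { $problems[] = 'not yet valid'; }
    if ($now > $cert['validTo_time_t'])   { $problems[] = 'expired'; }

    // Names the certificate covers: DNS entries in subjectAltName, else the CN.
    $names = [];
    foreach (explode(',', $cert['extensions']['subjectAltName'] ?? '') as $entry) {
        if (stripos(trim($entry), 'DNS:') === 0) { $names[] = substr(trim($entry), 4); }
    }
    if (!$names) { $names = (array) ($cert['subject']['CN'] ?? []); }
    $matched = false;
    foreach ($names as $name) {
        $matched = $matched || hostMatches(strtolower($name), strtolower($host));
    }
    if (!$matched) { $problems[] = "host name $host is not listed"; }
    // Signature verifies under the certificate's own key: self-signed (PHP 7.4+).
    if (openssl_x509_verify($pem, openssl_pkey_get_public($pem)) === 1) {
        $problems[] = 'self-signed (not issued by a CA)';
    }
    return $problems;
}

// Constructed sample: a throwaway self-signed certificate, generated in memory.
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$csr = openssl_csr_new(['commonName' => 'vault.example.internal'], $key, ['digest_alg' => 'sha256']);
openssl_x509_export(openssl_csr_sign($csr, null, $key, 30, ['digest_alg' => 'sha256']), $pem);
print_r(checkCertificate($pem, 'vault.example.internal'));
print_r(checkCertificate($pem, 'other.example.internal', time() + 90 * 86400));
```

The second call passes a different host name and a clock 90 days ahead, so it also exercises the host-name and expiry checks against the 30-day sample certificate.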
Kudos to Larry for this case study of what people can do on IBM i with PHP and SSL. Given that today's applications can be accessed from remote devices on insecure networks (i.e. internet cafes), SSL is a must.
Thanks for the tip about the "SSL Shopper" checker. I've helped many clients set up SSL/DCM but never used that site, which will help clear up any mistakes in the certificate.
Posted by: Alan Seiden | February 02, 2012 at 11:34 AM
Thanks for an interesting article. There is also an SSL Checker at
http://certlogik.com/sslchecker/
In addition to basic checks like signature, hostname listed, issued from a trusted CA etc., it will check if the certificate is using a Debian weak key.
Posted by: Phil | February 07, 2012 at 01:31 PM
Phil
Thanks for the additional SSL Checker website. I will have to take a look at it. You can never have enough tools for testing.
Posted by: Larry Nies | February 07, 2012 at 02:21 PM