IBM HTTP Server For i (Apache) | IBMi v7r2 ROBOT Attack Mitigation

The best way to mitigate the vulnerability is to disable all SSL protocols apart from TLS 1.2. This means users with out-of-date operating systems and browsers will no longer be able to use the site, but their number will likely be minimal.

The Vulnerability

ROBOT is the return of a 19-year-old vulnerability that allows performing RSA decryption and signing operations with the private key of a TLS server.

In 1998, Daniel Bleichenbacher discovered that the error messages given by SSL servers for errors in the PKCS #1 v1.5 padding allowed an adaptive-chosen ciphertext attack; this attack fully breaks the confidentiality of TLS when used with RSA encryption.

Using some slight variations, this vulnerability can still be used against many HTTPS hosts in today’s Internet.

https://robotattack.org/

From 1 March 2018, Qualys SSL Labs will rate sites affected by ROBOT as F.

https://www.ssllabs.com/ssltest/analyze.html

Make the following changes to your server's HTTP config. This can be done by editing the config file directly (EDTF) or by starting the *ADMIN HTTP server and editing from within IBM Web Administration for i (/HTTPAdmin).

The required changes should already be applied if you are using v7r3 and above. The changes can also be applied by changing the allowed-ciphers system value (QSSLCSL), but it is best to change them for the application that requires them and leave the system values alone, to save hassle when the OS is updated (if the value is not the default, the settings will carry over to the upgraded OS).

The following settings will give an A+ grade on SSL Labs:

(Screenshot: Qualys SSL Labs rating)

ServerName enables SNI, but requires the SSLServerCert directive to be set as well.

Header Strict-Transport-Security directive (required to enable HSTS, HTTP Strict Transport Security).

SSLCipherSpec directive: at least one cipher must be explicitly allowed (+) for the denied (-) ciphers to take effect.

Values which need to be changed to match your server were shown in bold italics in the original; they are the placeholders [SERVERNAME], servername.com and Certificate_Name_In_DCM.

SSLEngine On
SSLAppName QIBM_HTTP_SERVER_[SERVERNAME]
SSLVersion TLSV1.2
SSLCipherSpec ALL -TLS_RSA_WITH_AES_128_CBC_SHA
SSLCipherSpec ALL -TLS_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec ALL -TLS_RSA_WITH_AES_256_CBC_SHA
SSLCipherSpec ALL -TLS_RSA_WITH_RC4_128_MD5
SSLCipherSpec ALL -TLS_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec ALL -TLS_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec ALL +TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec ALL +TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec ALL +TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec ALL +TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
ServerName servername.com
SSLServerCert Certificate_Name_In_DCM
Header set Strict-Transport-Security "max-age=31536000;includeSubDomains;preload"
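As an added check, not part of the original post, the following Python script reads an IBM HTTP Server for i config fragment and verifies the properties the settings above rely on: SSLVersion is exactly TLSV1.2, every suite allowed with + uses (EC)DHE key exchange, at least one TLS_RSA_* suite is denied, ServerName is paired with SSLServerCert, and an HSTS header with a max-age is set. The point worth keeping in mind is that TLS 1.2 on its own still permits RSA key exchange, so the SSLCipherSpec lines, not the SSLVersion line, are what actually removes the ROBOT-relevant operation. The sample input is a copy of the post's own block; the ALL +/- evaluation is a simplified model of the directive (assumption), and the authoritative check remains the SSL Labs test the post links to.

```python
"""Lint an IBM HTTP Server for i config fragment for the ROBOT mitigation
described in the post.  Added example; the +/- model of SSLCipherSpec ALL
is an assumption, not IBM's documented evaluation order."""
from typing import Dict, List, Set, Tuple

# The post's own configuration block, embedded here as the sample input.
# [SERVERNAME], servername.com and Certificate_Name_In_DCM are the post's
# placeholders, not real values.
SAMPLE_CONFIG = """\
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_[SERVERNAME]
SSLVersion TLSV1.2
SSLCipherSpec ALL -TLS_RSA_WITH_AES_128_CBC_SHA
SSLCipherSpec ALL -TLS_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec ALL -TLS_RSA_WITH_AES_256_CBC_SHA
SSLCipherSpec ALL -TLS_RSA_WITH_RC4_128_MD5
SSLCipherSpec ALL -TLS_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec ALL -TLS_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec ALL +TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec ALL +TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec ALL +TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec ALL +TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
ServerName servername.com
SSLServerCert Certificate_Name_In_DCM
Header set Strict-Transport-Security "max-age=31536000;includeSubDomains;preload"
"""


def directives(text: str) -> Dict[str, List[str]]:
    """Map each directive name (lower-cased) to the list of its argument strings."""
    out: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        out.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return out


def cipher_specs(text: str) -> Tuple[Set[str], Set[str]]:
    """Collect the suites explicitly allowed (+) and denied (-) on SSLCipherSpec ALL lines."""
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for args in directives(text).get("sslcipherspec", []):
        tokens = args.split()
        if not tokens or tokens[0].upper() != "ALL":
            continue
        for tok in tokens[1:]:
            if tok.startswith("+"):
                allowed.add(tok[1:])
            elif tok.startswith("-"):
                denied.add(tok[1:])
    return allowed, denied


def key_exchange(suite: str) -> str:
    """Classify a suite by the key exchange encoded in its IANA-style name.
    TLS_RSA_WITH_* encrypts the premaster secret with the server's RSA key,
    the operation ROBOT/Bleichenbacher targets; (EC)DHE suites only sign."""
    if suite.startswith(("TLS_ECDHE_", "TLS_DHE_")):
        return "ephemeral"
    if suite.startswith("TLS_RSA_WITH_"):
        return "static-rsa"
    return "other"


def lint(text: str) -> List[str]:
    """Return findings; an empty list means the fragment matches the post's target."""
    findings: List[str] = []
    d = directives(text)

    versions = [v.upper() for v in d.get("sslversion", [])]
    if versions != ["TLSV1.2"]:
        findings.append(f"SSLVersion should be exactly TLSV1.2, found {versions or 'nothing'}")

    allowed, denied = cipher_specs(text)
    if denied and not allowed:
        findings.append("denied ciphers have no effect unless at least one cipher is allowed with +")
    for suite in sorted(allowed):
        kx = key_exchange(suite)
        if kx != "ephemeral":
            findings.append(f"{suite} is allowed but uses {kx} key exchange")
    for suite in sorted(allowed & denied):
        findings.append(f"{suite} is both allowed and denied")
    if not any(key_exchange(s) == "static-rsa" for s in denied):
        findings.append("no TLS_RSA_* suite is explicitly denied (default suites may stay enabled)")

    if "servername" in d and "sslservercert" not in d:
        findings.append("ServerName (SNI) is set but SSLServerCert is missing")

    hsts = [h for h in d.get("header", []) if "strict-transport-security" in h.lower()]
    if not hsts:
        findings.append("no Strict-Transport-Security header (HSTS) is set")
    elif "max-age=" not in hsts[0].lower():
        findings.append("Strict-Transport-Security header has no max-age")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["no findings: config matches the post's target"]:
        print(finding)
```

Run it against a copy of your own httpd.conf before restarting the instance; the script only reads text, so it is safe to run on the saved config while the server is up.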

RPGLE screen-driven Python on IBMi

By creating simple display files and the corresponding RPGLE programs to drive them, we can call Python programs to provide users with features that are either very complex or impossible to implement in pure RPGLE.

At the moment I have been calling a CL program from the RPGLE program. I plan to update this to use the QCMDEXC API and remove the need for a CL program.

We check the user's input, then call the CL program, which in turn calls the Python script.

In this excerpt we use the user's logon name to look up an email address in our users table.

**free
// Excerpt converted to fully free-form RPGLE: the original was fixed-format and
// its column positions were lost in extraction. Items referenced but declared
// elsewhere in the program (SYNUMB, the display-file formats MSGCTL and SCREEN,
// the subroutines CLEAR and WRTMSG) are not part of the excerpt.

// DsUSer is a subfield (positions 254-263) of a data structure declared earlier
// in the program; it is shown here as a standalone field so the excerpt compiles.
dcl-s DsUSer  char(10);
dcl-s DUMPED  char(1);
dcl-s RDATE   like(SYNUMB);
dcl-s LsOkay  ind;
dcl-s MSGNO   char(10);
dcl-s MSGF    char(10);
dcl-s MSGDTA  char(256);
dcl-ds FILDS3 len(528); end-ds;
dcl-ds FILDS4 len(684); end-ds;
dcl-ds FILDS5 len(528); end-ds;
dcl-s PDATE   char(5);
dcl-s SECURE  char(3);
dcl-s SUSER   char(10);
dcl-s EMNAME  char(35);
dcl-s EMEMAIL char(100);

// CL program that runs the Python script; the three parms match the original CALL/PARM lines
dcl-pr PROGEXCL extpgm('PROGEXCL');
  pDate  char(5);
  pUser  char(10);
  pEmail char(100);
end-pr;

*in90 = *on;
dow *in03 = *off;
  write MSGCTL;
  exfmt SCREEN;
  exsr CLEAR;
  if *in03 = *off;
    if *in30 = *off;
      // Get the user's email address from the users table
      exec sql
        select EMEMAIL, EMNAME
          into :EMEMAIL, :EMNAME
          from USERTABLE
          where EMUSER = :DsUSer
          fetch first row only;
      if SQLSTT = '00000';
        // Row found: hand the date, user and email to the CL program
        PROGEXCL(PDATE : DsUSer : EMEMAIL);
        MSGNO = 'TRI0069';
        exsr WRTMSG;
        clear SCREEN;
      endif;
    endif;
  endif;
enddo;
// The original excerpt had one more ENDIF here than IFs; it closes a block
// that begins before the excerpt, so it is omitted to keep the excerpt balanced.
*inlr = *on;
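The Python end of the RPG to CL to Python call, as an added example that is not the author's script. The assumed calling convention is that the CL program passes the three RPG parms PDATE (5A), DsUSer (10A) and EMEMAIL (100A) as the script's command-line arguments, so each arrives as a blank-padded fixed-length string; the field widths are from the D-specs above, while the user-profile and email validation rules are assumptions for the example. The values originate on a user's screen, so the script trims and validates them before anything acts on them and returns a non-zero exit status the CL program can test.

```python
"""Receive and validate the parms an RPG/CL caller passes to a Python script.
Added example; the calling convention and validation rules are assumptions."""
import re
import sys
from dataclasses import dataclass
from typing import Sequence

# Field widths taken from the RPG D-specs above.
PDATE_LEN, USER_LEN, EMAIL_LEN = 5, 10, 100

# Validation rules (assumptions for the example): an IBM i user profile name
# (first character a letter, then letters, digits and a few specials) and a
# plain mailbox@domain shape for the email address.
USER_RE = re.compile(r"[A-Z][A-Z0-9_#$@]{0,9}")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


class ParmError(ValueError):
    """Raised when the arguments passed from the CL program are not usable."""


@dataclass(frozen=True)
class Parms:
    pdate: str
    user: str
    email: str


def parse_parms(argv: Sequence[str]) -> Parms:
    """Trim the fixed-length RPG parms and validate them before use."""
    if len(argv) != 4:
        raise ParmError(f"expected 3 parameters (PDATE, user, email), got {len(argv) - 1}")
    # RPG CHAR fields are blank-padded to their declared length; the padding is
    # not data, so strip trailing blanks only (leading blanks are bad input).
    pdate, user, email = (a.rstrip(" ") for a in argv[1:4])

    if not pdate or len(pdate) > PDATE_LEN:
        raise ParmError(f"PDATE must be 1-{PDATE_LEN} characters, got {pdate!r}")
    if len(user) > USER_LEN or not USER_RE.fullmatch(user.upper()):
        raise ParmError(f"user profile name not valid: {user!r}")
    if len(email) > EMAIL_LEN or not EMAIL_RE.fullmatch(email):
        raise ParmError(f"email address not valid: {email!r}")
    return Parms(pdate, user.upper(), email)


def main(argv: Sequence[str]) -> int:
    """Return the exit status the CL caller sees: 0 only when the parms validated."""
    try:
        parms = parse_parms(argv)
    except ParmError as err:
        print(f"PARM ERROR: {err}", file=sys.stderr)
        return 1
    # The real script would produce its output here. The parms are now trimmed
    # and validated; pass them on as discrete arguments, never as a shell string.
    print(f"report {parms.pdate} for {parms.user} -> {parms.email}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the CL program sees the exit status, it can send the 'TRI0069' style completion message only on success and route a failure back to the screen instead of silently continuing.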

Python on IBMi 5733OPS

IBM opening up System i with the addition of languages such as Python, Node.js and Ruby is a major step forward and has helped us achieve some amazing results. Python has many libraries available that enable the programmer to perform complex operations with ease. Python code is also very easy to read, so it is always clear what’s going on; I don’t think we can say that of RPG code.

The best way of working with these new options is to create a subsystem for the OpenSSH server (following the excellent IBM Redbook on the OpenSSH server; it may be old but is still relevant). QSH/PASE can be tedious.

Using Python we can extend native report programs to include formatted XLSX output.

Access to system services (programs, commands, database) is provided through the excellent XMLSERVICE library from Young i Professionals (http://yips.idevcloud.com/wiki/index.php/XMLService/XMLSERVICE).

"""
Configure:
  Requires XMSLERVICE library installed, see following link installation 
  http://yips.idevcloud.com/wiki/index.php/XMLService/XMLSERVICE
 
Transports:
  1) XMLSERVICE direct call (current job)
  from itoolkit.lib.ilibcall import *
  itransport = iLibCall()
 
  2) XMLSERVICE db2 call (QSQSRVR job)
  from itoolkit.db2.idb2call import *
  itransport = iDB2Call(config.user,config.password)
  -- or --
  conn = ibm_db.connect(database, user, password)
  itransport = iDB2Call(conn)
 
  3) XMLSERVICE http/rest/web call (Apache job)
  from itoolkit.rest.irestcall import *
  itransport = iRestCall(url, user, password)
"""
from itoolkit.lib.ilibcall import *
itransport = iLibCall()
from itoolkit import * 
 sQry = 'QUERY' 
 itool = iToolKit()
 itool.add(iSqlQuery('custquery', sQry))
 itool.add(iSqlFetch('custfetch'))
 itool.add(iSqlFree('custfree')) 
 # xmlservice
 itool.call(config.itransport)
 QCUSTCDT = itool.dict_out('custfetch')
 if 'error' in QCUSTCDT:
   print (QCUSTCDT['error'])
   exit()
 else: 
   # Loop record set