Trying to understand how folks open their iseries to the Internet

[HowardA]

I have an older application that was developed a long while ago. over the years, we've updated the front end a couple of times (screen scrapping, etc). We're now using Profound Logic's front end. My question is on opening up the iseries to the internet. Currently, we require the use of VPN to / from the iseries, but we're being pushed to find a way to open the app so VPN isn't required. We can use HTTPS but is that enough? Since the database is on the same LPAR that would be open to the internet, doesn't that present a security risk?
Is there a way to run the database on a different LPar (for an older application that wasn't written with that in mind) and still get reasonable response time? I recall in the distant past, using DDM files, but is there a better way? If using DDM, would that really provide the response needed for interactive work?

[Scott Klement]

Hi Howard,

You didn't say which of Profound's screen technologies you're using. I'll assume you're referring to the Rich Display environment of Profound UI (rather than Genie's 5250 display environment, RPGsp, or Profound.js)

I've noticed that many customers will set up a DMZ and place a reverse proxy in the DMZ. The idea is the outer firewall only allows the Profound UI port access to the DMZ, nothing else. The inner firewall only allows access from the DMZ machine to the Profound UI port on the production server. This makes a very secure firewall setup that's very hard to compromise. Even if someone manages to compromise the public IP, they only compromise a proxy server.

Assuming you do set this up and only the one port is available to the public, you still have to take care to disable anything on that port that isn't needed. For example, you probably don't want the public to be able to run the Visual Designer and be able to update or replace your screens. So you would set up a different instance of Profound UI for doing that sort of work, and make that instance available only to VPN (or local) users. Then disable Visual Designer access on the public port.

There are more thoughts about this sort of thing from our staff members here:
https://docs.profoundlogic.com/display/ ... nal+Access

[emhill]

I was about to ask the very same question and let me preface this by saying I am completely stupid when it comes to connectivity and security.

Scott... We have a client that currently has a web ordering system that was developed back in the mid-2000’s using PHP/HTML. It connects to the client’s IBMi system via an EXTRANET connection. That system is going away as the EXTRANET server is aging out. They currently have their entire system using the rich display environment of Profoundlogic UI (PUI). They love it.

I suggested to them using the anonymous program functionality of PUI for the web ordering and gave them an example of how it works. I created a unique sign-on screen based on an existing database that was used for the aforementioned old PHP system. I created screens using PUI/RPG and had them log in locally using their IBMi IP address and the anonymous program:

<system name>:8080/profoundui/start?pgm=lib/program

Here is where we run into problems. Their security team is asking me how we should let outside users into the system securely. I contacted PUI support and they gave me the link you posted above. I forwarded that to the client’s security team and they didn’t seem to understand what was needed. I have already created the separate instance of PUI and removed some of the functionality (visual designer, etc.).

I'm going to show them what you responded above and maybe that might ring a few bells with them. I don't know if this is possible but is there any way one of the customers that are currently doing this could contact me and give me the particulars on how they set this up?

Thanks!!!

[Scott Klement]

Hi Eric,

I hope that my description, above, helps. I would add that this is a web application, so exposing it to the Internet is something that your security team should understand, as it is not unusual to expose web applications. Sometimes when we jump into a lot of details of the specific mechanics, I think people can get confused and think that this is something different or special -- but, it is not. It it just a web application, no different than other web applications that you might've written in other environments such as the PHP one you have described.

Of course, you might have put it on a different port number or something like that, but it should be easy to adjust from the PHP port number to this one. Its just changing a number, after all.

Aside from that, the big thing that people tend to ask us is how to serve things from their DMZ. If you're not planning to use a DMZ, and haven't been in the past, that that discussion may not apply to you. But, its commonplace for other people to have an expectation that a separate web server will run in the DMZ and the code written in an environment such as PHP (or whatever else you can think of) will be on the server in the DMZ. Since Profound UI has to run on the IBM i, they get stuck... this is where the suggestion of the reverse proxy comes into play. Putting a reverse proxy in the DMZ allows you to have the same level of security as running the PHP code or whatever you choose in the DMZ, while still running Profound UI on the IBM i.

We do offer a Professional Service where we can work with your people to configure things. This is done by our staff for an extra fee (it is not included in the Support contract.) If that interests you, please contact us at support@profoundlogic.com.