|Understanding Strategi Websites, Zones, and Aliases|
When someone requests a webpage from a Strategi webserver, the file that is sent to them originates on the iSeries 400's IFS (Integrated File System). When attempting to make changes to a Strategi website it is important to understand the relationships between the URL that the person has requested and where the files served actually come from on your iSeries 400. It is also helpful to understand the way this layout can be manipulated, and how you can secure portions of your website.
The purpose of this document is to discuss three relevant concepts in understanding Strategi's website layout and security: Strategi Websites, Website Zones, and Aliases.
Note 1: All mentioned commands will have help text for all parameters.
Note 2: Any actual creations, changes, or deletions of Websites, Zones, and Aliases will require a Strategi restart to take effect.
When configuring the Strategi webserver, one creates or changes Strategi Websites. When a Website is created, one specifies a name and an IP address for that Website (or one can specify to use all available iSeries 400 addresses. For simplicity, we will deal with the case of a single, specific IP). The name of the Website can be anything you want.
Website Configuration and Usage
Once a Website is set up correctly, populated with HTML pages, and Strategi is started, one can access the Website simply by typing the IP address of that Website into a browser, provided the machine running the browser can make a TCP/IP connection to the iSeries 400 running Strategi. So for instance, if your site was set up to run on IP address "220.127.116.11", and you had placed "homepage.htm" in the root of the Website, "homepage.htm" could be accessed by typing:
into the browser's address bar. The actual file delivered, "homepage.htm", would have been retrieved from the iSeries 400's IFS directory:
where "STRATEGI" is the name of your STRATEGI IFS directory ("STRATEGI" by default), and "SITENAME" is the name of your Website.
For example, we could use CHGSGIWEB to change the DEFAULT Website to use IP address "18.104.22.168":
CHGSGIWEB SITE(DEFAULT) TEXT('My default site') IPADD('22.214.171.124' *NONE *NONE)We could create a second Website using CRTSGIWEB:
CRTSGIWEB SITE(EXAMPLE) TEXT('The example site') IPADD('126.96.36.199' *NONE)We would restart Strategi so that the Website changes would take effect. We would populate the sites with HTML, images, and/or other types of files, using Strategi's Webmaster utility. If we wanted to access the DEFAULT site's "/abc" directory, we would use the following URL:
which would correspond to IFS directory:
If we wanted to access the EXAMPLE site's "/def" directory, we would use the following URL:
which would correspond to IFS directory:
In conclusion, Strategi Websites allow you to serve different content from your iSeries 400 through different iSeries 400 IP addresses.
Note 1: Strategi's installation program creates a Website called DEFAULT, and if you only require one website it is fine to use the DEFAULT Website.
Note 2: The number of Websites that can run concurrently in Strategi is limited by your Strategi license. Therefore, before creating a new Website, be sure your license allows for the desired number of Websites.
Note 3: It will be tempting, knowing the location of the website files on the IFS, to place files there directly through a network drive mapping to the iSeries 400. This is not at all recommended, as authority problems, file lock problems, and more can result. Always use Strategi Webmaster to make changes to your Strategi website.
When managing a website, it can be very helpful to have some way of dividing the website in such a way that different areas have different security settings. For example, you may have content that you only want accessible if the requestor logs in, or if they use SSL when making the request. Or you may want different areas of the website to be maintained by different people.
Strategi allows you to do all of this and more through the use of Website Zones. A Zone is an assignment of security settings to a particular directory of a Strategi Website.
Zone Configuration and Usage
Whenever a Strategi Website is created, a Zone called "#ROOT" is created automatically. The #ROOT Zone contains everything within the Website. In other words, for the EXAMPLE site we used in the Strategi Website section, #ROOT contains everything after the "http://188.8.131.52/" in a URL, or everything within the "/STRATEGI/website/example/live" directory.
When you have one person maintaining all of the website's content and all of the content is intended to be publicly accessible, ie, with no requirements for SSL or login, then all of your content can be in the #ROOT zone. You can create subdirectories, and subdirectories within subdirectories. As long as the only Zone you have is #ROOT, everything on the Website is part of #ROOT.
What if you created a directory "/sales" that contained confidential information? You might decide you wanted only registered Strategi users to be able to view the content in that directory. In this case you would want to create a new zone using the CRTSGIZON command:
CRTSGIZON TYPE(*WEBSITE) DOMAIN(EXAMPLE) ZONE(SALESINFO) SUBDIR('/SALES') TEXT('Sales Information Zone') AUTHEN(*BASIC) DFTAUT(*READ) SSLKEY(*NONE)After a restart of Strategi, if one requested the following URL:
one would be required to log in as a Strategi user before the file would be retrieved.
You might decide that not only do you require login, but that you also want only specific Strategi users accessing the SALES Zone's contents. You would use the CHGSGIZON command to change the Zone so that the default authority was *EXCLUDE:
CHGSGIZON TYPE(*WEBSITE) DOMAIN(EXAMPLE) ZONE(SALESINFO) DFTAUT(*EXCLUDE)Now, in order for a user to actually view the content under the "/sales" directory, they would have to have been specifically added to the SALES Zone for *READ authority:
ADDSGIZNA TYPE(*WEBSITE) DOMAIN(EXAMPLE) ZONE(SALESINFO) USER(*USER (123)) AUT(*READ)Strategi User #123 would be able to view contents of the SALES Zone after they logged in. Other users would be shown a page telling them they did not have authority to the requested resources.
Zone Authority Requirements for Webmaster Access
In order for a Strategi User to be able to make changes to a Website Zone using Webmaster, that person must have *READWRITE authority to that Zone. Therefore, if you wanted User #5 to be able to make changes to the SALES Zone, you would also use the ADDSGIZNA command:
ADDSGIZNA TYPE(*WEBSITE) DOMAIN(EXAMPLE) ZONE(SALESINFO) USER(*USER (5)) AUT(*READWRITE)Zone Conclusion
In conclusion, Website Zone's give you a clean and easy way to segment your Strategi Website so that different security settings apply to different directories of that Website.
Note 1: A Zone contains everything within the specified directory for that Zone, except for directories beneath it that are set up as a separate Zone. In other words, in our EXAMPLE Website, the #ROOT Zone contains all directories within it except for the contents of the SALES Zone. So #ROOT does not technically contain a "/sales" directory.
When creating content for multiple websites, or even for just one website, often you may want content to be identical in several areas. For instance, you might want to display the content from the EXAMPLE Website's "/sales" directory when someone requests the DEFAULT Website's "/sales" directory. Or, perhaps you have an existing set of internet documents on your iSeries 400 that are not in a Strategi Website directory, but you would like to serve these documents from a Strategi Website, without moving them from their current location. All this can be achieved through the use of Strategi Aliases.
An Alias is a dynamic remapping from a virtual path within a Website to a real and unrelated physical path on the iSeries 400 IFS file system. The mechanism provides a means of including any part of the IFS as part of one, several or all Strategi Websites.
It is then possible to have resources located in a single place, but accessible through all Websites. Equally, an existing Website in one location could be immediately logically "relocated" to a different Strategi Website, without physically moving a thing.
Alias Configuration and Usage
So, to take the example of having the DEFAULT Websites' "/sales" directory remapped to the EXAMPLE Website's "/sales" directory, we would use the command CRTSGIALS:
CRTSGIALS RQSSITE(DEFAULT) RQSPATH('/sales') SUBTYPE(*WEBSITE) SUBDOMAIN(EXAMPLE) SUBPATH('/sales') STATUS(*ENABLED) TEXT('Default Sales comes from Example site')Once Strategi is restarted, if someone requests the "/sales" directory of the DEFAULT Website through the following URL:
they will in fact receive content from the "/sales" directory of the EXAMPLE Website. This will occur seamlessly as far as the user is concerned: they will have no indication that the content came from somewhere else. Also note that you could have just as easily set the RQSPATH to '/information'-- the RQSPATH and the SUBPATH do not need to be related in any way.
As another example, you might have HTML files or other web files on your IFS in some directory that is not part of a Strategi Website. Often you will have software that is interacting with those files, meaning you cannot easily move them into your Strategi Website directories.
For instance, you might have a "/procfiles/webcontent" directory on your IFS containing PDF and HTML files. You want to be able to serve these files when someone requests the DEFAULT Website's "/processedfiles" directory. You would create an Alias with a substitution type of IFS:
CRTSGIALS RQSSITE(DEFAULT) RQSPATH('/processedfiles') SUBTYPE(*IFS) SUBDOMAIN(*NONE) SUBPATH('/procfiles/webcontent') STATUS(*ENABLED) TEXT('Processed Files from IFS Dir') ZONE(*SOURCE)Once Strategi is restarted, if someone requests a file from the DEFAULT Website's "/processedfiles" directory through the following URL:
they would in fact be delivered "abcdef.html" from the IFS directory:
on your iSeries 400.
iSeries 400 IFS Directory Authority Issues
One concern when setting up IFS type Aliases is that SGIJOBCTL (the iSeries 400 user profile under which the Strategi jobs run) must have at least read and execute authority to the objects being accessed. This includes not only the requested file but the entire directory tree before it. In other words, in the above example, SGIJOBCTL must be given read and execute authority to the "abcdef.html" file, as well as the "/webcontent" directory, as well as the "/procfiles" directory (by this it is meant authority to the iSeries 400 objects themselves for the SGIJOBCTL user profile, not a Strategi authority for a Strategi User). To give SGIJOBCTL appropriate authority to access "abcdef.html", one could use the iSeries 400 command CHGAUT to change authority along the tree:
CHGAUT OBJ('/procfiles') USER(SGIJOBCTL) DTAAUT(*RX) CHGAUT OBJ('/procfiles/webcontent') USER(SGIJOBCTL) DTAAUT(*RX) CHGAUT OBJ('/procfiles/webcontent/abcdef.html') USER(SGIJOBCTL) DTAAUT(*RX)Now the "abcdef.html" would be accessible by Strategi and deliverable via the Alias. Note that you can, for the last CHGAUT, set OBJ to "/procfiles/webcontent/*". This will set authority for all objects within "/webcontent" except for subdirectories. Unfortunately the "*" does not cover subdirectories, which is why you cannot simply execute one CHGAUT with OBJ set to "/procfiles/*".
Zone Resolution in Aliases
It is also helpful to understand how Strategi Zone resolution is accomplished with Aliases. For instance, if DEFAULT's "/sales" directory is aliased to EXAMPLE's "/sales" directory, which authority settings apply-- the settings for EXAMPLE's SALES Zone, or settings for the DEFAULT Website's Zone?
This is governed by the ZONE parameter of the CRTSGIALS & CHGSGIALS commands. There are two possible settings: *SOURCE and *TARGET.
Setting ZONE to *SOURCE indicates that the Zone is resolved BEFORE Alias substitution occurs. In other words, in the example above, the Zone would be whatever Zone the DEFAULT Website's "/sales" directory was considered, since this is what was requested by the browser.
Setting ZONE to *TARGET indicates that the Zone is resolved AFTER Alias substitution occurs. So the Zone would actually be EXAMPLE's SALES Zone. This is obviously an important consideration, since any authority settings assigned to EXAMPLE's SALES Zone would apply to files requested from DEFAULT's "/sales" directory.
Aliasing to a iSeries 400 Document Folder
Using the Alias SUBTYPE(*IFS), one can Alias to an iSeries 400 Document Folder. This is possible because all Document Folders are actually subdirectories of the "/QDLS" directory on the IFS. For instance, if one had a Folder named "GRAPHICS" which contained jpeg images, and these images needed to be made available from the DEFAULT website, the following CRTSGIALS could be issued:
CRTSGIALS RQSSITE(DEFAULT) RQSPATH('/gfxflr') SUBTYPE(*IFS) SUBDOMAIN(*NONE) SUBPATH('/QDLS/GRAPHICS') STATUS(*ENABLED) TEXT('GRAPHICS Folder available from Web') ZONE(*SOURCE)It is also important that appropriate authority rights are set up for the SGIJOBCTL user profile. Instead of using the CHGAUT command as we did for normal IFS directories, Folders require that we use the iSeries 400 command CHGDLOAUT:
CHGDLOAUT DLO(*ALL) FLR(GRAPHICS) USRAUT((SGIJOBCTL USE))This will give SGIJOBCTL read and execute authority for everything within the GRAPHICS folder.
After a Strategi restart, an image in the GRAPHICS folder named "my.jpg" could be accessed from a browser by requesting:
In conclusion, Aliases allow for documents to be accessed through several Websites while being maintained in a single location. Additionally, they allow content anywhere on the iSeries 400 IFS to be served via the Strategi Webserver.
** End of Technical Support Bulletin **