Tags: php, authentication, db2-400, db2-connect

Why does XMLSERVICE call not use authenticated user when running commands, calling programs?


We have Zend PHP 7.2 running on IBM i OS 7.2.

When making program calls or executing commands through the XML Service Toolkit, the execution of those is occurring under the QTMHHTTP profile and not the authenticated user for the connection. This is causing all sorts of authority issues.

The following code fails with an authentication error as it should. If I replace the user profile and password values with real ones, the output is properly created and the DSPJOB output shows the current user of the XMLSERVICE job is QTMHHTTP, and not the specified user.

<html>
  <head>
    <title>Connection Test</title>
    <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/css/bootstrap.min.css" integrity="sha384-MCw98/SFnGE8fJT3GXwEOngsV7Zt27NXFoaoApmYm81iuXoPkFOJwJ8ERdknLPMO" crossorigin="anonymous">
  </head>
  <body>
    <div class="container m-4">
      <h1>Connection Test</h1>
      <?php
        include_once zend_deployment_library_path('PHP Toolkit for IBMI i') . DIRECTORY_SEPARATOR . 'ToolkitService.php';
        $user = 'MYID'; $passwd = 'MYPWD';
        $options = array('i5_naming' => DB2_I5_NAMING_ON);
        // db2_connect() does not throw on failure; it returns false
        $connection = db2_connect('*LOCAL', $user, $passwd, $options);
        if ($connection === false) { print db2_conn_errormsg(); exit(); }
        try { $toolkit = ToolkitService::getInstance($connection, DB2_I5_NAMING_ON); }
        catch (Exception $e) { echo $e->getMessage(), "\n"; exit(); }
        // no toolkit params set, so this call is stateless (shared XMLSERVICE job)
        $output = $toolkit->CLInteractiveCommand('DSPJOB');
        echo "<div class='alert alert-info alert-dismissible'>";
        echo "<button type='button' class='close' data-dismiss='alert'>&times;</button>";
        echo "<pre>"; print_r($output); echo "</pre>";
        echo "</div>";
      ?>
    </div>
  </body>
</html>

Clearly the authentication is occurring, as when credentials are supplied, they must be correct. However, I can get the same output by simply blanking the user profile and password fields, using the default 'QTMHHTTP' mode of connection.

What are we missing to get the functions to run under the authenticated user?

Note that the issue was found when we tried to call a system API and were getting authority errors that should not occur for the authenticated user (the same API called from 5250 by the same user worked).


Solution

  • This was solved with the help of the wonderful Alan Seiden (http://www.seidengroup.com) who pointed out the stateless/stateful connection choice.

    Specifically, by default a connection will be stateless and this means it runs under a common job on the server, under user QTMHHTTP. However, by specifying the following option on the Toolkit, a private, stateful server job is started. This means not only does it run under the authenticated user, but the job remains active and retains its file cursors, QTEMP contents, etc.

    $toolkit->setToolkitServiceParams(array('InternalKey'=>"/tmp/$user"));
    

    This is mentioned in Alan's slides here (p54): https://www.seidengroup.com/toolkit/
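The stateful setup from the answer, as an added example (not code from the question, the answer, or the toolkit itself): it starts the private job with a per-user InternalKey and then reads back the job's effective user before doing any authority-sensitive work. The library name is taken from the question's code; the DSPJOB label "Current user profile" that the parser looks for, the helper names and the placeholder credentials are assumptions.

```php
<?php
// Added example: connect with a private, stateful XMLSERVICE job and verify
// that the job really runs under the authenticated user (fail closed if not).
include_once zend_deployment_library_path('PHP Toolkit for IBMI i')
    . DIRECTORY_SEPARATOR . 'ToolkitService.php';

function connectStateful(string $user, string $passwd): ToolkitService
{
    // db2_connect() does not throw; it returns false on failure.
    $conn = db2_connect('*LOCAL', $user, $passwd, array('i5_naming' => DB2_I5_NAMING_ON));
    if ($conn === false) {
        throw new RuntimeException('db2_connect failed: ' . db2_conn_errormsg());
    }
    $toolkit = ToolkitService::getInstance($conn, DB2_I5_NAMING_ON);
    // Without InternalKey the call is stateless and runs under QTMHHTTP.
    // A per-user key starts a private job under the authenticated profile;
    // the key must be unique per user so that users never share one job.
    $toolkit->setToolkitServiceParams(array('InternalKey' => "/tmp/$user"));
    return $toolkit;
}

// Returns the profile the XMLSERVICE job runs under, or null if not found.
// Assumes DSPJOB output contains a "Current user profile . . . :  NAME" line.
function currentJobUser(ToolkitService $toolkit): ?string
{
    $lines = $toolkit->CLInteractiveCommand('DSPJOB');
    foreach ((array) $lines as $line) {
        if (preg_match('/Current user profile[ .]*:\s*(\S+)/i', $line, $m)) {
            return strtoupper($m[1]);
        }
    }
    return null;
}

$user = 'MYID'; $passwd = 'MYPWD'; // placeholders, as in the question
$toolkit = connectStateful($user, $passwd);
$jobUser = currentJobUser($toolkit);
if ($jobUser !== strtoupper($user)) {
    // Refuse to continue: later calls would run with the wrong authorities.
    exit('XMLSERVICE job runs as ' . ($jobUser ?? 'unknown') . ", expected $user\n");
}
echo "Stateful XMLSERVICE job confirmed under $user\n";
```

If the check fails, the most likely cause is that the InternalKey was not applied before the first call, which leaves the toolkit on the shared QTMHHTTP job described in the question.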