ServerUserId Directive Needed for Apache and QNTC

Resolving The Problem

The ServerUserID Directvie is required when using Apache Server to run CGI programs for QNTC, QFILESVR.400. There are three items about the ServerUserID directive:

1.	The ServerUserID is required because it is used to connect to the other server.
2.	The ServerUserID must have the same password on each system.
3.	Have the user sign on with that user ID, and view the qfilesvr.400 link. That user must have access to the remote files.

A sample working configuration that has the ServerUserID being used in Apache follows:

Example

# Configuration originally created by Create HTTP Server wizard on Wed  
Jul 11 14:49:46 CDT 2007                                                
Listen *:8088                                                          
DocumentRoot /www/ewsfilesvr/htdocs                                    
Options -ExecCGI -FollowSymLinks -SymLinksIfOwnerMatch -Includes        
-IncludesNoExec -Indexes -MultiViews                                    
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"
combined                                                                
LogFormat "%{Cookie}n \"%r\" %t" cookie                                
LogFormat "%{User-agent}i" agent                                        
LogFormat "%{Referer}i -> %U" referer                                  
LogFormat "%h %l %u %t \"%r\" %>s %b" common                            
CustomLog logs/access_log combined                                      
LogMaint logs/access_log 7 0                                            
LogMaint logs/error_log 7 0                                            
SetEnvIf "User-Agent" "Mozilla/2" nokeepalive                          
SetEnvIf "User-Agent" "JDK/1\.0" force-response-1.0                    
SetEnvIf "User-Agent" "Java/1\.0" force-response-1.0                    
SetEnvIf "User-Agent" "RealPlayer 4\.0" force-response-1.0              
SetEnvIf "User-Agent" "MSIE 4\.0b2;" nokeepalive                        
SetEnvIf "User-Agent" "MSIE 4\.0b2;" force-response-1.0                
<Directory />                                                          
   Order Deny,Allow                                                    
   Deny From all                                                        
</Directory>                                                            
<Directory /qfilesvr.400/RCHASK60/www/dancgi/htdocs>                    
   Order Allow,Deny                                                    
   Allow From all                                                      
</Directory>                                                            
<Directory /www/ewsfilesvr/htdocs>                                      
   Order Allow,Deny                                                    
   Allow From all                                                      
</Directory>                                                            
ServerUserID MYUSER                                                     
AliasMatch ^/test/(.*) /qfilesvr.400/RCHASK60/www/dancgi/htdocs/$1

Note: The ServerUserID is recommended to be set in the global context, not in a container. The reason for this is as follows:

Normally, when HTTP server receives a request, it will follow the steps below:

1. Validate the request.
2. Process the request (get a file, run CGI program, and so on)
3. Send response back to client.

a. If the ServerUserID MYUSER is set in global context:

When HTTP server is started, the worker threads (threads to handle request) are already running under the specified user profile MYUSER. This means all of the above three steps are run under MYUSER. All requests will be run under MYUSER in the whole life cycle of the HTTP server.

b. If the ServerUserID MYUSER is set in container context:

HTTP server will only temporarily swap to the specified user profile (MYUSER) to process the request and swap back to the default QTMHHTTP user profile immediately. That means Step 1 is processed under QTMHHTTP, then swaps to MYUSER and processes Step 2, and swaps back immediately to QTMHHTTP when processing Step 3. This is the design of how that directive works in a container context. (You should only swap to MYUSER when actually processing the request; other steps still run under default QTMHHTTP.)

Problems can occur during Step 1 when user ID is set in the container context. The HTTP server will fail to validate the request URI because the default HTTP server user profile QTMHHTTP does not have authority to access that file, so it will return a 404 (File not Found).

So, if you do not want all requests to run under MYUSER (set in global), which is a higher authority than default QTMHHTTP, some extra configuration must be done to let the HTTP server's default user profile QTMHHTTP have enough authority to access files in QNTC:

1.	Add the ServerUserID to the container in the httpd.conf: <Directory /QNTC/foldername> Order Allow,Deny Allow From all ServerUserID MYUSER </Directory>
2.	Remove all other ServerUserID MYUSER and UserID MYUSER directives from httd.conf.
3.	Change the password for QTMHHTTP user profile to a known value, and set up a new account on the Windows server for QTMHHTTP with the same password.
4.	Restart HTTP server and try again. Note: For Step 3, ensure QTMHHTTP can access files in QNTC to do the necessary validation step. Sign into a 5250 session with QTMHHTTP and check to see if you can navigate to the QNTC IFS path using the WRKLNK.