Tag Archives: Zend

Who is Rogue Wave Software?

Well, that’s the first question that came to my head when I found out they were going to acquire Zend.  Below are some links to dive deeper into understanding what they do and offer.  It looks like they are a really good fit for PHP’s future and high-performance computing.

Website: http://www.roguewave.com/

Wiki: https://en.wikipedia.org/wiki/Rogue_Wave_Software

Crunchbase: https://www.crunchbase.com/organization/rogue-wave-software#/entity

Andi Gutmans’ LinkedIn message: https://www.linkedin.com/pulse/big-news-enterprise-php-andi-gutmans

Acquisitions

Klocwork – a tool that helps “developers create more secure and reliable software by analysing source code on-the-fly, simplifying peer code reviews, and extending the life of complex software.” – https://en.wikipedia.org/wiki/Klocwork
IBM’s ILOG Visualization for C++ Products – http://www.roguewave.com/company/news/2012/rogue-wave-software-acquires-ilog-visualization
Acumem – “performance tuning tools for single- and multi-threaded applications” – http://www.theregister.co.uk/2010/10/04/rogue_wave_acumem/
TotalView Debugger – insights into debugging high-performance computing (HPC) and supercomputing applications – http://www.roguewave.com/products-services/totalview
Visual Numerics: advanced analytics software

Zend Acquisition PR

Geek Time’s Article

PHP CLI on IBMi PASE Memory Limit Problem (AIX OS via QP2TERM)

I ran into one of the hardest things to figure out: the dreaded “Segmentation fault” and “Illegal instruction” while running php-cli in a QP2TERM session (a PASE/AIX/“IBM’s unix” shell). The exact errors were:

php-cli[9]: 12345 Illegal instruction (coredump)  – when run non-interactively

php-cli[9]: 12345 Segmentation fault(coredump) – when run interactively

Note: php-cli is the shell script that calls the PHP interpreter on line 9 from the command line, and 12345 is the AIX process id that had the issue.  Segmentation fault means you are addressing memory outside of your data segment, which has a predefined size (256MB).  The coredump part means a data dump of the process should be in the system log.

In /usr/local/zendsvr/etc/php.ini I tried to increase the
memory_limit = 512M ; Maximum amount of memory a script may consume (512M). 

I tried to set the value in my script with
ini_set('memory_limit', '512M');

I even tried to set it on the command line with the -d option
/usr/local/zendsvr/bin/php-cli -d memory_limit=512M myscript.php

I figured out the amount of memory my script was using by reducing the number of records it was processing and running the following echo command to get the peak memory usage:

echo "Memory Peak Usage: " . (memory_get_peak_usage() / 1024 / 1024) . " MB";

The actual memory bottleneck was happening further up the chain, at the AIX process/job level.  The default memory limit of an AIX process is 256MB, with additional data segments of 256MB each (hex 0x10000000, i.e. 2^8 MB) up to a maximum of 8 additional data segments.
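As an added example (not code from the original post; PHP 7.1+ syntax), the one-off peak-usage echo above can become a per-chunk headroom check that stops a long run before it hits either memory_limit or the 256MB AIX process cap; the record shape, the $handler callback and the 0.8 threshold are assumptions.

```php
<?php
// Added example, not code from the original post: the one-off peak-usage echo
// becomes a per-chunk headroom check, so a long record-processing run stops
// with a clear message instead of dying with a bare "Segmentation fault".
// Assumptions: records are plain arrays, $handler does the real work, and the
// 256MB process cap is the AIX default data segment size the post describes.

// Convert a php.ini shorthand size ("512M", "256K", "1G", "-1") to bytes.
function ini_size_to_bytes(string $value): int {
    $value = trim($value);
    if ($value === '-1') {
        return PHP_INT_MAX;                    // -1 means unlimited in php.ini
    }
    $number = (int) $value;                    // (int) "512M" === 512
    switch (strtoupper(substr($value, -1))) {
        case 'G': return $number << 30;
        case 'M': return $number << 20;
        case 'K': return $number << 10;
        default:  return $number;              // plain byte count
    }
}

// The effective ceiling is the smaller of memory_limit and the process-level
// cap, which stays at 256MB unless LDR_CNTRL=MAXDATA=... was raised by the
// parent process (see the Solution below).
function effective_memory_cap(int $processCapBytes = 256 << 20): int {
    return min(ini_size_to_bytes((string) ini_get('memory_limit')), $processCapBytes);
}

// Process $records in chunks of $chunkSize; after each chunk, report the peak
// usage (CLI only: STDERR) and stop once it passes $maxFraction of the cap.
// Returns the number of records processed.
function process_in_chunks(array $records, int $chunkSize, callable $handler, float $maxFraction = 0.8): int {
    $cap  = effective_memory_cap();
    $done = 0;
    foreach (array_chunk($records, $chunkSize) as $chunk) {
        $handler($chunk);
        $done += count($chunk);
        $peak  = memory_get_peak_usage(true);
        fprintf(STDERR, "Memory Peak Usage: %.1f MB after %d records\n", $peak / 1024 / 1024, $done);
        if ($peak > $cap * $maxFraction) {
            throw new RuntimeException(sprintf(
                'stopping after %d records: peak %.1f MB exceeds %d%% of the %.0f MB cap',
                $done, $peak / 1024 / 1024, (int) ($maxFraction * 100), $cap / 1024 / 1024
            ));
        }
    }
    return $done;
}
```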

Solution

Set the LDR_CNTRL environment variable in the parent process (php-cli) to allow multiple data segments (in the example below, 8 additional data segments of 256MB for 2.25GB of memory [this is the max…]), run your PHP script, and then unset LDR_CNTRL so you don’t affect other processes.   Modify the shell script /usr/local/zendsvr/bin/php-cli and wrap the call to the PHP interpreter ($ZCE_PREFIX/bin/php "$@") with the export and unset of LDR_CNTRL as shown below:

export LDR_CNTRL=MAXDATA=0xB0000000@DSA
$ZCE_PREFIX/bin/php "$@"
unset LDR_CNTRL

putenv() should probably not work, because LDR_CNTRL has to be set by the parent process before the interpreter is loaded, not by the PHP script itself:

putenv("LDR_CNTRL=MAXDATA=0xB0000000@DSA");

Use echo getenv("LDR_CNTRL"); in your PHP script to see what it’s set to.

If you are using FastCGI with Apache you can modify the config file (/www/zendsvr/conf/fastcgi.conf) and add the following to the end of the line starting with Server type="application/x-httpd-php" …

SetEnv="LDR_CNTRL=MAXDATA=0xB0000000@DSA"

Caution

If you are hitting this limit you should probably look at the program you created because there may be something that is inefficiently using memory and that should be fixed instead of changing the memory limit.

What is this DSA?

“The @DSA which can be appended to this value allows the boundary between private data and shared memory to be changed, allowing more segments to be used and the heap to start in segment 3. It also allows shared objects to be moved into segment 2 to give more contiguous space (See Figure 4).” – http://ibmsystemsmag.com/CMSTemplates/IBMSystemsMag/Print.aspx?path=/aix/administrator/systemsmanagement/Avoiding-Those–Segmentation-Fault–Failure-Messag

More info here: https://www.ibm.com/support/knowledgecenter/en/ssw_aix_61/com.ibm.aix.genprogc/lrg_prg_support.htm

These issues might also go away when we go from 32-bit to 64-bit.

DB2 PHP Security Exploit – Older versions of Zend Server for IBM i – Login under any user profile without a password

If you’re running an old version of Zend Server on the IBM i make sure you look at this article from Zend Support:

https://support.zend.com/hc/en-us/articles/203733853-db2-connect-may-allow-blank-password-with-user-entered

Basically you need to rename
/usr/local/zendsvr/lib/libdb400.a to /usr/local/zendsvr/lib/libdb400.a.bak

To do this, Rod Flohr suggests you open a PASE shell and issue a mv command to rename the file.

5250 Terminal:

call qp2term

PASE:

mv /usr/local/zendsvr/lib/libdb400.a /usr/local/zendsvr/lib/libdb400.a.bak

If you pass user-supplied parameters to the db2_connect() function, a person could possibly log in as someone else with greater authorities and get into pages or access data they aren’t authorized to use.
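As an added example (not code from the original post or from Zend; PHP 7.1+ syntax), a login helper that rejects blank credentials in PHP before db2_connect() ever sees them, as a second line of defence alongside renaming libdb400.a; the profile-name pattern, the '*LOCAL' database name and the exception types are assumptions for this example.

```php
<?php
// Added example, not code from the original post or from Zend: a login helper
// that rejects blank credentials in PHP before db2_connect() ever sees them,
// as a second line of defence alongside renaming libdb400.a. The profile-name
// rule (1-10 chars from A-Z, 0-9, $, #, @, _, not starting with a digit) is
// the usual IBM i user profile rule; '*LOCAL' and the exception types are
// choices for this example.

// Return null when the credentials may be passed on, otherwise the reason why not.
function validate_login_input(string $user, string $password): ?string {
    if (!preg_match('/^[A-Za-z$#@][A-Za-z0-9_$#@]{0,9}$/', $user)) {
        return 'invalid user profile name';
    }
    // The bug in the old libdb400.a accepted an empty password; a whitespace-only
    // one is treated the same way here rather than left for DB2 to decide.
    if (trim($password) === '') {
        return 'password must not be blank';
    }
    return null;
}

// Connect as the supplied user or throw; never returns a connection for
// rejected input, so a bypass in the library cannot be reached that way.
function connect_as_user(string $user, string $password, string $database = '*LOCAL') {
    $problem = validate_login_input($user, $password);
    if ($problem !== null) {
        throw new InvalidArgumentException($problem);
    }
    // Pass the password through unchanged: with long passwords enabled
    // (QPWDLVL 2 or 3) it is case sensitive, so no strtoupper() here.
    $conn = db2_connect($database, $user, $password);
    if ($conn === false) {
        // Keep the DB2 error text in the server log only; the user gets nothing
        // that distinguishes "no such profile" from "wrong password".
        error_log('db2_connect failed for ' . $user . ': ' . db2_conn_errormsg());
        throw new RuntimeException('login failed');
    }
    return $conn;
}

// Typical use from a login page (the POST field names are assumptions):
// $conn = connect_as_user($_POST['user'] ?? '', $_POST['password'] ?? '');
```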

PHP Security on the IBM i – Locking down the IFS permissions – Best way to handle authorities in the web root and subdirectories.

Are you unable to modify another user’s PHP file on the IBM i? Do you constantly need to give QTMHHTTP read permissions to the new PHP you uploaded? After going through this guide you’ll fix these issues and streamline your PHP development on the IBM i while maintaining security of the IFS.

Overview of permissions on your webroot folder for Zend Server:
*PUBLIC: DTAAUT(*NONE)
PRIMARY GROUP: NOGROUP = DTAAUT(*RX)
OWNER: WEBCODERS = DTAAUT(*RWX)

Summary: Public gets no access, Primary Group is a group that the user QTMHHTTP is a part of and only has read access, and the owner is your development team group profile (WEBCODERS) with your web development team user profiles in that group.

As always, test this on a development machine.  DON’T DO THIS IN PRODUCTION unless you’ve tested it.

5 Steps to secure your PHP installation

1. Don’t give *PUBLIC access

CHGAUT OBJ('/www/zendsvr/htdocs/') USER(*PUBLIC) DTAAUT(*NONE) OBJAUT(*NONE) SUBTREE(*ALL)

I’ve heard of many people who are insecurely using PHP on the IBM i. If you are giving *PUBLIC any access to your files under /www/zendsvr/htdocs you are giving too much access. You don’t want anyone with access to your IBM i to be able to read your PHP files or your configuration files containing the database username and password. Make sure *PUBLIC has no data authorities on any file under the web root directory by running the CHGAUT command recursively.

2. Set the Primary Group on the webroot (/www/zendsvr/htdocs) to a group with QTMHHTTP in it

CHGPGP OBJ('/www/zendsvr/htdocs') NEWPGP(NOGROUP) RVKOLDAUT(*NO) SUBTREE(*ALL)
CHGAUT OBJ('/www/zendsvr/htdocs/') USER(NOGROUP) DTAAUT(*RX) OBJAUT(*NONE) SUBTREE(*ALL)

Remember that each new object under a parent directory inherits the *PUBLIC authority, primary group authority and owner authority of the parent. So you’ll want to set the primary group to NOGROUP and give it read access. Make sure QTMHHTTP is a member of this group. This is the user that PHP is using to access the files; it is typically called APACHE or NOBODY on Linux systems.

3. Give access to a development team group profile so your web developers have write access to create new files and directories and read access to view the files on the server.  Unfortunately you’ll always have to re-run CHGAUT for WEBCODERS, because when someone uploads a file they become its owner.  You may want to consider a daily job that automatically runs this, or have your developers share the login information for WEBCODERS and always upload with that profile.

CHGOWN OBJ('/www/zendsvr/htdocs/') NEWOWN(WEBCODERS) RVKOLDAUT(*NO) SUBTREE(*ALL)
CHGAUT OBJ('/www/zendsvr/htdocs/') USER(WEBCODERS) DTAAUT(*RWX) OBJAUT(*ALL) SUBTREE(*ALL)

4. Give write permissions to the directories that QTMHHTTP needs write access to.  If your PHP is saving or creating a file on the IFS it will need write permissions to that directory.

CHGAUT OBJ('/www/zendsvr/writeable/uploads') USER(QTMHHTTP) DTAAUT(*RWX) OBJAUT(*NONE) SUBTREE(*NO)

Below are some shell functions you can use if you have bash or the Bourne shell

5. (Optional) Set the umask to set the default permissions given to new files created by a program (like FTP, SFTP, SSH).  In the example below the first 0 means give user rwx, 2 means give group rx, and 7 means give other nothing.

umask 027
#u=rwx,g=rx,o=

For SFTP you’d modify sshd_config to load a shell .profile that would then run the umask.  (replace * with the version number of openssh you’re using or find it by running find)

find / | grep sshd_config
vi /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-*.*p*/etc/sshd_config
# set ibmpaseforishell to your favorite shell (in this case bash)
ibmpaseforishell=/QOpenSys/opt/freeware/bin/bash
# set the umask in our .profile so it will always load, using this command to append
# "umask 022" to the end of the file (.profile)
echo "umask 022" >> ~/.profile

#shout out to @aaronbartell for informing me of umask

Experiment using Authorization List: 

Now, I looked into using authorization lists, but they don’t inherit from the parent directory IF you’re using the mkdir command API (different from the IBM i command line mkdir alias).  That would be the best-case scenario, since then new objects would inherit the WEBDEVAUTL authorization list, your development team would be in that list, and everyone on your team could create new files and directories and everyone else could modify them later.  Below are the commands to create an AUTL, but remember it will only work if you’re NOT using the mkdir command.

CRTAUTL AUTL(WEBDEVAUTL) TEXT('Auth List for Web Developers')
ADDAUTLE AUTL(WEBDEVAUTL) USER(WEBDEV1 WEBDEV2) AUT(*ALL)
CHGAUT OBJ('/www/zendsvr/htdocs/') AUTL(WEBDEVAUTL) DTAAUT(*RWX) OBJAUT(*ALL) SUBTREE(*ALL)

More info on mkdir not inheriting from the parent directory here: https://www.ibm.com/developerworks/community/forums/html/topic?id=77777777-0000-0000-0000-000014510624 .  Hopefully IBM will one day give mkdir the same functionality as the CRTDIR CL command.  Another good read about the IFS: http://publib.boulder.ibm.com/iseries/v5r1/ic2924/books/c415300522.htm

Support for long passwords may break your login page on Zend Server for IBM i

To keep up with security on the IBM i, your company will eventually support long passwords and more characters.  This means people can use symbols and lower case characters, which will help increase the difficulty of guessing a password.  The problem you may run into with your PHP script is that if you were using the strtoupper() function on your password and username variables, you’ll now have to remove that function because lower case characters and symbols are now valid.   You’ll also need to warn your users that the login page is now case sensitive.

FYI: In V5R1, the i5 added support for long passwords, and by default it was set to off.  QPWDLVL is the system value you need to change.  You can set the max length of the password using QPWDMAXLEN.   If you are using a custom login page you may need to rewrite it or switch to QSYS/QDSIGNON.  You will have to IPL the system after this change.

Migrating from Zend Core for i to Zend Server for IBM i – My Experience

I’m currently working on migrating from Zend Core 2.6.0 to Zend Server 5.6 for IBM i.  Big thanks to Alan Seiden, who has some very helpful blog posts on this topic.  I’d recommend checking out:

http://www.alanseiden.com/2010/04/21/differences-between-zend-core-and-zend-server-on-ibm-i/

and

http://www.alanseiden.com/2011/02/08/qa-upgrading-from-zend-core-to-zend-server/

Here are my tips from migrating:

  1. If you were using the i5_* functions for database connections you can continue using the AURA Equipments toolkit, but I think long term you’d be better off using the PHP db2_* functions.  Do not use the Zend Framework’s DB2 class since db2_bind_param doesn’t work.  The ZF team can’t implement it to work correctly right now and probably never will in the future.  I’ve been waiting 3 years now for them to make a change…
  2. Use http://as400:2001/HTTPAdmin to change the Apache config for Zend Server and to start/stop the server
  3. You’ll need to transfer your files from /www/zendcore to /www/zendsvr
  4. Give permissions to QTMHHTTP.
    Run STRQSH
    cd /www/zendsvr/htdocs
    chmod -R 770 .
    chown -R qtmhhttp .
  5. Modify the httpd.conf file and compare it against your old conf file to see if changes need to be made
    /www/zendcore/conf/httpd.conf
    /www/zendsvr/conf/httpd.conf
  6. Check your system CCSID value (DSPSYSVAL QCCSID).  If the value is 65535 then add the following two directives to the Apache configuration file (/www/zendsvr/conf/httpd.conf) and then stop and start Apache:
    DefaultFsCCSID 37
    CGIJobCCSID 37
  7. Edit the php.ini file and add a different session path (edit /usr/local/zendsvr/etc/php.ini)
    session.save_path = "/tmp/ZS"
  8. Change scripts that reference www/zendcore to www/zendsvr
  9. Recreate any NFS mounts since files might have moved into /www/zendsvr
  10. If you’re using Zend Framework you might want to continue using the old version that Zend Core had, so modify the include_path in your php.ini file to include it and not the new version (currently 1.11.10)
    include_path = ".:/usr/local/Zend/ZendFramework/library:/usr/local/zendsvr/share/pear:/usr/local/ZendSvr/share/ToolkitApi"
Benefits of upgrading from Zend Core:
  1. PERFORMANCE!  I’m seeing scripts running between 18%-400% faster.  One script used to take 40 seconds and now only takes 8 seconds.
  2. Only 1 Apache configuration to worry about now
  3. Latest PHP