Zend Core for IBM i - Security Considerations
Tony “Ranger” Cairns

Upload: zendcon

Posted on 12-May-2015


DESCRIPTION

Talk by Tony Cairns, IBM, at ZendCon 2009

TRANSCRIPT

Page 1: Zend Core on IBM i - Security Considerations

Zend Core for IBM i Security Considerations

Tony “Ranger” Cairns

Page 2: Zend Core on IBM i - Security Considerations

Developers are seeing PHP benefits, but managers are worried about PHP security.

What can we do?

Page 3: Zend Core on IBM i - Security Considerations

Option 1) Guarantee system security

Step 1) Unplug system.

Step 2) Lock in a vault.

Page 4: Zend Core on IBM i - Security Considerations

Option 2) Start a security journey where valuable information assets may be used by authorized people for authorized purposes ...

• Protect against outsiders
  – Would-be web hackers
  – Bumbling user input

• Protect against insiders
  – Would-be corporate criminals
  – Careless programmers

Page 5: Zend Core on IBM i - Security Considerations

An hour security pitch is not your answer...

but if you believe security is a journey not a destination, this may help.

Page 6: Zend Core on IBM i - Security Considerations

Zend Core

Step 1) Understand what we get out of the box.

[Diagram: ILE HTTP:89 Server (Reverse Proxy) -> PASE HTTP:8000 Server with PHP Module -> IBM i: DB2 UDB, I5_COMD (*PGM, *SRVPGM), IFS /www; 5250 zend subsystem admin tools alongside]

• RSTLICPGM
• 5250 start / stop zend subsystem
• Dual Apache configuration
• i5 toolkit for program access (i5_COMD)
• Multiple direct PHP DB2 access methods

Page 7: Zend Core on IBM i - Security Considerations

What to protect in Zend Core for IBM i?

• Internal Access (PHP)
  – Directories (web dirs)
    • /www/zendcore
    • /usr/local/Zend
  – Stream files (web pages / scripts)
    • /www/zendcore/htdocs
    • /usr/local/Zend/apache2/htdocs
  – Programs (web call)
    • /qsys.lib/zendcore.lib
    • Toolkit called programs (RPG)
  – User profiles
    • NOBODY, NOGROUP, etc.

• External Access (Web)
  – ILE Apache
    • /www/zendcore/conf
    • httpd.conf
  – PASE Apache
    • /usr/local/Zend/apache2/conf
    • httpd.conf
  – PHP configuration
    • /usr/local/Zend/Core/etc
    • php.ini
  – PHP programs (asset on ramp)
    • db2_connect()
    • i5_connect()

Page 8: Zend Core on IBM i - Security Considerations

Zend Core for IBM i installed profiles

• NOBODY (*USER)
  – PHP Apache server
  – Zend Core jobs (ZENDCOREAP)
  – Group = NOGROUP
  – Special authorities = *NONE

• NOGROUP (*USER)
  – Group profile
  – For access to NOBODY resources, other profiles may add Group = NOGROUP

• MYSQL (*PGMR)
  – MySQL profile
  – Optional install
  – Special authorities = *NONE

• ZENDADMIN (*SECOFR)
  – Start/stop jobs in ZEND subsystem
  – Pseudo random generator (prngd)
  – GROUP = *NONE
  – *ALL special authorities

• ZENDTECH (*USER)
  – Update PHP configuration
  – GROUP = *NONE
  – Special authorities = *NONE

Page 9: Zend Core on IBM i - Security Considerations

Zend Core

Zend Core for IBM i access rights ...

[Diagram: the out-of-the-box components (ILE HTTP:89 Server (Reverse Proxy), PASE HTTP:8000 Server with PHP Module, DB2 UDB, I5_COMD *PGM/*SRVPGM/CMD, IFS /www/zendcore and /usr/local/Zend, 5250 zend subsystem admin tools) annotated with the profiles holding Execute Rights and Access Rights: QTMHHTTP, ZENDADMIN, ZENDTECH, NOBODY, NOGROUP; everyone else is *PUBLIC EXCLUDE]

Page 10: Zend Core on IBM i - Security Considerations

/www/zendcore

• Default secure as of ZC 2.6.1 ...
  – Access control is no public access
    • /www/zendcore/* (drwxrws--- 5 nobody)
      – PUBLIC *EXCLUDE
      – NOBODY *RWX
      – Note: NOGROUP *RWX
    • /www
      – PUBLIC *RX
  – PUBLIC is not allowed access to PHP scripts or other information
    • Add group profile NOGROUP to other user profiles for access
      – QTMHHTTP – Group = NOGROUP

Protect your PHP applications from public view.

Page 11: Zend Core on IBM i - Security Considerations

/usr/local/Zend

• Default secure as of ZC 2.6.1 ...
  – Access control standard web
    • /usr/local/Zend (drwxr-sr-x 5 qsecofr)
      – PUBLIC *RX
      – QSECOFR *RWX (who installed)
      – Note: NOGROUP *RX
    • /usr, /usr/local
      – PUBLIC *RX
  – Public is allowed access to PHP from command line or RPG program, etc.

• More secure ...
  – Access control only PHP web
    • /usr/local/Zend (drwxr-s--- 5 qsecofr)
      – PUBLIC *EXCLUDE
    • /usr, /usr/local
      – PUBLIC *USE
  – Public will not be able to call PHP from command line or RPG program
  – Add group profile NOGROUP to other user profiles for access
    • QTMHHTTP – Group = NOGROUP

Protect Zend Core web server, programs, configuration and files.

Page 12: Zend Core on IBM i - Security Considerations

ZENDCORE (product library)

• Default secure as of ZC 2.6.1
  – PUBLIC *RX
  – ZENDADMIN *RWX

• More secure ...
  – PUBLIC *EXCLUDE
    • Only PHP administrator can access programs (adopt QSECOFR)

Protect Zend Core product library programs.

Page 13: Zend Core on IBM i - Security Considerations

Apache configuration

/www/zendcore/conf/httpd.conf
/usr/local/Zend/apache2/conf/httpd.conf

Page 14: Zend Core on IBM i - Security Considerations

Dual Apache ZC 2.6.1 (default)

• ILE Apache:89
  – Responds to any browser
  – Reverse proxy to PASE Apache:8000
  – Configuration
    • http://myi:2001/HTTPAdmin -> ZENDCORE
  – https is available

• PASE Apache:8000
  – Responds to any browser
  – Also reverse proxy via Apache:89
  – Configuration (edit only)
    • http://myi:2001/HTTPAdmin -> PASENEW
    • /usr/local/Zend/apache2/conf/httpd.conf
  – https is available

[Diagram: Browser http://myi:89 -> HTTP:89 Server (Reverse Proxy) -> HTTP:8000 Server (PHP Module); Browser http://myi:8000 -> HTTP:8000 Server directly]

Page 15: Zend Core on IBM i - Security Considerations

Comparison of the Two HTTP Servers

                  Apache Server (PASE, port 8000)                                  | IBM HTTP Server (ILE, port 89)
Main function     run the PHP application and return result                       | reverse proxy server
Https             available, but certificates using PASE openssl tools            | available
                  (unfamiliar to i5 folks)                                        |
Configuration     edit only; configure the server using the IBM GUI (no tabs)     | configure server instance using IBM Web Administration Tool
Runs in           IBM i PASE                                                      | IBM i
Instance          server instance created and configured automatically when      | ZENDCORE instance created and configured automatically when
                  Zend Core product is installed                                  | Zend Core product is installed
Server type       UNIX-based open source server                                   | ZENDCORE server instance; using 5722DG1 product

Page 16: Zend Core on IBM i - Security Considerations

Apache degrees of security, a matter of choice ...

Lower security
• PASE Apache:8000 (default)
• ILE Apache:89 (default)
  – Reverse proxy to 8000
• ILE Apache:89 (edit)
  – Reverse proxy 8000
  – 8000 only responds localhost
• PASE SSL enabled
  – Using openssl
• ILE Apache SSL enabled
  – Reverse proxy to 8000
  – 8000 only responds localhost
• Multiple systems
  – DMZ reverse proxy
Higher security

Page 17: Zend Core on IBM i - Security Considerations

PASE Apache Server (default)

• Listens on port 8000
  – Only receives URL requests that are sent to that port
• Allows any user to make these requests
• All data flowing between the IBM HTTP Server (Reverse Proxy) and the Apache server is not encrypted
• All data flowing on the network between client and server is public

[Diagram: Browser http://myi:8000 -> HTTP:8000 Server (PHP Module); the HTTP:89 Server (Reverse Proxy) also forwards to it. Lower security.]

httpd.conf:
  User nobody
  Group nogroup

Page 18: Zend Core on IBM i - Security Considerations

IBM HTTP Server Reverse Proxy (default)

• Server instance name is: ZENDCORE
• Listens on port 89
  – Only receives URL requests that are sent to that port
• Users are denied access if requesting any other directory/files/applications
• Forwards on those requests to the Apache Server 8000
• Allows any user to make requests
• All data flowing on the network between client and server is public

[Diagram: Browser http://myi:89 -> HTTP:89 Server (Reverse Proxy) -> HTTP:8000 Server (PHP Module). Lower security.]

httpd.conf: QTMHHTTP (default)

Page 19: Zend Core on IBM i - Security Considerations

IBM HTTP Server Reverse Proxy (default)
Modify PASE Apache for localhost (edit)

• Leave HTTP Server:89 as is
  – Leave reverse proxy
• Modify PASE Apache
  – Change:
    • Allow from all
  – To:
    • Allow from 127.0.0.1
    • 127.0.0.1 == localhost

[Diagram: Browser http://myi:89 -> HTTP:89 Server (Reverse Proxy) -> HTTP:8000 Server (PHP Module); port 8000 now answers localhost only. More security.]

httpd.conf: Allow from 127.0.0.1 (localhost)

Page 20: Zend Core on IBM i - Security Considerations

PASE Apache 443 (https) (short “self certificate” tutorial)

• Make certificate (self)
  – call qp2term
  – cd /usr/local/Zend/apache2/conf
  – openssl req -x509 -nodes -days 365 -subj '/C=US/ST=Minnesota/L=Rochester/CN=www.myi.com' -newkey rsa:4096 -keyout server.key -out server.crt
  – Note: make the CN correct for your site

• Go zendcore/zcmenu
  – 7. Additional Apache options
  – 2. PASE Apache Control
    • /usr/local/...
    • http_ssl.conf
    • S = Start (E = Stop)

• https://myi5
  – Get certificate (not permanent)
  – Note https is port 443 (conflict?)

[Diagram: Browser https://myi -> HTTP:8000 Server (PHP Module), encrypted. Higher security.]

httpd_ssl.conf:
  Include conf/ssl.conf
ssl.conf:
  SSLCertificateFile /usr.../server.crt
  SSLCertificateKeyFile /usr.../server.key

Page 21: Zend Core on IBM i - Security Considerations

IBM HTTP Server 443

• HTTP 443 documented procedure
  – Web GUI (2001 port)
• Copy the reverse proxy lines into your new 443 instance
  – ProxyPass / http://127.0.0.1:8000
  – ProxyPassReverse / http://127.0.0.1:8000
• Change PASE Apache
  – From: Allow from all
  – To: Allow from 127.0.0.1

[Diagram: Browser https://myi -> HTTP:443 Server (Reverse Proxy) -> HTTP:8000 Server (PHP Module), encrypted. Higher security.]

httpd.conf: Allow from 127.0.0.1 (localhost)

Page 22: Zend Core on IBM i - Security Considerations

DMZ System

“Reverse Proxy” HTTP Server

• Improves performance
  – Can cache static documents in memory
  – Can aid with balancing requests to a set of HTTP servers

• Improves security
  – Can control access at the front door
  – Can keep server in DMZ separate from internal network
  – Hides the content server environment
  – Can log activity

[Diagram: HTTP:80 Server (Reverse Proxy) in the DMZ, FIREWALL, then HTTP:89 Server (Reverse Proxy) -> HTTP:8000 Server (PHP Module) -> DB2 UDB, I5_COMD (*PGM, *SRVPGM, CMD, ...), IFS /www/zendcore and /usr/local/Zend]

Page 23: Zend Core on IBM i - Security Considerations

Tip: PASE Apache prefork start/stop

• Good PASE Apache settings
    <IfModule prefork.c>
      StartServers 5
      MinSpareServers 5
      MaxSpareServers 25
      MaxClients 25
      MaxRequestsPerChild 0
    </IfModule>
• Keep the same
  – StartServers == MinSpareServers
  – MaxSpareServers == MaxClients
• Leave as zero or very high count
  – MaxRequestsPerChild 0
• Never end worker job

[Diagram: HTTP:89 Server (Reverse Proxy) feeding a pool of six HTTP:8000 Server worker jobs]

Avoid PASE Apache bad prefork settings. The machine will prefork to “death”!

Page 24: Zend Core on IBM i - Security Considerations

Tip: Apache “chroot”

• Apache security consultants may recommend chroot to a new directory that can not access other commands on the system.
• This approach is not recommended for PASE Apache
  – The qsys file system will no longer be accessible
    • PHP interoperability with ILE becomes increasingly difficult
  – The /QOpenSys file system contains PASE “shared binaries” used by Apache
    • Chroot below /QOpenSys may be the only way to run without a “difficult” copy of the runtime for your PASE Apache engine

Apache chroot not recommended (security to failure)!

Page 25: Zend Core on IBM i - Security Considerations

php.ini configuration

/usr/local/Zend/Core/etc/php.ini

Page 26: Zend Core on IBM i - Security Considerations

php.ini Settings

• safe_mode = On/Off
  – Zend Core default: safe_mode = Off
  – By enabling the safe_mode parameter, PHP scripts are able to access files only when their owner is the owner of the PHP scripts. This is one of the most important security mechanisms built into PHP. It effectively counteracts unauthorized attempts to access system files and adds many restrictions that make unauthorized access more difficult.

• safe_mode_gid = On/Off
  – Zend Core default: safe_mode_gid = Off
  – When safe_mode is turned on and safe_mode_gid is turned off, PHP scripts are able to access files not only when UIDs are the same, but also when the group of the owner of the PHP script is the same as the group of the owner of the file.

  – Utility concerns:
    • <?php echo shell_exec("PASE utility steal system"); ?>
    • <?php echo `system('call cmd steal from system')`; ?>

Page 27: Zend Core on IBM i - Security Considerations

php.ini Settings

• open_basedir = directory[:...]
  – Zend Core default: not active (comment only in php.ini)
  – When the open_basedir parameter is enabled, PHP will be able to access only those files which are placed in the specified directories (and subdirectories).

• safe_mode_exec_dir = directory[:...]
  – Zend Core default: safe_mode_exec_dir =
  – When safe_mode is turned on, system(), exec() and other functions that execute system programs will refuse to start those programs if they are not placed in the specified directory.

  – More utility concerns:
    • <?php echo $_POST['textFromEvilUseStealFromSystem']; ?>
    • Where HTML form data (textarea) was ...
      » $_POST['textFromEvilUseStealFromSystem'] = "shell_exec('system('do something bad')')";

Page 28: Zend Core on IBM i - Security Considerations

php.ini Settings

• display_errors = On/Off
  – Zend Core default: display_errors = Off
  – If the display_errors parameter is turned off, PHP errors and warnings are not displayed. Because such warnings often reveal precious information like path names, SQL queries etc., it is strongly recommended to turn this parameter off on production servers.

Do not turn display_errors On (default off); instead check /usr/local/Zend/Core/logs/php_error_log

Page 29: Zend Core on IBM i - Security Considerations

php.ini Settings

• log_errors = On
  – Zend Core default: log_errors = On
  – When log_errors is turned on, all the warnings and errors are logged into the file that is specified by the error_log parameter. If this file is not accessible, information about warnings and errors is logged by the Apache server.

• error_log = filename
  – Zend Core default: error_log = /usr/local/Zend/Core/logs/php_error_log
  – This parameter specifies the name of the file which will be used to store information about warnings and errors (attention: this file must be writeable by the user or group apache).

Do not turn display_errors On (default off); error_log = /usr/local/Zend/Core/logs/php_error_log

Page 30: Zend Core on IBM i - Security Considerations

php.ini Settings

• expose_php = On/Off
  – Zend Core default: expose_php = On
  – Turning off the "expose_php" parameter causes PHP not to disclose information about itself in HTTP headers that are sent to clients in responses to web requests.

PHP security by obscurity.

Page 31: Zend Core on IBM i - Security Considerations

php.ini Settings

• register_globals = On/Off
  – Zend Core default: register_globals = Off
  – When the register_globals parameter is turned on, all the EGPCS (Environment, GET, POST, Cookie and Server) variables are automatically registered as global variables. Because it can pose a serious security threat, it is strongly recommended to turn this parameter off (starting from PHP version 4.2.0, this parameter is turned off by default).

// need a "register" global variable? Register only the one you want, by name.
gpost('gvar');
$gvar = "Hi";
echo "$gvar {$_POST['gvar']} {$GLOBALS['gvar']}";
function gpost($var) {
  if (!array_key_exists($var, $_POST)) $_POST[$var] = '';
  $GLOBALS[$var] = &$_POST[$var];   // $gvar and $_POST['gvar'] now alias the same value
}

Page 32: Zend Core on IBM i - Security Considerations

PHP programming

/www/zendcore/htdocs/*

Page 33: Zend Core on IBM i - Security Considerations

Programming APIs

• i5_*() APIs
  – Connect
  – CMD call
  – PGM/SRVPGM call
  – SQL access
  – Native file access
  – Data areas / queues
  – User space
  – Print/Spool
  – Job logs
  – Active jobs
  – Object list

• db2_*() APIs
  – Connect
  – Results
  – Commit/Rollback
  – Fetch
  – Statement
  – Stored procedure call
  – Meta Data
    • Column
    • Table
    • Field
    • Info

Files or programs with PUBLIC *USE or *ALL: hackers will have an easier job!

Page 34: Zend Core on IBM i - Security Considerations

PHP general (information abounds)

• Most important rule: never trust user input
  – Always check user input from HTML forms
  – Always check input to SQL

• There are many sites that explain PHP security practices that you can read to “know your enemy”
  – http://www.ipbwiki.com/Practical_PHP_Programming:Security_concerns
  – php.ini settings (previous section)
  – Don't use PHP eval on user data
    • <?php eval($_POST['HackerDelight']); ?>
  – Don't allow user to specify PHP include names
    • http://myi.php
    • <?php include($_GET['include']); ?>
  – Don't use include names that can be read by URL (.inc, etc.)
    • https://myi5/secretstuff.inc
  – Don't allow user to SQL inject your database (db2 section)
    • db2_exec($conn, $_POST['...']); // where the POST data is “DropSchemaPayroll;...”
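The include and open_basedir points above, as an added example (not code from the deck or from Zend Core): a resolver that maps a user-chosen page name to a file through an allow-list and then a realpath() containment check, which is the application-level counterpart of open_basedir. The page names, file names and the temporary directory are constructed for the demonstration, and it needs PHP 7.1 or later.

```php
<?php
// Added example, not from the deck: a safe replacement for include($_GET['include']).
// Check 1: the request may only name an entry of this allow-list (constructed names).
// Check 2: the resolved file must stay under the pages directory (the open_basedir idea).

const PAGES = array(
    'home'    => 'home.inc.php',
    'account' => 'account.inc.php',
);

// Return the absolute path to include, or null when the request must be refused.
function resolvePage(string $requested, string $baseDir): ?string {
    if (!array_key_exists($requested, PAGES)) {
        return null;                       // not on the allow-list: "../x", absolute paths, .inc names
    }
    $base = realpath($baseDir);
    $file = realpath($baseDir . '/' . PAGES[$requested]);
    if ($base === false || $file === false) {
        return null;                       // directory or file does not exist
    }
    // realpath() has collapsed "..", "." and symlinks; insist the result is still under $base.
    if (strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

// Constructed demonstration: a temporary pages directory holding only home.inc.php.
$pagesDir = sys_get_temp_dir() . '/pages_' . uniqid();
mkdir($pagesDir, 0700);
file_put_contents("$pagesDir/home.inc.php", '<?php echo "home page\n";');

var_dump(resolvePage('home', $pagesDir) !== null);      // allow-listed and present
var_dump(resolvePage('../../etc/passwd', $pagesDir));   // refused: not on the allow-list
var_dump(resolvePage('account', $pagesDir));            // refused: listed, but the file is missing

// How a front controller uses it; on the CLI $_GET is empty, so 'home' is taken.
$page = resolvePage($_GET['page'] ?? 'home', $pagesDir);
if ($page === null) {
    http_response_code(404);
} else {
    include $page;
}

unlink("$pagesDir/home.inc.php");
rmdir($pagesDir);
```

The allow-list alone already refuses traversal strings; the realpath() check is kept as defence in depth for the case where the base directory or a listed file is later replaced by a symlink pointing outside the web tree.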

Page 35: Zend Core on IBM i - Security Considerations

Toolkit - i5_(p)connect()

• i5_pconnect(Server, User, Password [, array Options])
  – Server – “”, “localhost” or “127.0.0.1”
  – User – “” or “uid”
    • “” - NOBODY profile
  – Password – “” or “password”
  – Options –
    • I5_OPTIONS_PRIVATE_CONNECTION
• Return:
  – IBM i connection, or false on failure
• i5_pconnect(“”,””,””)
  – Fewer EASYCOM jobs

[Diagram: several HTTP:8000 Server jobs calling i5_pconnect(“”,””,””) share EASYCOM SRVPGM / PGM / CMD jobs; a connection opened with I5_OPTIONS_PRIVATE_CONNECTION gets its own (PRIVATE) EASYCOM job]

Use pconnect over connect: avoid start/stop job stress!

Page 36: Zend Core on IBM i - Security Considerations

ibm_db2 - db2_(p)connect()

• db2_pconnect(Database, User, Password [, array Options])
  – Database – “”, “*LOCAL”, “IASP”, “10.1.5.13”
  – User – “”, “NOBODY”, “SOMEUSER”
  – Password – “”, “PASSWORD”
• Return:
  – IBM i DB2 connection, or false on failure
• db2_pconnect(“”,””,””)
  • No QSQSRV jobs
• db2_pconnect(“*LOCAL”,”NOBODY”,””)
  • Shared QSQSRV jobs

[Diagram: HTTP:8000 Server jobs using db2_pconnect(“”,””,””) reach DB2 UDB directly; jobs using db2_pconnect(“*LOCAL”,”NOBODY”,””) go through shared QSQSRVR(NOBODY) jobs]

No “click” route, so do not commit across “clicks”!

Page 37: Zend Core on IBM i - Security Considerations

... no “click” has a consistent route (TOM i5 private)

[Diagram: Apache is “stateless”. Browser requests from FRED, TOM, JEN and LIZA arrive through myi:89 (HTTP:89 Server, Reverse Proxy, QTMHHTTP) or myi:8000 (HTTP:8000 Server, NOBODY/NOGROUP) and land on whichever worker is free, so the i5_pconnect(“localhost”,”uid”,”pwd”) EASYCOM jobs and db2_pconnect(“”,”uid”,”pwd”) QSQSRVR jobs for UID FRED, JEN and LIZA are reached by a different route on each click; only TOM's EASYCOM (private) connection stays pinned]

Page 38: Zend Core on IBM i - Security Considerations

Connect *.inc best intentions, terrible results ...

/www/zendcore/htdocs/iconnect.inc

<?php
function db2ConnPayroll() {
  return db2_pconnect("*LOCAL", "PAY", "RGFJ183G");
}
function i5ConnectCreditCards() {
  return i5_pconnect("localhost", "CREDIT", "FDRS453Y");
}
?>

• Browser http://myi:8000/iconnect.inc
  – Up pops the source code for iconnect.inc, because “*.inc” is just a file, not a PHP program
  – “You've been hacked!”
• Instead use ...
  – /www/zendcore/htdocs/iconnect.inc.php
• Also ... /www/zendcore/htdocs/*
  – PUBLIC *EXCLUDE

Page 39: Zend Core on IBM i - Security Considerations

Better connect Apache env vars ...

/usr/local/Zend/apache2/conf/httpd.conf
# Password PC should be encrypted (MCrypt)
SetEnv UC CREDIT
SetEnv PC FDRS453Y

/www/zendcore/htdocs/iconnect.inc.php
<?php
$cc = $_SERVER['UC'];
$pc = $_SERVER['PC'];
function i5ConnectCreditCards() {
  global $cc, $pc;
  return i5_pconnect("localhost", $cc, $pc);
}
?>

• /usr/local/Zend/apache2/conf/httpd.conf
  – VERY limited access and PUBLIC *EXCLUDE
  – Include conf/password.conf
• /www/zendcore/htdocs/iconnect.inc.php
  – For better security add encrypt / decrypt for $_SERVER['PC']
    • See PECL extension MCrypt
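The env-var approach on this slide, as an added example (not the deck's or Zend's code): the credentials still come from $_SERVER['UC'] and $_SERVER['PC'] as set by SetEnv, but the loader fails closed when either is missing, and the error path names the setting, never its value, so nothing secret reaches php_error_log or the browser. i5_pconnect() and i5_errormsg() are i5 toolkit functions and need the toolkit installed; the sample $_SERVER arrays are constructed.

```php
<?php
// Added example, not from the deck: load connection credentials from Apache SetEnv values.

// Fetch one required setting; an absent or empty value is an error, never a default.
function requiredEnv(array $server, string $name): string {
    if (!isset($server[$name]) || $server[$name] === '') {
        throw new RuntimeException("required setting $name is not set");   // names the key only
    }
    return $server[$name];
}

// Assemble the (server, user, password) triple for i5_pconnect() from the environment.
function creditCardsConnectArgs(array $server): array {
    return array('localhost', requiredEnv($server, 'UC'), requiredEnv($server, 'PC'));
}

// Connect, or return false after logging a message that contains no secret.
function i5ConnectCreditCards() {
    try {
        list($host, $user, $pass) = creditCardsConnectArgs($_SERVER);
    } catch (RuntimeException $e) {
        error_log('i5ConnectCreditCards: ' . $e->getMessage());
        return false;
    }
    $conn = i5_pconnect($host, $user, $pass);          // i5 toolkit call
    if ($conn === false) {
        // log the toolkit's error text with the user name only; the password is never logged
        error_log("i5ConnectCreditCards: connect as $user failed: " . i5_errormsg());
    }
    return $conn;
}

// Constructed stand-ins for $_SERVER, as Apache populates it from httpd.conf:
//   SetEnv UC CREDIT
//   SetEnv PC <password>
$complete = array('UC' => 'CREDIT', 'PC' => 'example-only-password');
$missing  = array('UC' => 'CREDIT');                   // PC left out, e.g. password.conf not included

list($host, $user, $pass) = creditCardsConnectArgs($complete);
echo "would connect to $host as $user with a ", strlen($pass), "-character password\n";

try {
    creditCardsConnectArgs($missing);
} catch (RuntimeException $e) {
    echo "refused: ", $e->getMessage(), "\n";          // message names PC, carries no value
}
```

Keeping the password.conf that holds the SetEnv lines at PUBLIC *EXCLUDE, as the slide says, is what actually protects the value; this code only makes sure a misconfiguration surfaces as a logged error instead of a silent connection as an empty user.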

Page 40: Zend Core on IBM i - Security Considerations

db2_pconnect and library list ...

$uid = $_SERVER['DB2UID'];
$pwd = $_SERVER['DB2PWD'];
$opt = array("i5_naming" => DB2_I5_NAMING_ON);
// who are you?
if (isset($_SESSION['bigwig'])) {
  $opt["i5_libl"] = "BIGDEAL LILDEAL";
} else {
  $opt["i5_libl"] = "LILDEAL";
}
$con = db2_pconnect("*LOCAL", $uid, $pwd, $opt);
// access the correct data
$result = db2_exec($con, "select * from accounts");

  – “i5_libl”=>”BIGDEAL LILDEAL”
    • call qsys2.qcmdexc('cmd',len)
    • CHGLIBL LIBL(BIGDEAL LILDEAL) CURLIB(BIGDEAL)
  – Query known based on $_SESSION['bigwig']

What if our script dies during a BIGDEAL library list query (or times out)? Hopefully, no other PHP script has “select * from accounts”.

Page 41: Zend Core on IBM i - Security Considerations

i5_pconnect and library list ...

$uid = $_SERVER['DB2UID'];
$pwd = $_SERVER['DB2PWD'];
$conn = i5_pconnect("localhost", $uid, $pwd);
if (isset($_SESSION['bigwig'])) {
  i5_command("chglibl", array("libl" => "BIGDEAL LILDEAL"), array(), $conn);
} else {
  i5_command("chglibl", array("libl" => "LILDEAL"), array(), $conn);
}

  – “libl”=>”BIGDEAL LILDEAL”
    • CHGLIBL
  – Query known based on $_SESSION['bigwig']

What if our script dies during a BIGDEAL library list query (or times out)? Hopefully, no other PHP script has “select * from accounts”.

Page 42: Zend Core on IBM i - Security Considerations

“i5_naming”=> choice/problem ...

for ($i = 1; $i < 21; $i++) {
  $modulus = $i % 2;
  if (!$modulus) {
    $opt = array("i5_naming" => DB2_I5_NAMING_ON, "i5_libl" => "BIGDEAL");
    $conn = db2_pconnect("*LOCAL", "DB2", "SECRET", $opt);
  } else {
    $opt = array("i5_naming" => DB2_I5_NAMING_OFF, "i5_lib" => "LILDEAL");
    $conn = db2_pconnect("*LOCAL", "DB2", "SECRET", $opt);
  }
}

• Do not attempt to mix naming in the same profile
  – "i5_naming"=>DB2_I5_NAMING_ON (lib/table)
  – "i5_naming"=>DB2_I5_NAMING_OFF (lib.table)
• Use separate profiles for each naming
  – db2_pconnect("*LOCAL", "DB2NATIVE", "SECRET", $opt);
  – db2_pconnect("*LOCAL", "DB2SQL", "SECRET", $opt);

Page 43: Zend Core on IBM i - Security Considerations

Use db2_prepare/db2_execute,(and i5_prepare/i5_execute)

// db2_exec is unsafe ...
$statement = "select email, password, access from eaccounts where email='{$_POST['email']}' and password='{$_POST['password']}'";
$stmt = db2_exec($conn, $statement);
// db2_prepare / db2_execute is safer ...
$userData = array($_POST['email'], $_POST['password']);
// parameter markers are written bare; a quoted '?' would be a literal string, not a marker
$statement = "select email, password, access from eaccounts where email=? and password=?";
$stmt = db2_prepare($conn, $statement);
$isok = db2_execute($stmt, $userData);
// db2_exec is hacked by "' or 1=1 --" and the first row returns (CTO's record)
$row = db2_fetch_array($stmt);

• Hacked by single-line comment delimiter (--).
  – $_POST['email'] = "' or 1=1 --";
  – $_POST['password'] = "";
  • select email, password, access from eaccounts where email='' or 1=1 --' and password=''
• Let DB2 do basic analysis on the ? parameter markers to help avoid SQL injection attack (i5_query has inject detect)
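The library-list worry on the two pages before this one and the parameter-marker fix on this page, as one added example (not the deck's or Zend's code). Because DB2 for i is not available offline, it uses PDO with an in-memory SQLite database and two attached databases standing in for the BIGDEAL and LILDEAL libraries; on IBM i the same shape maps to db2_prepare()/db2_execute() with the library named in the statement (BIGDEAL.EACCOUNTS) rather than taken from whatever library list a persistent QSQSRVR job last had. The schema allow-list, the table rows and the CTO/clerk accounts are constructed, and it needs PHP 7 with pdo_sqlite.

```php
<?php
// Added example, not from the deck: name the library explicitly (validated against an
// allow-list) and pass user input only through ? markers. SQLite via PDO stands in for DB2.

const ALLOWED_SCHEMAS = array('BIGDEAL', 'LILDEAL');   // constructed library names from the slides

// The schema is chosen from the session role, never taken from request data.
function schemaForRole(bool $bigwig): string {
    return $bigwig ? 'BIGDEAL' : 'LILDEAL';
}

// Build the statement with the schema qualified inline and every user value as a ? marker.
// Returns array(sql, params); the same pair feeds db2_prepare()/db2_execute() on IBM i.
function buildLoginQuery(string $schema, string $email, string $password): array {
    if (!in_array($schema, ALLOWED_SCHEMAS, true)) {
        throw new InvalidArgumentException("schema not allowed: $schema");
    }
    $sql = "select email, access from $schema.eaccounts where email = ? and password = ?";
    return array($sql, array($email, $password));
}

// The deck's unsafe form, kept only to compare the rows it returns.
function unsafeLoginQuery(string $schema, string $email, string $password): string {
    return "select email, access from $schema.eaccounts where email='$email' and password='$password'";
}

// Constructed data: two attached in-memory databases play the two libraries.
function sampleDatabase(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    foreach (ALLOWED_SCHEMAS as $schema) {
        $pdo->exec("attach database ':memory:' as $schema");
        $pdo->exec("create table $schema.eaccounts (email text, password text, access text)");
    }
    $pdo->exec("insert into BIGDEAL.eaccounts values ('cto@example.com', 'cto-secret', 'ALL')");
    $pdo->exec("insert into LILDEAL.eaccounts values ('clerk@example.com', 'clerk-secret', 'READ')");
    return $pdo;
}

function runUnsafe(PDO $pdo, string $schema, string $email, string $password): array {
    return $pdo->query(unsafeLoginQuery($schema, $email, $password))->fetchAll(PDO::FETCH_ASSOC);
}

function runPrepared(PDO $pdo, string $schema, string $email, string $password): array {
    list($sql, $params) = buildLoginQuery($schema, $email, $password);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = sampleDatabase();
$evilEmail = "' or 1=1 --";                            // the input quoted on the slide

// String-built SQL: the comment swallows the password test and the first row (the CTO) comes back.
$hacked = runUnsafe($pdo, 'BIGDEAL', $evilEmail, '');
// Marker-bound SQL: the same text is compared as a literal e-mail address and matches nothing.
$bound = runPrepared($pdo, 'BIGDEAL', $evilEmail, '');
printf("unsafe: %d row(s), first email %s\n", count($hacked), $hacked[0]['email'] ?? 'none');
printf("prepared: %d row(s)\n", count($bound));

// A clerk session is answered from LILDEAL whatever library list the job happens to carry.
$clerk = runPrepared($pdo, schemaForRole(false), 'clerk@example.com', 'clerk-secret');
printf("clerk access level: %s\n", $clerk[0]['access']);
```

Qualifying the library in the statement removes the dependency on job state that the "what if our script dies" question is about: a worker that inherits a stale BIGDEAL library list from a previous click still cannot answer a LILDEAL request from the wrong table, and the schema name is taken from the session role rather than from anything the browser sent.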

Page 44: Zend Core on IBM i - Security Considerations

Tip: PHP/DB2 with 65535

• Issue: PHP scripts getting “junk” back from their DB2 SQL queries. Root problem is often QCCSID setting 65535 (binary default from manufacturing)

• Change CCSID before starting Apache
  – 0) signon as QSECOFR
  – 1) go zendcore/zcmenu -> stop apache
  – 2) CHGJOB LANGID(ENU) CNTRYID(US) CCSID(37)
  – 3) go zendcore/zcmenu -> start apache

PHP/DB2 does not work well with the default 65535 (binary) CCSID setting. Most PHP applications experience what appears to be junk returning in SQL queries (VARCHAR, CHAR, etc.). Change your CCSID to something other than 65535 and restart the Zend Core Apache.

Page 45: Zend Core on IBM i - Security Considerations

Tip: DB2 – Schema (info) …

• On DB2 UDB for iSeries, a schema is used to group related database objects. A DB2 UDB for iSeries schema is actually a collection of DB2 objects and OS/400 objects. When the CREATE SCHEMA statement is executed, the following objects are created:
  – OS/400 library
  – OS/400 journal and journal receiver
  – DB2 views containing schema-wide catalog

• This collection of objects in the schema provides the container for storing related DB2 objects and the journal objects needed for enabling recovery of database changes to these DB2 objects.

Use schemas (libraries), created with the SQL statement CREATE SCHEMA over CRTLIB to enable journaling. The ibm_db2 commit APIs will not function without journal enabled in the schema (library). In addition, some ibm_db2 BLOB/CLOB scenarios require journal enabled.

Page 46: Zend Core on IBM i - Security Considerations

MySql quick management

• PhpMyAdmin – Manage MySql from the web
  – http://www.phpmyadmin.net/home_page/index.php
  – Privileges tab – users/access rights
  – Manage databases, tables, etc.

• MySql GUI tools (client / server)
  – Configurations: secure, tunnel, etc.
  – http://forums.mysql.com/read.php?30,249779,249779

• Directory
  – Zend
    • /usr/local/mysql
  – Upgrades 5.1 recommend
    • /QopenSys/usr/local

Page 47: Zend Core on IBM i - Security Considerations

Misc

• DB2 auditing
  – http://www.itjungle.com/fhg/fhg020806-story02.html
  – http://search400.techtarget.com/news/article/0,289142,sid3_gci1189820,00.html

• Tango/04

• PCI Apache PTFs
  – V5R4 - SF99114-20 SI35761, SI35762 Apache 2.0.63
  – V6R1 - SF99115-9 SI35767, SI35764, SI35768 Apache 2.2.11
  – Zend Core 2.6.1

Page 48: Zend Core on IBM i - Security Considerations

© IBM Corporation 1994-2006. All rights reserved.
References in this document to IBM products or services do not imply that IBM intends to make them available in every country.

The following terms are trademarks of International Business Machines Corporation in the United States, other countries, or both:

Rational is a trademark of International Business Machines Corporation and Rational Software Corporation in the United States, other countries, or both.
Intel, Intel Logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
Linux is a trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Other company, product or service names may be trademarks or service marks of others.

Information is provided "AS IS" without warranty of any kind.

All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer.

Information concerning non-IBM products was obtained from a supplier of these products, published announcement material, or other publicly available sources and does not constitute an endorsement of such products by IBM. Sources for non-IBM list prices and performance numbers are taken from publicly available information, including vendor announcements and vendor worldwide homepages. IBM has not tested these products and cannot confirm the accuracy of performance, capability, or any other claims related to non-IBM products. Questions on the capability of non-IBM products should be addressed to the supplier of those products.

All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. Contact your local IBM office or IBM authorized reseller for the full text of the specific Statement of Direction.

Some information addresses anticipated future capabilities. Such information is not intended as a definitive statement of a commitment to specific levels of performance, function or delivery schedules with respect to any future products. Such commitments are only made in IBM product announcements. The information is presented here to communicate IBM's current investment and development activities as a good faith effort to help with our customers' future planning.

Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput or performance improvements equivalent to the ratios stated here.

Trademarks and Disclaimers

Terms listed on the slide: ZendCore, iSeries, System i5, IBM (logo), eServer, OS/400, IBM, AS/400e, IBM i, e-business on demand, AS/400