zend core on ibm i - security considerations
DESCRIPTION
Talk by Tony Cairns, IBM, at ZendCon 2009TRANSCRIPT
Zend Core for IBM iSecurity Considerations
Tony “Ranger” Cairns
Developers are seeing PHP benefits but,managers are worried about PHP security.
What can we do?
Option 1) Guarantee system security
Step 1) Unplug system.
Step 2) Lock in a vault.
Option 2) Start a security journey where valuable information assets may be used by authorized people for authorized purposes ...
• Protect against outsiders– Would be web hackers– Bumbling user input
• Protect against insiders– Would be corporate criminals– Careless programmers
but if you believe security is a journey not a destination, this may help.
An hour security pitch is not your answer...
Zend Core
Step 1) Understand what we get out of the box.
HTTP:89Server
(Reverse Proxy)
IBM i
DB2 UDB
HTTP:8000Server
I5_COMD
*PGM,
*SRVPGM
PASE
PHPModule
IFS
/www
• RSTLICPGM
• 5250 start / stop zend subsystem
• Dual Apache configuration
• i5 toolkit for program access (i5_COMD)
• Multiple direct PHP DB2 access methods 5250 zend
subsystemadmin tools
What to protect in Zend Core for IBM i?
• Internal Access (PHP)– Directories (web dirs)
• /www/zendcore• /usr/local/Zend
– Stream files (web pages / scripts)• /www/zendcore/htdocs• /usr/local/Zend/apache2/htdocs
– Programs (web call)• /qsys.lib/zendcore.lib• Toolkit called programs (RPG)
– User profiles• Nobody, NoGroup, etc.
• External Access (Web)– ILE Apache
• /www/zendcore/conf• httpd.conf
– PASE Apache• /usr/local/Zend/apache2/conf• httpd.conf
– PHP configuration• /usr/local/Zend/Core/etc• php.ini
– PHP programs (asset on ramp)• db2_connect()• i5_connect()
Zend Core for IBM i installed profiles
• NOBODY (*USER)– PHP Apache server– Zend Core jobs (ZENDCOREAP)– Group = NOGROUP– Special authorities = *NONE
• NOGROUP (*USER)– Group profile– For access to NOBODY
resources, other profiles may add • Group = NOGROUP
• MYSQL (*PGMR)– Mysql profile– Optional install– Special authorities = *NONE
• ZENDADMIN (*SECOFR)– Start/stop jobs in ZEND
subsystem– Pseudo random generator (prngd)– GROUP = *NONE– *ALL special authorities
• ZENDTECH (*USER)– Update PHP configuration– GROUP = *NONE– Special authorities = *NONE
Zend Core
Zend Core for IBM i access rights ...
HTTP:89Server
(Reverse Proxy)
DB2 UDB
HTTP:8000Server
I5_COMD
*PGM, *SRVPGM
CMD, ...
PASE
PHPModule
IFS
/www/zendcore
/usr/local/Zend
5250 zend subsystemadmin tools
QTMHHTTP
ZENDADMINZENDTECH
NOBODYNOGROUP
Execute Rights
Access Rights
*PUBLIC EXCLUDE
/www/zendcore
• Default secure as of ZC 2.6.1 ...– Access control is no public access
• /www/zendcore/* (drwxrws--- 5 nobody)– PUBLIC *EXCLUDE– NOBODY *RWX – Note: NOGROUP *RWX
• /www– PUBLIC *RX
– PUBLIC is not allowed access to PHP scripts or other information• Add group profile NOGROUP to other user profiles for access
– QTMHHTTP– Group = NOGROUP
Protect your PHP applications from public view
/usr/local/Zend
• Default secure as of ZC 2.6.1 ...– Access control standard web
• /usr/local/Zend (drwxr-sr-x 5 qsecofr)– PUBLIC *RX– QSECOFR *RWX (who install)– Note: NOGROUP *RX
• /usr• /usr/local
– PUBLIC *RX
– Public is allowed access to PHP from command line or RPG program, etc.
• More secure ...– Access control only PHP web
• /usr/local/Zend (drwxr-s--- 5 qsecofr)– PUBLIC *EXCLUDE
• /usr• /usr/local
– PUBLIC *USE
– Public will not be able to call PHP from command line or RPG program
• Add group profile NOGROUP to other user profiles for access
– QTMHHTTP– Group = NOGROUP
Protect Zend Core web server, programs, configuration and files.
• Default secure as of ZC 2.6.1– PUBLIC *RX– ZENDADMIN *RWX
• More secure ...– PUBLIC *EXCLUDE
• Only PHP administrator can access programs (adopt QSECOFR)
Protect Zend Core product library programs.
ZENDCORE
Apache configuration
/www/zendcore/conf/httpd.conf/usr/local/Zend/apache2/conf/httpd.conf
Dual Apache ZC 2.6.1 (default)
• ILE Apache:89– Responds to any browser– Reverse proxy
• to PASE Apache:8000
– Configuration • http://myi:2001/HTTPAdmin->ZENDCORE
– https is available
• PASE Apache:8000– Responds to any browser– Also Reverse proxy via Apache:89– Configuration (edit only)
• http://myi:2001/HTTPAdmin->PASENEW• /usr/local/Zend/apache2/conf/• httpd.conf
– https is available
HTTP:89Server
(Reverse Proxy)
HTTP:8000Server
PHPModule
Browserhttp://myi:89
Browserhttp://myi:8000
Comparison of the Two HTTP Servers
Main function: run the PHP application and return result
Main function: reverse proxy server
Https available, but certificates using PASE openssl tools (unfamiliar i5 folks)
Https available
Edit only configure the server using the IBM GUI (no tabs)
Configure server instance using IBM Web Administration Tool
Server runs in IBM i PASEServer runs in IBM i
Server instance created and configured automatically when Zend Core product is installed
ZENDCORE instance created and configured automatically when Zend Core product is installed
UNIX-based open source serverZENDCORE server instance; using 5722DG1 product
Apache ServerIBM HTTP Server
Apache degrees of security, a matter of choice ...
• PASE Apache:8000 (default)• ILE Apache:89 (default)
– Reverse proxy to 8000
• ILE Apache:89 (edit)– Reverse proxy 8000– 8000 only responds localhost
• PASE SSL enabled– Using openssl
• ILE Apache SSL enabled– Reverse proxy to 8000– 8000 only responds localhost
• Multiple systems– DMZ reverse proxy
Lower security
Higher security
PASE Apache Server (default)
• Listens on port 8000– Only receives URL requests
that are sent to that port
• Allows any user to make these requests
• All data flowing between the IBM HTTP Server (Reverse Proxy) and the Apache server is not encrypted
• All data flowing on the network between client and server is public
HTTP:8000Server
Browserhttp://myi:8000
PHPModule
HTTP:89Server
(Reverse Proxy)
Lower security
httpd.conf:User nobodyGroup nogroup
IBM HTTP Server Reverse Proxy (default)
• Server instance name is: ZENDCORE
• Listens on port 89– Only receives URL requests
that are sent to that port
• Users are denied access if requesting any other directory/files/applications
• Forwards on those requests to the Apache Server 8000
• Allows any user to make requests
• All data flowing on the network between client and server is public
Browserhttp://myi:89
HTTP:89Server
(Reverse Proxy)
Lower security
HTTP:8000Server
PHPModule
httpd.conf:QTMHHTTP(default)
IBM HTTP Server Reverse Proxy (default)Modify PASE Apache for localhost (edit)
• Leave HTTP Server:89 as is– Leave reverse proxy
• Modify PASE Apache– Change:
• Allow from all
– To• Allow from 127.0.0.1
• 127.0.0.1 == localhost
Browserhttp://myi:89
HTTP:89Server
(Reverse Proxy)
HTTP:8000Server
PHPModule
More security
httpd.conf:Allow from 127.0.0.1(localhost)
PASE Apache 443 (https)(short “self certificate” tutorial)• Make certificate (self)
– call qp2term– cd /usr/local/Zend/apache2/conf– openssl req -x509 -nodes -days 365 -subj
'/C=US/ST=Minnesota/L=Rochester/CN=www.myi.com' -newkey rsa:4096 -keyout server.key -out server.crt
– Note: CN correct for your site
• Go zendcore/zcmenu– 7. Additional Apache options– 2. PASE Apache Control
• /usr/local/...• http_ssl.conf• S = Start (E = Stop)
• https://myi5– Get certificate (not perm)– Note https is port 443 (conflict?)
Browserhttps://myi
HTTP:8000Server
PHPModule
Higher security
Encrypted
httpd_ssl.conf:Include conf/ssl.confssl_conf:SSLCertificateFile/usr.../server.crtSSLCertificateKeyFile/usr.../server.key
IBM HTTP Server 443
• HTTP 443 documented procedure– Web GUI (2001 port)
• Copy the reverse proxy lines into your new 443 instance– ProxyPass / http://127.0.0.1:8000– ProxyPassReverse / http://127.0.0.1:8000
• Change PASE Apache• Allow from all
– To• Allow from 127.0.0.1
Browserhttps://myi
HTTP:443Server
(Reverse Proxy)
HTTP:8000Server
PHPModule
Encrypted
Higher security
httpd.conf:Allow from 127.0.0.1(localhost)
DMZ System
“Reverse Proxy” HTTP Server
• Improves performance– Can cache static documents in
memory– Can aid with balancing requests to
a set of HTTP servers
• Improves security– Can control access at the front door– Can keep server in DMZ separate
from internal network– Hides the content server
environment– Can log activity
HTTP:89Server
(Reverse Proxy)
HTTP:8000Server
PHPModule
DB2 UDB
I5_COMD
*PGM, *SRVPGM
CMD, ...
IFS
/www/zendcore
/usr/local/Zend
HTTP:80Server
(Reverse Proxy)
FIREWALL
Tip: PASE Apache prefork start/stop
• Good PASE Apache settings– <IfModule prefork.c>
• StartServers 5• MinSpareServers 5• MaxSpareServers 25• MaxClients 25• MaxRequestsPerChild 0
– </IfModule>
• Keep the same– StartServers == MinSpareServers– MaxSpareServers == MaxClients
• Leave as zero or very high count– MaxRequestsPerChild 0
• Never end worker job
HTTP:89Server
(Reverse Proxy)
HTTP:8000Server
HTTP:8000Server
HTTP:8000Server
HTTP:8000Server
HTTP:8000Server
HTTP:8000Server
Avoid PASE Apache bad prefork settings.The machine will prefork to “death”!
Tip: Apache “chroot”
• Apache security consultants may recommend chroot to a new directory that can not access other commands on the system.
• This approach is not recommended for PASE Apache– The qsys file system will no longer be accessible
• PHP interoperability with ILE becomes increasingly difficult
– The /QOpenSys file system contains PASE “shared binaries” used by Apache• Chroot below /QOpenSys may be the only way to run without “difficult” copy of
runtime for your PASE Apache engine
Apache chroot not recommended, (security to failure)!
php.ini configuration
/usr/local/Zend/Core/etc/php.ini
php.ini Settings
• safe_mode = On/Off– Zend Core default: safe_mode = Off– By enabling safe_mode parameter, PHP scripts are able to access files only
when their owner is the owner of the PHP scripts. This is one of the most important security mechanisms built into the PHP. Effectively counteracts unauthorized attempts to access system files and adds many restrictions that make unauthorized access more difficult.
• safe_mode_gid = On/Off– Zend Core default: safe_mode_gid = Off– When safe_mode is turned on and safe_mode_gid is turned off, PHP scripts
are able to access files not only when UIDs are the same, but also when the group of the owner of the PHP script is the same as the group of the owner of the file.
–Utility concerns:• <?php echo shell_exec(“PASE utility steal system”); ?>• <?php echo `system ('call cmd steal from system')`; ?>
php.ini Settings
• open_basedir = directory[:...]– Zend Core default: not active (comment only in php.ini)– When the open_basedir parameter is enabled, PHP will be able to access
only those files, which are placed in the specified directories (and subdirectories).
• safe_mode_exec_dir = directory[:...]– Zend Core default: safe_mode_exec_dir = – When safe_mode is turned on, system(), exec() and other functions that
execute system programs will refuse to start those programs, if they are not placed in the specified directory.
– More utility concerns:• <?php echo $_POST('textFromEvilUseStealFromSystem');?>
– Where HTML form data (textarea) was ...» $_POST('textFromEvilUseStealFromSystem') = » “shell_exec('system('do something bad')')”;
php.ini Settings
• display_errors = On/Off– Zend Core default: display_errors = Off– If the display_errors parameter is turned off, PHP errors and warnings are not
being displayed. Because such warnings often reveal precious information like path names, SQL queries etc., it is strongly recommended to turn this parameter off on production servers
Do not turn display_errors On (default off), insteadcheck /usr/local/Zend/Core/logs/php_error_log
php.ini Settings
• log_errors = On– Zend Core default: log_errors = On– When log_errors is turned on, all the warnings and errors are logged into the file
that is specified by the error_log parameter. If this file is not accessible, information about warnings and errors are logged by the Apache server.
• error_log = filename– Zend Core default: error_log = /usr/local/Zend/Core/logs/php_error_log– This parameter specifies the name of the file, which will be used to store
information about warnings and errors (attention: this file must be writeable by the user or group apache).
Do not turn display_errors On (default off), error_log = /usr/local/Zend/Core/logs/php_error_log
php.ini Settings
• expose_php = On/Off– Zend Core default: expose_php = On – Turning off the "expose_php" parameter causes that PHP will not disclose
information about itself in HTTP headers that are being sent to clients in responses to web requests.
PHP security by obscurity.
php.ini Settings
• .register_globals = On/Off– Zend Core default: register_globals = Off– When the register_globals parameter is turned on, all the EGPCS
(Environment, GET, POST, Cookie and Server) variables are automatically registered as global variables. Because it can pose a serious security threat, it is strongly recommended to turn this parameter off (starting from the PHP version 4.2.0, this parameter is turned off by default)
// need a "register" global variable?gpost();$gvar = "Hi";echo "$gvar {$_POST['gvar']} {$GLOBALS['gvar']}";function gpost($var) { if(!array_key_exists($var,$_POST)) $_POST[$var]=''; $GLOBALS[$var]=&$_POST[$var]; }
PHP programming
/www/zendcore/htdocs/*
Programming APIs
• i5_*() APIs– Connect– CMD call– PGM/SRVPGM call– SQL access– Native file access– Data areas / queues– User space– Print/Spool– Job logs– Active jobs– Object list
• db2_*() APIs– Connect– Results– Commit/Rollback– Fetch– Statement– Stored procedure call– Meta Data
• Column• Table• Field• Info
Files or programs with PUBLIC *USE or *ALL, hacker's will have an easier job!
PHP general (information abounds)
• Most important rule: never trust user input– Always check user input HTML forms– Always check input to SQL
• There are many sites that explain PHP security practices that you can read to “know your enemy”– http://www.ipbwiki.com/Practical_PHP_Programming:Security_concerns– php.ini settings (previous section)– Don't use PHP eval on user data
• <?php eval $_POST('HackerDelight'); ?>
– Don't allow user to specify PHP include names• http://myi.php”• <?php include($_GET['include']); ?>
– Don't use include names that can be read by URL (.inc, etc.)• https://myi5/secretstuff.inc
– Don't allow user to SQL inject your database (db2 section)• db2_exec($_POST(“DropSchemaPayroll;...”');
Toolkit - i5_(p)connect()
• i5_pconnect(Server, User, Password [, array Options])– Server – “”, “localhost” or “127.0.0.1”– User - “”, or “uid”
• “” - NOBODY profile
– Password - “” or “password”– Options –
• I5_OPTIONS_PRIVATE_CONNECTION
• Return:– IBM i connection – or false on failure
• i5_pconnect(“”,””,””)– Fewer EASYCOM jobs
EASYCOMSRVPGM
PGM / CMDHTTP:8000
Server
HTTP:8000Server
HTTP:8000Server
EASYCOMSRVPGM
PGM / CMDEASYCOMSRVPGM
PGM / CMD
i5_pconnect(“”,””,””)
EASYCOMSRVPGM
PGM / CMD(PRIVATE)Use pconnect over connect
avoid start/stop job stress!
ibm_db2 - db2_(p)connect()
• db2_pconnect(Database, User, Password [, array Options] )– Database - “”, “*LOCAL”,
• “IASP”, “10.1.5.13”
– User - • “”, “NOBODY”, “SOMEUSER”
– Password - “”, “PASSWORD”
• Return:– IBM i DB2 connection – or false on failure
• db2_pconnect(“”,””,””)• No QSQSRV jobs
• db2_pconnect(...,”*NOBODY,””)• Shared QSQSRV jobs
HTTP:8000Server
HTTP:8000Server
HTTP:8000Server
QSQSRVR(NOBODY)
QSQSRVR(NOBODY)
DB2 UDB
db2_pconnect(“”,””,””)
QSQSRVR(NOBODY)
db2_pconnect(“*LOCAL”,”NOBODY”,””)
No “click” route, so do not commit across “clicks”!
... no “click” has a consistent route (TOM i5 private)
HTTP:89Server
(Reverse Proxy)
HTTP:8000ServerHTTP:89
Server(Reverse Proxy)HTTP:89
Server(Reverse Proxy)
EASYCOMUID: FRED
QSQSRVRUID: FRED
EASYCOM(private)
QSQSRVRUID: TOM
EASYCOMUID: FRED
EASYCOMUID: FRED
QSQSRVRUID: FRED
DB2QSQSRVRUID: JEN
DB2 QSQSRVRUID: Liza
Browsermyi:89
Browsermyi:8000
Browsermyi:8000
Browsermyi:89
HTTP:8000Server
HTTP:8000Server
QTMHHTTP
NOBODYNOGROUP
UID: LIZA
UID: JEN
UID: TOM
UID: FRED
i5_pconnect(“localhost”,”uid”,”pwd”)
db2_pconnect(“”,”uid”,”pwd”)
Apache “stateless” ...
FREDTOMJENLIZA
Connect *.inc best intentions, terrible results ...
/www/zendcore/htdocs/iconnect.inc
<?phpfunction db2ConnPayroll() { return db2_pconnect(“*LOCAL”,”PAY”,”RGFJ183G”); }function i5ConnectCreditCards(){ return i5_pconnect(“localhost”,”CREDIT”,”FDRS453Y”); }?>
• Browser http://myi:8000/iconnect.inc – Up pops the source code for iconnect.inc, because “*.inc” is just a
file not a PHP program– “You've been hacked!”
• Instead use ...– /www/zendcore/htdocs/iconnect.inc.php
• Also ... /www/zendcore/htdocs/*– PUBLIC *EXCLUDE
Better connect Apache env vars .../usr/local/Zend/apache2/conf/httpd.conf# Password PC should be encrypted (MCrypt)SetEnv UC CREDITSetEnv PC FDRS453Y
/www/zendcore/htdocs/iconnect.inc.php<?php$cc= $_SERVER['UC']; $pc = $_SERVER['PC'];function i5ConnectCreditCards(){ global $cc,$pc; return i5_pconnect(“localhost”,$cc,$pc); }?>
• /usr/local/Zend/apache2/conf/httpd.conf– VERY limited access and PUBLIC *EXCLUDE– Include conf/password.conf
• /www/zendcore/htdocs/iconnect.inc.php– For better security add encrypt / decrypt for $_SERVER['PC']
• See PECL extension MCrypt
db2_pconnect and library list ...
$uid= $_SERVER['DB2UID']; $pwd = $_SERVER['DB2PWD'];$opt=array(“i5_naming”=>DB2_I5_NAMING_ON);// who are you?if (isset($_SESSION['bigwig'])) array_push($opt, array(“i5_libl”=>'BIGDEAL LILDEAL”));else array_push($opt, array(“i5_libl”=>”LILDEAL”));$con=db2_pconnect(“*LOCAL”,$uid,$pwd,$opt);// access the correct data$result = $db2_exec($con, “select * from accounts”);
– “i5_libl”=>”BIGDEAL LILDEAL”• call qsys2.qcmdexc('cmd',len)• CHGLIBL LIBL(BIGDEAL LILDEAL) CURLIB(BIGDEAL)
– Query known based on $_SESSION['bigwig']What if our script dies during a BIGDEAL library list
query (or times out)? Hopefully, no other PHP script has “select * from accounts”
i5_pconnect and library list ...
$uid= $_SERVER['DB2UID']; $pwd = $_SERVER['DB2PWD']; $conn = i5_pconnect("localhost", $uid, $pwd); if (isset($_SESSION['bigwig'])) { i5_command("chglibl",array("libl"=>"BIGDEAL LILDEAL"),array(),$conn); } else { i5_command("chglibl",array("libl"=>"LILDEAL"),array(),$conn); }
– “libl”=>”BIGDEAL LILDEAL”• CHGLIBL
– Query known based on $_SESSION['bigwig']What if our script dies during a BIGDEAL library list
query (or times out)? Hopefully, no other PHP script has “select * from accounts”
“i5_naming”=> choice/problem ...
for ($i=1;$i<21;$i++){ $modulus = $i % 2; if (!$modulus) { $opt=array("i5_naming"=>DB2_I5_NAMING_ON, "i5_libl"=>"BIGDEAL"); $conn = db2_pconnect("*LOCAL", "DB2", "SECRET", $opt); } else { $opt=array("i5_naming"=>DB2_I5_NAMING_OFF, "i5_lib"=>"LILDEAL"); $conn = db2_pconnect("*LOCAL", "DB2", "SECRET", $opt); }
• Do not attempt to mix naming in the same profile– "i5_naming"=>DB2_I5_NAMING_ON (lib/table)– "i5_naming"=>DB2_I5_NAMING_OFF (lib.table)
• Use separate profiles for each naming – db2_pconnect("*LOCAL", "DB2NATIVE", "SECRET", $opt);– db2_pconnect("*LOCAL", "DB2SQL", "SECRET", $opt);
Use db2_prepare/db2_execute,(and i5_prepare/i5_execute)
// db2_exec is unsafe ... $statement = "select email, password, access from eaccounts where email='{$_POST['email']}' and password='{$_POST['password']}'"; $stmt = db2_exec($conn, $statement);// db2_prepare / db2_execute is safer ... $userData = array($_POST['email'], $_POST['password']); $statement = "select email, password, access from eaccounts where email='?' and password='?'"; $stmt = db2_prepare($conn, $statement); $isok = db2_execute($stmt, $userData);// db2_exec is hacked by “' or 1=1 --” and the first row returns (CTO's record) $row = db2_fetch_array($stmt);
• Hacked by single-line comment delimiter (--).
– $_POST['email'] = "' or 1=1 --";– $_POST['password'] = "";
• select email, password, access from eaccounts where email='' or 1=1 --' and password=''
• Let DB2 do basic analysis on the ? parameter markers to help avoid SQL injection attack (i5_query has inject detect)
Tip: PHP/DB2 with 65535
• Issue: PHP scripts getting “junk” back from their DB2 SQL queries. Root problem is often QCCSID setting 65535 (binary default from manufacturing)
• Change CCSID before starting Apache– 0) signon as QSECOFR– 1) go zendcore/zcmenu -> stop apache– 2) CHGJOB LANGID(ENU) CNTRYID(US) CCSID(37)– 3) go zendcore/zcmenu -> start apache
PHP/DB2 does not work well with the default 65535 (binary) CCSID setting. Most PHP applications experience what appears to be junk returning in SQL queries (VARCHAR, CHAR, etc.). Change your CCSID to something other than 65535 and restart the Zend Core Apache.
Tip: DB2 – Schema (info) …
• On DB2 UDB for iSeries, a schema is used to group related database objects. A DB2 UDB for iSeries schema is actually a collection of DB2 objects and OS/400 objects. When the CREATE SCHEMA statement is executed, the following objects are created:– OS/400 library– OS/400 journal and journal receiver– DB2 views containing schema-wide catalog
• This collection of objects in the schema provides the container for storing related DB2 objects and the journal objects needed for enabling recovery of database changes to these DB2 objects.
Use schemas (libraries), created with the SQL statement CREATE SCHEMA over CRTLIB to enable journaling. The ibm_db2 commit APIs will not function without journal enabled in the schema (library). In addition, some ibm_db2 BLOB/CLOB scenarios require journal enabled.
MySql quick management
• PhpMyAdmin – Manage MySql from the web– http://www.phpmyadmin.net/home_page/index.php
• Privileges tab– users/access rights
• Manage databases, tables, etc.
• MySql GUI tools client / server)– Configurations secure, tunnel, etc.
• http://forums.mysql.com/read.php?30,249779,249779
• Directory– Zend
• /usr/local/mysql
– Upgrades 5.1 recommend • /QopenSys/usr/local
Misc
• DB2 auditing– http://www.itjungle.com/fhg/fhg020806-story02.html– http://search400.techtarget.com/news/article/0,289142,sid3_gci1189820,00.html
• Tango/04
• PCI Apache PTFs– V5R4 - SF99114-20 SI35761, SI35762 Apache 2.0.63– V6R1 - SF99115-9 SI35767, SI35764, SI35768 Apache 2.2.11– Zend Core 2.6.1
8 IBM Corporation 1994-2006. All rights reserved.References in this document to IBM products or services do not imply that IBM intends to make them available in every country.
The following terms are trademarks of International Business Machines Corporation in the United States, other countries, or both:
Rational is a trademark of International Business Machines Corporation and Rational Software Corporation in the United States, other countries, or both.Intel, Intel Logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.Linux is a trademark of Linus Torvalds in the United States, other countries, or both.Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.UNIX is a registered trademark of The Open Group in the United States and other countries.Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.Other company, product or service names may be trademarks or service marks of others.
Information is provided "AS IS" without warranty of any kind.
All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer.
Information concerning non-IBM products was obtained from a supplier of these products, published announcement material, or other publicly available sources and does not constitute an endorsement of such products by IBM. Sources for non-IBM list prices and performance numbers are taken from publicly available information, including vendor announcements and vendor worldwide homepages. IBM has not tested these products and cannot confirm the accuracy of performance, capability, or any other claims related to non-IBM products. Questions on the capability of non-IBM products should be addressed to the supplier of those products.
All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. Contact your local IBM office or IBM authorized reseller for the full text of the specific Statement of Direction.
Some information addresses anticipated future capabilities. Such information is not intended as a definitive statement of a commitment to specific levels of performance, function or delivery schedules with respect to any future products. Such commitments are only made in IBM product announcements. The information is presented here to communicate IBM's current investment and development activities as a good faith effort to help with our customers' future planning.
Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput or performance improvements equivalent to the ratios stated here.
Trademarks and Disclaimers
ZendCoreiSeries
System i5IBM (logo)eServer
OS/400IBMAS/400e
IBM ie-business on demandAS/400