Skip Headers
Oracle® iPlanet Web Server Release Notes
Release 7.0.19

E18789-13
Go to Table of Contents
Contents
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
View PDF

3 Product Documentation

The Oracle iPlanet Web Server 7.0 documentation is provided in the following formats:

Oracle iPlanet Web Server 7.0.9 is the last release for which the entire documentation set for 7.0 was updated. Subsequent to the 7.0.9 release, updates and corrections to Oracle iPlanet Web Server 7.0 documentation are provided in this Release Notes document; see Section 3.2, "Documentation Corrections, Enhancements, and Issues Resolved."

This chapter contains the following sections:

3.1 Web Server Documentation Set

The Web Server documentation set describes how to install and administer the Web Server.

For an introduction to Web Server, refer to the books in the order in which they are listed in Table 3-1.

Table 3-1 Web Server Documentation

Document Title Contents

Oracle iPlanet Web Server Release Notes (this document)

  • Late-breaking information about the software and documentation

  • Supported platforms and patch requirements for installing Web Server

Oracle iPlanet Web Server Installation and Migration Guide

Performing installation and migration tasks:

  • Installing Web Server and its various components

  • Migrating data from Sun ONE Web Server 6.0 or Sun Java System Web Server 6.1 to Oracle iPlanet Web Server 7.0

Oracle iPlanet Web Server Administrator's Guide

Performing the following administration tasks:

  • Using the Administration and command-line interfaces

  • Configuring server preferences

  • Using server instances

  • Monitoring and logging server activity

  • Using certificates and public key cryptography to secure the server

  • Configuring access control to secure the server

  • Using Java Platform, Enterprise Edition (Java EE) security features

  • Deploying applications

  • Managing virtual servers

  • Defining server workload and sizing the system to meet performance requirements

  • Searching the contents and attributes of server documents, and creating a text search interface

  • Configuring the server for content compression

  • Configuring the server for web publishing and content authoring using WebDAV

Oracle iPlanet Web Server Troubleshooting Guide

Using programming technologies and APIs to do the following:

  • Extending and modifying Web Server

  • Dynamically generating content in response to client requests and modifying the content of the server

Oracle iPlanet Web Server NSAPI Developer's Guide

Creating custom Netscape Server Application Programmer's Interface (NSAPI) plug-ins

Oracle iPlanet Web Server Developer's Guide for Java Web Applications

Implementing Java Servlets and JavaServer Pages (JSP) technology in Web Server

Oracle iPlanet Web Server Administrator's Configuration File Reference

Editing configuration files

Oracle iPlanet Web Server Performance Tuning, Sizing, and Scaling Guide

Tuning Web Server to optimize performance

Oracle iPlanet Web Server Command-Line Reference

Administration commands that allow you to administer Web Server through the CLI


3.2 Documentation Corrections, Enhancements, and Issues Resolved

The following table lists the corrections and enhancements to the Oracle iPlanet Web Server 7.0.9 documentation, and documentation issues resolved.

Issue ID Description

6932016

How to work around the Verisign EV cert chain issue with a new built-in CA root.

See Section 2.5.

6965828

Clustered instances must be synchronized before accepting a request after restarting.

See Section 3.2.4.

6968560

Document how to upgrade a certificate chain.

See Section 3.2.1.

6971148

Change security context for JDK libraries on SELinux.

See Appendix B.

6977258

CR6611067 in WS7.0 release notes not correct.

See Appendix B.

6977268

All request header names are returned as lowercase.

See Section 2.2.

6989578

Incorrect reference to remove SUNWlxml package from the system in 7.0 release notes.

See Section 1.3.5.1.1.

6989830

Link to "Supported Virtualization Technologies with Oracle Fusion Middleware" is not correct.

See Section 1.3.4.

6991930

GDD document has multiple typos in the "Hung or Unresponsive" chapter.

See Section 3.2.2.

6993379

Java ES installation and upgrade notes need a correction.

See Section 1.4.

6993705

Timeout parameter should be described in the http-client-config table list.

See Section 3.2.5.

6994415

%duration% measured in milliseconds in Red Hat Linux (doc mentions microseconds).

See Section 3.2.3.

6996370

Web Server 7.0 startup error when obj.conf has valid <If> fn="rewrite" <Else> inside.

See Section 2.2.

7022621

JDK versions supported for WS7

See Section 1.3.3.

12306447

Docs need to provide information on how to protect a resource.

See Section 3.2.11.

12777290

Doc has the incorrect -d "com.iplanet.ias.server.logging.serverlogmanager".

See Section 3.2.12.

12989862

Fix request for 6932016 should add info regarding 7003615.

See problem ID 6932016 in Table 2-5.

13011275

Add minimum required memory and minimum recommended disk space to release notes.

See Section 1.3.2.

13540300

Doc bug regarding default value of keep-alive threads.

See Section 3.2.13.

13560430

Description of limit queue length not correct.

See Section 3.2.14.

13889880

7.0.13 patch causes problems with F5-BigIP.

See Section 3.2.15.

14512832

Search collections does not support PDF 9.0.

See Section 3.2.16.

12068601

Information about the htpasswd command.

See Section 3.2.17.

14469503

Create .noStartOnBoot file to control autostart.

See Section 3.2.18.

14664654

The information about the parameter max-procs is no longer valid.

See Section 3.2.19.

16576024

The button to copy the configuration is called Dupliacte not Copy.

See Section 3.2.20

16589719

Information about the sticky cookie parameter.

See Section 3.2.21

16758897

Unable to create an ACL based on the incoming referrer header.

See Section 3.2.22


3.2.1 Updating a Certificate Chain

The information in the section "Installing a Certificate Chain" in Oracle iPlanet Web Server 7.0.9 Administrator's Guide is applicable to updating certification chains as well. So the title of the section should be "Installing or Updating a Certificate Chain".

3.2.2 Corrections to the Procedure for Gathering Debug Data on a Hung or Unresponsive Web Server Process

The Sun Gathering Debug Data for Sun Java System Web Server technical note contains errors in "To Gather Debug Data on a Hung or Unresponsive Web Server Process", specifically in Step 5 of the procedure.

The following is the corrected Step 5.

5. Run the following commands and save the output.

Solaris:

    ps -ef | grep server-root
    vmstat 5 5
    iostat [ -t ] [ interval [ count ] ]
    top
    uptime

HP-UX:

    ps -ef |grep server-root
    vmstat 5 5
    iostat [ -t ] [ interval [ count ] ]
    top
    sar

Linux:

    ps -aux | grep server-root
    vmstat 5 5
    top
    uptime
    sar

Windows:

  1. Obtain the WEB process PID:

    C:\windbg-root>tlist.exe
    
  2. Obtain the process details of the WEB running process PID:

    C:\windbg-root>tlist.exe web-pid
    

3.2.3 Clarification About Unit of Time Used for the%duration% Log Parameter

According to Appendix C "Using the Custom Log File Format" of Oracle iPlanet Web Server 7.0.9 Administrator's Configuration File Reference, the %duration% log parameter indicates the time Web Server spent handling the request in microseconds.

Note the following clarification:

  • On Solaris and AIX, Web Server calculates and records the time in microseconds.

  • However, on Windows, HP-UX, and Linux, Web Server calculates the time in milliseconds and records it in microseconds.

3.2.4 Additional Information About Configuring a Web Application for Session Replication

The "Configuring a Web Application for Session Replication" section of Oracle iPlanet Web Server 7.0.9 Administrator's Guide describes the procedure to enable the server to replicate sessions.

The first step in the procedure is to modify the session-manager element in the sun-web.xml configuration file. When doing so, you must, in addition, set the reapIntervalSeconds property to 1 second, as shown in the following example:

<sun-web-app>
   <session-config>
      <session-manager persistence-type="replicated">
         <manager-properties>
            <property name="reapIntervalSeconds" value="1"/>
         </manager-properties>
      </session-manager>
   </session-config>
</sun-web-app>

Setting reapIntervalSeconds to 1 second ensures that session data is not missed during session failover; that is, clustered instances are synchronized after restarting before new requests are accepted.

For more information about reapIntervalSeconds, see "manager-properties Element" in Oracle iPlanet Web Server 7.0.9 Developer's Guide to Java Web Applications.

3.2.5 Information About timeout Parameter of http-client-config

Table 7–60 "http-client-config Parameters" of Oracle iPlanet Web Server 7.0.9 Administrator's Configuration File Reference does not list the timeout parameter, which can be used to configure the Web Server to time out after a specified duration.

The timeout parameter can be configured by using the http-client-config ObjectType function in obj.conf as follows:

ObjectType fn="http-client-config" timeout="value"

This configuration parameter instructs the reverse proxy to close the connection to the origin server if the origin server does not respond to a request within the specified timeout period. Note that this parameter does not signify that the request has to be completed within the timeout period.

The default value of the timeout parameter is 300 seconds.

For more information about reverse proxy configuration, see http://docs.oracle.com/cd/E19146-01/821-1828/ghquv/index.html.

3.2.6 Introducing exclude-escape-chars Parameter in http-client-config

Oracle iPlanet Web Server escapes many characters. The exclude-escape-chars parameter can be used to avoid escaping specific characters such as, % & " < > \r \n + * '

The exclude-escape-chars parameter can be configured by using the http-client-config ObjectType function in obj.conf as follows:

ObjectType fn="http-client-config" exclude-escape-chars="+%"

3.2.7 PID File Disappears in Red Hat Linux

The PID file disappears in the Red Hat Linux operating system and the sever cannot be stopped. To overcome this situation, change the temp-path value in the server.xml file to a location where the server user has exclusive rights, as shown in the following example:

<temp-path>/var/tmp/https-test-73d21d24</temp-path>

Another option to resolve this situation is to exclude the temp-directory in the tmpwatch program.

3.2.8 Token Name

The token name that is used for password-file option in wadm CLI must be in small letters, as shown in the following example.

wadm_internal

3.2.9 Using SMF on Solaris 10

It is recommended that if you choose to use SMF to control the administration server, you must make sure that you have to use SMF for managing all other instances as well. This will enable all instances to be controlled independently.

3.2.10 Problem with set-cookie Header

Starting from the 7.0.9 release, the set-cookie header value is being appended by ;HttpOnly due to a security reason. However, if you do not wish to append ;HttpOnly to the set-cookie header, use the following process:

Set the httponly-session-cookie property of the servlet-container element in server.xml configuration file to false:

A new property named httponly-session-cookie has been added to servlet-container element of the server.xml configuration file. By default, this property is true and ;HttpOnly will be appended to set-cookie header. When this flag is set to false, ;HttpOnly is not appended. You can set this property by using the set-servlet-container-prop CLI command or the Servlet Container page of the administration console.

3.2.11 Information About Securing a URI Using an Authentication Database

Chapter 8 "Managing Users and Groups" in the Oracle iPlanet Web Server 7.0.9 Administrator's Guide describes how to create authentication databases and how to create users and groups. However, it does not describe how to use an authentication database to secure a URI.

To secure a URI (say /docs) by using an authentication database (say authdb_docs), create an ACL for the configuration, or for a virtual server, with /docs as the URI and authdb_docs as the authentication database, as described in http://docs.oracle.com/cd/E19146-01/821-1828/gczyo/index.html.

3.2.12 Correction to JVM Option Example

In the section "Adding a JVM Option" of the Oracle iPlanet Web Server 7.0.9 Administrator's Guide, the following JVM option that is provided as an example is incorrect:

-Djava.util.logging.manager=com.iplanet.ias.server.logging.ServerLogManager

The correct option is the following:

-Djava.util.logging.manager=com.sun.webserver.logging.ServerLogManager

3.2.13 Correction to Default Number of Keep-Alive Threads

The Oracle iPlanet Web Server 7.0.9 Administrator's Configuration File Reference shows the default value of the number of keep-alive threads as 1. That value is not correct.

The default value of the number of keep-alive threads is set to the number of processors in the system.

3.2.14 Clarification About the Limit Queue Length Shown in the perfdump Report

The Oracle iPlanet Web Server 7.0.9 Performance Tuning, Sizing, and Scaling Guide describes the Limit Queue Length parameter shown in the perfdump report, incorrectly, as "maximum size of the connection queue".

Note that Limit Queue Length is the limit on the maximum number of connections queued. This limit depends on the availability of file descriptors.

3.2.15 TLS Communication Through Certain Load Balancers Breaks in 7.0.13 and Later Releases

When you use certain load balancers, like F5 Networks' BIG-IP, to distribute client requests to Oracle iPlanet Web Server 7.0.13 (and later releases), TLS communication using CBC ciphers (such as TLS_RSA_WITH_AES_256_CBC_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA) breaks. BIG-IP and, possibly, other load balancers are unable to forward responses from the Oracle iPlanet Web Server instances to the clients.

The NSS version included in Oracle iPlanet Web Server release 7.0.13 (and later) implements split data packets. BIG-IP and some other load balancers might not be able to handle split data packets.

Workaround

Caution:

This workaround removes the fix introduced in release 7.0.13 for the CVE-2011-3389 security vulnerability.

  1. Stop the server.

  2. In the startserv script, set the environment variable NSS_SSL_CBC_RANDOM_IV to 0.

    The startserv script is located in the instance_dir/bin directory. On Windows, for example, add the following line in the startserv script:

    set NSS_SSL_CBC_RANDOM_IV=0
    
  3. Start the server.

3.2.16 Search Collections Does Not Support PDF 9.0

A search collection indexes and stores information about documents (.html,.htm,.txt and.PDF)on the server. Once the server administrator indexes all or some of a server's documents, information such as title, creation date, and author is available for searching.

Note that PDF documents of version 9.0 or later versions are not supported for search collections.

For more information, see the Oracle iPlanet Web Server 7.0.9 Administrator's Guide.

3.2.17 Information about the htpasswd Command

The htpasswd command is used to generate or modify a password file suitable for use with the htaccess access control mechanism.

The htpasswd usage is as follows:

htpasswd [-c] passwordfile username [password]

In this command, -c creates a new passwordfile (overwriting an old one if it exists). Without -c, the command modifies the existing file by either updating the user's password (if user already exists) or adding a new user with the given name. If the optional password argument is not specified, the command prompts interactively for the password.

Note:

htaccess is not the preferred access control mechanism in Web Server. Wherever possible, use ACLs instead.

3.2.18 Create .noStartOnBoot File to Control Autostart

By default, the scripts that are created, as described in the Oracle iPlanet Web Server 7.0.9 Installation and Migration Guide, will start up all web server instances.

You can control the automatic starting of a specific web server instance, by creating the file .noStartOnBoot under the root directory of that instance.

3.2.19 Invalid Information About the Parameter max-procs

The FastCGI section of Oracle iPlanet Web Server 7.0.9 Administrator's Guide contains information about the parameter max-procs:

This parameter is not valid. The information about the max-procs parameter should be ignored.

3.2.20 The Button to Copy the Configuration is called Duplicate not Copy

According to the section, "Resolving Service ID Conflicts on Windows" of the Oracle iPlanet Web Server 7.0.9 Installation and Migration Guide, the Copy button on the Admin Console Configurations page can be used to copy the configuration.

Note that the name of the button is Duplicate not Copy.

3.2.21 Information on the Sticky Cookie Parameter

The section "Configuring Reverse Proxy in Web Server" of the Oracle iPlanet Web Server 7.0.9 Migration Guide , contains information about the reverse proxy configuration. The following is the additional information on the sticky cookie parameter:

  • When you are configuring the sticky load balancing, you must correctly identify the name of the session cookie as used by the backend server, and use the same as the value to the sticky-cookie parameter to the set-origin-server SAF. The default value of sticky-cookie is JSESSIONID. If the backend server is using a different sticky cookie name, the sticky-cookie parameter value should be set accordingly and not use the default name.

  • An irregular HTTP response from a backend server can force the Route subsystem to assume the backend to have gone 'bad' and mark the it as offline. For example, a backend server sending a response with a mismatching content-length. In such a case the sticky cookie load balancing can break.

3.2.22 Unable to Create an ACL Based on the Incoming Referrer Header

According to the section "To Create an ACL" of the Oracle iPlanet Web Server 7.0.9 Developer's Guide, it is possible to create an ACL based on the 'Referer' header in the incoming request.

Note:

The header is called Referrer and not Referer.

When an ACL is configured within the Web Server to use the 'Referrer' header in the incoming request, the request fails and you get the following error message:

09/Jan/2013:08:32:55] security (18472): for host 1.2.3.4 trying to GET /index.html, acl-state reports: HTTP5187: access of/prods/web/709/https-referer_acl/docs/index.html denied because evaluation ofACL uri=/index.html directive 2 failed

Workaround:

The functionality to use the 'Referrer' header in an incoming request in the processing of an ACL is not built into the core functionality of the Web Server. The functionality is provided in one of the sample plugins that ship with the product:

For example, for Oracle iPlanet Web Server 7.0: /<server_root>/samples/nsacl.

With Oracle iPlanet Web Server 7.0, the samples are not installed by default. They have to be manually selected during the installation of the product. Do the following to install the NSAPI sample plugin:

  1. Build the NSAPI sample plugin nsacl. The environment must be setup with a compiler in the following path:

    1. cd /<server_root>/samples/nsacl

    2. gmake

  2. To install the sample plugin in the Web Server, do the following:

    1. Edit the magnus.conf file to include:

      Init fn="load-modules" shlib="/prods/web/709/samples/nsacl/example.so"

      funcs="las_ref_init"

      Init fn="acl-register-module" module="lasref" func="las_ref_init".

    2. Deploy the manual changes.

    3. Restart the Web Server.

  3. Create the ACL entry.

    1. To edit either the default.acl file or the acl file for the relevant virtual server, do the following:

      acl "uri=/index.html";
      authenticate (user,group)
      {database = "keyfile";
      method = "basic"; };
      deny (all)
      user = "anyone";
      allow (all)
      referrer = "test";
      
    2. Deploy the manual changes.

    3. Restart the Web Server

Note:

On Oracle iPlanet Web Server 7.0.16 and earlier versions, the lasref.c file needs to be edited with the following change:

Change line 75 from

rq->request_is_cacheable &= ~NSAPICacheAccelSafe;

To

rq->request_is_cacheable = 0;

This issue has been addressed in Oracle iPlanet Web Server 7.0.17.

3.3 Documentation, Support, and Training

The Oracle web site provides information about the following additional resources: