Oracle iPlanet Web Server 7.0.9 Release Notes

Features and Enhancements in 7.0 Update 7

Web Server 7.0 Update 7 introduces Kerberos/SPNEGO support through a new ACL authentication method, gssapi, which authenticates against a Kerberos user repository. A matching auth-db of type kerberos is provided for use with the gssapi authentication method.

For more information on configuring Kerberos authentication, see Working With the Authentication Database in the Oracle iPlanet Web Server 7.0.9 Administrator's Guide.


Note –

A Kerberos-enabled Web Server on Solaris has been tested with clients such as IE on Windows 2003 and Firefox on RHEL 5.3.


Web Server 7.0 Update 7 supports Windows 2008 SP2 32-bit (x86) Enterprise Edition.

Web Server 7.0 Update 7 is bundled with JDK 6. The performance of the Administration Server is improved.

Web Server 7.0 Update 7 integrates a new Xerces C++ patch that fixes the vulnerability described at http://www.cert.fi/en/reports/2009/vulnerability2009085.html.


Note –

Web Server 7.0 Update 7 resolves a regression in LDAP authentication (6888100) accidentally introduced in Update 6. All customers using LDAP authentication are encouraged to upgrade to Update 7.


Deprecated Platforms


Note –

The Solaris 8 and Windows 2000 platforms are deprecated and will not be supported from Web Server 7.0 Update 9 onwards.


SSL/TLS Vulnerability Fix (CVE-2009-3555)

Web Server 7.0 Update 7 is upgraded to include NSS 3.12.5, which provides relief for the SSL/TLS renegotiation vulnerability: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555

This vulnerability is a flaw in the SSL/TLS renegotiation protocol definition itself, not a bug in the Web Server implementation, so there is no implementation-level fix for it. The only workaround is to disable renegotiation entirely in order to protect the Web Server from attack.

Therefore, Web Server 7.0 Update 7 disables all use of SSL/TLS renegotiation. If either the client or the Web Server attempts to trigger renegotiation on an existing SSL/TLS session, the connection fails.

Typically, renegotiation was used to obtain a client certificate some time after the SSL/TLS connection was first established. Web applications that attempt to obtain a client certificate in this way will now fail.

Obtaining a client certificate during the initial connection handshake continues to work correctly. Configure this mode by setting the client-auth element to 'required' in server.xml:


<http-listener>
   <ssl>
      <client-auth>required</client-auth>
   </ssl>
</http-listener>

A future update of Web Server 7 will implement a safe renegotiation protocol as soon as the IETF finalizes the design of the new protocol enhancement. It is possible to re-enable the vulnerable SSL/TLS renegotiation capability by setting the environment variable NSS_SSL_ENABLE_RENEGOTIATION=1. This mode is known to be vulnerable to attack as described in CVE-2009-3555.
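The two settings this section describes (the client-auth element of each SSL listener in server.xml, and the NSS_SSL_ENABLE_RENEGOTIATION opt-out) are easy to audit mechanically. The following script is an added example, not Oracle's code or anything shipped with the product: it reads a server.xml, reports every SSL-enabled listener whose client-auth is not 'required', and checks whether the vulnerable renegotiation path has been switched back on through the environment. It assumes the element layout shown above; the <name>, <port> and <enabled> children and the value 'false' for client-auth are assumptions used only to make the constructed sample realistic.

```python
"""Audit server.xml listeners against the renegotiation change in Update 7.

Added example (not Oracle's code).  It assumes the server.xml shape shown in
the release note: <http-listener> elements with an <ssl> child that holds
<client-auth>.  The <name>, <port> and <enabled> children, and the value
'false' for client-auth, are assumptions used only to make the sample
realistic.
"""
import os
import xml.etree.ElementTree as ET

# Constructed sample server.xml; not taken from any real installation.
SAMPLE_SERVER_XML = """<server>
  <http-listener>
    <name>http-listener-1</name>
    <port>80</port>
  </http-listener>
  <http-listener>
    <name>http-listener-ssl</name>
    <port>443</port>
    <ssl>
      <enabled>true</enabled>
      <client-auth>false</client-auth>
    </ssl>
  </http-listener>
  <http-listener>
    <name>http-listener-mtls</name>
    <port>8443</port>
    <ssl>
      <enabled>true</enabled>
      <client-auth>required</client-auth>
    </ssl>
  </http-listener>
</server>
"""


def audit_listeners(xml_text):
    """Return {listener name: finding} for every listener with SSL enabled.

    'required' is the only client-auth mode the release note documents as
    still working, because the certificate is requested in the initial
    handshake; anything else is flagged for review, since obtaining the
    certificate later would need the renegotiation Update 7 now refuses.
    """
    root = ET.fromstring(xml_text)
    findings = {}
    for listener in root.iter("http-listener"):
        name = listener.findtext("name", default="(unnamed)")
        ssl = listener.find("ssl")
        if ssl is None:
            continue  # plain HTTP listener: renegotiation does not apply
        enabled = (ssl.findtext("enabled") or "true").strip().lower()
        if enabled == "false":
            continue
        client_auth = (ssl.findtext("client-auth") or "false").strip().lower()
        if client_auth == "required":
            findings[name] = "ok: client certificate requested in the initial handshake"
        else:
            findings[name] = ("review: client-auth=%s; a client certificate obtained "
                              "after the handshake needs renegotiation, which is now "
                              "rejected" % client_auth)
    return findings


def renegotiation_reenabled(environ=None):
    """True when NSS_SSL_ENABLE_RENEGOTIATION=1 has switched the vulnerable
    renegotiation path back on (the opt-out the release note describes)."""
    env = os.environ if environ is None else environ
    return env.get("NSS_SSL_ENABLE_RENEGOTIATION") == "1"


if __name__ == "__main__":
    for name, finding in sorted(audit_listeners(SAMPLE_SERVER_XML).items()):
        print("%-20s %s" % (name, finding))
    if renegotiation_reenabled():
        print("NSS_SSL_ENABLE_RENEGOTIATION=1 is set: CVE-2009-3555 exposure re-enabled")
```

Run it against the real server.xml by replacing SAMPLE_SERVER_XML with the file's contents; the environment check only tells you about the shell it runs in, so run it from the same environment that starts the Web Server.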

Java SE 5.0 and 6.0 Support

Web Server supports the 32-bit version of Java Platform, Standard Edition (Java SE) 5.0 and Java SE 6. The 64-bit version of Web Server supports the 64-bit version of the Java Development Kit (JDK).

JDK 6.0 Update 17 is delivered on Solaris, Linux, and Windows as part of the Web Server 7.0 Update 8 release.

The following table lists the JDK versions supported on various platforms:

Table 15 Supported JDK Versions

Operating System         Supported Java SE Version                 Co-packaged With Web Server   64-bit Support (Yes/No)
-----------------------  ----------------------------------------  ----------------------------  -----------------------
Solaris SPARC            1.5.0_22                                  No                            Yes
                         1.6.0_17                                  Yes
Solaris x86/AMD, AMD64   1.5.0_22                                  No                            Yes
                         1.6.0_17                                  Yes
Linux (32-bit)           1.5.0_22                                  No                            No
                         1.6.0_17                                  Yes
Linux (64-bit)           1.5.0_22                                  No                            Yes
                         1.6.0_17                                  Yes
Windows                  1.5.0_22                                  No                            No
                         1.6.0_17                                  Yes
HP-UX                    1.5.0.16 (1.5.0.12-_21_mar_2008_11_52)    No                            No
                         1.6.0.04
AIX                      1.5.0 pap32dev-20080315 (SR7)             No                            No
                         1.6.0 pap3260sr1-20080416_01 (SR2)

At the time of installation, you must specify a valid path for the JDK. To use a JDK version that is not co-packaged with the product, download the software from the following location:

JDK version 1.6.0: http://java.sun.com/javase/downloads/index.jsp

JDK version 1.5.0: http://www.hp.com/products1/unix/java/java2/jdkjre5_0/index.html

When you use JDK 1.5.0 on the AIX platform, the Administration Server may fail to start and display the error message "Unable to find/open the administration server's certificate database". This is caused by the restricted security policy of the installed JDK, which limits the key size.

For more information about security in IBM SDKs, see: http://www.ibm.com/developerworks/java/jdk/security/50/

You can overcome this problem by downloading the unrestricted security policy files (click "IBM SDK Policy files" on that page). Unpack the downloaded zip file and place the two JAR files in the JRE security directory (jre/lib/security/).
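After copying the two JAR files it is worth confirming that the JRE really is running with the unrestricted policy, because the restricted and unrestricted jars have the same file names and the only difference is inside them. The following script is an added example, not IBM's or Oracle's code: it opens local_policy.jar and US_export_policy.jar under <jre>/lib/security and reports whether each grants javax.crypto.CryptoAllPermission. It assumes the standard JCE layout (each jar carries a *.policy text file; the JCE framework applies the intersection of the two, so both must be unrestricted), and it builds constructed fixture JREs in a temporary directory so it can be run offline; point check_jre at a real JRE directory to audit an installation.

```python
"""Verify that the unrestricted JCE policy files are installed in a JRE.

Added example (not IBM's or Oracle's code).  It assumes the standard JCE
layout: <jre>/lib/security holds local_policy.jar and US_export_policy.jar,
each containing a *.policy text file, and the JCE framework applies the
intersection of the two.  The unrestricted set grants
javax.crypto.CryptoAllPermission; the restricted set limits key sizes with
javax.crypto.CryptoPermission entries.
"""
import os
import tempfile
import zipfile

POLICY_JARS = ("local_policy.jar", "US_export_policy.jar")


def policy_is_unrestricted(jar_path):
    """True if a .policy entry in the jar grants CryptoAllPermission, False if
    the jar holds only key-size-limited grants, None if the jar is missing or
    contains no policy entry."""
    if not os.path.isfile(jar_path):
        return None
    with zipfile.ZipFile(jar_path) as jar:
        policies = [n for n in jar.namelist() if n.endswith(".policy")]
        if not policies:
            return None
        for entry in policies:
            text = jar.read(entry).decode("utf-8", "replace")
            if "CryptoAllPermission" in text:
                return True
    return False


def check_jre(jre_dir):
    """Report each jar's status plus the effective result (both must be
    unrestricted, because JCE enforces the intersection of the two)."""
    security_dir = os.path.join(jre_dir, "lib", "security")
    report = {jar: policy_is_unrestricted(os.path.join(security_dir, jar))
              for jar in POLICY_JARS}
    report["effective_unrestricted"] = all(report[jar] is True for jar in POLICY_JARS)
    return report


# Constructed policy texts modelled on the Sun-style JCE files; sample data only.
RESTRICTED_LOCAL_POLICY = """grant {
    permission javax.crypto.CryptoPermission "DES", 64;
    permission javax.crypto.CryptoPermission "DESede", *;
    permission javax.crypto.CryptoPermission "RC2", 128,
                                     "javax.crypto.spec.RC2ParameterSpec", 128;
    permission javax.crypto.CryptoPermission *, 128;
};
"""
UNRESTRICTED_POLICY = """grant {
    permission javax.crypto.CryptoAllPermission;
};
"""


def build_fixture_jre(base_dir, unrestricted):
    """Create a fake <base_dir>/lib/security.  The export jar is unlimited in
    both sets; only local_policy.jar differs, as in the real distributions."""
    security_dir = os.path.join(base_dir, "lib", "security")
    os.makedirs(security_dir, exist_ok=True)
    local_text = UNRESTRICTED_POLICY if unrestricted else RESTRICTED_LOCAL_POLICY
    with zipfile.ZipFile(os.path.join(security_dir, "local_policy.jar"), "w") as z:
        z.writestr("default_local.policy", local_text)
    with zipfile.ZipFile(os.path.join(security_dir, "US_export_policy.jar"), "w") as z:
        z.writestr("default_US_export.policy", UNRESTRICTED_POLICY)
    return base_dir


def demo():
    """Run the check against a restricted and an unrestricted fixture JRE."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, flag in (("restricted", False), ("unrestricted", True)):
            jre = build_fixture_jre(os.path.join(tmp, label), flag)
            results[label] = check_jre(jre)
    return results


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, report)
```

The effective_unrestricted field is the one to act on: a restricted local_policy.jar next to an unlimited US_export_policy.jar still leaves the JRE restricted, which is exactly the state that produces the certificate-database error described above.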