iPlanet Web Proxy Server 3.6
Release Notes
These notes were last updated February 19th, 2002.
These release notes contain information about new features, known problems,
and migration procedures for iPlanet Web Proxy Server 3.6.
These release notes contain the following sections:
Supported Platforms
iPlanet Web Proxy Server 3.6 is supported on the following platforms:
Table 1-1 Supported Platforms
Operating System | Architecture
Sun Solaris 8; Solaris 2.6 supported through binary compatibility | UltraSPARC
Microsoft Windows NT 4.0 Server with Service Pack 6 | Intel Pentium
Microsoft Windows 2000 Server with Service Pack 1 | Intel Pentium
Microsoft Windows 2000 Advanced Server | Intel Pentium
Hewlett-Packard HP-UX 11.0 with the following restrictions/recommendations: Make sure the maxfiles and maxfiles_lim kernel parameters are at least 2048 or the proxy server may exit. | PA-RISC
IBM AIX 4.3.3 | Power PC
Required Patches
This section provides patch information for Solaris and Windows NT platforms.
Sun Solaris Patch Information
You should have installed the patches in Sun's recommended patch list.
For Sun's recommended patch list, see
http://sunsolve.sun.com/pubpatch.
For each patch, use the listed revision or a higher revision. For example,
if you need patch 111111-01, the later revision 111111-03
will also work.
To run iPlanet Web Proxy Server 3.6 on Solaris 2.6 you need patch 105529
rev09 or later.
Memory Information
Depending upon the platform, each process uses the following amount of
RAM when idle:
Table 1-2 Memory usage
Operating System | Memory usage per process
Sun Solaris 8 | 5 MB per process (proxy server default is set to 32 processes)
Microsoft Windows NT4 & 2000 Server or Advanced Server | 21 MB
Hewlett-Packard HP-UX 11.0 | 3.5 MB per process (proxy server default is set to 32 processes)
IBM AIX 4.3.3 | 3 MB per process (proxy server default is set to 32 processes)
When a process is active, the amount of RAM it uses may increase over
a short period.
SSL Information
SSL information remains the same as in the previous version. The NT and
Windows 2000 versions of iPlanet Web Proxy Server 3.6 do not support SSL.
Installation Information
We strongly recommend that no other iPlanet product be installed into the
same UNIX directory path as the iPlanet Web Proxy Server product, as this
may disable critical functionality required for the correct operation of
the proxy server.
In addition, on a Windows NT or Windows 2000 machine, the proxy server
should be installed independently of any other iPlanet product to avoid
conflicts with DLLs.
Migration Information
This section includes migration information for installing iPlanet
Web Proxy Server 3.6.
If you used the virus scanning capability of Netscape Proxy Server 3.5x,
turn the virus scanning off before proceeding with the migration
operation. To turn the virus scanning off, select the form
Filters|Virus Screening and click Turn off Virus screening.
Migrating from Netscape Proxy Server 3.5x on NT
A file called NTmigration.htm and a script called cpProxyData.pl
are provided to upgrade Proxy Server from a 3.5x version to a 3.6 version,
keeping the same parameters and data. Please read NTmigration.htm
for information on how to use the script to migrate your data from Netscape
Proxy Server 3.5 to iPlanet Web Proxy Server 3.6.
Caution
Do not use the option "Migrate from previous version"
in the administration window. This link works only for Proxy Servers installed
on UNIX systems.
Migrating from Netscape Proxy Server on UNIX
You can use the option "Migrate from previous version" in the
administration window to migrate from Netscape Proxy Server 3.5x to iPlanet
Web Proxy Server 3.6.
Migrating Proxy Plug-ins on AIX
iPlanet Web Proxy Server 3.6 is built on AIX 4.3, which natively supports
runtime linking. Consequently, NSAPI plug-ins (which reference symbols
in the ns-proxy main executable) must be built using the -G
option which specifies that symbols must be resolved at runtime.
Previous versions of iPlanet Web Proxy Server were built on AIX 4.1,
which did not support native runtime linking. Plug-ins were enabled by
building Proxy Server with additional software provided by IBM AIX to Netscape.
No special runtime linking directives were required to build plug-ins.
Because of this, plug-ins which have been built for previous versions of
Proxy Server on AIX will not work with iPlanet Web Proxy Server 3.6 without
modification.
However, the plug-ins can easily be relinked to work with iPlanet Web
Proxy Server 3.6. iPlanet provides a script to relink existing plug-ins.
Only the existing plug-in itself is required to run the script, not the
original source and .o files. More specific comments are in the
script itself. Because all AIX versions from 4.2 onward natively support
runtime linking, we do not anticipate this issue being a problem again
for future iPlanet Web Proxy Server releases built on AIX.
Relink Script
The relink script, relink_36plugin, is located in the following
directory: server_root/plugins (See relink_36plugin script
for usage.)
#!/bin/ksh
#
# script to modify a plugin built for Netscape Proxy Server 3.5 to
# work with iPlanet Web Proxy Server 3.6
#
# usage: relink_plugin
#
# Script will create .new that will work with iPlanet Web Proxy Server 3.6
#
# If your was built with a specific default LIBPATH, then
# you must modify the DEF_LIBPATH variable below. Run the command
# "dump -H " and your existing default LIBPATH will be listed
# as the PATH information by INDEX 0 under the ***Import File Strings***
# section.
DEF_LIBPATH=/usr/lib/threads:/usr/ibmcxx/lib:/usr/lib:/lib
# If your has dependencies on other shared objects, then you
# must modify the LIBS variable below to include those dependencies
# (e.g.
# if you need symbols from shared objects libusra.so, libusrb.so, & libusrc.so;
# you would specify LIBS="-lusra -lusrb -lusrc")
# Run the command "dump -H " to see if your has
# any dependencies; they will be listed under the ***Import File Strings***
# section (Note: you don't have to specify system library dependencies
# such as libc.a, libc_r.a, etc.)
LIBS=
# Note: the following warnings may appear, but you can ignore them:
# ld: 0711-415 WARNING: Symbol __priority0x80000000 is already exported.
# ld: 0711-224 WARNING: Duplicate symbol: __priority0x80000000
# ld: 0711-224 WARNING: Duplicate symbol: .__priority0x80000000
# ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.
# Note: If you are running with the AIX CSet++ 3.1.4 compiler instead of
# the CSet++ 3.6.4 compiler, then replace all references in this script
# to "ibmcxx" with "lpp/xlC".
# $1 is the existing plug-in file; the relinked copy is written to $1.new.
/usr/bin/ld -bnso -r -o /tmp/obj.o $1
/usr/ibmcxx/bin/makeC++SharedLib_r -p 0 -G -blibpath:$DEF_LIBPATH $LIBS \
/tmp/obj.o -o $1.new
Problems Corrected
This section lists bugs fixed with iPlanet Web Proxy Server 3.6:
- #380223 Proxy Server appends LF instead of CRLF to host header.
  Proxy Server was only adding the LF (\n) to the end of the host header
  when it should have been adding CRLF (\r\n).
- #379889 Proxy Server does not establish a secure connection with sites.
  If the SSL server certificate used by CMS was signed with a key longer
  than 1024 bits, Proxy Server was unable to verify the SSL server
  certificate's digital signature.
- #437750 Proxy Server does not load group attributes only to check existence.
  When Proxy Server starts, it checks that the groups used in the ACL exist.
  To do so, Proxy Server searches for the LDAP entry corresponding to each
  group. This search no longer returns all the group attribute values, because
  the values can be large for a group containing many members.
- #386993 Proxy Server does not generate an error message when using
  "Unverified User from client". When going through Proxy Server to a site
  that requires authentication, the error "...remote-auth reports:missing
  parameter to remote-auth (need type)" is not shown in the error log when
  you check "Unverified User from client" under
  Server Status|Log Preferences|Only log.
- #519297 Proxy Server remains bound to LDAP server on default DN.
  After each bind to the LDAP server for user authentication, Proxy Server
  makes sure that it binds again as the default DN. This prevents some
  erroneous cases of authentication failure.
- #395408 Proxy Server changes the case of additional characters, and
  as a result changes cookie content, when cookie text size is greater than
  595 characters.
- #342873 Proxy Server cannot upload to root directory. It is now possible
  to get a file uploaded to the root directory through Proxy Server.
- #469690 Socks Server hangs. Socks Server no longer hangs when
  the administrator changes default settings to increase the number of worker
  threads or posted accepts.
- #401845 Proxy Server on NT constantly restarts under heavy CPU load.
- #512200 Proxy Server on NT sends extra <CR><LF> in POST request.
- #531231 Proxy Server does not free 3 file descriptors at restart.
- #533997 The keep-alive HTTP header is taken into account by the CONNECT
  method.
- #535449 Socks Server crashes when requests require LDAP authentication.
- #538551 Socks Server cannot restart because bind to LDAP fails.
New Features
- #383516 Proxy Server can now use LDAP dynamic groups for authentication.
  Proxy Server supports LDAP dynamic groups, in addition to LDAP static
  groups, for authentication, access control, and user and group management.
  Dynamic groups are managed via the LDAP server user interface. They are
  used in Proxy Server administration in the same way as static groups (by
  providing the name of the group to define ACLs).
  This feature introduces two new configuration parameters in the
  configuration file magnus.conf:
  - dyngroups. This parameter determines how Proxy Server handles
    dynamic groups. It takes three values: off (default), on and recursive.
    - When set to off (default), Proxy Server does not take dynamic
      groups into account (it still takes into account users and static
      groups).
    - When set to on, Proxy Server evaluates dynamic groups but not
      recursively; therefore dynamic groups cannot have group members.
    - When set to recursive, Proxy Server evaluates dynamic groups
      recursively: this option allows you to have static and dynamic groups
      that can include static or dynamic groups. This is the most costly
      option in terms of CPU consumption.
  - searchdepth. This parameter gives the maximum search depth in
    groups (static or dynamic). It takes an integer greater than zero.
    By default, the value is set to 30. If the search process remains
    unsuccessful within this limit, access is denied.
    For example, when searchdepth is set to 2:
    - "user belongs to group1 which belongs to group2" is scanned
    - "user belongs to group1 which belongs to group2 which belongs to
      group3" is not scanned
  An example of the magnus.conf configuration file:
  dyngroups recursive
  searchdepth 10
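The searchdepth rule above, modelled as an added example (not iPlanet code): a breadth-first walk counts membership hops and denies access when the target group lies beyond the limit. The directory contents and the names hops_to and is_member are constructed for illustration; the server's own search algorithm is not documented in these notes.

```python
# Added illustration: a model of depth-limited group resolution, not iPlanet code.
from collections import deque

# Constructed directory: each key is a user or group, each value is the set of
# groups that list it as a direct member.
MEMBER_OF = {
    "alice": {"group1"},
    "group1": {"group2"},
    "group2": {"group3"},
    "group3": {"group1"},  # constructed cycle; the walk must still terminate
}


def hops_to(user, target_group, member_of=MEMBER_OF):
    """Smallest number of membership hops from user to target_group, or None."""
    seen = {user}
    frontier = deque([(user, 0)])
    while frontier:
        node, depth = frontier.popleft()
        for group in member_of.get(node, ()):
            if group == target_group:
                return depth + 1
            if group not in seen:  # skip groups already scanned (cycles)
                seen.add(group)
                frontier.append((group, depth + 1))
    return None


def is_member(user, target_group, searchdepth=30, member_of=MEMBER_OF):
    """Fail closed: membership counts only if found within searchdepth hops."""
    if searchdepth < 1:
        raise ValueError("searchdepth must be an integer greater than zero")
    hops = hops_to(user, target_group, member_of)
    return hops is not None and hops <= searchdepth


if __name__ == "__main__":
    for group in ("group1", "group2", "group3"):
        print(group, hops_to("alice", group), is_member("alice", group, 2))
```

Running hops_to for every user and ACL group pair shows the smallest searchdepth that still reaches each group before the default of 30 is lowered.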
- #383712 Proxy Authentication/LDAP Caching on NT. Proxy Server can
  now cache LDAP information in a simple hash-based proxy authentication
  cache. LDAP caching reduces the load on your directory server and improves
  performance. The proxy authentication cache stores user password and user
  group information, which resides in memory. From the administration
  user interface, you can enable and disable the authentication cache,
  configure the hash table size, configure the number of entries the cache
  holds, and set the entry expiration time.
  Below is the obj.conf directive for enabling and disabling this feature:
  Init status=<on|off> hash-size=<size of hash table> table-size=<size of entries table> expires=<expires time, in seconds> fn="init-pauth-cache"
  Example: Init status="on" hash-size="271" table-size="1355" expire="3600" fn="init-pauth-cache"
- #439049 Proxy handles LDAP server failover. Proxy Server provides
  basic failover capability, so that it can serve requests when Directory
  Server is not running. Directory Server still needs to be running to
  administer Proxy Server through the administration console.
  To add alternate LDAP servers, enter multiple host names in the Directory
  Server field in the administration console of Proxy Server, separated by
  a blank character. The LDAP port is common to all servers, so alternate
  servers must use the same LDAP port as configured in the administration
  console.
  Proxy Server has two time-out values, one for the bind and one for
  searches. When a time-out is raised, Proxy Server retries contacting the
  failed LDAP server once. If Directory Server is unreachable, the current
  LDAP operation fails and all opened connections on the failed server are
  marked down. The next Proxy Server operation will use a new pool of
  connections to the next alternate server. Proxy Server does not switch
  back to the main LDAP server if it becomes available.
  At start time, Proxy Server opens a set of connections to the LDAP
  directory server (see LdapConnPool parameter). If the main server
  is unreachable, Proxy Server tries to switch to an alternate server and
  tries to open connections. If this procedure fails, an error is reported
  to the log.
  No failover is implemented in the console, so the primary directory
  must be up and running to use the administration console.
  You can configure server failover using two new parameters in the
  configuration file, magnus.conf:
  - SearchTimeLimit (integer > 0, default=15). Specifies the time-out value,
    in seconds, for search operations on the LDAP server.
  - BindTimeLimit (integer > 0, default=30). Specifies the time-out value,
    in seconds, for bind operations on the LDAP server.
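The failover rules described above, replayed as an added example (a simplified model, not iPlanet code): one retry on time-out, the failing operation is lost, the next operation moves to the next alternate, and there is no switch back. The host names, the timeline, the names LdapFailover and replay, and the behaviour once no alternate is left are assumptions.

```python
# Added illustration: a simplified model of the documented failover rules,
# not iPlanet code. Host names and the timeline are constructed.

class LdapFailover:
    def __init__(self, hosts):
        self.hosts = hosts.split()  # blank-separated, as in the console field
        self.active = 0             # index of the server in use; only increases
        self.marked_down = []

    def operate(self, op):
        """Run op(host) on the active server; None means the operation failed."""
        if self.active >= len(self.hosts):
            return None             # assumption: no alternate left to try
        host = self.hosts[self.active]
        for _attempt in range(2):   # first try, then the single retry
            try:
                return op(host)
            except TimeoutError:
                pass
        # Still unreachable: this operation fails, the server is marked down,
        # and the next operation starts on the next alternate. No failback.
        self.marked_down.append(host)
        self.active += 1
        return None


def replay(hosts, timeline):
    """timeline holds one set of unreachable hosts per operation.

    Returns, per operation, the host that answered or None on failure.
    """
    pool = LdapFailover(hosts)

    def make_op(unreachable):
        def op(host):
            if host in unreachable:
                raise TimeoutError(host)
            return host
        return op

    return [pool.operate(make_op(unreachable)) for unreachable in timeline]


if __name__ == "__main__":
    # ldap1 is down for operations 2 and 3 and back up for operation 4.
    print(replay("ldap1 ldap2", [set(), {"ldap1"}, {"ldap1"}, set()]))
```

The replay makes two operational consequences visible: the request that hits the time-out is not served, and the proxy stays on the alternate after the main server recovers.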
Virus Scanning
Virus scanning is not supported in iPlanet Web Proxy Server 3.6.
Troubleshooting
- Members of a proxy array cannot update configuration from the master.
  There are two possible reasons for this problem:
  1- When setting up a proxy array for the first time, be sure to use
  a higher Configuration ID for the master than for the members. Otherwise,
  members will not take into account the configuration they read from the
  master. For example, set Configuration ID to 2 for the master and 1 for
  members.
  2- On UNIX only: if Administration Server and Proxy Server are running
  under two different users, Proxy Server may not be able to update the
  parray.pat file because this file is created by Administration Server with
  Administration Server's write access.
- I cannot view my access log file from the server manager.
  The log files may have grown too big. To remedy this, manually rotate
  the log files. In the server manager, select Server Status|Archive Log
  and click the Archive button. A new set of empty log files
  will be created and the previous ones are renamed. The old log files can
  be deleted or backed up elsewhere.
  To avoid this problem in the future:
  - Limit the amount of information stored in the access log file. To do so,
    select Server Status|Log Preferences, and check only information
    fields corresponding to the information you want the access log file to
    record.
  - Start a job to rotate log files regularly. To do so, choose
    Server Status|Archive Log, check rotate log at and choose the hours
    and days of access log rotations. To select more than one hour, keep the
    ctrl key pressed down while clicking on the hour menu. Click OK.
- On HP-UX, when I restart the Socks Server it simply stops running.
  On an HP-UX box, an attempt to restart the Socks Server while requests
  are being processed simply stops the Socks Server. Restart occurs each
  time you click the Save and Apply button in any Socks Server administration
  screen.
  The fix for bug #538551 prevents the Socks Server from stopping
  at restart, but only if no request is being processed at the same time.
  A simple workaround is to stop then start the Socks Server instead of
  performing a restart.
Known Problems
- Access control to log files on UNIX systems. Proxy access log files
  and error log files are regular UNIX files. These files belong to the UNIX
  user account Proxy Server uses. If your log file content is highly
  confidential, use a dedicated UNIX user to run Proxy Server and set the
  proper permission mode on the log files.
  Change the log file permission mode to deny access to anybody but the
  owner:
  $ chmod 600 access errors
  $ ls -l access errors
  -rw------- 1 <owner> <group> 327 Apr 9 15:10 access
  -rw------- 1 <owner> <group> 258 Apr 9 16:29 errors
- For other known problems see the Netscape Proxy Server 3.52 release notes.
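A check for the log file permission recommendation above, as an added example (not part of the product): it walks a log directory and reports files whose mode grants any group or other access, or whose owner differs from the expected account. The function name audit_logs and the directory passed to it are assumptions; point it at the directory that holds the access and errors files.

```python
# Added illustration: audit proxy log files against the "chmod 600" advice.
import os
import stat
import sys


def audit_logs(log_dir, expected_uid=None):
    """Return (path, problem) pairs for log files not restricted to their owner."""
    findings = []
    for root, _dirs, files in os.walk(log_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            st = os.lstat(path)  # lstat: do not follow a symlink planted in the dir
            if not stat.S_ISREG(st.st_mode):
                findings.append((path, "not a regular file"))
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & 0o077:     # any group or other permission bit set
                findings.append(
                    (path, "mode %04o grants group/other access" % mode))
            if expected_uid is not None and st.st_uid != expected_uid:
                findings.append((path, "owned by uid %d" % st.st_uid))
    return findings


if __name__ == "__main__":
    # Usage: python audit_logs.py <log directory> [expected uid]
    uid = int(sys.argv[2]) if len(sys.argv) > 2 else None
    problems = audit_logs(sys.argv[1], uid)
    for path, problem in problems:
        print("%s: %s" % (path, problem))
    sys.exit(1 if problems else 0)
```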
Where to Go for More Information
For iPlanet Web Proxy Server 3.6 installation instructions, see the
Installation Guide.
For iPlanet Web Proxy Server 3.6 administrator documentation, see the
online help that accompanies the product. The Administrator's
Guide and related documents are also posted at http://docs.iplanet.com/docs/manuals/proxy.html.
Contacting iPlanet Technical Support:
For product-specific technical support, please see the Product Support
Page for iPlanet Web Proxy Server at: http://www.iplanet.com/support/technical_resources/proxy
© Copyright 2001, 2002 Sun
Microsystems, Inc. Some preexisting portions Copyright © Netscape
Communications Corp. All rights reserved.