iPlanet Web Proxy Server 3.6
Release Notes

These release notes contain information about new features, known problems, and migration procedures for iPlanet Web Proxy Server 3.6.

These release notes contain the following sections:

• Supported Platforms
• Required Patches
• Memory Information
• Installation Information
• Migration Information
• Bugs Fixed
• New Features
• Virus Scanning
• Troubleshooting
• Known Problems
• How to Report Problems
• Where to Go for More Information

Supported Platforms

Required Patches

Sun Solaris Patch Information

For each patch, use the listed revision or a higher revision. For example, if you need patch 111111-01, the later revision 111111-03 will also work.

To run iPlanet Web Proxy Server 3.6 on Solaris 2.6 you need patch 105529 rev09 or later.

Memory Information

When a process is active, the amount of RAM it uses may increase over a short period.
 

SSL Information

Installation Information

In addition, on a Windows NT or Windows 2000 machine, the proxy server should be installed independently of any other iPlanet product to avoid conflicts with DLLs.

Migration Information

If you used the virus scanning capability of Netscape Proxy Server 3.5x, turn the virus scanning off before proceeding with the migration operation. To turn the virus scanning off, select the form Filters | Virus Screening and click Turn off Virus screening.

Migrating  from Netscape Proxy Server 3.5x on NT

Caution

Do not use the option "Migrate from previous version" in the administration window. This link works only for Proxy Servers installed on UNIX systems.

Migrating from Netscape Proxy Server on UNIX

Migrating Proxy Plug-ins on AIX

Previous versions of iPlanet Web Proxy Server were built on AIX 4.1, which did not support native runtime linking. Plug-ins were enabled by building Proxy Server with additional software provided by IBM AIX to Netscape. No special runtime linking directives were required to build plug-ins. Because of this, plug-ins which have been built for previous versions of Proxy Server on AIX will not work with iPlanet Web Proxy Server 3.6 without modification.

However, the plug-ins can easily be relinked to work with iPlanet Web Proxy Server 3.6. iPlanet provides a script to relink existing plug-ins. Only the existing plug-in itself is required to run the script, not the original source and .o files. More specific comments are in the script itself. Because all AIX versions from 4.2 onward natively support runtime linking, we do not anticipate this issue being a problem again for future iPlanet Web Proxy Server releases built on AIX.

Relink Script

#!/bin/ksh
#
# script to modify a plugin built for Netscape Proxy Server 3.5 to
# work with iPlanet Web Proxy Server 3.6
#
# usage: relink_plugin
#
# Script will create .new that will work with iPlanet Web Proxy Server 3.6
#
# If your was built with a specific default LIBPATH, then
# you must modify the DEF_LIBPATH variable below. Run the command
# "dump -H " and your existing default LIBPATH will be listed
# as the PATH information by INDEX 0 under the ***Import File Strings***
# section.

DEF_LIBPATH=/usr/lib/threads:/usr/ibmcxx/lib:/usr/lib:/lib

# If your has dependencies on other shared objects, then you
# must modify the LIB variable below to include those dependencies
# (e.g.
# if you need symbols from shared objects libusra.so, libusrb.so, & libusrc.so;
# you would specify LIBS="-lusra -lusrb -lusrc")
# Run the command "dump -H " to see if your has
# any dependencies; they will be listed under the ***Import File Strings***
# section (Note: you don't have to specify system library dependencies
# such as libc.a, libc_r.a, etc.)

LIBS=

# Note: the following warnings may appear, but you can ignore them:
# ld: 0711-415 WARNING: Symbol __priority0x80000000 is already exported.
# ld: 0711-224 WARNING: Duplicate symbol: __priority0x80000000
# ld: 0711-224 WARNING: Duplicate symbol: .__priority0x80000000
# ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.

# Note: If you are running with the AIX CSet++ 3.1.4 compiler instead of
# the CSet++ 3.6.4 compiler, then replace all references in this script
# to "ibmcxx" with "lpp/xlC".

/usr/bin/ld -bnso -r -o /tmp/obj.o $1
/usr/ibmcxx/bin/makeC++SharedLib_r -p 0 -G -blibpath:$DEF_LIBPATH $LIBS \
/tmp/obj.o -o $1.new

Problem Corrected

• #380223 Proxy Server appends LF instead of CRLF to host header. Proxy Server was only adding the LF (\n) to the end of the host header when it should have been adding CRLF (\r\n).

• #379889 Proxy Server does not establish a secure connection with sites.  If the SSL server certificate used by CMS was signed with a key longer than 1024 bits, Proxy Server was unable to verify the SSL server certificate's digital signature.

• #437750 Proxy Server does not load group attributes only to check existence. When Proxy Server starts, it checks that the groups used in the ACL exist. To do so, Proxy Server searches for the LDAP entry corresponding to each group. This search no longer returns all the group attribute values, because the values can be large for a group containing many members.

• #386993 Proxy Server does not generate an error message when using "Unverified User from client". When going through Proxy Server to a site that requires authentication, the  error "...remote-auth reports:missing parameter to remote-auth (need type)" is not shown in the error log when you check "Unverified User from client" under Server Status|Log Preferences|Only log.

• #519297 Proxy Server remains bound to LDAP server on default DN. After each bind to the LDAP server for user authentication, Proxy Server makes sure that it binds again as the default DN. This prevents some erroneous cases of authentication failure.

• #395408 Proxy Server changes the case of additional characters, and as a result changes cookie content, when cookie text size is greater than 595 characters.

• #342873 Proxy Server cannot upload to root directory. It is now possible to get a file uploaded to the root directory through Proxy Server.

• #469690 Socks Server hangs.  Socks Server no longer hangs when the administrator changes default settings to increase the number of worker threads or posted accepts.

• #401845 Proxy Server on NT constantly restarts under heavy CPU load.

• #512200 Proxy Server on NT sends extra <CR><LF> in POST request.

• #531231 Proxy Server does not free 3 file descriptors at restart.

• #533997 The keep-alive HTTP header is taken into account by the CONNECT method.

• #535449 Socks Server crashes when requests require LDAP  authentication.

• #538551 Socks Server cannot restart because bind to LDAP fails.

New Features

• #383516 Proxy Server can now use LDAP dynamic groups for authentication. Proxy Server supports LDAP dynamic groups, in addition to LDAP static groups, for authentication, access control, and user and group management.  Dynamic groups are managed via the LDAP server user interface. They are used in Proxy Server administration in the same way as static groups (by providing the name of the group to define ACLs)

This feature introduces two new configuration parameters in the configuration file magnus.conf:

• dyngroups. This parameter determines how Proxy Server handles dynamic groups.  It takes three values : off (default), on and recursive.
• When set to off (default), Proxy Server does not take dynamic groups into account (it still takes into account users and static groups).
• When set to on, Proxy Server evaluates dynamic groups but not recursively: Therefore  dynamic groups cannot have group members.
• When set to recursive, Proxy Server evaluates dynamic groups recursively: this option allows you to have static and dynamic groups that can include static or dynamic groups. This is the most costly option in terms of CPU consumption.

• searchdepth. This parameter gives the maximum search depth in groups (static or dynamic).  It takes an integer, greater than zero.  By default, the value is set to 30. If the search process remains unsuccessful within this limit, access is denied.
For example, when searchdepth is set to 2:
• "user belongs to group1 which belongs to group2" is scanned
• "user belongs to group1 which belongs to group2 which belongs to group3" is not scanned

An example of the magnus.conf configuration file:

dyngroups recursive
searchdepth 10

 
• #383712 Proxy Authentication/LDAP Caching on NT. Proxy Server can now cache LDAP information in a simple hash-based proxy authentication cache. LDAP caching reduces the load on your directory server and improves performance. The proxy authentication cache stores user password and user group information, which resides in memory.  From the administration user interface, you can enable and disable the authentication cache,  configure the hash table size, configure the number of entries the cache holds, and set the entry expiration time.

Below is the obj.conf directive for enabling and disabling this feature:

Init status=<on|off> hash-size=<size of hash table>
table-size=<size of entries table> expires=<expires time, in seconds> fn="init-pauth-cache"
Example :  Init status="on" hash-size="271" table-size="1355" expire="3600" fn="init-pauth-cache"

 
• #439049 Proxy handles LDAP server failover. Proxy Server provides basic failover capability, so that it can serve requests when Directory Server is not running. Directory Server still needs to be running to administer Proxy Server through the administration console.

To add alternate LDAP servers, enter multiple host names in the Directory Server field in the administration console of Proxy Server, separated by a blank character. The LDAP port is common to all servers, so alternate servers must use the same LDAP port as configured in the administration console.

Proxy Server has two time-out values, one for the bind and one for searches. When a time-out is raised, Proxy Server retries to contact the failed LDAP server once. If Directory Server is unreachable, the current LDAP operation fails and all opened connections on the failed server are marked down. The next Proxy Server operation will use a new pool of connections to the next alternate server. Proxy Server does not switch back to the main LDAP server if it becomes available.

At start time, Proxy Server opens a set of connections to the LDAP directory server (see LdapConnPool parameter). If the main server is unreachable, Proxy Server tries to switch to an alternate server and tries to open connections. If this procedure fails, an error is reported to the log.

No failover is implemented in the console, so the primary directory must be up and running to use the administration console.

You can configure server failover using two new parameters in the configuration file, magnus.conf:

• SearchTimeLimit (integer>0, default=15). Specifies the time-out value, in seconds, for search operations on the LDAP server.

• BindTimeLimit (integer > 0, default=30). Specifies the time-out value, in seconds, for bind operations on the LDAP server.

Virus Scanning

Troubleshooting

• Members of a proxy array cannot update configuration from the master.

There are two possible reasons for this problem:

1- When setting up a proxy array for the first time, be sure to use a higher Configuration ID for the master than for the members. Otherwise, members will not take into account the configuration they read from the master. For example, set Configuration ID to 2 for the master and 1 for members.

2- On UNIX only: if Administration Server and Proxy Server are running under two different users, Proxy Server may not be able to update the parray.pat file because this file is created by Administration Server with Administration Server's write access.

• I cannot view my access log file from the server manager.

The log files may have grown too big. To remedy this, manually rotate the log files. In the server manager, select Server Status|Archive Log and click on Archive button. A new set of empty log files will be created and the previous ones are renamed. The old log files can be deleted or backed up elsewhere.

To avoid this problem in the future:
• Limit the amount of information stored in the access log file. To do so, select Server Status|Log Preferences, and check only information fields corresponding to the information you want the access log file to record.
• Start a job to rotate log files regularly. To do so, choose Server Status|Archive Log, check rotate log at and choose the hours and days of access log rotations. To select more than one hour, keep the ctrl key pressed down while clicking on the hour menu. Click OK.

• On HP-UX, when I restart the Socks Server it simply stops running.

On a HP-UX box, an attempt to restart the Socks Server while requests are being processed simply stops the Socks Server. Restart occurs each time you click Save and Apply button in any Socks Server administration screen.

The fix for bug #538551 prevents the Socks Server to stop at restart but only if no request is being processed at the same time. A simple workaround is to stop then start the Socks Server instead of performing a restart.

Known Problems

• Access control to log files on UNIX systems. Proxy access log files and error log files are regular UNIX files. These files belong to the UNIX user account Proxy Server uses. If your log file content is highly confidential, use a dedicated UNIX user to run Proxy Server and set the proper permission mode to log files.

Change the log file permission mode to deny access to anybody but the owner:

$ chmod 600 access errors
$ ls -l access errors
-rw-------   1 <owner> <group>      327 Apr  9 15:10 access
-rw-------   1 <owner> <group>      258 Apr  9 16:29 errors

• For other known problems see the Netscape Proxy Server 3.52 release notes.

Where to Go for More Information

For iPlanet Web Proxy Server 3.6 administrator documentation, see the online help that accompanies the product. The Administrator's Guide and related documents are also posted at  http://docs.iplanet.com/docs/manuals/proxy.html.

Contacting iPlanet Technical Support:
For product-specific technical support, please see the Product Support Page for iPlanet Web Proxy Server at: http://www.iplanet.com/support/technical_resources/proxy