Release Notes for iPlanet Web Proxy Server
Version 3.6 Service Pack 1
Part Number: 816-6147-10
Updated September 25, 2002
These release notes contain information about new features, known limitations, and
migration procedures for iPlanet Web Proxy Server.
These release notes contain the following sections:
Supported Platforms
iPlanet Web Proxy Server 3.6 is supported on the following platforms:
Table 1-1 Supported Platforms
Operating System | Architecture
Sun Solaris 8; Solaris 2.6 supported through binary compatibility | UltraSPARC
Microsoft Windows NT 4.0 Server with Service Pack 6a | Intel Pentium
Microsoft Windows 2000 Server with Service Pack 2 | Intel Pentium
Microsoft Windows 2000 Advanced Server with Service Pack 2 | Intel Pentium
Hewlett-Packard HP-UX 11.0 with the following restrictions/recommendations: Make sure the maxfiles and maxfiles_lim kernel parameters are at least 2048, or the proxy server may exit. | PA-RISC
IBM AIX 4.3.3 | Power PC
Required Patches
This section provides patch
information for Solaris.
Sun Solaris Patch Information
All patches on Sun's recommended patch
list should be installed. For Sun's recommended patch list, see http://sunsolve.sun.com/pubpatch.
For each patch, install the listed revision or a later revision. For example,
if patch 111111-01 is required, the later revision 111111-03
will also work.
iPlanet Web Proxy Server 3.6 on Solaris 2.6 requires patch 105529
rev09 or later.
Memory Information
Depending upon the platform, each process uses the following amount of RAM when idle:
Table 1-2 Memory usage
Operating System | Memory usage per process
Sun Solaris 8 | 5 MB per process (proxy server default is set to 32 processes)
Microsoft Windows NT4 & 2000 Server or Advanced Server | 21 MB
Hewlett-Packard HP-UX 11.0 | 3.5 MB per process (proxy server default is set to 32 processes)
IBM AIX 4.3.3 | 3 MB per process (proxy server default is set to 32 processes)
When a process is active, the amount of RAM it uses may increase over a short
period.
SSL Information
SSL information remains the same as in
the previous version. The NT and Windows 2000 versions of iPlanet Web Proxy
Server 3.6 do not support SSL.
Installation Information
We strongly
recommend that no other iPlanet product be installed into the same UNIX
directory path as the iPlanet Web Proxy Server product, as this may disable
critical functionality required for the correct operation of the proxy server.
In addition, on a Windows NT or Windows 2000 machine, the proxy server should
be installed independently of any other iPlanet product to avoid conflicts with
DLLs.
Migration Information
This section includes
migration information for installing iPlanet Web Proxy Server 3.6.
Note: If you used the virus scanning capability of Netscape Proxy Server
3.5x, turn virus scanning off before proceeding with the
migration operation. To turn virus scanning off, select
Filters | Virus Screening and click Turn off Virus
screening.
Migrating from Netscape Proxy Server 3.5x on NT
A file called
NTmigration.htm and a script called cpProxyData.pl are
provided to upgrade Proxy Server from a 3.5x version to a 3.6 version, keeping
the same parameters and data. Please read NTmigration.htm for
information on how to use the script to migrate your data from Netscape Proxy
Server 3.5 to iPlanet Web Proxy Server 3.6.
Caution: Do not use the option "Migrate from previous version" in the
administration window. This link works only for Proxy Servers installed on
UNIX systems.
Migrating from Netscape Proxy Server on UNIX
Use the option "Migrate
from previous version" in the administration window to migrate from
Netscape Proxy Server 3.5x to iPlanet Web Proxy Server 3.6.
Migrating Proxy Plug-ins on AIX
iPlanet Web Proxy Server 3.6 is built on
AIX 4.3, which natively supports runtime linking. Consequently, NSAPI plug-ins
(which reference symbols in the ns-proxy main executable) must be built
using the -G option which specifies that symbols must be resolved at
runtime.
Previous versions of iPlanet Web Proxy Server were built on AIX 4.1, which
did not support native runtime linking. Plug-ins were enabled by building Proxy
Server with additional software provided by IBM AIX to Netscape. No special
runtime linking directives were required to build plug-ins. Because of this,
plug-ins built for previous versions of Proxy Server on AIX will not work with
iPlanet Web Proxy Server 3.6 without modification.
However, these plug-ins can easily be relinked to work with iPlanet Web Proxy
Server 3.6. iPlanet provides a script to relink existing plug-ins. Only the
existing plug-in is required to run the script (not the original source and
.o files). Specific comments are provided within the script. Because
all AIX versions from 4.2 onward natively support runtime linking, we do not
anticipate this issue being a problem again for future iPlanet Web Proxy Server
releases built on AIX.
Relink Script
The relink script, relink_36plugin, is located in
the following directory: server_root/plugins (See
relink_36plugin script for usage.)
#!/bin/ksh
#
# script to modify a plugin built for Netscape Proxy Server 3.5 to
# work with iPlanet Web Proxy Server 3.6
#
# usage: relink_plugin <plugin>
#
# Script will create <plugin>.new that will work with iPlanet Web Proxy Server 3.6
#
# If your plugin was built with a specific default LIBPATH, then
# you must modify the DEF_LIBPATH variable below. Run the command
# "dump -H <plugin>" and your existing default LIBPATH will be listed
# as the PATH information by INDEX 0 under the ***Import File Strings***
# section.
DEF_LIBPATH=/usr/lib/threads:/usr/ibmcxx/lib:/usr/lib:/lib
# If your plugin has dependencies on other shared objects, then you
# must modify the LIBS variable below to include those dependencies
# (e.g.
# if you need symbols from shared objects libusra.so, libusrb.so, & libusrc.so;
# you would specify LIBS="-lusra -lusrb -lusrc")
# Run the command "dump -H <plugin>" to see if your plugin has
# any dependencies; they will be listed under the ***Import File Strings***
# section (Note: you don't have to specify system library dependencies
# such as libc.a, libc_r.a, etc.)
LIBS=
# Note: the following warnings may appear, but you can ignore them:
# ld: 0711-415 WARNING: Symbol __priority0x80000000 is already exported.
# ld: 0711-224 WARNING: Duplicate symbol: __priority0x80000000
# ld: 0711-224 WARNING: Duplicate symbol: .__priority0x80000000
# ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.
# Note: If you are running with the AIX CSet++ 3.1.4 compiler instead of
# the CSet++ 3.6.4 compiler, then replace all references in this script
# to "ibmcxx" with "lpp/xlC".
# Combine the existing plug-in into a single relocatable object.
/usr/bin/ld -bnso -r -o /tmp/obj.o "$1"
# Rebuild it as a shared library with runtime linking enabled (-G).
# $LIBS is left unquoted on purpose so that each -l option is a separate word.
/usr/ibmcxx/bin/makeC++SharedLib_r -p 0 -G -blibpath:$DEF_LIBPATH $LIBS \
    /tmp/obj.o -o "$1.new"
Problems Corrected
iPlanet Web Proxy Server 3.6
includes fixes to the following known problems that occurred in earlier
releases:
- Proxy Server appends LF instead of CRLF to host header. (4588536)
Proxy Server was only adding LF (\n) to the end of the host header when it
should have been adding CRLF (\r\n).
- Proxy Server does not establish a secure connection with sites. (4588536)
If the SSL server certificate used by CMS was signed with a key longer
than 1024 bits, Proxy Server was unable to verify the SSL server certificate's
digital signature.
- Proxy Server does not load group attributes only to check existence.
(4575103)
When Proxy Server starts, it checks that the groups used in the
ACL exist. To do so, Proxy Server searches for the LDAP entry corresponding to
each group. This search no longer returns all the group attribute values,
because the values can be large for a group containing many members.
- Proxy Server does not generate an error message when using "Unverified
User from client". (4580723)
When going through Proxy Server to a site
that requires authentication, the error "...remote-auth reports:missing
parameter to remote-auth (need type)" is not shown in the error log when
you check "Unverified User from client" under Server Status|Log
Preferences|Only log.
- Proxy Server remains bound to LDAP server on default DN. (4586796)
After each bind to the LDAP server for user authentication, Proxy Server
makes sure that it binds again as the default DN. This prevents erroneous
cases of authentication failure.
- Proxy Server changes the case of additional characters, and as a result
changes cookie content, when cookie text size is greater than 595 characters.
(4572215)
- Proxy Server cannot upload to root directory. (4608854)
It is now
possible to upload a file to the root directory through Proxy Server.
- Socks Server hangs. (4576106)
Socks Server no longer hangs when the
administrator changes default settings to increase the number of worker
threads or posted accepts.
- Proxy Server on NT constantly restarts under heavy CPU load. (4579465)
- Proxy Server on NT sends extra <CR><LF> in POST request. (4568138)
- Proxy Server does not free 3 file descriptors at restart. (4561522)
- The keep-alive HTTP header is taken into account by the CONNECT method.
(4562943)
- Socks Server crashes when requests require LDAP authentication. (4559696)
- Socks Server cannot restart because bind to LDAP fails. (4540806)
Problems Corrected in SP1
This section lists problems corrected in iPlanet Web Proxy Server 3.6 SP1:
- Proxy Crashes with very long URLs. (4563178)
In previous releases,
when a request was bigger than 4118 bytes, Proxy Server would crash due to a
problem with buffers in the flexlog. This problem has been corrected.
- Proxy processes consumed 100 CPU after executing log rotate command.
(4621100)
- Unable to configure ACL with large groups via HP-UX admin server.
(4624955)
This problem was specific to the HP-UX platform. When attempting
to set an ACL by specifying a large group (over 500 members) it failed with
the message "Incorrect usage:Bad user or group, this users/groups were not in
the database" (although they were in the database). This problem has been
corrected and an HP-UX proxy admin can hold large groups without problems.
- Error occurs when adding/modifying ACL if there are many ACLs. (4646267)
When adding or modifying a number of ACLs with specific large groups, the
following error occurred and inconsistencies occurred between genworks.*.acl
and generated.*acl. "System Error : Unable to create write ACL". This problem
was HP-UX specific and has been corrected.
- Clients are requested to input UID & PASSWORD. (4550626)
When using client authentication through a secure reverse proxy, a temporary
failure or a crash on the LDAP directory caused users to be prompted
repeatedly for authentication.
A new magnus variable (LdapCheckUp) has been created to correct this
problem. The proxy recycles child processes when they reach a
limit of having served 128 requests (ProcessLife). When a child process
reaches this limit, it sends a SIGCHLD signal to the daemon. When the daemon
receives this signal, it recycles the child process (respawns a new process)
and simultaneously calls a callback function that checks the sanity of the
LDAP connections. The frequency of the calls made by the daemon is therefore a
function of the number of processes (ns-proxy), the value of the
ProcessLife variable and the load supported by the proxy. The callback
simply compares the current time with the time of the last call made. If the
elapsed time is greater than LdapCheckUp, a sanity check is performed.
In summary, the interval is now a parameter, set through the new
LdapCheckUp variable in magnus.conf. The default value of this variable
is 30 seconds.
Example:
LdapCheckUp 20 => This line in the magnus.conf means that the
variable has been set to 20 seconds.
- KeepAlive on Reverse Proxy does not work correctly. (4537319)
This fix
enables you to establish persistent connections against a non-secure reverse
proxy if the keep-alive feature is enabled in the Proxy and the
client browser sends an http header indicating a persistent connection. This
fix applies only to UNIX platforms.
- Can't cache some URL's. (4562322)
Requests with an erroneous
content-length header were not cached by the proxy (the error log showed
messages such as "incomplete cache file removed for..."). This was a
UNIX-specific problem (Win32 platforms were not affected).
- LANG="ja" prevents log rotation. (4550628)
- Proxy 3x/NT treats only last reverse mapping. (4539371)
This was a
Win32 platform specific problem (UNIX platforms were not affected).
- Unable to upload file size more than 4Mb under reverse proxy. (4538211)
Proxy was unable to upload (http method POST) a file bigger than 4 Mb
using reverse proxy under SSL.
Note: Uploading files larger than
10Mb is not supported by iPlanet Web Proxy Server 3.6.
- POST with enctype="multipart/form-data" fails sometimes. (4536787)
A
problem existed when uploading files (http method POST) through proxy in
secure mode from a WAN network. A new magnus.conf variable
(NetBufferSize) has been incorporated in the magnus.conf to control the
network buffer size. This variable prevents the error log message "cannot
buffer client data" from occurring.
The syntax of the variable is as follows:
NetBufferSize 4096 => This line in the magnus.conf indicates
that the network buffer has been set to 4096 bytes. The maximum value is
100000 bytes. If NetBufferSize is set to higher than 100000 bytes,
Proxy Server uses its maximum size (100000 bytes).
In addition, a problem was detected with certain versions of Microsoft IIS
which returned a keep-alive header when the http request explicitly meant a
non-persistent connection. To solve this problem (which indirectly affects
proxy behavior) the following sample plugin can be used:
/*
 *
 * Copyright %G% Sun Microsystems, Inc. All Rights Reserved
 *
 */
#include "base/pblock.h"
#include "base/session.h"
#include "frame/req.h"
#include "frame/log.h" /* log_error */
#ifndef XP_WIN32
#include <unistd.h> /* sleep */
#define NSAPI_PUBLIC
#else /* XP_WIN32 */
#define NSAPI_PUBLIC __declspec(dllexport)
#endif /* XP_WIN32 */
/* these strings are part of a hidden API in the proxy */
#define FILTER_SVR_HDR_STR "filter-srv-hdrs"
#define FILTER_ACT_STR "filter-act"
#define FILTER_SUB_STR "filter-sub"
char *hstr = FILTER_SVR_HDR_STR;
char *astr = FILTER_ACT_STR;
char *sstr = FILTER_SUB_STR;
NSAPI_PUBLIC int replace_response_keep(pblock *pb, Session *sn, Request *rq)
{
    /* store an action that will be executed by proxy-retrieve */
    /* log_error(LOG_INFORM, "replace_response_keep", sn, rq, "KEEPALIVE"); */
    /* server response header to act on */
    pblock_nvinsert(hstr, "Connection: Keep-Alive", rq->vars);
    /* filter action to apply to that header */
    pblock_nvinsert(astr, "replace", rq->vars);
    /* header line substituted for it */
    pblock_nvinsert(sstr, "Connection: close\r\n", rq->vars);
    return REQ_NOACTION;
}
At configuration time, the following object must be added to the
obj.conf file:
# Sun Microsystem - obj.conf
# You can edit this file, but comments and formatting changes
# might be lost when the admin server makes changes.
Init funcs="replace-response-keep" shlib="/usr/iplanet/suitespot/plugins/repl.so" fn="load-modules"
<Object name="default">
NameTrans fn="map" from="file:" to="ftp:" cont="yes"
....
Filter fn="replace-response-keep"
....
</Object>
For more information, see the iPlanet
Web Proxy Server 3.6 Administrator's Guide.
- 3.5x->3.6 migration breaks ACL. (4551161)
- Sagt process fails to respond. (4546947)
The SNMP sagt process in
Proxy Server did not respond properly if the octet number of an interface was
larger than 2^31. In addition, the sagt process sometimes crashed. This
problem has been fixed for all supported platforms.
- OULU encode test cause SNMP agent core dump. (4532320)
The
c06-snmpv1-req-enc-pr1 test suite from OULU caused the Admin Server SNMP
master agent magt to core dump. (For more information, see http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/0100.html).
- Instability of SOCKS daemon. (4535931)
The SOCKS daemon stopped every
time an attempt was made to load a large picture from the webserver through
the proxy, when the client connected to the server through a modem line.
- Failure: can't stat() cache partition. (4558738)
Proxy Server did not
disable partitions or urldbgen databases when global caching was disabled
within the proxy.
- Web Proxy 3.6 (reg) - No performance object for the Proxy in win perf
monitor. (4615444)
- accon and accallow become very slow and unable to
control ACL. (4639459)
This problem occurred only on the HP-UX platform.
When setting approximately 40 ACL's with groups that had several unique
members, the Proxy Admin Server was unable to control the ACL. The following
error occurred: "Internal error: The administration server was unable to
fulfill your request".
- Error 7024 and authentication problem. (4539275)
When using a local
LDAP database for users and groups within Proxy an "Error 7024" sometimes
appeared in the error log, followed by the error "password did not match
directory". Clients were rejected (they could not go through the proxy)
although the credentials they provided were correct. This was a file
descriptor problem (a consequence of the use of the local database). I/O
functions "fopen" and "open" have a limitation on the maximum number of file
descriptors. To overcome this problem, check the current system settings (see
the ulimit command).
- After a new OS patch, the proxy server hangs. (4552944)
This was a
SOLARIS-specific problem. After updating the OS from release 11 to release 26,
Proxy Server hung during peak hours generating several defunct processes. This
problem was a consequence of a bug in the Solaris libthread library. The
problem is corrected by applying Solaris patch (see iPlanet
knowledge base (article 7531) and Sunsolve).
- Proxy on NT permanently restarts. (4538284)
Limitations on the local
LDAP Proxy database under heavy loads caused the proxy to restart frequently.
To avoid this problem, it is highly recommended that you use an external
directory server.
- Default proxy timeout (4548270)
The Administrator's Guide and the
Online help state that the default value of a Proxy timeout is 20 minutes. The
correct value is 5 minutes.
- Multiple calls in the icp.conf file (4559457)
The Administrator's
Guide and the Online help state that multiple calls can be made to the
"server" function via the icp.conf file. This is true only for the following
functions: add_parent, add_sibling.
In the case of the "server"
function, only the last call is taken into account. The server function stands
for the configuration of the local proxy and there is only one.
- Doc & Code differ to add header in the response (4539178)
The
Administrator's Guide erroneously states that "the Request->srvhdrs
parameter block is the set of HTTP headers for the server to send back. This
parameter block can be modified by any function". This does not work. A Proxy
retrieve is mono-block and completely opaque. Content adaptation is not
possible. The solution is to add a header in the response, to use the filter
mechanisms (either pre-posted actions or a "pre-filter" forked process), or to
rewrite service_proxy_retrieve(!!). Note: The only pre-posted filter actions
supported by Proxy 3.x are "replace", "remove", and "reject". There is no
"add" action that can be used as a workaround. However, a workaround has been
coded that enables a custom plugin to add a header in the response. The filter
action API has been extended with an "add" action.
- Document bug for Proxy Server Cache erase (4547222)
The iPlanet
Web Proxy Server 3.6 Administrator's Guide provides the incorrect syntax
for the following command:
cd proxy directory/cache
find s* -type f -exec rm {} \.;
This should be:
cd proxy directory/cache
find s* -type f -exec rm {} \;
On Windows platforms:
From a DOS prompt:
cd <server_root>\cache
In addition, note the difference in the following command syntax:
del *. /s /p (--> will prompt for delete confirmation)
del *. /s /q (--> will not prompt for delete confirmation)
New Features
This section describes the new features and enhancements made in iPlanet Web
Proxy Server 3.6.
Use of LDAP dynamic groups for authentication (4570987)
Proxy Server supports LDAP dynamic groups, in addition to LDAP static groups,
for authentication, access control, and user and group management. Dynamic
groups are managed via the LDAP server user interface. They are used in Proxy
Server administration in the same way as static groups (by providing the name of
the group to define ACLs).
This feature introduces two new configuration parameters in the configuration
file magnus.conf:
- dyngroups. This parameter determines how Proxy Server handles
dynamic groups. It takes three values: off (default), on and
recursive.
- When set to off (default), Proxy Server does not take dynamic
groups into account (it still takes into account users and static groups).
- When set to on, Proxy Server evaluates dynamic groups but not
recursively. Therefore, dynamic groups cannot have group members.
- When set to recursive, Proxy Server evaluates dynamic groups
recursively. This option allows you to have static and dynamic groups that
can include static or dynamic groups. This is the most costly option in
terms of CPU consumption.
- searchdepth. This parameter provides the maximum search depth in
groups (static or dynamic). It takes an integer, greater than zero (the
default value is 30). If the search process remains unsuccessful within this
limit, access is denied.
For example, when searchdepth is set to 2:
- "user belongs to group1 which belongs to group2" is scanned.
- "user belongs to group1 which belongs to group2 which belongs to group3"
is not scanned.
The following is an example of the magnus.conf configuration file:
dyngroups recursive
searchdepth 10
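The dyngroups and searchdepth rules described above, modelled as an added example (this is not iPlanet code). The directory contents, group names and the is_member function are constructed for illustration, and the model assumes that in "on" mode a dynamic group nested inside a static group is still evaluated, which the page does not state.

```python
from collections import deque

# Constructed directory: group name -> (kind, members).
# A member is either a user name or the name of another group.
GROUPS = {
    "group1": ("static", {"alice"}),
    "group2": ("static", {"group1"}),
    "group3": ("static", {"group2"}),
    "dyn-eng": ("dynamic", {"bob", "group1"}),
    "loop-a": ("static", {"loop-b"}),   # membership cycle, must not hang
    "loop-b": ("static", {"loop-a"}),
}


def is_member(user, acl_group, groups, dyngroups="off", searchdepth=30):
    """Return True if `user` is reachable from `acl_group` within the limits.

    dyngroups:   "off" ignores dynamic groups, "on" evaluates their direct
                 members only, "recursive" also follows groups nested in them.
    searchdepth: number of group levels scanned; anything deeper is treated
                 as "not a member", so access is denied.
    """
    if dyngroups not in ("off", "on", "recursive"):
        raise ValueError("dyngroups must be off, on or recursive")
    if searchdepth <= 0:
        raise ValueError("searchdepth must be greater than zero")
    if acl_group not in groups:
        return False  # unknown group: deny

    seen = {acl_group}
    queue = deque([(acl_group, 1)])  # (group, level), the ACL group is level 1
    while queue:
        name, level = queue.popleft()
        kind, members = groups[name]
        if kind == "dynamic" and dyngroups == "off":
            continue  # dynamic groups are not taken into account
        if user in members:
            return True
        if level == searchdepth:
            continue  # limit reached: nested groups below are not scanned
        if kind == "dynamic" and dyngroups != "recursive":
            continue  # "on": a dynamic group cannot have group members
        for member in sorted(members):
            if member in groups and member not in seen:
                seen.add(member)
                queue.append((member, level + 1))
    return False


if __name__ == "__main__":
    for group in ("group2", "group3"):
        print(group, is_member("alice", group, GROUPS, searchdepth=2))
    for mode in ("off", "on", "recursive"):
        print(mode, is_member("alice", "dyn-eng", GROUPS, dyngroups=mode))
```

With searchdepth 2, the same user passes an ACL on group2 and is denied on group3, so lowering searchdepth on a directory with deep nesting silently locks out legitimate users rather than widening access.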
Authentication/LDAP caching on NT (4571109)
Proxy Server can now cache LDAP information in a simple hash-based proxy
authentication cache. LDAP caching reduces the load on your directory server and
improves performance. The proxy authentication cache stores user password and
user group information, which resides in memory.
From the administration user interface, you can enable and disable the
authentication cache, configure the hash table size, configure the number of
entries the cache holds, and set the entry expiration time.
The following is the obj.conf directive for enabling and disabling
this feature:
Init status=<ON|OFF> hash-size=<SIZE table hash of>
table-size=<SIZE table of entries> expires=<EXPIRES seconds
in time,> fn="init-pauth-cache"
Example:
Init status="on" hash-size="271" table-size="1355" expire="3600" fn="init-pauth-cache"
Handling of LDAP server failover (4575151)
Proxy Server provides basic failover capability, so that it can serve
requests when Directory Server is not running. Directory Server must still be
running to administer Proxy Server through the administration console.
To add alternate LDAP servers, enter multiple host names in the Directory
Server field in the administration console of Proxy Server, separated by a blank
character. The LDAP port is common to all servers, so alternate servers must use
the same LDAP port as configured in the administration console.
Proxy Server has two time-out values, one for the bind and one for searches.
When a time-out is raised, Proxy Server retries to contact the failed LDAP
server once. If Directory Server is unreachable, the current LDAP operation
fails and all opened connections on the failed server are marked down. The next
Proxy Server operation will use a new pool of connections to the next alternate
server. Proxy Server does not switch back to the main LDAP server if it becomes
available.
At start time, Proxy Server opens a set of connections to the LDAP directory
server (see the LdapConnPool parameter). If the main server is
unreachable, Proxy Server tries to switch to an alternate server and tries to
open connections. If this procedure fails, an error is reported to the log.
No failover is implemented in the console, so the primary directory must be
up and running to use the administration console.
You can configure server failover using two new parameters in the
configuration file, magnus.conf:
- SearchTimeLimit (integer>0, default=15). Specifies the
time-out value, in seconds, for search operations on the LDAP server.
- BindTimeLimit (integer>0, default=30). Specifies the time-out
value, in seconds, for bind operations on the LDAP server.
New Features in SP1
This section describes the new features and enhancements in iPlanet Web Proxy
Server 3.6 Service Pack 1.
Handling Client Authentication With Digital Certificates (4543418)
Proxy Server now provides user authentication facilities using digital
authentication certificates. This is achieved with the certmap.conf
file. Specifically, this certificate-mapping file determines how a server should
look up a user entry in the LDAP directory. This file (located under
<server_root>/userdb) can be edited and entries added to match the
organization of your LDAP directory and to list the certificates you want your
users to have.
Specifically, the mapping file defines:
- Where in the LDAP tree the server should begin its search.
- Which certificate attributes the server should use as search criteria when
searching for the entry in the LDAP directory.
- Whether the server goes through an additional verification process.
A mapping has the following syntax:
certmap name issuerDN
name:property [value]
The first line specifies a name for the mapping. The name is arbitrary; you
can define it to be whatever you want. However, issuerDN must match the
distinguished name of the certificate authority who issued the client
certificate. For example, the following two issuerDN lines differ only in the
spaces separating the components, but the server treats these two entries as
different:
Certmap Iplanet1 ou=Red Certificate Authority,o=iPlanet,c=US
Certmap Iplanet2 ou=Red Certificate Authority, o=iPlanet, c=US
The second and subsequent lines in the named mapping match properties with
values. The certmap.conf file has six standard properties. You can use
the Certificate-Mapping API to create your own custom properties.
To enable/disable this feature, a new magnus.conf variable has been added
with two possible values (ON/OFF). The feature is disabled (OFF) by default. To
enable the feature, use the following syntax:
CertificateChecking ON
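An added example, not part of the release notes or of iPlanet's tooling: a checker that parses certmap.conf in the syntax shown above and reports mappings whose issuerDN differs from a certificate's issuer DN only in spacing, the mismatch illustrated by Iplanet1 and Iplanet2. The function names, the "#" comment handling, the case-insensitive certmap keyword, the "verifycert on" property lines and the sample file are assumptions made for the example.

```python
import re
from typing import NamedTuple

# Constructed sample file. The two issuerDN values are the ones quoted above;
# the property lines and the orphan "Iplanet3" line are made up for the demo.
SAMPLE = """\
# constructed sample
Certmap Iplanet1 ou=Red Certificate Authority,o=iPlanet,c=US
Iplanet1:verifycert on
Certmap Iplanet2 ou=Red Certificate Authority, o=iPlanet, c=US
Iplanet2:verifycert on
Iplanet3:verifycert on
"""


class Mapping(NamedTuple):
    name: str
    issuer_dn: str  # kept exactly as written in the file
    props: dict
    line_no: int


def parse_certmap(text):
    """Parse 'certmap name issuerDN' and 'name:property [value]' lines.

    Returns (mappings, problems); problems is a list of (line_no, message).
    """
    mappings, problems = {}, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        head = line.split(None, 2)
        if head[0].lower() == "certmap":  # assumption: keyword case is ignored
            if len(head) < 3:
                problems.append((no, "certmap line needs a name and an issuerDN"))
            elif head[1] in mappings:
                problems.append((no, "mapping name defined twice"))
            else:
                mappings[head[1]] = Mapping(head[1], head[2], {}, no)
            continue
        m = re.match(r"([^:\s]+):(\S+)\s*(.*)$", line)
        if m is None or m.group(1) not in mappings:
            problems.append((no, "property line has no matching certmap entry"))
            continue
        mappings[m.group(1)].props[m.group(2)] = m.group(3)
    return list(mappings.values()), problems


def squash(dn):
    """Remove whitespace around ',' and '=' so spacing-only variants compare equal.

    Naive on purpose: escaped or quoted separators inside values are not handled.
    """
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip())


def audit(mappings, cert_issuer_dn):
    """Return (exact, near): names that match as written, and names that would
    match only if spacing were ignored (which the server does not do)."""
    exact, near = [], []
    for m in mappings:
        if m.issuer_dn == cert_issuer_dn:
            exact.append(m.name)
        elif squash(m.issuer_dn) == squash(cert_issuer_dn):
            near.append(m.name)
    return exact, near


def spacing_twins(mappings):
    """Pairs of mappings whose issuerDN values differ only in spacing."""
    twins = []
    for i, a in enumerate(mappings):
        for b in mappings[i + 1:]:
            if a.issuer_dn != b.issuer_dn and squash(a.issuer_dn) == squash(b.issuer_dn):
                twins.append((a.name, b.name))
    return twins


if __name__ == "__main__":
    maps, probs = parse_certmap(SAMPLE)
    # Constructed issuer DN string, as it would be read from a client certificate.
    print(audit(maps, "ou=Red Certificate Authority, o=iPlanet, c=US"))
    print(spacing_twins(maps), probs)
```

A non-empty "near" list with an empty "exact" list is the case to look for when certificate logins fail after CertificateChecking is turned on: the mapping exists but will never be selected for that issuer.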
ACL's and Authentication with certificates
When you declare allowed users and/or groups, remember that the written ACL
file uses the UID field for authentication (basic or SSL) at a later stage. In
the case of SSL authentication, the client certificate is used for this purpose.
The proxy attempts to match the certificate presented by the user with the
credentials of the user stored in the LDAP Directory Server, following the
search criteria defined in the certmap.conf file. If this step is successful,
the proxy attempts to match the UID extracted from the certificate with the name
of the user stored in the ACL file.
Therefore, the UID field must exist within the client certificate. If the UID
field is not found in the user certificate, the proxy will use the CN (Common
Name) field to match the name stored in the generated ACL file, by default.
Installation procedure of SP1 on Unix
To install the binary, proceed as follows:
- Shut down the Admin Server and all instances of the Proxy Server before
installation.
- Back up everything under <server-root>.
- Untar the SURF-Pack distribution.
- cd iproxy-3.6-us directory
- At the command line, enter: ./ns-setup
- When the installation script prompts you for your server root directory,
enter the name of the directory where your Proxy Server is installed. The
installation script will install the patched versions.
- Start up the Admin Server and all desired Proxy Server instances (if they
were not shut down and started up by the SURF-Pack installer).
Installation procedure of SP1 on Windows
To install the binary, proceed as follows:
- Back up everything under <server root> (normally c:\WINNT\Netscape\SuitSpot).
Under this directory you should see the following:
- adminacl -> directory
- admin-serv -> directory
- alias -> directory
- bin -> directory
- extras -> directory
- httpacl -> directory
- include -> directory
- install -> directory
- lib -> directory
- manual -> directory
- nsapi -> directory
- ns-icons -> directory
- plugins -> directory
- proxy -> directory
- userdb -> directory
- proxy-"machine name" -> directory
- admserv -> file
- license.txt -> file
- Nyr -> file
- Proxy.txt -> file
- uninst.exe -> uninstall binary
This will create a copy of all configuration files, proxy instances, etc.
- Stop the Proxy and Admin Server. Uninstall the Proxy, using the binary <server
root>\uninst.exe. Uninstall the Admin Server.
- Remove everything under <server root> manually. Take care to remove
only the directories and files concerning the Proxy (in case the customer
is running additional Netscape applications). Refer to step (1) for more information.
- Reinstall the Proxy in the same directory as the old Proxy, using the binary
provided. Enter the same information as in the previous installation (the
same admin password, admin port, proxy port, and binding information to the
LDAP directory server, if applicable).
- After installation from a DOS prompt, stop the Proxy and Admin Server. Copy
all the configuration files from the back-up Proxy copy into the correct location
(admin config files, proxy config files, and acl files). This process can
be cumbersome, depending on the customer configuration. Not all the files
shown below must be copied (files to be copied depend on the customer configuration):
- adminacl -> Admin acl files
- admin-serv\config -> Admin config files
- httpacl -> Proxy acl's
- proxy-"name machine"\config\ -> Proxy config files (if there are more instances, the process must be repeated with each of them)
- proxy\cache -> Cache of proxy
- userdb -> If using local database instead of LDAP directory server
- Start the Admin Server, then start the Proxy Server.
Virus Scanning
Virus scanning is not supported in iPlanet Web Proxy Server 3.6.
Troubleshooting
- Members of a proxy array cannot update configuration from the master.
There are two possible reasons for this problem:
- When setting up a proxy array for the first time, be sure to use
a higher Configuration ID for the master than for the members. Otherwise,
members will not take into account the configuration they read from
the master. For example, set Configuration ID to 2 for the master
and 1 for members.
- On UNIX only, if Administration Server and Proxy Server are running
under two different users, Proxy Server may not be able to update
the parray.pat file because this file is created by Administration
Server with Administration Server's write access.
- I cannot view my access log file from the server manager.
The log files may have grown too big. To remedy this, manually rotate
the log files. In the server manager, select Server Status|Archive
Log and click the Archive button. A new set of empty log
files is created and the previous ones are renamed. The old log files
can be deleted or backed up elsewhere.
To avoid this problem in the future:
- Limit the amount of information stored in the access log file. To
do so, select Server Status|Log Preferences, and check only
information fields corresponding to the information you want the access
log file to record.
- Start a job to rotate log files regularly. To do so, choose Server
Status|Archive Log, check rotate log at and choose the
hours and days of access log rotations. To select more than one hour,
keep the ctrl key pressed down while clicking on the hour
menu. Click OK.
- On HP-UX, when I restart the Socks Server it simply stops running.
On an HP-UX box, an attempt to restart the Socks Server while requests
are being processed simply stops the Socks Server. Restart occurs each
time you click the Save and Apply button in any Socks Server
administration screen.
The fix for bug #538551 prevents the Socks Server from stopping at
restart but only if no request is being processed at the same time.
A simple workaround is to stop, then start the Socks Server instead
of performing a restart.
Known Problems
- Access control to log files on UNIX systems.
Proxy access log files and error log files are regular UNIX files.
These files belong to the UNIX user account that Proxy Server uses.
If your log file content is highly confidential, use a dedicated UNIX
user to run Proxy Server and set the proper permission mode to log files.
Change the log file permission mode to deny access to anybody but the
owner:
$ chmod 600 access errors
$ ls -l access errors
-rw------- 1 <owner> <group> 327 Apr 9 15:10 access
-rw------- 1 <owner> <group> 258 Apr 9 16:29 errors
- For other known problems see the Netscape Proxy Server 3.52 release
notes.
How to Report Problems
If you have problems with Sun ONE Proxy Server,
contact customer support at the following location:
So that we can best assist you in resolving problems,
please have the following information available when you contact support:
- Description of the problem, including the situation where the problem
occurs and its impact on your operation
- Machine type, operating system version, and product version, including
any patches and other software that might be affecting the problem
- Detailed steps on the methods you have used to reproduce the problem
- Any error logs or core dumps
For More Information
For more information on Sun ONE Web Proxy Server,
refer to the following documentation:
Further information can be found at the following
Internet locations:
Use of Sun ONE Web Proxy Server is
subject to the terms described in the license agreement accompanying it. Copyright
© 2002 Sun Microsystems, Inc. All rights
reserved.