iPlanet Web Server, Enterprise Edition Administrator's Guide

Chapter 3   Setting Administration Preferences

You can configure your Administration Server using the pages on the Preferences and Global Settings tabs. Note that you must enable cookies in your browser to run the CGI programs necessary for configuring your server.

This chapter includes the following sections:

Shutting Down the Administration Server

Once the server is installed, it runs constantly, listening for and accepting HTTP requests. You might want to stop and restart your server if, for instance, you have just installed a Java Development Kit (JDK) or Directory Server, or if you have changed listen socket settings.

You can stop the server using one of the following methods:

  • Access the Administration Server, choose the Preferences tab, select the Shut Down link, and click the "Shut down the administration server!" button.

    For more information, see The Shut Down Page in the online help.

  • Use the Services window in the Control Panel (Windows NT).

  • Use stop, which shuts down the server completely, interrupting service until it is restarted.

After you shut down the server, it may take a few seconds for the server to complete its shut-down process and for the status to change to "Off."

Editing Listen Socket Settings

Before the server can process a request, it must accept the request via a listen socket, then direct the request to the correct connection group and virtual server. When you install iPlanet Web Server, one listen socket, ls1, is created automatically. This listen socket uses the IP address and the port number you specified as your HTTP server port number during installation (the default is 8888). You cannot delete the default listen socket.

You can edit your server's listen socket settings using the Administration Server's Listen Sockets Table. To access the table, perform the following steps:

  1. Access the Administration Server and click the Preferences tab.

  2. Click the Edit Listen Sockets link.

  3. Make the desired changes and click OK.

For more information, see Using Virtual Servers and the online help for The Edit Listen Sockets Page.

Changing the User Account (Unix/Linux)

The Server Settings page allows you to change the user account for your web server on Unix and Linux machines. All the server's processes run as this user.

You do not need to specify a server user if you chose a port number greater than 1024 and are not running as the root user (in this case, you do not need to be logged on as root to start the server). If you do not specify a user account here, the server runs with the user account you start it with. Make sure that when you start the server, you use the correct user account.


If you do not know how to create a new user on your system, contact your system administrator or consult your system documentation.

Even if you start the server as root, you should not run the server as root all the time. You want the server to have restricted access to your system resources and run as a non-privileged user. The user name you enter as the server user should already exist as a normal Unix/Linux user account. After the server starts, it runs as this user.

If you want to avoid creating a new user account, you can choose the user nobody or an account used by another HTTP server running on the same host. On some systems, however, the user nobody can own files but not run programs.

To access the Server Settings page, perform the following steps:

  1. Access the Administration Server and choose the Preferences tab.

  2. Click the Server Settings link.

  3. Make the desired changes and click OK.

Changing the Superuser Settings

You can configure superuser access for your Administration Server. These settings affect only the superuser account. That is, if your Administration Server uses distributed administration, you need to set up additional access controls for the administrators you allow.


If you use iPlanet Directory Server to manage users and groups, you need to update the superuser entry in the directory before you change the superuser user name or password. If you don't update the directory first, you won't be able to access the Users & Groups forms in the Administration Server. To fix this, you'll need to either access the Administration Server with an administrator account that does have access to the directory, or you'll need to update the directory using the iPlanet Directory Server's Console or configuration files.

To change the superuser settings for the Administration Server, perform the following steps:

  1. Access the Administration Server and choose the Preferences tab.

  2. Click the Superuser Access Control link.

  3. Make the desired changes and click OK.

The superuser's user name and password are kept in a file called server_root/https-admserv/config/admpw. If you forget the user name, you can view this file to obtain the actual name; however, note that the password is encrypted and unreadable. The file has the format username:password. If you forget the password, you can edit the admpw file and simply delete the encrypted password. You can then go to the Server Manager forms and specify a new password.


Because you can edit the admpw file, it is very important that you keep the server computer in a secure place and restrict access to its file system:

  • On Unix/Linux systems, consider changing the file ownership so that it's writable only by root or whatever system user runs the Administration Server daemon.

  • On NT systems, restrict the file ownership to the user account Administration Server uses.
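
The ownership advice above can be checked mechanically on Unix/Linux. The following is an added example, not part of the original guide or the product: the function name, finding labels and `trusted_uids` parameter are hypothetical, and the sample file in the demo is constructed.

```python
import os
import stat

def audit_admpw(path, trusted_uids=(0,)):
    """Return findings for an admpw-style file (one 'username:password' line).

    trusted_uids: UIDs allowed to own the file and its directory, e.g. root
    and the account that runs the Administration Server (caller-supplied).
    """
    findings = []
    config_dir = os.path.dirname(os.path.abspath(path))
    for label, target in (("file", path), ("config-dir", config_dir)):
        st = os.stat(target)
        if st.st_uid not in trusted_uids:
            findings.append(f"{label}:untrusted-owner")
        # Group/other write on the file allows direct edits; on the directory
        # it allows the file to be replaced outright.
        if stat.S_IMODE(st.st_mode) & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{label}:writable-by-group-or-other")
    with open(path, encoding="utf-8", errors="replace") as fh:
        entries = [ln.strip() for ln in fh if ln.strip()]
    if len(entries) != 1 or ":" not in entries[0]:
        findings.append("content:malformed")
        return findings
    user, _, secret = entries[0].partition(":")
    if not user:
        findings.append("content:empty-username")
    if not secret:
        # The state left behind when the encrypted password has been deleted.
        findings.append("content:empty-password")
    return findings

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:   # constructed sample, not a real install
        sample = os.path.join(d, "admpw")
        with open(sample, "w") as fh:
            fh.write("admin:\n")               # password field deleted
        os.chmod(sample, 0o664)                # group-writable
        print(audit_admpw(sample, trusted_uids=(os.getuid(),)))
```

An empty password field outside a planned reset, or a writable file or directory, is worth investigating before the Administration Server is next restarted.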

Allowing Multiple Administrators

Multiple administrators can change specific parts of the server through distributed administration. With distributed administration you have three levels of users:

  • superuser is the user listed in the file server_root/https-admserv/config/admpw. This is the user name (and password) you specified during installation. This user has full access to all forms in the Administration Server, except the Users & Groups forms, which depend on the superuser having a valid account in an LDAP server such as iPlanet Directory Server.

  • administrators go directly to the Server Manager forms for a specific server, including the Administration Server. The forms they see depend on the access control rules set up for them (usually done by the superuser). Administrators can perform limited administrative tasks and can make changes that affect other users, such as adding users or changing access control.

  • end users can view read-only data stored in the database. Additionally, end users may be granted access permissions to change only specific data.

For an in-depth discussion on access control, see What Is Access Control?.

To enable distributed administration, perform the following steps:

  1. Verify that you have installed a Directory Server.

  2. Access the Administration Server.

  3. Once you've installed a Directory Server, you may also need to create an administration group, if you have not previously done so.

    To create a group, perform the following steps:

    1. Choose the Users & Groups tab.

    2. Click the New Group link.

    3. Create an "administrators" group in the LDAP directory and add the names of the users you want to have permission to configure the Administration Server, or any of the servers installed in its server root. All users in the "administrators" group have full access to the Administration Server, but you can use access control to limit the servers and forms they will be allowed to configure.


      Once you create an access-control list, the distributed administration group is added to that list. If you change the name of the "administrators" group, you must manually edit the access-control list to change the group it references.

  4. Choose the Preferences tab.

  5. Click the Distributed Admin link.

  6. Make the desired changes and click OK.

For more information, see The Distributed Administration Page.

Specifying Log File Options

The Administration Server log files record data about the server, including the types of errors encountered and information about server access. Viewing these logs allows you to monitor server activity and troubleshoot problems by providing data like the type of error encountered and the time certain files were accessed.

You can specify the type and format of the data recorded in the Administration Server logs using the Log Preferences page. For instance, you can choose to log data about every client who accesses the Administration Server or you can omit certain clients from the log. In addition, you can choose the Common Logfile Format, which provides a fixed amount of information about the server, or you can create a custom log file format that better suits your requirements.

Access the Administration Server Log Preferences page by choosing the Preferences tab, then clicking the Logging Options link.

For more information, see The Logging Options Page in the online help, and Using Log Files.

Viewing Log Files

The Administration Server log files are located in admin/logs in your server root directory. For example, on Windows NT, the path to your log files might look like c:\iPlanet\server6\https-admserv\logs. You can view both the error log and the access log through the iPlanet Web Server console or using a text editor.

The Access Log File

The access log records information about requests to and responses from the server.

To view the access log file, perform the following steps:

  1. Access the Administration Server and choose the Preferences tab.

  2. Click the View Access Log link and click OK.

For more information, see The View Error Log Page in the online help, and Using Log Files.

The Error Log File

The error log lists all the errors the server has encountered since the log file was created. It also contains informational messages about the server, such as when the server was started and who tried unsuccessfully to log in to the server.

To view the error log file, perform the following steps:

  1. Access the Administration Server and choose the Preferences tab.

  2. Click the View Error Log link and click OK.

For more information, see The View Access Log Page in the online help, and Using Log Files.

Archiving Log Files

You can set up your log files to be automatically archived. At a certain time, or after a specified interval, iPlanet Web Server rotates your access logs. iPlanet Web Server saves the old log files and stamps each saved file with a name that includes the date and time it was saved.

For example, you can set up your files to rotate every hour, and iPlanet Web Server saves and names the file "access.199907152400," where "name|year|month|day|24-hour time" is concatenated together into a single character string. The exact format of the access log archive file varies depending upon which type of log rotation you set up.

Access log rotation is initialized at server startup. If rotation is turned on, iPlanet Web Server creates a time-stamped access log file and rotation starts at server startup.

Once the rotation starts, iPlanet Web Server creates a new time-stamped access log file when a request that needs to be logged to the access log file arrives after the previously scheduled "next rotate time."

Using Cron-based Log Rotation (Unix/Linux)

You can configure several features of your iPlanet Web Server to operate automatically and to begin at specific times. The cron daemon checks the computer clock and then spawns processes at certain times. (These settings are stored in the ns-cron.conf file.)

This cron daemon controls scheduled tasks for your iPlanet Web Server and can be activated and deactivated from the Administration Server. The tasks performed by the cron process depend on the various servers. (Note that on NT platforms, the scheduling occurs within the individual servers.)

Some of the tasks that can be controlled by cron daemons include scheduling collection maintenance and archiving log files. You need to restart cron control whenever you change the settings for scheduled tasks.

To restart, start, or stop cron control, perform the following steps:

  1. Access the Administration Server and choose the Global Settings tab.

  2. Click the Cron Control link.

  3. Click Restart, Start, or Stop to change the cron controls.

Note that any time you add a task to cron, you need to restart the daemon.

Configuring Directory Services

You can store and manage information such as the names and passwords of your users in a single Directory Server using an open-systems server protocol called the Lightweight Directory Access Protocol (LDAP). You can also configure the server to allow your users to retrieve directory information from multiple, easily accessible network locations.

To configure the directory services preferences, perform the following steps:

  1. Access the Administration Server and choose the Global Settings tab.

  2. Click the Configure Directory Service link.

  3. Make the desired changes and click OK.

For more information, see The Configure Directory Service Page in the online help.

Restricting Server Access

You can control access to the entire server or to parts of the server (that is, directories, files, file types). When the server evaluates an incoming request, it determines access based on a hierarchy of rules called access-control entries (ACEs), and then it uses the matching entries to determine if the request is allowed or denied. Each ACE specifies whether or not the server should continue to the next ACE in the hierarchy. The collection of ACEs is called an access-control list (ACL). When a request comes in to the server, the server looks in vsclass.obj.conf (where vsclass is the virtual server class name) for a reference to an ACL, which is then used to determine access. By default, the server has one ACL file that contains multiple ACLs.
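
The evaluation order described above can be modeled in a few lines. This is an added example, not iPlanet code or ACL file syntax: the ACE fields, the user/host matching, and the rule that the latest matching entry decides unless an entry stops evaluation are assumptions of this model, and the sample lists are constructed.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

@dataclass(frozen=True)
class ACE:
    allow: bool        # True = allow, False = deny
    users: frozenset   # user names, or {"anyone"} (hypothetical field)
    host: str          # shell-style client host pattern (hypothetical field)
    cont: bool         # continue to the next ACE after this one matches?

def _matches(ace, user, host):
    return ("anyone" in ace.users or user in ace.users) and fnmatch(host, ace.host)

def evaluate(acl, user, host):
    """Return (decision, matched_indexes); decision is None if no ACE matched."""
    decision, matched = None, []
    for i, ace in enumerate(acl):
        if not _matches(ace, user, host):
            continue
        decision = ace.allow      # assumption: the latest matching ACE decides
        matched.append(i)
        if not ace.cont:          # this ACE ends evaluation
            break
    return decision, matched

def unreachable(acl):
    """Indexes of ACEs placed after a catch-all ACE that does not continue."""
    for i, ace in enumerate(acl):
        if "anyone" in ace.users and ace.host == "*" and not ace.cont:
            return list(range(i + 1, len(acl)))
    return []

ADMINS = frozenset({"admin1", "admin2"})
ANYONE = frozenset({"anyone"})
# Constructed sample ACLs: the same two rules, differing only in "continue".
LAYERED = [ACE(False, ANYONE, "*", True),
           ACE(True, ADMINS, "*.example.com", True)]
SHADOWED = [ACE(False, ANYONE, "*", False),   # continue left off
            ACE(True, ADMINS, "*.example.com", True)]

if __name__ == "__main__":
    for name, acl in (("LAYERED", LAYERED), ("SHADOWED", SHADOWED)):
        print(name, evaluate(acl, "admin1", "console.example.com"), unreachable(acl))
```

In the SHADOWED list the allow rule is never reached, so reviewing which entries continue matters as much as reviewing the entries themselves.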

You can set access control globally for all servers through the Administration Server or for a resource within a specific server instance through the Server Manager. For more information about setting access control for a resource, see Setting Access Control.

To restrict access to your iPlanet Web Servers, perform the following steps:

  1. Access the Administration Server and choose the Global Settings tab.

  2. Click the Restrict Access link.

  3. Select the desired server and click Edit ACL.

    The Administration Server displays the access control rules for the server you specified.

  4. Make the desired access control changes and click OK.

For more information, see The Restrict Access Page in the online help.

Configuring JRE/JDK Paths

When you install iPlanet Web Server, you can choose to install the Java Runtime Environment (JRE), which is bundled with iPlanet Web Server, or you can specify a path to the Java Development Kit (JDK), which you must install separately. See the iPlanet Web Server Installation and Migration Guide for more information.

Regardless of whether you choose to install the JRE or specify a path to the JDK during installation, you can tell the iPlanet Web Server to switch to using either the JRE or JDK at any time by performing the following steps:

  1. Access the iPlanet Web Server Administration Server.

  2. Select the Global Settings tab.

  3. Click the Configure JRE/JDK Paths link.

    The Configure JRE/JDK Paths page appears.

  4. Click the radio button corresponding to the feature to enable.

    For instance, click JDK to supply the path to the Java Development Kit installed on your machine.

  5. Enter the appropriate information and click OK.

    You must restart your server for changes to become effective.

    See The Configure JRE/JDK Paths Page in the online help for more information.

Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.

Last Updated May 09, 2002