Netscape Console 4.2
for Windows NT and Unix
These notes were last updated on March 21, 2001.
These release notes contain important information about Netscape Console
4.2. Please read these notes before using the product.
Installation Instructions and Release Notes for all 4.x versions of
Netscape servers are available online at this location: http://home.netscape.com/eng/server/.
Use of this product is subject to the terms detailed in the license
agreement accompanying it.
Netscape Console incorporates compression code by the Info-ZIP group.
There are no extra charges or costs due to the use of this code, and the
original compression sources are freely available from ftp://ftp.cdrom.com/pub/infozip/
on the Internet.
To determine which build of Netscape Console 4.2 you have installed,
do the following:
- If Console is not running, start Console.
- In the Console Navigation Tree, single-click the Netscape Administration
  Server icon to highlight it.
- The pane to the right of the Navigation Tree displays general information
  about the highlighted server.
- The value of the Build Number field reveals which build is installed:
  - If the first 4 digits are "2001", you have the 2001 build of Console
    and Administration Server 4.2.
  - If the first 4 digits are "2000", you have the 2000 build.
  - If the first 4 digits are "1999", you have the original 4.2 bits.
The release notes contain these explanations:
What's New in This Release
Netscape Console provides a unified administration interface to all the
intranet, extranet, client, and server software under an administrator's
control. The 4.2 version of Netscape Console includes the Administration
Express feature, and a Perl script for automatically changing the IP address
of the Administration Server host.
Administration Express
The Administration Express page is an HTML based server management console.
The Administration Express page allows you to quickly start or stop servers,
or to view server logs and configuration data without having to launch
Netscape Console. For more information, see the online manual located at
http://help.netscape.com/products/server/console/console.pdf.
Perl script for IP address changes
This Perl script is useful when the IP address for the Administration Server
host changes. The script automatically makes the appropriate IP address
change in both the Configuration Directory as well as in the Administration
Server configuration. For more information, see the online documentation
located at
http://docs.iplanet.com/docs/manuals/console/42/html/app_tool.htm#1011091.
Certificates using wildcards are accepted
You can now install certificates that use wildcard characters (such as *.airius.com).
When using server certificates containing wildcard characters, keep the following
in mind (390149):
- Security utility programs (such as certutil and keyutil) will not work.
- You will not be able to use Netscape Communicator to run Administration
  Express. If you want to access a server that is using a certificate containing
  wildcard characters, use Netscape Console.
Potential Problems and Solutions
This section describes the following known problems and related solutions:
Installation
- On Windows NT, if you are upgrading from an earlier version of Console,
  do not choose the "Custom" option during installation. Doing so will cause
  the installation to fail. (112554)
- Netscape Server Products should be installed on a local disk drive. If
  you install a Netscape Server Product on a networked drive, the product
  may not work as designed. (336269)
- On HP-UX for 64-bit architectures, if you plan to use a double-byte
  Administration domain name, you must install patch PHSS_15840 before you
  begin installing Netscape Console. Without this patch, the Netscape Server
  Setup program will not work as designed (355492). Contact
  Hewlett-Packard for detailed information on obtaining and installing this
  patch.
- You can save the install cache when you install Netscape Console. When
  you save the install cache, all the values you specify during installation
  are saved to a file. This file is useful when you want to perform subsequent
  silent installations. To save the install cache, in the server root, enter
  setup -k . (339769) For more information on silent installation, see Chapter
  4 of the Netscape Directory Server 4.0 Installation Guide.
- If you log in from a remote HP workstation to OSF, and then run Netscape
  Console, the Console may occasionally hang. To avoid this problem, both
  install and run Netscape Console on an HP workstation. (341699)
- If your configuration directory is running on Netscape Directory Server
  4.0 or lower, you may receive an "error 14" message when performing Console
  operations (392925). This is because Console 4.1 and higher require schema
  updates to the directory. To fix this problem, install the latest version
  of iPlanet Directory Server.
Loss of Network Connection
If you lose a network connection while Netscape Console
is running, Netscape Console may become inoperable. Re-establish your network
connection, then restart Netscape Console. (106714)
Admin Server Cannot Locate Directory Server
If you are running Windows NT, Netscape Directory
Server may start up after Netscape Administration Server. If this happens,
Administration Server will not be able to retrieve configuration information
from the directory. To solve the problem, restart Netscape Administration
Server from the Windows NT Services Control Panel. (394281)
Login Window Is Hidden
When starting Netscape Console using some window managers (Enlightenment,
WindowMaker, or Gnome), the Login window may be hidden behind the Netscape
Console splash screen, and you will not be able to log in (345545). As
a workaround, start Netscape Console at the command line by entering
startconsole -x nologo.
Proxied Administration Not Supported
Netscape Console 4.1 does not support proxied administration.
Setting Access Permissions for a Server
You can grant or deny server access to an individual
user, but you cannot grant or deny server access to a group. If you select
a server in the Netscape Console navigation tree, and attempt to use the
Set Access Permissions command to specify a group of users, the permissions
you set will not work as expected. (337487)
This is caused by an incorrectly defined Access
Control Instruction (ACI) under o=NetscapeRoot. To work around
this problem, use ldapmodify to patch this ACI with the following LDIF
content:
dn: o=NetscapeRoot
changetype: modify
delete: aci
aci: (targetattr="*")(version 3.0; acl "Enable Group Expansion"; allow (read, search, compare)groupdnattr="ldap:///o=NetscapeRoot?uniquemember?sub";)
-
add: aci
aci: (targetattr="*")(version 3.0; acl "Enable Group Expansion"; allow (read, search, compare)groupdnattr="uniquemember";)
If you are unfamiliar with ldapmodify and LDIF, refer
to the Netscape Directory Server Administrator's Guide.
Setting Access Permissions for a Server Task
If you create an ACI rule to grant or deny access
to a server task, the rule will not take effect until you restart both
the server (such as Directory Server or Messaging Server) and its
Administration Server. (345956, 342786)
Specifying Multiple User Directories for Failover Support
When you specify more than one User Directory for
failover purposes, do not use carriage returns to separate directory host
names. If you use carriage returns, you'll get an error message. Instead
of carriage returns, use spaces to separate host names. (345731) Example:
Eros.Airius.com:389 Zeus.Airius.com:389
Server Instance Names
Do not use a period (.) in server instance names.
If you use a period in a server instance name, Netscape Console will not
recognize the server
instance. For example, the server instance msg.airius.com
is not acceptable; msg-airius-com is acceptable. (311490)
Non Default Uid
When the default language requires a uid in a form
other than the default (user's first initial followed by last name), you
must manually override the nsuseridformat attribute in the configuration
directory. (117507) To change the nsuseridformat attribute:
- In the Netscape Console, open the Directory Server
  that contains the configuration directory you want to modify.
- In the Directory Server, click Directory.
- Expand the navigation tree to follow this path: NetscapeRoot/[administration
  domain]/Global Preferences.
- In the navigation tree, select Global Preferences.
- In the right pane, double-click Common.
- In the Property Editor window, locate the attribute nsuseridformat
  and enter one of the following values as appropriate:
  - firstletter_lastname (this is the default value)
  - givenname_firstletter
  - lastname_givenname
  - givenname_lastname
- Click OK.
- Restart Netscape Console.
Changing a User's Password
If you create a user without indicating a password, selecting the user
and clicking on the Password button will allow you to assign a value for
the user's password attribute. If you try to change this value by clicking
on the Password button again, the new value will be stored alongside the
old value and the user will have two valid passwords. To work around this:
select the user, click on Edit, and then enter and confirm the new password
in the Edit Entry dialog box. Alternatively, you can choose to assign a
password when creating a new user. If you have already created a user with
multiple passwords, perform a new search for the user and enter a new password
using the Edit or Password button. This will discard any old values and
assign a single password for the user.
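To find accounts already left with two valid passwords by the behaviour described above, export the user subtree to LDIF and count userpassword values per entry. The shell function below is an added example, not part of the original release notes; the function names and the sample entries are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample export: bjensen and tmorris each carry two password
# values; kvaughan has one value and a folded dn line.
sample_ldif() {
cat <<'EOF'
dn: uid=bjensen, ou=People, o=airius.com
objectClass: inetOrgPerson
uid: bjensen
userPassword: first-constructed-value
userPassword: second-constructed-value

dn: uid=kvaughan, ou=People,
 o=airius.com
uid: kvaughan
userpassword:: Y29uc3RydWN0ZWQ=

# comment lines are ignored
dn: uid=tmorris, ou=People, o=airius.com
uid: tmorris
userPassword: constructed-a
userpassword:: Y29uc3RydWN0ZWQtYg==
EOF
}

# find_multi_password_entries: read an LDIF export on stdin and print
# "<count><TAB><dn>" for every entry holding more than one userpassword value.
# Password values themselves are never printed.
find_multi_password_entries() {
    awk '
    # Process one complete (unfolded) attribute line.
    function flush_line(   i, name) {
        if (cur == "") return
        i = index(cur, ":")
        if (i > 0) {
            name = tolower(substr(cur, 1, i - 1))
            sub(/;.*/, "", name)                 # drop attribute options
            if (name == "dn") dn = substr(cur, i + 1)
            else if (name == "userpassword") count++
        }
        cur = ""
    }
    # A blank line (or end of file) closes the current entry.
    function flush_entry() {
        flush_line()
        if (dn != "" && count > 1) {
            sub(/^:? */, "", dn)                 # strip ": " or ":: " prefix
            print count "\t" dn
        }
        dn = ""; count = 0
    }
    /^#/ { flush_line(); skip = 1; next }        # comment, may be folded too
    /^ / { if (!skip) cur = cur substr($0, 2); next }   # LDIF continuation
    { skip = 0 }
    /^$/ { flush_entry(); next }
    { flush_line(); cur = $0 }
    END { flush_entry() }
    '
}

sample_ldif | find_multi_password_entries
```

Each DN reported can then be repaired with the Edit Entry procedure described above.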
8-bit Characters
When creating a new user or editing a user's personal
data, do not use 8-bit characters in the First Name and Last Name fields.
If you use 8-bit characters in the First Name or Last Name fields, the
user ID is not automatically generated for you. Instead, use ASCII characters
to enter the user's personal data. (117507)
Windows NT with DHCP
You cannot install Administration Server 4.0 or Directory
Server 4.0 on Windows NT with DHCP. As a workaround, you can install successfully
using a static IP address. (105984)
Using Solaris
- If you're using the Japanese version of Netscape Console, in the
  Certificate Management window, when you click Edit to view certificate
  information, the Edit Certificate window may not display as designed (348831).
  To solve this problem, download the JRE 1.1.8 file from the SunSoft
  website, and install it in the following directory: <Server_Root>\bin\base\jre.
- On Solaris, when you run the startconsole command, you may get the following
  error message (361080):
  "You must install a Solaris patch to run this version of the Java runtime.
  Please see the README and release note for more information."
  If you get this message, go to the Sun Microsystems website for specific
  patch information:
  http://java.sun.com/products/jdk/1.1/packs/native-threads/README
Using HP-UX
- If Netscape Console randomly crashes, make sure you
  have the patch PHKL_14750 installed on your system. Contact Hewlett-Packard
  for detailed information on obtaining this patch.
- If you're using a multi-CPU system, you need to install
  this patch: PHNE_16645. This addresses the Administration Server process
  spinning problem. Contact Hewlett-Packard for detailed information on obtaining
  the patch.
- In the Japanese version, on HP-UX for 64-bit architectures, if you
  use the Japanese Input Method Editor (IME) when searching and modifying
  directory entries, Netscape Console will not accept the input. To solve
  this problem, install patch PHSS_15397. Contact Hewlett-Packard
  for detailed information on obtaining and installing this patch.
- When using the Users and Groups Search Directory,
  the screen may not draw properly. (291656) When this happens, click Search
  to perform the search again.
Using AIX with jre 1.1.6
If Netscape Console crashes upon startup, you must disable JIT. (316827)
To disable JIT, invoke startconsole with the -nojit option.
Using Linux
If Netscape Console hangs during log in, it may be due to a problem
with NIS (349906). As a workaround, in /etc/nsswitch.conf, modify
the nis and dns lookup ordering in the hosts entry. Make sure dns comes
before nis.
For example, change this entry:
hosts: files nisplus nis dns
to this entry:
hosts: files dns nisplus nis
Opening Administration Server Results in Blank Window
If you log into Netscape Console using Administration Server 4.0 or
4.1, and then try to open an Administration Server 4.2 that is SSL-enabled,
the Administration Server 4.2 window will be blank. (353341) The problem
is due to an incompatibility between Netscape Console 4.2 and pre-4.2 SSL
libraries. There is no workaround at this time.
Downloading a server's JAR files to Netscape Console
Generally, a server's JAR files used by Netscape Console are stored
in the Administration Server. However, in Netscape Console 4.2, a server's
JAR files can be stored on any HTTP server. If, for any reason, you choose
to store a server's JAR files in a location other than the default location
in the Administration Server, do not password protect the JAR files. Password
protection may cause authentication to fail, and you will not be able to
download the files to the Netscape Console. (357280)
Improving Administration Express Performance
If the host computer for a server registered against the Configuration
Directory is experiencing network problems, there could be a long delay
when the Administration Express page tries to contact the server and create
a status page. (355354) To improve Administration Express performance,
in the file <Server_Root>/admin-serv/config/adm.conf, add the
following entry:
ExpressCGITimeout: x
In this entry, x is an integer representing how long
(in seconds) Administration Express should continue trying to reach the
remote server before timing out.
Can't Start/Stop Local Windows NT Servers using Administration Express
When using Administration Express on Windows NT, you cannot start and
stop servers on the local machine. You can view, start, and stop servers
on UNIX machines and other Windows NT machines on the network. If you want
to start or stop a server on the local machine, use the command line or
Netscape Console. This problem does not affect you if you are using Administration
Express on UNIX. (389488)
Enabling SSL on Directory Server 4.x using Console 4.2
After installing Administration Server and Console 4.2, if you enable SSL
on Netscape Directory Server 4.x, the directory server won't start. You
will see the following message in the error log:
"Failed to set SSL cipher preference information: unknown cipher
tls_rsa_export1024_with_rc4_56_sha!"
This message is generated because Console 4.2 includes two additional
cipher suites that Directory Server 4.x does not recognize.
To work around this problem, do the following with encryption enabled
and the directory not running:
- Edit the dse.ldif file located in <server-root>/slapd-<server-name>/config/
  as follows:
  Remove the two "-tls_" strings from the dse.ldif file.
  These strings exist under the attribute name "nsssl3ciphers,"
  which is found in the "cn=encryption, cn=config" node beneath
  the affected server instance SIE.
- Start the Directory Server from the command-line with start-slapd.
Once you have modified dse.ldif, you can disable and enable encryption
for Directory Server by manually modifying the "security on/off" setting
in slapd.conf. If you use Console to change your encryption settings
or disable and then re-enable encryption, you will have to edit dse.ldif
again.
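The dse.ldif edit described above, as an added shell example (not code from the original release notes). It assumes nsssl3ciphers holds a comma-separated list of +name/-name entries whose value may be folded across lines, and it drops tls_ entries with either sign, which goes slightly beyond the two "-tls_" strings named in the text; the sample entry is constructed.

```sh
#!/bin/sh
# strip_tls_ciphers: filter dse.ldif text from stdin to stdout, removing the
# tls_ entries from nsssl3ciphers and leaving every other line as read.
# Run it with the directory stopped, write to a new file, and compare the
# result with the original before replacing dse.ldif.
strip_tls_ciphers() {
    awk '
    # Emit the buffered logical line (raw = as read, cur = unfolded).
    function emit(   i, n, k, name, val, parts, out) {
        if (!have) return
        have = 0
        i = index(cur, ":")
        name = (i > 0) ? tolower(substr(cur, 1, i - 1)) : ""
        # Other attributes and base64 ("::") values pass through unchanged.
        if (name != "nsssl3ciphers" || substr(cur, i + 1, 1) == ":") {
            print raw
            return
        }
        val = substr(cur, i + 1)
        sub(/^ */, "", val)
        n = split(val, parts, ",")
        out = ""
        for (k = 1; k <= n; k++) {
            if (parts[k] ~ /^ *[-+]tls_/) continue   # not known to DS 4.x
            out = (out == "") ? parts[k] : out "," parts[k]
        }
        print substr(cur, 1, i) " " out
    }
    # A leading space marks an LDIF continuation of the previous line.
    /^ / && have { cur = cur substr($0, 2); raw = raw "\n" $0; next }
    { emit(); cur = $0; raw = $0; have = 1 }
    END { emit() }
    '
}

# Constructed sample of the encryption entry. Only the first tls_ name is
# quoted in the release notes; the rest of the list is illustrative. The fold
# falls in the middle of a cipher name, which a line-by-line edit would miss.
sample_dse() {
cat <<'EOF'
dn: cn=encryption, cn=config
objectClass: top
nsssl3ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_3des_sha,-tls_rsa_export
 1024_with_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha
cn: encryption
EOF
}

sample_dse | strip_tls_ciphers
```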
On Windows NT, End-User Page Not Accessible with SSL
On Windows NT, if you enable SSL on the Directory Server, you will not
be able to access the End-User Page (see illustration).
Using Netscape Console with Netscape Certificate Server 1.x
When you use a Netscape 4.x server to request a server certificate from
a Netscape Certificate Server 1.x, do not use wildcards, punctuation marks,
or other special characters when specifying the server host name. If you
do, Certificate Server will display the following message "Invalid DER
encoding" when the certificate is submitted. If you must use wildcards
(for example www.airius|netscape.com), then you must make a special
note to the CA when you submit the certificate request. The following image
illustrates how you can submit a special note to the CA:
Using Netscape Console with Netscape Certificate Management System 4.x
If you specify a URL when using Console's Certificate Request Wizard with
Netscape Certificate Management System 4.x (CMS), you must include a port
number. For example, if CMS is running on port 443 of the cmsServer.airius.com
host, you must enter the URL as https://cmsServer:443. If you
enter https://cmsServer, you will not be able to automatically
request a certificate. (392984)
Using an external token to store certificates
If you use an external token or smart device to store multiple security
certificates, the device may run out of storage space. This happens when
you repeatedly use the Certificate Setup Wizard to generate certificate
requests without deleting previously installed public or private keys.
(347448) To avoid this problem, follow the instructions provided by the
external device manufacturer to first back up your existing certificate(s),
and then to clear the device's memory.
Installing a FORTEZZA PKCS #11 Module on Windows NT
If the FORTEZZA PKCS #11 module you want to install
is a DLL file (or shared library) and not a JAR file, do not use the "Manage
PKCS #11" or "Add PKCS #11" commands in Netscape Console. If you use the
Netscape Console graphical interface, you will not be able to activate
FORTEZZA ciphers. Instead, use the modutil command line utility located
at <server_root>/shared/bin/modutil.
To install a FORTEZZA PKCS #11 Module DLL File:
- Locate the server instance for which you want to
  install the PKCS #11 module.
- Open a terminal window.
- Go to the Administration Server's configuration directory
  located at <server_root>/admin-serv/config.
- At the prompt, enter this command:
  <server-root>/shared/bin/modutil -dbdir . -create
  This creates the required security module database
  file (secmod.db) in the Administration Server's configuration
  directory.
- At the prompt, enter this command:
  <server_root>/shared/bin/modutil -dbdir . -add <module_name> -libfile <library_file> -nocertdb
  <library_file> specifies the path
  to the DLL or other library file containing the implementation of the PKCS
  #11 interface module.
  <module_name> specifies the name of
  the PKCS #11 module (you specified this in Step 1 when you installed the
  drivers).
  For example, if you are installing a Litronic token,
  you would enter:
  <server_root>/shared/bin/modutil -dbdir . -add CryptOS -libfile core32
For detailed information about modutil, see
Appendix B, "Administration Server Command Line Tools" in the
Netscape Console documentation.
Logging in as Directory Manager
If you log in to Netscape Console using the DN cn=directory manager,
your font display preferences will not be saved. (341686)
Expired SIE passwords block access to Administration Server tasks
If a password expiration policy is enabled in Directory Server, and a connected
Administration Server's SIE passwords expire, you will not be able to access
the connected server. (343369) As a workaround, you can delay the expiration
date of the Administration Server passwords. Use the ldapmodify
utility to change two administrative entries. In the following example,
replace <hostname> with the hostname of the server, and finish
the command with Ctl-Z:
ldapmodify -D "cn=directory manager" -w password
dn: uid=Configuration Administrator, ou=admin, ou=Topology Management, o=NetscapeRoot
changetype: modify
replace: userpassword
userpassword: <newpassword>
-
replace: passwordexpirationtime
passwordexpirationtime: 20011231000000

dn: cn=admin-serv-<hostname>, cn=Netscape Administration Server, cn=Server Group, cn=<hostname>, ou=<hostname>, o=NetscapeRoot
changetype: modify
replace: userpassword
userpassword: <newpassword>
-
replace: passwordexpirationtime
passwordexpirationtime: 20011231000000
Searching a Large User Directory
If you use the Search interface to list all users in a large directory
(for example, more than 1000 entries), the search may return 0 results.
(341275) To improve search results, simply restrict your search criteria.
Full Thread Dump
If you're trying to run the command line, and a segmentation violation
occurs resulting in a full thread dump output, you may have an incompatible
version of JRE or JDK in your path. Adding the following lines to the admconfig
script will eliminate this problem:
JAVA_HOME=./bin/base/jre
export JAVA_HOME
CLASSPATH=
export CLASSPATH
You can manually edit the admconfig script located at /bin/admin/admconfig,
or you can enter these lines at the command line before running ./bin/admin/admconfig.
Using SSL
- To start an SSL-enabled Administration Server without manually entering
  a password, do the following:
  - Create a text file that will contain your security device passwords.
  - Add entries to this file using the following format: <token name>: <password>
    For instance, if you are using the internal software token, you would
    enter internal (software): <password> where <password> is
    the password for the token. If you are using additional tokens, add each
    one's name and password on a new line.
  - In the <server root>/admin-serv/config directory, create a
    text file called custom.conf.
  - Add the following line to custom.conf: pinFile: <pin file>
    where <pin file> is the full path to the text file containing
    passwords.
- If you are using SSL, you need to be aware of important information
  related to root certificate expiration by the end of 1999. At a minimum,
  you may need to ask your users to upgrade their browsers to Communicator
  4.7. Depending on how you are using SSL, you may also need to update the
  root certificate in your server. For important and urgent information on
  root certificate expiration, see Digital Certificate Security Alert.
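A pin file holds token passwords in clear text, so the setup from the pin file steps above is worth checking before relying on it. The function below is an added example, not part of the original release notes; it assumes a Unix host, and the requirement that the file be closed to group and other is an added hardening check rather than something the notes state.

```sh
#!/bin/sh
# check_pin_setup CONFIG_DIR
# Prints one line per problem and returns non-zero if any was found.
# Passwords are never echoed; malformed lines are reported by number only.
check_pin_setup() {
    conf="$1/custom.conf"
    rc=0
    if [ ! -f "$conf" ]; then
        echo "custom.conf not found in $1"; return 1
    fi
    # Value of the last "pinFile:" line, with surrounding blanks trimmed.
    pin=$(sed -n 's/^pinFile:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$conf" | tail -n 1)
    case "$pin" in
        "") echo "no pinFile entry in $conf"; return 1 ;;
        /*) ;;
        *)  echo "pinFile is not a full path: $pin"; rc=1 ;;
    esac
    if [ ! -f "$pin" ]; then
        echo "pin file does not exist: $pin"; return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ldL -- "$pin" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "pin file is accessible to group or other: $pin"; rc=1
    fi
    # Every non-empty line must read "<token name>: <password>".
    bad=$(awk 'NF && $0 !~ /^[^:]+:[ \t]*[^ \t]/ { print NR }' "$pin" | tr '\n' ' ')
    if [ -n "$bad" ]; then
        echo "lines not in '<token name>: <password>' form: $bad"; rc=1
    fi
    return $rc
}

# Constructed demonstration in a throwaway directory.
demo_pin_check() {
    dir=$(mktemp -d) || return 1
    ( umask 077
      printf 'internal (software): constructed-password\n' > "$dir/pins.txt" )
    printf 'pinFile: %s\n' "$dir/pins.txt" > "$dir/custom.conf"
    check_pin_setup "$dir" && echo "pin file setup looks correct"
    rm -rf "$dir"
}

demo_pin_check
```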
Using "objectClass: mailgroup" in Netscape Messaging Server 3.6
If you are using distribution lists on Netscape Messaging Server 3.6, you
may receive the following error (370423):
"A message was not delivered because a loop was found in the Mail
eXchanger (MX) record database. The destination host has an MX record that
points to this host, but there is no account for the recipient."
This error appears if a group's directory entry contains objectClass:
mailgroup instead of objectClass: mailGroup.
To fix this problem, follow these steps:
- Export all group entries to an LDIF file.
- Edit the file, replacing "mailgroup" with "mailGroup."
- Delete each of the problem distribution lists.
- Add the updated LDIF file by entering ldapmodify -a -f <name of
  LDIF file> at the command line.
If you aren't familiar with LDIF or ldapmodify, see the Directory
Server Administrator's Guide.
Changing Configuration Directory Server Information
- If you want to change the port number of the Configuration Directory Server
  used by your Administration Server, do the following (391575):
  - In Console, select the Configuration Directory Server that you want to
    change, and then click Open.
  - Click the Configuration tab, click Settings, and then change the value
    for Port.
  - Click OK. The success dialog tells you to restart the server for the changes
    to take effect.
  - Quit Console.
  - Restart the Directory Server from the command line.
  - Go to the Administration Server's server root and make the following changes:
    - Open /admin-serv/config/adm.conf and change ldapport
      to the new Configuration Directory Server port number.
    - Open /shared/config/dbswitch.conf and change the directory
      default URL to reflect the new port number.
  - Restart the Administration Server. When you launch Console, it will point
    to the new Configuration Directory Server port.
- If you want the Administration Server to use a new Configuration Directory
  Server, do the following:
  - In the network tree, select the Administration Server that you specify
    when logging into Console.
  - Click Open to open the Administration Server management window, and then
    click the Configuration tab.
  - Click the Configuration DS tab, and then change the value for LDAP Host
    and LDAP Port to the host name and port number of the new Configuration
    Directory Server.
  - Quit Console and restart the Administration Server. When you launch Console,
    it will point to the new Configuration Directory Server.
- Note: These two procedures do not change the default URL for users
  and groups. To change the User Directory host name or port number for a
  domain, do the following:
  - Open Console.
  - In the network tree, select the administration domain that uses the new
    or changed Directory Server.
  - In the right-hand panel, click the Edit button.
  - In the "User Directory Host and Port" field, enter the new or changed Directory
    Server host name and port number.
  - Click OK.
All server instances in the administration domain will now use the new
host name and port by default. If you want the instances in a particular
server group to use a different User Directory Server, change the User
DS settings for the server group's Administration Server.
Changing User Directory After SSL is Enabled on Windows NT
If you want to change your User Directory you must do so before SSL is
enabled on Directory Server. On the Windows NT platform, changing your
User Directory after SSL is enabled on Directory Server results in a ugdsconfig.exe
application error (530500).
Creating 8 bit Characters in Console
Some 8 bit characters, for example, Ê and Ë, cannot be created
in Console input fields.
To use these characters do the following:
- Open a text editor of your choice.
- Create the 8 bit character.
- Copy the 8 bit character you created.
- Paste the character, using Ctrl-V, into the appropriate Console
  input field. (529527)
Where to Go for Other Information
For installation instructions, see the Install.htm file for the
server you're installing. Installation Instructions and Release Notes for
all Netscape servers are posted at this location: http://home.netscape.com/eng/server/
If you can't find the information you need, contact Technical Support.
Copyright © 2000 Sun Microsystems, Inc.
Some preexisting portions Copyright © 2000 Netscape Communications
Corp. All rights reserved.