Release Notes for iPlanet™ Portal Server 3.0 Service Pack 5

The Release Notes for iPlanet™ Portal Server, Version 3.0, Service Pack 5 document important information available at the time of release. Installing this product updates the iPlanet Portal Server software to include fixes from Service Pack 1, Service Pack 2, Service Pack 3, Service Pack 3a, and Service Pack 4 and Service Pack 5. The information in this document includes documentation for previous service packs.

These release notes contain the following sections:

• What's New in Service Pack 5

• Previous Service Pack Enhancements

• Known Problems and Limitations

• Bugs Fixed

• Documentation Updates

• How to Report Problems

• Where to Find More Information

Read this document before you begin installing Service Pack 5. For an online version of this and other Portal Server 3.0 documentation, see the iPlanet documentation Web site at:

http://docs.sun.com/

After you install and start using iPlanet Portal Server 3.0, Service Pack 5, check this Web site periodically to view the most up-to-date documentation.

---

About This Document

This section provides details about this document. It contains the following topics:

• Typographic Conventions

• Sample Machine Names

Typographic Conventions

Table 1 is a three column table that describes the typographic conventions used in this release note. The first column describes typeface or symbol, the second column describes the meaning, and the third column provides an example of how the typeface is used.

Table 1    Typographic Conventions

Typeface or Symbol	Meaning	Example
AaBbCc123	The names of commands, files, and directories; on-screen computer output.	Edit your .login file. Use ls -a to list all files. machine_name% You have mail.
AaBbCc123	What you type, contrasted with on-screen computer output.	machine_name% su Password:
AaBbCc123	Book titles, new words or terms, words to be emphasized, or glossary terms.	Read Chapter 6 in the User's Guide. These are called class options. You must be root to do this.
AaBbCc123	Command-line placeholder; replace with a real name or value.	To delete a file, type rm filename. http://server.domain:port/login/domain where domain is a Portal Server domain name.

Sample Machine Names

Table 2 is a two column table that lists the machine names used in code examples and the types of iPlanet Portal Server components to which they correspond. The first column of the table contains machine names, the second column states what component is installed on the machine.

Table 2    Sample Machine Names

Machine Name	Running as . . .
server1	The primary Portal Server
server2	iPlanet Portal Server not being used as the profile server in multiple server installations
gateway	iPlanet Portal Server gateway component

---

What's New in Service Pack 5

This section summarizes the newest enhancements implemented in Service Pack 5.

• Template Modifications

• Tips for Customizing Templates

• Customizing Desktop Top Level TABLE Attributes

• Maximizing Desktop Channels

• Setting Cookies From A JSPProvider Channel

See the "Desktop and Provider Changes" section of this document for details on these changes.

• Configuring Multiple Gateway Instances

• Using Wildcards In JavaScript Rewriter Rules

• Disabling Client-Side Caching of Redirected Content

• Advanced Rewriter Concepts

See the "Gateway Changes" section of this document for details on these changes.

• NetFile Internationalization and Usability Enhancements

See the "NetFile Changes" section of this document for details on these changes.

• Automatic Proxy Configuration for Netlet Connections

• Controlling Server Session Timeout When Using the Netlet

See the "Netlet Changes" section of this document for details on these changes.

• Tuning the Gateway for Optimal Performance

See the "Performance and Tuning Changes" section of this document for details on these changes.

• Disabling Synchronization of User Profile Changes

See the "Profile Service Changes" section of this document for details on these changes.

• Gateway Profile Attributes

• Non-Portal Server Cookie Management

See the "Documentation Updates" section of this document for details on these changes.

---

Previous Service Pack Enhancements

This section summarizes the cumulative enhancements implemented in the following previous Service Packs: iPlanet Portal Server 3.0, Service Pack 1, Service Pack 2, and Service Pack 3a, and Service Pack 4.

Authentication Changes

• A new parameter for redirecting users during login and logout is available.

• Users can be required to authenticate against more than one authentication mechanism.

• User default URLs can be set in the pluggable interface, without changing default URLs in user profiles.

• A new Desktop login channel allows users to register and receive personalized pages.

• Anonymous authentication is available.

• A user with a valid session can go directly to a login module without sending a logout URL.

• Users can change their membership login passwords.

• A user's email address can now be used as the user profile ID on the certificate.

• A persistent cookie mode is now available.

See the "Authentication Changes" section of this document for details on these changes.

Desktop and Provider Changes

• A new provider allows JavaServer Pages™ (JSP™) technology to be used to write providers for Desktop channels.

• The template scan interval, the length of time between checking to see whether disk files have been updated, can now be changed in the administration console.

• Tabs for organizing Desktop content are available for the edit page.

• The Provider API allows a channel to return either a complete HTML edit form or a subset of a complete HTML page.

• Administrators can prevent users from changing a channel's position on the Desktop.

• The Desktop can display full-width channels.

• The Desktop can display channels without frames, titles or controls.

• The Login Provider Channel template files now use the POST method when submitting login forms.

• The URL scraper can forward cookies passed in HTTP requests to the Desktop.

• Multiple cookies differing only in path or value can be used.

• Providers can access HTTP request and response headers.

• Session time-out units are now in minutes.

• Desktop applications can be run on Macintosh computers.

See the "Desktop and Provider Changes" section of this document for details on these changes.

Gateway Changes

• Gateway logging is now disabled by default.

• Administrators can set JavaScript™ variables for rewriting.

• Administrators can define JavaScript functions with a single parameter.

• Administrators can define JavaScript functions with multiple parameters.

• Rewrite Applet/Object parameter values can be changed via the administration console.

• Administrators can deny unknown certificates.

• Administrator can specify how many times the gateway should retry socket connections to a destination server.

• Outlook Web Access 2000 applications can now be used with the gateway.

• Some attribute settings are now inactive.

See the "Gateway Changes" section of this document for details on these changes.

Localization Changes

• Multiple locales for a domain are available.

• The user can select locale.

• The user can see changes in the locale of choice.

• A new properties file allows the default Desktop JSP Provider's description and title to be localized.

• A copy of the sample JSP Provider properties file is provided specifically for localizations.

See the "Localization Changes" section of this document for details on these changes.

NetFile Changes

• A generic file path search utility is now available for all data file types.

• Each channel now can identify whether it supports a client type's output format.

See the "NetFile Changes" section of this document for details on these changes.

NetFile Changes

• Improvements in using NetWare File Systems are available.

• Systems and shares can be defined at the domain, role and user level.

• NT hidden shares can be defined using the administration console.

• Shares on Windows NT systems are now alphabetized.

• NetFile usability has been improved.

See the "NetFile Changes" section of this document for details on these changes.

Netlet Changes

• The Netlet now supports an unlimited number of connections per Netlet.

• The Netlet now supports secure remote FTP transfers.

• The Netlet proxy manages communication between the gateway and target servers and offers improved security.

• Messages in Netlet windows can be changed.

• The Netlet applet can be used with Web browsers that are configured to use automatic proxy configuration (PAC) files.

• Internet Explorer can use automatic configuration files for automatic proxy services.

See the "Netlet Changes" section of this document for details on these changes.

Performance and Tuning Changes

• Netscape™ Security Services (NSS) is now supported on the gateway component.

• The Maximum Thread Pool Size parameter can be increased.

• A new method for loading multiple attributes in one profile request is available.

• Short-circuiting for session and logging requests improves performance.

• Adjusting iPlanet™ Web Server parameters can improve performance.

See the "Performance and Tuning Changes" section of this document for details on these changes.

Profile Service Changes

• A separate profile service is now used for each Portal Server instance.

• New methods for getting and setting user properties are available.

See the "Profile Service Changes" section of this document for details on these changes.

Server Changes

• Portal Server can now be run without the gateway.

• Multiple instances of the Portal Server can be run on different ports.

• The server can now access multiple instances of iPlanet Portal Server from a single server installation.

• You can run applications written using iPlanet Portal Server APIs on a server host that is not iPlanet Portal Server.

See the "Server Changes" section of this document for details on these changes.

Third-Party Software Changes

• A new parameter allows NetFile to display ISO8859-1 character sets.

See the "Third-Party Software Changes" section of this document for details on this change.

Webmail Changes

• A workaround to allow Portal Server to display Webmail is now available.

See the "Webmail Changes" section of this document for details on this change.

---

Authentication Changes

This section provides details about authentication changes in iPlanet Portal Server. It contains the following topics:

• Using the goto Parameter

• Authentication Chaining

• Setting Default URLs

• Login Channel

• Anonymous Authentication

• Extending Authentication

• Changing Membership Login Passwords

• Using an email Address as User Profile ID

• Setting Persistent Cookies

Using the goto Parameter

The goto parameter is now available. It enables applications to instruct authentication to redirect the user to a URL other than the default URL stored in the user profile upon login or logout. It is valid for the current session only, and it does not change the default URL stored in the user profile.

To be redirected to a specific URL, the application must specify the goto parameter in the URL.

The goto parameter allows the calling application to specify where the user is redirected upon successful login.

For example, if an application wanted to redirect the user to my.sesta.com after successful authentication, the URL would be:

http://server1.domain:port/login?goto=http://my.sesta.com

An API developer can use the goto parameter in conjunction with the logout URL to specify where the user should be redirected upon logout.

For example, if an application wanted to redirect the user to sesta.com after logout, the logout link would be:

http://server1.domain:port/logout?goto=http://sesta.com

Authentication Chaining

Authentication chaining can provide a higher level of security for organizations by requiring users to authenticate against more than one authentication mechanism. For example, if the membership and UNIX authentication modules are chained, Desktop users would authenticate against both to access the Desktop.

To set up authentication chaining, complete the following steps:

1. Log on to the administration console as super administrator.

2. Select Manage Domains.

3. Select the domain for which authentication chaining is to be used.

4. Select Authentication.

5. In the Authentication Chaining Modules field, enter the authentication modules to be chained, separated by spaces. For example:

   
   
   

   Membership Unix

   
   
   

6. Select the Authentication Enabled check box to enable authentication chaining.

7. Select Submit. A message is displayed indicating that the profile was successfully updated.

8. Select Continue.

Setting Default URLs

The user's default URL can now be set in the pluggable authentication interface, without changing the default URL in the user's profile. When the user authenticates successfully, the user is redirected to this URL.

A new method called setDefaultURL in the pluggable authentication API allows the authentication modules to set the user's default redirect URL on successful authentication:

public void setDefaultURL(java.lang.String url)

throws LoginException

This method overrides the goto parameter. See "Using the goto Parameter."

Login Channel

Portal Server now contains a membership authentication module that is useful for open portal installations. Combined with anonymous user, unregistered users can view non-personalized content in a portal, and registered users can log in and view personalized content.

The addition of a login channel on the Desktop allows registered users to access the portal, register and receive personalized pages. It allows non-registered users to view static content.

The login channel also allows the user to enable persistent cookies, if the domain allows this option. Persistent cookie support puts user login information into a cookie so that the user does not have to log in for subsequent sessions.

The user interface for the login channel does not have an edit page, as user-editable preferences are not available.

Anonymous Authentication

In a typical anonymous installation, the anonymous authentication module would be the only authentication type enabled. When the URL http://server.domain:port/login/domain is specified, the user's browser displays the anonymous user Desktop. No user input, other than the URL, is required.

A list of user IDs authorized to log in to the anonymous user's Desktop can be specified and modified through the administration console.

When a user ID appears in the List of Anonymous Usernames, access to the anonymous user's Desktop is granted. The session is assigned to the specified userID. When user ID does not appear in the List of Anonymous Usernames, the session is assigned to the user ID specified in the Default Anonymous Username field and the anonymous Desktop is displayed.

Modifying Default Anonymous User Names

To change the default anonymous user name, complete the following steps:

1. Log on to the administration console as super administrator.

2. From the left frame, select the Manage Domains link to display the Portal Server Domains page.

3. Select the domain to display the Role and Users page.

4. Expand the Profiles link and expand the Authentication link.

5. From the Authentication menu, select Anonymous.

6. Select Show Advanced Options at the bottom of the page.

7. In the List of Anonymous User Names, change default value anonymous to the desired user ID.

8. Select Submit at the bottom of the page to commit these changes to the profile server.

9. On the Profile Successfully Updated page, select Continue.

Setting Default Anonymous User Names

To define the default anonymous user name, complete the following steps:

1. Log on to the administration console as super administrator.

2. From the left frame, select the Manage Domains link.

3. In the Domain, Role and Users page, expand the Profiles link and expand the Authentication link.

4. From the Authentication Menu, select Anonymous.

5. Select Show Advanced Options at the bottom of the page.

6. In the Default Anonymous User Name field, change the default user ID anonymous to the desired user ID.

7. Select Submit at the bottom of the page to commit these changes to the profile server.

8. On the Profile Successfully Updated page, select Continue.

Enabling Anonymous Desktop

Use the administration console to enable an anonymous Desktop using the Anonymous Authentication Module and Login Channel.

To enable the anonymous Desktop, complete the following steps:

1. Log on to the administration console as super administrator.

2. From the left frame, select the Manage Domains link to display the Portal Server Domains page.

3. Select the domain to display the Domain, Role and Users page.

4. Expand Profiles link.

5. Select Authentication link.

6. From the Authentication Menu, select Anonymous and de-select all other authentication modules.

   Portal Server is now defaulted to the Anonymous authentication module in all cases and displays the anonymous Desktop by default.

7. Select Submit at the bottom of the page to commit these changes to the profile server.

8. Select Continue on the Profile Successfully Updated page.

9. Select Show Advanced Options at the bottom of the page.

10. In the Non Interactive Modules, add Membership.

    This enables users to use the login channel to use Membership authentication instead of having to use the provided membership login page.

11. Select Enable Persistent Cookie Mode, if persistent cookies are desired.

12. Select Submit at the bottom of the page to commit these changes to the profile server.

13. Select Continue on the Profile Successfully Updated page.

Customizing Anonymous Desktop Templates

You can customize templates for the anonymous Desktop by editing the menubar.html file and changing settings in the administration console.

To customize a user logout from the Desktop redirect to the anonymous user Desktop, complete the following steps:

1. Edit the HREF definition for the Log Out link in the /etc/opt/SUNWips/desktop/default/iwtDesktop/menubar.html file.

   ---

   Tip	Use this format to set the logout from the Desktop to be redirected to the anonymous Desktop in all cases: <A HREF="/logout?goto=/login/Anonymous?domain=mydomain">

   ---

To customize the Help page for the anonymous Desktop, complete the following steps:

1. Log on to the administration console as super administrator.

2. Select the Anonymous User Desktop.

3. From the left frame, select the Manage Domains link.

4. Select the domain.

5. Select Default Role.

6. Select Users.

7. Select Anonymous.

8. Expand Applications.

9. Select Desktop.

10. Scroll down and select Show Advanced Options.

11. Modify the value for Front Page Help.

    The default English locale value in Front Page Help is assumed to be relative from the /opt/SUNWips/public_html/docs/en_US/online_help directory.

12. Select Submit at the bottom of the page to commit these changes to the profile server.

13. Select Continue on the Profile Successfully Updated page.

Enabling Anonymous Desktop for Other Domains

To create an anonymous user for any other domain, complete the following steps:

1. Use this command to copy the /var/opt/SUNWips/iwtAnonymousUser.xml-orig file to a temporary location (/tmp):

   
   
   

   # cp /var/opt/SUNWips/iwtAnonymousUser.xml-orig /tmp/iwtAnonymousUser.xml-orig

   
   
   

2. Change the string INST_DEFAULT_DOMAIN in the /tmp/iwtAnonymousUser.xml-orig file to the name of the other domain:

   
   
   

   userConfigurable="true"

   >

   <Val>/INST_DEFAULT_DOMAIN/defaultRole</Val>

   </iwt:Att>

   
   
   

3. Use these commands to load the new anonymous user profile to the primary server service:

   
   
   

   # cd /opt/SUNWips/bin # ipsadmin create user /other_domain/anonymous /tmp/iwtAnonymousUser.xml-orig

   
   
   

4. Use this URL to access the authentication menu for the new domain in the browser:

   
   
   

   http://server1.domain:port/login?domain=/other_domain

   
   
   

Disabling Anonymous Desktop

To disable anonymous Desktop, complete the following steps:

1. Log on to the administration console as super administrator.

2. From the left frame, select the Manage Domains link to display the Portal Server Domains page.

3. Select the domain to display the Domain, Role and Users page.

4. Expand Profiles link.

5. Select Authentication link.

6. In the Authentication Menu, de-select the Anonymous auth module.

   At least one auth module entry must be selected in the field after you de-select any module.

7. Select Submit at the bottom of the page to commit these changes to the profile server.

8. Select Continue on the Profile Successfully Updated page.

Modifying the Login Channel

The login channel can be modified to work with other authentication modules. A sample template is available to illustrate how the login channel can be changed to work with the Unix authentication module, rather than the Membership authentication module.

To enable Unix authentication for the login channel, complete the following steps:

1. As root, use these commands to make a copy of the display.html file:

   
   
   

   # cd /etc/opt/SUNWips/desktop/default/iwtLoginProvider # mv display.html display_iwtAuthMembership.html

   
   
   

2. Replace the display.html file with /etc/opt/SUNWips/desktop/default/iwtLoginProvider/display_iwtAuthUnix.html.

   
   
   

   # cp display_iwtAuthUnix.html display.html

   
   
   

3. Log on to the administration console as super administrator.

4. From the left frame, select the Manage Domains link to display the Portal Server Domains page.

5. Select the domain to display the Domain, Role and Users page.

6. Expand the Profiles link and select the Authentication link.

7. Scroll down to and select Show Advanced Options.

8. In the Non Interactive Modules field, add Unix.

9. Select Submit at the bottom of the page to commit these changes to the profile server.

10. Select Continue on the Profile Successfully Updated page.

The login channel now uses UNIX authentication.

The template file, display_iwtAuthUnix.html, is an example of how templates could be created to enable other authentication modules for the login channel. The contents of the built-in login page for a given authentication method provide an example of the correct parameters to include in the display.html template.

Extending Authentication

When a registered user authenticates from the anonymous Desktop, Portal Server obtains information about the user and presents the user Desktop from the user profile. When a new user registers from the anonymous Desktop, the user's current session from the anonymous Desktop is destroyed before the auth module in the URL for the user's default Desktop is called.

This allows a user with a valid iPlanet Portal Server session to directly go to a login module without sending a logout URL. For example, a login channel sends the following URL to allow an anonymous user to register with the membership module:

http://server.domain:port/login/Membership?domain=/mydomain&arg=newsession

The arg=newsession parameter instructs the authentication module to destroy the current session before calling the authentication module in the URL.

Previously, if a user wanted to switch from anonymous user to registered user, it was impossible to authenticate the user using another authentication module such as the Membership module since an anonymous user has a valid session.

Changing Membership Login Passwords

Users can now change their membership login passwords.

To change the membership login password, the user must complete the following steps:

1. Select the Edit icon from the User Information channel menu.

2. Enter the original password and the new password and confirm the new password.

Password checking is subject to the same rules as the membership authentication module. The user must authenticate via Membership for changes to the Membership password.

Using an email Address as User Profile ID

A user's email address can now be used as the user profile ID on the certificate. When the email address is selected, the cert auth module searches for the emailAddr field in the certificate's user subject dn field for the attribute tag emailaddr and uses its value to access the user's profile ID.

The tag emailAddr is stored in the iwtAuthCert.properties file. It can be replaced with a different value, depending on the site or the certificate issuer.

To use the email address as profile ID, complete the following steps:

1. Log in to the administration console and select Manage Domains.

2. Select your domain and select Profiles and Authentication.

3. Select Cert from the list.

4. Select email address from the What field in cert to use to access user info in profile field.

5. Select Submit.

Setting Persistent Cookies

Persistent cookies are now supported. If the persistent cookie mode is enabled, the user:

• Is not required to log in to Portal Server after relaunching the browser

• Can display the Desktop immediately without logging in

  ---

  Note	If the user explicitly logs out when persistent cookie mode is enabled, logging in is required on the next visit.

  ---

To set up persistent cookie mode for an individual user, the user must select the Remember My Username and Password check box using the Login Channel.

Administrators can set a persistent cookie for a domain. To do this, complete the following steps:

1. Log in to the administration console and select Manage Domains.

2. Select your domain and select Profiles and Authentication.

3. In the Profile:Auth page, select Show Advanced Options.

4. In The Persistent Cookie MaxAge Value text box, specify the maximum age of the cookie in seconds.

5. Select the Enable Persistent Cookie Mode check box to enable the persistent cookie mode for users in this domain.

---

Desktop and Provider Changes

This section provides details about Desktop changes in iPlanet Portal Server. It contains the following topics:

• Template Modifications

• Tips for Customizing Templates

• Customizing Desktop Top Level TABLE Attributes

• JavaServer Pages Provider

• Setting Cookies From A JSPProvider Channel

• Reloading Templates without a Server Restart

• Tabbed Desktop

• Using Form Control

• Maximizing Desktop Channels

• Locking Channel Positions

• Setting Up Full-Width Channels

• Setting Up Frameless Channels

• Default Login Channel Templates Changes

• Forwarding Cookies

• Using Non-iPlanet Portal Server Cookie Management

• Enabling Access to HTTP Requests and Responses

• Setting Session Time-out Units

• Running Desktop Applications on Macintosh Clients

Template Modifications

The patch installer attempts to preserve customized template information and to automate the update of that information. However, since the contents of the files cannot be accurately predetermined, any modified template files are backed up in the same directory as their updated counterparts, with the patch name postfixed to the template name. For example,

/etc/opt/SUNWips/desktop/default/iwtBookmarkProvider/display.template

might be backed up to

/etc/opt/SUNWips/desktop/default/iwtBookmarkProvider/display.template.preSP5.

The backup files are also copied back to their original location upon service pack removal.

To help avoid potential content-related customization problems, refer to the "Tips for Customizing Templates" section of this document.

Table 3 is a three column table that lists the template files, .properties files, xml files, and platform files that are modified by this service pack. The first column of the table contains the template or flatfile names. The second column contains the component with which the template is associated. The third column describes the change to the template.

Table 3    Template Modifications 

Template or Flatfile Name	Component	Change
/etc/opt/SUNWips/platform.conf	Gateway and Platform	Added ips.gateway.newDomainLogic entry to support single and double level domains. Added allow.desktop.caching.in.client to allow the caching of the iPlanet Portal Server Desktop by the browser. Note: By default, the value for this option is set to false and must be set to true in order to cache the Desktop. Added ips.gateway.logging.hostlookup to control whether reverse DNS lookup occurs during logging calls.
/etc/opt/SUNWips/properties.file	Platform	Added domainlist.refresh.interval to reduce LDAP traffic retrieving primarily static data. This option enables the list of Portal domains (which is normally retrieved at every login) to be cached, and refreshed with the given interval in milliseconds. This reduces the load on the LADP server. By enabling caching , new domains will not besisible to users until the next refresh. For test and development systems this value should be left at 0. However, on stable production systems, the value should be increases. A reasonable value is 1800000 (30 minutes). Note: By default, the value for this option is set to 0, thus the behavior will remain the same as in Service Pack 4 unless this value is changed.
install_dir/SUNWips/locale/iwtNetFileApplet.properties	Platform	Added systemencoding=System Encoding function Added country names used in add host and edit host info
install_dir/SUNWips/locale/iwtNetFileServlet.properties	Platform	Added error43=Share does not exist or you do not have permission to access Added country name labels for NetFile Lite function Added macie50=<FONT COLOR=FF0000> Note: The </FONT> tag on Internet Explorer 5.0 on a Macintosh computer is not a supported browser version. Please update the browser to Internet Explorer 5.1.5 or greater.
/etc/opt/SUNWips/desktop/*/iwtDesktop/userTemplate.html	Platform	Added top level table definitions previously rendered internally by the FrontProvider Servlet. Removed content tag [tag:content] Note: if content tag has already been removed the changes will have to be made manually.
/etc/opt/SUNWips/xml/iwtDesktop.xml	Profile	Added attribute iwtMaximizeProvider to iwtDesktop profile
/etc/opt/SUNWips/xml/iwtGateway.xml	Profile	Added attribute iwtGateway=UnencodedURLCharset to gateway profile
template_dir/iwtBookmarkProvider/display.template	Platform	Added openSavedBookmarkURL function
install_dir/SUNWips/locale/iwtGateway.properties	Platform	Added X-x11=Rewrite JavaScript Function Parameters in Fractured HTML entry Added X-x17=Rewrite JavaScript Function Parameters in JavaScript or a URL entry Added X-x18=Extend Portal Session for Clientbound Netlet Traffic entry
install_dir/SUNWips/public_html/third_party/	Platform	Replaced citrix_start.html
install_dir/SUNWips/locale/iwtNetletServlet.properties	Platform	Added macloopbackhost=http://127.0.0.1 entry
install_dir/SUNWips/bin/ipshttpd	Platform	Overwrote IPS_CLASSES value to include additional jar entries
/etc/opt/SUNWips/platform.conf*	Platform and Gateway	Added ips.gateway.sockretries=3 entry Added allow.client.caching=true entry Added netlet.session.extension=true entry Added ips.gateway.mem_management_option=false entry Added ips.gateway.mem_management_interval=30 entry Added ips.gateway.mem_threshold=70 entry Removed netlet.session.extension.for.\ clientbound.traffic entry Removed blank lines
/etc/opt/SUNWips/xml/iwtGateway.xml	Profile	Added openSavedBookmarkURL:y value to iwtGateway-JavaScriptRewrite attribute Added window.location to iwtGateway-JavaScriptVariableConvert attribute Added new Attribute: iwtGateway-JavaScriptFracturedHTML Added new Attribute iwtGateway-JavaScriptFunctionParameterJavaScriptOrURL Added new Attribute iwtGateway-ThirdPartySessExt Modified rules for NetMail and NetFile in Rewrite Applet Parameters Values List of the Gateway Profile.
install_dir/SUNWips/bin/ipsgateway	Gateway	Overwrote IPS_CLASSES value to add additional jar entries Changed gateway specific Java Virtual Machine™ (JVM™) parameters in CMD value Note: These changes have been added for the multiple gateway instance support. This script is now much longer than the previous script.
/etc/init.d/ipsgateway	Gateway	Overwrote IPS_CLASSES value to add additional jar entries Changed gateway specific JVM parameters in CMD value Note: These changes have been added for the multiple gateway instance support. This script is now much longer than the previous script.

Tips for Customizing Templates

Because the Portal Server itself is so customizable, you should follow some precautions to ensure that any customizations made to the iPlanet Portal Server product are preserved after a product upgrade. First, set up a customized template directory if you have not already done so. While this directory might be an entire subset of the default template directory, it is advisable to copy over only those template files that you will be customizing. This particular scheme would then use the default directory as a base for all templates and would help ensure that customized templates are not accidentally overwritten when the default templates are modified.

Creating a Customized Template Directory

1. Create a directory at the same level as the /etc/opt/SUNWips/desktop/default/ directory with a new name such as mytemplates. In that directory, put only copies of the templates you need to modify. The other templates will be retrieved from the default directory.

2. Edit the templates in the mytemplates directory according to your own preference. Refer to the "Desktop Template and Tag Index" section of this document for additional template-related information.

3. Log into the administration console.

4. Select Manage Domains.

5. Select the domain you want to administer.

6. Go to Applications | Desktop.

7. In the Display/Layout section, change the value of the Template Directory field to match the name of the directory you just created—for example, mytemplates.

8. Click Submit at the bottom of the page.

In general, avoid modifying templates that have only a functional purpose rather than a look and feel purpose. One example of a template that should not need modifications is the iwtNetletProvider/display.template. This template contains only JavaScript necessary for the launching of the Netlet. The contents of the Netlet pop-up window should instead be customized by modifying the associated .properties file (install_dir/SUNWips/locale/iwtNetletServlet.properties). This is because the product might have a functional change that would overwrite a customization done specifically to that particular template file. This example also exhibits why it is important to keep only customized files in the customized template directory.

For instance, in the iPlanet Portal Server Service Pack 3 product, the Netlet launching behavior changed. Therefore, for customers who use the Netlet, and upgraded from the iPlanet Portal Server Service Pack 2 product to iPlanet Portal Server Service Pack 3, and have an entire copy of the default template directory, the functional change was not propagated to the customized template directory.

The following sections contain instructions for some simple template modifications that may help you get you started with your new customized template directory.

Customizing the Channel Border Look

To modify the look of all the channels (for example, where the buttons are and how the border looks) do the following:

1. Edit the file /etc/opt/SUNWips/desktop/mytemplates/iwtDesktop/providerWrapper.html

2. Edit the file

   /etc/opt/SUNWips/desktop/mytemplates/iwtDesktop/minimize.html

3. Logout of the Desktop and then log back in again.

Changing the Desktop Background Colors, Images, and Product Name

1. Edit the file /etc/opt/SUNWips/desktop/mytemplates/banner.html to:
   • Point to different graphics files with your company name or logo.

   • Change the background color and layout to match that of your portal's look.

   If you change the red background color in banner.html, you should also change the background color in the following files wherever the HTML tag attribute BGCOLOR appears:

   • contentTemplate.html

   • layout1Template.html

   • layout2Template.html

   • layout3Template.html

   • layout4Template.html

   • minimized.html

   • optionsTemplate.html

   • providerWrapper.html

2. If you want to change the iPlanet Portal Server 3.0 product name that appears on the Desktop in the menubar, you must remove the tag [tag:productName] that appears in the following files and replace it with the text you prefer. The files are:
   • banner.html

   • contentTemplate.html

   • editTemplate.html

   • errorTemplate.html

   • layout1Template.html

   • layout2Template.html

   • layout3Template.html

   • layout4Template.html

   • menubar.html

   • optionsTemplate.html

   • popupMenubar.html

   • popupTemplate.html

   • userTemplate.html

   This text can be changed in the profile store, but it is system-wide and not specific to any one domain. To change the value system-wide, do the following:

   1. From the profile server command line, as root type:

      install_dir/SUNWips/bin/ipsadmin get component iwtPlatform > /tmp/file

   2. Edit the file and delete all the attributes except for iwtPlatform-productName. Change the attribute value between the <Val></Val> tags to be the value you want-- most likely the title of your company portal. Save that file with just that attribute in it.

   3. From the command line, enter the following:

      install_dir/SUNWips/bin/ipsadmin change component iwtPlatform /tmp/file

3. Remove the iwtSampleRSS and iwtIPInfo channels. These channels both contain iPlanet information, so they can be removed from the installation by removing them from the available providers.

   These channels are sourced from the RSS Provider and URL Scraper providers, respectively, and are examples of how the iPlanet Portal Server can pull content from other sources. The iwtIPInfo channel is simply an HTML page and a GIF file displayed by the URLScraper. The iwtSampleRSS channel is an RDF file with an accompanying GIF file. You can set up channels like this quickly for your own portal by using the Channel Wizard in the iPlanet Portal Server Administration Console.

4. Restart the server for any changes you have made to take effect

Changing the Channel Buttons:

The links and image tags for the channel buttons are generated dynamically by the Desktop, but the actual image file sources are taken from the Desktop properties file. To change the button images, do the following:

1. Edit the file /opt/SUNWips/locale/iwtDesktop.properties and change the properties entries:
   • ProviderCommands-helpIcon

   • ProviderCommands-minimizeIcon

   • ProviderCommands-maximizeIcon

   • ProviderCommands-editIcon

   • ProviderCommands-removeIcon

   • ProviderCommands-attachIcon—all relative to install_dir/SUNWips/public_html/

2. Edit the following entries in the same .properties file as above to change the ALT text for the IMG tags in the channel buttons.
   • ProviderCommands-help

   • ProviderCommands-minimize

   • ProviderCommands-maximize

   • ProviderCommands-edit

   • ProviderCommands-remove

   • ProviderCommands-attach

Using Images for Channel Titles

1. In the providerWrapper.html file, replace [tag:title] with the following:

   
   
   

   <script>

   drawTitle('[tag:title]');

   </script>

   
   
   

2. In the <HEAD> section of the userTemplate.html file, insert the following:

   
   
   

   <script>

   function drawTitle(title)

   {

   if (title == 'special title') {

   document.write('<img src=/images/specialtitle.gif>');

   }

   else {

   document.write(title);

   }

   }

   </script>

   
   
   

Changing The Link Color in The Desktop

Edit the following line in userTemplate.html to change link colors for the page:

<BODY BGCOLOR="#FFFFFF">

Desktop Template and Tag Index

Table 4 is two column table that contains a list of templates and tag descriptions. The first column lists the template name. The second column provides a tag description.

Table 4    Desktop Template and Tag Index 

Template	Tag Description
iwtAppProvider
display.template - Contains the JavaScript that launches the windows that the HTML applications are displayed in.	[tag:apps] - Replaced with the application listings
iwtBookmarkProvider
display.template - Contains JavaScript language for the Bookmark Provider to open new windows launched from the form submittal or from saved bookmark links in the provider window. JavaScript also performs redirection of URLs to avoid burdening the gateway with unecessary requests for content that can be retrieved directly by the browser.	[tag:bookmarks] - List of bookmark links [tag:iwtDesktop-fontFace1] - Default font for the Desktop (sans-serif) [tag:windowOption] - JavaScript variable default for method of launching bookmark windows (taken from iPlanet Portal Server user preferences).
edit.template - contains the edit screen formatting for the Bookmark provider. It contains four tags.	[tag:iwtDesktop-fontFace1] - Default font for the Desktop (sans-serif) [tag:resourceList] - Selectable list of bookmarks for the edit page [tag:resourceCount] - Total number of bookmarks [tag:windowOptions] - Default for checkboxes defining how the bookmark should be opened (new window, existing window, etc.)
iwtMailCheckProvider
display.template - Mail check layout provider content	[tag:iwtDesktop-fontFace1] - Default font for the Desktop (sans-serif) [tag:mailStatColor] - Color of status text, based on actual mail status [tag:mailStatus] - Status text [tag:mailCount] - Total count of unread messages
iwtNetletProvider
display.template - Contains JavaScript necessary to launch a Netlet session.	[tag:content] - Appropriate JavaScript for launching the correct Netlet type based on the Netlet rules
edit.template - Contains the formatting for the edit of the Netlet provider.	[tag:iwtDesktop-fontFace1] - Default font for the Desktop (sans-serif) [tag:newRuleSelect] - HTML section for adding new dynamic rules [tag:targetList] - Section of HTML table listing existing dynamic rules [tag:targetCount] - Total number of dynamic rules
wtUserInfoProvider
content.html - Content page for the UserInfo provider.	[tag:iwtDesktop-fontFace1] - Default font for the Desktop [tag:iwtUserInfoProvider-greeting] - User's greeting [tag:iwtUserInfoProvider-firstname] - User's first name [tag:iwtUserInfoProvider-lastName] - User's last name [tag:iwtUserInfoProvider-currentDate] - Current date [tag:iwtUserInfoProvider-timeLeft] - Time left in user's session [tag:iwtUserInfoProvider-maxIdle] - Maximum idle time
edit.template - Edit page for the UserInfo provider.	[tag:iwtDesktop-fontFace1] - Default font for the Desktop (sans-serif) [tag:iwtUserInfoProvider-greeting] - User's greeting [tag:iwtUserInfoProvider-firstname] - User's first name [tag:iwtUserInfoProvider-lastName] - User's last name [tag:iwtUserInfoProvider-currentDate] - Date [tag:iwtUserInfoProvider-timeLeft] - Time left in user's session [tag:iwtUserInfoProvider-maxIdle] - Maximum idle time [tag:iwtUserInfoProvider-timeZoneList] - List of timezones [tag:iwtUserInfoProvider-IMAPServerName] - IMAP server name [tag:iwtUserInfoProvider-SMTPServerName] - STMP server name [tag:iwtUserInfoProvider-IMAPPassword] - IMAP server password [tag:iwtUserInfoProvider-IMAPUserId] - IMAP username [tag:iwtUserInfoProvider-localeList] - List of available locales [tag:iwtUserInfoProvider-passwordHandler] - HTML code to change membership password, if available
passwordHandler-Membership.html - Partial template inserted into edit.template if membership authentication is used. This allows the user to change password.	[tag:iwtDesktop-fontFace1] - Default font for the Desktop (sans-serif)
iwtDesktop
alertTemplate.html - Not used.	No tags
arrangeProvider.js - Javascript used in the Desktop Layout page	No tags
bareProviderWrapper.html - Template for each provider wrapper with no titlebar.	[tag:borderSize] - size of border (CELLPADDING) around provider HTML table [tag:size] - size of border, (BORDER) around provider HTML table [tag:bgColor] - provider background color [tag:content] - provider content
banner.html - the banner across the top of the Desktop pages, including the edit, layout, and content pages.	No tags
contentTemplate.html - the HTML template for the Content (Channels) page	[tag:noCache] - Inserts noCache.html template [tag:productName] - Product name [tag:openFrontPage] - Inserts openFrontPage.js template [tag:style] - Inserts style.html template [tag:banner] - Inserts banner.html template [tag:menubar] - Inserts menubar.html template [tag:iwtDesktop-fontFace1] - Default font for the Desktop (sans-serif) [tag:thinProviders] - Checkbox list of available thin providers to add to Desktop [tag:wideProviders] - Checkbox list of available wide providers to add to Desktop [tag:fullProviders] - Checkbox list of available full width providers to add to Desktop
editTemplate.html - Generic edit page template.	[tag:noCache] - Inserts noCache.html template [tag:productName] - Product Name [tag:iwtDesktop-fontFace1] - Default font for the Desktop (sans-serif) [tag:openFrontPage] - Inserts openFrontPage.js template [tag:style] - Inserts style.html template [tag:banner] - Inserts banner.html template [tag:menubar] - Inserts menubar.html template [tag:providerName] - The name of the provider or channel [tag:inlineError] - Replaced with inlineError.html template if error has occured [tag:title] - The title of the provider or channel [tag:contentOptions] - The edit page content from the provider or channel
errorTemplate.html - Error template. Used when an internal Desktop error (usually a provider error) has occurred making display of the providers impossible.	[tag:noCache] - Inserts noCache.html template [tag:productName] - Product name [tag:style] - Inserts style.html template [tag:banner] - Inserts banner.html template [tag:iwtDesktop-fontFace1] - Default font for the Desktop (sans-serif) [tag:productName] - Product name [tag:helpFile] - URL or directory path to the Help file [tag:helpTag] - String for link to Help file
inlineError.html - HTML to show an error message	[tag:errMessage] - The error message
launchPopup.js - JavaScript to launch a popup window.	No tags
layout1Template.html - left/thin, right/wide.	[tag:noCache] - Inserts noCache.html template [tag:productName] - Product name [tag:openFrontPage] - Inserts openFrontPage.js template [tag:arrangeProvider] - Inserts arrangeProvider.js template [tag:performSubstitution] - Inserts performSubstitution.js template [tag:performColumnSubstitution] - Inserts performColumnSubstitution.js template [tag:selectAll] - Inserts selectAll.js template [tag:switchColumns] - Inserts switchColumns.js template [tag:style] - Inserts style.html template [tag:banner] - Inserts banner.html template [tag:menubar] - Inserts menubar.html template [tag:iwtDesktop-fontFace1] - Default font for the Desktop (sans-serif) [tag:layoutFullTop] - Inserts layoutFullTop.html template [tag:leftUserProviderList] - List that shows left column channels [tag:rightUserProviderList] - List that shows right column channels [tag:layoutFullBottom] - Inserts layoutFullBottom.html template
layout2Template.html - left/wide, right/thin.	[tag:noCache] - Inserts noCache.html template [tag:productName] - Product name [tag:openFrontPage] - Inserts openFrontPage.js template [tag:arrangeProvider] - Inserts arrangeProvider.js template [tag:performSubstitution] - Inserts performSubstitution.js template [tag:performColumnSubstitution] - Inserts performColumnSubstitution.js template [tag:selectAll] - Inserts selectAll.js template [tag:switchColumns] - Inserts switchColumns.js template [tag:style] - Inserts style.html template [tag:banner] - Inserts banner.html template [tag:menubar] - Inserts menubar.html template [tag:iwtDesktop-fontFace1] - Default font for the Desktop (sans-serif) [tag:layoutFullTop] - Inserts layoutFullTop.html template [tag:leftUserProviderList] - List that shows left column channels [tag:rightUserProviderList] - List that shows right column channels [tag:layoutFullBottom] - Inserts layoutFullBottom.html template
layout3Template.html - left/thin, center/wide, right/thin.	[tag:noCache] - Inserts noCache.html template [tag:productName] - Product name [tag:openFrontPage] - Inserts openFrontPage.js template [tag:arrangeProvider] - Inserts arrangeProvider.js template [tag:performSubstitution] - Inserts performSubstitution.js template [tag:performColumnSubstitution] - Inserts performColumnSubstitution.js template [tag:selectAll] - Inserts selectAll.js template [tag:switchColumns] - Inserts switchColumns.js template [tag:style] - Inserts style.html template [tag:banner] - Inserts banner.html template [tag:menubar] - Inserts menubar.html template [tag:iwtDesktop-fontFace1] - Default font for the Desktop (sans-serif) [tag:layoutFullTop] - Inserts layoutFullTop.html template [tag:leftUserProviderList] - List that shows left column channels [tag:rightUserProviderList] - List that shows right column channels [tag:layoutFullBottom] - Inserts layoutFullBottom.html template [tag:centerUserProviderList] - List that shows center column channels
layout4Template.html - left/thin, center/thin, right/thin.	[tag:noCache] - Inserts noCache.html template [tag:productName] - Product name [tag:openFrontPage] - Inserts openFrontPage.js template [tag:arrangeProvider] - Inserts arrangeProvider.js template [tag:performSubstitution] - Inserts performSubstitution.js template [tag:performColumnSubstitution] - Inserts performColumnSubstitution.js template [tag:selectAll] - Inserts selectAll.js template [tag:switchColumns] - Inserts switchColumns.js template [tag:style] - Inserts style.html template [tag:banner] - Inserts banner.html template [tag:menubar] - Inserts menubar.html template [tag:iwtDesktop-fontFace1] - Default font for the Desktop (sans-serif) [tag:layoutFullTop] - Inserts layoutFullTop.html template [tag:leftUserProviderList] - List that shows left columns channels [tag:rightUserProviderList] - List that shows right column channels [tag:centerUserProviderList] - List that shows center column channels [tag:layoutFullBottom] - Inserts layoutFullBottom.html template
layoutFullBottom.html - Partial HTML template for layout pages when the user has a full-width channel available at the bottom of the layout.	[tag:fullbottomUserProviderList] - List of Full Width (Bottom) Channels to move [tag:iwtDesktop-fontFace1] - Default font for the Desktop (sans-serif)
layoutFullTop.html - Partial HTML template for layout pages when the user has a full width channel available at the top of the layout.	[tag:fulltopUserProviderList] - List of Full Width (Top) Channels to move [tag:iwtDesktop-fontFace1] - Default font for the Desktop (sans-serif)
menubar.html - HTML for the menubar containing the Home, Options, Content, Layout, Help, and Logout links	[tag:iwtDesktop-fontFace1] - Default font for the Desktop (sans-serif) [tag:productName] - Product name [tag:help_link] - Link to help from Desktop
minimized.html - Template of a provider when it is in its minimized state - just the title and button bar showing, no content area showing.	[tag:borderSize] - The border size of the channel (default 0) [tag:size] - Table width, fixed at 100% [tag:title] - The title of the provider or channel [tag:provider_cmds] - Inserts the channel command button links, for example, minimize and detach.
noCache.html - HTML META headers to prevent browser caching of the pages.	No tags
openFrontPage.js - Javascript to go back to the Desktop page.	No tags
openURLInParent.js - Javascript to open a URL in the parent window. Used in popup windows.	No tags
optionsTemplate.html - Template for the Options page of the Desktop.	[tag:noCache] - Inserts noCache.html template [tag:productName] - Product name [tag:openFrontPage] - Inserts openFrontPage.js template [tag:style] - Inserts style.html template [tag:banner] - Inserts banner.html template [tag:menubar] - Inserts menubar.html template [tag:inlineError] - Replaced with inlineError.html template if error has occured [tag:iwtDesktop-fontFace1] - Default font for the Desktop (sans-serif) [tag:serviceTimeout] - Provider Timeout in seconds [tag:layoutOneChecked] - Makes Radio button for layout one the default [tag:layoutTwoChecked] - Makes Radio button for layout two the default [tag:layoutThreeChecked] - Makes Radio button for layout three the default [tag:layoutFourChecked] - Makes Radio button for layout four the default
performColumnSubstitution.js - JavaScript used on the Layout page.	No tags
performSubstitution.js - JavaScript used on the Layout page.	No tags
popupMenubar.html - Menubar to be used in popup windows.	[tag:iwtDesktop-fontFace1] - Default font for the Desktop (sans-serif) [tag:productName] - Product name
popupTemplate.html - Used to show provider and channel content in detached windows. Similar to providerWrapper, but not in a table structure.	[tag:noCache] - Inserts noCache.html template [tag:productName] - Product name [tag:providerTitle] - Provider or Channel title [tag:openURLInParent] - Inserts openURLInParent.js template [tag:style] - Inserts style.html template [tag:popupMenubar] - Inserts popupMenubar.html template [tag:providerContent] - Content of the provider
providerWrapper.html - Template that all providers and channels use for layout on Desktop. Defines the look of the border of the providers and channels on the screen.	[tag:borderSize] - The border size of the channel [tag:size] - Table width, fixed at 100% [tag:iwtDesktop-fontFace1] - Default font for the Desktop (sans-serif) [tag:title] - Provider title [tag:provider_cmds] - Inserts the channel command button links, for example, minimize or detach. [tag:bgColor] - Background color [tag:content] - Provider or channel content inserted here
removeProvider.js - Not used.	No tags
selectAll.js - Javascript used on the Layout page.	No tags
style.html - Stylesheet/CSS information for the HTML pages.	No tags
switchColumns.js - Javascript used on the Layout page.	No tags
userTemplate.html - The base Desktop layout structure document. There is very little content in this file, since most of the the Desktop is swapped in during processing in the servlets. This is a good place to put global JavaScript variable initializations which may need to be used by the providers.	[tag:noCache] - Inserts noCache.html template. [tag:launchPopup] - Inserts launchPopup.js template [tag:detachedContent] - Provider content [tag:productName] - Product name [tag:style] - Inserts style.html template [tag:banner] - Inserts banner.html template [tag:inlineError] - Replaced with inlineError.html template if error has occured [tag:content] - Provider or channel content (HTML table) inserted here [tag:menubar] - Inserts menubar.html template
iwtTabProvider
editForm.html - Edit page template for creating and removing tabs.	[tag:iwtTabProvider.makeNewTab] - Inserts makeNewTab.html template [tag:iwtDesktop-fontFace1] - Default font for the Desktop (sans-serif) [tag:iwtTabProvider.removeRenameTab] - Inserts removeRenameTab.html template
makeNewTab.html - HTML used in editForm.html for creating a new tab.	[tag:iwtDesktop-fontFace1] - Default font for the Desktop (sans-serif) [tag:iwtTabProvider.tabTopics] - HTML for selecting a tab topic
removeRenameTab.html - HTML used in editForm.html for removing or renaming existing tabs.	[tag:iwtDesktop-fontFace1] - Default font for the Desktop (sans-serif) [tag:iwtTabProvider.tabList] - List of available tabs to remove
selectedTab.html - HTML used to show the currently selected tab on the Desktop.	[tag:iwtDesktop-fontFace1] - Default font for the Desktop (sans-serif) [tag:iwtTabProvider.tabName] - Tab name
tabs.html - Template of the tab provider on the Desktop.	[tag:tabs] - Inserts either tab.html or selectedTab.html depending on whether the current tab being drawn is selected [tag:editTabs] - Inserts editTabs.html template
tab.html - HTML used to show the unselected tab or tabs on the Desktop.	[tag:iwtDesktop-fontFace1] - Default font for the Desktop (sans-serif) [tag:iwtTabProvider.tabURL] - Tab URL (When Tab is clicked) [tag:iwtTabProvider.tabName] - Tab name
iwtWeatherProvider
This directory is not used	No tags

Customizing Desktop Top Level TABLE Attributes

The top level TABLE attribute definitions have been moved from being emitted directly by the FrontProvider Servlet to the userTemplate Desktop template file. All customized template directories under /etc/opt/SUNWips/desktop/ that contain an iwtDesktop/userTemplate.html file will be modified automatically by the installer to include the default TABLE attributes which were already being set by the FrontProvider.

As a result, the attributes can now be modified to provide more flexible control over the look and feel of the entire iPlanet Portal Server Desktop in addition to providing a means to use Cascading Style Sheets for themes, or JavaScript to change the TABLE attributes dynamically.

If the content tag ([tag:content]) was already removed from the userTemplate.html file prior to the service pack installation, the template will need to be updated manually in order for the portal contents to be displayed correctly.

Just below the inlineError tag ([tag:inlineError]) of each customized userTemplate.html file, add the following:

<!-- BEGIN TOP FULL PROVIDERS -->

<TABLE WIDTH=100% BORDER=0 CELLPADDING=2 CELLSPACING=0><TR><TD VALIGN=TOP><CENTER>

[tag:fullTopContent]

</CENTER></TD></TR></TABLE>

<!-- END TOP FULL PROVIDERS -->

<TABLE WIDTH=100% BORDER=0 CELLPADDING=0 CELLSPACING=4><TR>

<TD WIDTH=[tag:leftWidth]% VALIGN=TOP>

<!-- BEGIN LEFT PROVIDERS -->

[tag:leftContent]

<!-- END LEFT PROVIDERS -->

</TD>

<TD WIDTH=[tag:centerWidth]% VALIGN=TOP>

<!-- BEGIN CENTER PROVIDERS -->

[tag:centerContent]

<!-- END CENTER PROVIDERS -->

</TD>

<TD WIDTH=[tag:rightWidth]% VALIGN=TOP>

<!-- BEGIN RIGHT PROVIDERS -->

[tag:rightContent]

<!-- END RIGHT PROVIDERS -->

</TD></TR></TABLE>

<!-- BEGIN BOTTOM FULL PROVIDERS -->

<TABLE WIDTH=100% BORDER=0 CELLPADDING=2 CELLSPACING=0><TR><TD VALIGN=TOP><CENTER>

[tag:fullBottomContent]

</CENTER></TD></TR></TABLE>

<!-- END BOTTOM FULL PROVIDERS -->

Maximizing Desktop Channels

Individual channels on the iPlanet Portal Server Desktop can now be maximized. Maximizing a channel means that it is displayed on entire Desktop space between the horizontal menu bars. When a channel has been maximized, the banner and the menu bars are still visible.

If a channel is edited in the maximized state, its previous size will be restored once the edit is completed. Additionally, if the provider is detached while maximized, it will be re-attached in a restored state.This feature is also extended by adding the ability to tag-swap the providerName tag ([tag:providerName]) in the provider Desktop templates.

In order to maximize a provider channel, a URL should be constructed so that the channel's name appears at the end of the query string. The following is an example of a relative URL for a stocks channel:

/DesktopServlet?action=content&provider=iwtMaximizeProvider&targetprovider=stocks

Selecting this link from anywhere on the Desktop or explicitly setting it in the URL field of the web browser, after being fully qualified, will result in the stocks channel being maximized.

This maximize feature differs from the maximize functionality already built in to the Desktop as a provider command. When a provider has been minimized, the menu bar for the provider will contain a maximize button. Maximize, in this instance, will merely restore the provider to its original position and size on the Portal Desktop.

One example of how to use this new feature on the Desktop would be to create the maximize URL dynamically using the tag-swapping capability of the iPlanet Portal Server from within the providerWrapper.html template. The provider commands available are determined based on the policy for that provider and user. However, a maximize button could be inserted just prior to the provider_cmds tag so each provider could be independently maximized.

For example:

...

<TD BGCOLOR="#999999" NOWRAP>

<P ALIGN="RIGHT">

<A HREF="/DesktopServlet?action=content&provider

=iwtMaximizeProvider&targetprovider

=[tag:providerName]">

<IMG SRC="/desktop/images/b_maximize.gif" ALT="Maximize" BORDER=0></A>

<A HREF="/DesktopServlet?action=content&provider=iwtFrontProvider">

<IMG SRC="/desktop/images/b_attach.gif" ALT="Restore"

BORDER=0>[tag:provider_cmds]

</TD>

...

In this example, default Desktop images were used for two additional buttons—one to maximize the provider, and one to restore it to its original size. To avoid potential confusion for the end users, these buttons should be made unique if the providers will be allowed to minimize or detach.

Both the providerWrapper.html and userTemplate.html files could be changed to have only one image which would represent the current state of the provider (maximized or restored).

For example:

Add the following to the HEAD element of the userTemplate.html file:

...

<SCRIPT>

var pageLoc=this.location.href;

var isMaximized=pageLoc.search(/provider=iwtMaximizeProvider/);

function setProvState(provName) {

if (isMaximized == -1) {

document.location.href="/DesktopServlet?action=content&provider

=iwtMaximizeProvider&targetprovider="+provName;

}

else {

document.location.href="/DesktopServlet?action=content&provider

=iwtFrontProvider"

}

}

function setImgState() {

if (isMaximized == -1) {

document.images.provState.alt="Maximize";

document.images.provState.src="/desktop/images/b_maximize.gif";

}

else {

document.images.provState.alt="Restore";

document.images.provState.src="/desktop/images/b_attach.gif";

}

}

</SCRIPT>

...

Edit the providerWrapper.html template to look like the following:

...

<TD BGCOLOR="#999999" NOWRAP>

<P ALIGN="RIGHT">

<A HREF="javascript:setProvState('[tag:providerName]')">

<IMG SRC="/desktop/images/b_maximize.gif"

ALT="Maximize" NAME="provState" BORDER=0></A>

[tag:provider_cmds]

</TD>

...

The preceeding example uses JavaScript to determine whether the provider is maximized or not and to dynamically update the button and corresponding URL.

This example demonstrates how the provider maximization feature might be generally applied to the Desktop. Many other applications are possible. If Secure Remote Access Pack has been installed, verify that any reference to the maximize or restore URLs are rewritten correctly.

JavaServer Pages Provider

The JSP Provider allows you to use JavaServer Pages technology to write providers for Desktop channels. JSP Provider-based channels have the following attributes in addition to the attributes of other channels:

• contentPage - the JavaServer Page specification used to generate the HTML content for the channel through the provider's getContent method. The generated HTML must contain only those tags that are appropriate for display within a channel.

• editPage - the JavaServer Page specification used to generate the internal content for the edit form through the provider's getContent method displayed when the user selects the channel's Edit function. This page is optional, and if it is not specified, the isEditable method for the provider returns false.

• processPage - the JavaServer Page specification used to process the results of an edit page using the processEdit method.

The contentPage and editPage JSP specifications can be used in various combinations. For example, you can use a JSP specification to generate content while you can use Java™ code in the provider class to generate the edit page. Both have access to iPlanet Portal Server platform services.

Processing of the edit form consists of Java code that checks validity of the form entry and updates user preferences for the channel. The result is a display of the Desktop in the case of success or a display of the edit page in the case of a failure, possibly with some error information for the user.

To handle the processing of an edit form, the JSP-based provider has these options:

• Defining a processPage JSP. If defined, this JSP is invoked via a POST request and the JSP processes the results, either using a script or a bean or other Java class. The JSP must produce a redirect in the response. This redirect then becomes the return value for the provider's processEdit method.

• Extending the JSPProvider class and implementing the processEdit method. The processPage attribute is left blank.

Support for JSP-based channels is provided through a class called JSPProvider. The JSPProvider extends the ProfileProviderAdapter class to support other attributes for the channel by using the profile service.

When specifying a JSP in one of the JSP attributes, the path name is interpreted relative to the Desktop template directory using the same algorithm as for other Desktop templates, including the locale setting.

If the user's locale is de_DE, the Desktop type is SunBlue, and a JSP attribute is set to myChan/chan.jsp, the system would search for these JSP files:

/etc/opt/SUNWips/desktop/SunBlue_de_DE/myChan/chan.jsp

/etc/opt/SUNWips/desktop/SunBlue_de_DE/chan.jsp

/etc/opt/SUNWips/desktop/SunBlue/myChan/chan.jsp

/etc/opt/SUNWips/desktop/SunBlue/chan.jsp

/etc/opt/SUNWips/desktop/default_de_DE/myChan/chan.jsp

/etc/opt/SUNWips/desktop/default_de_DE/chan.jsp

/etc/opt/SUNWips/desktop/default/myChan/chan.jsp

/etc/opt/SUNWips/desktop/default/chan.jsp

Setting Cookies From A JSPProvider Channel

Cookies can now be set from JSP provider channels using response.addCookie(cookie_name) to amend the Set-Cookie response from the Desktop Servlet. For example, a personal cookie-based counter could be added to the out-of-box samplecontent.jsp by adding the following code to /etc/opt/SUNWips/desktop/desktop_name/samplecontent.jsp:

<%

int value=0;

Cookie[] cookArr = request.getCookies();

for ( int i=0; i < cookArr.length ; i++ ) {

Cookie acookie = cookArr[i];

if ( acookie.getName().equals("Counter") ) {

try

{

value= Integer.parseInt(acookie.getValue() );

value++;

out.println("According to your cookie counter, you have been here <B>"+

value +"</B> times.");

}

catch(Exception ex){}

}

}

Cookie nCook = new Cookie("Counter",String.valueOf(value));

nCook.setMaxAge(1500);

response.addCookie(nCook);

%>

When the default JSP provider channel is accessed, a cookie will now be set and the provider will indicate the cookie value plus one which represents the current number of visits to the page.

Reloading Templates without a Server Restart

When the Desktop accesses templates to generate content, it reads them from disk and caches them. All subsequent requests for the template are served from the cache.

The Desktop periodically checks to see if the disk files have been updated. If the disk file is newer than the cache, the template is re-cached based on the updated disk file.

The length of time between checking to see if the disk files have been updated is the template scan interval. This interval can now be changed in the administration console. Changing the template scan interval causes the Desktop to immediately check for changes to the disk files and then wait for the new interval value before re-checking again.

To change the template scan interval, complete the following steps:

1. Log on to the administration console as super administrator.

2. From the left frame, select the Management Platform Settings link.

3. Expand the Applications link.

4. Select the Desktop link.

5. In the Component Profile: Desktop page, edit the Template Scan Interval Field.

   ---

   Tip	The default value for the template scan interval is 900 seconds, or 15 minutes.

   ---

6. Select the Submit button, at the bottom of the page, and save the changes.

7. Select the Continue button on the Profile Successfully Updated page.

Tabbed Desktop

The Desktop can now use tabs to organize content. Tabbed Desktop pages can be individually modified to customize the Desktop.

The tab feature must be turned on for any given domain. By default, it is not active. The super administrator must enable the Tab Provider and then configure or remove tabs in a chosen domain.

Configuring the Tab Desktop

To enable Desktop tabs in a particular domain, complete the following steps:

1. Log on to the administration console as super administrator.

2. From the left frame, select the Manage Domains link.

3. Select a domain.

4. Expand the Applications link in the right frame.

5. Select the Desktop link.

6. At the bottom of the Profile: Desktop page, select Show Advanced Options.

7. In the Profile: Desktop page, scroll down to the Channels Field.

8. If the iwtTabProvider is shown in the Available Channels list, complete the following steps:
   1. Highlight iwtTabProvider in the Available Channels list.

   2. Select the arrow to move iwtTabProvider to the Selected Channels field.

9. If the iwtTabProvider is not shown in the Available Channels list, then complete the following steps:
   1. In the New Channel Name window, enter a new channel name, iwtTabProvider.

   2. In the Provider Class Name field, enter a new provider class:

      com.iplanet.portalserver.providers.tab.TabProvider

   3. In the Available Channels list, select Add to display iwtTabProvider in the Available Channels list.

   4. In the Available Channels list, highlight iwtTabProvider.

   5. Select the arrow to move iwtTabProvider to the Selected Channels field.

10. Scroll down the page and confirm that the Active Channel List Module contains a Tab Channel List entry. The Tab Channel List Module must be selected. For example:

    com.iplanet.portalserver.desktop.util.channellist.TabChannelList

11. In the Start Tab field, enter a tab name. The first tab default name is My Front Page.

    This Tab is always present on every Desktop in the domain and is not user configured.

12. In the Available Tabs field, edit the default tab conditions that the tab contains. Change the name, providers, and description to create a custom tab. For example:

    name=new tab|channels=iwtTabProvider;iwtUserInfoProvider;
    iwtIPInfoProvider;iwtSampleRss|desc=new tab description|
    removable=true|renamable=true

13. In the Tab Pattern field, enter the name of a tab content template, and the providers to be included.

14. In the Make From Scratch Tab field, enter a suitable heading and all content providers that appear on the Edit Tab Provider page. For example:

    name=Make From Scratch ...|channels=iwtTabProvider;iwtUserInfoProvider;
    iwtBookmarkProvider;iwtIPInfoProvider|desc=Design a tab from the ground up|
    removable=true|renamable=true

15. In the Maximum Number of Tabs field, provide the total number of tabs that can be on the Desktop.

    ---

    Tip	The default value is 4.

    ---

16. Select Submit to save the changes.

17. On the Profile Successfully Updated page, select Continue.

Configuring the Tab Provider on the Desktop

Users can configure the tabs on their Desktops. The tab's channel edit page allows users to create, rename, or remove tabs from their Desktops. In addition, users can select which tab should be present on the initial Desktop page.

To configure tabs, the user must complete the following steps:

1. As a user, log in to the iPlanet Portal Server Desktop.

2. From the tab banner, select Edit.

In the Edit Tab Provider page, the user can use a predefined tab content template by topic, or by choosing each channel for the new tab manually.

Creating Customized Tabs

To create custom tabs, the user must complete the following steps:

1. In the Edit Tab Provider page's Tab Name field, enter the name of the tab being created.

2. In the Tab Topics field, select Make From Scratch.

3. Select Finished at the bottom of the page.

4. In the Channels page, select the channels to display on the Desktop.

   ---

   Tip	During configuration of Desktop pages and layout, the administrator uses the administration console to determine which channels are thin and thick.

   ---

5. Select Finished at the bottom of the page to return to the Desktop.

Creating Default Content Tabs

To create a default content for a tab, the user must complete the following steps:

1. In the Edit Tab Provider's Tab Name field, enter the name of the tab being created.

2. In the Tab Topics field, select a pre-made Tab Content Provider.

3. Select Finished at the bottom of the page to return to the Desktop.

Aligning Tabs

Desktop tabs can now be aligned from the left side or the right side of the Desktop. By default, tabs are left-aligned.

To use tabs, the super administrator must enable the Tab Provider and then configure or remove tabs in a selected domain.

To change to right-to-left ordering of Desktop tabs, complete the following steps:

1. Log in to the administration console.

2. Select Manage Domains.

3. Select the domain for which you want to apply the changes.

4. Select the key next to Applications to expand the Application list.

5. Select Desktop to display the Profile: Desktop page.

6. From the Available Channels list, select iwtTabProvider.

7. Select Edit Channel to display the Profile: Tab Provider page.

8. Select Show Advanced Options at the bottom of the page.

9. Put a check mark in the check box labeled RTL Presentation.

10. Select Submit.

11. Select Continue when the console displays the Profile was successfully updated message.

Using Form Control

The Provider API now allows a channel to return either a complete HTML edit form, or a subset of a complete HTML page in response to a request for the edit page.

Provider API

Integer constants are added to the Provider interface that return values from the getEditType() method. These integer constants define the form type, return type, from the getEditType() method:

public static final int provider.EDIT_SUBSET ;

public static final int provider.EDIT_COMPLETE ;

New methods query and set the form type.

public int getEditType();

The Desktop uses the getEditType() method so that it knows to expect either a complete or subset HTML form to be returned when calling channel.getEdit().

These restrictions apply to what can be returned from getEdit() when the edit type is equal to EDIT_COMPLETE:

• This method returns a complete, valid, HTML form.

• The form is an encoding type of application/x-www-form-urlencoded.

• The form must contain the correct parameters for instructing the Desktop to process the page, as defined in editTemplate.html.

• The following parameters must be present in the submitted form:
  • action=process

  • provider="iwtEditProvider"

  • targetprovider=target channel name

• The form action must be /DesktopServlet. When returning a complete HTML form, a channel must submit valid actions to the Desktop as defined in the Desktop URL Javadoc software.

Provider Attributes

For channels that extend the ProfileProviderAdapter class, a new attribute can be defined in the profile component:

</iwt:Att>

<iwt:Att name="iwtProvider-editType"

desc="Edit Form Type"

type="singlechoice"

idx=""

userConfigurable="TRUE">

<Val>edit_subset</Val>

<CVal>edit_subset</CVal>

<CVal>edit_complete</CVal>

<Rperm>ADMIN</Rperm><Rperm>OWNER</Rperm>

<Wperm>ADMIN</Wperm>

</iwt:Att>

The default value is different for each provider. Variations to this might include turning off write permission for OWNER, if one or the other edit type was not implemented.

All iPlanet Portal Server default channels return Provider.EDIT_SUBSET. Modifying the -editType attribute causes a malfunction. A new channel must return Provider.EDIT_SUBSET, or Provider.EDIT_COMPLETE depending on how the getEdit() method is implemented.

Locking Channel Positions

Administrators can now lock a channel's position so that the user cannot change its position or remove it from the Desktop. The purpose is to force the user to see particular content.

The Layout page that allows the user to arrange channels on the Desktop does not list locked channels.

To lock a channel's position, complete the following steps:

1. Log in to the administration console and select Manage Domains.

2. Select the domain and select Profiles and Policy.

3. Deselect the Movable check box for the channel to lock the channel's position.

   ---

   Tip	If you select the Movable check box, the user can move channels around in the Desktop.

   ---

4. Deselect the Removable check box, so that the channel cannot be removed from the Desktop.

   ---

   Tip	If you select the Removable check box, the user can remove channels from the Desktop.

   ---

5. Select Submit.

To unlock a channel's position, complete the following steps:

1. Log in to the administration console and select Manage Domains.

2. Select the domain and select Profiles and Policy.

3. Select the Movable check box for the channel to unlock the channel's position.

   ---

   Tip	If you select the Movable check box, the user can move channels around in the Desktop.

   ---

4. Select the Removable check box so the channel can be removed from the Desktop.

   ---

   Tip	If you select the Removable check box, the user can remove channels from the Desktop.

   ---

5. Select Submit.

Setting Up Full-Width Channels

The Portal Server Desktop can now display full-width channels. A full-width channel spans the width of the Desktop, either at the top or bottom.

To configure a full-width channel, complete the following steps:

1. Log in to the administration console and select Manage Domains.

2. Select your domain and select Applications and Desktop.

3. Select the channel to modify and select Edit Channel.

4. Select Show Advanced Options.

5. Modify Width to either full_top or full_bottom.

6. Select Submit.

Setting Up Frameless Channels

The Portal Server Desktop can now display unframed channels. A frameless channel is one that is displayed without a title, controls, and a border or frame.

To configure a frameless channel, complete the following steps:

1. Log in to the administration console and select Manage Domains.

2. Select your domain and select Applications and Desktop.

3. From the list of available channels, select the channel you want to present without a border.

4. Select Edit Channel and select Show Advanced Options.

5. Deselect the Framed? check box if it is selected.

   ---

   Tip	If the Framed? check box is selected, the channel is displayed with a title, controls, and border.

   ---

6. Select Submit.

   ---

   Note	To modify just the border of the channel, edit the hasBorder attribute in the Policy page.

   ---

Default Login Channel Templates Changes

The Login Provider Channel template files now use the POST method for improved security when submitting the login forms. This change provides the choice of using the POST or GET methods in customized login channels.

Using the POST method is more secure because it prevents the password from showing up in the server logs, URLs and bookmarks.

Forwarding Cookies

The URL scraper can now forward cookies passed in the HTTP request to the Desktop. That is, the URL scraper sends cookies when it makes a connection to the target site to retrieve the content it is scraping. The URL scraper also sends set-cookie requests to the browser. That is, it gets all cookies from set-cookie headers and adds them to the HTTP response to the client browser.

By default, no cookies are forwarded. For the affected domain, role or user, the administrator must use the administration console to set the list of cookies to forward.

To forward cookies, complete the following steps:

1. Log in to the administration console and select Manage Domains.

2. Select your domain and select Profiles and Policy.

3. Change the entries in the allow and deny lists for the Cookies To Forward privilege for the channel.

   A * entry allows or denies all cookies. Other entries are compared using a prefix match.

Using Non-iPlanet Portal Server Cookie Management

Multiple cookies containing the same name and the same path can be stored, as long as the domain is not explicitly set to the same value. By default, the domain value is the fully qualified hostname of the server that originally set the cookie.

To set your own cookies:

1. Log in to the iPlanet Portal Server administration console.

2. Select Gateway Management.

3. Select Manage Gateway Profile.

4. Select the Non Portal Server Cookie Management check box.

If the cookie is in a different domain from the server (for example, if scraping a page to the iPlanet Portal Server Desktop that sets its own cookie), complete the following steps:

1. Add that cookie to the Forward Cookie URL List.

2. Select Submit.

3. Select Continue when the console displays the message Profile was successfully updated.

4. Select Server Management.

5. Select Manage Server Profile.

6. Add the cookie domain name to the Cookie Domain List and select Add.

   ---

   Tip	Use this format to add the domain name: .domain_name.com Note the . that precedes the name. For example: .sesta.com

   ---

7. Select Submit.

8. Select Continue when the console displays the Profile was successfully updated message

9. Log out of the administration console and restart the server and gateway.

If the cookie is set from the same domain as the server, complete the following steps:

1. Select Submit.

2. Select Continue when the console displays the Profile was successfully updated message

3. Log out of the administration console and restart the server and gateway.

Enabling Access to HTTP Requests and Responses

Providers can now access HTTP request and response headers. This change is desirable for single sign-on, setting cookies, getting parameters from the HTTP headers, and for inserting data into the headers.

Three new methods in the Content Provider interface are available to provide this. The methods are:

• public StringBuffer getContent(HttpServletRequest req, HttpServletResponse res);

• public StringBuffer getEdit(HttpServletRequest req, HttpServletResponse res);

• public URL processEdit(HttpServletRequest req, HttpServletResponse res);

These methods in the ProviderAdapter and ProfileProviderAdapter classes call the getContent, getEdit, and processEdit methods.

Table 5 is a two column table that lists the indicated methods for the HttpServletRequest and HttpServletResponses objects. The first column lists the method name and the second column lists the return values.

Table 5    HttpServletRequest and HttpServletResponses 

getSession(boolean)	Null
isRequestedSessionIdFromCookie()	False
isRequestedSessionIdFromUrl()	False
isRequestedSessionIdValid()	False
getContentLength()	-1
getInputStream()	UnsupportedOperationException
getParameter(String)	uses internal Map to return parameter
getParameterNames()	uses internal Map to return names
getParameterValues(String)	uses internal Map to return values
getReader()	UnsupportedOperationException
encodeRedirectUrl(String)	arg
encodeUrl(String)	arg
sendError(int)	UnsupportedOperationException
sendError(int, String)	UnsupportedOperationException
sendRedirect(String)	UnsupportedOperationException
setStatus(int)	UnsupportedOperationException
setStatus(int, String)	UnsupportedOperationException
getOutputStream()	UnsupportedOperationException
getWriter()	UnsupportedOperationException
setContentLength(int)	UnsupportedOperationException
setContentType(String)	UnsupportedOperationException

Setting Session Time-out Units

The session time out unit of measurement is now in minutes.

To set the session time-out to the maximum possible value, complete the following steps:

1. Log on to the administration console as super administrator.

2. Select Manage Domains.

3. Select the name of the desired domain.

4. Select Session under Profiles.

5. Make value of Maximum Idle Time to the maximum value of: 153722867280912930.

6. Make value of Maximum Session Time to the maximum value of: 153722867280912930.

7. Select Submit.

Running Desktop Applications on Macintosh Clients

NetFile and NetMail applications now work on a Macintosh similarly to the way they work on other supported platforms.

The Netlet application, when used on a Macintosh, however, does not support the dynamic loading feature. If the Netlet is enabled, Macintosh clients automatically load the Netlet when the Netlet Channel is enabled on the Desktop.

Table 6 is a two column table that lists the minimum system requirements for running the Netlet, NetMail, and NetFile applications on Macintosh clients. The first column contains the system component name, and the second column describes the minimum requirements for that component.

Table 6    Minimum system requirements for running Portal Server applications on Macintosh clients

Component	Description
Operating environment	Macintosh 8.6 - 9.2.2
Browser	Microsoft Internet Explorer 5.0
Java Virtual Machine	Macintosh OS Runtime for Java (MRJ) 2.2.3

---

Gateway Changes

This section provides details about gateway changes in iPlanet Portal Server. It contains the following topics:

• Configuring Multiple Gateway Instances

• Using Wildcards In JavaScript Rewriter Rules

• Disabling Client-Side Caching of Redirected Content

• Advanced Rewriter Concepts

• Gateway Logging

• Rewriting JavaScript Variables in JavaScript

• Rewriting JavaScript Functions with a Single Parameter

• Rewriting Javascript Functions with Multiple Parameters

• Editing Rewrite Applet/Object Parameter Values

• Denying Unknown Certificate Authorities

• Setting the Number of Socket Connection Retries

• Using Outlook Web Access 2000

• Inactive Attributes

Configuring Multiple Gateway Instances

It is now possible to configure multiple gateway instances on a single system, with the following caveats:

• All instances on a single system must be associated with the same profile and platform server instances.

• Each gateway instance needs a unique IP address to bind to, with a hostname in DNS.

• All gateway instances associated with the same profile server instance must listen on the same port, for example, 443, and use the same protocol, for example, HTTPS.

Updated Command Options

The ipsgateway script in install_base/SUNWips/bin now supports several new options. Table 7 is a two column table that describes the new ipsgateway command options. The first column contains the command, and the second column provides a description of the new command.

The following examples assume that the commands are being run from the directory in which they reside.

Table 7    New Command Options

Command	Description
ipsgateway create fully_qualified_instance_name	Adds a new gateway instance listening on fully_qualified_instance_name
ipsgateway delete fully_qualified_instance_name	Deletes the instance listening on fully_qualified_instance_name
ipsgateway startall	Starts all instances
ipsgateway stopall	Stops all instances

In addition, the following commands in install_base/SUNWips/bin now accept an optional instance name argument to specify the instance to target:

• ipsgateway start [fully_qualified_instance_name]

• ipsgateway stop [fully_qualified_instance_name]

• ipsgateway watchdog on|off [fully_qualified_instance_name]

• certadmin [fully_qualified_instance_name]

• checkipsgw [fully_qualified_instance_name]

The instance created at install time is considered the default instance, and is addressed using the above commands with no hostname argument. The default instance cannot be deleted.

There is also a copy of the ipsgateway script in the /etc/init.d directory.

Creating Multiple Gateway Instances

You can create multiple instances of the iPlanet Portal Server gateway, after you install the iPlanet Portal Server gateway.

Unless you have a multi-homed system and wish to have individual gateway instances for each physical interface, you will need to configure a virtual interface for each gateway instance to bind to. For more information on configuring virtual interfaces, refer to InfoDoc 15659 at http://www.sunsolve.sun.com.

By default, the minimum and maximum JVM heapsize value for the default instance is 512Mb and 768Mb respectively, and for additional instances is 256Mb and 384Mb respectively. If you configure a large number of instances, you may want to change these values in the ipsgateway script, to avoid exhausting physical memory.

To create a new gateway instance, perform the following steps.

1. Configure a virtual interface for the new IP address. Refer to InfoDoc 15659.

2. Add a forward and reverse entry in DNS for this IP address. When creating a new gateway instance, use the fully qualified hostname that you gave this IP address in DNS as the instance name.

   After the iPlanet Portal Server gateway has been installed, and the appropriate interfaces are established, do the following to create a new gateway instance:

3. As root enter the following commands:

   
   
   

   # cd /opt/SUNWips/bin # ipsgateway create fully_qualified_instance_name

   
   
   

4. When prompted, answer the questions.

   ---

   Note	If the gateway is listening on all interfaces, the script prompts you to choose only one interface. You can accept the default gateway interface or enter another one for the gateway to listen on.

   ---

   
   
   

   Your default instance currently binds to all IP addresses.

   Enter the FQDN of the IP address it should bind to. [gateway.sesta.com]:

   IP address in DNS for gateway.sesta.com: 192.168.01.03.

   Restart default instance, and start new instance when complete? [y/n]: y

   About to create new gateway instance:

   Hostname = gwinstance2.sesta.com

   IP address = 192.168.01.07

   About to reconfigure default gateway instance:

   Hostname = gateway.sesta.com

   IP address = 192.168.01.03

   Continue? [y/n]: y

   Creating self-signed certificate for gwinstance1.sesta.com:

   NOTE: Field entries cannot contain an = character.

   All Fields are mandatory, if left blank they

   will be filled by some default values

   What is the fully-qualified DNS name of this host? [gwinstance2.sesta.com]

   What is the name of your organization (ex: Company)? [] mycompany

   What is the name of your organizational unit (ex: division)? [] mydivision

   What is the name of your City or Locality? [] mycity

   What is the name (no abbreviation please) of your State or Province? [] my state

   What is the two-letter country code for this unit? [] US

   Token name is needed only if you are not using the default internal (software)

   cryptographic module, for example, if you want to use a crypto card (Token names

   could be listed using: modutil -dbdir /etc/opt/SUNWips/cert.gwinstance1.red.iplanet.com -list);

   Otherwise, just hit Return below.

   Please enter the token name []

   Enter the name you like for this certificate: certificate2

   creating passphrase to be used for the certificate...

   IMPORTANT: Remember this passphrase, it may be needed later

   Enter passphrase []

   Verify (re-enter) passphrase []

   
   
   

After creating the instance, do the following to add the instance name and default portal domain for that instance:

1. Add the new gateway instance name to the Platform Gateway list.
   1. Log on to the administration console as super administrator.

   2. From the left frame select the Sever Management link.

   3. Select Manage Server Profile.

   4. Add the new gateway instances to the Gateway List. For example,

      gateway2.sesta.com

2. Add the default portal domain for that instance.

   This is the domain that the gateway instance will contact if one is not specified by the client. The domain is specified by adding the following to the Domain URLs list of that domain:

   1. From the left frame, select Manage Domains.

   2. Click on the Domain.

   3. Click on the Authentication Link.

   4. Add the gateway URLs to the Domain URLs list using the following format:

      gateway_instance_name

      gateway_instance_ame/portal_domain

      gateway_instance _ipaddress

      gateway_instance_ipaddress/portal_domain

Alternatively, use the ipsadmin command line utility to:

1. Update the Platform Gateway list by retrieving the iwtPlatform component profile.

2. Edit the iwtPlatform-gateways attribute, and update the Domain URLs list by retrieving the domain profile and editing the iwtAuth-domainURL attribute.

Using Wildcards In JavaScript Rewriter Rules

The JavaScript rewriting ability has been extended to include the ability to use wildcards for rules that can be added to the Rewrite JavaScript Variables in the URLs section of the Gateway Profile. This helps reduce the number of similar rules necessary to represent the same basic JavaScript content. It also allows the creation of rules to represent complex JavaScript content that makes proficient use of the JavaScript object model where arrays are used to access data values.

Previously, if the content looked like:

document.all["IMG"+img].src = "../../images/"

The only solution would be to change the code in a manner similar to the following:

up2dir = "../../" document.all["IMG"+img].src = up2dir+"images/"

and add up2dir to the Rewrite JavaScript Variables In URLs section of the Gateway Profile.

It is now possible to define a rule such as document.all*.src in the same section of the iPlanet Portal Server Gateway Profile.

Disabling Client-Side Caching of Redirected Content

A new entry has been added to the /etc/opt/SUNWips/platform.conf file called allow.client.caching. This controls the caching behavior of non-Desktop content redirected through the gateway.

Setting allow.client.caching value to false will result in a pragma:no-cache header being set for any content retrieved by the gateway. This ensures that no Portal content accessed by remote users will be cached on their local machine, regardless of their individual browser caching options if they are using at least an HTTP 1.0 compliant browser.

For example, if the iPlanet Portal Server has been deployed to take advantage of its authentication and secure remote access features, but not the Desktop itself, setting allow.client.caching to false will prevent whatever content is redirected after successful authentication from being cached on the user's local machine.

Limitations and Considerations

Setting allow.client.caching to false, will dramatically increase the load on the gateway component. Caching itself exists to eliminate unnecessary server requests for static content. However, in a secure environment, the performance ramifications of not allowing client caching of content may be outweighed by the added security of content not being permanently, even temporarily, stored on a remote machine. This might be the case when a remote employee is accessing sensitive corporate intellectual property from a public Internet kiosk.

Additionally, a Microsoft Internet Explorer 5.x limitation exists in which helper applications cannot load encrypted data with associated MIME types not handled internally by the browser if a "no-caching" header is set. The same is true for saving encrypted files to a different location on disk.

Internet Explorer has its own functionality for preventing the permanent caching of SSL pages. This functionality can be configured using an advanced browser setting called "Do Not Save Encrypted Pages To Disk." When this option is not enabled, Internet Explorer first decrypts the SSL data, then caches it in the clear prior to handing the decrypted copy to a helper application like Word for .doc files. This functionality is not related to the iPlanet Portal Server itself, since it affects users accessing any SSL-enabled web server in the same way. When the "Do Not Save Encrypted Pages To Disk" option is enabled, the behavior appears to be exactly the same, except the browser cleans up after itself by removing the decrypted data from the cache directory once it is handed off to the helper application.

Therefore, the iPlanet Portal Server allow.client.caching option should not be set to false if Internet Explorer will be a supported client by the deployed portal, with end users downloading or saving files locally that are not registered to be handled internally by the browser itself.

Caching Alternatives

Many secure portal deployments need to work around the browser no-cache header limitation for SSL pages. Working around the browser no-cache header can be difficult if the browsers are not under corporate IT control. If the browsers are under IT control however, a custom Internet Explorer browser can be built using the Internet Explorer Administrator Kit (IEAK).

With the IEAK, the advanced browser option "Do Not Save Encrypted Pages to Disk" can be locked down in an enabled state. If the iPlanet Portal Server gateway is running https, no pages accessed by the client will be cached. This essentially works around the limitation of encrypted pages having to be decrypted and cached prior to being passed to a helper application. Such is the case when this browser option is not enabled. With the default iPlanet Portal Server platform.conf entry allow.client.caching set to true, Internet Explorer browsers can access any pages through the gateway regardless of whether they need helper applications to launch without caching any data.

To limit access and possible caching by other browsers, logic can be added to /etc/opt/SUNWips/auth/[your_template_dir]/login_template.html that disallows their login, and possibly usage.

For example:

<HEAD>

<TITLE>Login</TITLE>

<SCRIPT>

function checkBrowser() {

if (navigator.userAgent.toLowerCase().indexOf("msie") > 0 ) {

// NOP

}

else {

document.location.href="/other_browser_error.html";

}

}

</SCRIPT>

</HEAD>

<BODY BGCOLOR="#ffffff" onLoad="checkBrowser();"

onResize="this.history.go(-1);">

Alternately, multiple gateways may be used with a redirector in front basing its decision on the userAgent. This would enable allow.client.caching to be set to false on one iPlanet Portal Server gateway accessed by Netscape clients and set to true on a different gateway accessed by Internet Explorer clients (customized using IEAK or with a downloaded activeX plugin that would enforce the "Do Not Save Encrypted Pages To Disk" option enabled). Because SRAP licenses are based on the number of users instead of CPUs, having multiple gateway hardware boxes will not affect software costs for the same number of users.

Using the same psuedo-code as above for an Internet Explorer-only solution, the multi-browser solution might look as follows:

<HTML>

<HEAD>

<TITLE>http://portal.iplanet.com</TITLE>

<SCRIPT>

function checkBrowser() {

if (navigator.userAgent.toLowerCase().indexOf("msie") > 0 ) {

document.location.href="https://ie-portal.iplanet.com";

}

else {

document.location.href="https://ns-portal.iplanet.com";

}

}

</SCRIPT>

</HEAD>

<BODY BGCOLOR="#ffffff" onLoad="checkBrowser();">

SP;</BODY>

</HTML>

Advanced Rewriter Concepts

Two new Gateway Profile sections have been added. They are advanced configuration options and should be used only as a last resort for difficult rewriting problems that have no other workaround.

• Rewriting JavaScript Function Parameters in Fractured HTML

• Rewriting JavaScript Function Parameters Which Appear as JavaScript Or as A URL

To access these new Gateway Profile sections:

1. Log in to the Administration Console.

2. Select Gateway Management.

3. Select Manage Gateway Profile.

4. Scroll to the bottom of the frame and select Show Advanced Options.

   The two new advanced Gateway Profile sections should be available for configuration.

Rewriting JavaScript Function Parameters in Fractured HTML

This Gateway Profile section is suitable for search, rewrite, and replace applications where JavaScript language dynamically creates HTML through multiple document.write function calls. For example:

...

document.writeln('<FORM METHOD=GET');

document.writeln('ACTION="../servlet/'+ name + '">');

...

In this particular case, the FORM tag is broken up by multiple document.writeln() function calls, and the rewriter is unable to determine that ACTION is an HTML tag attribute of the FORM tag. In order to rewrite correctly, the URL pattern ../servlet/ needs to be added to the Rewrite JavaScript Function Parameters in Fractured HTML section of the Gateway Profile.

Rewriting JavaScript Function Parameters Which Appear as JavaScript Or as A URL

Some JavaScript functions do not differentiate the context of what can be passed to the function as a parameter. This additional Gateway Profile section allows for some ambiguity in rewriting JavaScript function parameters. Specifically, this new Gateway Profile section allows the rewriting of JavaScript function parameters that are themselves either JavaScript or a URL. For example:

...

Target("name", "javascript:top.location='http://www.yahoo.com'");

Target("name2", "http://www.google.com");

...

In this example, a function target has been created whose second function parameter can either be a URL or a JavaScript statement. To rewrite this correctly, Target:,y would be added to Rewrite JavaScript Function Parameters in JavaScript or a URL, instead of Rewrite JavaScript Function Parameters.

Redirecting URLs That Are Relative to the Server Root

URLs that are relative to the server root are resolved using the browser's URL field or may be constructed by using built-in scripting methods created from the browser's URL field. If the request to fetch the URL contains a Referer header (such as requests for embeded images) a redirection will be created so that the browser asks for the correct, rewritten, fully qualified URL.

If no Referer header exists, a 404 not found HTTP error will be returned instead. For example, the following message will be thrown in iwtGateway logs:

"Response

HTTP/1.0 404 Not Found

Date: Wed, 05 Feb 2003 20:00:50 PST

"

2/5/03 8:00:50 PM PST: Thread[Thread-198,5,main]

--> Session: Request:

GET HTTP/1.0

Host: null

Accept: */*

Referer:

http://showcase2.notes.net/mail/test123myname.nsf/($Inbox)/ED515AE20F1B

162885256CBF000BC4FC/?OpenDocument&PresetFields=s_ViewName;%28%24Inbox%29,s_Fr om

Mail;1

Warning: Rewriter misconfigured for embedded URL /myweb/webpage.gif

from Referer: <URLString here>

By turning on message level logging and testing the gateway access to internal content with Service Pack 5, it may now be possible to use the logs as a self-help mechanism for finding things that should be added to the Gateway profile.

Gateway Logging

Gateway logging is now disabled by default because logging traffic between the gateway and the server can affect portal performance.

Administrators can use the administration console to enable gateway logging.

To enable gateway logging, complete the following steps:

1. Log on to the administration console as super administrator.

2. From the left frame, select the Gateway Management link.

3. In the right frame, select the Manage Gateway Profile link to display the Component Profile: Gateway page.

4. At the bottom of the page, select Show Advanced Options.

5. Select the Logging Enabled check box.

6. Select Submit.

7. Select Continue when the console displays the Profile was successfully updated message.

8. Use these commands to stop and restart the gateway:

   
   
   

   # /opt/SUNWips/bin/ipsgateway stop # /opt/SUNWips/bin/ipsgateway start

   
   
   

Rewriting JavaScript Variables in JavaScript

The entries in this list are the names of the JavaScript variables which are in turn expressed in JavaScript, and which is rewritten by the gateway.

The iPlanet Portal Server administration console's Gateway Profile page contains the Rewrite JavaScript Variables in JavaScript list.

If the list has the following entries:

• jsvarjs1

• jsvarjs2

and the rewriter's input is:

<html>

<script language="JavaScript">

var jsvarjs1 = "var1 = 'url1'; + some_var;

var jsvarjs2 = "func2('url2');" + some_var;

</script>

</html>

The gateway tries to rewrite the right-hand sides of both jsvarjs1 and jsvarjs2.

• If there is an entry var1 in Rewrite JavaScript Variables in URL, then url1 is rewritten.

• If there is an entry func2:y in Rewrite JavaScript Function Parameters list, then url2 is rewritten.

Rewriting JavaScript Functions with a Single Parameter

The gateway wraps the matched parameters with a function called iplanet, which does the actual rewriting when the browser interprets the page.

The iPlanet Portal Server administration console's Gateway Profile page contains the Rewrite JavaScript Function Parameters Function list. This is the syntax for entries in this list:

java_script_function_name: [y|], [y|], ...

Example

If the list has an entry:

func1:y

and the rewriter's input is:

<html>

<script language="JavaScript">

...

func1("http://" + some_func() + some_var);

</script>

</html>

Then the output becomes:

<html>

<script language="JavaScript">

...

func1(iplanet("http://" + some_func() + some_var));

function iplanet(url) {

...

}

</script>

</html>

Rewriting Javascript Functions with Multiple Parameters

The gateway rewrites JavaScript variables or JavaScript functions according to existing rules specific to that variable, or function, in the gateway profile.

The gateway tries to rewrite the matched parameters. A matched parameter in JavaScript is either in the form of a JavaScript variable or a JavaScript function.

The iPlanet Portal Server administration console's Gateway Profile page contains the Rewrite JavaScript Function Parameters list. Each entry in the list has the following syntax:

java_script_function_name: [y|], [y|], ...

If the list has an entry:

func1:y,,y

and the rewriter's input is:

<html>

<script language="JavaScript">

func1("func2('url2');", 500, var3='url3');

</script>

</html>

The gateway tries to rewrite func2 and var3.

• If there is an entry var3 in Rewrite JavaScript Variables in URLs, then url3 is rewritten.

• If there is an entry func2:y in Rewrite JavaScript Function Parameters list, then url2 is rewritten

Editing Rewrite Applet/Object Parameter Values

Administrators can now use the administration console to edit the Rewrite Applet/Object Parameter Values list on the Gateway Profile page.

This is the syntax for entries in this list:

object_of_applet/object_url applet_class/object_classid applet/object_parameter_name [url_pattern]

• If url_pattern is omitted, the value of the applet/object parameter is examined as a single URL, and the gateway rewrites accordingly.

• If url_pattern is included, the gateway rewrites according to the pattern matching.
  • The url_pattern consists of *, or **, plus the separation character used in the original parameter value to separate multiple fields. One wildcard (*) matches any field that is not to be rewritten. Two wildcards (**) match any field that is to be rewritten. The separation character could be , or |.

  • The last field to be rewritten does not have to be indicated by **. The url_pattern matches the start of the string in the parameter value, and the remainder of the value is considered a URL to be rewritten.

Example

If the gateway receives this request for the URL:

http://some_server/some_dir/some.html

And this is the response:

<applet archive=iplanet.jar code=iplanet.class>

<param name=server1 value="url1">

<param name=server2 value="url2">

<param name=server3 value="0|234|test|url3">

<param name=anotherParam value="yes,5,url4>

</applet>

<object classid="clsid:D27CDB6E-AE6D" codebase="url5"

<param name="movie" value="url6">

<param name="video" value="url7,2,url8">

</object>

</html>

Table 8 is a two column table that contains examples of entries for the Rewrite Applet/Object parameter Values List. The first column provides an example value that is entered in the list. The second column provides a description of how the URL is rewritten.

Table 8    Rewrite Applet/Object Parameter Values List

Value	Description
some.html iplanet.class *	No parameter value is rewritten, because object_of_applet/object_url does not match the object of the request URL.
/some_dir/some.html iplanet.class *	url1 and url2 are rewritten. url3 and url4 are not rewritten because they are embedded within strings that do not appear to be URLs as they do not start with /, http or https.
/some_dir/some.html iplanet2.class *	No parameter value is rewritten because iplanet2.class does not match the value of the applet code attribute or the object classid attribute.
* * server* *|*|*|	url3 is rewritten because *|*|*| matches 0|234|test|.
/some_dir/some.html clsid:D27CDB6E-AE6D \ movie	url6 is rewritten.
/some_dir/some.html clsid:D27CDB6E-AE6D \ video **,*,**	url7 and url8 are rewritten because the first ** matches the position of url7, and the second ** matches the position of url8.