7/9

3 Product Documentation

Oracle iPlanet Web Server 6.1 SP12 is the last release at which the entire documentation set for Oracle iPlanet Web Server 6.1 was updated. Subsequent to the 6.1 SP12 release, updates and corrections to 6.1 documentation are provided in this Release Notes document; see Section 3.1, "Corrections and Updates to 6.1 SP12 Manuals."

The Oracle iPlanet Web Server 6.1 SP12 documentation is available online in PDF and HTML formats at:

http://download.oracle.com/docs/cd/E19857-01/index.html.

Table 3-1 Oracle iPlanet Web Server 6.1 Documentation Roadmap

For Information About	See
Late-breaking information about the software and documentation	Oracle iPlanet Web Server Release 6.1 SP21 Release Notes (this document)
Information about Web Server 6.1 FastCGI plug-in, including information about server application functions (SAFs), installation, configuration, technical notes, and pointers to additional resources.	FastCGI Plug-in Release Notes
Information about Web Server 6.1 Reverse Proxy plug-in, including information about server application functions (SAFs), installation, configuration, technical notes, and pointers to additional resources.	Reverse Proxy Plug-in Release Notes
Getting started with Web Server, including hands-on exercises that introduce server basics and features (recommended for first-time users)	Getting Started Guide
Performing installation and migration tasks: Installing Web Server and its various components, supported platforms, and environments Migrating from Sun ONE Web Server 4.1 or 6.0 to Web Server 6.1	Installation and Migration Guide Note: Java ES patches for Oracle iPlanet Web Server 6.1 were provided up to release 6.1.12. The information in this section is applicable only to release 6.1.12 and earlier releases. If Sun Java Enterprise System 1 is installed on your system and you want to upgrade the Oracle iPlanet Web Server 6.1 that is part of Sun Java Enterprise System 1 to Oracle iPlanet Web Server Release 6.1 SP21, you must use the Java Enterprise System (JES) installer to perform the upgrade. Do not use the separate component installer included with Oracle iPlanet Web Server Release 6.1 SP21.
Performing the following administration tasks: Using the Administration and command-line interfaces Configuring server preferences Using server instances Monitoring and logging server activity Using certificates and public key cryptography to secure the server Configuring access control to secure the server Using Java 2 Platform, Standard Edition (J2SE platform) security features Deploying applications Managing virtual servers Defining server workload and sizing the system to meet performance needs Searching the contents and attributes of server documents, and creating a text search interface Configuring the server for content compression Configuring the server for web publishing and content authoring using WebDAV	Administrator's Guide
Using programming technologies and APIs to do the following: Extend and modify Web Server Dynamically generate content in response to client requests Modify the content of the server	Programmer's Guide
Creating custom Netscape Server Application Programmer's Interface (NSAPI) plugins	NSAPI Programmer's Guide
Implementing servlets and JavaServer Pages ( JSP) technology in Web Server	Programmer's Guide to Web Applications
Editing configuration files	Administrator's Configuration File Reference
Tuning Web Server to optimize performance	Performance Tuning, Sizing, and Scaling Guide

3.1 Corrections and Updates to 6.1 SP12 Manuals

The following sections describe corrections and updates to Oracle iPlanet Web Server 6.1 SP12 manuals:

• New Information About Case Sensitivity of HTTP Header Names

• Extraneous Information in Setting Access Rights

• Incorrect Information About net_read() Return Value

• Incorrect Information About PathCheck Flow Control

• Incorrect Instructions for Stopping schedulerd Control Daemon

• Upgrade Fails in HP_UX When Upgraded From Oracle Web Server SP12/ SP14 to Web Server SP17

• Incorrect Information on HTTP/1.1 Compliance

• New Example to Understand the IP Attribute

• "Incorrect Information About the Default Value"

• "Set-cookie Header Appended with the HttpOnly Option"

• "Supported Directory Servers"

• "Description of Processes for a Web Server Instance"

• "TLS Communication through Certain Load Balancers Breaks in 6.1 SP15 and Later Releases (6.1 SP17 and later Releases on HP-UX)"

3.1.1 New Information About Case Sensitivity of HTTP Header Names

Section 4.2 of the HTTP/1.1 standard (http://www.ietf.org/rfc/rfc2616.txt) states that HTTP header names are case-insensitive. When processing header names, Web Server 6.1 converts the names to all-lowercase.

3.1.2 Extraneous Information in Setting Access Rights

The section Setting Access Rights in the Sun Java System Web Server 6.1 SP12 Administrator's Guide contains the following inaccurate note. Please ignore this note.

Note:

Although the following methods are present in the code, they are not included in the document above: revlog, getattribute, getattributename, getproperties, startrev, stoprev, edit, unedit, save, setattribute, revadd, revlabel and destroy.

3.1.3 Incorrect Information About net_read() Return Value

The section net_read in the Sun Java System Web Server 6.1 SP12 NSAPI Programmer's Guide contains incorrect information about the return value for the net_read() function. The correct information is:

Returns

The number of bytes read, which will not exceed the maximum size, sz. A negative value is returned if an error has occurred, in which case errno is set to the constant ETIMEDOUT if the operation did not complete before timeout seconds elapsed.

The number of bytes read, which will not exceed the maximum size, sz. A negative value is returned if an error has occurred, in which case errno is set to one of the following constants:

• ETIMEDOUT if the read operation did not complete before timeout seconds elapsed.

• EAGAIN if non-blocking I/O is enabled on the socket descriptor and the socket was temporarily unavailable.

• EWOULDBLOCK if non-blocking I/O is enabled on the socket descriptor and the read operation would have blocked.

3.1.4 Incorrect Information About PathCheck Flow Control

The section "PathCheck" in the Sun Java System Web Server 6.1 SP12 NSAPI Programmer's Guide contains incorrect information.

Incorrect:

If the NameTrans directive assigned a name or generated a physical path name that matches the name or ppath attribute of another object, the server first applies the PathCheck directives in the matching object before applying the directives in the default object.

Correct:

If the NameTrans directive assigned a name or generated a physical path name that matches the name or ppath attribute of another object, the server first applies the PathCheck directives in the default object before applying the directives in the matching object.

3.1.5 Incorrect Instructions for Stopping schedulerd Control Daemon

The section "Using Schedulerd Control-based Log Rotation (UNIX/Linux)" in the Sun Java System Web Server 6.1 SP12 Administrator's Guide contains incorrect information about stopping the schedulerd control daemon

Incorrect:

export PID_FILE=/opt/SUNWwbsvr/https-admserv/logs/scheduler.pid
kill -9 -`cat $PID_FILE`
    - rm $PID_FILE

Correct:

export PID_FILE=/opt/SUNWwbsvr/https-admserv/logs/scheduler.pid
kill -9 `cat $PID_FILE`
     rm $PID_FILE

3.1.6 Upgrade Fails in HP_UX When Upgraded From Oracle Web Server SP12/ SP14 to Web Server SP17

Upgrade from Oracle Web Server SP12 or SP 14 to Web Server SP17 fails in HP_UX operating system.

Workaround:

1. Go to <install root>/plugins/include/nspr path.

2. Run the ls -l command and find all the files that have non-existing symbolic links.

3. Remove the files that have non-existing symbolic links using the command rm <file names>.

4. Run the Web server SP17 installer to upgrade the instance.

Note:

This upgrade issue exists only in the HP_UX operating system.

3.1.7 Incorrect Information on HTTP/1.1 Compliance

The section "About Hypertext Transfer Protocol (HTTP)" in Sun ONE Web Server 6.1 Administrator's Guide lists outdated RFC number.

Incorrect:

The iPlanet Web Server 4.x supports HTTP 1.1. Previous versions of the server supported HTTP 1.0. The server is conditionally compliant with the HTTP 1.1 proposed standard, as approved by the Internet Engineering Steering Group (IESG) and the Internet Engineering Task Force (IETF) HTTP working group. For more information on the criteria for being conditionally compliant, see the Hypertext Transfer Protocol—HTTP/1.1 specification (RFC 2068).

Correct:

The iPlanet Web Server 6.1 supports HTTP 1.1. Previous versions of the server supported HTTP 1.0. The server is conditionally compliant with the HTTP 1.1 proposed standard, as approved by the Internet Engineering Steering Group (IESG) and the Internet Engineering Task Force (IETF) HTTP working group. For more information on the criteria for being conditionally compliant, see the Hypertext Transfer Protocol—HTTP/1.1 specification (RFC 2616).

The section "Compliance" in Sun Java System Web Server 6.1 SP12 NSAPI Programmer's Guide lists outdated RFC number and incorrect link.

Incorrect:

For more information on the criteria for being conditionally compliant, see the Hypertext Transfer Protocol -- HTTP/1.1 specification (RFC 2068) at:

http://www.ietf.org/rfc/rfc2068.txt?number=2068

Correct:

For more information on the criteria for being conditionally compliant, see the Hypertext Transfer Protocol -- HTTP/1.1 specification (RFC 2616) at: http://www.ietf.org/rfc/rfc2616.txt

3.1.8 New Example to Understand the IP Attribute

The following is an example to understand the IP attribute mentioned in the section "ACL File Syntax" in Oracle iPlanet Web Server 7.0.9 Administrator's Configuration File Reference:

deny (all) ip ="*";

allow (read, execute, info) (ip="10.186.81.*") or (ip="10.159.184.187");

If there is no wildcard, do the following:

deny (all) ip ="*";

allow (read, execute, info) (ip="10.186.81.155,10.159.184.187");

3.1.9 Incorrect Information About the Default Value

The section "AcceptTimeout" in Sun Java System Web Server 6.1 SP7 Administrator's Configuration File Reference contains incorrect information about the default value.

Incorrect:

30 seconds for servers that don't use hardware encryption devices and 300 seconds for those that do.

Correct:

The default value of the AcceptTimeout parameter is always 30 seconds.

3.1.10 Set-cookie Header Appended with the HttpOnly Option

A new property named httponlysessioncookie has been added to JAVA element of the server.xml configuration file. By default, this property is true and ;HttpOnly is appended to the set-cookie header. When the value is set to false, ;HttpOnly is not appended. You can set this property by changing the server.xml configuration file.

Starting from Oracle iPlanet Web Sever 6.1.18, the set-cookie header value is being appended by ;HttpOnly due to security reasons. If you do not wish to append ;HttpOnly to the set-cookie header, do the following :

Set the httponlysessioncookie property of the JAVA element in server.xml configuration file to false.

3.1.11 Supported Directory Servers

The following versions of LDAP directory servers are supported:

• Oracle Directory Server Enterprise Edition 11gR1 (11.1.1.3+)

• Oracle Virtual Directory 11gR1 (11.1.1.3+)

• Oracle Internet Directory 11gR1 (11.1.1.3+)

3.1.12 Description of Processes for a Web Server Instance

For Unix, the invocation of a web server instance brings up a single watchdog process, which brings up a primordial process, which in turn launches a worker process. The watchdog process is named webservd-wdog, whereas both the primordial process and the worker are named webservd. The worker process waits for HTTP requests and processes them to generate HTTP responses. The other two processes together provide limited High Availability functionality. If the worker process crashes or goes down, then the primordial process brings up another instance of the worker process. If the primordial process goes down, then the watchdog process must bring up another instance of it.

For Windows, the primordial process is not used.

3.1.13 TLS Communication through Certain Load Balancers Breaks in 6.1 SP15 and Later Releases (6.1 SP17 and later Releases on HP-UX)

When you use certain load balancers, such as F5 Networks' BIG-IP, to distribute client requests to iPlanet Web Server 6.1 SP15 and later releases (6.1 SP17 and later Releases in HP-UX), TLS communication using CBC ciphers (such as TLS_RSA_WITH_AES_256_CBC_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA) breaks. BIG-IP and, possibly, other load balancers are unable to forward responses from the Oracle iPlanet Web Server instances to the clients.

The NSS version included in Oracle iPlanet Web Server release 6.1 SP15 (and later) implements split data packets. BIG-IP and some other load balancers might not be able to handle split data packets.

Workaround

Caution:

This workaround removes the fix introduced in release 6.1 SP15 (6.1 SP17 in HP-UX) for the CVE-2011-3389 security vulnerability.

1. Stop the server.

2. In the startserv script, set the environment variable NSS_SSL_CBC_RANDOM_IV to 0.

   The startserv script is located in the instance_dir/bin directory. On Windows, for example, add the following line in the startserv script:

   set NSS_SSL_CBC_RANDOM_IV=0

3. Start the server.

3.2 Documentation, Support, and Training

The Oracle web site provides information about the following additional resources:

• Documentation: http://www.oracle.com/technetwork/documentation/index.html

• Support: http://support.oracle.com/

• Training: http://education.oracle.com/pls/web_prod-plq-dad/db_pages.getpage?page_id=315