Oracle® iPlanet Web Server Release Notes
Release 7.0.27

E18789-23

3 Product Documentation

The Oracle iPlanet Web Server 7.0 documentation is provided in the following formats:

Oracle iPlanet Web Server 7.0.9 is the last release for which the entire documentation set for 7.0 was updated. Subsequent to the 7.0.9 release, updates and corrections to Oracle iPlanet Web Server 7.0 documentation are provided in this Release Notes document; see Documentation Corrections, Enhancements, and Issues Resolved.

This chapter contains the following sections:

Web Server Documentation Set

The Web Server documentation set describes how to install and administer the Web Server.

For an introduction to Web Server, refer to the books in the order in which they are listed in Table 3-1.

Table 3-1 Web Server Documentation

Document Title Contents

Oracle iPlanet Web Server Release Notes  (this document)

  • Late-breaking information about the software and documentation

  • Supported platforms and patch requirements for installing Web Server

Oracle iPlanet Web Server Installation and Migration Guide

Performing installation and migration tasks:

  • Installing Web Server and its various components

  • Migrating data from Sun ONE Web Server 6.0 or Sun Java System Web Server 6.1 to Oracle iPlanet Web Server 7.0

Oracle iPlanet Web Server Administrator's Guide

Performing the following administration tasks:

  • Using the Administration and command-line interfaces

  • Configuring server preferences

  • Using server instances

  • Monitoring and logging server activity

  • Using certificates and public key cryptography to secure the server

  • Configuring access control to secure the server

  • Using Java Platform, Enterprise Edition (Java EE) security features

  • Deploying applications

  • Managing virtual servers

  • Defining server workload and sizing the system to meet performance requirements

  • Searching the contents and attributes of server documents, and creating a text search interface

  • Configuring the server for content compression

  • Configuring the server for web publishing and content authoring using WebDAV

Oracle iPlanet Web Server Troubleshooting Guide

Using programming technologies and APIs to do the following:

  • Extending and modifying Web Server

  • Dynamically generating content in response to client requests and modifying the content of the server

Oracle iPlanet Web Server NSAPI Developer's Guide

Creating custom Netscape Server Application Programmer's Interface (NSAPI) plug-ins

Oracle iPlanet Web Server Developer's Guide for Java Web Applications

Implementing Java Servlets and JavaServer Pages (JSP) technology in Web Server

Oracle iPlanet Web Server Administrator's Configuration File Reference

Editing configuration files

Oracle iPlanet Web Server Performance Tuning, Sizing, and Scaling Guide

Tuning Web Server to optimize performance

Oracle iPlanet Web Server Command-Line Reference

Administration commands that allow you to administer Web Server through the CLI

Documentation Corrections, Enhancements, and Issues Resolved

The following table lists the corrections and enhancements to the Oracle iPlanet Web Server 7.0.9 documentation, and documentation issues resolved.

Issue ID Description

6932016

How to work around the Verisign EV cert chain issue with a new built-in CA root.

See Web Server Migration and Upgrade Issues.

6965828

Clustered instances must be synchronized before accepting a request after restarting.

See Additional Information About Configuring a Web Application for Session Replication.

6968560

Document how to upgrade a certificate chain.

See Updating a Certificate Chain.

6971148

Change security context for JDK libraries on SELinux.

See Issues Resolved in 7.0.9.

6977258

CR6611067 in WS7.0 release notes not correct.

See Issues Resolved in 7.0.9.

6977268

All request header names are returned as lowercase.

See Web Server Core Issues.

6989578

Incorrect reference to remove SUNWlxml package from the system in 7.0 release notes.

See Solaris 10 (SPARC and x86) Patches.

6989830

Link to "Supported Virtualization Technologies with Oracle Fusion Middleware" is not correct.

See System Virtualization Support.

6991930

GDD document has multiple typos in the "Hung or Unresponsive" chapter.

See Corrections to the Procedure for Gathering Debug Data on a Hung or Unresponsive Web Server Process.

6993379

Java ES installation and upgrade notes need a correction.

See Installation, Migration, and Upgrade Notes.

6993705

Timeout parameter should be described in the http-client-config table list.

See Information About timeout Parameter of http-client-config.

6994415

%duration% measured in milliseconds in Red Hat Linux (doc mentions microseconds).

See Clarification About Unit of Time Used for the %duration% Log Parameter.

6996370

Web Server 7.0 startup error when obj.conf has valid <If> fn="rewrite" <Else> inside.

See Web Server Core Issues.

7022621

JDK versions supported for WS7

See Supported JDKs.

12306447

Docs need to provide information on how to protect a resource.

See Information About Securing a URI Using an Authentication Database.

12777290

Doc has the incorrect -d "com.iplanet.ias.server.logging.serverlogmanager".

See Correction to JVM Option Example.

12989862

Fix request for 6932016 should add info regarding 7003615.

See problem ID 6932016 in Table 2-5.

13011275

Add minimum required memory and minimum recommended disk space to release notes.

See Supported Platforms.

13540300

Doc bug regarding default value of keep-alive threads.

See Correction to Default Number of Keep-Alive Threads.

13560430

Description of limit queue length not correct.

See Clarification About the Limit Queue Length Shown in the perfdump Report.

13889880

7.0.13 patch causes problems with F5-BigIP.

See TLS Communication Through Certain Load Balancers Breaks in 7.0.13 and Later Releases.

14512832

Search collections does not support PDF 9.0.

See Search Collections Does Not Support PDF 9.0.

12068601

Information about the htpasswd command.

See Information about the htpasswd Command.

14469503

Create .noStartOnBoot file to control autostart.

See Create .noStartOnBoot File to Control Autostart.

14664654

The information about the parameter max-procs is no longer valid.

See Invalid Information About the Parameter max-procs.

16576024

The button to copy the configuration is called Duplicate not Copy.

See The Button to Copy the Configuration is called Duplicate not Copy.

16589719

Information about the sticky cookie parameter.

See Information on the Sticky Cookie Parameter.

16758897

Unable to create an ACL based on the incoming referrer header.

See Unable to Create an ACL Based on the Incoming Referrer Header.

17835893, 17888070, 17920072

New configuration option for get/set properties in auth.db.

See New Configuration Option to Get/Set Properties in the auth-db.

18278817

Lists the components you can use with a custom log format.

See Components for Use with Custom Log Format.

21744964

Information about the io-timeout element for HTTP Settings.

See Information about the io-timeout Element for HTTP Settings.

21440256

Information about the NetWriteTimeout Parameter.

See Information about the NetWriteTimeout Parameter.

15963420

Information about default value of ssl3-tls-cipher suite.

See Default Value of ssl3-tls-cipher Suite.

Updating a Certificate Chain

The information in the Installing a Certificate Chain section of the Oracle iPlanet Web Server 7.0.9 Administrator's Guide also applies to updating certificate chains, so the title of the section should be "Installing or Updating a Certificate Chain".

Corrections to the Procedure for Gathering Debug Data on a Hung or Unresponsive Web Server Process

The Sun Gathering Debug Data for Sun Java System Web Server technical note contains errors in "To Gather Debug Data on a Hung or Unresponsive Web Server Process", specifically in Step 5 of the procedure.

The following is the corrected Step 5.

5. Run the following commands and save the output.

Solaris:

    ps -ef | grep server-root
    vmstat 5 5
    iostat [ -t ] [ interval [ count ] ]
    top
    uptime

HP-UX:

    ps -ef | grep server-root
    vmstat 5 5
    iostat [ -t ] [ interval [ count ] ]
    top
    sar

Linux:

    ps -aux | grep server-root
    vmstat 5 5
    top
    uptime
    sar

Windows:

  1. Obtain the WEB process PID:

    C:\windbg-root>tlist.exe
    
  2. Obtain the process details of the WEB running process PID:

    C:\windbg-root>tlist.exe web-pid
    

Clarification About Unit of Time Used for the %duration% Log Parameter

According to Using the Custom Log File Format of Oracle iPlanet Web Server 7.0.9 Administrator's Configuration File Reference, the %duration% log parameter indicates the time Web Server spent handling the request in microseconds.

Note the following clarification:

  • On Solaris and AIX, Web Server calculates and records the time in microseconds.

  • However, on Windows, HP-UX, and Linux, Web Server calculates the time in milliseconds and records it in microseconds.

Additional Information About Configuring a Web Application for Session Replication

The Configuring a Web Application for Session Replication section of Oracle iPlanet Web Server 7.0.9 Administrator's Guide describes the procedure to enable the server to replicate sessions.

The first step in the procedure is to modify the session-manager element in the sun-web.xml configuration file. When doing so, you must, in addition, set the reapIntervalSeconds property to 1 second, as shown in the following example:

<sun-web-app>
   <session-config>
      <session-manager persistence-type="replicated">
         <manager-properties>
            <property name="reapIntervalSeconds" value="1"/>
         </manager-properties>
      </session-manager>
   </session-config>
</sun-web-app>

Setting reapIntervalSeconds to 1 second ensures that session data is not missed during session failover; that is, clustered instances are synchronized after restarting before new requests are accepted.

For more information about reapIntervalSeconds, see manager-properties Element in Oracle iPlanet Web Server 7.0.9 Developer's Guide to Java Web Applications.

Information About timeout Parameter of http-client-config

Table 7–60 http-client-config Parameters of Oracle iPlanet Web Server 7.0.9 Administrator's Configuration File Reference does not list the timeout parameter, which can be used to configure the Web Server to time out after a specified duration.

The timeout parameter can be configured by using the http-client-config ObjectType function in obj.conf as follows:

ObjectType fn="http-client-config" timeout="value"

This configuration parameter instructs the reverse proxy to close the connection to the origin server if the origin server does not respond to a request within the specified timeout period. Note that this parameter does not signify that the request has to be completed within the timeout period.

The default value of the timeout parameter is 300 seconds.

For more information about reverse proxy configuration, see http://docs.oracle.com/cd/E19146-01/821-1828/ghquv/index.html.

Introducing exclude-escape-chars Parameter in http-client-config

Oracle iPlanet Web Server escapes many characters. The exclude-escape-chars parameter can be used to avoid escaping specific characters, such as % & " < > \r \n + * '

The exclude-escape-chars parameter can be configured by using the http-client-config ObjectType function in obj.conf as follows:

ObjectType fn="http-client-config" exclude-escape-chars="+%"

PID File Disappears in Red Hat Linux

On the Red Hat Linux operating system, the PID file disappears and the server cannot be stopped. To overcome this situation, change the temp-path value in the server.xml file to a location where the server user has exclusive rights, as shown in the following example:

<temp-path>/var/tmp/https-test-73d21d24</temp-path>

Another option to resolve this situation is to exclude the temp-directory in the tmpwatch program.

Token Name

The token name that is used for the password-file option in the wadm CLI must be in lowercase letters, as shown in the following example.

wadm_internal

Using SMF on Solaris 10

If you choose to use SMF to control the administration server, it is recommended that you also use SMF to manage all other instances. This enables all instances to be controlled independently.

Problem with set-cookie Header

Starting with the 7.0.9 release, ;HttpOnly is appended to the set-cookie header value for security reasons. If you do not want ;HttpOnly appended to the set-cookie header, do the following:

Set the httponly-session-cookie property of the servlet-container element in the server.xml configuration file to false.

A new property named httponly-session-cookie has been added to the servlet-container element of the server.xml configuration file. By default, this property is true and ;HttpOnly is appended to the set-cookie header. When this property is set to false, ;HttpOnly is not appended. You can set this property by using the set-servlet-container-prop CLI command or the Servlet Container page of the administration console.

Information About Securing a URI Using an Authentication Database

Managing Users and Groups in the Oracle iPlanet Web Server 7.0.9 Administrator's Guide describes how to create authentication databases and how to create users and groups. However, it does not describe how to use an authentication database to secure a URI.

To secure a URI (say /docs) by using an authentication database (say authdb_docs), create an ACL for the configuration, or for a virtual server, with /docs as the URI and authdb_docs as the authentication database, as described in http://docs.oracle.com/cd/E19146-01/821-1828/gczyo/index.html.

Correction to JVM Option Example

In the section Adding a JVM Option of the Oracle iPlanet Web Server 7.0.9 Administrator's Guide, the following JVM option that is provided as an example is incorrect:

-Djava.util.logging.manager=com.iplanet.ias.server.logging.ServerLogManager

The correct option is the following:

-Djava.util.logging.manager=com.sun.webserver.logging.ServerLogManager

Correction to Default Number of Keep-Alive Threads

The Oracle iPlanet Web Server 7.0.9 Administrator's Configuration File Reference shows the default value of the number of keep-alive threads as 1. That value is not correct.

The default value of the number of keep-alive threads is set to the number of processors in the system.

Clarification About the Limit Queue Length Shown in the perfdump Report

The Oracle iPlanet Web Server 7.0.9 Performance Tuning, Sizing, and Scaling Guide describes the Limit Queue Length parameter shown in the perfdump report, incorrectly, as "maximum size of the connection queue".

Note that Limit Queue Length is the limit on the maximum number of connections queued. This limit depends on the availability of file descriptors.

TLS Communication Through Certain Load Balancers Breaks in 7.0.13 and Later Releases

When you use certain load balancers, like F5 Networks' BIG-IP, to distribute client requests to Oracle iPlanet Web Server 7.0.13 (and later releases), TLS communication using CBC ciphers (such as TLS_RSA_WITH_AES_256_CBC_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA) breaks. BIG-IP and, possibly, other load balancers are unable to forward responses from the Oracle iPlanet Web Server instances to the clients.

The NSS version included in Oracle iPlanet Web Server release 7.0.13 (and later) implements split data packets. BIG-IP and some other load balancers might not be able to handle split data packets.

Workaround

Caution:

This workaround removes the fix introduced in release 7.0.13 for the CVE-2011-3389 security vulnerability.

  1. Stop the server.

  2. In the startserv script, set the environment variable NSS_SSL_CBC_RANDOM_IV to 0.

    The startserv script is located in the instance_dir/bin directory. On Windows, for example, add the following line in the startserv script:

    set NSS_SSL_CBC_RANDOM_IV=0
    
  3. Start the server.
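
The following check is an added example, not part of the Oracle release notes: it reports instances whose startserv script carries this workaround, so that instances running without the CVE-2011-3389 fix can be found and reviewed. The function names, the startserv.bat file name on Windows, and the sample instance directories are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not Oracle code): report startserv scripts that set
# NSS_SSL_CBC_RANDOM_IV to 0, i.e. instances running without the
# CVE-2011-3389 fix described above.

# Matches an active assignment in sh form (optionally with "export") or in
# Windows batch form ("set ..."). Lines commented out with '#', 'rem' or '::'
# do not match because the assignment must start the line.
CBC_IV_PATTERN='^[[:space:]]*((export|set)[[:space:]]+)?NSS_SSL_CBC_RANDOM_IV="?0"?([[:space:];]|$)'

# audit_cbc_iv INSTANCE_DIR...
# Prints "<script>:<line number>:<line>" for every hit.
# Returns 1 if any script disables the fix, 0 otherwise.
audit_cbc_iv() {
    rc=0
    for dir in "$@"; do
        # instance_dir/bin/startserv is the location given in the text;
        # the glob also picks up a startserv.bat (assumed Windows name).
        for script in "$dir"/bin/startserv*; do
            [ -f "$script" ] || continue
            # /dev/null as a second file makes grep print the file name.
            if grep -n -i -E "$CBC_IV_PATTERN" "$script" /dev/null; then
                rc=1
            fi
        done
    done
    return "$rc"
}

# Constructed sample instances (hypothetical names) for a self-contained run.
make_constructed_instances() {
    root=$1
    for name in https-clean https-commented https-lb-sh https-lb-win; do
        mkdir -p "$root/$name/bin"
    done
    printf '#!/bin/sh\necho starting\n' > "$root/https-clean/bin/startserv"
    printf '#!/bin/sh\n# NSS_SSL_CBC_RANDOM_IV=0\nNSS_SSL_CBC_RANDOM_IV=1; export NSS_SSL_CBC_RANDOM_IV\n' \
        > "$root/https-commented/bin/startserv"
    printf '#!/bin/sh\nNSS_SSL_CBC_RANDOM_IV=0; export NSS_SSL_CBC_RANDOM_IV\n' \
        > "$root/https-lb-sh/bin/startserv"
    # Batch file with CRLF line endings, as on Windows.
    printf '@echo off\r\nset NSS_SSL_CBC_RANDOM_IV=0\r\n' \
        > "$root/https-lb-win/bin/startserv.bat"
}

demo_root=$(mktemp -d)
make_constructed_instances "$demo_root"
if audit_cbc_iv "$demo_root"/https-*; then
    echo "No startserv script disables the CBC random-IV fix."
else
    echo "The scripts listed above run with the CVE-2011-3389 fix disabled."
fi
rm -rf "$demo_root"
```

On a real host, pass the instance directories to audit_cbc_iv instead of the constructed ones; a non-zero return status marks at least one instance for review.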

Search Collections Does Not Support PDF 9.0

A search collection indexes and stores information about documents (.html, .htm, .txt, and .PDF) on the server. Once the server administrator indexes all or some of a server's documents, information such as title, creation date, and author is available for searching.

Note that PDF documents of version 9.0 or later versions are not supported for search collections.

For more information, see the Oracle iPlanet Web Server 7.0.9 Administrator's Guide.

Information about the htpasswd Command

The htpasswd command is used to generate or modify a password file suitable for use with the htaccess access control mechanism.

The htpasswd usage is as follows:

htpasswd [-c] passwordfile username [password]

In this command, -c creates a new passwordfile (overwriting an old one if it exists). Without -c, the command modifies the existing file by either updating the user's password (if the user already exists) or adding a new user with the given name. If the optional password argument is not specified, the command prompts interactively for the password.

Note:

htaccess is not the preferred access control mechanism in Web Server. Wherever possible, use ACLs instead.

Create .noStartOnBoot File to Control Autostart

By default, the scripts that are created, as described in the Oracle iPlanet Web Server 7.0.9 Installation and Migration Guide, will start up all web server instances.

You can control the automatic starting of a specific web server instance by creating the file .noStartOnBoot under the root directory of that instance.

Invalid Information About the Parameter max-procs

The FastCGI section of the Oracle iPlanet Web Server 7.0.9 Administrator's Guide contains information about the max-procs parameter. This parameter is not valid, and the information about it should be ignored.

The Button to Copy the Configuration is called Duplicate not Copy

According to the section, Resolving Service ID Conflicts on Windows of the Oracle iPlanet Web Server 7.0.9 Installation and Migration Guide, the Copy button on the Admin Console Configurations page can be used to copy the configuration.

Note that the name of the button is Duplicate not Copy.

Information on the Sticky Cookie Parameter

The section Configuring Reverse Proxy in Web Server of the Oracle iPlanet Web Server 7.0.9 Migration Guide contains information about the reverse proxy configuration. The following is additional information on the sticky cookie parameter:

  • When you configure sticky load balancing, you must correctly identify the name of the session cookie used by the backend server, and use that name as the value of the sticky-cookie parameter of the set-origin-server SAF. The default value of sticky-cookie is JSESSIONID. If the backend server uses a different sticky cookie name, set the sticky-cookie parameter value accordingly instead of using the default name.

  • An irregular HTTP response from a backend server, for example a response with a mismatching content-length, can force the Route subsystem to assume that the backend has gone 'bad' and mark it as offline. In such a case, sticky cookie load balancing can break.

Unable to Create an ACL Based on the Incoming Referrer Header

According to the section To Create an ACL of the Oracle iPlanet Web Server 7.0.9 Developer's Guide, it is possible to create an ACL based on the 'Referer' header in the incoming request.

Note:

The header is called Referrer and not Referer.

When an ACL is configured within the Web Server to use the 'Referrer' header in the incoming request, the request fails and you get the following error message:

[09/Jan/2013:08:32:55] security (18472): for host 1.2.3.4 trying to GET /index.html, acl-state reports: HTTP5187: access of /prods/web/709/https-referer_acl/docs/index.html denied because evaluation of ACL uri=/index.html directive 2 failed

Workaround:

The functionality to use the 'Referrer' header in an incoming request in the processing of an ACL is not built into the core functionality of the Web Server. The functionality is provided in one of the sample plugins that ship with the product:

For example, for Oracle iPlanet Web Server 7.0: /<server_root>/samples/nsacl.

With Oracle iPlanet Web Server 7.0, the samples are not installed by default. They have to be manually selected during the installation of the product. Do the following to install the NSAPI sample plugin:

  1. Build the NSAPI sample plugin nsacl. The environment must be set up with a compiler in the following path:

    1. cd /<server_root>/samples/nsacl

    2. gmake

  2. To install the sample plugin in the Web Server, do the following:

    1. Edit the magnus.conf file to include:

      Init fn="load-modules" shlib="/prods/web/709/samples/nsacl/example.so" funcs="las_ref_init"

      Init fn="acl-register-module" module="lasref" func="las_ref_init"

    2. Deploy the manual changes.

    3. Restart the Web Server.

  3. Create the ACL entry.

    1. Edit either the default.acl file or the ACL file for the relevant virtual server to include the following:

      acl "uri=/index.html";
      authenticate (user,group)
      {database = "keyfile";
      method = "basic"; };
      deny (all)
      user = "anyone";
      allow (all)
      referrer = "test";
      
    2. Deploy the manual changes.

    3. Restart the Web Server.

Note:

On Oracle iPlanet Web Server 7.0.16 and earlier versions, the lasref.c file needs to be edited with the following change:

Change line 75 from

rq->request_is_cacheable &= ~NSAPICacheAccelSafe;

To

rq->request_is_cacheable = 0;

This issue has been addressed in Oracle iPlanet Web Server 7.0.17.

New Configuration Option to Get/Set Properties in the auth-db

A new configuration option, followreferrals, is added for the auth-db. This option applies to LDAP auth-dbs and is set to true by default.

You can use the CLI get-ldap-authdb-prop and set-ldap-authdb-prop commands, or the Admin GUI pages, to get/set this configuration as needed. This option also applies for the LDAP auth-db used in the admin server.

Components for Use with Custom Log Format

The section Configuration File Reference in http://docs.oracle.com/cd/E19146-01/821-1827/index.html of the Oracle iPlanet Web Server 7.0.9 Migration Guide contains information about the log format used by Web Server to customize the format of log files. The following is additional information on components supported for use with a custom log format.

  • DNS Time: %Req->vars.xfer-time-dns%

  • Connect Wait Time: %Req->vars.xfer-time-cwait%

  • Full Wait Time: %Req->vars.xfer-time-fwait%

  • Initial Wait Time: %Req->vars.xfer-time-iwait%

  • Total Wait Time(sec): %Req->vars.xfer-time-total%

  • Total Wait Time(msec): %Req->vars.xfer-time%

Information about the io-timeout Element for HTTP Settings

Table 3-22 in Oracle iPlanet Web Server 7.0.9 Administrator's Configuration File Reference shows incorrect information about the io-timeout element.

The correct description for io-timeout is given in the table below:

Element      Occurrences   Description

io-timeout   0 or 1        The maximum time (in seconds) that the server waits for an individual packet. The value can be from 0.001 to 3600.

Information about the NetWriteTimeout Parameter

Oracle iPlanet Web Server 7.0 supports the NetWriteTimeout parameter in the obj.conf file to configure the write timeout. The value of this parameter is specified in seconds.

For example, to configure a 60-minute timeout, specify the value as follows:

NetWriteTimeout 3600

Default Value of ssl3-tls-cipher Suite

The ssl3-tls-cipher elements configure SSL3 and TLS cipher suites. The corresponding value of each ssl3-tls-cipher element is given in the table below:

Element                                   Value

SSL_RSA_WITH_RC4_128_MD5                  False
SSL_RSA_WITH_RC4_128_SHA                  True
SSL_RSA_WITH_3DES_EDE_CBC_SHA             True
SSL_RSA_WITH_DES_CBC_SHA                  False
SSL_RSA_EXPORT_WITH_RC4_40_MD5            False
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5        False
SSL_RSA_WITH_NULL_MD5                     False
SSL_RSA_WITH_NULL_SHA                     False
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA        False
SSL_RSA_FIPS_WITH_DES_CBC_SHA             False
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA        True
TLS_ECDHE_RSA_WITH_NULL_SHA               False
TLS_ECDHE_RSA_WITH_RC4_128_SHA            True
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA       True
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA        True
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA         True
TLS_ECDH_RSA_WITH_RC4_128_SHA             True
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA        True
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA         True
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA       True
TLS_ECDH_ECDSA_WITH_RC4_128_SHA           True
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA      True
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA       True
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA      True
TLS_ECDHE_ECDSA_WITH_NULL_SHA             False
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA          True
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA     True
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA      True
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA       False
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA        False
TLS_RSA_WITH_AES_128_CBC_SHA              True
TLS_RSA_WITH_AES_256_CBC_SHA              True
TLS_RSA_WITH_SEED_CBC_SHA                 True
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA         True
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA         True
TLS_RSA_WITH_AES_128_CBC_SHA256           True
TLS_RSA_WITH_AES_128_GCM_SHA256           True
TLS_RSA_WITH_AES_256_CBC_SHA256           True
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256   True
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256   True

Tab to Change Pre-compressed Settings is Content Handling tab not Content Management tab

According to the section Configuring the Server to Serve Pre-Compressed Content of the Oracle iPlanet Web Server 7.0.9 Administrator's Guide, the Content Management tab on the Virtual Server page can be used to change the pre-compressed content settings.

Note that the name of the tab is Content Handling and not Content Management.

Documentation, Support, and Training

The Oracle web site provides information about the following additional resources: