Oracle® iPlanet Web Server Release Notes Release 7.0.27 E18789-23 |
The Oracle iPlanet Web Server 7.0 documentation is provided in the following formats:
Manuals: You can view the Oracle iPlanet Web Server 7.0 manuals and release notes in HTML and in PDF formats.
Online help: Click the Help button in the graphical interface of the product to view context-sensitive help.
Oracle iPlanet Web Server 7.0.9 is the last release for which the entire documentation set for 7.0 was updated. Subsequent to the 7.0.9 release, updates and corrections to Oracle iPlanet Web Server 7.0 documentation are provided in this Release Notes document; see Documentation Corrections, Enhancements, and Issues Resolved.
The Web Server documentation set describes how to install and administer the Web Server.
For an introduction to Web Server, refer to the books in the order in which they are listed in Table 3-1.
Table 3-1 Web Server Documentation
Document Title | Contents |
---|---|
Oracle iPlanet Web Server Release Notes (this document) |
|
Performing installation and migration tasks:
|
|
Performing the following administration tasks:
|
|
Using programming technologies and APIs to do the following:
|
|
Creating custom Netscape Server Application Programmer's Interface (NSAPI) plug-ins |
|
Oracle iPlanet Web Server Developer's Guide for Java Web Applications |
Implementing Java Servlets and JavaServer Pages (JSP) technology in Web Server |
Oracle iPlanet Web Server Administrator's Configuration File Reference |
Editing configuration files |
Oracle iPlanet Web Server Performance Tuning, Sizing, and Scaling Guide |
Tuning Web Server to optimize performance |
Administration commands that allow you to administer Web Server through the CLI |
The following table lists the corrections and enhancements to the Oracle iPlanet Web Server 7.0.9 documentation, and documentation issues resolved.
Issue ID | Description |
---|---|
6932016 | How to work around the Verisign EV cert chain issue with a new built-in CA root. |
6965828 | Clustered instances must be synchronized before accepting a request after restarting. See Additional Information About Configuring a Web Application for Session Replication. |
6968560 | Document how to upgrade a certificate chain. |
6971148 | Change security context for JDK libraries on SELinux. |
6977258 | CR6611067 in WS7.0 release notes not correct. |
6977268 | All request header names are returned as lowercase. |
6989578 | Incorrect reference to remove SUNWlxml package from the system in 7.0 release notes. |
6989830 | Link to "Supported Virtualization Technologies with Oracle Fusion Middleware" is not correct. |
6991930 | GDD document has multiple typos in the "Hung or Unresponsive" chapter. See Corrections to the Procedure for Gathering Debug Data on a Hung or Unresponsive Web Server Process. |
6993379 | Java ES installation and upgrade notes need a correction. |
6993705 | Timeout parameter should be described in the See Information About timeout Parameter of http-client-config. |
6994415 | See Clarification About Unit of Time Used for the %duration% Log Parameter. |
6996370 | Web Server 7.0 startup error when |
7022621 | JDK versions supported for WS7. See Supported JDKs. |
12306447 | Docs need to provide information on how to protect a resource. See Information About Securing a URI Using an Authentication Database. |
12777290 | Doc has the incorrect |
12989862 | Fix request for 6932016 should add info regarding 7003615. |
13011275 | Add minimum required memory and minimum recommended disk space to release notes. See Supported Platforms. |
13540300 | Doc bug regarding default value of keep-alive threads. |
13560430 | Description of limit queue length not correct. See Clarification About the Limit Queue Length Shown in the perfdump Report. |
13889880 | 7.0.13 patch causes problems with F5-BigIP. See TLS Communication Through Certain Load Balancers Breaks in 7.0.13 and Later Releases. |
14512832 | Search collections does not support PDF 9.0. |
12068601 | Information about the |
14469503 | Create |
14664654 | The information about the parameter |
16576024 | The button to copy the configuration is called Duplicate not Copy. See The Button to Copy the Configuration is called Duplicate not Copy. |
16589719 | Information about the sticky cookie parameter. |
16758897 | Unable to create an ACL based on the incoming referrer header. See Unable to Create an ACL Based on the Incoming Referrer Header. |
17835893, 17888070, 17920072 | New configuration option for get/set properties in auth.db. See New Configuration Option to Get/Set Properties in the auth-db. |
18278817 | Lists the components you can use with a custom log format. |
21744964 | Information about the io-timeout element for HTTP Settings. See Information about the io-timeout Element for HTTP Settings. |
21440256 | Information about the NetWriteTimeout Parameter. |
15963420 | Information about default value of ssl3-tls-cipher suite. |
The information in the section Installing a Certificate Chain in Oracle iPlanet Web Server 7.0.9 Administrator's Guide also applies to updating certificate chains. The title of the section should therefore be "Installing or Updating a Certificate Chain".
The Sun Gathering Debug Data for Sun Java System Web Server technical note contains errors in "To Gather Debug Data on a Hung or Unresponsive Web Server Process", specifically in Step 5 of the procedure.
The following is the corrected Step 5.
5. Run the following commands and save the output.
Solaris:
ps -ef | grep server-root
vmstat 5 5
iostat [ -t ] [ interval [ count ] ]
top
uptime
HP-UX:
ps -ef |grep server-root
vmstat 5 5
iostat [ -t ] [ interval [ count ] ]
top
sar
Linux:
ps -aux | grep server-root
vmstat 5 5
top
uptime
sar
Windows:
Obtain the WEB process PID:
C:\windbg-root>tlist.exe
Obtain the process details of the WEB running process PID:
C:\windbg-root>tlist.exe web-pid
According to Using the Custom Log File Format of Oracle iPlanet Web Server 7.0.9 Administrator's Configuration File Reference, the %duration% log parameter indicates the time Web Server spent handling the request in microseconds.
Note the following clarification:
On Solaris and AIX, Web Server calculates and records the time in microseconds.
However, on Windows, HP-UX, and Linux, Web Server calculates the time in milliseconds and records it in microseconds.
The Configuring a Web Application for Session Replication section of Oracle iPlanet Web Server 7.0.9 Administrator's Guide describes the procedure to enable the server to replicate sessions.
The first step in the procedure is to modify the session-manager element in the sun-web.xml configuration file. When doing so, you must, in addition, set the reapIntervalSeconds property to 1 second, as shown in the following example:
<sun-web-app>
  <session-config>
    <session-manager persistence-type="replicated">
      <manager-properties>
        <property name="reapIntervalSeconds" value="1"/>
      </manager-properties>
    </session-manager>
  </session-config>
</sun-web-app>
Setting reapIntervalSeconds to 1 second ensures that session data is not missed during session failover; that is, clustered instances are synchronized after restarting before new requests are accepted.
For more information about reapIntervalSeconds, see manager-properties Element in Oracle iPlanet Web Server 7.0.9 Developer's Guide to Java Web Applications.
timeout Parameter of http-client-config
Table 7–60 http-client-config Parameters of Oracle iPlanet Web Server 7.0.9 Administrator's Configuration File Reference does not list the timeout parameter, which can be used to configure the Web Server to time out after a specified duration.
The timeout parameter can be configured by using the http-client-config ObjectType function in obj.conf as follows:
ObjectType fn="http-client-config" timeout="value"
This configuration parameter instructs the reverse proxy to close the connection to the origin server if the origin server does not respond to a request within the specified timeout period. Note that this parameter does not signify that the request has to be completed within the timeout period.
The default value of the timeout parameter is 300 seconds.
For more information about reverse proxy configuration, see http://docs.oracle.com/cd/E19146-01/821-1828/ghquv/index.html.
exclude-escape-chars Parameter in http-client-config
Oracle iPlanet Web Server escapes many characters. The exclude-escape-chars parameter can be used to avoid escaping specific characters, such as % & " < > \r \n + * '
The exclude-escape-chars parameter can be configured by using the http-client-config ObjectType function in obj.conf as follows:
ObjectType fn="http-client-config" exclude-escape-chars="+%"
The PID file disappears in the Red Hat Linux operating system and the server cannot be stopped. To overcome this situation, change the temp-path value in the server.xml file to a location where the server user has exclusive rights, as shown in the following example:
<temp-path>/var/tmp/https-test-73d21d24</temp-path>
Another option to resolve this situation is to exclude the temp-directory in the tmpwatch program.
The token name that is used for the password-file option in the wadm CLI must be in lowercase letters, as shown in the following example.
wadm_internal
If you choose to use SMF to control the administration server, it is recommended that you also use SMF to manage all other instances. This enables all instances to be controlled independently.
set-cookie Header
Starting from the 7.0.9 release, ;HttpOnly is appended to the set-cookie header value for security reasons. However, if you do not wish to append ;HttpOnly to the set-cookie header, use the following process:
Set the httponly-session-cookie property of the servlet-container element in the server.xml configuration file to false:
A new property named httponly-session-cookie has been added to the servlet-container element of the server.xml configuration file. By default, this property is true and ;HttpOnly is appended to the set-cookie header. When this flag is set to false, ;HttpOnly is not appended. You can set this property by using the set-servlet-container-prop CLI command or the Servlet Container page of the administration console.
Managing Users and Groups in the Oracle iPlanet Web Server 7.0.9 Administrator's Guide describes how to create authentication databases and how to create users and groups. However, it does not describe how to use an authentication database to secure a URI.
To secure a URI (say /docs) by using an authentication database (say authdb_docs), create an ACL for the configuration, or for a virtual server, with /docs as the URI and authdb_docs as the authentication database, as described in http://docs.oracle.com/cd/E19146-01/821-1828/gczyo/index.html.
In the section Adding a JVM Option of the Oracle iPlanet Web Server 7.0.9 Administrator's Guide, the following JVM option that is provided as an example is incorrect:
-Djava.util.logging.manager=com.iplanet.ias.server.logging.ServerLogManager
The correct option is the following:
-Djava.util.logging.manager=com.sun.webserver.logging.ServerLogManager
The Oracle iPlanet Web Server 7.0.9 Administrator's Configuration File Reference shows the default value of the number of keep-alive threads as 1. That value is not correct.
The default value of the number of keep-alive threads is set to the number of processors in the system.
The Oracle iPlanet Web Server 7.0.9 Performance Tuning, Sizing, and Scaling Guide describes the Limit Queue Length parameter shown in the perfdump report, incorrectly, as "maximum size of the connection queue".
Note that Limit Queue Length is the limit on the maximum number of connections queued. This limit depends on the availability of file descriptors.
When you use certain load balancers, like F5 Networks' BIG-IP, to distribute client requests to Oracle iPlanet Web Server 7.0.13 (and later releases), TLS communication using CBC ciphers (such as TLS_RSA_WITH_AES_256_CBC_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA) breaks. BIG-IP and, possibly, other load balancers are unable to forward responses from the Oracle iPlanet Web Server instances to the clients.
The NSS version included in Oracle iPlanet Web Server release 7.0.13 (and later) implements split data packets. BIG-IP and some other load balancers might not be able to handle split data packets.
Workaround
Caution:
This workaround removes the fix introduced in release 7.0.13 for the CVE-2011-3389 security vulnerability.
Stop the server.
In the startserv script, set the environment variable NSS_SSL_CBC_RANDOM_IV to 0.
The startserv script is located in the instance_dir/bin directory. On Windows, for example, add the following line in the startserv script:
set NSS_SSL_CBC_RANDOM_IV=0
Start the server.
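An added example, not part of Oracle's release notes: because the workaround above removes the CVE-2011-3389 fix, it helps to know which instances still carry it. This Python check reports whether a startserv script leaves NSS_SSL_CBC_RANDOM_IV set to 0; the sample script texts are constructed, and the POSIX assignment forms are assumptions, since the page shows only the Windows line.

```python
import re

VAR = "NSS_SSL_CBC_RANDOM_IV"
# Accepts "set VAR=0" (Windows batch) and "VAR=0" / "export VAR=0" (POSIX sh).
ASSIGN = re.compile(r'^\s*(?:set\s+|export\s+)?' + VAR + r'\s*=\s*"?([^\s";&]*)', re.I)
COMMENT = re.compile(r'^\s*(#|::|rem\b)', re.I)

def last_assignment(script_text):
    """Return (line_number, value) of the last live assignment, or None."""
    found = None
    for number, line in enumerate(script_text.splitlines(), 1):
        if COMMENT.match(line):
            continue              # a commented-out workaround does not count
        match = ASSIGN.match(line)
        if match:
            found = (number, match.group(1))   # a later assignment wins
    return found

def cbc_fix_disabled(script_text):
    """True when the script leaves NSS_SSL_CBC_RANDOM_IV set to 0."""
    hit = last_assignment(script_text)
    return hit is not None and hit[1] == "0"

# Constructed samples, not real startserv scripts.
WINDOWS_SAMPLE = "@echo off\nrem load balancer workaround\nset NSS_SSL_CBC_RANDOM_IV=0\n"
UNIX_WORKAROUND = "#!/bin/sh\nNSS_SSL_CBC_RANDOM_IV=0; export NSS_SSL_CBC_RANDOM_IV\n"
UNIX_REVERTED = "#!/bin/sh\n# NSS_SSL_CBC_RANDOM_IV=0\nNSS_SSL_CBC_RANDOM_IV=1\n"

if __name__ == "__main__":
    for name, text in [("windows", WINDOWS_SAMPLE), ("unix", UNIX_WORKAROUND),
                       ("reverted", UNIX_REVERTED)]:
        print(name, last_assignment(text), cbc_fix_disabled(text))
```

Run it over the text of each instance's startserv script and review every instance it flags once the load balancer can handle split data packets.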
A search collection indexes and stores information about documents (.html, .htm, .txt, and .PDF) on the server. Once the server administrator indexes all or some of a server's documents, information such as title, creation date, and author is available for searching.
Note that PDF documents of version 9.0 or later versions are not supported for search collections.
For more information, see the Oracle iPlanet Web Server 7.0.9 Administrator's Guide.
The htpasswd command is used to generate or modify a password file suitable for use with the htaccess access control mechanism.
The htpasswd usage is as follows:
htpasswd [-c] passwordfile username [password]
In this command, -c creates a new passwordfile (overwriting an old one if it exists). Without -c, the command modifies the existing file by either updating the user's password (if the user already exists) or adding a new user with the given name. If the optional password argument is not specified, the command prompts interactively for the password.
Note:
htaccess is not the preferred access control mechanism in Web Server. Wherever possible, use ACLs instead.
By default, the scripts that are created, as described in the Oracle iPlanet Web Server 7.0.9 Installation and Migration Guide, will start up all web server instances.
You can control the automatic starting of a specific web server instance by creating the file .noStartOnBoot under the root directory of that instance.
The FastCGI section of Oracle iPlanet Web Server 7.0.9 Administrator's Guide contains information about the parameter max-procs. This parameter is not valid. The information about the max-procs parameter should be ignored.
According to the section, Resolving Service ID Conflicts on Windows of the Oracle iPlanet Web Server 7.0.9 Installation and Migration Guide, the Copy button on the Admin Console Configurations page can be used to copy the configuration.
Note that the name of the button is Duplicate not Copy.
The section Configuring Reverse Proxy in Web Server of the Oracle iPlanet Web Server 7.0.9 Migration Guide, contains information about the reverse proxy configuration. The following is the additional information on the sticky cookie parameter:
When you are configuring sticky load balancing, you must correctly identify the name of the session cookie used by the backend server and use it as the value of the sticky-cookie parameter of the set-origin-server SAF. The default value of sticky-cookie is JSESSIONID. If the backend server uses a different sticky cookie name, set the sticky-cookie parameter value accordingly instead of using the default name.
An irregular HTTP response from a backend server, for example a response with a mismatching content-length, can force the Route subsystem to assume that the backend has gone 'bad' and mark it as offline. In such a case, sticky cookie load balancing can break.
According to the section To Create an ACL of the Oracle iPlanet Web Server 7.0.9 Developer's Guide, it is possible to create an ACL based on the 'Referer' header in the incoming request.
Note:
The header is called Referrer and not Referer.
When an ACL is configured within the Web Server to use the 'Referrer' header in the incoming request, the request fails and you get the following error message:
[09/Jan/2013:08:32:55] security (18472): for host 1.2.3.4 trying to GET /index.html, acl-state reports: HTTP5187: access of /prods/web/709/https-referer_acl/docs/index.html denied because evaluation of ACL uri=/index.html directive 2 failed
Workaround:
The functionality to use the 'Referrer' header in an incoming request in the processing of an ACL is not built into the core functionality of the Web Server. The functionality is provided in one of the sample plugins that ship with the product:
For example, for Oracle iPlanet Web Server 7.0: /<server_root>/samples/nsacl.
With Oracle iPlanet Web Server 7.0, the samples are not installed by default. They have to be manually selected during the installation of the product. Do the following to install the NSAPI sample plugin:
Build the NSAPI sample plugin nsacl. The environment must be set up with a compiler in the following path:
cd /<server_root>/samples/nsacl
gmake
To install the sample plugin in the Web Server, do the following:
Edit the magnus.conf file to include:
Init fn="load-modules" shlib="/prods/web/709/samples/nsacl/example.so" funcs="las_ref_init"
Init fn="acl-register-module" module="lasref" func="las_ref_init"
Deploy the manual changes.
Restart the Web Server.
Create the ACL entry.
To edit either the default.acl file or the acl file for the relevant virtual server, do the following:
acl "uri=/index.html";
authenticate (user,group) {
database = "keyfile";
method = "basic";
};
deny (all) user = "anyone";
allow (all) referrer = "test";
Deploy the manual changes.
Restart the Web Server.
Note:
On Oracle iPlanet Web Server 7.0.16 and earlier versions, the lasref.c file needs to be edited with the following change:
Change line 75 from
rq->request_is_cacheable &= ~NSAPICacheAccelSafe;
To
rq->request_is_cacheable = 0;
This issue has been addressed in Oracle iPlanet Web Server 7.0.17.
A new configuration option, followreferrals, is added for the auth-db. This option applies to LDAP auth-dbs and is set to true by default.
You can use the CLI get-ldap-authdb-prop and set-ldap-authdb-prop commands, or the Admin GUI pages, to get/set this configuration as needed. This option also applies to the LDAP auth-db used in the admin server.
The section Configuration File Reference in http://docs.oracle.com/cd/E19146-01/821-1827/index.html of the Oracle iPlanet Web Server 7.0.9 Migration Guide, contains information about the log format used by Web Server to customize the format of log files. The following is additional information on components supported for use with a custom log format.
DNS Time: %Req->vars.xfer-time-dns%
Connect Wait Time: %Req->vars.xfer-time-cwait%
Full Wait Time: %Req->vars.xfer-time-fwait%
Initial Wait Time: %Req->vars.xfer-time-iwait%
Total Wait Time(sec): %Req->vars.xfer-time-total%
Total Wait Time(msec): %Req->vars.xfer-time%
io-timeout Element for HTTP Settings
Table 3-22 in Oracle iPlanet Web Server 7.0.9 Administrator's Configuration File Reference shows incorrect information about the io-timeout element.
The correct description for io-timeout is given in the table below:
Element | Occurrences | Description |
---|---|---|
io-timeout | 0 or 1 | The maximum time (in seconds) that the server waits for an individual packet. The value can be from 0.001 to 3600. |
NetWriteTimeout Parameter
Oracle iPlanet Web Server 7.0 supports the NetWriteTimeout parameter in the obj.conf file to configure the write timeout. The value of this parameter is specified in seconds.
For example, to configure a 60-minute timeout, specify the value as follows:
NetWriteTimeout 3600
The ssl3-tls-cipher elements configure SSL3 and TLS cipher suites. The corresponding value of each ssl3-tls-cipher element is given in the table below:
Element | Value |
---|---|
|
False |
SSL_RSA_WITH_RC4_128_SHA |
True |
SSL_RSA_WITH_3DES_EDE_CBC_SHA |
True |
SSL_RSA_WITH_DES_CBC_SHA |
False |
SSL_RSA_EXPORT_WITH_RC4_40_MD5 |
False |
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 |
False |
SSL_RSA_WITH_NULL_MD5 |
False |
SSL_RSA_WITH_NULL_SHA |
False |
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA |
False |
SSL_RSA_FIPS_WITH_DES_CBC_SHA |
False |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
True |
TLS_ECDHE_RSA_WITH_NULL_SHA |
False |
TLS_ECDHE_RSA_WITH_RC4_128_SHA |
True |
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA |
True |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
True |
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA |
True |
TLS_ECDH_RSA_WITH_RC4_128_SHA |
True |
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA |
True |
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA |
True |
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA |
True |
TLS_ECDH_ECDSA_WITH_RC4_128_SHA |
True |
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA |
True |
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA |
True |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
True |
TLS_ECDHE_ECDSA_WITH_NULL_SHA |
False |
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA |
True |
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA |
True |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
True |
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA |
False |
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA |
False |
TLS_RSA_WITH_AES_128_CBC_SHA |
True |
TLS_RSA_WITH_AES_256_CBC_SHA |
True |
TLS_RSA_WITH_SEED_CBC_SHA |
True |
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA |
True |
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA |
True |
TLS_RSA_WITH_AES_128_CBC_SHA256 |
True |
TLS_RSA_WITH_AES_128_GCM_SHA256 |
True |
TLS_RSA_WITH_AES_256_CBC_SHA256 |
True |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
True |
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
True |
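An added example, not taken from Oracle's documentation: a Python check that overlays the explicit cipher settings in a server.xml on the values listed in the table above and reports which RC4, 3DES, DES, NULL or export suites remain enabled. The sample server.xml is constructed, and the layout in which each suite is a child element holding a boolean is an assumption based on the Element and Value columns of the table.

```python
import re
import xml.etree.ElementTree as ET

# RC4 and 3DES suites that the table above lists with a value of True.
WEAK_DEFAULT_ON = """
SSL_RSA_WITH_RC4_128_SHA          SSL_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_RSA_WITH_RC4_128_SHA     TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_ECDSA_WITH_RC4_128_SHA   TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA  TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
""".split()

CIPHER_TAG = re.compile(r"(SSL|TLS)_")
# Name fragments of suites with no encryption, export-grade keys, RC4/RC2, DES or 3DES.
WEAK = re.compile(r"_(NULL|EXPORT\d*|RC4|RC2|DES|3DES)_")
TRUE_WORDS = {"true", "on", "yes", "1"}   # assumed spellings of a true boolean

def effective_weak(explicit):
    """Weak suites left enabled once explicit settings override the defaults."""
    enabled = {s for s in WEAK_DEFAULT_ON if explicit.get(s, True)}
    enabled |= {s for s, on in explicit.items() if on and WEAK.search(s)}
    return sorted(enabled)

def audit(server_xml):
    """Return one sorted list of enabled weak suites per cipher block found."""
    root = ET.fromstring(server_xml)
    reports = []
    for parent in root.iter():
        explicit = {c.tag: (c.text or "").strip().lower() in TRUE_WORDS
                    for c in parent if CIPHER_TAG.match(c.tag)}
        if explicit:
            reports.append(effective_weak(explicit))
    # No cipher elements at all means every default in the table applies.
    return reports or [effective_weak({})]

# Constructed sample; the element nesting is an assumption, only the suite
# names and their default values come from the table.
SAMPLE_SERVER_XML = """
<server>
  <http-listener>
    <ssl>
      <ssl3-tls-ciphers>
        <SSL_RSA_WITH_RC4_128_SHA>false</SSL_RSA_WITH_RC4_128_SHA>
        <SSL_RSA_WITH_3DES_EDE_CBC_SHA>false</SSL_RSA_WITH_3DES_EDE_CBC_SHA>
        <TLS_ECDHE_RSA_WITH_RC4_128_SHA>false</TLS_ECDHE_RSA_WITH_RC4_128_SHA>
        <SSL_RSA_WITH_NULL_SHA>true</SSL_RSA_WITH_NULL_SHA>
        <TLS_RSA_WITH_AES_128_GCM_SHA256>true</TLS_RSA_WITH_AES_128_GCM_SHA256>
      </ssl3-tls-ciphers>
    </ssl>
  </http-listener>
</server>
"""

if __name__ == "__main__":
    for i, weak in enumerate(audit(SAMPLE_SERVER_XML), 1):
        print(f"cipher block {i}: {len(weak)} weak suites still enabled")
        for suite in weak:
            print("  ", suite)
```

Turning off three suites by hand still leaves seven RC4 and 3DES suites enabled through the defaults, which is why the check starts from the table rather than from the file alone.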
According to the section Configuring the Server to Serve Pre-Compressed Content of the Oracle iPlanet Web Server 7.0.9 Administrator's Guide, the Content Management tab on the Virtual Server page can be used to change the pre-compressed content settings.
Note that the name of the tab is Content Handling and not Content Management.