Oracle iPlanet Web Server 7.0.9 Release Notes

Features and Enhancements in Web Server 7.0.9

Oracle iPlanet Web Server 7.0.9 is an update release to Sun Java System Web Server 7.0. In addition to the features and enhancements in Web Server 7.0 and Updates 1 through 8, Web Server 7.0.9 brings the following additional features and enhancements to the product.

Resolution of SSL/TLS Vulnerability CVE-2009-3555

Web Server 7.0 Update 7 included NSS 3.12.5, which provided relief, but not resolution, for the SSL/TLS renegotiation vulnerability CVE-2009-3555. Additionally, Web Server 7.0 Update 7 disabled all use of SSL/TLS renegotiation in order to protect Web Server from attack. If either the client or Web Server attempted to trigger renegotiation on an existing SSL/TLS session, the connection would fail.

Web Server 7.0.9 includes NSS 3.12.6, which provides safe SSL/TLS renegotiation and so provides resolution of CVE-2009-3555. As a result, Web Server 7.0.9 re-enables use of SSL/TLS renegotiation.

Support for JDT Java Compiler

You can now configure Web Server to use the Eclipse JDT Java compiler instead of Ant and another Java compiler. For more information, see Using the Eclipse JDT Java Compiler in Oracle iPlanet Web Server 7.0.9 Developer’s Guide to Java Web Applications.

Support for Oracle JRockit JDK

Web Server now supports the Oracle JRockit JDK on the 32-bit platforms it supports. For the 7.0.9 release, the minimum required JRockit JDK version is R27.6.5, which is certified to be compatible with Java SE 6 Update 14 (1.6.0_14).

Ability to Change Session ID on Authentication

Web Server 7.0.9 adds the changeSessionIdOnAuthentication property to the sun-web-app element of the sun-web.xml file. This property enables web applications to change session IDs upon authentication in order to avoid session fixation attacks. For more information, see sun-web-app Element in Oracle iPlanet Web Server 7.0.9 Developer’s Guide to Java Web Applications.
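
The following added example is not Web Server code and is not taken from the product documentation. It is a simplified in-memory model showing why changing the session ID at authentication matters: an ID issued before login stops resolving to the authenticated session. The SessionStore class, its change_id_on_auth flag, and the sample data are hypothetical names constructed for illustration.

```python
import secrets


class SessionStore:
    """Toy in-memory session table (hypothetical model, not Web Server code)."""

    def __init__(self, change_id_on_auth):
        self.change_id_on_auth = change_id_on_auth
        self.sessions = {}  # session ID -> {"user": ..., "attrs": {...}}

    def create(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None, "attrs": {}}
        return sid

    def authenticate(self, sid, user):
        """Mark the session as logged in; return the ID the client must use next."""
        if sid not in self.sessions:
            raise KeyError("unknown or expired session ID")
        session = self.sessions[sid]
        session["user"] = user
        if self.change_id_on_auth:
            # Re-key the same session state under a fresh random ID and
            # retire the pre-login ID so it no longer resolves to anything.
            del self.sessions[sid]
            sid = secrets.token_hex(16)
            self.sessions[sid] = session
        return sid

    def user_for(self, sid):
        session = self.sessions.get(sid)
        return session["user"] if session else None


def pre_login_id_still_authenticated(change_id_on_auth):
    """True if an ID issued before login maps to the logged-in user afterwards."""
    store = SessionStore(change_id_on_auth)
    pre_login_sid = store.create()  # ID that existed before authentication
    store.sessions[pre_login_sid]["attrs"]["cart"] = ["item-1"]  # constructed sample state
    post_login_sid = store.authenticate(pre_login_sid, "alice")
    # Session state survives the login in both modes of this model.
    assert store.sessions[post_login_sid]["attrs"]["cart"] == ["item-1"]
    return store.user_for(pre_login_sid) == "alice"


if __name__ == "__main__":
    print("ID unchanged on login:", pre_login_id_still_authenticated(False))
    print("ID changed on login:  ", pre_login_id_still_authenticated(True))
```

When testing a deployed application, the equivalent check is to compare the session cookie value before and after login and confirm that the old value is no longer accepted.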

For Large Applications, --directory Option of add-webapp Command Deprecated in Favor of --file-on-server Option

For large applications, you should use the --file-on-server option of the add-webapp command to provide a path to an exploded WAR file outside the Web Server root directory. Note, however, that the Administration server does not manage web applications deployed outside the Web Server root directory. For more information, see add-webapp(1) and Deploying a Web Application Directory in Oracle iPlanet Web Server 7.0.9 Administrator’s Guide.