Release Notes for iPlanet™ Web Proxy Server

Version 3.6 Service Pack 1

Part Number: 816-6147-10

Updated September 25, 2002

---

These release notes contain information about new features, known limitations,and migration procedures for iPlanet™ Web Proxy Server.

These release notes contain the following sections:

• Supported Platforms
• Required Patches
• Memory Information
• SSL Information
• Installation Information
• Migration Information
• Problems Corrected
• Problems Corrected in SP1
• New Features
• New Features in SP1
• Installation procedure of SP1 on Unix
• Installation procedure of SP1 on Windows
• Virus Scanning
• Troubleshooting
• Known Problems
• How to Report Problems
• Where to Go for More Information

Supported Platforms

Required Patches

Sun Solaris Patch Information

For each patch, install the listed revision or a later revision. For example, if patch 111111-01 is required, the later revision 111111-03 will also work.

iPlanet Web Proxy Server 3.6 on Solaris 2.6 requires patch 105529 rev09 or later.

Memory Information

When a process is active, the amount of RAM it uses may increase over a short period.
 

SSL Information

Installation Information

In addition, on a Windows NT or Windows 2000 machine, the proxy server should be installed independently of any other iPlanet product to avoid conflicts with DLLs.

Migration Information

Note	If you used the virus scanning capability of Netscape Proxy Server 3.5x, turn virus scanning off before proceeding with the migration operation. To turn virus scanning off, select Filters | Virus Screening and click Turn off Virus screening.

Migrating  from Netscape Proxy Server 3.5x on NT

Migrating from Netscape Proxy Server on UNIX

Migrating Proxy Plug-ins on AIX

Previous versions of iPlanet Web Proxy Server were built on AIX 4.1, which did not support native runtime linking. Plug-ins were enabled by building Proxy Server with additional software provided by IBM AIX to Netscape. No special runtime linking directives were required to build plug-ins. Because of this, plug-ins built for previous versions of Proxy Server on AIX will not work with iPlanet Web Proxy Server 3.6 without modification.

However, these plug-ins can easily be relinked to work with iPlanet Web Proxy Server 3.6. iPlanet provides a script to relink existing plug-ins. Only the existing plug-in is required to run the script (not the original source and .o files). Specific comments are provided within the script. Because all AIX versions from 4.2 onward natively support runtime linking, we do not anticipate this issue being a problem again for future iPlanet Web Proxy Server releases built on AIX.

Relink Script

#!/bin/ksh
#
# script to modify a plugin built for Netscape Proxy Server 3.5 to
# work with iPlanet Web Proxy Server 3.6
#
# usage: relink_plugin
#
# Script will create .new that will work with iPlanet Web Proxy Server 3.6
#
# If your plugin was built with a specific default LIBPATH, then
# you must modify the DEF_LIBPATH variable below. Run the command
# "dump -H " and your existing default LIBPATH will be listed
# as the PATH information by INDEX 0 under the ***Import File Strings***
# section.

DEF_LIBPATH=/usr/lib/threads:/usr/ibmcxx/lib:/usr/lib:/lib

# If your plugin has dependencies on other shared objects, then you
# must modify the LIB variable below to include those dependencies
# (e.g.
# if you need symbols from shared objects libusra.so, libusrb.so, & libusrc.so;
# you would specify LIBS="-lusra -lusrb -lusrc")
# Run the command "dump -H " to see if your plugin has
# any dependencies; they will be listed under the ***Import File Strings***
# section (Note: you don't have to specify system library dependencies
# such as libc.a, libc_r.a, etc.)

LIBS=

# Note: the following warnings may appear, but you can ignore them:
# ld: 0711-415 WARNING: Symbol __priority0x80000000 is already exported.
# ld: 0711-224 WARNING: Duplicate symbol: __priority0x80000000
# ld: 0711-224 WARNING: Duplicate symbol: .__priority0x80000000
# ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.

# Note: If you are running with the AIX CSet++ 3.1.4 compiler instead of
# the CSet++ 3.6.4 compiler, then replace all references in this script
# to "ibmcxx" with "lpp/xlC".

/usr/bin/ld -bnso -r -o /tmp/obj.o $1
/usr/ibmcxx/bin/makeC++SharedLib_r -p 0 -G -blibpath:$DEF_LIBPATH $LIBS \
/tmp/obj.o -o $1.new

Problems Corrected

• Proxy Server appends LF instead of CRLF to host header. (4588536)
  Proxy Server was only adding LF (\n) to the end of the host header when it should have been adding CRLF (\r\n).

• Proxy Server does not establish a secure connection with sites. (4588536)
  If the SSL server certificate used by CMS was signed with a key longer than 1024 bits, Proxy Server was unable to verify the SSL server certificate's digital signature.

• Proxy Server does not load group attributes only to check existence. (4575103)
  When Proxy Server starts, it checks that the groups used in the ACL exist. To do so, Proxy Server searches for the LDAP entry corresponding to each group. This search no longer returns all the group attribute values, because the values can be large for a group containing many members.

• Proxy Server does not generate an error message when using "Unverified User from client". (4580723)
  When going through Proxy Server to a site that requires authentication, the error "...remote-auth reports:missing parameter to remote-auth (need type)" is not shown in the error log when you check "Unverified User from client" under Server Status|Log Preferences|Only log.

• Proxy Server remains bound to LDAP server on default DN. (4586796)
  After each bind to the LDAP server for user authentication, Proxy Server makes sure that it binds again as the default DN. This prevents erroneous cases of authentication failure.

• Proxy Server changes the case of additional characters, and as a result changes cookie content, when cookie text size is greater than 595 characters. (4572215)

• Proxy Server cannot upload to root directory. (4608854)
  It is now possible to upload a file to the root directory through Proxy Server.

• Socks Server hangs. (4576106)
  Socks Server no longer hangs when the administrator changes default settings to increase the number of worker threads or posted accepts.

• Proxy Server on NT constantly restarts under heavy CPU load. (4579465)

• Proxy Server on NT sends extra <CR<LF in POST request. (4568138)

• Proxy Server does not free 3 file descriptors at restart. (4561522)

• The keep-alive HTTP header is taken into account by the CONNECT method. (4562943)

• Socks Server crashes when requests require LDAP authentication. (4559696)

• Socks Server cannot restart because bind to LDAP fails. (4540806)

Problems Corrected in SP1

This section lists problems corrected in iPlanet Web Proxy Server 3.6 SP1:

• Proxy Crashes with very long URLs. (4563178)
  In previous releases, when a request was bigger than 4118 bytes, Proxy Server would crash due to a problem with buffers in the flexlog. This problem has been corrected.

• Proxy processes consumed 100 CPU after executing log rotate command. (4621100)

• Unable to configure ACL with large groups via HP-UX admin server. (4624955)
  This problem was specific to the HP-UX platform. When attempting to set an ACL by specifying a large group (over 500 members) it failed with the message "Incorrect usage:Bad user or group, this users/groups were not in the database" (although they were in the database). This problem has been corrected and an HP-UX proxy admin can hold large groups without problems.

• Error occurs when adding/modifying ACL if there are many ACLs. (4646267)
  When adding or modifying a number of ACLs with specific large groups, the following error occurred and inconsistencies occurred between genworks.*.acl and generated.*acl. "System Error : Unable to create write ACL". This problem was HP-UX specific and has been corrected.

• Clients are requested to input UID & PASSWORD. (4550626)
  When using client authentication through a secure reverse proxy, a temporary failure or a crash on the LDAP directory caused a prompt (repeatedly asking users for authentication).

  A new magnus variable (LdapCheckUp) has been created to correct this problem. In explanation, the proxy recycles child processes when they reach a limit of having served 128 requests (ProcessLife). When a child process reaches this limit, it sends a SIGCHLD signal to the daemon. When the daemon receives this signal, it recycles the child process (respawns a new process) and simultaneously calls a callback function that checks the sanity of the LDAP connections. That is, the frequency of calls made by the daemon is a function of the number of processes (ns-proxy), the value of the ProcessLife variable and the load supported by the proxy. This function simply compares dates from the present to the last call made. If the time frame is bigger than LdapCheckUp, a sanity check is performed.

  In summary, the time is now a parameter, set through the new LdapCheckUp variable in magnus.conf. The default value of this variable is 30 seconds.

  Example:

  LdapCheckUp 20 => This line in the magnus.conf means that the variable has been set to 20 seconds.

• KeepAlive on Reverse Proxy does not work correctly. (4537319)
  This fix enables you to establish persistent connections against a non-secure reverse proxy if the keep-alive feature is enabled in the Proxy and the client browser sends an http header indicating a persistent connection. This fix applies only to UNIX platforms.

• Can't cache some URL's. (4562322)
  Requests with an erroneus content-length header were not cached by the proxy (the error log showed messages such as "incomplete cache file removed for..."). This was a UNIX-specific problem (Win32 platforms were not affected).

• LANG="ja" prevents log rotation. (4550628)

• Proxy 3x/NT treats only last reverse mapping. (4539371)
  This was a Win32 platform specific problem (UNIX platforms were not affected).

• Unable to upload file size more than 4Mb under reverse proxy. (4538211)
  Proxy was unable to upload (http method POST) a file bigger than 4 Mb using reverse proxy under SSL.
  Note: Uploading files larger than 10Mb is not supported by iPlanet Web Proxy Server 3.6.

• POST with enctype="multipart/form-data" fails sometimes. (4536787)
  A problem existed when uploading files (http method POST) through proxy in secure mode from a WAN network. A new magnus.conf variable (NetBufferSize) has been incorporated in the magnus.conf to control the network buffer size. This variable prevents the error log message "cannot buffer client data" from occurring.

  The syntax of the variable is as follows:

  NetBufferSize 4096 => This line in the magnus.conf indicates that the network buffer has been set to 4096 bytes. The maximum value is 100000 bytes. If NetBufferSize is set to higher than 100000 bytes, Proxsy Server uses its maximum size (100000 bytes).

  In addition, a problem was detected with certain versions of Microsoft IIS which returned a keep-alive header when the http request explicitly meant a non-persistent connection. To solve this problem (which indirectly affects proxy behavior) the following sample plugin can be used:

  /*
   *
   * Copyright %G% Sun Microsystems, Inc. All Rights Reserved
   *
   */
  #include "base/pblock.h" 
  #include "base/session.h" 
  #include "frame/req.h" 
  #include "frame/log.h"       /* log_error */ 
  #include  
  #ifndef XP_WIN32 
  #include   /* sleep */ 
  #define NSAPI_PUBLIC 
  #else /* XP_WIN32 */ 
  #include  
  #define NSAPI_PUBLIC __declspec(dllexport) 
  #endif /* XP_WIN32 */ 
  /* these strings are part of an hidden API in the proxy */ 
  #define FILTER_SVR_HDR_STR   "filter-srv-hdrs" 
  #define FILTER_ACT_STR       "filter-act" 
  #define FILTER_SUB_STR       "filter-sub" 
  char *hstr = FILTER_SVR_HDR_STR; 
  char *astr = FILTER_ACT_STR; 
  char *sstr = FILTER_SUB_STR; 
  NSAPI_PUBLIC int replace_response_keep(pblock *pb, Session *sn, Request *rq) 
  { 
     /* store an action that will be executed by proxy-retrieve" */ 
     /*log_error(LOG_INFORM,"replace_response_keep", sn, rq, "KEEPALIVE"); */
    pblock_nvinsert(hstr, "Connection: Keep-Alive", rq->vars); 
    pblock_nvinsert(astr, "replace", rq->vars); 
     pblock_nvinsert(sstr, "Connection: close\r\n", rq->vars); 
     return REQ_NOACTION; 
  } 
  

  At configuration time, the following object must be added to the obj.conf file:

  # Sun Microsystem  - obj.conf
  # You can edit this file, but comments and formatting changes
  # might be lost when the admin server makes changes.
  Init funcs="replace-response-keep" shlib="/usr/iplanet/suitespot/plugins/repl.so" fn="load-modules"
  <Object name="default">
  NameTrans fn="map" from="file:" to="ftp:" cont="yes"
  ....
  Filter  fn="replace-response-keep" 
  ....
  </Object>
  

  For more information, see the iPlanet Web Proxy Server 3.6 Administrator's Guide.

• 3.5x->3.6 migration breaks ACL. (4551161)

• Sagt process fails to respond. (4546947)
  The SNMP sagt process in Proxy Server did not respond properly if the octet number of an interface was larger than 2^31. In addition, the sagt process sometimes crashed. This problem has been fixed for all supported platforms.

• OULU encode test cause SNMP agent core dump. (4532320)
  The c06-snmpv1-req-enc-pr1 test suite from OULU caused the Admin Server SNMP master agent magt to core dump. (For more information, see http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/0100.html).

• Instability of SOCKS daemon. (4535931)
  The SOCKS daemon stopped every time an attempt was made to load a large picture from the webserver through the proxy, when the client connected to the server through a modem line.

• Failure: can't stat() cache partition. (4558738)
  Proxy Server did not disable partitions or urldbgen databases when global caching was disabled within the proxy.

• Web Proxy 3.6 (reg) - No performance object for the Proxy in win perf monitor. (4615444)

• accon and accallow become very slow and unable to control ACL. (4639459)
  This problem occurred only on the HP-UX platform. When setting approximately 40 ACL's with groups that had several unique members, the Proxy Admin Server was unable to control the ACL. The following error occurred: "Internal error: The administration server was unable to fulfill your request".

• Error 7024 and authentication problem. (4539275)
  When using a local LDAP database for users and groups within Proxy an "Error 7024" sometimes appeared in the error log, followed by the error "password did not match directory". Clients were rejected (they could not go through the proxy) although the credentials they provided were correct. This was a file descriptor problem (a consequence of the use of the local database). I/O functions "fopen" and "open" have a limitation on the maximum number of file descriptors. To overcome this problem, check the current system settings (see the ulimit command).

• After a new OS patch, the proxy server hangs. (4552944)
  This was a SOLARIS-specific problem. After updating the OS from release 11 to release 26, Proxy Server hung during peak hours generating several defunct processes. This problem was a consequence of a bug in the Solaris libthread library. The problem is corrected by applying Solaris patch (see iPlanet knowledge base (article 7531) and Sunsolve).

• Proxy on NT permanently restarts. (4538284)
  Limitations on the local LDAP Proxy database under heavy loads caused the proxy to restart frequently. To avoid this problem, it is highly recommended that you use an external directory server.

• Default proxy timeout (4548270)
  The Administrator's Guide and the Online help state that the default value of a Proxy timeout is 20 minutes. The correct value is 5 minutes.

• Multiple calls in the icp.conf file (4559457)
  The Administrator's Guide and the Online help state that multiple calls can be made to the "server" function via the icp.conf file. This is true only for the following functions: add_parent, add_sibling.
  In the case of the "server" function, only the last call is taken into account. The server function stands for the configuration of the local proxy and there is only one.

• Doc & Code differ to add header in the response (4539178)
  The Administrator's Guide erroneously states that "the Request->srvhdrs parameter block is the set of HTTP headers for the server to send back. This parameter block can be modified by any function". This does not work. A Proxy retrieve is mono-block and completely opaque. Content adaptation is not possible. The solution is to add a header in the response, to use the filter mechanisms (either pre-posted actions or a "pre-filter" forked process), or to rewrite service_proxy_retrieve(!!). Note : The only pre-posted filter actions supported by Proxy 3.x are "replace", "remove", and "reject". There is no "add" action that can be used as a workaround. However, a workaround has been coded that enables a custom plugin to add a header in the response. The filter action API has been extended with an "add" action.

• Document bug for Proxy Server Cache erase (4547222)
  The iPlanet Web Proxy Server 3.6 Administrator's Guide provides the incorrect syntax for the following command:

  cd proxy directory/cache
  find s* -type f -exec rm {} \.; 
  This should be:
  cd proxy directory/cache
  find s*  -type f  -exec rm {} \;
  On Windows platforms:
  From a DOS prompt: cd <server_root>\cache
  In addition, note the difference in the following command syntax:
   del *. /s /p  (--> will prompt for delete confirmation)
   del *. /s /q  (--> will not prompt for delete confirmation)
  

New Features

This section describes the new features and enhancements made in iPlanet Web Proxy Server 3.6.

Use of LDAP dynamic groups for authentication (4570987)

Proxy Server supports LDAP dynamic groups, in addition to LDAP static groups, for authentication, access control, and user and group management. Dynamic groups are managed via the LDAP server user interface. They are used in Proxy Server administration in the same way as static groups (by providing the name of the group to define ACLs).

This feature introduces two new configuration parameters in the configuration file magnus.conf:

• dyngroups. This parameter determines how Proxy Server handles dynamic groups. It takes three values: off (default), on and recursive.
  • When set to off (default), Proxy Server does not take dynamic groups into account (it still takes into account users and static groups).
  • When set to on, Proxy Server evaluates dynamic groups but not recursively. Therefore, dynamic groups cannot have group members.
  • When set to recursive, Proxy Server evaluates dynamic groups recursively. This option allows you to have static and dynamic groups that can include static or dynamic groups. This is the most costly option in terms of CPU consumption.

• searchdepth. This parameter provides the maximum search depth in groups (static or dynamic). It takes an integer, greater than zero (the default value is 30). If the search process remains unsuccessful within this limit, access is denied.

  For example, when searchdepth is set to 2:

  • "user belongs to group1 which belongs to group2" is scanned.
  • "user belongs to group1 which belongs to group2 which belongs to group3" is not scanned.

  The following is an example of the magnus.conf configuration file:

  dyngroups recursive
  searchdepth 10

Authentication/LDAP caching on NT (4571109)

Proxy Server can now cache LDAP information in a simple hash-based proxy authentication cache. LDAP caching reduces the load on your directory server and improves performance. The proxy authentication cache stores user password and user group information, which resides in memory.

From the administration user interface, you can enable and disable the authentication cache, configure the hash table size, configure the number of entries the cache holds, and set the entry expiration time.

The following is the obj.conf directive for enabling and disabling this feature:

Init status=<ON|OFF> hash-size=<SIZE table hash of>
table-size=<SIZE table of entries> expires=<EXPIRES seconds in time,> fn="init-pauth-cache"

Handling of LDAP server failover (4575151)

Proxy Server provides basic failover capability, so that it can serve requests when Directory Server is not running. Directory Server must still be running to administer Proxy Server through the administration console.

To add alternate LDAP servers, enter multiple host names in the Directory Server field in the administration console of Proxy Server, separated by a blank character. The LDAP port is common to all servers, so alternate servers must use the same LDAP port as configured in the administration console.

Proxy Server has two time-out values, one for the bind and one for searches. When a time-out is raised, Proxy Server retries to contact the failed LDAP server once. If Directory Server is unreachable, the current LDAP operation fails and all opened connections on the failed server are marked down. The next Proxy Server operation will use a new pool of connections to the next alternate server. Proxy Server does not switch back to the main LDAP server if it becomes available.

At start time, Proxy Server opens a set of connections to the LDAP directory server (see the LdapConnPool parameter). If the main server is unreachable, Proxy Server tries to switch to an alternate server and tries to open connections. If this procedure fails, an error is reported to the log.

No failover is implemented in the console, so the primary directory must be up and running to use the administration console.

You can configure server failover using two new parameters in the configuration file, magnus.conf:

• SearchTimeLimit (integer>0, default=15). Specifies the time-out value, in seconds, for search operations on the LDAP server.

• BindTimeLimit (integer>0, default=30). Specifies the time-out value, in seconds, for bind operations on the LDAP server.

New Features in SP1

This section describes the new features and enhancements in iPlanet Web Proxy Server 3.6 Service Pack 1.

Handling Client Authentication With Digital Certificates (4543418)

Proxy Server now provides user authentication facilities using digital authentication certificates. This is achieved with the certmap.conf file. Specifically, this certificate-mapping file determines how a server should look up a user entry in the LDAP directory. This file (located under <server_root>/userdb) can be edited and entries added to match the organization of your LDAP directory and to list the certificates you want your users to have.

Specifically, the mapping file defines:

• Where in the LDAP tree the server should begin its search.
• Which certificate attributes the server should use as search criteria when searching for the entry in the LDAP directory.
• Whether the server goes through an additional verification process.

A mapping has the following syntax:

certmap name issuerDN
name:property [value]

The first line specifies a name for the mapping. The name is arbitrary; you can define it to be whatever you want. However, issuerDN must match the distinguished name of the certificate authority who issued the client certificate. For example, the following two issuerDN lines differ only in the spaces separating the components, but the server treats these two entries as different:

Certmap Iplanet1 ou=Red Certificate Authority,o=iPlanet,c=US
Certmap Iplanet2 ou=Red Certificate Authority, o=iPlanet, c=US

The second and subsequent lines in the named mapping match properties with values. The certmap.conf file has six standard properties. You can use the Certificate-Mapping API to create your own custom properties.

To enable/disable this feature, a new magnus.conf variable has been added with two possible values (ON/OFF). The feature is disabled (OFF) by default. To enable the feature, use the following syntax:

CertificateChecking ON

ACL's and Authentication with certificates

When you declare allowed users and/or groups, remember that the written ACL file uses the UID field for authentication (basic or SSL) at a later stage. In the case of SSL authentication, the client certificate is used for this purpose.

The proxy attempts to match the certificate presented by the user with the credentials of the user stored in the LDAP Directory Server, following the search criteria defined in the certmap.conf file. If this step was successful the proxy attempts to match the UID extracted from the certificate with the name of the user stored in the ACL file.

Therefore, the UID field must exist within the client certificate. If the UID field is not found in the user certificate, the proxy will use the CN (Common Name) field to match the name stored in the generated ACL file, by default.

Installation procedure of SP1 on Unix

To install the binary, proceed as follows:

1. Shut down the Admin Server and all instances of the Proxy Server before installation.

2. Backup everything under <server-root>.

3. Untar the SURF-Pack distribution.

4. cd iproxy-3.6-us directory

5. At the command line, enter: ./ns-setup

6. When the installation script prompts you for your server root directory, enter the name of the directory where your Proxy Server is installed. The installation script will install the patched versions.

7. Start up the Admin Server and all desired Proxy Server instances (if they were not shut down and started up by the SURF-Pack installer).

Installation procedure of SP1 on Windows

To install the binary, proceed as follows:

1. Backup everything under <server root> (normally c:\WINNT\Netscape\SuitSpot).

   Under this directory you should see the following:

   • adminacl -> directory
   • admin-serv -> directory
   • alias -> directory
   • bin -> directory
   • extras -> directory
   • httpacl -> directory
   • include -> directory
   • install -> directory
   • lib -> directory
   • manual -> directory
   • nsapi -> directory
   • ns-icons -> directory
   • plugins -> directory
   • proxy -> directory
   • userdb -> directory
   • proxy-"machine name" -> directory
   • admserv -> file
   • license.txt -> file
   • Nyr -> file
   • Proxy.txt -> file
   • uninst.exe -> uninstall binary

   This will create a copy of all configuration files, proxy instances, etc.

2. Stop the Proxy and Admin Server. Uninstall the Proxy, using the binary <server root>\uninst.exe. Uninstall the Admin Server.

3. Remove everything under <server root> manually. Take care to remove only the directories and files concerning the Proxy (in case the customer is running additional Netscape applications). Refer to step (1) for more information.

4. Reinstall the Proxy in the same directory as the old Proxy, using the binary provided. Enter the same information as in the previous installation (the same admin password, admin port, proxy port, and binding information to the LDAP directory server, if applicable).

5. After installation from a DOS prompt, stop the Proxy and Admin Server. Copy all the configuration files from the back-up Proxy copy into the correct location (admin config files, proxy config files, and acl files). This process can be cumbersome, depending on the customer configuration. Not all the files shown below must be copied (files to be copied depend on the customer configuration):

   < tr> < tr> < tr> < tr> < tr>

   adminacl	->	Admin acl files
   admin-serv \config	->	Admin config files
   httpacl	->	Proxy acl's
   proxy-"name machine"\config\	->	Proxy config files (if there is more instances process must be repeated with each of them)
   proxy\cache	->	Cache of proxy
   userdb	->	If using local database instead of LDAP directory server

6. Start the Admin Server, then start the Proxy Server.

   ---

   Virus Scanning

   Virus scanning is not supported in iPlanet Web Proxy Server 3.6.

   ---

   Troubleshooting

   • Members of a proxy array cannot update configuration from the master.

     There are two possible reasons for this problem:

     1. When setting up a proxy array for the first time, be sure to use a higher Configuration ID for the master than for the members. Otherwise, members will not take into account the configuration they read from the master. For example, set Configuration ID to 2 for the master and 1 for members.
     2. On UNIX only, if Administration Server and Proxy Server are running under two different users, Proxy Server may not be able to update the parray.pat file because this file is created by Administration Server with Administration Server's write access.

   • I cannot view my access log file from the server manager.

     The log files may have grown too big. To remedy this, manually rotate the log files. In the server manager, select Server Status|Archive Log and click the Archive button. A new set of empty log files is created and the previous ones are renamed. The old log files can be deleted or backed up elsewhere.

     To avoid this problem in the future:

     1. Limit the amount of information stored in the access log file. To do so, select Server Status|Log Preferences, and check only information fields corresponding to the information you want the access log file to record.
     2. Start a job to rotate log files regularly. To do so, choose Server Status|Archive Log, check rotate log at and choose the hours and days of access log rotations. To select more than one hour, keep the ctrl key pressed down while clicking on the hour menu. Click OK.

   • On HP-UX, when I restart the Socks Server it simply stops running.

     On an HP-UX box, an attempt to restart the Socks Server while requests are being processed simply stops the Socks Server. Restart occurs each time you click the Save and Apply button in any Socks Server administration screen.

     The fix for bug #538551 prevents the Socks Server from stopping at restart but only if no request is being processed at the same time. A simple workaround is to stop, then start the Socks Server instead of performing a restart.

   ---

   Known Problems

   • Access control to log files on UNIX systems.

     Proxy access log files and error log files are regular UNIX files. These files belong to the UNIX user account that Proxy Server uses. If your log file content is highly confidential, use a dedicated UNIX user to run Proxy Server and set the proper permission mode to log files.

     Change the log file permission mode to deny access to anybody but the owner:

     $ chmod 600 access errors
     $ ls -l access errors
     -rw-------   1 <owner><group>      327 Apr  9 15:10 access
     -rw-------   1 <owner><group>      258 Apr  9 16:29 errors

   • For other known problems see the Netscape Proxy Server 3.52 release notes.

   ---

   How to Report Problems

   If you have problems with Sun ONE Proxy Server, contact customer support at the following location:

   • http://www.sun.com/service/support/software/iplanet/index.html

   So that we can best assist you in resolving problems, please have the following information available when you contact support:

   • Description of the problem, including the situation where the problem occurs and its impact on your operation

   • Machine type, operating system version, and product version, including any patches and other software that might be affecting the problem

   • Detailed steps on the methods you have used to reproduce the problem

   • Any error logs or core dumps

   ---

   For More Information

   For more information on Sun ONE Web Proxy Server, refer to the following documentation:

   • Web Proxy Server 3.6 Administrator's Guide - NT Version

   • Web Proxy Server 3.6 Administrator's Guide - Unix Version

   • Web Proxy Server 3.6 Installation Guide - NT Version

   • Web Proxy Server 3.6 Installation Guide - Unix Version

   • Web Proxy Server 3.6 Release Notes

   • Web Proxy Server 3.6 Service Pack 1 Release Notes

   Further information can be found at the following Internet locations:

   • Support --- http://www.sun.com/service/support/software/iplanet/index.html

   • Consulting Services --- http://www.sun.com/service/sunps/iplanet/

   • Developer Information --- http://developer.iplanet.com/

   • Sofware Training --- http://wwws.sun.com/software/training/

   • Software --- http://wwws.sun.com/software/

   • Product Data Sheet --- http://wwws.sun.com/software/products/web_proxy/ds_web_proxy.html

   ---

   Use of Sun ONE Web Proxy Server is subject to the terms described in the license agreement accompanying it. Copyright © 2002 Sun Microsystems, Inc. All rights reserved.