
Sun ONE Web Server 6.1 Administrator's Guide

Chapter 5
Setting Administration Preferences

You can configure your Administration Server using the pages on the Preferences and Global Settings tabs. Note that you must enable cookies in your browser to run the CGI programs necessary for configuring your server.

This chapter includes the following sections:


Shutting Down the Administration Server

Once the server is installed, it runs constantly, listening for and accepting HTTP requests. You might want to stop and restart your server if, for instance, you have just installed a Java Development Kit (JDK) or Directory Server, or if you have changed listen socket settings.

You can stop the server using one of the following methods:

After you shut down the server, it may take a few seconds for the server to complete its shut-down process and for the status to change to “Off.”


Editing Listen Socket Settings

Before the server can process a request, it must accept the request via a listen socket, then direct the request to the correct virtual server. When you install Sun ONE Web Server, one listen socket, ls1, is created automatically. This listen socket uses the IP address 0.0.0.0 and the port number you specified as your HTTP server port number during installation (the default is 8888). You cannot delete the default listen socket.

You can edit your server’s listen socket settings using the Administration Server’s Listen Sockets Table. To access the table, perform the following steps:

  1. Access the Administration Server and click the Preferences tab.
  2. Click the Edit Listen Sockets link.
  3. Make the desired changes and click OK.

For more information, see Using Virtual Servers and the online help for the Edit Listen Sockets page.


Changing the User Account (UNIX/Linux)

The Server Settings page allows you to change the user account for your web server on UNIX and Linux machines. All the server’s processes run as this user.

You do not need to specify a server user if you chose a port number greater than 1024 and are not running as the root user (in this case, you do not need to be logged on as root to start the server). If you do not specify a user account here, the server runs with the user account you start it with. Make sure that when you start the server, you use the correct user account.


Note

If you do not know how to create a new user on your system, contact your system administrator or consult your system documentation.


Even if you start the server as root, you should not run the server as root all the time. You want the server to have restricted access to your system resources and run as a non-privileged user. The user name you enter as the server user should already exist as a normal UNIX/Linux user account. After the server starts, it runs as this user.

If you want to avoid creating a new user account, you can choose the user nobody or an account used by another HTTP server running on the same host. On some systems, however, the user nobody can own files but not run programs.

To access the Server Settings page, perform the following steps:

  1. Access the Administration Server and choose the Preferences tab.
  2. Click the Server Settings link.
  3. Make the desired changes and click OK.


Changing the Superuser Settings

You can configure superuser access for your Administration Server. These settings affect only the superuser account. That is, if your Administration Server uses distributed administration, you need to set up additional access controls for the administrators you allow.


Caution

If you use Sun ONE Directory Server to manage users and groups, you need to update the superuser entry in the directory before you change the superuser user name or password. If you don’t update the directory first, you won’t be able to access the Users & Groups forms in the Administration Server. To fix this, you’ll need to either access the Administration Server with an administrator account that does have access to the directory, or you’ll need to update the directory using the Sun ONE Directory Server’s Console or configuration files.


To change the superuser settings for the Administration Server, perform the following steps:

  1. Access the Administration Server and choose the Preferences tab.
  2. Click the Superuser Access Control link.
  3. Make the desired changes and click OK.

The superuser’s user name and password are kept in a file called server_root/https-admserv/config/admpw. If you forget the user name, you can view this file to obtain the actual name; however, note that the password is encrypted and unreadable. The file has the format username:password. If you forget the password, you can edit the admpw file and simply delete the encrypted password. You can then go to the Server Manager forms and specify a new password.


Caution

Because you can edit the admpw file, it is very important that you keep the server computer in a secure place and restrict access to its file system:

  • On UNIX/Linux systems, consider changing the file ownership so that it’s writable only by root or whatever system user runs the Administration Server daemon.
  • On Windows systems, restrict the file ownership to the user account Administration Server uses.
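The UNIX/Linux check described in this caution can be scripted. The following Python audit is an added example, not part of the original guide or of Sun ONE Web Server; the function names, the `allowed_uids` parameter and the sample file contents are assumptions made for illustration. It also reports an empty password field, the state the file is left in by the reset procedure above.

```python
import os
import stat
import tempfile


def audit_admpw(path, allowed_uids=(0,)):
    """Return a list of findings for an admpw file (username:password)."""
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        findings.append("admpw is a symbolic link")
        st = os.stat(path)
    if st.st_uid not in allowed_uids:
        findings.append(f"owner uid {st.st_uid} is not an allowed account")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("admpw is writable by group or other")
    # Whoever can write the directory can replace the file itself.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("config directory is writable by group or other")
    with open(path, encoding="utf-8", errors="replace") as fh:
        user, sep, password = fh.readline().rstrip("\r\n").partition(":")
    if not sep or not user:
        findings.append("first line is not in username:password form")
    elif not password:
        # The reset procedure in this section leaves the file in this state.
        findings.append("password field is empty")
    return findings


def make_sample(content, mode):
    """Write a constructed admpw file into a fresh private directory."""
    directory = tempfile.mkdtemp()
    path = os.path.join(directory, "admpw")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    me = (os.getuid(),)  # stand-in for root or the Administration Server user
    samples = {
        "locked down": make_sample("admin:CONSTRUCTED-HASH\n", 0o600),
        "world-writable": make_sample("admin:CONSTRUCTED-HASH\n", 0o666),
        "password deleted": make_sample("admin:\n", 0o600),
    }
    for label, path in samples.items():
        print(label, "->", audit_admpw(path, me) or "no findings")
```

On a real host, pass the path server_root/https-admserv/config/admpw and set `allowed_uids` to root plus the UID of the account that runs the Administration Server daemon.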


Allowing Multiple Administrators

Multiple administrators can change specific parts of the server through distributed administration.


Note

The default Directory Service must be an LDAP-based directory service for distributed administration to work.


With distributed administration you have two levels of users:

To enable distributed administration, perform the following steps:

  1. Verify that you have installed a Directory Server.
  2. Access the Administration Server.
  3. Once you’ve installed a Directory Server, you may also need to create an administration group, if you have not previously done so.
  4. To create a group, perform the following steps:

    1. Choose the Users & Groups tab.
    2. Click the New Group link.
    3. Create an “administrators” group in the LDAP directory and add the names of the users you want to have permission to configure the Administration Server, or any of the servers installed in its server root. All users in the “administrators” group have full access to the Administration Server, but you can use access control to limit the servers and forms they will be allowed to configure.

    Caution

      Once you create an access-control list, the distributed administration group is added to that list. If you change the name of the “administrators” group, you must manually edit the access-control list to change the group it references.


  5. Choose the Preferences tab.
  6. Click the Distributed Admin link.
  7. Make the desired changes and click OK.

For more information, see the Distributed Administration page in the online help.


Specifying Log File Options

The Administration Server log files record data about the server, including the types of errors encountered and information about server access. Viewing these logs allows you to monitor server activity and troubleshoot problems, because they provide data such as the type of error encountered and the time certain files were accessed.

You can specify the type and format of the data recorded in the Administration Server logs using the Log Preferences page. For instance, you can choose to log data about every client who accesses the Administration Server or you can omit certain clients from the log. In addition, you can choose the Common Logfile Format, which provides a fixed amount of information about the server, or you can create a custom log file format that better suits your requirements.

Access the Administration Server Log Preferences page by choosing the Preferences tab, then clicking the Logging Options link.

For more information, see the Logging Options page in the online help, and Using Log Files.

Viewing Log Files

The Administration Server log files are located in admin/logs in your server root directory. For example, on Windows, the path to your log files might look like c:\Sun\server6\https-admserv\logs. You can view both the error log and the access log through the Sun ONE Web Server console or using a text editor.

The Access Log File

The access log records information about requests to and responses from the server.

To view the access log file, perform the following steps:

  1. Access the Administration Server and choose the Preferences tab.
  2. Click the View Access Log link and click OK.

For more information, see the View Error Log page in the online help, and Using Log Files.

The Error Log File

The error log lists all the errors the server has encountered since the log file was created. It also contains informational messages about the server, such as when the server was started and who tried unsuccessfully to log in to the server.

To view the error log file, perform the following steps:

  1. Access the Administration Server and choose the Preferences tab.
  2. Click the View Error Log link and click OK.

For more information, see the View Access Log page in the online help, and Using Log Files.

Archiving Log Files

You can set up your log files to be automatically archived. At a certain time, or after a specified interval, Sun ONE Web Server rotates your access logs. Sun ONE Web Server saves the old log files and stamps the saved file with a name that includes the date and time they were saved.

For example, you can set up your files to rotate every hour, and Sun ONE Web Server saves and names the file “access.199907152400,” where “name|year|month|day|24-hour time” is concatenated together into a single character string. The exact format of the access log archive file varies depending upon which type of log rotation you set up.

Access log rotation is initialized at server startup. If rotation is turned on, Sun ONE Web Server creates a time-stamped access log file and rotation starts at server startup.

Once rotation starts, Sun ONE Web Server creates a new time-stamped access log file when a request needs to be logged to the access log file and that request occurs after the previously scheduled “next rotate time.”

Using schedulerd Control-based Log Rotation (UNIX/Linux)

You can configure several features of your Sun ONE Web Server to operate automatically and to begin at specific times. The schedulerd control daemon checks the computer clock and then spawns processes at certain times. (These settings are stored in the schedulerd file.)

The schedulerd control daemon controls cron tasks for your Sun ONE Web Server and can be activated and deactivated from the Administration Server. The tasks performed by the cron process depend on the various servers. (Note that on Windows platforms, the scheduling occurs within the individual servers.)

Some of the tasks that can be controlled by the schedulerd control daemon include scheduling collection maintenance and archiving log files. You need to restart the schedulerd control daemon whenever you change the settings for scheduled tasks.

To restart, start, or stop the schedulerd control daemon, perform the following steps:

  1. Access the Administration Server and choose the Global Settings tab.
  2. Click the Cron Control link.
  3. Click Start, Stop, or Restart to change the schedulerd controls.

Note that any time you add a task to schedulerd, you need to restart the daemon.


Configuring Directory Services

You can store and manage information such as the names and passwords of your users in a single Directory Server using an open-systems server protocol called the Lightweight Directory Access Protocol (LDAP). You can also configure the server to allow your users to retrieve directory information from multiple, easily accessible network locations.

To configure the directory services preferences, perform the following steps:

  1. Access the Administration Server and choose the Global Settings tab.
  2. Click the Configure Directory Service link.
  3. Make the desired changes and click OK.

For more information, see the Configure Directory Service page in the online help.


Restricting Server Access

You can control access to the entire server or to parts of the server (that is, directories, files, file types). When the server evaluates an incoming request, it determines access based on a hierarchy of rules called access-control entries (ACEs), and then it uses the matching entries to determine if the request is allowed or denied. Each ACE specifies whether or not the server should continue to the next ACE in the hierarchy. The collection of ACEs is called an access-control list (ACL). When a request comes in to the server, the server looks in vsclass.obj.conf (where vsclass is the virtual server class name) for a reference to an ACL, which is then used to determine access. By default, the server has one ACL file that contains multiple ACLs.

You can set access control globally for all servers through the Administration Server or for a resource within a specific server instance through the Server Manager. For more information about setting access control for a resource, see Setting Access Control.

To restrict access to your Sun ONE Web Servers, perform the following steps:

  1. Access the Administration Server and choose the Global Settings tab.
  2. Click the Restrict Access link.
  3. Select the desired server and click Create ACL.
  4. The Administration Server displays the access control rules for the server you specified.

  5. Make the desired access control changes and click OK. For more information, see the Restrict Access page in the online help.




Copyright 2004 Sun Microsystems, Inc. All rights reserved.