Sun Java System Web Server 6.1 SP11 Administrator's Guide

Chapter 5 Setting Administration Preferences

You can configure your Administration Server using the pages on the Preferences and Global Settings tabs.

Note –

You must enable cookies in your browser to run the CGI programs necessary for configuring your server.

This chapter includes the following sections:

Shutting Down the Administration Server

Once the server is installed, it runs constantly, listening for and accepting HTTP requests. You might want to stop and restart your server if, for instance, you have just installed a Java Development Kit (JDK) or Directory Server, or if you have changed listen socket settings.

You can stop the server by using one of the following methods:

After you shut down the server, it may take a few seconds for the server to complete its shut-down process and for the status to change to “Off.”

Editing Listen Socket Settings

Before the server can process a request, it must accept the request via a listen socket, then direct the request to the correct virtual server. When you install the Sun Java System Web Server, one listen socket, ls1, is created automatically. This listen socket uses the IP address and the port number you specified as your HTTP server port number during installation (the default is 8888). You cannot delete the default listen socket.

You can edit the server’s listen socket settings using the Administration Server’s Listen Sockets Table.

Procedure: To access the Administration Server’s Listen Sockets table

  1. Access the Administration Server and click the Preferences tab.

  2. Click the Edit Listen Sockets link.

  3. Make the necessary changes and click OK.

    For more information, see Chapter 14, Using Virtual Servers and the online help for the Edit Listen Sockets page.

Changing the User Account (UNIX/Linux)

The Server Settings page allows you to change the user account for the web server on UNIX and Linux machines. All the server’s processes run as this user.

You do not need to specify a server user if you specified a port number greater than 1024 and are not running the server as root (in this case, you do not need to be logged in as root to start the server). If you do not specify a user account, the server runs with the user account specified at server startup. Make sure you use the correct user account when you start the server.

Note –

If you do not know how to create a new user on your system, contact your system administrator or refer to the system documentation.

Even if you start the server as root, you should not run the server as root all the time. You want the server to have restricted access to your system resources and run as a non-privileged user. The user name you enter as the server user should already exist as a normal UNIX/Linux user account. After the server starts, it runs as this user.

To avoid creating a new user account, choose the user nobody or an account used by another HTTP server running on the same host. On some systems, the user nobody can own files but is unable to run programs.

Procedure: To access the Server Settings page

  1. Access the Administration Server and choose the Preferences tab.

  2. Click the Server Settings link.

  3. Make the desired changes and click OK.

Changing the Superuser Settings

You can configure superuser access for Administration Server. These settings affect only the superuser account. If your Administration Server uses distributed administration, set up additional access controls for the administrators you allow.

Caution –

If you use Sun Java System Directory Server to manage users and groups, update the superuser entry in the directory before you change the superuser's user name or password. If you do not update the directory first, you will not be able to access the Users & Groups forms in the Administration Server. To fix this problem, you can access the Administration Server with an administrator account that has access to the directory, or update the directory using the Sun Java System Directory Server’s Console or its configuration files.

Procedure: To change the superuser settings for the Administration Server

  1. Access the Administration Server and choose the Preferences tab.

  2. Click the Superuser Access Control link.

  3. Make the desired changes and click OK.

    Note –

    You can change the Administration Server user from root to another user to enable multiple users (belonging to the group) to edit or manage the configuration files. On UNIX/Linux platforms, the installer can give “rw” (read/write) permissions to a group for the configuration files. On Windows platforms, the user must belong to the “Administrators” group to modify the configuration file.

    The superuser’s user name and password are kept in a file called server_root/https-admserv/config/admpw. If you forget the user name, you can view this file to obtain the actual name; however, note that the password is encrypted and unreadable. The file has the format username:password. If you forget the password, you can edit the admpw file and simply delete the encrypted password. You can then go to the Server Manager forms and specify a new password.

    Caution –

    Because you can edit the admpw file, it is very important that you keep the server in a secure location and restrict access to its file system:

    • On UNIX/Linux systems, consider changing the file ownership so that it is writable only by root or the system user that runs the Administration Server daemon.

    • On Windows systems, restrict the file ownership to the user account that the Administration Server uses.
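One way to check the UNIX/Linux recommendation above, as an added example that is not part of the original guide. It audits an admpw-style file for group or world write permission, an unexpected owner, and an empty password field (the state the file is in after the encrypted password has been deleted). The function name, the `EXPECTED_OWNERS` variable and the finding messages are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: audit an admpw-style file (format: username:password).
# Prints one line per finding and returns the number of findings (0 = clean).
# EXPECTED_OWNERS is an assumption: the accounts allowed to own the file,
# i.e. root or the user that runs the Administration Server daemon.
EXPECTED_OWNERS="${EXPECTED_OWNERS:-root}"

audit_admpw() {
    file=$1
    findings=0
    note() { echo "FINDING: $file: $1"; findings=$((findings + 1)); }

    [ -f "$file" ] || { echo "FINDING: $file: not a regular file"; return 1; }
    [ -L "$file" ] && note "is a symbolic link"

    # ls -ldL output: columns 1-10 are the mode string, field 3 is the owner.
    perms=$(ls -ldL "$file" | cut -c1-10)
    owner=$(ls -ldL "$file" | awk '{print $3}')
    case $perms in ?????w????) note "group-writable ($perms)" ;; esac
    case $perms in ????????w?) note "world-writable ($perms)" ;; esac

    allowed=no
    for o in $EXPECTED_OWNERS; do
        [ "$owner" = "$o" ] && allowed=yes
    done
    [ "$allowed" = yes ] || note "owned by $owner, expected: $EXPECTED_OWNERS"

    # Content check: both fields of username:password must be present.
    line=$(head -n 1 "$file")
    case $line in
        *:*) user=${line%%:*}; pass=${line#*:}
             [ -n "$user" ] || note "user name is empty"
             [ -n "$pass" ] || note "password field is empty (reset state)" ;;
        *)   note "first line is not in username:password format" ;;
    esac
    return "$findings"
}

# Usage: sh audit_admpw.sh server_root/https-admserv/config/admpw
if [ $# -gt 0 ]; then audit_admpw "$1"; fi
```

Run it as a user that can read the file, with `EXPECTED_OWNERS` set to the account your Administration Server actually uses.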

Allowing Multiple Administrators

Multiple administrators can change specific parts of the server through distributed administration.

Note –

The default Directory Service must be an LDAP-based directory service for distributed administration to work.

With distributed administration there are two levels of users:

For more information on access control, see What Is Access Control?.

Note –

Before you can enable distributed administration, you must install a Directory Server. For more information, see the Sun Java System Web Server 6.1 SP11 Installation and Migration Guide and the Sun Java System Directory Server Administrator’s Guide.

Procedure: To enable distributed administration

  1. Verify that you have installed a Directory Server.

  2. Access the Administration Server.

  3. Once you have installed a Directory Server, you might need to create an administration group if you have not already created one.

    To create a group, perform the following steps:

    1. Choose the Users & Groups tab.

    2. Click the New Group link.

    3. Create an “administrators” group in the LDAP directory and add the names of the users who have permission to configure the Administration Server, or any of the servers installed in its server root. All users in the “administrators” group have full access to the Administration Server, but you can use access control to limit the servers and forms they are allowed to configure.

      Caution –

      Once you create an access-control list, the distributed administration group is added to that list. If you change the name of the “administrators” group, you must manually edit the access-control list to change the group it references.

  4. Choose the Preferences tab.

  5. Click the Distributed Admin link.

  6. Make the necessary changes and click OK.

    For more information, see the Distributed Administration page in the online help.

Specifying Log File Options

The Administration Server log files record data about the server, including the types of errors encountered and information about server access. Viewing these logs allows you to monitor server activity and troubleshoot problems by providing data like the type of error encountered and the time certain files were accessed.

You can specify the type and format of the data recorded in the Administration Server logs using the Log Preferences page. For instance, you can choose to log data about every client who accesses the Administration Server or you can omit certain clients from the log. In addition, you can choose the Common Logfile Format, which provides a fixed amount of information about the server, or you can create a custom log file format that better meets your requirements.

Access the Administration Server Log Preferences page by clicking the Logging Options link from the Preferences tab.

For more information, see the Logging Options page in the online help, and Chapter 11, Using Log Files.

Viewing Log Files

The Administration Server log files are located in the admin/logs directory in your server's root directory. For example, on a Windows platform, the path to your log files might look like c:\Sun\server6\https-admserv\logs. You can view the error log and the access log using the Sun Java System Web Server console or a text editor.

The Access Log File

The access log records information about requests to and responses from the server.

Procedure: To view the access log file

  1. Access the Administration Server and choose the Preferences tab.

  2. Click the View Access Log link and click OK.

    For more information, see the View Error Log page in the online help, and Chapter 11, Using Log Files.

The Error Log File

The error log lists all the errors the server has encountered since the log file was created. It also contains informational messages about the server such as when the server was started and users who attempted unsuccessfully to log in to the server.

Procedure: To view the error log file

  1. Access the Administration Server and choose the Preferences tab.

  2. Click the View Error Log link and click OK.

    For more information, see the View Access Log page in the online help, and Chapter 11, Using Log Files.

Archiving Log Files

You can set up a process by which your log files are automatically archived. At a certain time, or after a specified interval, Sun Java System Web Server rotates your access logs. Sun Java System Web Server saves the old log files and stamps each saved file with a name that includes the date and time it was saved.

For example, you can set up a schedule for your files to rotate every hour, and Sun Java System Web Server saves and names the file “access.199907152400,” where “name|year|month|day|24-hour time” is concatenated together into a single character string. The exact format of the access log archive file varies depending upon which type of log rotation you schedule.

Access log rotation is initialized at server startup. If rotation is activated, the Sun Java System Web Server creates a time-stamped access log file and rotation starts at server startup.

Once rotation starts, the Sun Java System Web Server creates a new time-stamped access log file when a request that needs to be logged in the access log file arrives after the previously scheduled “next rotate time.”

Using Schedulerd Control-based Log Rotation (UNIX/Linux)

You can configure several features of your Sun Java System Web Server to operate automatically and to begin at specific times. The schedulerd control daemon checks the computer clock and then spawns processes at certain times. (These settings are stored in the schedulerd file.)

This schedulerd control daemon controls cron tasks for your Sun Java System Web Server and can be activated and deactivated from the Administration Server. The tasks performed by the cron process depend on various servers. (Note that on Windows platforms, the scheduling occurs within the individual servers.)

Some of the tasks controlled by the schedulerd control daemon include scheduling collection maintenance and archiving log files. Restart the schedulerd control daemon when you change the settings for scheduled tasks.

Procedure: To restart, start, or stop the schedulerd control daemon

  1. Access the Administration Server and choose the Global Settings tab.

  2. Click the Cron Control link.

  3. Click Start, Stop, or Restart to change the schedulerd controls.

    To start the schedulerd daemon from the CLI, run the following commands:

      > ADMSERV_ROOT=$SERVER_ROOT/https-admserv/config
      > export ADMSERV_ROOT
      > cd $SERVER_ROOT/bin/https/bin
      > ./schedulerd -d <server_root>

    For example:

      > ADMSERV_ROOT=/export2/iws61sp1/https-admserv/config
      > export ADMSERV_ROOT
      > cd /export2/iws61sp1/bin/https/bin
      > ./schedulerd -d /export2/iws61sp1
      > server scheduler daemon started# 

    To stop schedulerd from the command line, kill the schedulerd process and remove the pid file as shown below:

    export PID_FILE=/opt/SUNWwbsvr/https-admserv/logs/
    kill -9 -`cat $PID_FILE`
    rm $PID_FILE

    Note –

    Whenever you add a task to the schedulerd daemon, you must restart the daemon.
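A guarded variant of the command-line stop step above, as an added example that is not part of the original guide. It validates the pid file before signalling, so a stale or altered file cannot cause an unrelated process to be killed. Unlike the page's command, it signals the single PID with SIGTERM first and uses SIGKILL only as a fallback. The function names, return codes and the assumption that the process name is `schedulerd` are choices made for this sketch, and the pid file path is passed in as an argument.

```shell
#!/bin/sh
# Added example. check_pidfile FILE NAME
#   Prints the PID and returns 0 only if FILE is a regular file holding one
#   numeric PID > 1 of a live process whose command name is NAME.
#   Return codes (assumed for this sketch): 1 no file, 2 bad content,
#   3 stale PID, 4 PID belongs to a different program.
check_pidfile() {
    pidfile=$1; expected=$2
    if [ ! -f "$pidfile" ] || [ -L "$pidfile" ]; then
        echo "$pidfile: not a regular file" >&2; return 1
    fi
    pid=$(cat "$pidfile")
    case $pid in
        ''|*[!0-9]*) echo "$pidfile: content is not a PID" >&2; return 2 ;;
    esac
    [ "$pid" -gt 1 ] 2>/dev/null || { echo "refusing PID $pid" >&2; return 2; }
    # kill -0 sends no signal; it only tests that we may signal the process.
    if ! kill -0 "$pid" 2>/dev/null; then
        echo "$pidfile: stale, no signalable process $pid" >&2; return 3
    fi
    # Linux exposes the command name in /proc; fall back to ps elsewhere.
    comm=$(cat "/proc/$pid/comm" 2>/dev/null || ps -p "$pid" -o comm= 2>/dev/null)
    if [ "${comm##*/}" != "$expected" ]; then
        echo "PID $pid is '$comm', not $expected" >&2; return 4
    fi
    echo "$pid"
}

# stop_daemon FILE NAME: SIGTERM first, SIGKILL only if still alive after 5 s.
stop_daemon() {
    pid=$(check_pidfile "$1" "$2") || return $?
    kill "$pid" || return 5
    i=0
    while kill -0 "$pid" 2>/dev/null && [ "$i" -lt 5 ]; do
        sleep 1; i=$((i + 1))
    done
    kill -0 "$pid" 2>/dev/null && kill -9 "$pid"
    rm -f "$1"
}

# Usage: sh stop_schedulerd.sh <path-to-pid-file> schedulerd
if [ $# -eq 2 ]; then stop_daemon "$1" "$2"; fi
```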

Configuring Directory Services

You can store and manage information such as the names and passwords of your users in a single Directory Server using an open-systems server protocol called the Lightweight Directory Access Protocol (LDAP). You can also configure the server to allow your users to retrieve directory information from multiple, easily accessible network locations.

Procedure: To configure the directory services preferences

  1. Access the Administration Server and choose the Global Settings tab.

  2. Click the Configure Directory Service link.

  3. Make the desired changes and click OK.

    For more information, see the Configure Directory Service page in the online help.

Restricting Server Access

You can control access to the entire server or to parts of it (that is, directories, files, file types). When the server evaluates an incoming request, it determines access based on a hierarchy of rules called access-control entries (ACEs), and then it uses the matching entries to determine if the request is allowed or denied. Each ACE specifies whether or not the server should continue to the next ACE in the hierarchy. The collection of ACEs is called an access-control list (ACL). When the server receives a request, it looks in the vsclass.obj.conf file (where vsclass is the virtual server class name) for a reference to an ACL, which is used to determine access. By default, the server has one ACL file that contains multiple ACLs.

You can configure access control globally for all servers through the Administration Server or for a resource within a specific server instance through the Server Manager. For more information about configuring access control for a resource, see Setting Access Control.

Note –

You must enable distributed administration before you can restrict access to the server.

Procedure: To restrict access to your Sun Java System web server

  1. Access the Administration Server and choose the Global Settings tab.

  2. Click the Restrict Access link.

  3. Select the desired server and click Create ACL.

    The Administration Server displays the access control rules for the server you specified.

  4. Make the desired access control changes and click OK.

    For more information, see the Restrict Access page in the online help.