Release Notes for Sun ONE Web Proxy Server 3.6 Service Pack 2
817-0538-10
Updated: January 12, 2003



Release Notes for Sun™ Open Net Environment (Sun ONE) Web Proxy Server

Version 3.6 SP2

These release notes contain important information available at the time of the version 3.6 Service Pack 2 release of Sun™ Open Net Environment (Sun ONE) Web Proxy Server (formerly iPlanet Web Proxy Server).

Sun ONE Web Proxy Server can be installed on the following platforms: Windows, HP-UX, AIX and Solaris™ Operating Environment (Solaris OE). For operating environment version details, refer to the section Supported Platforms in these release notes.

An electronic version of these release notes can be found at the Sun ONE documentation web site: http://docs.sun.com. Check the web site prior to installing and setting up your software and then periodically thereafter to view the most up-to-date release notes and manuals.

These release notes contain the following sections:

  • Enhancements in Service Pack Releases
  • Installation Notes
  • Migration Notes
  • Troubleshooting
  • Resolved Issues

Enhancements in Service Pack Releases

Some of the enhancements made in the service pack releases of Sun ONE Web Proxy Server 3.6 are listed below:

Handling Client Authentication With Digital Certificates (4543418)

Proxy Server can now authenticate users with digital certificates. The mapping between a client certificate and a directory entry is defined in the certmap.conf file, located under <server_root>/userdb. This certificate-mapping file determines how the server looks up a user entry in the LDAP directory; edit it and add entries to match the organization of your LDAP directory and the certificates you issue to your users.

Specifically, the mapping file defines:

  • Where in the LDAP tree the server should begin its search.
  • Which certificate attributes the server should use as search criteria when searching for the entry in the LDAP directory.
  • Whether the server goes through an additional verification process.

A mapping has the following syntax:

certmap name issuerDN

name:property [value]

The first line specifies a name for the mapping. The name is arbitrary; you can define it to be whatever you want. However, issuerDN must match the distinguished name of the certificate authority that issued the client certificate exactly. For example, the following two issuerDN lines differ only in the spaces separating the components, but the server treats them as two different entries:

certmap Iplanet1 ou=Red Certificate Authority,o=iPlanet,c=US

certmap Iplanet2 ou=Red Certificate Authority, o=iPlanet, c=US

The second and subsequent lines in the named mapping match properties with values. The certmap.conf file has six standard properties (DNComps, FilterComps, verifycert, CmapLdapAttr, library and InitFn). You can use the Certificate-Mapping API to create your own custom properties.

The feature is controlled by a new magnus.conf directive, CertificateChecking, which takes the values ON and OFF. It is OFF by default. To enable the feature, add the following line:

CertificateChecking ON

ACLs and Authentication With Certificates

When you declare the users or groups that are allowed access, remember that the generated ACL file identifies users by UID, and that this UID is what authentication (basic or SSL) is checked against later. With SSL client authentication, the UID is taken from the client certificate.

The proxy first attempts to match the certificate presented by the user with the user entry stored in the LDAP Directory Server, following the search criteria defined in certmap.conf. If this step succeeds, the proxy then matches the UID extracted from the certificate against the user name stored in the ACL file.

The client certificate should therefore carry a UID field. If no UID field is found in the certificate, the proxy falls back, by default, to the CN (Common Name) field to match the name stored in the generated ACL file. A Common Name is less likely to be unique than a UID, so issue certificates with a UID component whenever access control depends on matching individual users.
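The following Python model, added here as an illustration and not part of the release notes or of the proxy's own code, shows the three decisions described above: selecting a mapping by exact issuerDN string match, building the LDAP search from the DNComps and FilterComps properties, and choosing the UID (or, failing that, the CN) that is compared with the ACL user name. The sample certmap.conf, the DNs and the server base DN are constructed for the example; the real server also applies verifycert and any attribute-name translation, which this model does not.

```python
"""Added example (not the proxy's code): how a certmap.conf mapping is chosen
for a client certificate, how DNComps/FilterComps turn the certificate subject
into an LDAP lookup, and which subject attribute is matched against the ACL."""
import re

# Constructed sample certmap.conf. The issuerDN of "Iplanet1" is written
# without spaces after the commas, exactly as it appears in the CA's DN.
SAMPLE_CERTMAP = """\
certmap default default
default:DNComps
default:FilterComps e
default:verifycert off

certmap Iplanet1 ou=Red Certificate Authority,o=iPlanet,c=US
Iplanet1:DNComps ou,o,c
Iplanet1:FilterComps uid
Iplanet1:verifycert on
"""


def parse_certmap(text):
    """Return {name: {"issuer": issuerDN, "props": {property: value}}}."""
    maps = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("certmap "):
            _, name, issuer = line.split(None, 2)   # issuerDN may contain spaces
            maps[name] = {"issuer": issuer, "props": {}}
            continue
        name, _, rest = line.partition(":")
        prop, _, value = rest.strip().partition(" ")
        maps[name]["props"][prop] = value.strip()
    return maps


def split_dn(dn):
    """Split a DN on unescaped commas into [(attr, value)], attr lower-cased."""
    comps = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.strip().partition("=")
        comps.append((attr.strip().lower(), value.strip()))
    return comps


def select_mapping(maps, issuer_dn):
    """issuerDN is compared as an exact string: an issuer written with spaces
    after the commas does not match an entry written without them, so the
    certificate falls through to the "default" mapping."""
    for name, entry in maps.items():
        if entry["issuer"] == issuer_dn:
            return name
    return "default" if "default" in maps else None


def ldap_lookup(mapping, subject_dn, server_base_dn):
    """Build (search base, search filter): DNComps names the subject components
    that form the base (none means the server's base DN), FilterComps names the
    components that form the filter."""
    subject = split_dn(subject_dn)
    props = mapping["props"]
    dn_comps = [c.strip().lower() for c in props.get("DNComps", "").split(",") if c.strip()]
    filter_comps = [c.strip().lower() for c in props.get("FilterComps", "").split(",") if c.strip()]
    base = ",".join(f"{a}={v}" for a, v in subject if a in dn_comps) or server_base_dn
    terms = [f"({a}={v})" for a, v in subject if a in filter_comps]
    if not terms:
        return base, None                      # nothing usable in the subject
    flt = terms[0] if len(terms) == 1 else "(&" + "".join(terms) + ")"
    return base, flt


def acl_user_name(subject_dn):
    """Name compared with the ACL file: the certificate's uid if it has one,
    otherwise its cn (the default fallback described above)."""
    found = {}
    for attr, value in split_dn(subject_dn):
        found.setdefault(attr, value)          # first occurrence wins
    return found.get("uid") or found.get("cn")
```

Running select_mapping with the two issuerDN spellings from the text shows why the whitespace matters: only the exact spelling reaches the Iplanet1 mapping, the other lands on the default mapping with whatever verification that one specifies.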

Use of LDAP dynamic groups for authentication (4570987)

Proxy Server supports LDAP dynamic groups, in addition to LDAP static groups, for authentication, access control, and user and group management. Dynamic groups are managed via the LDAP server user interface. They are used in Proxy Server administration in the same way as static groups (by providing the name of the group to define ACLs).

This feature introduces two new configuration parameters in the configuration file magnus.conf:

  • dyngroups. This parameter determines how Proxy Server handles dynamic groups. It takes three values: off (default), on and recursive.
    • When set to off (default), Proxy Server does not take dynamic groups into account (it still takes into account users and static groups).
    • When set to on, Proxy Server evaluates dynamic groups but not recursively. Therefore, dynamic groups cannot have group members.
    • When set to recursive, Proxy Server evaluates dynamic groups recursively. This option allows you to have static and dynamic groups that can include static or dynamic groups. This is the most costly option in terms of CPU consumption.

  • searchdepth. This parameter provides the maximum search depth in groups (static or dynamic). It takes an integer, greater than zero (the default value is 30). If the search process remains unsuccessful within this limit, access is denied. For example, when searchdepth  is set to 2:
    • "user belongs to group1 which belongs to group2" is scanned.
    • "user belongs to group1 which belongs to group2 which belongs to group3" is not scanned.

    The following is an example of the magnus.conf  configuration file:

    dyngroups recursive

    searchdepth 10
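As an added illustration (not the proxy's code), the following Python model evaluates group membership under the three dyngroups settings and the searchdepth limit described above, and reads both parameters from a magnus.conf fragment with the documented defaults. The directory entries, group names and memberURL filters are constructed; the memberURL filter is reduced to a single equality test, and the direction of the search (from the group down to its members) is a modelling choice, since the notes do not specify it.

```python
"""Added example (not the proxy's code): group membership evaluation under the
dyngroups (off / on / recursive) and searchdepth settings of magnus.conf."""

# Constructed directory: DN -> attributes (every value is a list, as in LDAP).
DIRECTORY = {
    "uid=jdoe,ou=People,o=iPlanet": {
        "objectclass": ["person"], "uid": ["jdoe"], "department": ["eng"]},
    "uid=alice,ou=People,o=iPlanet": {
        "objectclass": ["person"], "uid": ["alice"], "department": ["sales"]},
    # dynamic group: its members are whatever matches the memberURL filter
    "cn=eng,ou=Groups,o=iPlanet": {
        "objectclass": ["groupofurls"],
        "memberurl": ["ldap:///o=iPlanet??sub?(department=eng)"]},
    # static groups; "staff" has the dynamic group "eng" as a member
    "cn=staff,ou=Groups,o=iPlanet": {
        "objectclass": ["groupofuniquenames"],
        "uniquemember": ["cn=eng,ou=Groups,o=iPlanet", "uid=alice,ou=People,o=iPlanet"]},
    "cn=everyone,ou=Groups,o=iPlanet": {
        "objectclass": ["groupofuniquenames"],
        "uniquemember": ["cn=staff,ou=Groups,o=iPlanet"]},
    # dynamic group whose filter matches other groups rather than users
    "cn=all-static-groups,ou=Groups,o=iPlanet": {
        "objectclass": ["groupofurls"],
        "memberurl": ["ldap:///o=iPlanet??sub?(objectclass=groupofuniquenames)"]},
}


def read_group_settings(magnus_conf):
    """Pick dyngroups/searchdepth out of magnus.conf text, with the documented
    defaults (off, 30); searchdepth must be an integer greater than zero."""
    dyngroups, searchdepth = "off", 30
    for line in magnus_conf.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1]
        if key == "dyngroups":
            if value.lower() not in ("off", "on", "recursive"):
                raise ValueError(f"bad dyngroups value: {value}")
            dyngroups = value.lower()
        elif key == "searchdepth":
            searchdepth = int(value)
            if searchdepth <= 0:
                raise ValueError("searchdepth must be greater than zero")
    return dyngroups, searchdepth


def _is_group(entry):
    return any(oc.lower() in ("groupofuniquenames", "groupofurls")
               for oc in entry.get("objectclass", []))


def _matches(entry, member_url):
    """Apply the filter part of an LDAP URL (base?attrs?scope?filter);
    only a single equality filter is modelled here."""
    flt = member_url.split("?")[3].strip("()")
    attr, _, value = flt.partition("=")
    return value in entry.get(attr.lower(), [])


def is_member(directory, user_dn, group_dn, dyngroups="off", searchdepth=30, _depth=1):
    """True if user_dn is in group_dn within searchdepth nesting levels.
    _depth 1 is direct membership; "user in group1 in group2" is depth 2."""
    if _depth > searchdepth:
        return False                      # deeper nesting is not scanned: deny
    group = directory[group_dn]
    dynamic = "memberurl" in group
    if dynamic and dyngroups == "off":
        return False                      # dynamic groups are ignored entirely
    candidates = list(group.get("uniquemember", []))
    if dynamic:
        for dn, entry in directory.items():
            if dn == group_dn or not _matches(entry, group["memberurl"][0]):
                continue
            # "on": a dynamic group may contain users only;
            # "recursive": groups matching the filter are followed as well
            if not _is_group(entry) or dyngroups == "recursive":
                candidates.append(dn)
    if user_dn in candidates:
        return True
    return any(dn in directory and _is_group(directory[dn]) and
               is_member(directory, user_dn, dn, dyngroups, searchdepth, _depth + 1)
               for dn in candidates)
```

With searchdepth set to 2, jdoe is found in cn=staff (jdoe in eng in staff) but not in cn=everyone (one level deeper), which is exactly the deny-on-limit behaviour the parameter description gives; raising searchdepth to 3 admits the deeper path at the cost of another LDAP round of lookups per request.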

Authentication/LDAP caching on NT (4571109)

Proxy Server can now cache LDAP information in a simple hash-based proxy authentication cache. LDAP caching reduces the load on your directory server and improves performance. The cache holds user password and user group information in memory. A cached entry is used until it expires, so a password change or a group change made in the directory is not seen by the proxy until the entry's expiration time has elapsed; choose the expiration time accordingly.

From the administration user interface, you can enable and disable the authentication cache, configure the hash table size, configure the number of entries the cache holds, and set the entry expiration time.

The following obj.conf directive enables and disables this feature:

Init status=<ON|OFF> hash-size=<Size_of_hash_table> table-size=<Size_of_table_of_entries> expires=<Expires_in_so_many_seconds> fn="init-pauth-cache"

Example:

Init status="on" hash-size="271" table-size="1355" expire="3600" fn="init-pauth-cache"

Handling of LDAP server failover (4575151)

Proxy Server provides basic failover capability, so that it can serve requests when Directory Server is not running. Directory Server must still be running to administer Proxy Server through the administration console.

To add alternate LDAP servers, enter multiple host names in the Directory Server field in the administration console of Proxy Server, separated by a blank character. The LDAP port is common to all servers, so alternate servers must use the same LDAP port as configured in the administration console.

Proxy Server has two time-out values, one for bind operations and one for searches. When a time-out occurs, Proxy Server retries the failed LDAP server once. If the server is still unreachable, the current LDAP operation fails and all open connections to the failed server are marked down. The next Proxy Server operation uses a new pool of connections to the next alternate server. Proxy Server does not switch back to the main LDAP server when it becomes available again.

At start time, Proxy Server opens a set of connections to the LDAP directory server (see the LdapConnPool parameter). If the main server is unreachable, Proxy Server tries to switch to an alternate server and tries to open connections. If this procedure fails, an error is reported to the log.

No failover is implemented in the console, so the primary directory must be up and running to use the administration console.

You can configure server failover using two new parameters in the configuration file, magnus.conf:

  • SearchTimeLimit (integer>0, default=15). Specifies the time-out value, in seconds, for search operations on the LDAP server.
  • BindTimeLimit (integer>0, default=30). Specifies the time-out value, in seconds, for bind operations on the LDAP server.
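The following Python simulation, added here and not part of the proxy, walks through the failover sequence described above with fake directory servers standing in for the real ones: a time-out is retried once, the current operation then fails, the next operation opens a new pool to the next alternate, and the proxy stays there even after the primary recovers. The host names ldap1 and ldap2, the port and the search filter are constructed; the time limits are read from a magnus.conf fragment with the documented defaults.

```python
"""Added example (not the proxy's code): simulation of LDAP failover as
described in the release notes, using fake directory servers."""


class LdapTimeout(Exception):
    """Raised by a fake server that does not answer within the time limit."""


class LdapOperationFailed(Exception):
    """The current proxy operation fails after the single retry also times out."""


class FakeDirectoryServer:
    def __init__(self, name, up=True):
        self.name, self.up, self.searches = name, up, 0

    def bind(self):
        if not self.up:
            raise LdapTimeout(self.name)

    def search(self, flt):
        self.searches += 1
        if not self.up:
            raise LdapTimeout(self.name)
        return f"{self.name}:{flt}"


def read_time_limits(magnus_conf):
    """SearchTimeLimit / BindTimeLimit from magnus.conf, in seconds, with the
    documented defaults (15 and 30); both must be greater than zero."""
    limits = {"SearchTimeLimit": 15, "BindTimeLimit": 30}
    for line in magnus_conf.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in limits:
            value = int(parts[1])
            if value <= 0:
                raise ValueError(f"{parts[0]} must be greater than zero")
            limits[parts[0]] = value
    return limits


class FailoverPool:
    """Connection pool to whichever directory server is current. The
    admin-console field lists the primary and alternates separated by blanks;
    one LDAP port applies to all of them."""

    def __init__(self, directory_server_field, port, servers, pool_size=4):
        self.hosts = directory_server_field.split()
        self.port, self.servers, self.pool_size = port, servers, pool_size
        self.index = 0            # position in self.hosts; never moves backwards
        self.connections = None   # None means the pool must be (re)opened
        self.log = []
        self._open_pool()

    def _open_pool(self):
        """At start (and after a failure) open connections to the current
        server, moving on to the next alternate if it is unreachable."""
        while self.index < len(self.hosts):
            host = self.hosts[self.index]
            try:
                self.servers[host].bind()
                self.connections = [f"{host}:{self.port}#{i}" for i in range(self.pool_size)]
                return
            except LdapTimeout:
                self.log.append(f"cannot connect to {host}:{self.port}")
                self.index += 1
        self.connections = None
        self.log.append("error: no directory server reachable")

    def current_host(self):
        return self.hosts[self.index] if self.connections else None

    def search(self, flt):
        if self.connections is None:
            self._open_pool()     # next operation: new pool to the next alternate
        host = self.current_host()
        if host is None:
            raise LdapOperationFailed("no directory server available")
        for attempt in (1, 2):    # the failed server is retried exactly once
            try:
                return self.servers[host].search(flt)
            except LdapTimeout:
                self.log.append(f"search timed out on {host} (attempt {attempt})")
        # still failing: mark this server's connections down and fail the
        # current operation; the proxy never switches back to an earlier server
        self.connections = None
        self.index += 1
        raise LdapOperationFailed(host)


def scenario():
    """Primary fails after startup, then recovers: the proxy stays on ldap2."""
    servers = {"ldap1": FakeDirectoryServer("ldap1"), "ldap2": FakeDirectoryServer("ldap2")}
    pool = FailoverPool("ldap1 ldap2", 389, servers)
    events = []
    servers["ldap1"].up = False
    try:
        pool.search("(uid=jdoe)")
    except LdapOperationFailed as exc:
        events.append(f"operation failed on {exc}")
    events.append(pool.search("(uid=jdoe)"))
    servers["ldap1"].up = True              # primary is back, but is not used again
    events.append(pool.search("(uid=jdoe)"))
    return events, servers["ldap1"].searches, pool.current_host()
```

The operational consequence of the no-switch-back rule is visible in scenario(): once the proxy has moved to ldap2 it keeps using it, so after the primary is repaired the proxy must be restarted to return to it, and the request that triggered the failover is lost rather than transparently redirected.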

Installation Notes

This section describes how to install the proxy server, and contains the following information:

  • Supported Platforms
  • Supported Browsers
  • Required Patches
  • Memory Information
  • SSL Information

Supported Platforms

Sun ONE Web Proxy Server 3.6 SP2 is supported on the following platforms:

Table 1    Supported Platforms

Operating System                                                   Architecture
-----------------------------------------------------------------  ------------
Sun Solaris 9, Sun Solaris 8 (Solaris 2.6 supported through        UltraSPARC
binary compatibility)
Microsoft Windows NT 4.0 Server with Service Pack 6a               Intel x86
Microsoft Windows 2000 Server with Service Pack 3                  Intel x86
Microsoft Windows 2000 Advanced Server with Service Pack 3         Intel x86
Hewlett-Packard HP-UX 11.0 (see restriction below)                 PA-RISC
IBM AIX 4.3.3                                                      Power PC

HP-UX restriction: the value of the maxfiles and maxfiles_lim kernel parameters must be at least 2048, or the proxy server may exit.

Supported Browsers

  • Netscape Navigator™
    • 4.7x
    • 7.0

  • Internet Explorer
    • 5.5

Required Patches

This section provides patch information for Solaris OE.

Sun Solaris Patch Information

All patches on Sun's recommended patch list should be installed. For Sun's recommended patch list, see http://sunsolve.sun.com/pubpatch. For each patch, install the listed revision or a later revision. For example, if patch 111111-01 is required, the later revision 111111-03 will also work.

Sun ONE Web Proxy Server 3.6 on Solaris 2.6 requires patch 105529 rev09 or later.

Memory Information

Depending upon the platform, each process uses the following amount of RAM when idle:

Table 2    Memory usage

Operating System                                        Memory usage per process
------------------------------------------------------  -----------------------------------------------------------
Sun Solaris 8                                           5 MB per process (proxy server default is 32 processes)
Microsoft Windows NT4 & 2000 Server or Advanced Server  21 MB
Hewlett-Packard HP-UX 11.0                              3.5 MB per process (proxy server default is 32 processes)
IBM AIX 4.3.3                                           3 MB per process (proxy server default is 32 processes)

SSL Information

SSL information remains the same as in the previous version. The NT and Windows 2000 versions of Sun ONE Web Proxy Server 3.6 do not support SSL.

Migration Notes

This section includes migration information for installing Sun ONE Web Proxy Server 3.6:

Migrating  from Netscape Proxy Server 3.5x on NT

If you are migrating from a 3.5x release of Netscape Proxy Server to iPlanet Web Proxy Server 3.6 or higher, refer to the Sun ONE Web Proxy Server 3.6 SP2 Installation Guide before you carry out the migration.

The script \extras\cpProxyData.pl is provided to help you to retain your data and configuration files even as you migrate Proxy Server from a 3.5x version to a 3.6 version. For information on how to use this script, please refer to the section Migrating from a Previous Version of the Proxy Server in the Sun ONE Web Proxy Server 3.6 SP2 Installation Guide.



Caution

Do not use the option "Migrate from previous version" in the administration window. This link works only for Proxy Servers installed on UNIX systems.



Migrating from Netscape Proxy Server on UNIX

Use the option "Migrate from previous version" in the administration window to migrate from Netscape Proxy Server 3.5x to iPlanet Web Proxy Server 3.6.



Note

When you import a server from an earlier version, be sure to assign the same Server Identifier as was originally used to identify the server, otherwise you will experience problems with existing access control settings.



Migrating Proxy Plug-ins on AIX

iPlanet Web Proxy Server 3.6 is built on AIX 4.3, which natively supports runtime linking. Consequently, NSAPI plug-ins (which reference symbols in the ns-proxy main executable) must be built using the -G option which specifies that symbols must be resolved at runtime. Previous versions of iPlanet Web Proxy Server were built on AIX 4.1, which did not support native runtime linking. Plug-ins were enabled by building Proxy Server with additional software provided by IBM AIX to Netscape. No special runtime linking directives were required to build plug-ins. Because of this, plug-ins built for previous versions of Proxy Server on AIX will not work with iPlanet Web Proxy Server 3.6 without modification.

However, these plug-ins can easily be relinked to work with iPlanet Web Proxy Server 3.6. A script to relink existing plug-ins is provided in the plugins directory. Only the existing plug-in is required to run the script (not the original source and .o  files). Specific comments are provided within the script. Because all AIX versions from 4.2 onward natively support runtime linking, we do not anticipate this issue being a problem again for future Sun ONE Web Proxy Server releases built on AIX.

Relink Script

The relink script, relink_36plugin, is located in the following directory:

server_root/plugins (See relink_36plugin script for usage.)

#!/bin/ksh
#
# script to modify a plugin built for Netscape Proxy Server 3.5 to
# work with iPlanet Web Proxy Server 3.6
#
# usage: relink_36plugin <plugin>
#
# Script will create <plugin>.new that will work with iPlanet Web Proxy Server 3.6
#
# If your plugin was built with a specific default LIBPATH, then
# you must modify the DEF_LIBPATH variable below. Run the command
# "dump -H <plugin>" and your existing default LIBPATH will be listed
# as the PATH information by INDEX 0 under the ***Import File Strings***
# section.
DEF_LIBPATH=/usr/lib/threads:/usr/ibmcxx/lib:/usr/lib:/lib

# If your plugin has dependencies on other shared objects, then you
# must modify the LIBS variable below to include those dependencies
# (e.g. if you need symbols from shared objects libusra.so, libusrb.so, & libusrc.so,
# you would specify LIBS="-lusra -lusrb -lusrc")
# Run the command "dump -H <plugin>" to see if your plugin has
# any dependencies; they will be listed under the ***Import File Strings***
# section (Note: you don't have to specify system library dependencies
# such as libc.a, libc_r.a, etc.)
LIBS=

# Note: the following warnings may appear, but you can ignore them:
# ld: 0711-415 WARNING: Symbol __priority0x80000000 is already exported.
# ld: 0711-224 WARNING: Duplicate symbol: __priority0x80000000
# ld: 0711-224 WARNING: Duplicate symbol: .__priority0x80000000
# ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.

# Note: If you are running with the AIX CSet++ 3.1.4 compiler instead of
# the CSet++ 3.6.4 compiler, then replace all references in this script
# to "ibmcxx" with "lpp/xlC".

if [ -z "$1" ] || [ ! -f "$1" ]; then
    echo "usage: relink_36plugin <plugin>" >&2
    exit 1
fi

# per-invocation temporary object, removed when the relink is finished
TMPOBJ=/tmp/obj.$$.o

# Step 1: turn the existing plugin back into a relocatable object (-r)
# without its old shared-object bindings (-bnso).
/usr/bin/ld -bnso -r -o $TMPOBJ "$1" || exit 1

# Step 2: rebuild it as a shared object with runtime linking (-G) so that the
# symbols it references in ns-proxy are resolved when the proxy loads it.
/usr/ibmcxx/bin/makeC++SharedLib_r -p 0 -G -blibpath:$DEF_LIBPATH $LIBS \
    $TMPOBJ -o "$1.new"
status=$?
rm -f $TMPOBJ
exit $status

For more information on the migration process, refer to the Sun ONE Web Proxy Server 3.6 SP2 Installation Guide.

Troubleshooting

Members of a proxy array cannot update configuration from the master.

There are two possible reasons for this problem:

  1. When setting up a proxy array for the first time, be sure to use a higher Configuration ID for the master than for the members. Otherwise, members will not take into account the configuration they read from the master. For example, set Configuration ID to 2 for the master and 1 for members.
  2. On UNIX only, if the Administration Server and the Proxy Server run as two different users, the Proxy Server may not be able to update the parray.pat file, because the file is created by the Administration Server and is writable only by the Administration Server's user.

I cannot view my access log file from the server manager.

The log files may have grown too big. To remedy this, manually rotate the log files. In the server manager, select Server Status|Archive Log and click the Archive button. A new set of empty log files is created and the previous ones are renamed. The old log files can be deleted or backed up elsewhere.

To avoid this problem in the future:

  1. Limit the amount of information stored in the access log file. To do so, select Server Status|Log Preferences, and check only information fields corresponding to the information you want the access log file to record.
  2. Start a job to rotate log files regularly. To do so, choose Server Status|Archive Log, check rotate log at and choose the hours and days of access log rotations. To select more than one hour, keep the ctrl key pressed down while clicking on the hour menu. Click OK.

On HP-UX, when I restart the Socks Server it simply stops running.

On an HP-UX box, an attempt to restart the SOCKS Server while requests are being processed simply stops the SOCKS Server. Restart occurs each time you click the Save and Apply button in any SOCKS Server administration screen.

The fix for bug #538551 prevents the SOCKS Server from stopping at restart but only if no request is being processed at the same time. A simple workaround is to stop, then start the Socks Server instead of performing a restart.

Resolved Issues

This section contains lists of issues resolved in the following releases:

Issues Resolved in 3.6 SP2

This section lists problems corrected in Sun ONE Web Proxy Server 3.6 SP2:

Problem 4728221. Cannot customize error message for 404 and 500

The iPlanet Web Proxy Server 3.6 Administrator's Guide incorrectly states that the 404 and 500 error messages can be customized. Because these error messages are not generated by the proxy server, this is in fact not possible. For a list of error messages you can customize, see the Sun ONE Web Proxy Server 3.6 SP2 Administrator's Guide.

Problem 4627087. urldbgen not supported on NT.

The iPlanet Web Proxy Server 3.6 Administrator's Guide - NT Version incorrectly states that the urldbgen  utility is supported by proxy server on the Windows NT platform. This utility is supported only on the UNIX platform. The Sun ONE Web Proxy Server 3.6 SP2 Administrator's Guide - NT Version has been updated to correct the error.

Problem 4767765. Doc bug in admin guide on evaluating template.

The iPlanet Web Proxy Server 3.6 SP1 Administrator's Guide states that templates follow a hierarchy according to which the longest regular expression that matches the URL takes precedence over other regular expressions. In fact, the proxy server does not provide for hierarchies of templates. As of Sun ONE Web Proxy Server 3.6 SP2, the Administrator's Guide has been updated to remove this incorrect information.

Problem 4710423. Proxy logs incorrect content length.

Sun ONE Web Proxy Server 3.6 SP2 logs the content length sent by the content server in the response headers, not the exact number of bytes transferred.

Problem 4636517. Documentation of sitemon command required.

As of Sun ONE Web Proxy Server 3.6 SP2, the Administrator's Guide - UNIX Version carries a complete description of the sitemon  command.

Problem 4539177. Doc & Code differences to add a customized header in the request.

As of Sun ONE Web Proxy Server 3.6 SP2, a new section titled "Appending Customized Outgoing Headers" has been added to the Administrator's Guide - UNIX Version.

Problem 4703051. A new configuration variable in socks5.conf will be added to provide tuning.

As of Sun ONE Web Proxy Server 3.6 SP2, a new tuning parameter is available in the server-root/proxy-id/config/socks5.conf file called SOCKS5_TIMEOUT. This specifies the idle period that the SOCKS server will keep a connection alive between a client and a remote server before dropping the connection. For more details, see the Sun ONE Web Proxy Server 3.6 SP2 Administrator's Guide.

Problem 4537443. Proxy doesn't allow ServerID name to include dots in it.

As of Sun ONE Web Proxy Server 3.6 SP2, a new section titled "Creating a New Proxy Server Instance" has been added to the Sun ONE Web Proxy Server 3.6 SP2 Administrator's Guide, that specifies the characters you can use while naming the Server Identifier.

Problem 4657410. Performance affected on HP-UX when modifying ACL.

This problem was specific to the HP-UX platform. When attempting to set an ACL by specifying a large group (over 500 members), the response slowed down significantly. This problem has been corrected, and access control can now be specified for large groups without any performance overhead.

Problem 4707469. ACL file gets corrupted if user or group specified in ACL doesn't exist.

In previous releases, if you restricted access to a resource with an ACL and later deleted from the directory server all of the user or group entries named by that ACL, you could no longer enable access restrictions for any other resource. In addition, the following error message was generated: "System Error: Unable to create write ACL. An error occurred while trying to create the ACL structures."

As of Sun ONE Web Proxy Server 3.6 SP2, this problem has been corrected. If none of the user or group entries named by an ACL exists on the directory server, the corresponding entry is replaced by "all" in the genwork.proxy-id.acl file, as shown below:

Default deny anyone;
Default authenticate in {
Database "default";
Method basic;
};
Default allow all;

Further, the administrator is sent a notification containing a reference to the corresponding ACL. Because "all" is broader than the users or groups the ACL originally named, review the ACL identified in the notification and restore the intended restriction.

Problem 4643838. KeepAlive on Reverse Proxy Server does not work correctly.

Problem 4645900. After logging into a secure site, and entering search criteria, results do not get displayed.

Problem 4701070. Performance problem of the secure reverse proxy.

Problem 4725149. Sometimes, accept failed occurs if client stops the request.

Problem 4727882. An instance configured to use a second IP address configured on the host uses the first one.

Problem 4752175. Cache Policy default status should be "automatic" instead of "disabled."

Problem 4531117. Some log entries are missing "HTTP/1.0."

Problem 4540845. During FTP upload, a file name, if it contains spaces, is shortened.

Problem 4692843. Cannot migrate from Proxy 3.5x to Proxy 3.6 SP1.

Problem 4724289. SOCKS server tries to access an invalid socket.

Problem 4713948. Cannot specify mime filter with some mime type combination.

Problem 4715263. Failing to enable ACL in admin server on IE5.0.

Problem 4539858. SNMP agent does not work when secure reverse proxy enabled.

Problem 4540506. Proxy.txt contains reference to the Proxy 3.6 CD layout.

Problem 4621701. Proxy reported hostname as not existing even though it did.

Problem 4672205. Only the necessary partitions should be cleaned by the newgc script.

Issues Resolved in 3.6 SP1

This section lists problems corrected in iPlanet Web Proxy Server 3.6 SP1:

Proxy Crashes with very long URLs. (4563178)

In previous releases, when a request was bigger than 4118 bytes, Proxy Server would crash due to a problem with buffers in the flexlog. This problem has been corrected.

Proxy processes consumed 100% CPU after executing the log rotate command. (4621100)

Unable to configure ACL with large groups via HP-UX admin server. (4624955)

This problem was specific to the HP-UX platform. When attempting to set an ACL by specifying a large group (over 500 members) it failed with the message "Incorrect usage: Bad user or group, this users/groups were not in the database" (although they were in the database). This problem has been corrected and an HP-UX proxy admin can hold large groups without problems.

Error occurs when adding/modifying ACL if there are many ACLs. (4646267)

When adding or modifying a number of ACLs with specific large groups, the error "System Error: Unable to create write ACL." occurred and the genwork.*.acl and generated.*.acl files became inconsistent with each other. This problem was HP-UX specific and has been corrected.

Clients are requested to input UID & PASSWORD. (4550626)

When using client authentication through a secure reverse proxy, a temporary failure or a crash on the LDAP directory caused a prompt (repeatedly asking users for authentication).

A new magnus.conf variable, LdapCheckUp, has been created to correct this problem. Background: the proxy recycles a child process once it has served 128 requests (ProcessLife). When a child process reaches this limit it sends a SIGCHLD signal to the daemon, which respawns a new process and at the same time calls a callback function that checks the sanity of the LDAP connections. The frequency of these calls therefore depends on the number of ns-proxy processes, the value of ProcessLife and the load on the proxy. The callback compares the current time with the time of the last check; if the interval is larger than LdapCheckUp, a sanity check is performed.

The interval is now a parameter, set through the LdapCheckUp variable in magnus.conf. Its default value is 30 seconds. Example:

LdapCheckUp 20 => This line in the magnus.conf file sets the interval to 20 seconds.

KeepAlive on Reverse Proxy does not work correctly. (4537319)

This fix enables you to establish persistent connections against a non-secure reverse proxy if the keep-alive feature is enabled in the Proxy and the client browser sends an http header indicating a persistent connection. This fix applies only to UNIX platforms.

Can't cache some URL's. (4562322)

Requests with an erroneous content-length header were not cached by the proxy (the error log showed messages such as "incomplete cache file removed for..."). This was a UNIX-specific problem (Win32 platforms were not affected).

LANG="ja" prevents log rotation. (4550628)

Proxy 3x/NT treats only last reverse mapping. (4539371)

This was a Win32 platform specific problem (UNIX platforms were not affected).

Unable to upload file size more than 4Mb under reverse proxy. (4538211)

Proxy was unable to upload (http method POST) a file bigger than 4 Mb using reverse proxy under SSL.

Note: Uploading files larger than 10Mb is not supported by iPlanet Web Proxy Server 3.6.

POST with enctype="multipart/form-data" fails sometimes. (4536787)

A problem existed when uploading files (http method POST) through proxy in secure mode from a WAN network. A new magnus.conf variable (NetBufferSize) has been incorporated in the magnus.conf file to control the network buffer size. This variable prevents the error log message "cannot buffer client data" from occurring. The syntax of the variable is as follows:

NetBufferSize 4096 => This line in the magnus.conf file indicates that the network buffer has been set to 4096 bytes. The maximum value is 100000 bytes. If NetBufferSize is set to higher than 100000 bytes, Proxy Server uses its maximum size (100000 bytes).

In addition, a problem was detected with certain versions of Microsoft IIS which returned a keep-alive header when the http request explicitly meant a non-persistent connection. To solve this problem (which indirectly affects proxy behavior) the following sample plugin can be used:

/*
 * Copyright %G% Sun Microsystems, Inc. All Rights Reserved
 */
#include "base/pblock.h"
#include "base/session.h"
#include "frame/req.h"
#include "frame/log.h"      /* log_error */

#ifndef XP_WIN32
#include <unistd.h>         /* sleep */
#define NSAPI_PUBLIC
#else /* XP_WIN32 */
#include <windows.h>
#define NSAPI_PUBLIC __declspec(dllexport)
#endif /* XP_WIN32 */

/* these strings are part of a hidden API in the proxy */
#define FILTER_SVR_HDR_STR "filter-srv-hdrs"
#define FILTER_ACT_STR     "filter-act"
#define FILTER_SUB_STR     "filter-sub"

char *hstr = FILTER_SVR_HDR_STR;
char *astr = FILTER_ACT_STR;
char *sstr = FILTER_SUB_STR;

/*
 * Filter function: stores an action in rq->vars that proxy-retrieve executes
 * when it processes the origin server's response headers. A "Connection:
 * Keep-Alive" header sent by the server is replaced with "Connection: close",
 * so a misbehaving IIS cannot promise a persistent connection the client
 * did not ask for.
 */
NSAPI_PUBLIC int replace_response_keep(pblock *pb, Session *sn, Request *rq)
{
    /* log_error(LOG_INFORM, "replace_response_keep", sn, rq, "KEEPALIVE"); */
    pblock_nvinsert(hstr, "Connection: Keep-Alive", rq->vars); /* header to match */
    pblock_nvinsert(astr, "replace", rq->vars);                 /* action */
    pblock_nvinsert(sstr, "Connection: close\r\n", rq->vars);   /* replacement */
    return REQ_NOACTION;
}

At configuration time, the following object must be added to the  obj.conf  file:

# Sun Microsystem - obj.conf
# You can edit this file, but comments and formatting changes
# might be lost when the admin server makes changes.

Init funcs="replace-response-keep" shlib="/usr/iplanet/suitespot/plugins/repl.so" fn="load-modules"

<Object name="default">
NameTrans fn="map" from="file:" to="ftp:" cont="yes"
....
Filter fn="replace-response-keep"
....
</Object>

For more information, see the iPlanet Web Proxy Server 3.6 Administrator's Guide.

3.5x->3.6 migration breaks ACL. (4551161)

Sagt process fails to respond. (4546947)

The SNMP sagt process in Proxy Server did not respond properly if the octet number of an interface was larger than 2^31. In addition, the sagt process sometimes crashed. This problem has been fixed for all supported platforms.

OULU encode test cause SNMP agent core dump. (4532320)

The c06-snmpv1-req-enc-pr1 test suite from OULU caused the Admin Server SNMP master agent magt to core dump. (For more information, see http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/0100.html).

Instability of SOCKS daemon. (4535931)

The SOCKS daemon stopped every time an attempt was made to load a large picture from the webserver through the proxy, when the client connected to the server through a modem line.

Failure: can't stat() cache partition. (4558738)

Proxy Server did not disable partitions or urldbgen databases when global caching was disabled within the proxy.

Web Proxy 3.6 (reg) - No performance object for the Proxy in win perf monitor. (4615444)

accon and accallow become very slow and unable to control ACL. (4639459)

This problem occurred only on the HP-UX platform. When setting approximately 40 ACL's with groups that had several unique members, the Proxy Admin Server was unable to control the ACL. The following error occurred: "Internal error: The administration server was unable to fulfill your request."

Error 7024 and authentication problem. (4539275)

When using the local LDAP database for users and groups within the proxy, an "Error 7024" sometimes appeared in the error log, followed by the error "password did not match directory". Clients were rejected (they could not go through the proxy) although the credentials they provided were correct. This was a file descriptor problem, a consequence of using the local database: the I/O functions fopen and open are limited by the maximum number of open file descriptors. To overcome this problem, check the current system limits (see the ulimit command).

After a new OS patch, the proxy server hangs. (4552944)

This was a SOLARIS-specific problem. After updating the OS from release 11 to release 26, Proxy Server hung during peak hours generating several defunct processes. This problem was a consequence of a bug in the Solaris OE libthread library. The problem is corrected by applying a Solaris OE patch (see iPlanet knowledge base (article 7531) and Sunsolve).

Proxy on NT permanently restarts. (4538284)

Limitations on the local LDAP Proxy database under heavy loads caused the proxy to restart frequently. To avoid this problem, it is highly recommended that you use an external directory server.

Default proxy timeout (4548270)

The Administrator's Guide and the Online help state that the default value of a Proxy timeout is 20 minutes. The correct value is 5 minutes.

Multiple calls in the icp.conf file (4559457)

The Administrator's Guide and the Online help state that multiple calls can be made to the "server" function via the icp.conf  file. This is true only for the following functions: add_parent, and add_sibling.

In the case of the "server" function, only the last call is taken into account. The server function stands for the configuration of the local proxy and there is only one.

Doc & Code differ to add header in the response (4539178)

The Administrator's Guide erroneously states that "the Request->srvhdrs parameter block is the set of HTTP headers for the server to send back. This parameter block can be modified by any function." This does not work. A Proxy retrieve is mono-block and completely opaque, so content adaptation is not possible. To add a header to the response, use the filter mechanisms (either pre-posted actions or a "pre-filter" forked process), or rewrite service_proxy_retrieve. Note: The only pre-posted filter actions supported by Proxy 3.x are replace, remove, and reject. There is no "add" action that can be used as a workaround. However, a workaround has been coded that enables a custom plugin to add a header in the response: the filter action API has been extended with an "add" action.

Document bug for Proxy Server Cache erase (4547222)

The iPlanet Web Proxy Server 3.6 Administrator's Guide provides the incorrect syntax for the following command:

cd proxy directory/cache

find s* -type f -exec rm {} \.;

This should be:

cd proxy directory/cache

find s* -type f -exec rm {} \;

On Windows platforms:

From a DOS prompt: cd <server_root>\cache

In addition, note the difference in the following command syntax:

del *. /s /p (--> will prompt for delete confirmation)

del *. /s /q (--> will not prompt for delete confirmation)
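The corrected UNIX command walks only the top-level cache directories whose names start with "s" and removes regular files beneath them. As an added example (not code from the release notes or the product), here is the same selection implemented in Python with a dry-run mode and a guard against running on a path that is not a directory, so the effect can be previewed before anything is deleted. The temporary sample tree built by build_sample_cache is constructed for the demonstration and does not reflect the real cache layout.

```python
import fnmatch
import os
import tempfile


def cache_files(cache_dir):
    """Yield regular files under the s* directories of cache_dir.

    Mirrors `find s* -type f` run inside the cache directory: only top-level
    entries matching s* are descended into, and only regular files (not
    directories, not symbolic links) are reported.
    """
    for entry in sorted(os.listdir(cache_dir)):
        top = os.path.join(cache_dir, entry)
        if not fnmatch.fnmatch(entry, "s*") or not os.path.isdir(top):
            continue
        for root, _dirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                if os.path.isfile(path) and not os.path.islink(path):
                    yield path


def purge_cache(cache_dir, dry_run=True):
    """Delete the cache files and return the list of paths affected.

    With dry_run=True nothing is removed; the returned list is the plan.
    Refuses anything that is not an existing directory so a mistyped path
    cannot redirect the walk elsewhere.
    """
    if not os.path.isdir(cache_dir):
        raise ValueError(f"not a directory: {cache_dir!r}")
    affected = []
    for path in cache_files(cache_dir):
        if not dry_run:
            os.remove(path)
        affected.append(path)
    return affected


def build_sample_cache():
    """Constructed sample cache tree (not real proxy data) for a trial run."""
    base = tempfile.mkdtemp(prefix="proxycache_")
    for section in ("s0", "s1"):
        sub = os.path.join(base, section, "0a")
        os.makedirs(sub)
        with open(os.path.join(sub, "entry.bin"), "wb") as f:
            f.write(b"constructed cached body")
    # A file outside the s* directories must be left untouched.
    os.makedirs(os.path.join(base, "tmp"))
    with open(os.path.join(base, "tmp", "keep.me"), "w") as f:
        f.write("not a cache file\n")
    return base


if __name__ == "__main__":
    sample = build_sample_cache()
    for p in purge_cache(sample, dry_run=True):
        print("would remove", p)
    print(len(purge_cache(sample, dry_run=False)), "files removed")
```

Stop the proxy before purging a live cache; the page's own instructions assume the server is not writing to the directory while the files are being removed.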

Issues Resolved in 3.6

iPlanet Web Proxy Server 3.6 includes fixes to the following known problems that occurred in earlier releases:

Proxy Server appends LF instead of CRLF to host header. (4588536)

Proxy Server was only adding LF (\n) to the end of the host header when it should have been adding CRLF (\r\n).
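Bare LF line endings in a header block are the kind of defect that downstream parsers disagree about, so a defender wants both a serializer that always emits CRLF and a checker that flags anything else. The following is an added example, not code from the release notes or the product; the field-name token and field-value rules it enforces are its own strict reading of the HTTP header grammar, and the sample header blocks are constructed.

```python
import re

CRLF = b"\r\n"

# Field names must be HTTP tokens; values may not contain CR, LF or NUL,
# which is what keeps a value from terminating its own line early.
_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_BAD_VALUE = re.compile(rb"[\r\n\x00]")


def serialize_headers(headers):
    """Serialize (name, value) byte pairs, each line CRLF-terminated.

    The block ends with the empty CRLF line. Every header, the Host header
    included, gets CRLF rather than a bare LF.
    """
    out = bytearray()
    for name, value in headers:
        if not _TOKEN.match(name) or _BAD_VALUE.search(value):
            raise ValueError(f"illegal header field: {name!r}: {value!r}")
        out += name + b": " + value + CRLF
    out += CRLF
    return bytes(out)


def check_line_endings(raw):
    """Return a list of (problem, offset) pairs found in a raw header block.

    Flags every LF not preceded by CR, every CR not followed by LF, and a
    block that does not end with the CRLF CRLF terminator.
    """
    problems = []
    for m in re.finditer(rb"\r(?!\n)|(?<!\r)\n", raw):
        kind = "bare CR" if raw[m.start():m.start() + 1] == b"\r" else "bare LF"
        problems.append((kind, m.start()))
    if not raw.endswith(CRLF + CRLF):
        problems.append(("missing CRLF CRLF terminator", len(raw)))
    return problems


def parse_headers(raw):
    """Parse a header block strictly into (name, value) pairs.

    Raises ValueError on any line-ending defect or malformed field rather
    than guessing, which is the safe behaviour for a proxy.
    """
    problems = check_line_endings(raw)
    if problems:
        raise ValueError(f"malformed header block: {problems}")
    body = raw[:-len(CRLF + CRLF)]
    if not body:
        return []
    headers = []
    for line in body.split(CRLF):
        name, sep, value = line.partition(b":")
        if not sep or not _TOKEN.match(name):
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name, value.strip(b" \t")))
    return headers


if __name__ == "__main__":
    block = serialize_headers([(b"Host", b"proxy.example.test"), (b"Connection", b"close")])
    print(block)
    print(check_line_endings(block.replace(b"\r\n", b"\n", 1)))
```

The checker reports byte offsets, which is convenient when the block under inspection came from a packet capture and needs to be matched against the raw bytes.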

Proxy Server does not establish a secure connection with sites. (4588536)

If the SSL server certificate used by CMS was signed with a key longer than 1024 bits, Proxy Server was unable to verify the SSL server certificate's digital signature.

Proxy Server does not load group attributes only to check existence. (4575103)

When Proxy Server starts, it checks that the groups used in the ACL exist. To do so, Proxy Server searches for the LDAP entry corresponding to each group. This search no longer returns all the group attribute values, because the values can be large for a group containing many members.

Proxy Server does not generate an error message when using "Unverified User from client". (4580723)

When going through Proxy Server to a site that requires authentication, the error "...remote-auth reports:missing parameter to remote-auth (need type)" is not shown in the error log when you check "Unverified User from client" under Server Status|Log Preferences|Only log.

Proxy Server remains bound to LDAP server on default DN. (4586796)

After each bind to the LDAP server for user authentication, Proxy Server makes sure that it binds again as the default DN. This prevents erroneous cases of authentication failure.

Proxy Server changes the case of additional characters, and as a result changes cookie content, when cookie text size is greater than 595 characters. (4572215)

Proxy Server cannot upload to root directory. (4608854)

It is now possible to upload a file to the root directory through Proxy Server.

Socks Server hangs. (4576106)

Socks Server no longer hangs when the administrator changes default settings to increase the number of worker threads or posted accepts.

Proxy Server on NT constantly restarts under heavy CPU load. (4579465)

Proxy Server on NT sends extra <CR><LF> in POST request. (4568138)

Proxy Server does not free 3 file descriptors at restart. (4561522)

The keep-alive HTTP header is taken into account by the CONNECT method. (4562943)

Socks Server crashes when requests require LDAP authentication. (4559696)

Socks Server cannot restart because bind to LDAP fails. (4540806)

Known Problems and Solutions

This section lists known problems with this release of Sun ONE Web Proxy Server 3.6 SP2. Information is organized into the following areas:

General

IE 6.0SP1 does not work as expected with ACL turned on if the proxy server is running on Windows (4798065).

If an ACL has been configured for a resource on the Windows platform, the authentication of a valid user fails during the first request.

Workaround

Refresh the page using the "Refresh" button of the IE browser. All subsequent requests from that browser instance will work.

Proxy restarts constantly when LDAP server not available. (4537829)

On the Windows platform, if you start the proxy server before the LDAP server is started, the proxy server will constantly stop and restart.

Workaround

Make sure that the LDAP server is up and running before you start the proxy server.

The restart-admin script does not work. (4763670)

The Administration Server cannot be restarted using the restart-admin script.

Workaround

Restart the Administration Server by first stopping it with the stop-admin command and then starting it again with the start-admin command.

Migration from earlier version of proxy to 3.6SP2 fails. (4766480)

If you migrate a proxy instance running on a previous version of the proxy server on which access control is enabled, to the Sun ONE Web Proxy Server 3.6 SP2 release, you might receive the following error message: "Expected entry in the ACL file not found."

Workaround

When you import a server from an earlier version, be sure to assign the same Server Identifier that was originally used to identify the server; otherwise you will experience problems with existing access control settings.

Traces in access logfile are not chronologically ordered. (4540631)

On the Windows platform, log file entries do not appear in chronological order.

Access control to log files on UNIX systems.

Workaround

Proxy access log files and error log files are regular UNIX files. These files belong to the UNIX user account that Proxy Server uses. If your log file content is highly confidential, use a dedicated UNIX user to run Proxy Server and set the proper permission mode to log files.

Change the log file permission mode to deny access to anybody but the owner:

$ chmod 600 access errors

$ ls -l access errors

-rw-------   1 <owner><group>      327 Apr  9 15:10 access

-rw-------   1 <owner><group>      258 Apr  9 16:29 errors
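Setting mode 600 once is not enough if log rotation or a later edit loosens it, so the check is worth scripting. The following is an added example, not code from the release notes or the product, that audits the access and errors files for the conditions the workaround describes: a regular file (not a symbolic link), owned by the account the proxy runs as, with no group or other permission bits. The sample directory built by build_sample_logs is constructed for the demonstration; the expected owner is passed in by the caller.

```python
import os
import stat
import tempfile

GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO


def audit_log_file(path, expected_uid=None):
    """Return a list of findings for one log file; an empty list means it passes.

    lstat() is used so a symbolic link planted in the log directory is
    reported instead of being followed to whatever it points at.
    """
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        findings.append("is a symbolic link")
        return findings
    if not stat.S_ISREG(st.st_mode):
        findings.append("is not a regular file")
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & GROUP_OR_OTHER:
        findings.append(f"mode {mode:04o} grants group/other access; want 0600")
    return findings


def audit_log_dir(log_dir, names=("access", "errors"), expected_uid=None):
    """Audit the named log files under log_dir and return {name: findings}.

    Files that do not exist are skipped, so a server that has not yet
    written an errors file does not produce a spurious finding.
    """
    results = {}
    for name in names:
        path = os.path.join(log_dir, name)
        if os.path.lexists(path):
            results[name] = audit_log_file(path, expected_uid)
    return results


def build_sample_logs():
    """Constructed sample log directory: one correctly restricted file, one lax."""
    d = tempfile.mkdtemp(prefix="proxylogs_")
    with open(os.path.join(d, "access"), "w") as f:
        f.write("constructed access log line\n")
    with open(os.path.join(d, "errors"), "w") as f:
        f.write("constructed error log line\n")
    os.chmod(os.path.join(d, "access"), 0o600)
    os.chmod(os.path.join(d, "errors"), 0o644)
    return d


if __name__ == "__main__":
    sample = build_sample_logs()
    for name, findings in audit_log_dir(sample, expected_uid=os.getuid()).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Pointing audit_log_dir at the real log directory with expected_uid set to the proxy account's uid (from the pwd module or the id command) turns this into a check that can run from cron after each rotation.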

How to Report Problems

If you have problems with Sun ONE Proxy Server, contact customer support at the following location:

So that we can best assist you in resolving problems, please have the following information available when you contact support:

  • Description of the problem, including the situation where the problem occurs and its impact on your operation
  • Machine type, operating system version, and product version, including any patches and other software that might be affecting the problem
  • Detailed steps on the methods you have used to reproduce the problem
  • Any error logs or core dumps

For More Information

For more information on Sun ONE Web Proxy Server, refer to the following documentation:

Further information can be found at the following Internet locations:



Copyright 2002 Sun Microsystems, Inc. All rights reserved.