This chapter describes how to:
Modify choices that were made during the installation procedure
Modify files for special circumstances
Stop and restart the i-Planet gateway's reverse proxy
Stop and restart the i-Planet server's web server
Find and install certificates from a certificate authority
If, after you have installed the i-Planet software, you want to add, delete or change subdomains on your network, you must edit the file /opt/SUNWsnrp/config/HTMLTranslator.config on the i-Planet gateway.
As root, add the new domain or domains to (or delete the domain or domains from) the line Domains=Eng in the file /opt/SUNWsnrp/config/HTMLTranslator.config on the i-Planet gateway. Use the vertical line (or pipe) (|) character to separate the subdomains.
For example, if you defined the eng subdomain during installation and you now want to include the corp domain, add |corp to the line Domains=eng. The name for the subdomain is not case sensitive.
The file should now look like the following:
Host=https://i-Planet_server.eng.company.com/
Domains=Eng|corp
...
Stop and restart the reverse proxy on the i-Planet gateway for the change to take effect.
See the procedure "To Stop and Restart the Reverse Proxy Server on the i-Planet Gateway" in this chapter.
You can add a web proxy after you have installed the i-Planet software. You also can fine tune the web proxy.
You must stop and restart the reverse proxy on the i-Planet gateway for the change to take effect. See the procedure "To Stop and Restart the Reverse Proxy Server on the i-Planet Gateway" in this chapter.
If you opted not to define a web proxy during the installation procedure, you can add one by the following procedure.
As root, on the i-Planet gateway, modify the file /opt/SUNWsnrp/config/ReverseProxy.config so that the line Proxy= reads Proxy=fully_qualified_name_of_web_proxy_machine:port_number, if the port number is required.
You can also use this procedure to change the web proxy. For example, if you want to use webproxy2.corp.company.com as the web proxy and you want to change the port from 8000 to 8080, change the line Proxy= in the file /opt/SUNWsnrp/config/ReverseProxy.config to Proxy=webproxy2.corp.company.com:8080.
The line in the file should now look like the following:
Proxy=webproxy2.corp.company.com:8080
If you have installed a web proxy either during installation or after installation, you can fine tune the web proxy by modifying the file /opt/SUNWsnrp/config/ReverseProxy.config and the files /etc/opt/SUNWstnr/gateway/UseWebProxyURL.conf and /etc/opt/SUNWstnr/gateway/DontUseWebProxyURL.conf. This permits you to specify:
URLs that must be passed to the web proxy.
URLs that are not to be passed to the web proxy.
If the line Proxy= does not contain a web proxy, no web proxy is used, no matter what value is set for UseProxy=. If a web proxy is specified in the line Proxy=, then that web proxy is used or not, depending on the value, true or false, to which you have set the line UseProxy=:
true means that you want to use the web proxy for any URL, except for those listed in the file DontUseWebProxyURL.conf.
If you want a URL to be passed to the web proxy, the request header is checked against the entries in the DontUseWebProxyURL.conf file. If it matches, the request is not passed to the web proxy. If it does not match any of the entries, it is passed to the web proxy.
false means that you do not want to use the web proxy for any URL, except for those listed in the file UseWebProxyURL.conf.
If you do not want a URL to be passed to the web proxy, the request header is checked against the entries in the UseWebProxyURL.conf file. If it matches, the request is passed to the web proxy. If it does not match any of the entries, it is not passed to the web proxy.
Use the following procedure to tune the web proxy and to set which URLs must pass through the web proxy and which do not.
As root, on the i-Planet gateway, modify the ReverseProxy.config file in the directory /opt/SUNWsnrp/config so that the line reads UseProxy=true if you want to use the web proxy for all URLs, or UseProxy=false if you do not want to use the web proxy for all URLs.
As root, on the i-Planet gateway, type the URLs for which you want to use the web proxy in the file /etc/opt/SUNWstnr/gateway/UseWebProxyURL.conf.
The form for the URLs is http://hostname:port_number, where the hostname and port_number must match the name of the host and the port number where it is used in any other file or in the Administration Console.
As root, on the i-Planet gateway, type the URLs for which you do not want to use the web proxy in the file /etc/opt/SUNWstnr/gateway/DontUseWebProxyURL.conf.
The form for the URLs is http://hostname:port_number, where the hostname and port_number must match the name of the host and the port number where it is used in any other file or in the Administration Console.
Stop and restart the reverse proxy on the i-Planet gateway for the change to take effect.
See the procedure "To Stop and Restart the Reverse Proxy Server on the i-Planet Gateway" in this chapter.
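The interaction of Proxy=, UseProxy= and the two URL lists described above can be checked with a small model before you edit the files. This is an added example, not i-Planet code; it assumes the list files hold one URL per line and that entries are compared on scheme, host and port, and the host names in the sample lists are constructed.

```python
from urllib.parse import urlsplit

def origin(url):
    """Reduce a URL to (scheme, host, port).
    Assumption: a missing port means the default port for the scheme."""
    parts = urlsplit(url.strip())
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), port)

def read_url_list(text):
    """Parse the body of UseWebProxyURL.conf or DontUseWebProxyURL.conf.
    Assumption: one http://hostname:port_number entry per line."""
    return {origin(line) for line in text.splitlines() if line.strip()}

def uses_web_proxy(url, proxy, use_proxy, use_list, dont_use_list):
    """Return True when a request for url would be passed to the web proxy."""
    if not proxy.strip():
        # No web proxy in Proxy=: none is used, whatever UseProxy= says.
        return False
    target = origin(url)
    if use_proxy:
        # UseProxy=true: proxy everything except DontUseWebProxyURL.conf entries.
        return target not in dont_use_list
    # UseProxy=false: proxy nothing except UseWebProxyURL.conf entries.
    return target in use_list

# Constructed sample lists (host names are invented for the demonstration).
USE_LIST = read_url_list("http://partner.example.com:80\n")
DONT_USE_LIST = read_url_list(
    "http://intranet.eng.company.com:80\n"
    "http://hr.corp.company.com:8080\n"
)
PROXY = "webproxy2.corp.company.com:8080"

if __name__ == "__main__":
    for flag in (True, False):
        for url in ("http://intranet.eng.company.com/index.html",
                    "http://partner.example.com/catalog",
                    "http://www.example.org/"):
            print(flag, url, uses_web_proxy(url, PROXY, flag, USE_LIST, DONT_USE_LIST))
```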
If you modify any of the configuration files manually, you must restart the i-Planet gateway's reverse proxy server for it to recognize the changes. It is generally a good idea to first stop the reverse proxy, to ensure that it is not running, then to restart the reverse proxy.
Restarting the reverse proxy on the i-Planet gateway should not affect an application that is not using a Netlet, other than for the time it takes to restart the reverse proxy server on the i-Planet gateway. Any connection through the Netlet will be lost when you restart the reverse proxy server.
If you have to reboot the i-Planet gateway, the reverse proxy server will start automatically.
As root on the i-Planet gateway, stop and restart the reverse proxy server:
# /opt/SUNWsnrp/bin/iplanet_gw stop
# /opt/SUNWsnrp/bin/iplanet_gw start
Within HTML files, URLs can exist anywhere in JavaScript(TM). The URL rewriter must be able to open the page to which the URLs in the JavaScript statements refer. For the Java rewriter to be able to do this, you must modify the file /opt/SUNWsnrp/config/HTMLTranslator.config on the i-Planet gateway.
As root on the i-Planet gateway, add the following lines to the file /opt/SUNWsnrp/config/HTMLTranslator.config:
JavaScriptRewrite=openNewWindow:y|parent.openNewWindow:y
JavaScriptVariables=location.href|_fr.location|mf.location\
|parent.location|self.location
The JavaScriptRewrite variable is set equal to the function openNewWindow or parent.openNewWindow, with its flag set to y. Functions have the form func1:y, ,y, where func1 is the name of the function, the colon separates the name from the flags, and the flags are separated by commas. A flag is an instruction to translate the corresponding argument or not.
The statement JavaScriptRewrite=func1:y, ,y|func2:,y,y means that if the URL rewriter finds func1 or func2 in an HTML page, it will rewrite the call according to the flags set for the arguments to that function. If it finds func1, it will rewrite the first and third arguments because the flags for those arguments are set to y for yes, but not the second argument. If it finds func2, it will rewrite the second and third arguments because the flags for those arguments are set to y for yes, but not the first argument.
The URL rewriter sets the JavaScriptVariables listed equal to the values for these variables that it finds in the JavaScript in an HTML page.
For example, suppose the variable JavaScriptVariables is set so that the line in the file reads JavaScriptVariables=location.href|_sr.href and an HTML page contains the following JavaScript:
<script language=javascript>
loc = "/cgi-bin/aaa.cgi";
location.href = "/cgi-bin/bbb.cgi";
</script>
The URL rewriter looks through the JavaScript for the variables location.href and _sr.href. It finds a match for location.href, and it does not find a match for the variable loc (because the variable loc does not appear in the JavaScriptVariables statement). It also does not find a match for _sr.href.
The URL rewriter then sets the value of location.href equal to "/cgi-bin/bbb.cgi", and the HTML page becomes:
<script language=javascript>
loc = "/cgi-bin/aaa.cgi";
location.href = "https://i-Planet_gateway/http://destination_host/cgi-bin/bbb.cgi";
</script>
The variable loc remains unchanged since there are no instructions in the JavaScriptVariables statement for rewriting it.
Stop and restart the reverse proxy on the i-Planet gateway for the change to take effect.
See the procedure "To Stop and Restart the Reverse Proxy Server on the i-Planet Gateway" in this chapter.
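To see what a given JavaScriptRewrite or JavaScriptVariables line would and would not rewrite, the rules above can be modelled in a few lines. This is an added example, not the i-Planet rewriter; the regular-expression matching, the handling of string literals only, and the resolution of relative paths against destination_host are assumptions made for the illustration.

```python
import re

GATEWAY = "https://i-Planet_gateway/"   # gateway prefix as written on the page
DEST = "http://destination_host"        # placeholder origin of the page being rewritten

def parse_rewrite_spec(value):
    """'func1:y, ,y|func2:,y,y' -> {'func1': [True, False, True], 'func2': [...]}"""
    spec = {}
    for entry in value.split("|"):
        name, _, flags = entry.partition(":")
        if name.strip():
            spec[name.strip()] = [f.strip().lower() == "y" for f in flags.split(",")]
    return spec

def through_gateway(url):
    """Make the URL absolute against DEST (assumption), then prefix the gateway."""
    return GATEWAY + (url if "://" in url else DEST + url)

def rewrite_variables(script, variables):
    """Rewrite string literals assigned to names listed in JavaScriptVariables."""
    names = "|".join(re.escape(v.strip()) for v in variables.split("|"))
    pattern = re.compile(r'(?<![\w.])(' + names + r')(\s*=\s*)"([^"]*)"')
    return pattern.sub(
        lambda m: m.group(1) + m.group(2) + '"' + through_gateway(m.group(3)) + '"',
        script)

def rewrite_calls(script, spec):
    """Rewrite only the arguments whose flag is y, for functions named in the spec."""
    def fix(match):
        flags = spec[match.group(1)]
        # Simplification: arguments are split on commas, so a literal must not contain one.
        args = [a.strip() for a in match.group(2).split(",")]
        for i, arg in enumerate(args):
            flagged = i < len(flags) and flags[i]
            if flagged and len(arg) >= 2 and arg[0] == arg[-1] == '"':
                args[i] = '"' + through_gateway(arg[1:-1]) + '"'
        return match.group(1) + "(" + ", ".join(args) + ")"
    # Longest names first so parent.openNewWindow wins over openNewWindow.
    names = "|".join(re.escape(n) for n in sorted(spec, key=len, reverse=True))
    return re.sub(r'(?<![\w.])(' + names + r')\(([^()]*)\)', fix, script)

# The script from the page, plus a constructed call to the page's func1.
PAGE_SCRIPT = 'loc = "/cgi-bin/aaa.cgi"; location.href = "/cgi-bin/bbb.cgi";'
CALL = 'func1("/a.html", "menubar=no", "/b.html")'

if __name__ == "__main__":
    print(rewrite_variables(PAGE_SCRIPT, "location.href|_sr.href"))
    print(rewrite_calls(CALL, parse_rewrite_spec("func1:y, ,y|func2:,y,y")))
```

Any URL assigned through a variable or function that is not listed, such as loc here, reaches the browser unrewritten.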
You can enable or disable UNIX login for the end user to the i-Planet Desktop on the i-Planet gateway.
As root on the i-Planet gateway, type the following command to enable the end user to use UNIX to log in to the i-Planet Desktop.
# /opt/SUNWsnrp/bin/iplanet_gw unix on
Stop and restart the reverse proxy on the i-Planet gateway for the changes to take place.
See the procedure "To Stop and Restart the Reverse Proxy Server on the i-Planet Gateway" in this chapter.
As root on the i-Planet server, type the following command to enable the end user to use UNIX to log in to the i-Planet Desktop.
# /opt/SUNWjeev/bin/iplanet_serv unix on
Stop and start the web server on the i-Planet server.
See the procedure "To Stop and Restart the Web Server on the i-Planet Server" in this chapter.
As root, type the following command on the i-Planet gateway to disable UNIX login.
# /opt/SUNWsnrp/bin/iplanet_gw unix off
Stop and restart the reverse proxy on the i-Planet gateway for the changes to take place.
See the procedure "To Stop and Restart the Reverse Proxy Server on the i-Planet Gateway" in this chapter.
As root on the i-Planet server, type the following command to prevent the end user from using UNIX to log in to the i-Planet Desktop.
# /opt/SUNWjeev/bin/iplanet_serv unix off
Stop and start the web server on the i-Planet server.
See the procedure "To Stop and Restart the Web Server on the i-Planet Server" in this chapter.
Use the following procedure to enable users to administer i-Planet through the Administration Console.
If a regular user has not previously logged into the i-Planet Desktop and you want to enable a regular user to run the Administration Console, as root on the i-Planet server, change to the directory profiles and copy the file root to the name of the new user:
# cd /opt/SUNWjeev/profiles
# cp root new-user
Edit the file for the new user and replace the lines:
role=web with role=web admin
session.uid=root with session.uid=new-user.
The file for the new user should now look like the following:
role=web admin
user.url=http://fully_qualified_server_host_name:8080/\
servlet/SNDesktop?template=user_login
session.uid=new-user
If the user has logged in, as root on the i-Planet server, edit the file for the user in /opt/SUNWjeev/profiles and add admin to the line role=web.
The file for the user should now look like the following:
role=web admin
user.url=http://fully_qualified_i-Planet_server_host_name:8080/\
servlet/SNDesktop?template=user_login
session.uid=new-user
If users want to run the Administration Console from outside the i-Planet gateway or firewall or both, they must have admin privileges. They must either log in as root or log in as a regular user with the admin role.
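Because the admin role is granted by hand-editing profile files, it is worth listing periodically which profiles carry it and whether a file copied from root had its session.uid line edited. The following is an added example, not part of i-Planet; it assumes the key=value layout with backslash continuation shown above, and the user names and host name in the sample are constructed.

```python
import os
import tempfile

def read_profile(path):
    """Parse key=value lines; a trailing backslash continues the value on the next line."""
    props, pending = {}, ""
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = pending + raw.strip()
            if line.endswith("\\"):
                pending = line[:-1]
                continue
            pending = ""
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props

def audit_profiles(directory):
    """Return (admins, mismatched): profiles whose role line includes admin, and
    profiles whose session.uid differs from the file name (edit step skipped)."""
    admins, mismatched = [], []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        props = read_profile(path)
        if "admin" in props.get("role", "").split():
            admins.append(name)
        if props.get("session.uid") != name:
            mismatched.append(name)
    return admins, mismatched

# Constructed sample profiles: user names and host name are invented for the demo.
URL = "user.url=http://server.eng.company.com:8080/\\\nservlet/SNDesktop?template=user_login\n"
SAMPLE = {
    "alice": "role=web admin\n" + URL + "session.uid=alice\n",
    "bob": "role=web\n" + URL + "session.uid=bob\n",
    "carol": "role=web admin\n" + URL + "session.uid=root\n",  # copied from root, uid not edited
}

def audit_sample():
    """Write SAMPLE into a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as directory:
        for name, body in SAMPLE.items():
            with open(os.path.join(directory, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit_profiles(directory)

if __name__ == "__main__":
    admins, mismatched = audit_sample()
    print("admin role:", admins)
    print("session.uid does not match file name:", mismatched)
```

On a real server, call audit_profiles on a copy of /opt/SUNWjeev/profiles.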
The web server is located on the i-Planet server.
You must restart the web server manually after the i-Planet server fails. You must also restart the web server manually, if it fails.
You restart the web server with the following procedure:
As root on the i-Planet server, type the following to restart the web server:
# /opt/SUNWjeev/bin/iplanet_serv start
If you make any changes, whether through the Administration Console or by editing files, you must stop and restart the web server on the i-Planet server before the changes will take effect.
If you have to reboot the i-Planet server, the web server will start automatically.
As root on the i-Planet server, type the following to stop and restart the web server:
# /opt/SUNWjeev/bin/iplanet_serv stop
# /opt/SUNWjeev/bin/iplanet_serv start
End users must start their session over because all the session information is contained in the i-Planet server. No warning message is sent to the end users.
This section provides information on tuning the web server for more efficient operation within the operating environment.
As root, you can:
Add these settings to the file containing the shell script in /etc/rc3.d for settings like these
Create a new file for these settings in /etc/rc3.d
The shell script in this file should run before the shell script in file S42rp, which contains the script that starts the Java Web Server(TM).
The following TCP/IP settings have been identified as beneficial to servers running web servers.
ndd -set /dev/tcp tcp_close_wait_interval 45000
ndd -set /dev/tcp tcp_mss_max 6000
ndd -set /dev/tcp tcp_fin_wait_2_flush_interval 16000
ndd -set /dev/ip ip_path_mtu_discovery 0
ndd -set /dev/tcp tcp_conn_req_max_q 1024
ndd -set /dev/tcp tcp_conn_req_max_q0 1024
ndd -set /dev/tcp tcp_conn_req_min 1
ndd -set /dev/tcp tcp_xmit_hiwat 65535
ndd -set /dev/tcp tcp_recv_hiwat 65535
ndd -set /dev/tcp tcp_cwnd_max 65534
ndd -set /dev/tcp tcp_keepalive_interval 90000
ndd -set /dev/tcp tcp_ip_abort_interval 60000
ndd -set /dev/tcp tcp_ip_abort_cinterval 60000
ndd -set /dev/tcp tcp_rexmit_interval_initial 3000
ndd -set /dev/tcp tcp_rexmit_interval_min 3000
ndd -set /dev/tcp tcp_rexmit_interval_max 10000
ndd -set /dev/tcp tcp_conn_grace_period 500
ndd -set /dev/ip ip_ignore_redirect 1
ndd -set /dev/tcp tcp_slow_start_initial 2
It should be unnecessary to administer the Java Web Server through the Java Web Server Administration tool. But should it be necessary, use the following procedure to enable the password and log in to the Java Web Server.
The default login for the Java Web Server Administration tool is admin. The default password, admin, is disabled when the Java Web Server is installed.
If you need to run the Java Web Server Administration tool, you must:
Enable the default password
Run the administration tool
Change the password for reasons of security
Do not use the Java Web Server Administration tool to start and stop the Java Web Server. Use the command in the procedure below or in the procedure "To Stop and Restart the Web Server on the i-Planet Server" in this chapter.
Enable the default password for the Java Web Server Administration tool:
# cp /opt/SUNWjeev/realms/data/defaultRealm/keyfile \
/opt/SUNWjeev/realms/data/adminRealm/keyfile
Stop and restart the web server on the i-Planet server.
For information on stopping and restarting the web server, see the procedure "To Stop and Restart the Web Server on the i-Planet Server" in this chapter.
The default login is admin and the default password is admin. This is a security risk. Please log in to the Java Web Server Administration tool and change the password.
In a browser, type the following URL to run the Java Web Server Administration tool:
http://i-Planet_server:9090/
Port 9090 is the administration port for the Java Web Server.
You can edit the netfile.denyhosts field in the /etc/opt/SUNWstnr/platform.conf file to deny end users access to hosts such as the i-Planet gateway. You do this by editing the platform.conf file on the i-Planet server. You cannot do this using the Administration Console.
If end users try to add a machine whose IP address is one of those in the netfile.denyhosts field, they will receive an error message and they will not be allowed access to that machine.
NetFile always denies access to the host on which it is running. NetFile gets this address itself. You do not need to add its address to the platform.conf file manually.
Add the IP addresses of the machines to which you want to deny access in the netfile.denyhosts field of the /etc/opt/SUNWstnr/platform.conf file on the i-Planet server, for example:
netfile.denyhosts=129.123.1.1 123.123.1.2
Separate the addresses in this field by spaces. Use the form in the example.
i-Planet requires that the number of end users in the file /opt/SUNWjeev/profiles be equal to or less than the number of Right To Use (RTU) tokens that is available under your licensing agreement. You can remove end users who are no longer with your company, but you cannot have more users than your allotted RTUs. If you have more names in the profile file, no one will be able to log in.
If the license server should stop or if you stop the license server, end users will not be able to log into the i-Planet Desktop until it is started.
If the i-Planet server should go down, the license server should automatically start at reboot. If the license server does not automatically start up, use the following commands to stop and start the license server. In the unlikely event that your end users receive an error message that they cannot log in, it may be that you must restart the license server.
As root, on the i-Planet server, stop and start the license server:
# /etc/rc2.d/S85lmgrd stop
# /etc/rc2.d/S85lmgrd start
Stop and restart the web server on the i-Planet server.
For information on stopping and restarting the web server, see the procedure "To Stop and Restart the Web Server on the i-Planet Server" in this chapter.
i-Planet works with Netscape and Internet Explorer. This section contains information about using these browsers.
This section contains information on tuning various versions of Netscape browsers.
When using Netscape 4.05 with the Solaris 2.6 Operating Environment, the warnings that you get when Java windows come up appear whenever you start a new window.
To prevent this behavior, use the following procedure to create the file.
Create a file called .Xdefaults in your home directory.
Put the following lines in this file:
Netscape.useStderrDialog: false
Netscape.useStdoutDialog: false
To prevent this behavior, follow the procedure below, if the file .Xdefaults already exists in your home directory.
If this file already exists in your home directory, add the lines:
Netscape.useStderrDialog: false
Netscape.useStdoutDialog: false
For all versions of Netscape, the preferences must be set to accept all cookies. Use the following procedure to do this.
Start Netscape.
From the Edit menu, choose Preferences.
On the Category frame of the Netscape: Preferences window, click Advanced.
On the Cookies panel of the Advanced Change preferences that affect the entire product, click the radio button before "accept all cookies."
Click OK at the bottom of the Netscape: Preferences window.
The amount of space available for tmp/ files on the server determines the size of files that end users can download or have access to.
If end users look at sensitive or classified documents through Internet Explorer, they must be sure to exit the browser when they have finished. Copies of all files that they have looked at are stored on the computer that they are using until they close all Internet Explorer windows.