i-Planet Administration Guide

Chapter 3 Other Administrative Tasks

This chapter describes how to:

Subdomains

If, after you have installed the i-Planet software, you want to add, delete or change subdomains on your network, you must edit the file /opt/SUNWsnrp/config/HTMLTranslator.config on the i-Planet gateway.

To Add a Subdomain or Subdomains
  1. As root, add the new domain or domains to (or delete the domain or domains from) the line Domains=Eng in the file /opt/SUNWsnrp/config/HTMLTranslator.config on the i-Planet gateway. Use the vertical line (or pipe) (|) character to separate the subdomains.

    For example, if you defined the eng subdomain during installation and you now want to include the corp domain, add |corp to the line Domains=eng. The name for the subdomain is not case sensitive.

    The file should now look like the following:


    Host=https://i-Planet_server.eng.company.com/
    Domains=Eng|corp
    ...

  2. Stop and restart the reverse proxy on the i-Planet gateway for the change to take effect.

    See the procedure "To Stop and Restart the Reverse Proxy Server on the i-Planet Gateway" in this chapter.

Web Proxy

You can add a web proxy after you have installed the i-Planet software. You also can fine tune the web proxy.

You must stop and restart the reverse proxy on the i-Planet gateway for the change to take effect. See the procedure "To Stop and Restart the Reverse Proxy Server on the i-Planet Gateway" in this chapter.

Adding a Web Proxy

If you opted not to define a web proxy during the installation procedure, you can add one by the following procedure.

To Add a Web Proxy
  1. As root, on the i-Planet gateway, modify the file /opt/SUNWsnrp/config/ReverseProxy.config so that the line Proxy= reads Proxy=fully_qualified_name_of_web_proxy_machine:port_number, if the port number is required.

You can also use this procedure to change the web proxy. For example, if you want to use webproxy2.corp.company.com as the web proxy and change the port from 8000 to 8080, change the line Proxy= in the file /opt/SUNWsnrp/config/ReverseProxy.config to Proxy=webproxy2.corp.company.com:8080.

The line in the file should now look like the following:


Proxy=webproxy2.corp.company.com:8080

Fine Tuning the Web Proxy

If you have installed a web proxy, either during installation or afterward, you can fine tune the web proxy by modifying the file /opt/SUNWsnrp/config/ReverseProxy.config and the files /etc/opt/SUNWstnr/gateway/UseWebProxyURL.conf and /etc/opt/SUNWstnr/gateway/DontUseWebProxyURL.conf. This permits you to specify:

If the line Proxy= does not contain a web proxy, no web proxy is used, no matter what value is set for UseProxy=. If a web proxy is specified in the line Proxy=, then that web proxy is used or not, depending on the value, true or false, to which you have set the line UseProxy=:

If you want a URL to be passed to the web proxy, the request header is checked against the entries in the DontUseWebProxyURL.conf file. If it matches, the request is not passed to the web proxy. If it does not match any of the entries, it is passed to the web proxy.

If you do not want a URL to be passed to the web proxy, the request header is checked against the entries in the UseWebProxyURL.conf file. If it matches, the request is passed to the web proxy. If it does not match any of the entries, it is not passed to the web proxy.

Use the following procedure to tune the web proxy and to set which URLs must pass through the web proxy and which do not.

To Tune the Web Proxy
  1. As root, on the i-Planet gateway, modify the ReverseProxy.config file in the directory /opt/SUNWsnrp/config so that the line UseProxy= reads UseProxy=true if you want to use the web proxy for all URLs, or UseProxy=false if you do not want to use the web proxy for all URLs.

  2. As root, on the i-Planet gateway, type the URLs for which you want to use the web proxy in the file /etc/opt/SUNWstnr/gateway/UseWebProxyURL.conf.

    The form for the URLs is http://hostname:port_number, where the hostname and port_number must match the name of the host and the port number where it is used in any other file or in the Administration Console.

  3. As root, on the i-Planet gateway, type the URLs for which you do not want to use the web proxy in the file /etc/opt/SUNWstnr/gateway/DontUseWebProxyURL.conf.

    The form for the URLs is http://hostname:port_number, where the hostname and port_number must match the name of the host and the port number where it is used in any other file or in Administration Console.

  4. Stop and restart the reverse proxy on the i-Planet gateway for the change to take effect.

    See the procedure "To Stop and Restart the Reverse Proxy Server on the i-Planet Gateway" in this chapter.
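The routing decision that the Proxy=, UseProxy= and the two URL list files produce can be modelled as follows. This is an added example, not i-Planet code: it assumes one URL per line in the list files, an exact match on scheme, host and port, and that the DontUseWebProxyURL.conf check applies when UseProxy=true and the UseWebProxyURL.conf check when UseProxy=false; the host names are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample contents; host names are illustrative only.
REVERSE_PROXY_CONFIG = "Proxy=webproxy2.corp.company.com:8080\nUseProxy=true\n"
DONT_USE = "http://intranet.eng.company.com:80\n"   # DontUseWebProxyURL.conf
USE = "http://partner.example.com:8000\n"           # UseWebProxyURL.conf


def parse_config(text):
    """Parse key=value lines as shown for ReverseProxy.config."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def origin(url):
    """Reduce a URL to the http://hostname:port_number form of the list files."""
    parts = urlsplit(url.strip())
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return f"{parts.scheme}://{(parts.hostname or '').lower()}:{port}"


def load_entries(text):
    """One URL per line is assumed; blank lines are skipped."""
    return {origin(line) for line in text.splitlines() if line.strip()}


def uses_web_proxy(url, settings, use_list, dont_use_list):
    """Return True when the request for url would be passed to the web proxy."""
    if not settings.get("Proxy", ""):
        return False  # no web proxy named: the UseProxy= value is irrelevant
    if settings.get("UseProxy") == "true":
        # Proxy by default; DontUseWebProxyURL.conf lists the exceptions.
        return origin(url) not in dont_use_list
    # Direct by default; UseWebProxyURL.conf lists the exceptions.
    return origin(url) in use_list


if __name__ == "__main__":
    cfg = parse_config(REVERSE_PROXY_CONFIG)
    use, dont = load_entries(USE), load_entries(DONT_USE)
    for target in ("http://www.example.org/", "http://intranet.eng.company.com/a.html"):
        print(target, uses_web_proxy(target, cfg, use, dont))
```

Running a list of internal and external URLs through such a model before restarting the reverse proxy shows which requests would leave through the web proxy and which would go direct.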

Stopping and Restarting the i-Planet Gateway's Reverse Proxy Server

If you modify any of the configuration files manually, you must restart the i-Planet gateway's reverse proxy server for it to recognize the changes. It is generally a good idea to first stop the reverse proxy, to ensure that it is not running, then to restart the reverse proxy.


Note -

Restarting the reverse proxy on the i-Planet gateway should not affect an application that is not using a Netlet, other than for the time it takes to restart the reverse proxy server on the i-Planet gateway. Any connection through the Netlet will be lost when you restart the reverse proxy server.


If you have to reboot the i-Planet gateway, the reverse proxy server will start automatically.

To Stop and Restart the Reverse Proxy Server on the i-Planet Gateway
  1. As root on the i-Planet gateway, stop and restart the reverse proxy server:


    # /opt/SUNWsnrp/bin/iplanet_gw stop
    # /opt/SUNWsnrp/bin/iplanet_gw start
    

URL Rewriting for HTML Files

Within HTML files, URLs can exist anywhere in JavaScriptTM. The URL rewriter must be able to open the page to which the URLs in the JavaScript statements refer. For the Java rewriter to be able to do this, you must modify the file /opt/SUNWsnrp/config/HTMLTranslator.config on the i-Planet gateway.

To Modify the File HTMLTranslator.config
  1. As root on the i-Planet gateway, add the following lines to the file /opt/SUNWsnrp/config/HTMLTranslator.config:


    JavaScriptRewrite=openNewWindow:y|parent.openNewWindow:y
    JavaScriptVariables=location.href|_fr.location|mf.location\
    |parent.location|self.location
    

    The JavaScriptRewrite variable is set equal to the function openNewWindow or parent.openNewWindow, with its flag set to y. Functions have the form func1:y, ,y, where func1 is the name of the function, the colon separates the name from the flags, and the flags are separated by commas. A flag is an instruction to translate a corresponding argument or not.

    The statement JavaScriptRewrite=func1:y, ,y|func2:,y,y means that if the URL rewriter finds func1 or func2 in an HTML page, it will rewrite it according to the flags set for the arguments to that function. If it finds func1, it will rewrite the first and third arguments because the flags for those arguments are set to y for yes, but not the second argument. If it finds func2, it will rewrite the second and third arguments because the flags for those arguments are set to y for yes, but not the first argument.

    The URL rewriter sets the JavaScriptVariables listed equal to the values for these variables that it finds in the JavaScript in an HTML page.

    For example, suppose the variable JavaScriptVariables is set so that the line in the file reads JavaScriptVariables=location.href|_sr.href and an HTML page contains the following JavaScript:

    <script language=javascript> loc = "/cgi-bin/aaa.cgi"; location.href = "/cgi-bin/bbb.cgi";</script>

    The URL rewriter looks through the JavaScript for the variables location.href and _sr.href. It finds a match for location.href, and it does not find a match for the variable loc (because the variable loc does not appear in the JavaScriptVariables statement). It also does not find a match for _sr.href.

    The URL rewriter then rewrites the value of location.href, "/cgi-bin/bbb.cgi", and the HTML page becomes:

    <script language=javascript> loc = "/cgi-bin/aaa.cgi"; location.href = "https://i-Planet_gateway/http://destination_host/cgi-bin/bbb.cgi";</script>

    The variable loc remains unchanged since there are no instructions in the JavaScriptVariables statement for rewriting it.

  2. Stop and restart the reverse proxy on the i-Planet gateway for the change to take effect.

    See the procedure "To Stop and Restart the Reverse Proxy Server on the i-Planet Gateway" in this chapter.
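The flag and variable rules described in step 1 can be modelled as follows. This is an added sketch, not the i-Planet rewriter: it handles only double-quoted string literals without embedded commas, and the gateway form for absolute URLs is an assumption (the guide shows only a server-relative URL).

```python
import re

GATEWAY = "i-Planet_gateway"   # placeholder names from the page's rewritten URL
DEST = "destination_host"


def parse_rewrite_spec(spec):
    """'func1:y, ,y|func2:,y,y' -> {'func1': [True, False, True], ...}."""
    table = {}
    for entry in spec.split("|"):
        name, _, flags = entry.partition(":")
        table[name.strip()] = [f.strip() == "y" for f in flags.split(",")]
    return table


def translate(url):
    """Gateway form the page shows for a server-relative URL."""
    if url.startswith("/") and not url.startswith("//"):
        url = f"http://{DEST}{url}"
    if url.startswith(("http://", "https://")):
        return f"https://{GATEWAY}/{url}"   # absolute form is an assumption
    return url  # other forms are left alone in this sketch


def rewrite_variables(js, variables):
    """Rewrite string literals assigned to names listed in JavaScriptVariables."""
    names = "|".join(re.escape(v) for v in variables.split("|"))
    pattern = re.compile(rf'(?<![\w.])({names})(\s*=\s*")([^"]*)"')
    return pattern.sub(lambda m: f'{m[1]}{m[2]}{translate(m[3])}"', js)


def rewrite_calls(js, table):
    """Rewrite the flagged string-literal arguments of listed functions."""
    def fix(match):
        flags = table[match[1]]
        args = [a.strip() for a in match[2].split(",")]
        for i, arg in enumerate(args):
            quoted = len(arg) >= 2 and arg[0] == arg[-1] == '"'
            if i < len(flags) and flags[i] and quoted:
                args[i] = f'"{translate(arg[1:-1])}"'
        return f"{match[1]}({', '.join(args)})"
    # Longest names first so parent.openNewWindow wins over openNewWindow.
    names = "|".join(re.escape(n) for n in sorted(table, key=len, reverse=True))
    return re.sub(rf'(?<![\w.])({names})\(([^()]*)\)', fix, js)


# The page's own sample script.
PAGE = ('<script language=javascript> loc = "/cgi-bin/aaa.cgi"; '
        'location.href = "/cgi-bin/bbb.cgi";</script>')

if __name__ == "__main__":
    print(rewrite_variables(PAGE, "location.href|_sr.href"))
    print(rewrite_calls('func1("/a", "/b", "/c"); func2("/a", "/b", "/c");',
                        parse_rewrite_spec("func1:y, ,y|func2:,y,y")))
```

A URL held in a variable or passed to a function that is not listed is left as written, so it is worth checking a portal page's scripts against the two settings before relying on the gateway to carry all of its links.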

Enabling or Disabling UNIX Login to the i-Planet Desktop for the End User

You can enable or disable UNIX login for the end user to the i-Planet Desktop on the i-Planet gateway.

To Enable UNIX Login for the End User
  1. As root on the i-Planet gateway, type the following command to enable the end user to use UNIX to log in to the i-Planet Desktop.


    /opt/SUNWsnrp/bin/iplanet_gw unix on
    

  2. Stop and restart the reverse proxy on the i-Planet gateway for the changes to take place.

    See the procedure "To Stop and Restart the Reverse Proxy Server on the i-Planet Gateway" in this chapter.

  3. As root on the i-Planet server, type the following command to enable the end user to use UNIX to log in to the i-Planet Desktop.


    /opt/SUNWjeev/bin/iplanet_serv unix on
    

  4. Stop and start the web server on the i-Planet server.

    See the procedure "To Stop and Restart the Web Server on the i-Planet Server" in this chapter.

To Disable UNIX Login for the End User
  1. As root, type the following command on the i-Planet gateway to disable UNIX login.


    /opt/SUNWsnrp/bin/iplanet_gw unix off
    

  2. Stop and restart the reverse proxy on the i-Planet gateway for the changes to take place.

    See the procedure "To Stop and Restart the Reverse Proxy Server on the i-Planet Gateway" in this chapter.

  3. As root on the i-Planet server, type the following command to prevent the end user from using UNIX to log in to the i-Planet Desktop.


    /opt/SUNWjeev/bin/iplanet_serv unix off
    

  4. Stop and start the web server on the i-Planet server.

    See the procedure "To Stop and Restart the Web Server on the i-Planet Server" in this chapter.

Adding Users for the Administration Console

Use the following procedure to enable users to administer i-Planet through the Administration Console.

To Add a User Who Has Not Logged In
  1. If a regular user has not previously logged into the i-Planet Desktop and you want to enable a regular user to run the Administration Console, as root on the i-Planet server, change to the directory profiles and copy the file root to the name of the new user:


    cd /opt/SUNWjeev/profiles
    cp root new-user
    

  2. Edit the file for the new user and replace the lines:

    role=web with role=web admin

    session.uid=root with session.uid=new-user.

    The file for the new user should now look like the following:


    role=web admin
    user.url=http://fully_qualified_server_host_name:8080/\
    servlet/SNDesktop?template=user_login
    session.uid=new-user
    

To Add a User Who Has Logged In
  1. If the user has logged in, as root on the i-Planet server, edit the file for the user in /opt/SUNWjeev/profiles and add admin to the line role=web.

    The file for the user should now look like the following:


    role=web admin
    user.url=http://fully_qualified_i-Planet_server_host_name:8080/\
    servlet/SNDesktop?template=user_login
    session.uid=new-user
    


    Note -

    If users want to run the Administration Console from outside the i-Planet gateway or firewall or both, they must have admin privileges. They must either log in as root or log in as a regular user with the admin role.
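One way to review the outcome of the two procedures above is to list which profiles carry the admin role and to flag any profile whose session.uid was not changed after being copied from root. This is an added example, not part of the guide or the product: it assumes each profile file is named after its user and uses the key=value format with backslash continuation shown above, and the sample directory and user names are constructed.

```python
import os
import tempfile


def read_profile(path):
    """Parse key=value lines; a trailing backslash continues on the next line."""
    settings, pending = {}, ""
    with open(path, encoding="utf-8") as handle:
        for raw in handle:
            line = pending + raw.strip()
            if line.endswith("\\"):
                pending = line[:-1]
                continue
            pending = ""
            key, sep, value = line.partition("=")
            if sep:
                settings[key.strip()] = value.strip()
    return settings


def audit_profiles(directory):
    """Return (admins, mismatches) for the profile files in directory."""
    admins, mismatches = [], []
    for name in sorted(os.listdir(directory)):
        profile = read_profile(os.path.join(directory, name))
        if "admin" in profile.get("role", "").split():
            admins.append(name)
        uid = profile.get("session.uid")
        if uid is not None and uid != name:
            mismatches.append((name, uid))  # e.g. copied from root, uid not edited
    return admins, mismatches


def build_sample(directory):
    """Constructed sample: bob was copied from root but session.uid was left as root."""
    template = ("role={role}\n"
                "user.url=http://server.example.com:8080/\\\n"
                "servlet/SNDesktop?template=user_login\n"
                "session.uid={uid}\n")
    users = [("root", "web", "root"), ("alice", "web admin", "alice"),
             ("bob", "web admin", "root"), ("carol", "web", "carol")]
    for name, role, uid in users:
        with open(os.path.join(directory, name), "w", encoding="utf-8") as handle:
            handle.write(template.format(role=role, uid=uid))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample:
        build_sample(sample)
        print(audit_profiles(sample))
```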


Web Server

The web server is located on the i-Planet server.

Restarting the Web Server


Caution -

You must restart the web server manually after the i-Planet server fails. You must also restart the web server manually, if it fails.


You restart the web server with the following procedure:

To Restart the Web Server
  1. As root on the i-Planet server, type the following to restart the web server:


    /opt/SUNWjeev/bin/iplanet_serv start
    

Stopping and Restarting the Web Server

If you make any changes, whether through the Administration Console or by editing files, you must stop and restart the web server on the i-Planet server before the changes will take effect.

If you have to reboot the i-Planet server, the web server will start automatically.

To Stop and Restart the Web Server on the i-Planet Server
  1. As root on the i-Planet server, type the following to stop and restart the web server:


    /opt/SUNWjeev/bin/iplanet_serv stop
    /opt/SUNWjeev/bin/iplanet_serv start
    


    Note -

    End users must start their session over because all the session information is contained in the i-Planet server. No warning message is sent to the end users.


Tuning the Web Server

Overview

This section provides information on tuning the web server for more efficient operation within the operating environment.

As root, you can:

The shell script in this file should run before the shell script in file S42rp, which contains the script that starts the Java Web Server(TM).

TCP/IP Settings

The following TCP/IP settings have been identified as beneficial to servers running web servers.

ndd -set /dev/tcp tcp_close_wait_interval 45000
ndd -set /dev/tcp tcp_mss_max 6000
ndd -set /dev/tcp tcp_fin_wait_2_flush_interval 16000
ndd -set /dev/ip ip_path_mtu_discovery 0
ndd -set /dev/tcp tcp_conn_req_max_q 1024
ndd -set /dev/tcp tcp_conn_req_max_q0 1024
ndd -set /dev/tcp tcp_conn_req_min 1
ndd -set /dev/tcp tcp_xmit_hiwat 65535
ndd -set /dev/tcp tcp_recv_hiwat 65535 
ndd -set /dev/tcp tcp_cwnd_max 65534
ndd -set /dev/tcp tcp_keepalive_interval 90000
ndd -set /dev/tcp tcp_ip_abort_interval 60000
ndd -set /dev/tcp tcp_ip_abort_cinterval 60000
ndd -set /dev/tcp tcp_rexmit_interval_initial 3000
ndd -set /dev/tcp tcp_rexmit_interval_min 3000
ndd -set /dev/tcp tcp_rexmit_interval_max 10000
ndd -set /dev/tcp tcp_conn_grace_period 500 
ndd -set /dev/ip ip_ignore_redirect 1
ndd -set /dev/tcp tcp_slow_start_initial 2 

Using the Java Web Server Administration Tool

It should be unnecessary to administer the Java Web Server through the Java Web Server Administration tool. If it does become necessary, use the following procedure to enable the password and log in to the Java Web Server.

The default login for the Java Web Server Administration tool is admin. The default password, admin, is disabled when the Java Web Server is installed.

If you need to run the Java Web Server Administration tool, you must

To Enable the Password and Log In to the Java Web Server Administration Tool
  1. Enable the default password for the Java Web Server Administration tool:


    cp /opt/SUNWjeev/realms/data/defaultRealm/keyfile \
    /opt/SUNWjeev/realms/data/adminRealm/keyfile
    

  2. Stop and restart the web server on the i-Planet server.

    For information on stopping and restarting the web server, see the procedure "To Stop and Restart the Web Server on the i-Planet Server" in this chapter.


    Caution -

    The default login is admin and the default password is admin. This is a security risk. Please log in to the Java Web Server Administration tool and change the password.


  3. In a browser, type the following URL to run the Java Web Server Administration tool:


    http://i-Planet_server:9090/
    

    Port 9090 is the administration port for the Java Web Server.

Denying NetFile End Users Access to Hosts

You can edit the netfile.denyhosts field in the /etc/opt/SUNWstnr/platform.conf file to deny end users access to hosts such as the i-Planet gateway. You do this by editing the platform.conf file on the i-Planet server. You cannot do this using the Administration Console.

If end users try to add a machine whose IP address is one of those in the netfile.denyhosts field, they will receive an error message and they will not be allowed access to that machine.

NetFile always denies access to the host on which it is running. NetFile gets this address itself. You do not need to add its address to the platform.conf file manually.

To Deny Hosts Access to i-Planet NetFile Application
  1. Add the IP addresses of the machines to which you want to deny access in the netfile.denyhosts field of the /etc/opt/SUNWstnr/platform.conf file on the i-Planet server, for example:


    netfile.denyhosts=129.123.1.1 123.123.1.2
    

Separate the addresses in this field by spaces. Use the form in the example.

Licensing

General Information About Licensing

i-Planet requires that the number of end users in the file /opt/SUNWjeev/profiles be equal to or less than the number of Right To Use (RTU) tokens that are available under your licensing agreement. You can remove end users who are no longer with your company, but you cannot have more users than your allotted RTUs. If you have more names in the profile file, no one will be able to log in.

If the license server should stop or if you stop the license server, end users will not be able to log into the i-Planet Desktop until it is started.

Stopping and Starting the License Server

If the i-Planet server should go down, the license server should automatically start at reboot. If the license server does not automatically start up, use the following commands to stop and start the license server. In the unlikely event that your end users receive an error message that they cannot log in, it may be that you must restart the license server.

To Stop and Start the License Server
  1. As root, on the i-Planet server, stop and start the license server:


    # /etc/rc2.d/S85lmgrd stop
    # /etc/rc2.d/S85lmgrd start
    

  2. Stop and restart the web server on the i-Planet server.

    For information on stopping and restarting the web server, see the procedure "To Stop and Restart the Web Server on the i-Planet Server" in this chapter.

Configuring the Browsers

i-Planet works with Netscape and Internet Explorer. This section contains information about using these browsers.

Netscape

This section contains information on tuning various versions of Netscape browsers.

Warnings with Netscape 4.05

When you use Netscape 4.05 with the Solaris 2.6 Operating Environment, the warnings that you get when a Java window comes up appear whenever you start a new window.

To prevent this behavior, use the following procedure to create the file .Xdefaults.

To Add the File .Xdefaults
  1. Create a file called .Xdefaults in your home directory.

  2. Put the following lines in this file:


    Netscape.useStderrDialog:       false
    Netscape.useStdoutDialog:       false
    

To prevent this behavior, follow the procedure below, if the file .Xdefaults already exists in your home directory.

To Modify the File .Xdefaults
  1. If this file already exists in your home directory, add the lines:


    Netscape.useStderrDialog:       false
    Netscape.useStdoutDialog:       false
    

Netscape and Applications from the Desktop

For all versions of Netscape, the preferences must be set to accept all cookies. Use the following procedure to do this.

To Set Netscape Browsers to Accept All Cookies
  1. Start Netscape.

  2. From the Edit menu, choose Preferences.

  3. On the Category frame of the Netscape: Preferences window, click Advanced.

  4. On the Cookies panel of the Advanced preferences (described as "Change preferences that affect the entire product"), click the radio button before "accept all cookies."

  5. Click OK at the bottom of the Netscape: Preferences window.

Netscape tmp/ File Size

The amount of space available for tmp/ files on the server determines the size of files that end users can download or access.

Internet Explorer

If end users look at sensitive or classified documents through Internet Explorer, they must be sure to exit the browser when they have finished. Copies of all files that they have looked at are stored on the computer that they are using until they close all Internet Explorer windows.