Netscape Console 4.1
for Windows NT and Unix
These notes were last updated August 18, 2000.
These release notes contain important information about Netscape Console
4.1. Please read these notes before using the product.
Installation Instructions and Release Notes for all 4.x versions
of Netscape servers are available online at this location: http://home.netscape.com/eng/server.
Use of this product is subject to the terms detailed in the license
agreement accompanying it.
Netscape Console incorporates compression code by the Info-ZIP group.
There are no extra charges or costs due to the use of this code, and
the original compression sources are freely available from ftp://ftp.cdrom.com/pub/infozip/
on the Internet.
The release notes contain these explanations:
What's New in This Release
Netscape Console provides a unified administration interface to all the
intranet, extranet, client, and server software under an administrator's
control. The 4.1 version of Netscape Console includes three new features:
Server Authentication, LDAP Failover Support, and a Merge Configuration
utility.
Server Authentication
When a user accesses a server via the Netscape Console using SSL, the server
presents a certificate to the Console during the SSL handshake session.
Through server authentication, the user can authenticate, or trust,
the server's certificate. The authentication process can be
accomplished directly by the user, or by Netscape Console on behalf of
the user through a trust database. The database is maintained by
Netscape Console.
LDAP Failover Support
Since the Directory Server has become a very critical resource that servers
and clients depend on, Netscape Console now supports failover to an LDAP
replica when the primary Directory Server goes down or becomes unavailable.
For more information, see "User Directory Settings" in the online help.
Merge Configuration Utility
The Merge Configuration utility merges configuration data from a pilot
directory with configuration data from your real Directory Server. This
is useful when you've been testing a directory configuration, and want
to merge the test data with the data in an existing directory. For
more information, see "Merging Configuration Data from Two Directory Servers"
in the online help.
Potential Problems and Solutions
This section describes the following known problems and related solutions:
Installation
- On Windows NT, if you are upgrading from an earlier version of Console,
do not choose the "Custom" option during installation. Doing so will cause
the installation to fail. (112554)
- Netscape Server Products should be installed on a local disk drive.
If you install a Netscape Server Product on a networked drive,
the product may not work as designed. (336269)
- You can save the install cache when you install Netscape Console.
When you save the install cache, all the values you specify during installation
are saved to a file. This file is useful when you want to perform
subsequent silent installations. To save the install cache, in the
server root, enter setup -k. (339769) For more information
on silent installation, see Chapter 4 of the Netscape Directory Server 4.0 Installation Guide.
- If you log in from a remote HP workstation to OSF, and then run Netscape
Console, the Console may occasionally hang. To avoid this problem,
both install and run Netscape Console on an HP workstation. (341699)
- If your configuration directory is running on Netscape Directory Server
4.0 or lower, you may receive an "error 14" message when performing Console
operations (392925). This is because Console 4.1 and higher require schema
updates to the directory. To fix this problem, install the latest version
of iPlanet Directory Server.
Loss of Network Connection
If you lose a network connection while Netscape Console
is running, Netscape Console may become inoperative. Re-establish
your network connection, then restart Netscape Console. (106714)
Proxied Administration Not Supported
Netscape Console 4.1 does not support proxied administration.
Setting Access Permissions for a Server
You can grant or deny server access to an individual
user, but you cannot grant or deny server access to a group. If you
select a server in the Netscape Console navigation tree, and attempt to
use the Set Access Permissions command to specify a group of users, the
permissions you set will not work as expected. (337487)
This is caused by an incorrectly defined Access Control Instruction (ACI)
under o=NetscapeRoot. To work around this problem, use ldapmodify to
patch this ACI with the following LDIF content:
dn: o=NetscapeRoot
changetype: modify
delete: aci
aci: (targetattr="*")(version 3.0; acl "Enable Group Expansion"; allow (read, search, compare)groupdnattr="ldap:///o=NetscapeRoot?uniquemember?sub";)
-
add: aci
aci: (targetattr="*")(version 3.0; acl "Enable Group Expansion"; allow (read, search, compare)groupdnattr="uniquemember";)
If you are unfamiliar with ldapmodify and LDIF, refer to the
Netscape Directory Server Administrator's Guide.
Setting Access Permissions for a Server Task
If you create an ACI rule to grant or deny access
to a server task, the rule will not take effect until you restart both
the server (such as Directory Server or Messaging Server) and its
Administration Server. (345956, 342786)
Specifying Multiple User Directories for Failover Support
When you specify more than one User Directory for
failover purposes, do not use carriage returns to separate directory host
names. If you use carriage returns, you'll get an error message.
Instead of carriage returns, use spaces to separate host names. (345731)
Example: Eros.Airius.com:389 Zeus.Airius.com:389
Server Instance Names
Do not use a period (.) in server instance names.
If you use a period in a server instance name, Netscape Console will not
recognize the server instance. For example, the server instance
msg.airius.com is not acceptable; msg-airius-com is acceptable. (311490)
Non-English Version of Windows NT Operating System
If you are running Netscape Console on a non-English
version of the Windows NT operating system, you cannot use
the right Alt key or the Ctrl+Alt+key combination to enter special characters
such as: @, \, or |. (323858) As a workaround, change
the Keyboard Layout setting to US. When your Keyboard Layout preference
is set to US, you can use the Shift-2 combination to enter the @ character.
To change the Keyboard Layout setting:
- From the Start menu, choose Settings | Control Panel.
- In the Control Panel, double click the Keyboard icon,
and then click Input Locales.
- Select an input locale, and then click Properties.
- In the Input Locale Properties dialog, from the drop-down
list select US, and then click OK.
Non default uid
When the default language requires a uid in a
form other than the default (user's first initial followed by last name),
you must manually override the nsuseridformat attribute in the configuration
directory. (117507) To change the nsuseridformat attribute:
- In the Netscape Console, open the Directory Server
that contains the configuration directory you want to modify.
- In the Directory Server, click Directory.
- Expand the navigation tree to follow this path:
NetscapeRoot/[administration domain]/Global Preferences.
- In the navigation tree, select Global Preferences.
- In the right pane double-click Common.
- In the Property Editor window, locate the attribute nsuseridformat
and enter one of the following values as appropriate:
  - firstletter_lastname (this is the default value)
  - givenname_firstletter
  - lastname_givenname
  - givenname_lastname
- Click OK.
- Restart Netscape Console.
Changing a User's Password
If you create a user without indicating a password, selecting the user
and clicking on the Password button will allow you to assign a value for
the user's password attribute. If you try to change this value by clicking
on the Password button again, the new value will be stored alongside the
old value and the user will have two valid passwords. To work around this:
select the user, click on Edit, and then enter and confirm the new password
in the Edit Entry dialog box. Alternatively, you can choose to assign a
password when creating a new user. If you have already created a user with
multiple passwords, perform a new search for the user and enter a new password
using the Edit or Password button. This will discard any old values and
assign a single password for the user.
8-bit Characters
When creating a new user or editing a user's personal
data, do not use 8-bit characters in the First Name and Last Name fields.
If you use 8-bit characters in the First Name or Last Name fields,
the user ID is not automatically generated for you. Instead, use
ASCII characters to enter the user's personal data. (117507)
Windows NT with DHCP
You cannot install Administration Server 4.0 or Directory
Server 4.0 on Windows NT with DHCP. As a workaround, you can install
successfully using a static IP address. (105984)
Changes to IP address
If, for any reason, your computer system's IP address changes, the Administration
Server will not start (332357, 354994). The IP address must be changed
in both the Administration Server configuration and the Configuration Directory.
As a workaround, follow these steps:
- Copy the Perl script provided below, and save it as a file in the <Server_Root>/shared/bin
directory. In this example, the file is named admin_ip.pl.
- In the <Server_Root>/shared/bin directory, run the script:
  - On Windows NT, enter
    ..\..\install\perl admin_ip.pl <Directory_Manager_DN> <Directory_Manager_password> <old_IP> <new_IP> [port #]
  - On Unix, enter
    admin_ip.pl <Directory_Manager_DN> <Directory_Manager_password> <old_IP> <new_IP> [port #]
#!../../install/perl -w
# This script automatically changes the Administration Server IP
# address in both the local.conf file and in the Configuration Directory.
# The old IP address is stored in the file local.conf.old.
die "Usage: admin_ip.pl <Directory_Manager_DN> <Directory_Manager_password> <old_IP> <new_IP> [port #]\n"
    unless (($#ARGV >= 3) && ($#ARGV <= 4));   # four required arguments, optional port
$dirmgr = $ARGV[0];
$passwd = $ARGV[1];
$oldIPaddr = $ARGV[2];
$newaddr = $ARGV[3];
$port = 389;
$port = $ARGV[4] if ($ARGV[4]);
$adminconfig = "../../admin-serv/config/";
$ldapsearch = "./ldapsearch";
$ldapmodify = "./ldapmodify";
$baseobject = "o=NetscapeRoot";
$query = "(&(&(cn=configuration)(objectclass=nsConfig))(nsserveraddress=\"$oldIPaddr\"))";
$dn = "";
$oldaddr = "";
$/ = ""; # enable paragraph mode
# Find the old IP address in the directory
open (LDAP, "$ldapsearch -p $port -b $baseobject -D \"$dirmgr\" -w \"$passwd\" \"$query\" |");
while (<LDAP>) {
    s/\n //g;   # unfold continued LDIF lines
    if (/\nnsserveraddress: (.*)\n/) {
        $oldaddr = $1;
        print "Old IP in directory: $oldaddr\n";
    }
    if (/^dn: (.*)\n/) {
        $dn = $1;
        print "DN: $dn\n";
        # Update the IP address stored in the configuration directory
        open (LDAP2, "| $ldapmodify -p $port -D \"$dirmgr\" -w \"$passwd\"");
        print LDAP2 "dn: $dn\n";
        print LDAP2 "changetype: modify\n";
        print LDAP2 "replace: nsserveraddress\n";
        print LDAP2 "nsserveraddress: $newaddr\n";
        close (LDAP2);
    }
}
close (LDAP);
# If the directory search found nothing, fall back to the address given
# on the command line so the substitution below never uses an empty pattern.
$oldaddr = $oldIPaddr unless $oldaddr;
# Update the admin config file
$newconfig = $adminconfig . "local.conf";
$oldconfig = $adminconfig . "local.conf.old";
# Stop if the backup cannot be made; otherwise local.conf would be truncated.
rename($newconfig, $oldconfig) or die "Cannot rename $newconfig: $!\n";
open (OLD, "<" . $oldconfig) or die "Cannot read $oldconfig: $!\n";
open (NEW, ">" . $newconfig) or die "Cannot write $newconfig: $!\n";
print "oldaddr: $oldaddr\n";
print "newaddr: $newaddr\n";
while (<OLD>) {
    # \Q...\E makes the dots in the address match literally
    s/\Q$oldaddr\E/$newaddr/g;
    print NEW;
}
close(OLD);
close(NEW);
Using HP-UX
- If Netscape Console randomly crashes, make sure you
have the patch PHKL_14750 installed on your system. Contact Hewlett-Packard
for detailed information on obtaining this patch.
- If you're using a multi-CPU system, you need to install
this patch: PHNE_16645. This addresses the Administration Server
process spinning problem. Contact Hewlett-Packard for detailed information
on obtaining the patch.
- When using the Users and Groups Search Directory,
the screen may not draw properly. (291656) When this happens, click Search
to perform the search again.
Using AIX with jre 1.1.6
If Netscape Console crashes upon startup, you must disable JIT. (316827)
To disable JIT, invoke startconsole with the -nojit option.
Using Linux
If Netscape Console hangs during log in, it may be due to a problem
with NIS (349906). As a workaround, in /etc/nsswitch.conf,
modify the nis and dns lookup ordering in the hosts entry. Make
sure dns comes before nis.
For example, change this entry:
hosts: files nisplus nis dns
to this entry:
hosts: files dns nisplus nis
On Windows NT, End-User Page Not Accessible with SSL
On Windows NT, if you enable SSL on the Directory Server, you will not
be able to access the End-User Page (see illustration). (342135)
Using Netscape Console with Netscape Certificate Server 1.x
When you use a Netscape 4.x server to request a server certificate from
a Netscape Certificate Server 1.x, do not use wildcards, punctuation marks,
or other special characters when specifying the server host name.
If you do, Certificate Server will display the following message "Invalid
DER encoding" when the certificate is submitted. If you must use
wildcards (for example www.airius|netscape.com), then you must
make a special note to the CA when you submit the certificate request.
The following image illustrates how you can submit a special note to the
CA:
Using an external token to store certificates
If you use an external token or smart device to store multiple security
certificates, the device may run out of storage space. This happens
when you repeatedly use the Certificate Setup Wizard to generate certificate
requests without deleting previously installed public or private keys.
(347448) To avoid this problem, follow the instructions provided
by the external device manufacturer to first back up your existing certificate(s),
and then to clear the device's memory.
Installing a FORTEZZA PKCS #11 Module on Windows NT
If the FORTEZZA PKCS #11 module you want to install
is a DLL file (or shared library) and not a JAR file, do not use the "Manage
PKCS #11" or "Add PKCS #11" commands in Netscape Console. If you
use the Netscape Console graphical interface, you will not be able to activate
FORTEZZA ciphers. Instead, use the modutil command line utility located
at <server_root>/shared/bin/modutil.
To install a FORTEZZA PKCS #11 Module DLL File:
- Locate the server instance for which you want to
install the PKCS #11 module.
- Open a terminal window.
- Go to the Administration Server's configuration directory
located at <server_root>/admin-serv/config.
- At the prompt, enter this command:
  <server_root>/shared/bin/modutil -dbdir . -create
  This creates the required security module database
  file (secmod.db) in the Administration Server's configuration
  directory.
- At the prompt, enter this command:
  <server_root>/shared/bin/modutil -dbdir . -add <module_name> -libfile <library_file> -nocertdb
  <library_file> specifies the path
  to the DLL or other library file containing the implementation of the PKCS
  #11 interface module.
  <module_name> specifies the name of
  the PKCS #11 module (you specified this in Step 1 when you installed the
  drivers).
  For example, if you are installing a Litronic token,
  you would enter:
  <server_root>/shared/bin/modutil -dbdir . -add CryptOS -libfile core32
For detailed information about modutil, see
Appendix B, "Administration Server Command Line Tools" in the
Netscape Console documentation.
Logging in as Directory Manager
If you log in to Netscape Console using the DN cn=directory manager,
your font display preferences will not be saved. (341686)
Expired SIE passwords block access to Administration Server tasks
If a password expiration policy is enabled in Directory Server, and a connected
Administration Server's SIE passwords expire, you will not be able to access
the connected server. (343369) As a workaround, you can
delay the expiration date of the Administration Server passwords.
Use the ldapmodify utility to change two administrative entries.
In the following example, replace <hostname> with the hostname
of the server, and finish the command with Ctl-Z:
ldapmodify -D "cn=directory manager" -w password
dn: uid=Configuration Administrator, ou=admin, ou=Topology Management, o=NetscapeRoot
changetype: modify
replace: userpassword
userpassword: <newpassword>
-
replace: passwordexpirationtime
passwordexpirationtime: 20011231000000

dn: cn=admin-serv-<hostname>, cn=Netscape Administration Server, cn=Server Group, cn=<hostname>, ou=<hostname>, o=NetscapeRoot
changetype: modify
replace: userpassword
userpassword: <newpassword>
-
replace: passwordexpirationtime
passwordexpirationtime: 20011231000000
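The two password conditions described in these notes (a user left with two valid passwords under "Changing a User's Password", and administrative entries whose passwordexpirationtime has passed) can both be checked from an LDIF export. The following is an added example, not part of the original release notes or of any Netscape tool; it assumes an export that includes the userpassword and passwordexpirationtime attributes, and the sample entries and function names are constructed for illustration.

```python
from datetime import datetime

# Constructed sample export (not real data); the second dn is folded as LDIF allows.
SAMPLE_LDIF = """\
dn: uid=jdoe, ou=People, o=airius.com
uid: jdoe
userpassword: {SHA}constructed-value-1
userpassword: {SHA}constructed-value-2

dn: cn=admin-serv-host1, cn=Netscape Administration Server, cn=Server Group,
  cn=host1, ou=airius.com, o=NetscapeRoot
userpassword: {SHA}constructed-value-3
passwordexpirationtime: 20001001000000

dn: uid=asmith, ou=People, o=airius.com
userpassword: {SHA}constructed-value-4
passwordexpirationtime: 20011231000000
"""


def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; attribute names are lower-cased."""
    # Unfold first: a newline followed by one space continues the previous line.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    entries = []
    for block in unfolded.split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            # "attr:: value" marks base64; keep it encoded, it is only counted.
            value = value.lstrip(":").strip()
            if name.strip().lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.strip().lower(), []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def audit(entries, cutoff):
    """Return (dn, issue) findings; password values are never echoed."""
    findings = []
    for dn, attrs in entries:
        count = len(attrs.get("userpassword", []))
        if count > 1:
            findings.append((dn, f"{count} userpassword values"))
        for raw in attrs.get("passwordexpirationtime", []):
            try:
                # The notes write the time as YYYYMMDDhhmmss; ignore any suffix.
                expires = datetime.strptime(raw[:14], "%Y%m%d%H%M%S")
            except ValueError:
                findings.append((dn, "unparseable passwordexpirationtime"))
                continue
            if expires < cutoff:
                findings.append((dn, f"passwordexpirationtime {raw} is before cutoff"))
    return findings


if __name__ == "__main__":
    for dn, issue in audit(parse_ldif(SAMPLE_LDIF), datetime(2001, 1, 1)):
        print(f"{issue}: {dn}")
```
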
Searching a Large User Directory
If you use the Search interface to list all users in a large directory
(for example, more than 1000 entries), the search may return 0 results.
(341275) To improve search results, simply restrict your search criteria.
Administration Server Memory Usage
If you leave Netscape Console running for long periods while connected
to a server that is also running, memory loss may occur at a rate of about
20MB per week. (342950) To prevent this memory loss, stop Netscape
Console when you are not using it.
Configuration Administrator vs. Local Administrator
The Local Administrator (also referred to as Admin Server Superuser
or Administration Server Administrator) makes it possible for you
to access an Administration Server and perform limited server administration
even when the Directory Server is inaccessible or is not running.
The Configuration Administrator and Local Administrator are two separate
entities. If you change the username or password for one,
Netscape Console does not automatically make the same changes for the
other.
The Authentication Process
During installation, you're asked to specify a username and password for
the Configuration Administrator. The Configuration Administrator
is authorized to access and modify the Configuration Directory of your
LDAP server. Netscape Console creates the Configuration Administrator
as an entry in the LDAP user directory under: ou=Administrators, ou=Mission Control, ou=<domain>, o=NetscapeRoot.
Also during installation, Netscape Console uses the same username and
password you specified for the Configuration Administrator to automatically
create the Local Administrator. The Local Administrator does not
have an LDAP entry; it exists only as an entity named in a local configuration
file stored at <server_root>/admin-serv/config/admpw. The Local
Administrator can execute limited .cgi programs such as starting, stopping,
or restarting servers in the local Server Group.
Normally, when you log in to Netscape Console as the Configuration Administrator,
the username and password you enter are authenticated against the LDAP
entry. But if the Directory Server cannot be accessed or the user
LDAP entry cannot be found, Netscape Console authenticates the username
and password against the Local Administrator credentials stored in the
admpw file. When running Netscape Console, if the Directory Server
is down, you'll be given the option to start it and asked for the Local
Administrator credentials.
Changing Administrator Usernames and Passwords
Keep in mind that the Configuration Administrator and Local Administrator
are two separate entities. If you change the username or password
for one, Netscape Console does not automatically make the same changes
for the other.
To change the username or password for the Configuration Administrator:
- In Netscape Console, click Users and Groups.
- In the Users and Groups window, click Directory.
- In the Change Directory Window, enter a new Bind DN or Bind Password, then
click OK.
To change the username or password for the Local Administrator:
- In the Netscape Console navigation tree, locate and select the Administration
Server you want to reconfigure. Click Open to open the Administration
Server window.
- In the Administration Server window, click Configuration.
- In the Configuration tab, click Access.
- In the Access tab, enter a new Username or Password.
- Restart the Administration Server.
Full Thread Dump
If you're trying to run the command line, and a segmentation violation
occurs resulting in a full thread dump output, you may have an incompatible
version of JRE or JDK in your path. Adding the following lines
to the admconfig script will eliminate this problem:
JAVA_HOME=./bin/base/jre
export JAVA_HOME
CLASSPATH=
export CLASSPATH
You can manually edit the admconfig script located at /bin/admin/admconfig,
or you can enter these lines at the command line before running ./bin/admin/admconfig.
Using SSL
- To start an SSL-enabled Administration Server without manually entering a password, do the following:
  - Create a text file that will contain your security device passwords.
  - Add entries to this file using the following format: <token name>: <password>
    For instance, if you are using the internal software token, you would enter internal (software): <password>
    where <password> is the password for the token. If you are using additional tokens, add each one's name and password on
    a new line.
  - In the <server root>/admin-serv/config directory, create a text file called custom.conf.
  - Add the following line to custom.conf: pinFile: <pin file> where <pin file> is the full path to the text file containing passwords.
- If you are using SSL, you need to be aware of important information
related to root certificate expiration by the end of 1999. At a minimum, you may need to ask your
users to upgrade their browsers to Communicator 4.7. Depending on how you are using SSL, you
may also need to update the root certificate in your server. For important and urgent information on
root certificate expiration, see Digital Certificate Security Alert.
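The pin file described in the first item above holds token passwords in clear text, so its permissions and format are worth checking after it is created. The following is an added example, not part of the original release notes or of any Netscape tool; it assumes Unix permission bits and that only the account starting the server should be able to read the file, and the function names and the file name pins.txt are hypothetical.

```python
import os
import stat
import tempfile


def read_pinfile_path(custom_conf):
    """Return the value of the 'pinFile:' line in custom.conf, or None."""
    with open(custom_conf, encoding="utf-8") as fh:
        for line in fh:
            key, sep, value = line.partition(":")
            if sep and key.strip().lower() == "pinfile":
                return value.strip()
    return None


def audit_pinfile(custom_conf):
    """Return findings (strings) about the pin file named in custom.conf.

    Passwords are never included in the findings.
    """
    pin_path = read_pinfile_path(custom_conf)
    if pin_path is None:
        return ["custom.conf has no pinFile entry"]
    findings = []
    if not os.path.isabs(pin_path):
        findings.append("pinFile is not a full path")
    try:
        mode = stat.S_IMODE(os.stat(pin_path).st_mode)
    except OSError as exc:
        return findings + [f"cannot stat pin file: {exc.strerror}"]
    # Assumption: only the account that starts the server should have access.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"pin file mode {mode:04o} grants group/other access")
    with open(pin_path, encoding="utf-8") as fh:
        for lineno, line in enumerate(fh, 1):
            if not line.strip():
                continue
            token, sep, password = line.partition(":")
            if not (sep and token.strip() and password.strip()):
                findings.append(f"line {lineno}: expected '<token name>: <password>'")
    return findings


def demo():
    """Build a constructed custom.conf and pin file; audit before and after chmod."""
    with tempfile.TemporaryDirectory() as d:
        pin = os.path.join(d, "pins.txt")  # hypothetical file name
        conf = os.path.join(d, "custom.conf")
        with open(pin, "w", encoding="utf-8") as fh:
            fh.write("internal (software): constructed-password\n")
        with open(conf, "w", encoding="utf-8") as fh:
            fh.write(f"pinFile: {pin}\n")
        os.chmod(pin, 0o644)
        before = audit_pinfile(conf)
        os.chmod(pin, 0o600)
        after = audit_pinfile(conf)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("mode 0644:", before)
    print("mode 0600:", after)
```
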
How to Report Problems
Use the Bug Report Form for Netscape Server Products to help us address bugs you may find.
While we may not be able to respond personally to individual bugs, we will pay careful attention
to each message we receive.
Where to Go for Other Information
For installation instructions, see the Install.htm file for the
server you're installing. Installation Instructions and Release Notes
for all Netscape servers are posted at this location: http://home.netscape.com/eng/server
If you can't find the information you need, contact technical
support.
© Copyright 1999-2000 Netscape
Communications Corporation, a subsidiary of America Online, Inc. All rights
reserved.