
 Netscape Console 4.1
for Windows NT and Unix



 

These release notes contain important information about Netscape Console 4.1. Please read these notes before using the product.

Installation Instructions and Release Notes for all  4.x versions of Netscape servers are available online at this location: http://home.netscape.com/eng/server.

Use of this product is subject to the terms detailed in the license agreement accompanying it.

Netscape Console incorporates compression code by the Info-ZIP group. There are no extra charges or costs due to the use of this code, and
the original compression sources are freely available from ftp://ftp.cdrom.com/pub/infozip/ on the Internet.
 



The release notes contain these explanations:

What's New in This Release

Netscape Console provides a unified administration interface to all the intranet, extranet, client, and server software under an administrator's control.  The 4.1 version of Netscape Console includes three new features:  Server Authentication, LDAP Failover Support, and a Merge Configuration utility.

Server Authentication

When a user accesses a server via the Netscape Console using SSL, the server presents a certificate to the Console during the SSL handshake session.  Through server authentication, the user can authenticate, or trust,  the server's certificate.   The authentication process can be accomplished directly by the user, or by Netscape Console on behalf of the user through a trust database.  The database is maintained by Netscape Console.

LDAP Failover Support

Since the Directory Server has become a very critical resource that servers and clients depend on, Netscape Console now supports failover to an LDAP replica when the primary Directory Server goes down or becomes unavailable.  For more information, see "User Directory Settings" in the online help.

Merge Configuration Utility

The Merge Configuration utility merges configuration data from a pilot directory with configuration data from your real Directory Server. This is useful when you've been testing a directory configuration, and want to merge the test data with the data in an existing directory.  For more information, see "Merging Configuration Data from Two Directory Servers" in the online help.

Potential Problems and Solutions

This section describes the following known problems and related solutions:
 

Installation

Loss of Network Connection

If you lose a network connection while Netscape Console is running, Netscape Console may become inoperative.  Re-establish your network connection, then restart Netscape Console. (106714)

Proxied Administration Not Supported

Netscape Console 4.1 does not support proxied administration.

Setting Access Permissions for a Server

You can grant or deny server access to an individual user, but you cannot grant or deny server access to a group.  If you select a server in the Netscape Console navigation tree, and attempt to use the Set Access Permissions command to specify a group of users, the permissions you set will not work as expected.  (337487)

This is caused by an incorrectly defined Access Control Instruction (ACI) under o=NetscapeRoot. To work around this problem, use ldapmodify to patch this ACI with the following LDIF content:

dn: o=NetscapeRoot
changetype: modify
delete: aci
aci: (targetattr="*")(version 3.0; acl "Enable Group Expansion"; allow (read, search, compare)groupdnattr="ldap:///o=NetscapeRoot?uniquemember?sub";)
-
add: aci
aci: (targetattr="*")(version 3.0; acl "Enable Group Expansion"; allow (read, search, compare)groupdnattr="uniquemember";)

If you are unfamiliar with ldapmodify and LDIF, refer to the Netscape Directory Server Administrator's Guide.

Setting Access Permissions for a Server Task

If you create an ACI rule to grant or deny access to a server task, the rule will not take effect until you restart both the server (such as Directory Server or Messaging Server) and its Administration Server.  (345956, 342786)

Specifying Multiple User Directories for Failover Support

When you specify more than one User Directory for failover purposes, do not use carriage returns to separate directory host names.  If you use carriage returns, you'll get an error message.  Instead of carriage returns, use spaces to separate host names.  (345731) Example:  Eros.Airius.com:389 Zeus.Airius.com:389

Server Instance Names

Do not use a period (.) in server instance names.  If you use a period in a server instance name, Netscape Console will not recognize the server
instance.   For example, the server instance msg.airius.com is not acceptable; msg-airius-com is acceptable. (311490)

Non-English Version of Windows NT Operating System

If you are running Netscape Console on a non-English version of  the Windows NT  operating system, you cannot use the right Alt key or the Ctrl+Alt+key combination to enter special characters such as:  @, \, or |.  (323858)  As a workaround, change the Keyboard Layout setting to US.  When your Keyboard Layout preference is set to US, you can use the Shift-2 combination to enter the @ character.

To change the Keyboard Layout setting:

  1. From the Start menu, choose Settings | Control Panel.
  2. In the Control Panel, double click the Keyboard icon, and then click Input Locales.
  3. Select an input locale, and then click Properties.
  4. In the Input Locale Properties dialog, from the drop-down list select US, and then click OK.

Non default uid

When the default language requires a uid in a form other than the default (user's first initial followed by last name), you must manually override the nsuseridformat attribute in the configuration directory. (117507)

To change the nsuseridformat attribute:
  1. In the Netscape Console, open the Directory Server that contains the configuration directory you want to modify.
  2. In the Directory Server, click Directory.
  3. Expand the navigation tree to follow this path:   NetscapeRoot/[administration domain]/Global Preferences.
  4. In the navigation tree, select Global Preferences.
  5. In the right pane double-click Common.
  6. In the Property Editor window, locate the attribute nsuseridformat and enter one of the following values as appropriate:
  7. Click OK.
  8. Restart Netscape Console.

Changing a User's Password

If you create a user without indicating a password, selecting the user and clicking on the Password button will allow you to assign a value for the user's password attribute. If you try to change this value by clicking on the Password button again, the new value will be stored alongside the old value and the user will have two valid passwords. To work around this: select the user, click on Edit, and then enter and confirm the new password in the Edit Entry dialog box. Alternatively, you can choose to assign a password when creating a new user. If you have already created a user with multiple passwords, perform a new search for the user and enter a new password using the Edit or Password button. This will discard any old values and assign a single password for the user.

8-bit Characters

When creating a new user or editing a user's personal data, do not use 8-bit characters in the First Name and Last Name fields.  If you use  8-bit characters in the First Name or Last Name fields, the user ID is not automatically generated for you.  Instead, use ASCII characters to enter the user's personal data. (117507)

Windows NT with DHCP

You cannot install Administration Server 4.0 or Directory Server 4.0 on Windows NT with DHCP.  As a workaround, you can install successfully using a static IP address. (105984)

Changes to IP address

If, for any reason, your computer system's IP address changes, the Administration Server will not start (332357, 354994).  The IP address must be changed in both the Administration Server configuration and the Configuration Directory. As a workaround, follow these steps:

  1. Copy the Perl script provided below, and save it as a file in the <Server_Root>/shared/bin directory.  In this example, the file is named admin_ip.pl.
  2. In the <Server_Root>/shared/bin directory,


#!../../install/perl -w

# This script automatically changes the Administration Server IP address in
# both the local.conf file and in the Configuration Directory.  The old IP
# address is stored in the file local.conf.old.

# Four arguments are required; the port number is an optional fifth.
die "Usage: admin_ip.pl <Directory_Manager_DN> <Directory_Manager_password> "
  . "<old_IP> <new_IP> [port #]\n" unless (($#ARGV >= 3) && ($#ARGV <= 4));

$dirmgr = $ARGV[0];
$passwd = $ARGV[1];
$oldIPaddr = $ARGV[2];
$newaddr = $ARGV[3];
$port = 389;
$port = $ARGV[4] if ($ARGV[4]);

$adminconfig = "../../admin-serv/config/";
$ldapsearch = "./ldapsearch";
$ldapmodify = "./ldapmodify";
$baseobject = "o=NetscapeRoot";
$query = "(&(&(cn=configuration)(objectclass=nsConfig))(nsserveraddress=\"$oldIPaddr\"))";
$dn = "";
$oldaddr = "";

$/ = ""; # enable paragraph mode: one LDIF entry per read

# Find the old IP address in the directory
open (LDAP, "$ldapsearch -p $port -b $baseobject -D \"$dirmgr\" -w \"$passwd\" \"$query\" |")
  or die "Cannot run $ldapsearch: $!\n";
while (<LDAP>) {
  s/\n //g; # unfold LDIF continuation lines
  if (/\nnsserveraddress: (.*)\n/) {
    $oldaddr = $1;
    print "Old IP in directory: $oldaddr\n";
  }
  if (/^dn: (.*)\n/) {
    $dn = $1;
    print "DN: $dn\n";

# Update the IP address stored in the configuration directory
    open (LDAP2, "| $ldapmodify -p $port -D \"$dirmgr\" -w \"$passwd\"")
      or die "Cannot run $ldapmodify: $!\n";
    print LDAP2 "dn: $dn\n";
    print LDAP2 "changetype: modify\n";
    print LDAP2 "replace: nsserveraddress\n";
    print LDAP2 "nsserveraddress: $newaddr\n";
    close (LDAP2);
  }
}
close (LDAP);

# Stop here if the search found nothing: an empty pattern in the
# substitution below would not match the old address.
die "Old IP address $oldIPaddr was not found in the directory\n" unless $oldaddr;

# Update the admin config file
$newconfig = $adminconfig . "local.conf";
$oldconfig = $adminconfig . "local.conf.old";
rename ($newconfig, $oldconfig) or die "Cannot rename $newconfig: $!\n";
open (OLD, "<" . $oldconfig) or die "Cannot read $oldconfig: $!\n";
open (NEW, ">" . $newconfig) or die "Cannot write $newconfig: $!\n";
print "oldaddr: $oldaddr\n";
print "newaddr: $newaddr\n";
while (<OLD>) {
  # \Q...\E makes the dots in the old address match literally
  s/\Q$oldaddr\E/$newaddr/g;
  print NEW;
}
close(OLD);
close(NEW);
 

Using HP-UX

Using AIX with jre 1.1.6

If Netscape Console crashes upon startup, you must disable JIT.  (316827) To disable JIT, invoke startconsole with the -nojit option.

Using Linux

If Netscape Console hangs during log in, it may be due to a problem with NIS (349906).  As a workaround, in /etc/nsswitch.conf, modify the nis and dns lookup ordering in the hosts entry.  Make sure dns comes before nis.
For example, change this entry:
hosts:      files nisplus nis dns
to this entry:
hosts:      files dns nisplus nis
 

On Windows NT, End-User Page Not Accessible with SSL

On Windows NT, if you enable SSL on the Directory Server, you will not be able to access the End-User Page (see illustration).  (342135)

Using Netscape Console with Netscape Certificate Server 1.x

When you use a Netscape 4.x server to request a server certificate from a Netscape Certificate Server 1.x, do not use wildcards, punctuation marks, or other special characters when specifying the server host name.  If you do, Certificate Server will display the following message "Invalid DER encoding" when the certificate is submitted.  If you must use wildcards (for example www.airius|netscape.com), then you must make a special note to the CA when you submit the certificate request.   The following image illustrates how you can submit a special note to the CA:


 
 

Using an external token to store certificates

If you use an external token or smart device to store multiple security certificates, the device may run out of storage space.  This happens when you repeatedly use the Certificate Setup Wizard to generate certificate requests without deleting previously installed public or private keys.  (347448)  To avoid this problem, follow the instructions provided by the external device manufacturer to first back up your existing certificate(s), and then to clear the device's memory.
 

Installing a FORTEZZA PKCS #11 Module on Windows NT

If the FORTEZZA PKCS #11 module you want to install is a DLL file (or shared library) and not a JAR file, do not use the "Manage PKCS #11" or "Add PKCS #11" commands in Netscape Console.  If you use the Netscape Console graphical interface, you will not be able to activate FORTEZZA ciphers.  Instead, use the modutil command line utility located at  <server_root>/shared/bin/modutil.
 
To install a FORTEZZA PKCS #11 Module DLL File:
  1. Locate the server instance for which you want to install the PKCS #11 module.
  2. Open a terminal window.
  3. Go to the Administration Server's configuration directory located at <server_root>/admin-serv/config.
  4. At the prompt, enter this command:

     <server_root>/shared/bin/modutil -dbdir . -create

     This creates the required security module database file (secmod.db) in the Administration Server's configuration directory.
  5. At the prompt, enter this command:

     <server_root>/shared/bin/modutil -dbdir . -add <module_name> -libfile <library_file> -nocertdb

     <library_file> specifies the path to the DLL or other library file containing the implementation of the PKCS #11 interface module.

     <module_name> specifies the name of the PKCS #11 module (you specified this in Step 1 when you installed the drivers).

For example, if you are installing a Litronic token, you would enter:
<server_root>/shared/bin/modutil -dbdir . -add CryptOS -libfile core32

For detailed information about modutil, see Appendix B, "Administration Server Command Line Tools," in the Netscape Console documentation.

Logging in as Directory Manager

If you log in to Netscape Console using the DN cn=directory manager, your font display preferences will not be saved.  (341686)
 

Expired SIE passwords block access to Administration Server tasks

If a password expiration policy is enabled in Directory Server, and a connected Administration Server's SIE passwords expire, you will not be able to access the connected server.  (343369)  As a workaround, you can delay the expiration date of the Administration Server passwords.  Use the ldapmodify utility to change two administrative entries.  In the following example, replace <hostname> with the hostname of the server, and finish the command with Ctrl-Z:

     ldapmodify -D "cn=directory manager" -w password
         dn: uid=Configuration Administrator, ou=admin, ou=Topology Management, o=NetscapeRoot
         changetype: modify
         replace: userpassword
         userpassword: <newpassword>
         -
         replace: passwordexpirationtime
         passwordexpirationtime: 20011231000000

         dn: cn=admin-serv-<hostname>, cn=Netscape Administration Server, cn=Server Group, cn=<hostname>, ou=<hostname>, o=NetscapeRoot
         changetype: modify
         replace: userpassword
         userpassword: <newpassword>
         -
         replace: passwordexpirationtime
         passwordexpirationtime: 20011231000000
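
Both this problem and "Changing a User's Password" above can be checked for in an LDIF export of the directory. The following is an added example, not part of the original release notes or of any Netscape tool: it flags entries that hold more than one userpassword value or whose passwordexpirationtime is earlier than a chosen cutoff. The function names, the sample entries and the cutoff date are assumptions made for illustration.

```python
import base64
from datetime import datetime

# Constructed sample of ldapsearch LDIF output (not real data).
SAMPLE_LDIF = """\
dn: uid=jdoe, ou=People, o=airius.com
uid: jdoe
userpassword: {SHA}constructed-old-value
userpassword: {SHA}constructed-new-value

dn: uid=Configuration Administrator, ou=admin, ou=Topology Management, o=Net
 scapeRoot
userpassword:: c2VjcmV0
passwordexpirationtime: 20011231000000

dn: uid=asmith, ou=People, o=airius.com
userpassword: {SHA}constructed-single-value
passwordexpirationtime: 20030101000000Z
"""

def parse_ldif(text):
    """Return a list of entries; each maps a lower-cased attribute to its values."""
    entries, current = [], {}
    # Unfold continuation lines (newline followed by one space) before splitting.
    for line in text.replace("\n ", "").splitlines():
        if not line.strip():              # a blank line ends the current entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):          # LDIF comment
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries

def audit(entries, cutoff):
    """Flag entries with several passwords or an expiration time before cutoff."""
    findings = []
    for entry in entries:
        dn = entry.get("dn", ["?"])[0]
        count = len(entry.get("userpassword", []))
        if count > 1:
            findings.append((dn, "multiple-passwords", str(count)))
        for stamp in entry.get("passwordexpirationtime", []):
            # Compare only the leading YYYYMMDDhhmmss digits; a zone suffix is ignored.
            if datetime.strptime(stamp[:14], "%Y%m%d%H%M%S") < cutoff:
                findings.append((dn, "expired", stamp))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_ldif(SAMPLE_LDIF), datetime(2002, 6, 1)):
        print(*finding, sep=" | ")
```
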
 

Searching a Large User Directory

If you use the Search interface to list all users in a large directory (for example, more than 1000 entries), the search may return 0 results.  (341275) To improve search results, simply restrict your search criteria.

Administration Server Memory Usage

If you leave Netscape Console running for long periods while connected to a server that is also running, memory loss may occur at a rate of about 20MB per week.  (342950)  To prevent this memory loss, stop Netscape Console when you are not using it.
 

Configuration Administrator vs. Local Administrator


The Local Administrator (also referred to as Admin Server Superuser or Administration Server Administrator)  makes it possible for you to
access an Administration Server and perform limited server administration even when the Directory Server is inaccessible or is not running.
The Configuration Administrator and Local Administrator are two separate entities.  If you change the username or password for one,
Netscape Console does not automatically make the same changes for the other.

The Authentication Process
During installation, you're asked to specify a username and password for the Configuration Administrator.  The Configuration Administrator is authorized to access and modify the Configuration Directory of your LDAP server.  Netscape Console creates the Configuration Administrator as an entry in the LDAP user directory under: ou=Administrators, ou=Mission Control, ou=<domain>, o=NetscapeRoot.

Also during installation, Netscape Console uses the same username and password you  specified for the Configuration Administrator to automatically create the Local Administrator.  The Local Administrator does not have an LDAP entry; it exists only as an entity named in a local configuration file stored at <server_root>/admin-serv/config/admpw.  The Local Administrator can execute limited .cgi programs such as starting, stopping, or restarting servers in the local Server Group.

Normally, when you log in to Netscape Console as the Configuration Administrator, the username and password you enter are authenticated against the LDAP entry.  But if the Directory Server cannot be accessed or the user LDAP entry cannot be found,  Netscape Console authenticates the username and password against the Local Administrator credentials stored in the admpw file.  When running Netscape Console, if the Directory Server is down, you'll be given the option to start it and asked for the Local Administrator credentials.
 

Changing Administrator Usernames and Passwords
Keep in mind that the Configuration Administrator and Local Administrator are two separate entities.  If you change the username or password for one, Netscape Console does not automatically make the same changes for the other.

To change the username or password for the Configuration Administrator:
  1. In Netscape Console, click Users and Groups.
  2. In the Users and Groups window, click Directory.
  3. In the Change Directory Window, enter a new Bind DN or Bind Password, then click OK.

To change the username or password for the Local Administrator:
  1. In the Netscape Console navigation tree, locate and select the Administration Server you want to reconfigure.  Click Open to open the Administration Server window.
  2. In the Administration Server window, click Configuration.
  3. In the Configuration tab, click Access.
  4. In the Access tab, enter a new Username or Password.
  5. Restart the Administration Server.

Full Thread Dump

If you're trying to run the command line, and a segmentation violation occurs resulting in a full thread dump output, you may have an incompatible version of JRE or JDK in your path.  Adding the following lines to the admconfig script will eliminate this problem:
JAVA_HOME=./bin/base/jre
export JAVA_HOME
CLASSPATH=
export CLASSPATH
You can  manually edit the admconfig script located at /bin/admin/admconfig, or you can enter these lines at the command line before running ./bin/admin/admconfig.

Using SSL

How to Report Problems

Use the Bug Report Form for Netscape Server Products to help us address bugs you may find.   While we may not be able to respond personally to individual bugs, we will pay careful attention to each message we receive.

Where to Go for Other Information

For installation instructions, see the Install.htm file for the server you're installing.  Installation Instructions and Release Notes for all Netscape servers are posted at this location:  http://home.netscape.com/eng/server

If you can't find the information you need, contact technical support.


© Copyright 1999-2000 Netscape Communications Corporation, a subsidiary of America Online, Inc. All rights reserved.