iPlanet Directory Access Router Installation Guide
Chapter 2 Computer System Requirements
Before you can install iPlanet Directory Access Router (iDAR), you must make sure that the systems on which you plan to install the software meet the minimum hardware and operating system requirements. These requirements are described in detail for each platform in the following sections:
Supported Platforms
Supported Platforms
iDAR is supported on the following platforms:
Sun Solaris 2.6 for SPARC operating environment
Sun Solaris 8 for SPARC (32 bit) operating environment
Microsoft Windows NT 4.0 Server with Service Pack 6a (x86 only)
Note For each platform, check the required patches and kernel parameter settings, as described in the sections that follow.
Hardware Requirements
On all platforms, you will need:
Operating System Requirements
This section covers the required operating system version, patches, and utilities for each platform.
Solaris 2.6 and Solaris 8 Operating Systems
If you plan to run iDAR on a Solaris operating system, you must ensure that the recommended patch cluster is installed. Solaris patches are identified by two numbers, for example, 106125-10. The first number (106125) identifies the patch itself. The second number identifies the version of the patch; in the example above, the patch is version 10. We recommend installing the latest version of the patch in order to benefit from the latest fixes. For advice on guarding against potential security threats, see the Solaris Operating Environment Security Sun Blueprint at this site: http://www.sun.com/blueprints/0100/security.pdf
Disk Space Requirements
Ensure that you have sufficient disk space before downloading the software.
- current working directory: 200 MB
Required System Modules
iDAR is optimized for systems with the UltraSPARC chipsets. Use of Solaris 2.6 or 8 with the Sun recommended patches is required.
The Sun patches listed in Table 2-1 or Table 2-2 should be installed on your system before installing this iPlanet product. The command "showrev -p" will list the patches which have been installed. If you need to get a patch, see the web page sunsolve.sun.com or FTP to ftp://sunsolve.sun.com/pub/patches.
You will need to reboot your machine after installing these patches.
In addition to the patches listed here, you may want to install the latest patch cluster for your version of Solaris, which includes additional recommended and security patches. The Sun recommended patch clusters can be obtained from your Solaris support representative, or from http://sunsolve.sun.com.
This release of iPlanet Directory Server is not supported on Solaris 2.5.1 or earlier, Solaris 7, or any version of Solaris x86.
This release of iPlanet Directory Server may be used on a 64 bit Solaris 8 environment, but will run as a 32 bit process, and is limited to 3.7 GB of process memory.
Verify System Tuning
Deployment of a service based on iPlanet directory products will require system tuning to achieve optimal performance. Basic Solaris tuning guidelines are available from several books, including Sun Performance and Tuning: Java and the Internet (ISBN 0-13-095249-4). Advanced tuning information is available in the Solaris Tunable Parameters Reference Manual (806-4015), which can be obtained from this site: http://docs.sun.com/ab2/coll.707.1/
The program idsktune, which is available in your installation at <server-root>/shared/bin/idsktune, analyzes the Solaris kernel tuning parameters and reports any changes that should be made to improve performance. This program does not modify the system.
File Descriptors
The system-wide maximum file descriptor table size setting will limit the number of concurrent connections that can be established to iDAR. The governing parameter, rlim_fd_max, is set in the /etc/system file. By default, if this parameter is not present, the maximum is 1024. It can be raised to 4096 by adding a line to /etc/system and rebooting the system. This parameter should not be raised above 4096 without first consulting your Sun Solaris support representative, as it may affect the stability of the system.
TCP Tuning
The TCP/IP implementation in a Solaris kernel is by default not correctly tuned for Internet or Intranet services. The following /dev/tcp tuning parameters should be inspected and, if necessary, changed to fit the network topology of the installation environment.
The tcp_time_wait_interval in Solaris 8 and tcp_close_wait_interval in Solaris 2.6 specify the number of milliseconds that a TCP connection will be held in the kernel's table after it has been closed. If its value is above 30000 (30 seconds) and the directory is being used in a LAN, MAN or under a single network administration, it should be reduced by adding a line similar to the following to the /etc/init.d/inetinit file:
ndd -set /dev/tcp tcp_close_wait_interval 30000
The tcp_conn_req_max_q0 and tcp_conn_req_max_q parameters control the maximum backlog of connections that the kernel will accept on behalf of the iDAR process. If the directory is expected to be used by a large number of client hosts simultaneously, these values should be raised to at least 1024 by adding a line similar to the following to the /etc/init.d/inetinit file:
ndd -set /dev/tcp tcp_conn_req_max_q0 1024
ndd -set /dev/tcp tcp_conn_req_max_q 1024
The tcp_keepalive_interval specifies the interval in seconds between keepalive packets sent by Solaris for each open TCP connection. This can be used to remove connections to clients that have become disconnected from the network. The ids-proxy-con-timeout attribute on the ids-proxy-sch-NetworkGroup objectclass, with a value in seconds, can also be used for this purpose, as it will time out idle connections. For more information, see Chapter 16, "Groups Configuration" in the iDAR Administrator's Guide.
The tcp_rexmit_interval_initial value should be inspected when performing server performance testing on a LAN or high speed MAN or WAN. For operations on the wide area Internet, its value need not be changed.
The tcp_smallest_anon_port controls the number of simultaneous connections that can be made to the server. When rlim_fd_max has been increased to above 4096, this value should be decreased, by adding a line similar to the following to the /etc/init.d/inetinit file:
ndd -set /dev/tcp tcp_smallest_anon_port 8192
The tcp_slow_start_initial parameter should be inspected if clients will predominantly be using the Windows TCP/IP stack.
The tcp_ip_abort_cinterval controls how long in milliseconds iDAR should wait for an LDAP server to respond when establishing a new connection. This value should normally be reduced by adding a line similar to the following to the /etc/init.d/inetinit file:
ndd -set /dev/tcp tcp_ip_abort_cinterval 10000
In some environments, it may also be necessary to change the tcp_ip_abort_interval and tcp_strong_iss tuning parameters.
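As an added example (not part of this guide), the following POSIX sh script applies the thresholds from the File Descriptors and TCP Tuning sections above to constructed sample values: it reports the rlim_fd_max setting found in an /etc/system-style file, warning when it exceeds 4096, and flags which /dev/tcp parameters fall outside the recommended bounds. It assumes /etc/system uses lines of the form set name=value and takes the ndd values as text rather than calling ndd, so it runs on any system.

```shell
#!/bin/sh
# Added example: audit Solaris kernel settings against the thresholds this
# chapter recommends. Inputs are constructed sample values so the script runs
# offline; on a real host, feed it /etc/system and "ndd -get /dev/tcp <param>".
# Bounds from the chapter, one per line as name:op:limit.
#   gt = a current value above the limit should be reduced
#   lt = a current value below the limit should be raised
TCP_RULES="tcp_time_wait_interval:gt:30000
tcp_close_wait_interval:gt:30000
tcp_conn_req_max_q0:lt:1024
tcp_conn_req_max_q:lt:1024
tcp_ip_abort_cinterval:gt:10000"
# check_tcp_param NAME CURRENT
# Prints "OK NAME" or "ADJUST NAME current=N max=L" / "... min=L";
# parameters the chapter gives no bound for are reported as OK.
check_tcp_param() {
    name=$1; cur=$2; verdict="OK $name"
    for rule in $TCP_RULES; do
        rname=${rule%%:*}; rest=${rule#*:}; op=${rest%%:*}; limit=${rest#*:}
        [ "$rname" = "$name" ] || continue
        if [ "$op" = gt ] && [ "$cur" -gt "$limit" ]; then
            verdict="ADJUST $name current=$cur max=$limit"
        elif [ "$op" = lt ] && [ "$cur" -lt "$limit" ]; then
            verdict="ADJUST $name current=$cur min=$limit"
        fi
    done
    echo "$verdict"
}
# check_rlim_fd_max FILE
# Reads the last "set rlim_fd_max=N" line (assumed /etc/system syntax) from
# FILE, falls back to the 1024 default when absent, and warns above 4096,
# where the chapter says to consult Sun support and lower tcp_smallest_anon_port.
check_rlim_fd_max() {
    val=$(sed -n 's/^[[:space:]]*set[[:space:]][[:space:]]*rlim_fd_max[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
    [ -n "$val" ] || val=1024
    if [ "$val" -gt 4096 ]; then
        echo "WARN rlim_fd_max=$val exceeds 4096; consult Sun support and lower tcp_smallest_anon_port"
    else
        echo "OK rlim_fd_max=$val"
    fi
}
# Constructed sample: stock-looking values on a LAN host, one "name value" per line.
SAMPLE_NDD="tcp_time_wait_interval 240000
tcp_conn_req_max_q0 128
tcp_conn_req_max_q 128
tcp_keepalive_interval 7200000
tcp_ip_abort_cinterval 180000"
main() {
    tmp=$(mktemp); printf 'set rlim_fd_max=4096\n' > "$tmp"   # constructed /etc/system
    check_rlim_fd_max "$tmp"; rm -f "$tmp"
    printf '%s\n' "$SAMPLE_NDD" | while read -r param value; do
        check_tcp_param "$param" "$value"
    done
}
main
```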
Windows NT 4.0 Server
This section describes how to prepare your system for installation of iDAR on Windows NT.
Configuring a Machine to Run iPlanet Directory Access Router
iDAR should be installed on a computer that is isolated from the Internet by a network-level firewall. This is necessary to protect the NT operating system from IP-based attacks. No other network functions should be provided by this computer. The computer should not be dual-booting or running other operating systems. At a minimum, the computer system should have at least 256 MB of RAM, 300 MB of disk, a Pentium II or later processor, and a 100 Mbps ethernet connection.
Disk Space Requirements
Ensure that you have sufficient disk space before downloading the software.
Download drive: 100 MB
Installation drive: 200 MB
Required System Modules
Windows NT Server Service Pack 6a is required. iDAR is not supported on Windows NT 3.5.1 or earlier releases, or Windows NT for the Alpha architecture. Neither is it supported on Windows NT Workstation, because this form of the operating system is not suitable for scalable Internet or Intranet server deployments. Windows NT Workstation is limited in its allowable setting for connection backlog. Windows NT Server allows a connection backlog setting of more than 10, which is necessary for TCP/IP servers under heavy load.
Installing Windows NT Server
During the installation of Windows NT, please observe the following:
If there is already an operating system present on the computer, choose to perform a fresh install rather than an upgrade.
Format the drives with NTFS rather than FAT, as NTFS allows access controls to be set on files and directories.
Specify that the computer will be a stand-alone server and will not be a member of any existing domain or workgroup. This will reduce dependencies on the network security services.
Choose an administrator password of at least 9 characters. Use punctuation or other non-alphabetic characters in the first 7 characters.
Do not install Internet Information Server.
Specify only TCP/IP as network protocol, and do not install any other network services.
Installing Third-Party Utilities
You need an UNZIP utility to unpack the iDAR software. There are many commercially licensed, free and shareware tools available, such as PKZIP or Winzip. Note that unregistered shareware versions of PKZIP 2.70 maintain a TCP/IP connection to an Internet advertising service, and so may not be suitable for installation on this system. You need to install Adobe Acrobat Reader to read the documentation. It can be downloaded from ftp://ftp.adobe.com/pub/adobe/acrobatreader/win/4.x.
Install Windows Service Packs and Hotfixes
Windows NT Service Packs include key fixes that are necessary to maintain the security and reliability of the operating system. The hotfix series contains important changes for problems that were found after the service pack was released. Windows NT Server Service Pack 6a is required.
Install Windows NT 4.0 Service Pack 6a or Later
It can be obtained from http://www.microsoft.com/windows/servicepacks/. The system will reboot after the service pack is installed.
Install Hotfixes
Download and install any Windows NT 4.0 Hotfixes that are for the service pack that is installed on the system, such as post-sp6a for Service Pack 6a. They can be obtained from ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/. It will probably be necessary to reboot the system after each hotfix is installed.
Installing Microsoft Utilities
The following additional utilities are recommended to improve the security of the Windows NT operating system. They are not required for the operation of iDAR.
If you have the Resource Kit CD-ROM produced by Microsoft Press, copy the utility passprop.exe from the Windows NT Server Resource Kit onto the system. The utility is located on the CD in the i386\netadmin directory. You will need it later to enable Administrator account lockout.
You will need to install Microsoft Internet Explorer 5 or later, as this is needed by the Security Configuration Manager.
The Microsoft Security Configuration Manager is located on the Service Pack 4 CD-ROM, or can be downloaded from ftp://ftp.microsoft.com/bussys/winnt/winnt-public/tools/scm/. This tool is described in Microsoft Knowledge Base article Q195227.
Ensure That the System Clock is Correct and Kept Accurate
So that date and time stamps in log files can be correlated with those of other computer systems, the system clock should be kept reasonably in sync. As the NET TIME command requires NetBIOS, which will be disabled during post-installation system configuration, either a TCP/IP based NTP client should be installed (such as the shareware program Tardis), or a radio time receiver attached. See http://www.ntp.org/ for more information on NTP clients for Windows NT.
Install TCP ISN Patch
If you will be authenticating users to the directory, then TCP connection hijacking is a vulnerability. Microsoft has released a patch, q243835i.exe, that improves TCP initial sequence number (ISN) generation. For more information please see http://www.microsoft.com/security/bulletins/ms99-046.asp
Additional Post-Installation System Configuration
The Windows environment will require tuning to provide optimum performance for iDAR in an operational environment. Consult the Windows system administrator's documentation or support channel for information on NT tuning for multi-threaded internet services. The following sections provide some guidelines.
Restrict Network Services
Network file sharing is not required by iDAR and should be disabled. Go to the Control Panel and open the Network icon. Remove the Workstation, Computer Browser, NetBIOS Interface, Remote Access Service and Server Services from Network Services tab. Leave RPC Configuration.
From then on, each time the Network Control Panel is used, Windows NT will prompt to install Windows NT Networking. Always answer No to the prompt.
Remove NETBIOS
iDAR uses only TCP/IP and does not require any Microsoft network services. On the Bindings tab of the Network window, select All Protocols. Disable the WINS Client. This unbinds NETBIOS from TCP/IP.
Enable Port Filtering
The RPC services are not removed, as it may be necessary for Microsoft software to make RPC connections on the loopback interface. However, the RPC ports must not be accessible to other systems.
Open the Network window; select the Protocols tab, then select TCP/IP and click Properties...; select Advanced and Enable Security. On the TCP/IP Filtering window, permit only TCP ports 389 and 636 and the administration port number, permit no UDP ports, and permit only IP protocol 6 (TCP). If you have multiple interfaces, it may be necessary to repeat this for each interface.
Note that after this change has been made, the Microsoft command-line FTP client will no longer operate. This is because the Microsoft client requires the FTP server to establish a connection in the reverse direction, and all non-LDAP ports are blocked.
Disable IP Routing
On the TCP/IP protocol window, disable IP Routing.
Disable WINS Client
On the Devices window of the Control Panel, disable the WINS Client.
Remove the OS/2 and POSIX Subsystem Keys From the Registry
iPlanet Directory Access Router does not require the OS/2 and POSIX subsystems. Remove them by performing the following registry actions with regedit.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OS/2 Subsystem for NT
There is another key under CurrentControlSet\Control named SessionManager, without a space in its name. Do not alter anything below that key.
Delete the value of Os2LibPath in this key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
Change the value of the Optional item in the following key to the two bytes "00 00":
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems
Delete the Posix and OS/2 values from the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems
Remove the OS/2 DLLs
Delete all files in the %SystemRoot%\system32\os2 directory and all subdirectories.
Stop Unneeded Services
Open the Control Panel, and the Services panel. Stop and disable any running services except for the following: EventLog, iPlanet Directory Server, iPlanet Administration Server, NT LM Security Support Provider, Plug and Play, Protected Storage, Remote Procedure Call (RPC) Service, and SNMP. Services that are listed as Manual start do not need to be disabled.
Ensure System Will Automatically Reboot on Error
Open the Control Panel System panel. Under the Startup/Shutdown tab, set the show list time to 0 seconds, and select the Automatic reboot checkbox.
Configure User Accounts
Open the Administrative tools. (Start>Programs>Administrative Tools>User Manager.) Under Policies, choose Account... On the Account Policies window, allow accounts to be locked out.
Next, under Policies, choose User Rights... Select Access this computer from the network, remove Everyone and add Authenticated Users.
Next, under Policies, choose Audit, select Audit These Events, and check the boxes for both Success and Failure for the Logon and Logoff Events.
You may wish also to rename the administrator account to something else, making it harder to guess.
If you have copied the passprop utility from the NT Server Resource Kit, it can be used to allow lockout of the administrator's account by running it on the command line as passprop /adminlockout.
Encrypt Account Database
Protect the NT user account database, SAM, by running the syskey program. This encrypts the Administrator's password so that registry-extracting hacker tools cannot use it.
Event Log Configuration
Open the Event Viewer (Start>Programs>Administrative Tools>Event Viewer); set the log overwrite intervals (located under Log>Log Settings...) to a value appropriate to your deployment.
Set Tuning Parameters
The transmission control blocks (TCBs) store data for each TCP connection. A control block is attached to the TCB hash table for each active connection. If there are not enough control blocks available when an LDAP connection arrives at the server via TCP/IP, there is added delay while it waits for additional control blocks to be created. By increasing the TCB timewait table size, you reduce latency overhead by allowing more client connections to be serviced faster. To adjust this value, add a MaxFreeTcbs value of 0xFA0 to the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
This example increases the TCB timewait table to 4,000 entries from the default of 2,000. Now that the overhead time introduced by TCP has been lowered for iPlanet Directory Access Router, adjust the corresponding hash table that stores the TCBs. Adjust the hash table by adding a MaxHashTableSize value of 0x400 to the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
This increases the TCB hash table size from 512 to 1,024, allowing more room for connection information. TCB information is stored in the nonpaged memory pool. If iPlanet Directory Access Router is experiencing memory bottlenecks and more memory cannot be allotted to the server, lower the above values.
On a multiprocessor system, we recommend optimizing the NIC and CPU relationship. Each LDAP request received over the network generates an interrupt to the processor requesting service. If the processor does not consider the request to be sufficiently urgent, (i.e., with a sufficiently high interrupt level), it defers the request. This deferred interrupt request becomes a Deferred Procedure Call (DPC). As more and more requests come into the server, the number of interrupts and DPCs increases.
When an interrupt is sent to a particular CPU and is subsequently deferred, additional server overhead is incurred if this DPC is shipped off to another CPU in the server (if the server is an SMP capable machine). This is NT's default behavior and can be costly from a performance perspective. To stop this transfer from happening, add a ProcessorAffinityMask value of 0 to the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NDIS\Parameters
This forces the CPU that handled the interrupt to also handle any associated DPCs. It also ensures that the network interface card or cards are not associated with a specific CPU. This improves the CPU's servicing of interrupts and DPCs generated by the network interface card(s).
Windows NT ships with a variety of transport drivers such as TCP/IP, NBF (NetBEUI), and NWLink. All of these transports export a TDI interface on top and an NDIS (Network Driver Interface Specification) on the bottom. (Windows NT also ships with AppleTalk and DLC, however, these do not have a TDI interface.) If the TCP/IP protocol is first in the bindings list, average connection setup time decreases.
Windows NT can implement the Van Jacobson TCP fast retransmit and recovery algorithm to quickly retransmit missing segments upon the receipt of n ACKs, without waiting for the retransmission timer to expire. To implement the Van Jacobson algorithm, edit:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Add a value named TcpMaxDupAcks, with type REG_DWORD, and set the value to the number of ACKs. The range is 1-3, and the default is 2.
Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.
Last Updated July 26, 2001