"Administrator's Guide": Setting Administration Preferences

Complete Contents
About This Guide
Chapter 1 Introduction to iPlanet Web Server
Chapter 2 Administrating iPlanet Web Servers
Chapter 3 Setting Administration Preferences
Chapter 4 Managing Users and Groups
Chapter 5 Working with Server Security
Chapter 6 Managing Server Clusters
Chapter 7 Configuring Server Preferences
Chapter 8 Understanding Log Files
Chapter 9 Using SNMP to Monitor Servers
Chapter 10 Configuring the Server for Performance
Chapter 11 Extending Your Server with Programs
Chapter 12 Working with Configuration Styles
Chapter 13 Managing Server Content
Chapter 14 Controlling Access to Your Server
Chapter 15 Configuring Web Publishing
Chapter 16 Using Search
Appendix A HyperText Transfer Protocol
Appendix B ACL File Syntax
Appendix C Internationalized iPlanet Web Server
Appendix D Server Extensions for Microsoft FrontPage
Appendix E iPlanet Web Server User Interface
Glossary
Index

Administrator's Guide: Setting Administration Preferences

Contents

Index

Bookshelf

Chapter 3 Setting Administration Preferences

This document describes the administration forms available via the Preferences and Global Settings tabs in the Administration Server that you use to configure your iPlanet Web Servers. Note that you must enable cookies in your browser to run the CGI programs necessary for configuring your server.

This chapter includes the following sections:

Shutting Down the Administration Server

Changing Network Settings

Changing the Superuser Settings

Enabling Distributed Administration

Configuring Secure Sockets Layer (SSL)

Specifying Log File Options

Configuring Directory Services

Restricting Server Access

Shutting Down the Administration Server

Once the server is installed, it runs constantly, listening for and accepting HTTP requests. You can stop the server using one of the following methods:

Access the Administration Server, choose the Servers tab, and perform the following steps:

Select the Manage Servers option.

Select the server you want to shut down from the Select a Server drop-down list.

Click Manage. The iPlanet Web Server displays the Server Manager forms.

For more information about using the Server On/Off page, see Starting and Stopping the Server.

Choose the Preferences tab, select the Shut Down option, and click Shut down the administration server! button. For more information, see The Shut Down Page.

Use the Services window in the Control Panel (Windows NT).

Use stop, which shuts down the server completely, interrupting service until it is restarted. If you set the etc/inittab file to automatically restart (using "respawn"), you must remove the line pertaining to the web server in etc/inittab before shutting down the server; otherwise, the server automatically restarts. (Unix/Linux platforms).

After you shut down the server, it may take a few seconds for the server to complete its shut-down process and for the status to change to "Off."

Changing Network Settings

Network settings affect the way the Administration Server works with your iPlanet Web Servers. You can change the system user account and password and port number for iPlanet Web Administration Server.

Changing the User Account and Password
To change the system user account, you must use the Server Manager forms. For more information, see Configuring Network Settings.

NT
You can also change the password that the server uses when the service starts. Make sure that the user account has a password and has both administrative and "log on as a service" permissions. You should change the permissions using the Windows NT User Manager program located in the Administrative Tools group for your desktop.

Changing the Port Number
You can also change the port number that theAdministration Server listens to. The port number can be any number between 1 and 65535, but it is typically a random number greater than 1024. For security reasons, consider changing the port number regularly.

To change the Administration Server port number, perform the following steps:

Access the Administration Server and choose the Preferences tab.

Click the Network Settings link.

Make the desired changes and click OK.

Note that you must restart the server for the settings to take effect.

For more information, see The Network Settings Page.

Changing the Superuser Settings

You can configure superuser access for your Administration Server. These settings affect only the superuser account. That is, if your Administration Server uses distributed administration, you need to set up additional access controls for the administrators you allow.

Warning. If you use Netscape Directory Server to manage users and groups, you need to update the superuser entry in the directory before you change the superuser username or password. If you don't update the directory first, you won't be able to access the Users & Groups forms in the Administration Server. To fix this, you'll need to either access the Administration Server with an administrator account that does have access to the directory, or you'll need to update the directory using the Netscape Directory Server's Netscape Console or configuration files.

To change the superuser settings for the Administration Server, perform the following steps:

Access the Administration Server and choose the Preferences tab.

Click the Superuser Access Control link.

Make the desired changes and click OK.

For more information, see The Superuser Access Control Page.

Note. You can change the Administration Server user from root to another user on the operating system to enable multiple users (belonging to the group) to edit/manage the configuration files. However, note that while on Unix/Linux platforms, the installer can give "rw" (read/write) permissions to a group for the configuration files, on Windows NT platforms, the user must belong to the "Administrators" group.

The superuser's username and password are kept in a file called server_root/admin-serv/config/admpw. If you forget the username, you can view this file to obtain the actual name; however, note that the password is encrypted and unreadable. The file has the format username:password.

Warning. If you forget the password, you can edit the admpw file and simply delete the encrypted password. You can then go to the Server Manager forms and specify a new password. Because you can do this, it is very important that you keep the server computer in a secure place and restrict access to its file system. On Unix/Linux systems, consider changing the file ownership so that it's writable only by root or whatever system user runs the Administration Server daemon. On NT systems, restrict the file ownership to the user account Administration Server uses.

Enabling Distributed Administration

Distributed administration allows multiple administrators to change specific parts of the server. With distributed administration you have three levels of users:

superuser is the user listed in the file server_root/admin-serv/config/admpw. This is the user name (and password) you specified during installation. This user has full access to all forms in the Administration Server, except the Users & Groups forms, which depend on the superuser having a valid account in an LDAP server such as Netscape Directory Server.

administrators go directly to the Server Manager forms for a specific server, including the Administration Server. The forms they see depend on the access control rules set up for them (usually done by the superuser). Administrators can perform limited administrative tasks and can make changes that affect other users, such as adding users or changing access control.

end users can view read-only data stored in the database. Additionally, end users may be granted access permissions to change only specific data.

For an in-depth discussion of access control for iPlanet Web Server, see What Is Access Control?.

Note. Before you can enable distributed administration, you must install a Directory Server. For more information, see Netscape Directory Server Administrator's Guide.

To enable distributed administration, perform the following steps:

Verify that you have installed a Directory Server.

Access the Administration Server.

One you've installed a Directory Server, you may also need to create an administration group, if you have not previously done so.

To create a group, perform the following steps:

Choose the Users & Groups tab.

Click the New Group link.

Create an "administrators" group in the LDAP directory and add the names of the users you want to have permission to configure the Administration Server, or any of the servers installed in its server root. All users in the "administrators" group have full access to the Administration Server, but you can use access control to limit the servers and forms they will be allowed to configure.

Warning. Once you create an access-control list, the distributed administration group is added to that list. If you change the name of the "administrators" group, you must manually edit the access-control list to change the group it references.

Choose the Preferences tab.

Click the Distributed Admin link.

Make the desired changes and click OK.

For more information, see

The Distributed Administration Page

Configuring Secure Sockets Layer (SSL)

Using the Administration Server, you can activate the iPlanet Web Server encryption feature and set various encryption preferences. For more information regarding iPlanet Web Server encryption features, see About iPlanet Web Server Security.

Note that prior to activating SSL for your iPlanet Web Server you need to set up some preliminary requirements, such as creating a trust database, and requesting and installing an encryption certificate. For more information, see Configuring iPlanet Web Server for SSL.

Activating SSL
To activate SSL for your Administration Server, perform the following steps:

Access the Administration Server and choose the Preferences tab.

Click the Encryption On/Off link.

Make the desired changes and click OK.

For more information, see The Encryption On/Off Page.

Setting Encryption Preferences
The Administration Server enables you to set the following SSL encryption preferences:

Choose between various versions of SSL.

Specify whether to require client certificates.

Set the SSL 2.0 ciphers.

Set the SSL 3.0 ciphers.

Your server can perform encryption with a number of different encryption functions, called ciphers. Some ciphers are more resistant to cracking than others. During an SSL connection, the client and the server agree to use the strongest cipher they can both use for communication. For more information regarding ciphers, see Managing Servers with Netscape Console.

To set these encryption preferences, perform the following steps:

Access the Administration Server and choose the Preferences tab.

Click the Encryption Prefs link.

Check the SSL versions you want your server to communicate with. The latest and most secure version is SSL version 3, but a few older clients use only SSL version 2. You will probably want to enable your server to use both versions.

Check the ciphers you want your server to use. The ciphers are listed for each version of SSL. Some ciphers are more secure, or stronger, than others. Generally speaking, the more bits a cipher uses during encryption, the harder it is to decrypt the data. Ciphers are described after this list.

Click OK. Make sure you restart your server.

When a client initiates an SSL connection with a server, the client lets the server know what ciphers it prefers to use to encrypt information. In any two-way encryption process, both parties must use the same ciphers. Since there are a number of ciphers available, you should consider enabling all ciphers.

You can choose ciphers from both the SSL 2 and SSL 3 protocols. Unless you have a compelling reason why you don't want to use a specific cipher, you should check them all.

For more information, see The Encryption Preferences Page.

Setting Stronger Ciphers
You can set stronger ciphers via the Stronger Ciphers option on the Server Manager Preferences tab. The Stronger Ciphers option presents a choice of 168, 128, or 56-bit secret keysize restriction, or no restriction. You can specify a filename to be served when the restriction is not met. If no filename is specified, iPlanet Web Server returns a "Forbidden" status.

If you select a restriction that is not consistent with the current cipher settings under Security Preferences, iPlanet Web Server displays a popup dialog that warns that you need to enable ciphers with larger secret keysizes.

The implementation of the keysize restriction is now based on an NSAPI PathCheck directive, rather than Service fn=key-toosmall. This directive is:

PathCheck fn="ssl-check" [secret-keysize=<nbits>] [bong-file=<filename>]

where <nbits> is the minimum number of bits required in the secret key, and <filename> is the name of a file (not a URI) to be served if the restriction is not met.

This function returns REQ_NOACTION if SSL is not enabled, or if the secret-keysize parameter is not specified. If the secret keysize for the current session is less than the specified secret-keysize, the function returns REQ_ABORTED with a status of PROTOCOL_FORBIDDEN if bong-file is not specified, or else REQ_PROCEED, and the "path" variable is set to the bong-file <filename>. Also, when a keysize restriction is not met, the SSL session cache entry for the current session is invalidated, so that a full SSL handshake will occur the next time the same client connects to the server.

Note. The Stronger Ciphers form removes any Service fn=key-toosmall directives that it finds in an object when it adds a PathCheck fn=ssl-check.

For more information, see The Enforce Strong Security Requirements Page.

Specifying Log File Options

Log files can help you monitor your server's activity. You can use these logs to monitor your server and troubleshoot problems.

To configure logging options for the Administration Server, perform the following steps:

Access the Administration Server and choose the Preferences tab.

Click the Logging Options link.

Make the desired changes and click OK.

For more information, see The Logging Options Page.

This section also includes topics that describe how to configure the iPlanet Web Server Log File options to perform the following tasks:

Viewing the Access Log File

Viewing the Error Log File

Archiving Log Files

Viewing the Access Log File
The access log, located in admin/logs in the server root directory, records information about requests to the server and the responses from the server.You can specify the server log format—what is included in the access log file—to be the Common Logfile Format, a commonly supported format that provides a fixed amount of information about the server, or you can create a custom log file format that better suits your server requirements.

To view the access log file, perform the following steps:

Access the Administration Server and choose the Preferences tab.

Click the View Access Log link and click OK.

For more information, see The View Error Log Page.

Viewing the Error Log File
The error log file, located in admin/logs in the server root directory, lists all the errors the server has encountered since the log file was created. It also contains informational messages about the server, such as when the server was started and who tried unsuccessfully to log in to the server.

To view the error log file, perform the following steps:

Access the Administration Server and choose the Preferences tab.

Click the View Error Log link and click OK.

You can also view the server's active and archived log files from the Server Manager. For more information regarding these log files, see The View Access Log Page.

Archiving Log Files
You can set up your log files to be automatically archived. At a certain time, or after a specified interval, iPlanet Web Server rotates your access logs. iPlanet Web Server saves the old log files and stamps the saved file with a name that includes the date and time they were saved.

For example, you can set up your files to rotate every hour, and iPlanet Web Server saves and names the file "access.199907152400," where "name|year|month|day|24-hour time" is concatenated together into a single character string. The exact format of the access log archive file varies depending upon which type of log rotation you set up.

iPlanet Web Server offers the two types of log rotation for archiving files:

Internal-daemon log rotation—this type of log rotation happens within the HTTP daemon, so the server doesn't need to restart.

Cron-based log rotation—this type of log rotation is based on the time stored in the cron.conf file. For more information about cron controls, see Using Cron Controls (Unix/Linux).

Access log rotation is initialized at server startup. If rotation is turned on, iPlanet Web Server creates a time-stamped access log file and rotation starts at server startup.

Once the rotation starts, iPlanet Web Server creates a new time stamped access log file when there is a request that needs to be logged to the access log file and it occurs after the previously-scheduled "next rotate time."

For more information about achiving log files, see Archiving Log Files.

Using Cron Controls (Unix/Linux)
You can configure several features of your iPlanet Web Server to operate automatically and set to begin at specific times. The Netscape cron daemon checks the computer clock and then spawns processes at certain times. (These settings are stored in the ns-cron.conf file.)

This cron daemon controls scheduled tasks for your iPlanet Web Server and can be activated and deactivated from the Administration Server. The tasks performed by the cron process depends on the various servers. (Note that on NT platforms, the scheduling occurs within the individual servers.)

Some of the tasks that can be controlled by cron daemons include scheduling collection maintenance and archiving log files. You need to restart cron control whenever you change the settings for scheduled tasks.

To restart, start, or stop cron control, perform the following steps:

Access the Administration Server and choose the Global Settings tab.

Click the Cron Control link.

Click Restart, Start, or Stop to change the cron controls.

Note that any time you add a task to cron, you need to restart the daemon.

Configuring Directory Services

You can manage all your user information from a single source via an open-systems server protocol called the Lightweight Directory Access Protocol (LDAP). You can also configure the server to allow your users to retrieve directory information from multiple, easily accessible network locations.

To configure the directory services preferences, perform the following steps:

Access the Administration Server and choose the Global Settings tab.

Click the Configure Directory Service link.

Make the desired changes and click OK.

For more information, see The Configure Directory Service Page.

Restricting Server Access

You can control access to the entire server or to parts of the server (that is, directories, files, file types). When the server evaluates an incoming request, it determines access based on a hierarchy of rules called access-control entries (ACEs), and then it uses the matching entries to determine if the request is allowed or denied. Each ACE specifies whether or not the server should continue to the next ACE in the hierarchy. The collection of ACEs is called an access-control list (ACL).When a request comes in to the server, the server looks in obj.conf for a reference to an ACL, which is then used to determine access. By default, the server has one ACL file that contains multiple ACLs.

You can set access control globally for all servers through the Administration Server or for a resource within a specific server instance through the Server Manager. For more information about setting access control for a resource, see Restricting Access to Your Web Site.

Note. You must turn on distributed administration before you can restrict server access.

To restrict access to your iPlanet Web Servers, perform the following steps:

Access the Administration Server and choose the Global Settings tab.

Click the Restrict Access link.

Select the desired server and click Edit ACL.

The Administration Server displays the access control rules for the server you specified.

Make the desired access control changes and click OK.

For more information, see The Restrict Access Page.