iPlanet Portal Server 3.0 Service Pack 1 Release Notes






These release notes provide important information about the iPlanet™ Portal Server 3.0 Service Pack 1.

Please read these notes before installing and using iPlanet Portal Server 3.0 Service Pack 1.



Overview of Service Pack 1

Service Pack 1 for the iPlanet Portal Server 3.0 delivers a set of fixes which affect the Server components.

  • Service Pack 1 addresses Portal Server deployments in Open Portal mode (without a Gateway server) versus Secure Portal mode (with a Gateway server).

    The fundamental difference between these two modes is that a Secure Portal mode deployment is built on two key software modules, the Portal server and the Gateway server, whereas an Open Portal mode deployment uses a Portal server and no Gateway.

  • Service Pack 1 modifies the Portal server element to provide a key set of services when deployed in Open Portal mode. These include:

    • Security in membership provisioning, as members create username and password combinations

    • Ability to search external LDAP servers for membership information

    • Ability of the URL Scraper to handle relative links without the Gateway

  • A fix for the Gateway server corrects problems in handling the rewriting of multiple URLs within the JavaScript parameters in certain HTML pages.

  • A fix for the Gateway server logging corrects continual logging traffic between the Gateway and the Portal server that occurred even when logging was disabled.



Where to Go for More Information

For document information about the iPlanet Portal Server 3.0, visit:

http://docs.iplanet.com/docs/manuals/portal.html



Gateway Logging

When Gateway logging is enabled, logging traffic between the Gateway and the Portal server can impact Portal performance. In Service Pack 1, Gateway logging is disabled by default. To enable Gateway logging, do the following:

  1. Log on as Super Administrator.

  2. Select the Gateway Management link from the left frame.

  3. Select the Manage Gateway Profile link in the right frame.

  4. In the Component Profile: Gateway page, do the following:

    1. Scroll to the end of the page and select the Show Advanced Options button.

    2. Scroll to near the bottom of the page to the Logging Enabled check box, and select the box to enable the Gateway logging.

    3. Select the Submit button at the bottom of the page to commit these changes to the profile server.

  5. Select the Continue button on the Profile Successfully Updated page.



Open Portal Mode

If the Portal does not contain sensitive information (deploying public information and allowing access to free applications), then by using the Open Portal mode (without a Gateway), the Portal server can respond faster to access requests by a large number of users than if a Gateway server (Secure Portal mode) is installed.

The Gateway element, which provides encryption services and URL rewriting, is not required when the iPlanet Portal Server is operating in Open Portal mode.

Running iPlanet Portal Server without the Gateway is referred to as Open Portal mode. The main difference between an open portal and a secure portal is that the services presented by the open portal typically reside within the DMZ and not within the secured intranet.



Note: Using the iPlanet Portal Server without the Gateway (Open Portal mode) may improve the individual response of the Portal for a large number of simultaneous users.




The Secure Portal

The iPlanet Portal Server 3.0 product was targeted towards customers deploying highly secure portals or remote access portals. These types of portals have a major emphasis on security and protection and privacy of intranet resources. The iPlanet Portal Server architecture is well suited to this type of portal. The URL Rewriting, URL Access Policy, and Netlet features of the Gateway, allow users to securely access intranet resources from the internet without exposing these resources to the public internet. The Gateway, residing in the DMZ, provides a single secure access point to all intranet URLs and applications. All other iPlanet Portal Server services such as Session, Authentication, Desktop, Channels, and Profile database reside behind the DMZ in the secured intranet. Communication from the client browser to the Gateway is encrypted using https. Communication from the Gateway to the server and intranet resources may be either http or https.


The Open Portal

The release of iPlanet Portal Server 3.0 Service Pack 1 enables the features necessary for iPlanet Portal Server to be deployed without the services of the Gateway.


Configuring the Portal to run SSL in Open Portal Mode

The typical public portal runs in the clear, that is, over http. It may, however, be desirable to deploy a portal using http over SSL (https). The Portal server may be configured to run https services during installation, or changed manually from http to https after installation.

See the iPlanet Portal Server 3.0 Administration Guide for more information on using SSL.



Note: This type of open portal does not require the services of the Gateway.



Users access the server directly as if the server was configured for http, but use https://server.domain instead of http://server.domain.

The following features are not available when running without the Gateway or in Open Portal mode:

Netlet

This feature is not available without the Gateway.
The netlet provides a secure encrypted tunnel for TCP/IP applications from the browser through the Gateway to the backend service.

URL Access Policy Enforcement

Generic URL access validation is not available without the Gateway.
One of the many functions of the gateway is to ensure that any request for a URL is validated against the requesting user's policy. It is important to note that this does not mean there is no user policy. All iPlanet Portal Server services such as the Desktop are protected by the iPlanet Portal Server Policy server.
For example, if a user is restricted from either running the desktop or adding specific channels within the desktop, this type of policy is still enforced.

URL Rewriting

There are no rewriting services because no Gateway is installed in Open Portal mode.
This means that all URLs accessed from the Desktop must be resolvable and reachable by either the Client Host or the Web Proxy the client is configured to use.

HTTP Basic Authentication

This feature is not available in Open Portal.
The Gateway provides a single sign on service for HTTP Basic Authentication. When a user requests a web page that is password protected, web servers will return an HTTP Basic Auth request for the username and password. The user types in the username and password and the page is returned by the web server. The iPlanet Portal Server Gateway listens for this interaction and stores the username and password in the user profile so the next time the user does not have to enter the information. The Gateway responds on behalf of the user.

One iPlanet Portal Server installation may be configured to support both Open and Secure portal.

For example, a company may want to create a portal which resides within the intranet:

  • When users access the portal from the intranet, they log in to the server directly using http.

  • When users access the portal from the internet, they use https through the Gateway residing in the DMZ.


Configuring Open Portal Mode

  1. Install iPlanet Portal Server 3.0 software on the Portal server.

    When prompted for Gateway Name, use the name of the Portal server.



    Note: iPlanet Portal Server 3.0 Gateway software is not installed for Open Portal mode.



  2. Apply iPlanet Portal Server 3.0 Service Pack 1 on the Portal server.

  3. Stop and restart the Portal Server:


    # /etc/init.d/ipsserver start


Updating an Existing Gateway/Server Installation to Open Portal Mode

  1. Install iPS 3.0 Service Pack 1 on the Portal server, then do the following:

    • To completely remove the Gateway on a different machine from the Portal server, remove the SUNWwtgwd and SUNWwtsd packages.

    • To completely remove the Gateway, and the Gateway and Portal server are on the same machine, only remove the SUNWwtgwd package.

    • To shut down the Gateway only, run the ipsgateway stop script.


Logging Into the Open Portal

To log into the Open Portal use the following rules:



Note: Users should always use the fully qualified name of the server.



  • If the server name is my.sun.com and the server is running http, use the following URL:

    http://my.sun.com:port

    or

    http://my.sun.com if port 80 is configured.

  • If the server name is my.sun.com and the server is running https, use the following URL:

    https://my.sun.com:port

    or

    https://my.sun.com if port 443 is used.


Multi-hosting in Open Portal Mode

Service Pack 1 adds functionality which allows the server to access multiple DNS and IP addresses from a single server installation.

Access to the iPlanet Portal Server is through either:

  • http://server:port

  • https://server:port (if the server was configured to https)

    Where server is the Portal server name, and port is the Portal server port.

To log in to a different domain on the Portal, use the following URL:

http://server:port/login/domain_name

Where domain_name is a Portal domain name.


URL to Domain Mapping

If the existing installation of the Portal server contains multiple servers and multiple domains, a URL to domain mapping allows the Portal server to find the domain automatically, without the need to provide the domain name in the URL. The following is an example of how to map a URL to a specific domain:

If the iPlanet Portal Server installation has one server (server1), and two domains (domain1 and domain2), the following URL to domain mapping is needed:

    • http://server1:port/domain1 ---> go to domain1

    • http://server1:port/domain2 ---> go to domain2

To map a URL to a domain, do the following in the Administration console:

  1. Log on as Super Administrator.

  2. Select the Manage Domains link from the left frame.

  3. In the Portal Server Domains page, do the following:

    • Select one of the domains.

  4. In the Domain, Role and Users page:

    1. Expand Profiles link.

    2. Select Authentication link.

    3. Scroll to the Domain URLs field, add the URLs for that domain.

      See the Domain URL Mapping List.

    4. Select Add.

    5. Select Submit.

Repeat these steps for the second domain.


Domain URL Mapping List

The domain URL list for domain1 must contain the following URLs:

    • /domain1

    • server1/domain1

    • server1_IP/domain1

    • /domain2

    • server1/domain2

    • server1_IP/domain2

  1. Add the two NameTrans fn="redirect" lines to obj.conf, as shown in Code Example 1.

    The obj.conf is located at:

    /install_dir/netscape/server4/https-server1/config/obj.conf

    Where install_dir is the directory in which the iPlanet Portal Server 3.0 software was installed, and https-server1 is the iPlanet Portal Server name.

  2. Stop and restart the server.

    Code Example 1 obj.conf (portion of)

    Init fn=flex-init access="/opt/netscape/server4/https-smyrna.iplanet.com/logs/access" format.access="%Ses->client.ip% - %Req->vars.auth-user% [%SYSDATE%] '%Req->reqpb.clf-request%' %Req->srvhdrs.clf-status% %Req->srvhdrs.content-length%"
    Init fn=load-types mime-types=mime.types
    Init fn="load-modules" shlib="/opt/netscape/server4/bin/https/lib/libNSServletPlugin.so" funcs="NSServletEarlyInit,NSServletLateInit,NSServletNameTrans,NSServletService" shlib_flags="(global|now)"
    Init fn="NSServletEarlyInit" EarlyInit=yes
    Init fn="NSServletLateInit" LateInit=yes

    <Object name=default>
    NameTrans fn="NSServletNameTrans" name="servlet"
    NameTrans fn="pfx2dir" from="/servlet" dir="/opt/SUNWips/servlets" name="ServletByExt"
    NameTrans fn="pfx2dir" from="/jsp.092" dir="/opt/SUNWips/public_html/jsp.092" name="jsp092"
    NameTrans fn=pfx2dir from=/ns-icons dir="/opt/netscape/server4/ns-icons" name="es-internal"
    NameTrans fn=pfx2dir from=/mc-icons dir="/opt/netscape/server4/ns-icons" name="es-internal"
    NameTrans fn="pfx2dir" from="/help" dir="/opt/netscape/server4/manual/https/ug" name="es-internal"
    NameTrans fn="pfx2dir" from="/manual" dir="/opt/netscape/server4/manual/https" name="es-internal"
    NameTrans fn="pfx2dir" from="/cgi-bin" dir="/opt/SUNWips/cgi-bin" name="cgi"
    NameTrans fn="pfx2dir" from="/NetMail" dir="/opt/SUNWips/public_html/NetMail"
    NameTrans fn="pfx2dir" from="apps" dir="/opt/SUNWips/public_html/"
    NameTrans fn="pfx2dir" from="/content" dir="/opt/SUNWips/public_html/content"
    NameTrans fn="pfx2dir" from="/locale" dir="/opt/SUNWips/locale"
    NameTrans fn=document-root root="/opt/SUNWips/public_html"
    NameTrans fn="redirect" from="/domain1" url="/login/domain1"
    NameTrans fn="redirect" from="/domain2" url="/login/domain2"
    PathCheck fn=unix-uri-clean
    PathCheck fn="check-acl" acl="default"
    PathCheck fn=find-pathinfo
    PathCheck fn=find-index index-names="index.html,home.html"
    ObjectType fn=type-by-extension
    ObjectType fn=force-type type=text/plain
    Service type="magnus-internal/jsp" fn="NSServletService"
    Service method=(GET|HEAD) type=magnus-internal/imagemap fn=imagemap
    Service method=(GET|HEAD) type=magnus-internal/directory fn=index-common
    Service method=(GET|HEAD|POST) type=*~magnus-internal/* fn=send-file
    AddLog fn=flex-log name="access"
    </Object>

The following is another example:

If there are three servers (server1, server2, and server3) and two domains (domain1 and domain2), the following are the URL to domain mappings:

http://server1:port ---> go to domain 1

http://server2:port ---> go to domain 2

http://server3:port ---> go to domain 2

To map a URL to a domain, do the following in the Administration console:

  1. Log on as Super Administrator.

  2. Select the Manage Domains link from the left frame.

  3. In the Portal Server Domains page, do the following:

    • Select one of the domains.

  4. In the Domain, Role and Users page:

    1. Expand Profiles link.

    2. Select Authentication link.

    3. Scroll to the Domain URLs field, add the URLs for that domain.

      See the Domain URL Mapping List.

    4. Select Add.

    5. Select Submit.

Repeat these steps for the second domain.


Domain URL Mapping List

The domain URL list for domain1 must contain the following URLs:

    • server1

    • server1_IP

    • server1/domain1

    • server1_IP/domain1

    • /domain1

    • server1/login

    • server1_IP/login

The domain URL list for domain2 must contain the following URLs:

    • server2

    • server2_IP

    • server2/domain2

    • server2_IP/domain2

    • /domain2

    • server2/login

    • server2_IP/login

    • server3

    • server3_IP

    • server3/domain2

    • server3_IP/domain2

    • server3/login

    • server3_IP/login


URL Scraping with No Gateway Server Installed

In the Administration console, the Gateway Component Profile page is accessed from Gateway Management >> Manage Gateway Profile.
When Open Portal mode is installed, the selections on this page are not greyed out, even though most selections are disabled because there is no Gateway running.

Some rewriting facilities from the Gateway Component Profile are used when configuring parameters for URL scraping. These parameters include:

  • Rewrite HTML attributes

  • Rewrite HTML attributes containing JavaScript

  • Rewrite JavaScript function parameters

  • Rewrite JavaScript variables in URLs

  • Rewrite JavaScript variables functions

  • Rewrite JavaScript function parameters in HTML

  • Rewrite JavaScript variables in HTML

  • Rewrite Applet parameter values list



Known Problems and Workarounds

Here are workarounds to known problems with the iPlanet Portal Server 3.0 software that have not been fixed in Service Pack 1:


Administration

4342320

If the Portal server is down, the Gateway server will hang if rebooted.

Prevention:

Edit the script on the Gateway server, as shown in Code Example 2, to change the while loop to a loop that will not run infinitely.

Workaround:

  1. In a terminal window, become root.

  2. Edit /etc/rc3.d/S90ipsgateway script:

    Add the exit 0 entry after line 110:

    Code Example 2 /etc/rc3.d/S90ipsgateway (Line 105 through 118)

    # waiting for server ready!
    server=`grep "ips.profile.host=" $PLATFORM_CONF | sed -e "s/ips.profile.host=//"`
    port=`grep "ips.server.port=" $PLATFORM_CONF | sed -e "s/ips.server.port=//"`
    while [ 1 ]
    do
        $IPS_HOME/bin/checkport $server $port 3
        exit 0    # added entry: leave the script here instead of waiting for the Portal server
        if [ $? -eq 0 ]
        then
            break
        fi
        echo "`$gettext 'iPS Gateway is waiting for iPS server to start first!'`"
        sleep 10
    done

  3. Restart the Gateway.


    # /etc/init.d/ipsgateway start
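
The Prevention text above asks for a loop that cannot run forever, whereas the exit 0 entry skips the wait altogether. The following added example (not code from the iPlanet scripts) shows a bounded version of the same wait; MAX_TRIES, WAIT_SECS and the function names are assumptions, while checkport, its three arguments and the platform.conf keys come from Code Example 2.

```shell
#!/bin/sh
# Added example, not the shipped S90ipsgateway script.
# MAX_TRIES, WAIT_SECS and the function names are assumptions;
# checkport and its arguments are taken from Code Example 2.

PLATFORM_CONF=${PLATFORM_CONF:-/etc/opt/SUNWips/platform.conf}
MAX_TRIES=${MAX_TRIES:-30}     # give up after 30 polls ...
WAIT_SECS=${WAIT_SECS:-10}     # ... 10 seconds apart (about 5 minutes)

# conf_value KEY: print the value of KEY= from platform.conf,
# using the same grep/sed approach as the original script.
conf_value() {
    grep "^$1=" "$PLATFORM_CONF" | sed -e "s/^$1=//"
}

# check_server HOST PORT: returns 0 when the Portal server port answers.
check_server() {
    "$IPS_HOME/bin/checkport" "$1" "$2" 3
}

# wait_for_server HOST PORT: returns 0 as soon as the server answers,
# 1 after MAX_TRIES failed polls. The poll count is left in $tries.
wait_for_server() {
    tries=0
    while [ "$tries" -lt "$MAX_TRIES" ]
    do
        if check_server "$1" "$2"
        then
            return 0
        fi
        tries=`expr $tries + 1`   # expr keeps this usable in a plain Bourne shell
        echo "iPS Gateway is waiting for iPS server ($tries/$MAX_TRIES)" >&2
        sleep "$WAIT_SECS"
    done
    echo "iPS server $1:$2 did not answer, giving up" >&2
    return 1
}

# In the rc script, the "while [ 1 ]" loop would become:
#   server=`conf_value ips.profile.host`
#   port=`conf_value ips.server.port`
#   wait_for_server "$server" "$port" || exit 1
```

With the limit in place, a reboot of the Gateway host returns control after MAX_TRIES polls even when the Portal server stays down, and the failure is reported on stderr.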


Authentication

4339793

UNIX authentication may fail after running for a couple of days.

Workaround:

  1. In a terminal window on the Portal server, become root, and type the following command:


    # ps -efl | grep doUnix

    If the command returns no output for doUnix, restart the Portal server helpers.

  2. In a terminal window, become root, and type the following command:


    # ps -efl | grep doUnix
    8 S root 18128 15582 0 41 20 ? 117 ? 20:28:33 pts/4 0:00 grep doUnix
    8 S root 25341 1 0 41 20 ? 196 ? May 23 ? 0:00 /opt/SUNWips/bin/doUnix -c 8946

    If doUnix is running, but the Portal server is not responding, restart the helper, as follows:


    # $IPS_BASE/SUNWips/bin/doUnix -c 8946


Desktop

4329229

Detached providers are not being handled properly by operations in the Content link.

Workaround:

None

4319604

Disabling the Netlet provider in the Administration console for a user causes the error message: "Document contained no data".

Workaround:

Remove the provider from the channel list in the Administration console.


Gateway

4324617

External bookmark URLs are not redirected.

Prevention:

Remove open URL from the Gateway profile "rewrite JavaScript function parameters".

Workaround:

Create a second bookmark channel to handle external sites.

The bookmark provider cannot be used for URLs which reference Internet URLs that the Gateway cannot or should not fetch.


ipsadmin

4319514

The command ipsadmin does not check for the syntax of boolean flags.

Workaround:

When creating an XML file, if the attribute type is boolean, add a true or false value (the <Val> element in the following example):

Code Example 3 Boolean True/False Statement in XML File

desc="Trust Proxy Feature"
type="boolean"
idx="X-x1"
userConfigurable="TRUE">
<Val>false</Val>
<Rperm>ADMIN</Rperm><Rperm>OWNER</Rperm>
<Wperm>ADMIN</Wperm>
</iwt:Att>


NetFile

4342453

The hourglass occasionally keeps running after attempting to add a share in NetFile Java.

Workaround:

Select some other part of NetFile to clear the hourglass.


NetMail

4321516

A race condition occurs when replying to a message if you select Send and then immediately delete the message.

Workaround:

Wait for the reply flag to be set (slow down) or delete the message again.

4307367

IMAP password is displayed in clear text in source of edit.

Workaround:

None



Bugs Fixed in Service Pack 1

The following bugs have been fixed in iPlanet Portal Server 3.0 Service Pack 1:


Table 1 Fixed Bug List

| Bug ID | Bug Description | Status |
|---|---|---|
| Administration Console | | |
| 4343322 | Server restart from Administration Console did not work. | Fixed |
| Desktop | | |
| 4338083 | Removing channel with thin-thick-thin layout caused null pointer | Fixed |
| 4335174 | URL rewriting did not work for relative URLs in URL scraper. | Fixed |
| 4330685 | The URL scraper failed when it tried to fetch a URL which resulted in a redirect. | Fixed |
| 4343673 | URL scraper provider did not handle redirects. | Fixed |
| 4343674 | RSS and URL scraper did not support using a proxy. | Fixed |
| Gateway | | |
| 4340633 | Gateway did not re-authenticate when its session died. | Fixed |
| 4335199 | Rewriter for applet tags could only rewrite limited number of URLs in a parameter. | Fixed |
| 4338888 | Membership Module did allow a blank password to authenticate. | Fixed |
| 4330036 | Rewriter didn't work if there was a URL with no leading http:// and a port number specified. | Fixed |
| 4343671 | authd did not support Open Portal login. | Fixed |
| ipsadmin | | |
| 4336880 | ipsadmin did not work if server was running on SSL mode. | Fixed |
| 4337917 | ipsadmin did not encrypt "protected" attributes. | Fixed |
| Japanese Language Version | | |
| 4336096 | On Japanese localization, NetFile Java did not work on Solaris and Windows NT. | Fixed |
| Logging | | |
| 4343009 | When logging was disabled, client API threw exceptions. | Fixed |
| 4352291 | Ability to turn Gateway logging on or off | Fixed |
| NetMail | | |
| 4340200 | Session timed out when running NetMail without the Gateway. | Fixed |
| NetFile | | |
| 4342428 | NetMail was unable to receive mail with attached text file sent from NetFile. | Fixed |
| 4340074 | Session timed out when running NetFile without the Gateway. | Fixed |
| Profile | | |
| 4341571 | External LDAP attribute mappings did not work with binary type attributes. | Fixed |
| 4339191 | Domain search did not search for users mapped from external LDAP. Fix limitations: Search limit for external LDAP users is 400 users only. | Fixed |
| Documentation | | |
| 4343016 | Incorrect URL for documentation. | Fixed |
| 4344856 | New documentation: see "Using the Netlet Proxy". | Fixed |



Documentation Updates and Corrections





Setting Session Time-out to the Maximum Value

  1. As Super Administrator, access Session Profile.

  2. Set the value of Inactivity to the maximum value: 15372286720912930.

  3. Set the value of Maximum to the maximum value: 15372286720912930.


Using the Netlet Proxy

The Netlet proxy is used for the following reasons:

  1. To minimize the use of extra IP addresses and ports from the Gateway through an internal firewall in a significantly sized deployment environment.

  2. To provide encryption for each transaction through the Netlet to the iPlanet Portal Server server. This application of the Netlet proxy offers improved security benefits through data encryption but may increase the use of system resources.



Figure 1 Netlet Proxy Implementation


Configuring the Netlet Proxy

In the iPlanet Portal Server Administration Console, do the following:

  1. Log on as Super Administrator.

  2. Select the Gateway Management link from the left frame.

  3. Select the Manage Gateway Profile link in the right frame.

  4. In the Component Profile: Gateway page, do the following:

    1. Scroll to the end of the page and select the Show Advanced Options button.

    2. Scroll to near the bottom of the page to the Netlet Proxy Enabled check box, and select the box to enable the netlet proxy.

    3. In the Netlet Proxy Port, type in the desired (unused) port number to be used (for example: 8048).



      Tip: From the command line, type:

      netstat -a

      This prints all ports currently assigned and in use.



    4. Select the Submit button at the bottom of the page to commit these changes to the profile server.

  5. Select the Continue button on the Profile Successfully Updated page.


Configuring Restart of the Netlet Proxy

To automatically configure a restart of the Netlet proxy whenever rebooting the system server, use the command line interface on the Gateway server to do the following:



Note: If using more than one server, repeat these steps for each server's platform.conf file.



  1. From a terminal window, use a text editor to edit the platform.conf file:

    /etc/opt/SUNWips/platform.conf



    Note: Configure the Netlet Proxy in the iPlanet Portal Server Administration Console before editing the platform.conf file. See "Configuring the Netlet Proxy" for instructions.



  2. Add ipsnetletd to the end of the ips.daemons line, as shown in Code Example 4:

    Code Example 4 Sample /etc/opt/SUNWips/platform.conf file

    # Copyright 03/22/00 Sun Microsystems, Inc. All Rights Reserved.
    # "@(#)platform.conf 1.29 00/03/22 Sun Microsystems"
    #

    ips.defaultDomain=iplanet.com
    ips.server.protocol=http
    ips.server.host=smyrna.iplanet.com
    ips.server.port=8080
    ips.profile.host=smyrna.iplanet.com
    ips.gateway.protocol=https
    ips.gateway.host=smyrna.iplanet.com
    ips.gateway.port=443
    ips.virtualhost=smyrna.iplanet.com 192.101.107.10
    ips.naming.url=http://smyrna.iplanet.com:8080/namingservice
    ips.notification.url=http://smyrna.iplanet.com:8080/notificationservice
    ips.daemons=securid radius safeword unix skey ipsnetletd
    securidHelper.port=8943
    radiusHelper.port=8944
    safewordHelper.port=8945
    unixHelper.port=8946
    skeyHelper.port=8947
    ipsnetletdHelper.port=8048

    ips.cookie.name=iPlanetPortalServer
    ips.locale=en_US
    ips.debug=error
    ips.version=3.0
    ips.basedir=/opt
    ips.logdelimiter=&&

  3. Run the Netlet Proxy as follows:


    # /$IPS_BASE/SUNWips/bin/ipsnetletd start
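
A consistency check to run after editing platform.conf, as an added example that is not part of the iPlanet software. It assumes, from the pattern visible in Code Example 4, that every name on the ips.daemons line needs its own <name>Helper.port entry; the function names and the sample fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the iPlanet distribution.
# Assumption (inferred from Code Example 4): every name on the ips.daemons
# line needs a matching <name>Helper.port entry with a port of its own.

# sample_conf: constructed platform.conf fragment with two deliberate
# mistakes: skey reuses the unix helper port, and ipsnetletd was added to
# ips.daemons without an ipsnetletdHelper.port line.
sample_conf() {
    cat <<'EOF'
# constructed sample, not a real host
ips.gateway.protocol=https
ips.daemons=securid radius safeword unix skey ipsnetletd
securidHelper.port=8943
radiusHelper.port=8944
safewordHelper.port=8945
unixHelper.port=8946
skeyHelper.port=8946
EOF
}

# check_platform_conf FILE   (FILE may be "-" for standard input)
# Prints one finding per line; returns 0 if there are none, 1 otherwise.
check_platform_conf() {
    awk '
        /^[ \t]*#/ || !/=/ { next }     # skip comments and lines without key=value
        {
            eq  = index($0, "=")
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            conf[key] = val
        }
        END {
            bad = 0
            netlet = 0
            n = split(conf["ips.daemons"], d, " ")
            for (i = 1; i <= n; i++) {
                if (d[i] == "ipsnetletd") netlet = 1
                k = d[i] "Helper.port"
                if (!(k in conf)) { print "missing " k; bad++; continue }
                p = conf[k]
                if (p !~ /^[0-9]+$/ || p + 0 < 1 || p + 0 > 65535) {
                    print "invalid " k "=" p; bad++; continue
                }
                if (p in seen) {
                    print "port " p " used by both " seen[p] " and " d[i]; bad++
                } else {
                    seen[p] = d[i]
                }
            }
            if (!netlet) { print "ipsnetletd not listed in ips.daemons"; bad++ }
            exit (bad > 0)
        }' "$1"
}

# Demonstration on the constructed sample; prints the two findings.
sample_conf | check_platform_conf - || true
```

On a Gateway host, run `check_platform_conf /etc/opt/SUNWips/platform.conf` before restarting the helpers.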



Copyright © 2000 Sun Microsystems, Inc. Some preexisting portions Copyright © 2000 Netscape Communications Corp. All rights reserved.

Last Updated August 31, 2000