Oracle iPlanet Web Proxy Server 4.0.14 Administration Guide

Chapter 3 Setting Administration Preferences

This chapter describes how to configure administration preferences using the Administration Server. Cookies must be enabled in your browser to run the CGI programs necessary for configuring your server.

Creating and Managing Listen Sockets

Before the server can process a request, the request must be accepted by a listen socket and then directed to the correct server. When the Proxy Server is installed, one listen socket (ls1) is created automatically. This listen socket uses the IP address 0.0.0.0 and the port number specified as the Administration Server port number during installation.

Listen sockets are added, edited, and deleted using the Administration Server’s Edit Listen Sockets page. You must have at least one listen socket with which to access the server. You cannot delete a listen socket if it is the only one listed.

This section describes how to add, edit, and delete listen sockets.

To Add Listen Sockets

  1. Access the Administration Server and select the Preferences tab.

  2. Click the Edit Listen Sockets link.

  3. Click the New button.

  4. Specify the settings and click OK.

    For more information about specific fields, see the online Help.

To Edit Listen Sockets

  1. Access the Administration Server and select the Preferences tab.

  2. Click the Edit Listen Sockets link.

  3. Click the link for the listen socket you want to edit.

  4. Make the desired changes, and then click OK.

To Delete Listen Sockets

  1. Access the Administration Server and select the Preferences tab.

  2. Click the Edit Listen Sockets link.

  3. Select the checkbox next to the listen socket you want to delete and click OK.

  4. When prompted to confirm deletion, click OK.

    You must have at least one listen socket with which to access the server. You cannot delete the listen socket if it is the only one listed.

Changing Superuser Settings

Superuser access can be configured for the Administration Server. These settings affect only the superuser account. If the Administration Server uses distributed administration, additional access controls must be configured for the permitted administrators.


Caution –

If Oracle Directory Server Enterprise Edition is used to manage users and groups, the superuser entry must be updated in the directory before changing the superuser user name or password. If you do not update the directory first, you will not be able to access the Users and Groups interface in the Administration Server. You then must either access the Administration Server with an administrator account that does have access to the directory, or update the directory using the Directory Server console or configuration files.


To Change Superuser Settings for the Administration Server

  1. Access the Administration Server and select the Preferences tab.

  2. Click the Control Superuser Access link.

  3. Make the desired changes and click OK.

    For more information about specific fields, see the online Help.

    The superuser’s user name and password are kept in a file called admpw, located in server-root/proxy-admserv/config. The file has the format username:password. You can view this file to obtain the user name, but the password is encrypted and unreadable. If you forget the password, you can change to a new password.

To Change the Superuser Password

  1. Edit the admpw file and delete the encrypted password.

  2. Access the Administration Server with the user name and no password.

  3. Click the Preferences tab.

  4. Click the Control Superuser Access link.

  5. Provide a new password and click OK.


    Caution –

    Because the admpw file can be edited, the server computer must be kept in a secure place and access to its file system must be restricted.

    On UNIX and Linux systems, consider changing file ownership so that the file is writable only by root or whatever system user runs the Administration Server daemon. On Windows systems, restrict file ownership to the user account used by the Administration Server.
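
The file-permission guidance above can be checked with a script. The following is an added example, not part of the Oracle guide or product: a POSIX shell function that flags an admpw file with an empty password field, or with group or world write access on the file or its directory. The function name audit_admpw, the finding labels, and the optional expected-owner argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Oracle code: audit an admpw file in the
# "username:password" format described in this guide.
# Usage: audit_admpw FILE [EXPECTED_OWNER]
# Prints one finding per line; returns 0 if clean, 1 otherwise.
audit_admpw() {
    f=$1; owner=${2:-}; rc=0
    if [ ! -f "$f" ]; then
        echo "MISSING: $f"
        return 1
    fi
    # Read the first line, even if it lacks a trailing newline.
    line=
    IFS= read -r line < "$f" || :
    case $line in
        *:*)
            [ -n "${line%%:*}" ] || { echo "EMPTY_USER: no user name"; rc=1; }
            # An empty password field is the reset state: the guide's
            # recovery procedure logs in with the user name and no password.
            [ -n "${line#*:}" ] || { echo "EMPTY_PASSWORD: login needs no password"; rc=1; }
            ;;
        *)  echo "MALFORMED: expected username:password"; rc=1 ;;
    esac
    # find prints the path only when the tested permission bit is set.
    # The directory matters too: write access there allows replacing the file.
    dir=$(dirname "$f")
    for p in "$f" "$dir"; do
        [ -z "$(find "$p" -prune -perm -020)" ] || { echo "GROUP_WRITABLE: $p"; rc=1; }
        [ -z "$(find "$p" -prune -perm -002)" ] || { echo "WORLD_WRITABLE: $p"; rc=1; }
    done
    # Optional: the file should belong to root or the Administration Server user.
    if [ -n "$owner" ] && [ -z "$(find "$f" -prune -user "$owner")" ]; then
        echo "WRONG_OWNER: $f is not owned by $owner"; rc=1
    fi
    return $rc
}

# Audit the path given on the command line, or a constructed sample if none.
if [ $# -gt 0 ]; then
    audit_admpw "$@"
else
    # Constructed sample: an entry whose password field has been deleted.
    tmp=$(mktemp -d)
    printf 'admin:\n' > "$tmp/admpw"; chmod 600 "$tmp/admpw"
    audit_admpw "$tmp/admpw" || :
    rm -rf "$tmp"
fi
```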


Allowing Multiple Administrators

Multiple administrators can change specific parts of the server through distributed administration. A directory server must be installed before distributed administration can be enabled. The default directory service must be LDAP-based.

The two levels of users for distributed administration are superuser and administrator.

For more information about access control, see Chapter 8, Controlling Access to Your Server.

To Enable Distributed Administration

  1. Verify that a directory server is installed.

  2. Access the Administration Server.

  3. (Optional) After a directory server has been installed, you might also need to create an administration group if you have not already done so. To create a group:

    1. Click the Users and Groups tab.

    2. Click the Create Group link.

    3. Create an administrators group in the LDAP directory, and add the names of the users to whom you are granting permission to configure the Administration Server or any of the servers installed in its server root.

      For more information about specific fields, see the online Help.

      All users in the administrators group have full access to the Administration Server, but access control can be used to limit the servers and forms they are allowed to configure.

      Once an access control list is created, the distributed administration group is added to that list. If the name of the administrators group is changed, you must manually edit the access control list to change the group it references.

  4. Click the Preferences tab.

  5. Click the Configure Distributed Administration link.

  6. Select Yes, specify the administrator group, and then click OK.

Specifying Log File Options

The Administration Server log files record data about the Administration Server, including the types of errors encountered and information about server access. The log information enables you to monitor server activity and troubleshoot problems. You can specify the type and format of the data recorded in the Administration Server logs using the many options on the Log Preferences pages. You can choose the Common Logfile Format, which provides a fixed amount of information about the server, or you can create a custom log file format that better suits your requirements.

To access the Administration Server Log Preferences pages, click the Preferences tab, then click the Set Access Log Preferences or Set Error Log Preferences link. For detailed information about the log files and setting log file options, see Chapter 9, Using Log Files. Also see the online Help.

Viewing Log Files

Administration Server log files are located in server-root/proxy-admserv/logs. You can view both the error and access logs through the Proxy Server administration console, or with a text editor.

Access Log File

The access log file records information about requests to and responses from the server.

To View the Access Log File

  1. Access the Administration Server and click the Preferences tab.

  2. Click the View Access Log link.

    For more information about specific fields, see the online Help. Also see Chapter 9, Using Log Files.

Error Log File

The error log lists all errors the server has encountered since the log file was created. It also contains informational messages about the server, such as when the server was started, and who tried to log in but failed.

To View the Error Log File

  1. Access the Administration Server and click the Preferences tab.

  2. Click the View Error Log link.

    For more information about specific fields, see the online Help. Also see Chapter 9, Using Log Files.

Using Directory Services

You can store and manage information such as user names and passwords in a single directory server using LDAP. You can also configure the server to allow users to retrieve directory information from multiple, easily accessible network locations. For more information about using directory services, see Chapter 4, Managing Users and Groups.

Restricting Server Access

When the Proxy Server evaluates an incoming request, it determines access using a hierarchy of rules called access control entries (ACEs); the entries that match the request determine whether it is allowed or denied. Each ACE specifies whether the server should continue to the next ACE in the hierarchy. The collection of ACEs is called an access control list (ACL).

Access control can be configured for access to the Administration Server and to specific resources within a server instance, such as files, directories, and file types. Access control to the Administration Server is configured from the Global Settings tab in the Administration Server. Access control for resources within a server instance is configured from the Preferences tab in the Server Manager. For more information about setting access control, see Chapter 8, Controlling Access to Your Server.


Note –

Distributed administration must be enabled before you can restrict server access. For more information, see Allowing Multiple Administrators.


SNMP Master Agent Settings

Simple Network Management Protocol (SNMP) is a protocol used to exchange data about network activity. This information is transferred between a network management station and the server through the use of subagents and master agents.

SNMP master agent settings are configured using the Global Settings tab in the Administration Server. The master agent is installed with the Administration Server. For detailed information about SNMP and agent settings, see Chapter 10, Monitoring Servers. Also see the online Help for master agent pages on the Global Settings tab in the Administration Server, and for the subagent pages on the Server Status tab in the Server Manager.