The following issues with Web servers may arise:
Symptom
You are running an Apache Web server, and an OAM Server fails, displaying the following message:
libthread panic: cannot create new lwp (PID: 9035 LWP 2). stackrace: ff3424cc 0
This symptom may be caused by the Apache Web server launching more instances of itself. This can happen when the server determines that more instances are needed to service the number of connections between one or more Webgates and the OAM Server.
The additional instances create even more connections, which exceed the number of connections by the OAM Server.
Solution
Reduce the number of MinSpareServers
, MaxSpareServers
, StartServers
, and MaxClients
parameters.
Go to the OAM Server's configuration directory and open the http.d
configuration file.
Recommended parameter settings:
MinSpareServers
1
MaxSpareServers
5
StartServers
3
MaxClients
5
When running Apache v2 on HP-UX, do not use nobody
for User or Group, because shared memory may not work. Instead, use your login name as User Name with a your group as Group Name On HP-UX (on Solaris, "www" is equivalent to "nobody").
When running Apache v2 on HPUX 11.11, ensure that the AcceptMutex
directive in the Apache httpd.conf file is set to "fcntl
". If the directive is not present, add it to the httpd.conf file (AcceptMutex fcntl
). For more information, see:
Problem
After installing a Webgate on vendor-bundled Apache, the Web server may give the following error upon startup:
Error: Cannot load libgcc_s.so.1 library - Permission denied.
Solution
Change the Security-Enhanced Linux (SELinux) policy rules for Access Manager Webgates as described in "Tuning Apache/IHS v2 Webgates for Access Manager".
Errors might be reported in WebServer logs/console when starting a Web server on Linux distributions, which have stricter SELinux policies in place, after installing an Access Manager Web component. You can avoid these errors by running appropriate chcon
commands for the installed Web component before restarting the Web server.
See Also:
The following item is required only if you compile Apache v2 for Webgate on UNIX with the mpm_worker_module. In this case, you need to modify the thread.c file from the Apache source for the UNIX environment. Making this change ensures that the default pthread stacksize for Webgate produces optimal performance during multi-threaded server implementation. If this change is not made, the default pthread stack size would not be sufficient for Webgate and could result in a crash.
Apache 2.0 does not support the ThreadStackSize option. Therefore:
With UNIX-based Apache v2.1 and later you must use the ThreadStackSize directive to set the size of the stack (for autodata) of threads that handle client connections and call modules to help process those connections.
With UNIX-based Apache 2, it is best to use the compilable source while adding the mpm_worker_module and changing the thread.c file to avoid a stack overflow.
The following procedure shows how to modify the Apache v2.0 thread.c file to provide the default pthread stacksize needed by Webgate for optimal performance during multi-threaded server implementation. For details about the Apache v2.1+ ThreadStackSize directive, see http://httpd.apache.org/docs/2.2/mod/mpm_common.html#threadstacksize.
Note:
The following procedure should be performed only for the Apache 2.0 Webgate. Otherwise, the default pthread stack size is not sufficient for the Webgate and could result in a crash.
To modify the Apache v2.0 thread.c file for Webgate in a UNIX environment
Locate the thread.c file. For example:
APACHE 2.0.52 source/srclib/apr/threadproc/unix/thread.c
Locate the function named apr_threadattr_create(apr_threadattr_t **new,apr_pool_t *pool) in the following code segment:
**new,apr_pool_t *pool) in the following code segment: 1-----> apr_status_t stat; 2 3-----> (*new) = (apr_threadattr_t *)apr_pcalloc(pool, sizeof(apr_threadattr_t)); 4-----> (*new)->attr = (pthread_attr_t *)apr_pcalloc(pool, sizeof(pthread_attr_t)); 5 6-----> if ((*new) == NULL || (*new)->attr == NULL) { 7-----> return APR_ENOMEM; 8-----> } 9 10----->(*new)->pool = pool; 11----->stat = pthread_attr_init((*new)->attr); 12 13-----> if (stat == 0) { 14-----> return APR_SUCCESS; 15-----> } 16----->#ifdef PTHREAD_SETS_ERRNO 17----->stat = errno; 18----->#endif 19 20----->return stat; 21
Add the following code before line 13 shown earlier.
int stacksize = 1 << 20; pthread_attr_setstacksize(&(*new)->attr, stacksize);
Run configure, make, and make install to set up the Apache Web server with the mpm_worker_module.
Failure Authentication Event: For Domino Web servers, the redirection of a URL through Access Manager may not work if the authentication type is set as Basic Over LDAP and the URL to be redirected is mentioned as one of the following:
To overcome a failure authentication event, you must set the redirected URL with a computer name that is not defined under the host identifier group. For example, the IP address of the computer.
This problem does not occur with a form-based authentication type.
Header Variables: It may not be possible to pass header variables other than REMOTE_USER to Webgates installed on Lotus Notes Domino Web servers when using Client Certificate authentication scheme.
For example, header variables cannot be set on the one request where Client Certificate authentication occurs. However, all other requests do allow header variables to be set.
For more information, see Configuring Lotus Domino Web Servers for 10g WebGates.
Symptom
If you installed Access Manager on UNIX under a different user ID than you used to create your Web server instance, Access Manager can become unstable. Users may experience behavior such as:
Random bug report pages
Failure to write to log file errors
Loss of access to Web pages
Solution
Change file permissions using the chown command. Change the Access Manager directory to the same user ID that you used to create your Web server instance.
Webgate uses ISAPI extension for displaying user deny error message and for displaying the diagnostic page. However, ISA 2006 does not support extensions. Therefore:
If the user is denied access by Webgate, the user gets Page Cannot be displayed error message instead of Access Manager denied access error message.
The following diagnostic URL does not work for ISA: http(s)://hostname:port/access/oblix/apps/webgate/bin/webgate.dll?progid=1 for webgate.
Problem
After installing a Webgate instance on an Oracle HTTP Server, the server does not start up.
Note:
When running Access Manager, LinuxThreads is used by default. This requires setting the environment variable LD_ASSUME_KERNEL to 2.4.19. If you are using NPTL with Access Manager, you do not set LD_ASSUME_KERNEL to 2.4.19.9
Cause
This occurs because Access Manager uses an older Linux threading model.
Solution
When using LinuxThreads mode, comment out the Perl module in the httpd.conf file, update the LD_ASSUME_KERNEL environment variable, and restart, as described in the following procedure.
To resolve the failure to start Oracle HTTP Server in LinuxThreads mode
Comment out the perl module in the httpd.conf file in the following location:
Oracle HTTP Server 11g: $ORACLE_INSTANCE/config/OHS
/ohs_name/
httpd.conf
Oracle HTTP Server v2: OH$
/ohs/conf/httpd.conf
Oracle HTTP Server v1.3: OH$
/Apache/Apache/conf/httpd.conf
To update the LD_ASSUME_KERNEL value, open the following file in a text editor:
OH$/opmn/conf/opm.xml
Find the following line:
<process-type id="HTTP_Server" module-id="OHS">
Add the following information under the line you found in the previous step:
<environment> <variable id="LD_ASSUME_KERNEL" value="2.4.19" /> </environment>
Save this file.
Run the following commands to implement your changes:
opmnctl stopall opmnctl startall
This situation might arise whether you are using Access Manager with LinuxThreads or NPTL.
Symptom
Webgate fails to initialize when installed on an Oracle HTTP Server running Red Hat Enterprise Server version 4.0 with a kernel version lower than 2.6.9-34.EL. Version 2.6.9-34.EL is supplied with the Red Hat version 4, update 3.
Solution
To prevent this problem, you must upgrade to Red Hat version 4, update 3 or higher.
Problem
With Oracle Application Server 10.1.x, OC4J, when the httpd.conf file is modified automatically during Webgate installation, it can be corrupted.
Solution
Before installing Webgate, run the following command to prevent the httpd.conf file from being overwritten.
$ORACLE_HOME/dcm/bin/dcmctl updateConfig -ct ohs
On IIS 6 Web servers only, you must run the WWW service in IIS 5.0 isolation mode, which is a requirement of the ISAPI postgate filter. This scenario will work if you have 32-bit Access Manager binaries running on a 32-bit Windows operating system. However, there is an issue if you attempt to run a 32-bit postgate.dll on a 64-bit Windows machine with IIS running in 32-bit mode.
Problem
When running IIS in IIS5.0 isolation mode, you see the following message:
"ISAPI Filter 'C:\webgate\access\oblix\apps\webgate\bin\webgate.dll' could not be loaded due to a configuration problem.
Cause
The current configuration only supports loading images built for an AMD 64-bit processor architecture. The data field contains the error number.
Solution
To learn more about this issue, including how to troubleshoot this kind of processor architecture mismatch error, see the following Web site:
http://go.microsoft.com/fwlink/?LinkId=29349
For more information, see Help and Support Center at:
http://go.microsoft.com/fwlink/events.asp
Problem
IIS5 never existed as 64-bit. However, IIS v6's IIS5 Compatibility Mode on 64-bit Windows computers only runs as 64-bit.
Cause
It is architecturally impossible run IIS5 Isolation Mode 32- bit on 64-bit Windows, as described in documentation available through the following URLs:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.pu blic.inetserver.iis&tid=5dd07102-8896-40cc-86cb-809060fa9426&cat=en_US_ 02ceb021-bb43-476d-8f8f-6c00a363ccf5&lang=en&cr=US&p=1
http://blogs.msdn.com/david.wang/archive/2005/12/14/HOWTO-Diagnose-one-cause-of-W3 SVC-failing-to-start-with-Win32-Error-193-on-64bit-Windows.aspx
Symptom
When attempting to start the Sun Web server, you get an error like the following:
Unable to start, PCLOSE
Solution
Solution: A number of problems can cause this error:
A syntax error in your obj.conf
file
Leading spaces in your obj.conf
file
Installing Access Manager as a different user ID than what you used to create your Web server instance
A carriage return at the end of the obj.conf
file
When Access Manager is running with Microsoft's IIS Web server, you must manually uninstall and reinstall the following ISAPI filters when reinstalling Access Manager.
tranfilter.dll
oblixlock.dll
(if you installed Webgate)
webgate.dll
(if you installed Webgate)
To remove and reinstall IIS DLLs
Uninstall Access Manager.
Manually uninstall the preceding DLLs.
Reinstall Access Manager.Active Directory.
Manually reinstall the DLLs.
Note:
These filters can change depending on the version of IIS you are using. If these filters do not exist or there are others present, contact Oracle to determine if the filters that are present need to be removed.