E.38 Web Server Issues

E.38.1 Server Fails on an Apache Web Server

Symptom

You are running an Apache Web server, and an OAM Server fails, displaying the following message:

libthread panic: cannot create new lwp
(PID: 9035 LWP 2). stackrace:
ff3424cc
0

This symptom may be caused by the Apache Web server launching more instances of itself. This can happen when the server determines that more instances are needed to service the number of connections between one or more Webgates and the OAM Server.

The additional instances create even more connections, which exceed the number of connections by the OAM Server.

Solution

Reduce the number of MinSpareServers, MaxSpareServers, StartServers, and MaxClients parameters.

Go to the OAM Server's configuration directory and open the http.d configuration file.

Recommended parameter settings:

  • MinSpareServers 1

  • MaxSpareServers 5

  • StartServers 3

  • MaxClients 5

E.38.2 Apache v2 on HP-UX

When running Apache v2 on HP-UX, do not use nobody for User or Group, because shared memory may not work. Instead, use your login name as User Name with a your group as Group Name On HP-UX (on Solaris, "www" is equivalent to "nobody").

When running Apache v2 on HPUX 11.11, ensure that the AcceptMutex directive in the Apache httpd.conf file is set to "fcntl". If the directive is not present, add it to the httpd.conf file (AcceptMutex fcntl). For more information, see:

http://issues.apache.org/bugzilla/show_bug.cgi?id=22484

E.38.3 Apache v2 Bundled with Red Hat Enterprise Linux 4

Problem

After installing a Webgate on vendor-bundled Apache, the Web server may give the following error upon startup:

Error: Cannot load libgcc_s.so.1 library - Permission denied. 

Solution

Change the Security-Enhanced Linux (SELinux) policy rules for Access Manager Webgates.

E.38.4 Apache v2 Bundled with Security-Enhanced Linux

Errors might be reported in WebServer logs/console when starting a Web server on Linux distributions, which have stricter SELinux policies in place, after installing an Access Manager Web component. You can avoid these errors by running appropriate chcon commands for the installed Web component before restarting the Web server.

See Also:

"SELinux Issues"

E.38.5 Apache v2 on UNIX with the mpm_worker_module for Webgate

The following item is required only if you compile Apache v2 for Webgate on UNIX with the mpm_worker_module. In this case, you need to modify the thread.c file from the Apache source for the UNIX environment. Making this change ensures that the default pthread stacksize for Webgate produces optimal performance during multi-threaded server implementation. If this change is not made, the default pthread stack size would not be sufficient for Webgate and could result in a crash.

Apache 2.0 does not support the ThreadStackSize option. Therefore:

  • With UNIX-based Apache v2.1 and later you must use the ThreadStackSize directive to set the size of the stack (for autodata) of threads that handle client connections and call modules to help process those connections.

  • With UNIX-based Apache 2, it is best to use the compilable source while adding the mpm_worker_module and changing the thread.c file to avoid a stack overflow.

The following procedure shows how to modify the Apache v2.0 thread.c file to provide the default pthread stacksize needed by Webgate for optimal performance during multi-threaded server implementation. For details about the Apache v2.1+ ThreadStackSize directive, see http://httpd.apache.org/docs/2.2/mod/mpm_common.html#threadstacksize.

Note:

The following procedure should be performed only for the Apache 2.0 Webgate. Otherwise, the default pthread stack size is not sufficient for the Webgate and could result in a crash.

To modify the Apache v2.0 thread.c file for Webgate in a UNIX environment

  1. Locate the thread.c file. For example:

    APACHE 2.0.52 source/srclib/apr/threadproc/unix/thread.c
    
  2. Locate the function named apr_threadattr_create(apr_threadattr_t **new,apr_pool_t *pool) in the following code segment:

    **new,apr_pool_t *pool) in the following code segment:
    1-----> apr_status_t stat; 
    2 
    3-----> (*new) = (apr_threadattr_t *)apr_pcalloc(pool, sizeof(apr_threadattr_t)); 
    4-----> (*new)->attr = (pthread_attr_t *)apr_pcalloc(pool, sizeof(pthread_attr_t)); 
    5 
    6-----> if ((*new) == NULL || (*new)->attr == NULL) { 
    7----->              return APR_ENOMEM; 
    8-----> } 
    9 
    10----->(*new)->pool = pool; 
    11----->stat = pthread_attr_init((*new)->attr); 
    12 
    13-----> if (stat == 0) { 
    14----->            return APR_SUCCESS; 
    15-----> } 
    16----->#ifdef PTHREAD_SETS_ERRNO 
    17----->stat = errno; 
    18----->#endif 
    19 
    20----->return stat; 
    21 
    
  3. Add the following code before line 13 shown earlier.

    int stacksize = 1 << 20; 
    pthread_attr_setstacksize(&(*new)->attr, stacksize);
    
  4. Run configure, make, and make install to set up the Apache Web server with the mpm_worker_module.

E.38.6 Domino Web Server Issues

Failure Authentication Event: For Domino Web servers, the redirection of a URL through Access Manager may not work if the authentication type is set as Basic Over LDAP and the URL to be redirected is mentioned as one of the following:

  • Either a relative path present on the same Web server
  • Or the Full path URL on the same Web server containing a computer name defined in the host identifier string combinations.

To overcome a failure authentication event, you must set the redirected URL with a computer name that is not defined under the host identifier group. For example, the IP address of the computer.

This problem does not occur with a form-based authentication type.

Header Variables: It may not be possible to pass header variables other than REMOTE_USER to Webgates installed on Lotus Notes Domino Web servers when using Client Certificate authentication scheme.

For example, header variables cannot be set on the one request where Client Certificate authentication occurs. However, all other requests do allow header variables to be set.

For more information, see Configuring Lotus Domino Web Servers for 10g WebGates.

E.38.7 Errors, Loss of Access, and Unpredictable Behavior

Symptom

If you installed Access Manager on UNIX under a different user ID than you used to create your Web server instance, Access Manager can become unstable. Users may experience behavior such as:

  • Random bug report pages

  • Failure to write to log file errors

  • Loss of access to Web pages

Solution

Change file permissions using the chown command. Change the Access Manager directory to the same user ID that you used to create your Web server instance.

E.38.8 Known Issues for ISA Web Server

Webgate uses ISAPI extension for displaying user deny error message and for displaying the diagnostic page. However, ISA 2006 does not support extensions. Therefore:

  • If the user is denied access by Webgate, the user gets Page Cannot be displayed error message instead of Access Manager denied access error message.

  • The following diagnostic URL does not work for ISA: http(s)://hostname:port/access/oblix/apps/webgate/bin/webgate.dll?progid=1 for webgate.

E.38.9 Oracle HTTP Server Fails to Start with LinuxThreads

Problem

After installing a Webgate instance on an Oracle HTTP Server, the server does not start up.

Note:

When running Access Manager, LinuxThreads is used by default. This requires setting the environment variable LD_ASSUME_KERNEL to 2.4.19. If you are using NPTL with Access Manager, you do not set LD_ASSUME_KERNEL to 2.4.19.9

Cause

This occurs because Access Manager uses an older Linux threading model.

Solution

When using LinuxThreads mode, comment out the Perl module in the httpd.conf file, update the LD_ASSUME_KERNEL environment variable, and restart, as described in the following procedure.

To resolve the failure to start Oracle HTTP Server in LinuxThreads mode

  1. Comment out the perl module in the httpd.conf file in the following location:

    Oracle HTTP Server 11g: $ORACLE_INSTANCE/config/OHS/ohs_name/httpd.conf

    Oracle HTTP Server v2: OH$/ohs/conf/httpd.conf

    Oracle HTTP Server v1.3: OH$/Apache/Apache/conf/httpd.conf

  2. To update the LD_ASSUME_KERNEL value, open the following file in a text editor:

    OH$/opmn/conf/opm.xml
    
  3. Find the following line:

    <process-type id="HTTP_Server" module-id="OHS">
    
  4. 
    

    Add the following information under the line you found in the previous step:

    <environment>
    <variable id="LD_ASSUME_KERNEL" value="2.4.19" />
    </environment>
    
  5. Save this file.

  6. Run the following commands to implement your changes:

    opmnctl stopall
    opmnctl startall
    

E.38.10 Oracle HTTP Server Webgate Fails to Initialize On Linux Red Hat 4

This situation might arise whether you are using Access Manager with LinuxThreads or NPTL.

Symptom

Webgate fails to initialize when installed on an Oracle HTTP Server running Red Hat Enterprise Server version 4.0 with a kernel version lower than 2.6.9-34.EL. Version 2.6.9-34.EL is supplied with the Red Hat version 4, update 3.

Solution

To prevent this problem, you must upgrade to Red Hat version 4, update 3 or higher.

E.38.11 Oracle HTTP Server Web Server Configuration File Issue

Problem

With Oracle Application Server 10.1.x, OC4J, when the httpd.conf file is modified automatically during Webgate installation, it can be corrupted.

Solution

Before installing Webgate, run the following command to prevent the httpd.conf file from being overwritten.

$ORACLE_HOME/dcm/bin/dcmctl updateConfig -ct ohs 

E.38.12 Issues with IIS v6 Web Servers

On IIS 6 Web servers only, you must run the WWW service in IIS 5.0 isolation mode, which is a requirement of the ISAPI postgate filter. This scenario will work if you have 32-bit Access Manager binaries running on a 32-bit Windows operating system. However, there is an issue if you attempt to run a 32-bit postgate.dll on a 64-bit Windows machine with IIS running in 32-bit mode.

Problem

When running IIS in IIS5.0 isolation mode, you see the following message:

"ISAPI Filter 'C:\webgate\access\oblix\apps\webgate\bin\webgate.dll' could not be loaded due to a configuration problem.

Cause

The current configuration only supports loading images built for an AMD 64-bit processor architecture. The data field contains the error number.

Solution

To learn more about this issue, including how to troubleshoot this kind of processor architecture mismatch error, see the following Web site:

http://go.microsoft.com/fwlink/?LinkId=29349

For more information, see Help and Support Center at:

http://go.microsoft.com/fwlink/events.asp

Problem

IIS5 never existed as 64-bit. However, IIS v6's IIS5 Compatibility Mode on 64-bit Windows computers only runs as 64-bit.

Cause

It is architecturally impossible run IIS5 Isolation Mode 32- bit on 64-bit Windows, as described in documentation available through the following URLs:

http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.pu
blic.inetserver.iis&tid=5dd07102-8896-40cc-86cb-809060fa9426&cat=en_US_
02ceb021-bb43-476d-8f8f-6c00a363ccf5&lang=en&cr=US&p=1
http://blogs.msdn.com/david.wang/archive/2005/12/14/HOWTO-Diagnose-one-cause-of-W3
SVC-failing-to-start-with-Win32-Error-193-on-64bit-Windows.aspx

E.38.13 PCLOSE Error When Starting Sun Web Server

Symptom

When attempting to start the Sun Web server, you get an error like the following:

Unable to start, PCLOSE

Solution

Solution: A number of problems can cause this error:

  • A syntax error in your obj.conf file

  • Leading spaces in your obj.conf file

  • Installing Access Manager as a different user ID than what you used to create your Web server instance

  • A carriage return at the end of the obj.conf file

E.38.14 Removing and Reinstalling IIS DLLs

When Access Manager is running with Microsoft's IIS Web server, you must manually uninstall and reinstall the following ISAPI filters when reinstalling Access Manager.

  • tranfilter.dll

  • oblixlock.dll (if you installed Webgate)

  • webgate.dll (if you installed Webgate)

To remove and reinstall IIS DLLs

  1. Uninstall Access Manager.

  2. Manually uninstall the preceding DLLs.

  3. Reinstall Access Manager.Active Directory.

  4. Manually reinstall the DLLs.

Note:

These filters can change depending on the version of IIS you are using. If these filters do not exist or there are others present, contact Oracle to determine if the filters that are present need to be removed.