Netscape Enterprise Server 6.1 - 04-2002 Administrator's Manual

Administrator's Guide
Netscape Enterprise Server
Version 6.1
April 2002 (Draft)


Summary of Contents for Netscape Enterprise Server 6.1 - 04-2002 Administrator's Guide

  • Page 1 Administrator’s Guide Netscape Enterprise Server Version 6.1 April 2002 (Draft)
  • Page 2 Netscape Communications Corporation ("Netscape") and its licensors retain all ownership rights to the software programs offered by Netscape (referred to herein as "Software") and related documentation. Use of the Software and related documentation is governed by the license agreement for the Software and applicable copyright law. Your right to copy this documentation is limited by copyright law.
  • Page 3: Table Of Contents

    Contents: About This Guide ... 17; What’s In This Guide? ...
  • Page 4 UNIX and Linux Platforms ... 35; Virtual Server Configuration ...
  • Page 5 Using LDIF ... 61; Creating Users ...
  • Page 6 Chapter 5 Securing Your Enterprise Server ... 87; Requiring Authentication ...
  • Page 7 Selecting the Certificate Name for a Connection Group ... 119; FIPS-140 Standard ...
  • Page 8 Setting the Termination Timeout ... 150; Restarting the Server (UNIX/Linux) ...
  • Page 9 Writing Customized Expressions ... 188; Turning Off Access Control ...
  • Page 10 Running the Log Analyzer ... 216; Viewing Events (Windows NT/Windows 2000) ...
  • Page 11 The obj.conf File ... 249; Virtual Servers in a Class ...
  • Page 12 Editing Virtual Server Settings ... 276; Editing Using the Virtual Server Manager ...
  • Page 13 Chapter 14 Content Management ... 309; Setting the Primary Document Directory ...
  • Page 14 Syntax ... 336; Parameters ...
  • Page 15 Appendix D International Content Support ... 359; Entering UTF-8 Data ...
  • Page 16 Netscape Enterprise Server Administrator’s Guide • April 2002 (Draft)
  • Page 17: About This Guide

    This guide describes how to configure and administer Netscape® Enterprise Server, Version 6.1. It is intended for information technology administrators in the corporate enterprise who want to extend client-server applications to a broader audience through the World Wide Web. This preface includes the following sections: •...
  • Page 18: How This Guide Is Organized

    This guide is divided into five parts, plus a glossary, and a comprehensive index. If you are new to Netscape Enterprise Server 6.1, begin with Part I, “Server Basics” for an overview of the product. If you are already familiar with this version of Enterprise Server, skim the material in Part I, “Server Basics”...
  • Page 19: Part Iii: Configuring, Monitoring, And Performance Tuning

    • Chapter 4, “Managing Users and Groups” describes how to use the Administration Server Users and Groups forms to configure your Enterprise Servers. • Chapter 5, “Securing Your Enterprise Server” describes how to configure your Enterprise Server security.
  • Page 20: Part Iv: Managing Virtual Servers And Services

    Part IV: Managing Virtual Servers and Services This part provides information for using the Server Manager to programs and configuration styles. The following chapters are included: • Chapter 11, “Using Virtual Servers” describes how to set up and administer virtual servers using your Enterprise Server.
  • Page 21: Using The Enterprise Server Documentation

    This typeface is used for book titles, emphasis, and any text that is a placeholder for text you need to replace for your system. For example, in a URL that contains a reference to your server’s port number, the URL might contain portnumber in italics.
  • Page 22 Table 1 Enterprise Server Documentation (Continued). For information about: the administration server and global information on topics such as encryption, access control, and performance monitoring, see Managing Servers with Netscape Console. For information about: planning your directory service, and how you can use the directory server to support simple usage that involves only a few hundred..., see the Netscape Directory Server Deployment Manual...
  • Page 23: Part 1 Server Basics

    Chapter 1, “Introduction to Enterprise Server” Chapter 2, “Administering Enterprise Servers”...
  • Page 25: Chapter 1 Introduction To Enterprise Server

    This chapter introduces Netscape Enterprise Server and discusses some of the fundamental server concepts. Read it to obtain an overview of how Enterprise Server works. This chapter includes the following sections: • Enterprise Server •...
  • Page 26: Enterprise Server Features

    Enterprise Server is primarily designed to provide access to your business HTML files. In addition, it offers the following features: • Enterprise-wide manageability—Including delegated administration, cluster management, and LDAP (Lightweight Directory Access Protocol) support. LDAP integration with Directory Server enables you to store users and groups in a centralized directory.
  • Page 27: Administering And Managing Enterprise Servers

    You can manage your Enterprise Server(s) via the following user interfaces: • Enterprise Server Administration Server • Server Manager • Class Manager • Virtual Server Manager In previous releases, the Enterprise Server and other Netscape servers were administered by a single server, called the Administration Server.
  • Page 28: Content Engines

    • Application Services These server modules are described in the following sections. Content Engines Enterprise Server content engines are designed for manipulating customer data. The following two content engines make up the content layer of the Enterprise Server architecture: HTTP (Web Server), Content Management, and Search.
  • Page 29: Runtime Environments

    Java Servlets and JavaServer Pages extensions enable all Java servlet and JavaServer page meta-functions, including instantiation, initialization, destruction, access from other components, and configuration management. Java servlets and JavaServer pages are reusable Java applications that run on a web server rather than in a web browser.
  • Page 30: Enterprise Server Component Options

    The server includes a number of configuration files, which are stored in server_root/https-server_id/config and server_root/https-admserv/config when installed on your computer. This section includes the following topics: • Enterprise Server Component Options • Enterprise Server Configuration Files • Single-Server Configuration •...
  • Page 31 The main Enterprise Server configuration files are magnus.conf, obj.conf, mime.types, and server.xml. These configuration files are described in this section. NOTE There are a number of configuration files Enterprise Server uses when your server is set up as part of a cluster of Enterprise Servers (these files include a ...
  • Page 32: Dynamic Reconfiguration

    For more information, see “Specifying a Default MIME Type,” on page 316 in Chapter 14, “Content Management.” Dynamic Reconfiguration Dynamic reconfiguration allows you to make configuration changes to a live web server without having to stop and restart the web server for the changes to take effect.
  • Page 33 • log_anly contains the log analysis tool that runs through the Server Manager. This log analyzer analyzes files in common log format only. • httpacl contains the files that store access control configuration information in server-id files.
  • Page 34 • ClassCache contains classes and Java files generated as a result of the compilation of JavaServer pages. • conf_bk contains backup copies of the server’s configuration files. • config contains the server instance configuration files. • logs contains the server instance log files. • ... is the script used to reconfigure the server dynamically.
  • Page 35: Unix And Linux Platforms

    • nsacl contains information for your server’s access control lists. • loadbal contains the required files for the Resonate load-balancer integration plugin. • nsapi contains header files and example code for creating your own functions using NSAPI. • search contains information for your server’s search plugins. • ... contains information for your server’s SNMP plugins.
  • Page 36: Virtual Server Configuration

    Virtual servers allow you, with a single installed server, to offer companies or individuals domain names, IP addresses, and some server administration capabilities. You can configure virtual servers using the Virtual tab of the Server Manager, as well as the Class Manager interface and the file.
  • Page 37: Server Manager

    The first page you see when you access the Administration Server is called Servers. You use the buttons on this page to manage, add, remove, and migrate your Enterprise Servers. The Administration Server provides the following tabs for your administration-level tasks: •...
  • Page 38: Using The Resource Picker

    You use the links on the Preferences page to manage options such as thread pool settings, and to turn the web server on and off. In addition, the Server Manager provides the following tabs for additional Enterprise Server managerial tasks: •...
  • Page 39: Wildcards Used In The Resource Picker

    In many parts of the server configuration, you specify wildcard patterns to represent one or more items to configure. Please note that the wildcards for access control and text search may be different from those discussed in this section. Wildcard patterns use special characters.
  • Page 40: Virtual Server Manager

    To access the Virtual Server Manager, go to the Virtual Servers tab in the Class Manager, then select a virtual server from the list on the Manage Virtual Servers page and click Manage, or click on the link to a virtual server under the tree view. The pages provided in the Virtual Server Manager allow you to check the status and settings, set the Java web applications state to on, and generate reports for the selected virtual server.
  • Page 41: Chapter 2 Administering Enterprise Servers

    This chapter describes how to administer Netscape Enterprise Server with the Enterprise Server Administration Server. Using the Administration Server, you can manage servers, add and remove servers, and migrate servers from a previous release. This chapter includes the following sections: •...
  • Page 42: Windows Nt/Windows 2000 Platforms

    The Enterprise Server installation program creates a program group with several icons for Windows NT/Windows 2000 platforms. The program group includes the following icons: • Release Notes • Start Administration Server • Uninstall Enterprise Server 6.1 •...
  • Page 43: Running Multiple Servers

    There are two ways you can have multiple web servers running on your system: • Use virtual servers • Install multiple instances of the server Virtual Servers Virtual servers allow you, with a single installed server, to offer companies or individuals domain names, IP addresses, and some server administration capabilities.
  • Page 44: Removing A Server

    If you installed your server before configuring your system to host multiple IP addresses, configure your system to respond to different IP addresses. Then you can either install IP virtual servers or change the server’s bind address using the Server Manager and install separate instances of the server for each IP address.
  • Page 45: Migrating A Server

    You can migrate a server instance from iPlanet™ Web Server 4.x to Enterprise Server 6.1. Your iPlanet Web Server 4.x server instance is preserved, and a new Enterprise Server 6.1 server using the same settings is created. You should stop running iPlanet Web Server 4.x before migrating settings.
  • Page 47: Part 2 Using The Administration Server

    Chapter 3, “Setting Administration Preferences” Chapter 4, “Managing Users and Groups” Chapter 5, “Securing Your Enterprise Server” Chapter 6, “Managing Server Clusters”...
  • Page 49: Chapter 3 Setting Administration Preferences

    You can configure your Netscape Enterprise Server Administration Server using the pages on the Preferences and Global Settings tabs. Note that you must enable cookies and JavaScript in your browser to configure your server. This chapter includes the following sections: •...
  • Page 50: Editing Listen Socket Settings

    You can stop the server using one of the following methods: • Access the Administration Server, choose the Preferences tab, select the Shut Down link, and click the “Shut down the administration server!” button. For more information, see The Shut Down Page in the online help. •...
  • Page 51: Changing The Superuser Settings

    You do not need to specify a server user if you chose a port number greater than 1024 and are not running as the root user (in this case, you do not need to be logged on as root to start the server).
  • Page 52: Allowing Multiple Administrators

    To change the superuser settings for the Administration Server, perform the following steps: Access the Administration Server and choose the Preferences tab. Click the Superuser Access Control link. Make the desired changes and click OK. The superuser’s user name and password are kept in a file called ...
  • Page 53 • end users can view read-only data stored in the database. Additionally, end users may be granted access permissions to change only specific data. For an in-depth discussion of access control for Enterprise Server, see “What Is Access Control?,”...
  • Page 54: Specifying Log File Options

    The Enterprise Server Administration Server log files record data about the server, including the types of errors encountered and information about server access. Viewing these logs allows you to monitor server activity and troubleshoot problems by providing data like the type of error encountered and the time certain files were accessed.
  • Page 55: The Error Log File

    The error log lists all the errors the server has encountered since the log file was created. It also contains informational messages about the server, such as when the server was started and who tried unsuccessfully to log in to the server. To view the error log file, perform the following steps: Access the Enterprise Server Administration Server and choose the Preferences tab.
  • Page 56: Configuring Directory Services

    To restart, start, or stop cron control, perform the following steps: Access the Enterprise Server Administration Server and choose the Global Settings tab. Click the Cron Control link. Click Restart, Start, or Stop to change the cron controls. Note that any time you add a task to cron, you need to restart the daemon.
  • Page 57: Configuring Jre/Jdk Paths

    You can set access control globally for all servers through the Enterprise Server Administration Server or for a resource within a specific server instance through the Server Manager. For more information about setting access control for a resource, see “Setting Access Control,”...
  • Page 58 Click the radio button corresponding to the feature to enable. For instance, click JDK to supply the path to the Java Development Kit installed on your machine. Enter the appropriate information and click OK. You must restart your server for changes to become effective. See The Configure JRE/JDK Paths Page in the online help for more information.
  • Page 59: Chapter 4 Managing Users And Groups

    This chapter describes how to add, delete, and edit the users and groups who can access your Netscape Enterprise Server. This chapter includes the following sections: • Using Directory Services to Manage Users and Groups •...
  • Page 60: Understanding Distinguished Names (Dns)

    Since Enterprise Server does not support local LDAP, you must have a directory server installed before you can add users and groups. Understanding Distinguished Names (DNs) Use the Users and Groups tab of the Administration Server to create or modify users, groups, and organizational units.
  • Page 61: Using Ldif

    If you do not currently have a directory, or if you want to add a new subtree to an existing directory, you can use the Directory Server’s Administration Server LDIF import function. This function accepts a file containing LDIF and attempts to build a directory or a new subtree from the LDIF entries.
  • Page 62: How To Create A New User Entry

    • The user ID must be unique. The Administration Server ensures that the user ID is unique by searching the entire directory from the search base (base DN) down to see if the user ID is in use. Be aware, however, that if you use the Directory Server ldapmodify command line utility (if available) to create a...
  • Page 63: Directory Server User Entries

    The following user entry notes may be of interest to the directory administrator: • User entries use the inetOrgPerson, organizationalPerson, and person object classes. • By default, the distinguished name for users is of the form: cn=full name, ou=organization, ...,o=base organization, c=country For example, if a user entry for Babs Jensen is created within the organizational unit Marketing, and the directory’s base DN is o=Example Corporation, c=US,...
  • Page 64: Managing Users

    • Sometimes a user’s name can be more accurately represented in characters of a language other than the default language. You can select a preferred language for users so that their names will display in the characters of that language, even when the default language is English.
  • Page 65: Building Custom Search Queries

    A name. Enter a full name or a partial name. All entries that equally match the search string will be returned. If no such entries are found, all entries that contain the search string will be found. If no such entries are found, any entries that sound like the search string are found.
  • Page 66 • The left-most pull-down list allows you to specify the attribute on which the search will be based. The available search attribute options are described in the following table: Table 4-3 Search Attribute Options (Option Name: Description). full name: Search each entry’s full name for a match.
  • Page 67: Editing User Information

    Table 4-4 Search Type Options (Option Name: Description). sounds like: Causes an approximate, or phonetic, search to be performed. Use this option if you know an attribute’s value, but you are unsure of the spelling. For example, if you are not sure if a user’s name is spelled “Sarret,”...
  • Page 68: Managing A User's Password

    In addition, note that you can change the user’s first, last, and full name field from this form, but to fully rename the entry (including the entry’s distinguished name), you need to use the Rename User form. For more information on how to rename an entry, see “Renaming Users,”...
  • Page 69: Renaming Users

    Access the Enterprise Server Administration Server and choose the Users & Groups tab. Display the user entry as described in “Finding User Information,” on page 64. Click the Licenses link at the top of the User Edit form. Make the desired changes and click OK.
  • Page 70: Removing Users

    server_root/https-admserv/config/dsgw-orgperson.conf For more information, see The Manage Users Page in the online help. Removing Users To delete a user entry, perform the following steps: Access the Enterprise Server Administration Server and choose the Users & Groups tab. Display the user entry as described in “Finding User Information,” on page 64. Click Delete User.
  • Page 71: Static Groups

    For static and dynamic groups, members can share a common attribute from a certificate if you use memberCertDescription. Note that these will only work if the ACL uses the SSL method. Once you create a new group, you can add users, or members, to it. This section includes the following topics for creating groups: •...
  • Page 72: Dynamic Groups

    For more information, see The New Group Page in the online help. Dynamic Groups A dynamic group has an objectclass of groupOfURLs, and has zero or more memberURL attributes, each of which is an LDAP URL that describes a set of objects. Enterprise Server enables you to create a dynamic group when you want to group users automatically based on any attribute, or when you want to apply ACLs to...
  • Page 73: Groups Can Be Static And Dynamic

    The DNs are included automatically, without your having to add each individual to the group. The group changes dynamically, because Enterprise Server performs an LDAP server search each time a group lookup is needed for ACL verification. The user and group names used in the ACL file correspond to the attribute of the objects in the LDAP database.
  • Page 74 • Enter the group’s LDAP URL using the following format (without host and port info, since these parameters are ignored): ldap:///<basedn>?<attributes>?<scope>?<(filter)> The required parameters are described in the following table: Table 4-5 Dynamic Groups: Required Parameters (Parameter Name: Description). <base_dn>: The Distinguished Name (DN) of the search base, or point from...
  • Page 75: To Create A Dynamic Group

    • If any organizational units have been defined for your directory, you can specify where you want the new group to be placed using the Add New Group To list. The default location is your directory’s root point, or top-most entry. •...
  • Page 76: Finding Group Entries

    Before you can edit a group entry, first you must find and display the entry. To find a group entry, perform the following steps: Access the Enterprise Server Administration Server and choose the Users & Groups tab.
  • Page 77: Editing Group Attributes

    For more information regarding how to build a custom search filter, see “Building Custom Search Queries,” on page 65. Editing Group Attributes To edit a group entry, perform the following steps: Access the Enterprise Server Administration Server and choose the Users & Groups tab.
  • Page 78: Adding Groups To The Group Members List

    A name. Enter a full name or a partial name. All entries whose name matches the search string are returned. If no such entries are found, all entries that contain the search string are found. If no such entries are found, any entries that sound like the search string are found.
  • Page 79: Removing Entries From The Group Members List

    To delete an entry from the group members list, perform the following steps: Access the Enterprise Server Administration Server and choose the Users & Groups tab. Click the Manage Groups link, locate the group you want to manage as described in “Finding Group Entries,”...
  • Page 80: Removing Groups

    You manage see alsos the same way as you manage the group members list. The following table shows you which section to read for more information: Table 4-7 Additional Information (Task You Want to Complete: Read Section). Add users to see alsos: “Adding Group Members,”...
  • Page 81: Renaming Groups

    To rename a group, perform the following steps: Access the Enterprise Server Administration Server and choose the Users & Groups tab. Click the Manage Groups link and locate the group you want to manage as described in “Finding Group Entries,”...
  • Page 82: Managing Organizational Units

    ou=new organization, ou=parent organization, ...,o=base organization, c=country For example, if you create a new organization called Accounting within the organizational unit West Coast, and your Base DN is o=Example Corporation, c=US, then the new organization unit’s DN is: ou=Accounting, ou=West Coast, o=Example Corporation, c=US Managing Organizational Units You edit and manage organizational units from the Organizational Unit Edit form.
  • Page 83: The "Find All Units Whose" Field

    As an alternative, use the pull down menus in the Find all units whose field to narrow the results of your search. In the Look within field, select the organizational unit under which you want to search for entries. The default is the root point of the directory.
  • Page 84: Renaming Organizational Units

    To rename an organizational unit entry, access the Enterprise Server Administration Server and perform the following steps: Make sure no other entries exist in the directory under the organizational unit that you want to rename. Locate the organizational unit you want to edit as described in “Finding Organizational Units,”...
  • Page 85: Managing A Preferred Language List

    Enterprise Server enables you to display and maintain the list of preferred languages. To manage the preferred language list, perform the following steps: Access the Enterprise Server Administration Server and choose the Users & Groups tab.
  • Page 87: Chapter 5 Securing Your Enterprise Server

    This chapter describes how to activate the various security features designed to safeguard your data, deny intruders access, and allow access to those you want. Netscape Enterprise Server 6.1 incorporates the security architecture of all Netscape servers: it’s built on industry standards and public protocols for maximum interoperability and consistency.
  • Page 88: Requiring Authentication

    • Considering Additional Security Issues Requiring Authentication Authentication is the process of confirming an identity. In the context of network interactions, authentication is the confident identification of one party by another party. Certificates are one way of supporting authentication. Using Certificates for Authentication A certificate consists of digital data that specifies the name of an individual, company, or other entity, and certifies that the public key, included in the...
  • Page 89: Virtual Server Certificates

    You can have a different certificate database per virtual server. Each virtual server database can contain multiple certificates. Virtual servers can also have different certificates within each instance. Creating a Trust Database Before requesting a server certificate, you must create a trust database. In Enterprise Server the Administration Server and each server instance can have its own trust database.
  • Page 90: Using Password.conf

    For the Server Manager, click Apply, and then Restart for changes to take effect. After creating a certificate trust database for your server, you can request a certificate and submit it to a Certificate Authority (CA). If your company has its own internal CA, request your certificate from them.
  • Page 91: Start An Ssl-Enabled Server Automatically

    If security risks are not a concern for you, follow these steps to start your SSL-enabled server automatically: Make sure SSL is on. See “Turning Security On,” on page 110. Create a new file in the subdirectory of the server...
  • Page 92: Installing A Verisign Certificate

    Follow the VeriSign procedure. Installing a VeriSign Certificate If you request and receive approval for a VeriSign certificate, it should appear in the drop-down list of the Install VeriSign Certificate page in one to three days. To install a VeriSign Certificate, perform the following steps: Access either the Enterprise Server Administration Server or the Server Manager and choose the Security tab.
  • Page 93: Required Ca Information

    Before you begin the request process, make sure you know what information your CA requires. Whether you are requesting a server certificate from a commercial CA or an internal CA, you need to provide the following information: •...
  • Page 94: Requesting Other Server Certificates

    Some commercial CAs offer certificates with greater detail and veracity to organizations or individuals who provide more thorough identification. For example, you might be able to purchase a certificate stating that the CA has not only verified that you are the rightful administrator of the www.example.com computer, but that you are a company that has been in business for three years,...
  • Page 95 NOTE There are many factors that affect SSL performance, such as server load, operating system and SSL hardware accelerators. Also, older browsers might have problems with the larger key size. Do not change the key size without first determining if it is necessary for your environment.
  • Page 96: Installing Other Server Certificates

    The CA will notify you if it agrees to issue you a certificate. In most cases, the CA will send your certificate via email. If your organization is using a certificate server, you may be able to search for the certificate by using the certificate server’s forms. NOTE Not everyone who requests a certificate from a commercial CA is given one.
  • Page 97: Installing A Certificate

    To install a certificate, perform the following steps: Access either the Enterprise Server Administration Server or the Server Manager and choose the Security tab. For the Server Manager you must first select the server instance from the drop-down list.
  • Page 98 Requesting and Installing Other Server Certificates If you copy and paste the text, be sure to include the headers -----Begin Certificate----- and -----End Certificate-----, including the beginning and ending hyphens. Click OK. Select either: Add Certificate if you are installing a new certificate. Replace Certificate if you are installing a certificate renewal.
  • Page 99: Migrating Certificates When You Upgrade

    Migrating Certificates When You Upgrade The certificate is stored in the server’s certificate database. The filename will be <alias>-cert7.db. For example: https-serverid-hostname-cert7.db. Migrating Certificates When You Upgrade Key-pair files and certificates are migrated only if your server has security enabled. You can also migrate keys and certificates by themselves using the Security tabs in the Enterprise Server Administration Server page and the Server Manager page.
  • Page 100: Using The Built-In Root Certificate Module

    Managing Certificates Enter the Alias. Enter the Password. Click OK. For the Server Manager, click Apply, and then Restart for changes to take effect. Using the Built-in Root Certificate Module The dynamically loadable root certificate module included with Enterprise Server 6.1 contains the root certificates for many CAs, including VeriSign.
  • Page 101 Managing Certificates To manage certificate lists, perform the following steps: Access either the Enterprise Server Administration Server or the Server Manager and choose the Security tab. For the Server Manager you must first select the server instance from the drop-down list. Click the Manage Certificates link.
  • Page 102: Installing and Managing CRLs and CKLs

    Installing and Managing CRLs and CKLs Installing and Managing CRLs and CKLs Certificate revocation lists (CRLs) and compromised key lists (CKLs) make known any certificates and keys that either client or server users should no longer trust. If data in a certificate changes, for example, a user changes offices or leaves the organization before the certificate expires, the certificate is revoked, and its data appears in a CRL.
  • Page 103: Managing Local CRLs and CKLs

    Installing and Managing CRLs and CKLs If you selected Compromised Key List, the Add Compromised Key List page will appear listing CKL information. NOTE If a CRL or CKL list already exists in the database, a Replace Certificate Revocation List or Replace Compromised Key List page appears.
  • Page 104: Configuring Remote CRLs

    Configuring Remote CRLs Configuring Remote CRLs Configure automatic CRL downloads to help ensure that your CRLs are kept up to date with minimal inconvenience. Enterprise Server supports CRL downloads over HTTP, HTTP over SSL, LDAP, and LDAP over SSL. Once a CRL is downloaded, Enterprise Server stores the information in memory.
  • Page 105 Configuring Remote CRLs how often the CRL is updated; the system time for the CRL download server; whether the CRL has a Next Update field. Access either the Enterprise Server Administration Server or the Server Manager and choose the Security tab. For the Server Manager you must first select the server instance from the drop-down list.
  • Page 106 Configuring Remote CRLs NOTE If a CRL download URL uses the HTTPS or the LDAPS protocol, verify with the CA that the certificate for the CRL server has not been revoked. Enterprise Server will not communicate with a client or server with a revoked certificate. At startup, Enterprise Server does not yet have any CRLs stored in memory, so if the certificate has been revoked, the initial CRL update succeeds.
  • Page 107: Reducing The SSL3/TLS Session Cache Timeout

    Configuring Remote CRLs When you are ready to save your configuration settings, click OK. A popup message tells you your Automatic/Remote Certificate Revocation List (CRL) Settings have been updated. Click OK to dismiss the popup. The page reloads with your updated settings. Repeat Step 6 through Step 10 as needed for all the CRLs you want to configure for automatic downloading.
  • Page 108: Setting Security Preferences

    Setting Security Preferences Setting Security Preferences Once you have a certificate, you can begin securing your server. Several security elements are provided by Enterprise Server. Encryption is the process of transforming information so it is unintelligible to anyone but the intended recipient. Decryption is the process of transforming encrypted information so that it is intelligible again.
  • Page 109: SSL and TLS Protocols

    Setting Security Preferences SSL and TLS Protocols Enterprise Server 6.1 supports the Secure Sockets Layer (SSL) and the Transport Layer Security (TLS) protocols for encrypted communication. SSL and TLS are application independent, and higher level protocols can be layered transparently on them.
  • Page 110: Enabling Security For Connection Groups

    Setting Security Preferences Enabling Security for Connection Groups You can secure your server’s connection groups by: • Turning the security on • Selecting a server certificate for a connection group • Selecting ciphers Turning Security On You must turn security on before you can configure the other security settings for your connection group.
  • Page 111: Selecting A Server Certificate For A Connection Group

    Setting Security Preferences Access either the Administration Server or the Server Manager and choose the Security tab. For the Server Manager you must first select the server instance from the drop-down list. Select the Preferences tab, if not already displayed. Choose the Edit Listen Sockets link.
  • Page 112: Selecting Ciphers

    Setting Security Preferences Click the Attributes link. The Security Settings of Listen Socket page appears. NOTE If you have an external module installed, the Manage Server Certificates page will appear requiring the external module’s password before you can continue. Select a server certificate from the drop-down CertificateName list for the connection group.
  • Page 113 Setting Security Preferences Click the Edit Listen Sockets link. The Listen Socket Table page appears. Use the drop-down Action list to select Edit, if not already displayed, for the connection group you are enabling security for. Use the drop-down list to turn Security on for that connection group, if it is off. Click OK.
  • Page 114: Configuring Security Globally

    Setting Security Preferences For the Server Manager, click Apply, and then Restart for changes to take effect. NOTE When you apply changes after turning on security for a connection group, the magnus.conf file is automatically modified to show security on, and all virtual servers associated with the connection group are automatically assigned the default security parameters.
  • Page 115: SSLSessionTimeout

    Using External Encryption Modules Enter the values for: SSLSessionTimeout, SSLCacheEntries, SSL3SessionTimeout. Click OK. Click Apply, and then Restart for changes to take effect. These SSL Configuration File Directives are described below: The SSLSessionTimeout directive controls SSL2 session caching. Syntax: SSLSessionTimeout seconds, where seconds is the number of seconds until a cached SSL session becomes invalid.
  • Page 116: Installing The PKCS#11 Module

    Using External Encryption Modules • FIPS-140 You will need to add the PKCS #11 module before activating the FIPS-140 encryption standard. Installing the PKCS#11 Module Enterprise Server supports Public Key Cryptography Standard (PKCS) #11, which defines the interface used for communication between SSL and PKCS#11 modules. PKCS#11 modules are used for standards-based connectivity to SSL hardware accelerators.
  • Page 117: Using pk12util

    Using External Encryption Modules Perform the actions required. For example, to add the PKCS#11 module in UNIX you would enter: modutil -add PKCS#11_file_name -libfile PKCS#11_libfile -nocertdb -dbdir db_directory. Using pk12util allows you to export certificates and keys from your internal database and to import them into an internal or external PKCS#11 module.
  • Page 118 Using External Encryption Modules Enter the pkcs12 password. Importing with pk12util To import a certificate and key into an internal or external PKCS#11 module, perform the following steps: Go to the server_root/alias directory containing the databases. Add server_root/bin/https/admin/bin to your PATH. Locate pk12util in server_root/bin/https/admin/bin. Set the environment.
  • Page 119: Selecting The Certificate Name For A Connection Group

    Using External Encryption Modules The server always tries to start with the certificate named “Server-Cert.” However, certificates in external PKCS#11 modules include one of the module’s token names in their identifier. For example, a server certificate installed on an external smartcard reader called “smartcard0”...
  • Page 120: FIPS-140 Standard

    Using External Encryption Modules To find what value to use for $TOKENNAME, go to the server’s Security tab and select the Manage Certificates link. When you log in to the external module where Server-Cert is stored, its certificates are displayed in the list in the form token_name:nickname. NOTE...
  • Page 121: Setting Client Security Requirements

    Setting Client Security Requirements To enable FIPS-140, perform the following steps: Install the plug-in following the FIPS-140 instructions. Access either the Administration Server or the Server Manager and choose the Preferences tab. For the Server Manager you must first select the server instance from the drop-down list.
  • Page 122: Requiring Client Authentication

    Setting Client Security Requirements Requiring Client Authentication You can enable the connection groups for your Administration Server and each server instance to require client authentication. When client authentication is enabled, the client’s certificate is required before the server will send a response to a query.
  • Page 123: To Require Client Authentication

    Setting Client Security Requirements To Require Client Authentication To require client authentication, perform the following steps: Access either the Administration Server or the Server Manager and choose the Preferences tab. For the Server Manager you must first select the server instance from the drop-down list.
  • Page 124 Setting Client Security Requirements The server tries to match the CA to the list of trusted CAs in the Administration Server. If there isn’t a match, Enterprise Server ends the connection. If there is a match, the server continues processing the request. After verifying the certificate is from a trusted CA, the server maps the certificate to an LDAP entry by: •...
  • Page 125: Using The certmap.conf File

    Setting Client Security Requirements Using the certmap.conf File Certificate mapping determines how a server looks up a user entry in the LDAP directory. You can use certmap.conf to configure how a certificate, designated by name, is mapped to an LDAP entry. You edit this file and add entries to match the organization of your LDAP directory and to list the certificates you want your users to have.
  • Page 126 Setting Client Security Requirements • DNComps is a list of comma-separated attributes used to determine where in the LDAP directory the server should start searching for entries that match the user’s information (that is, the owner of the client certificate). The server gathers values for these attributes from the client certificate and uses the values to form an LDAP DN, which then determines where the server starts its search in the LDAP directory.
  • Page 127 Setting Client Security Requirements Table 5-2 Attributes for x509v3 Certificates (Attribute / Description): Organizational unit; User ID; Email address (email). The attribute names for the filters need to be attribute names from the certificate, not from the LDAP directory. For example, some certificates have an attribute for the user’s email address;...
  • Page 128: Creating Custom Properties

    Setting Client Security Requirements Creating Custom Properties You can use the client certificate API to create your own properties. For information on programming and using the client certificate API, see the Netscape Enterprise Server NSAPI Programmer’s Guide. Once you have a custom mapping, you reference the mapping as follows: <name>:library <path_to_shared_library>...
  • Page 129 Setting Client Security Requirements
      certmap usps ou=United States Postal Service, o=usps, c=US
      usps:DNComps ou,o,c
      usps:FilterComps e
      usps:verifycert on
    When the server gets a certificate from anyone other than the US Postal Service, it uses the default mapping, which starts at the top of the LDAP tree and searches for an entry matching the client’s email and userid.
  • Page 130: Setting Stronger Ciphers

    Setting Stronger Ciphers Setting Stronger Ciphers The Stronger Ciphers option presents a choice of 168, 128, or 56-bit secret key size for access, or no restriction. You can specify a file to be served when the restriction is not met. If no file is specified, Enterprise Server returns a “Forbidden” status. If you select a key size for access that is not consistent with the current cipher settings under Security Preferences, Enterprise Server displays a popup dialog warning that you need to enable ciphers with larger secret key sizes.
  • Page 131: Considering Additional Security Issues

    Considering Additional Security Issues Select Stronger Ciphers. Choose what to edit: from the drop-down list, by clicking Browse, or by clicking Wildcard. Select the secret key size restriction: 168 bit or larger, 128 bit or larger, 56 bit or larger, or No restrictions. Enter the file location of the message to reject access.
  • Page 132: Limit Physical Access

    Considering Additional Security Issues • Preventing Clients from Caching SSL Files • Limiting Ports • Knowing Your Server’s Limits • Making Additional Changes to Protect Servers Limit Physical Access This simple security measure is often forgotten. Keep the server machine in a locked room that only authorized people can enter.
  • Page 133: Creating Hard-To-Crack Passwords

    Considering Additional Security Issues A good password is one you’ll remember but others won’t guess. For example, you could remember MCi12!mo as “My Child is 12 months old!” A bad password is your child’s name or birthdate. Creating Hard-to-Crack Passwords There are some simple guidelines that will help you create a stronger password.
  • Page 134: Limiting Other Applications On The Server

    Considering Additional Security Issues Access either the Administration Server or the Server Manager and choose the Security tab. For the Server Manager you must first select the server instance from the drop-down list. Select the Change Password link. Select the security token on which you want to change the password from the drop-down list.
  • Page 135: Windows NT/Windows 2000

    Considering Additional Security Issues Windows NT/Windows 2000 Carefully consider which drives and directories you share with other machines. Also, consider which users have accounts or Guest privileges. Similarly, be careful about what programs you put on your server, or allow other people to install on your server.
  • Page 136: Making Additional Changes To Protect Servers

    Considering Additional Security Issues Making Additional Changes to Protect Servers If you want to have both protected and unprotected servers, you should operate the unprotected server on a different machine from the protected one. If your resources are limited and you must run an unprotected server on the same machine as your protected server, do the following.
  • Page 137: Specifying chroot For A Virtual Server Class CGIs (UNIX/Linux Only)

    Considering Additional Security Issues Specifying chroot for a Virtual Server Class CGIs (UNIX/Linux Only) You can specify the chroot directory for virtual server class CGIs by performing the following steps: Access the Server Manager and select the server instance from the drop-down list.
  • Page 138 Considering Additional Security Issues You can also specify the chroot directory for a virtual server using the Class Manager Virtual Servers tab and the CGI Settings link. For more information regarding how to specify a chroot directory for a virtual server, see the Netscape Enterprise Server Programmer’s Guide.
  • Page 139: Chapter 6 Managing Server Clusters

    Chapter 6 Managing Server Clusters This chapter describes the concept of clustering Netscape Enterprise Servers and explains how you can use them to share configurations among servers. This chapter includes the following sections: • About Clusters • Guidelines for Using Server Clusters •...
  • Page 140: Guidelines For Using Server Clusters

    Guidelines for Using Server Clusters • Share one or more configuration files between servers • Start and stop all servers from one “master” Administration Server • View the access and error logs for the servers you selected By clustering your Enterprise Servers, you’re able to specify a master Administration Server for administering all of your clusters.
  • Page 141: Setting Up A Cluster

    Setting Up a Cluster • Install all of the servers you want to include in a particular cluster prior to creating any clusters. • Make sure all servers in a cluster are version 6.1 Enterprise Servers. • Make sure all cluster-specific Administration Servers have the same userid and password as the master administration server.
  • Page 142: Adding A Server To A Cluster

    Adding a Server to a Cluster Administer a remote server by accessing its Server Manager forms from the cluster form or by copying a configuration file from one server in the cluster to another. NOTE After changing the configuration for a remote server, restart the remote server.
  • Page 143: Modifying Server Information

    Modifying Server Information Your master Administration Server now attempts to contact the remote server. This can take a few minutes. You will receive a message confirming the server is added to the cluster. Click OK. NOTE If you have two or more servers on different computers that use the same identifier, the server identifier and the hostname for each computer are displayed.
  • Page 144: Removing Servers From A Cluster

    Removing Servers from a Cluster Removing Servers from a Cluster To remove a server from the cluster, perform the following steps: Go to the master Administration Server and choose the Cluster Mgmt tab. Click the Remove Server link. Select the remote server or servers to modify by checking a specific server or clicking Select All. Click Reset Selection to undo all selections.
  • Page 145: Adding Variables

    Adding Variables Clicking Select All to select all of the servers in the cluster. Click Reset Selection to undo all selections. Select Start or Stop remote servers from the drop-down menu. Select View Access or View Error log records from the drop-down menu and enter the number of lines you wish to view.
  • Page 146 Adding Variables Click OK. The variable must also be added to the server’s configuration file you are transferring to the slave. For example, if port was the variable added: SERVERPORT $Port. You can set variables with different values for each slave in the configuration file. Once added, variables can also be edited and deleted using the drop-down Option list in the Add Variables page.
  • Page 147: Part 3 Configuring, Monitoring, And Performance Tuning

    Part 3 Configuring, Monitoring, and Performance Tuning Chapter 7, “Configuring Server Preferences” Chapter 8, “Controlling Access to Your Server” Chapter 9, “Using Log Files” Chapter 10, “Monitoring Servers” Chapter 11, “Tuning Your Server for Performance”...
  • Page 148
  • Page 149: Chapter 7 Configuring Server Preferences

    Chapter 7 Configuring Server Preferences This chapter describes how to configure server preferences for your Netscape Enterprise Server. This chapter contains the following sections: • Starting and Stopping the Server • Tuning Your Server for Performance • Editing the magnus.conf File •...
  • Page 150: Setting The Termination Timeout

    Starting and Stopping the Server The status of the server appears in the Server On/Off page. You can start and stop the server using one of the following methods: • Click Server On or Server Off in the Server On/Off page. •...
  • Page 151: Restarting The Server (UNIX/Linux)

    Starting and Stopping the Server where seconds represents the number of seconds the server will wait before timing out. Restarting the Server (UNIX/Linux) You can restart the server using one of the following methods: • Automatically restart it from the file.
  • Page 152: Restarting The Server Manually (UNIX/Linux)

    Starting and Stopping the Server server_root/https-identifier/start Replace server_root with the directory where you installed the server. Restarting the Server Manually (UNIX/Linux) To restart the server from the command line, log in as root if the server runs on ports with numbers lower than 1024; otherwise, log in as root or with the server’s user account.
  • Page 153: Using The Automatic Restart Utility (Windows NT/Windows 2000)

    Starting and Stopping the Server For Windows NT/Windows 2000, perform the following steps: In the Control Panel double-click the Services icon. Scroll through the list of services and select the service for your server. Check Automatic to have your computer start the server each time the computer starts or reboots.
  • Page 154: Tuning Your Server For Performance

    Tuning Your Server for Performance Type the time interval (in seconds) that will elapse between startup and the time the server can restart automatically. The interval can be in binary, decimal, or hexadecimal format. Click the numerical format for the value you entered in the previous step (binary, decimal, or hexadecimal).
  • Page 155: Editing The magnus.conf File

    Editing the magnus.conf File The minimum limit is a goal for how many threads the server attempts to keep in the WaitingThreads state. This number is just a goal. The number of actual threads in this state may go slightly above or below this value. The default value is 48. The maximum threads represents a hard limit for the maximum number of active threads that can run simultaneously, which can become a bottleneck for performance.
  • Page 156: Adding And Editing Listen Sockets

    Adding and Editing Listen Sockets Adding and Editing Listen Sockets Before the server can process a request, it must accept the request via a listen socket, then direct the request to the correct connection group and virtual server. When you install Enterprise Server, one listen socket, ls1, is created automatically. This listen socket uses the IP address 0.0.0.0 (equivalent to “all addresses on this machine”) and the port number you specified as your HTTP server port number during installation (the default is 80).
  • Page 157: Restricting Access

    Restricting Access Restricting Access You can control access to the entire server or to parts of the server (that is, directories, files, file types) using the Server Manager’s Restrict Access page. When the server evaluates an incoming request, it determines access based on a hierarchy of rules called access-control entries (ACEs), and then it uses the matching entries to determine if the request is allowed or denied.
  • Page 158: Configuring The File Cache

    Configuring the File Cache Configuring the File Cache The Enterprise Server uses a file cache to serve static information faster. In the previous version of the server, there was also an accelerator cache which routed requests to the file cache, but the accelerator cache is no longer used. The file cache contains information about files, and static file content.
  • Page 159: Thread Pools (UNIX/Linux)

    Adding and Using Thread Pools Thread Pools (UNIX/Linux) Since threads on UNIX/Linux are always OS-scheduled (as opposed to user-scheduled), UNIX/Linux users do not need to use the NativePool, and do not have a Server Manager page for editing its settings. However, UNIX/Linux users can still create thread pools.
  • Page 160 Adding and Using Thread Pools
  • Page 161: Chapter 8 Controlling Access To Your Server

    Chapter 8 Controlling Access to Your Server This chapter discusses the various methods you can use to control access to the Administration Server and to the files or directories on your web site. For example, for the Administration Server, you can specify who has full control of all the servers installed on a machine and who has partial control of one or more servers.
  • Page 162: Setting Access Control For User-Group

    What Is Access Control? • Which programs they can access • Who can access the files or directories on your web site You can control access to the entire server or to parts of the server, or the files or directories on your web site.
  • Page 163: Default Authentication

    What Is Access Control? User-Group authentication requires users to authenticate themselves before getting access to the Administration Server, or the files and directories on your web site. With authentication, users verify their identity by entering a username and password, using a client certificate, or using a digest authentication plug-in. Using client certificates requires encryption.
  • Page 164: SSL Authentication

    What Is Access Control? The following dialog appears to prompt users to authenticate themselves to the server: Figure 8-1 Example of Username and Password Prompt After clicking OK, the user will see: • The Server Administration page, if authenticated to access Enterprise Application Server •...
  • Page 165: Digest Authentication

    What Is Access Control? • Checks the ACL rules specified for that user if the certificate maps correctly. Even if the certificate maps correctly, ACL rules can deny the user access. Requiring client authentication for controlling access to specific resources differs from requiring client authentication for all connections to the server.
  • Page 166 What Is Access Control? In order for this to work, your directory server needs access to the user’s password in cleartext. Later versions of Directory Server include a reversible password plug-in using a symmetric encryption algorithm to store data in an encrypted form, that can later be decrypted to its original form.
  • Page 167 What Is Access Control? Gets the request-digest value from the directory server and checks for a match to the client’s request-digest. If there is no match, it generates a 401 response, and the process stops. Constructs an Authorization-Info header and inserts it into the server headers. Installing the Digest Authentication Plug-in on UNIX The Digest Authentication plug-in consists of a shared library found in both: •...
  • Page 168: Using Other LDAP Attributes For Authentication

    What Is Access Control? Copy them into either \Winnt\system32 or the Directory Server install directory: server_root\bin\sldap\server. Setting the Directory Server to Use the DES Algorithm The DES algorithm is needed to encrypt the attribute where the digest password is stored. To set the Directory Server to use the DES algorithm, perform the following steps: Launch the Directory Server Console.
  • Page 169: Other Authentication

    What Is Access Control? You can use uniqueattr to specify any attribute that will return a single entry when the LDAP server is queried. If a query returns multiple entries, the authentication will fail. When you use an alternative attribute for user authentication, you can still use normal syntax in your ACL entries unless the LDAP entry returned by a query will include spaces (for example, ).
  • Page 170: Using Access Control Files

    What Is Access Control? Host-IP authentication does not require DNS to be configured on your server. If you choose to use Host-IP authentication, you must have DNS running in your network and your server must be configured to use it. You can enable DNS on your server through the Performance Tuning page in the Preferences tab on your Server Manager.
  • Page 171: How Access Control Works

    How Access Control Works you use a large number for this value, you may need to restart Enterprise Server when changes are made to the LDAP entries. For example, if this value is set to 120 seconds, Enterprise Server might be out of sync with the LDAP directory for as long as two minutes.
  • Page 172 How Access Control Works
      # since this example is using the "basic" method of
      # authentication. A client must be in the directory server
      # to gain access to this default directory since "anyone"
      # not in the directory server is denied, and "all" in the
      # directory server are allowed.
  • Page 173: Setting Access Control

    Setting Access Control
      (ip = "208.12.54.76");
      # The following ACL rule denies everyone not in the directory
      # server and everyone in the directory server except for
      # GroupA and GroupB access to the directory "my_stuff"
      acl "path=/export/user/990628.1/docs/my_stuff/";
      authenticate (user,group) {
      database = "default";...
  • Page 174: Setting Access Control Globally

    Setting Access Control You can set access control globally for all servers through the Administration Server. Each option is described in detail in the following section, Selecting the Access Control Options. NOTE Distributed administration must be configured and activated before global access control can be created. Setting Access Control Globally To create or edit access control globally for all servers, perform the following steps: Access the Administration Server and choose the Global Settings tab.
  • Page 175 Setting Access Control To create or edit the global ACL, click on Deny in the Action column. The Allow/Deny page is displayed in the lower frame: Figure 8-3 Allow/Deny Page Select Allow, if it isn’t already selected as the default, and click Update. Click on anyone in the Users/Groups column.
  • Page 176 Setting Access Control The User/Group page appears in the lower frame: Figure 8-4 User/Group Page Select which users and groups you will allow access to and click Update. Clicking List for Group and User will provide lists for you to choose from. Click on anyplace in the From Host column.
  • Page 177 Setting Access Control Figure 8-5 Programs Select the Program Groups or enter the specific file name in the Program Items field you will allow access to, and click Update. (Optional) Click the x under the Extra column to add a customized ACL expression.
  • Page 178: Setting Access Control For A Server Instance

    Setting Access Control Setting Access Control for a Server Instance You can create, edit, or delete access control for a specific server instance using the Server Manager. NOTE If deleting, you should not delete all the ACL rules from the ACL files.
  • Page 179 Setting Access Control The Access Control List Management Page offering three options appears: Figure 8-6 Access Control List Management Page Select one of the following: Pick a resource to specify a wildcard pattern for files or directories (such as *.html), choose a directory or a filename to restrict, or browse for a file or directory.
  • Page 180 Setting Access Control Table 8-2 describes the resource wildcards you can use. Table 8-2 Server Resource Wildcards (Resource wildcard / What it means): default: A named ACL created during installation that restricts write access so only users in the LDAP directory can publish documents.
  • Page 181 Setting Access Control To create or edit the ACL for this server instance, click on Deny in the Action column. The Allow/Deny page is displayed in the lower frame: Figure 8-8 Allow/Deny Page Select Allow, if it isn’t already selected as the default, and click Update. Click on anyone in the Users/Groups column.
  • Page 182 Setting Access Control Select which users and groups you will allow access to and click Update. Clicking List for Group and User will provide lists for you to choose from. Click on anyplace in the From Host column. Enter Host Names and IP Addresses allowed access and click Update. Click on all in the Rights column.
  • Page 183: Selecting Access Control Options

    Selecting Access Control Options Click Submit to store the new access control rules in the ACL file. NOTE Clicking Revert will remove all of the settings you’ve just created. Repeat all steps above for each server instance you wish to establish access control for.
  • Page 184 Selecting Access Control Options Enterprise Server checks lists of users and groups stored in an LDAP server, such as Directory Server. You can allow or deny access to everyone in the database, you can allow or deny specific people by using wildcard patterns, or you can select who to allow or deny from lists of users and groups.
  • Page 185: Specifying The From Host

    Selecting Access Control Options Basic uses the HTTP method to get authentication information from the client. The username and password are only encrypted if encryption is turned on for the server. SSL uses the client certificate to authenticate the user. To use this method, SSL must be turned on for the server.
  • Page 186: Restricting Access To Programs

    Selecting Access Control Options You can only use the wildcard notation for wildcard patterns that match the computers’ host names or IP addresses. For example, to allow or deny all computers in a specific domain, you would enter a wildcard pattern that matches all hosts from that domain, such as .
  • Page 187: Setting Access Rights

    Selecting Access Control Options The Program Groups listed reflect the tabs of the Administration Server, for example, Preferences and Global Settings, and represent access to those pages. When an administrator accesses the Administration Server, the server uses their username, host, and IP to determine what pages they can view. •...
  • Page 188: Writing Customized Expressions

    Selecting Access Control Options Execute allows users to execute server-side applications, such as CGI programs, and Java applets Delete allows users who also have write privileges to delete files or directories. List allows users to access lists of the files in directories that don’t contain file.
  • Page 189: Responding When Access Is Denied

    Limiting Access to Areas of Your Server From the Administration Server, you could create and turn on access control for a specific server instance and leave it off (which is the default) for other servers. For example, you could deny all access to the Server Manager pages from the Administration Server.
  • Page 190: Restricting Access To The Entire Server

    Limiting Access to Areas of Your Server The following procedures are described in this section: • Restricting Access to the Entire Server • Restricting Access to a Directory (Path) • Restricting Access to a URI (Path) • Restricting Access to a File Type •...
  • Page 191: Restricting Access To A Directory (Path)

    Limiting Access to Areas of Your Server Restricting Access to a Directory (Path) You can allow users in a group to read or run applications in directories, and its subdirectories and files, that are controlled by an owner of the group. For example, a project manager might update status information for a project team to review.
  • Page 192: Restricting Access To A Uri (Path)

    Limiting Access to Areas of Your Server Restricting Access to a URI (Path) You can use a URI to control access to a single user’s content on the web server. URIs are paths and files relative to the server’s document root directory. Using URIs is an easy way to manage your server’s content if you frequently rename or move all or part of it (for example, for disk space).
  • Page 193: Restricting Access Based On Time Of Day

    Limiting Access to Areas of Your Server Click Wildcard in the Pick a resource section and enter a wildcard pattern. For example, *.cgi. Click Edit Access Control. Create a new rule to allow read access to all users. Create another rule that allows write and delete access only to a specified group.
  • Page 194: Restricting Access Based On Security

    Limiting Access to Areas of Your Server Enter the days of the week and the times of day to be allowed. Example: user = "anyone" and dayofweek = "sat,sun" or (timeofday >= 1800 and timeofday <= 600) The message “Unrecognized expressions” will be displayed in the Users/Groups and From Host fields when you create a custom expression.
  • Page 195: Working With Dynamic Access Control Files

    Working with Dynamic Access Control Files Enter ssl="on" (for example: user = "anyone" and ssl="on"). Submit and Apply your changes. Any errors in the custom expression will generate an error message. Make corrections and submit again. Working with Dynamic Access Control Files Server content is seldom managed entirely by one person.
  • Page 196: Enabling .Htaccess From The User Interface

    Working with Dynamic Access Control Files You can use .htaccess files in combination with the server’s standard access control. The standard access controls are always applied before any .htaccess access control, regardless of the ordering of PathCheck directives. Do not require user authentication with both standard and .htaccess access control when...
  • Page 197: Enabling .Htaccess From Magnus.conf

    Working with Dynamic Access Control Files Enabling .htaccess from magnus.conf To manually enable your server to use .htaccess, you need to first modify the server’s magnus.conf file to load, initialize, and activate the plug-in. Open the magnus.conf file in the server_root/https-identifier/config directory.
  • Page 198: Converting Existing .Nsconfig Files To .Htaccess Files

    Working with Dynamic Access Control Files </Object> .htaccess processing should be the last PathCheck directive in the object. To activate .htaccess file processing for particular server directories, place the PathCheck directive in the corresponding object definition in obj.conf. To name your files something other than .htaccess, you must...
  • Page 199: Using Htaccess-Register

    Working with Dynamic Access Control Files To convert your files, at the command prompt, enter the path to Perl on your system, the path to the plug-in script, and the path to your server.xml file. For example: server_root\install\perl server_root/plugins/htaccess/htconvert server_root/https-identifier/config/server.xml The .nsconfig files are converted to...
  • Page 200: Example Of An .Htaccess File

    Working with Dynamic Access Control Files Example of an .htaccess File The following example shows an .htaccess file:
      <Limit GET POST>
      order deny,allow
      deny from all
      allow from all
      </Limit>
      <Limit PUT DELETE>
      order deny,allow
      deny from all
      </Limit>
      AuthName mxyzptlk.kawaii.com
      AuthUserFile /server_root/mxyz-docs/service.pwd
      AuthGroupFile /server_root/mxyz-docs/service.grp
    Supported .htaccess Directives...
  • Page 201: Deny

    Working with Dynamic Access Control Files deny Syntax Deny from host where: • host is all, to deny access from all client hosts • host is all or the last part of a DNS host name • host is a full or partial IP address Does not need to be enclosed in a <Limit> or <LimitExcept> range but usually is.
  • Page 202: Authname

    Working with Dynamic Access Control Files Effect Specifies that the named user file is to be used for any user names referenced in a require user or require valid-user directive. Note that the use of groups-with-users=yes in the Init fn=htaccess-init directive in magnus.conf, or specifying an AuthGroupFile directive with the same...
  • Page 203: Limitexcept

    Working with Dynamic Access Control Files Effect Applies the enclosed directives only for requests using the specified HTTP methods. <LimitExcept> Syntax <LimitExcept method method ...> allow, deny, order, or require directives </LimitExcept> where method is an HTTP method such as GET, POST, or PUT. Any method that the web server understands can be used here.
  • Page 204: Require

    Controlling Access for Virtual Servers require Syntax • require group groupname groupname ... • require user username username ... • require valid-user Does not need to be enclosed within a <Limit> or <LimitExcept> range, but usually is. Effect • require group requires the authenticated user to be a member of one of the specified groups.
  • Page 205: Accessing Databases From Virtual Servers

    Controlling Access for Virtual Servers This configuration allows multiple virtual servers to share the same ACL file. If you want to require user-group authentication for a virtual server, you must add one or more USERDB tags to its definition. These USERDB tags create a connection between the database names in your ACL file and the actual databases found in dbswitch.conf. The following example maps the ACLs with no ‘database’...
  • Page 206: Specifying Ldap Databases In The User Interface

    Controlling Access for Virtual Servers Specifying LDAP Databases in the User Interface After you have defined one or more user authentication databases in dbswitch.conf, you can use the Class Manager to configure which databases each of your virtual servers will use for authentication. You can also use the Class Manager to add a newly created database definition from dbswitch.conf for the...
  • Page 207 Controlling Access for Virtual Servers Click on the virtual server class link where you wish to specify the LDAP database listed under Tree View of the Server. Select the Virtual Servers tab, if not already displayed. Click the ACL Settings link. Choose Edit or Delete from the drop-down list in the Option field for each virtual server you wish to change.
  • Page 209: Chapter 9 Using Log Files

    Chapter 9 Using Log Files You can monitor your server’s activity using several different methods. This chapter discusses how to monitor your server by recording and viewing log files. For information on using the built-in performance monitoring services, quality of service features, or SNMP, see Chapter 10, “Monitoring Servers.” This chapter contains the following sections: •...
  • Page 210: Viewing An Access Log File

    Viewing an Access Log File NOTE Due to limitations in the operating system, Enterprise Server cannot work with log files larger than 2GB on Linux. When the maximum file size is reached, logging will cease. Viewing an Access Log File You can view the server’s active and archived access log files.
  • Page 211: Viewing The Error Log File

    Viewing the Error Log File Table 9-1 The fields in the last line of the sample access log file Access Log Field: Hostname or IP address of client. Example: arrow.example.com (In this case, the hostname is shown because the web server’s setting for DNS lookups is enabled;...
  • Page 212: Archiving Log Files

    Archiving Log Files To view the Administration Server’s error log file, from the Administration Server, choose the Preferences tab, and choose the View Error Log page. To view a server instance’s error log file, from the Server Manager, choose the Logs tab, and choose the View Error Log page.
  • Page 213: Internal-Daemon Log Rotation

    Archiving Log Files Internal-daemon Log Rotation This type of log rotation happens within the HTTP daemon and can only be configured at startup time. Internal daemon log rotation allows the server to rotate logs internally without requiring a server restart. Logs rotated using this method are saved in the following format: access.<4-digit year><2-digit month><2-digit day><4-digit 24-hr time>...
  • Page 214: Setting Log Preferences

    Setting Log Preferences Once the rotation starts, Enterprise Server creates a new time stamped log file when there is a request or error that needs to be logged to the access or error log file and it occurs after the prior-scheduled “next rotate time.” NOTE You should archive the server logs before running the log analyzer.
  • Page 215: Cookie Logging

    Setting Log Preferences Click the Vsid check box. Alternatively, you can click the Custom Format: radio button and add the string %vsid%. NOTE When adding the custom format string %vsid%, you must use a new access log file. For information on the directive in , see the section “Error...
  • Page 216: Running The Log Analyzer

    Running the Log Analyzer Running the Log Analyzer The server_root/extras/log_anly directory contains the log analysis tool that runs through the Server Manager user interface. This log analyzer analyzes files in common log format only. The HTML document in the log_anly directory explains the tool’s parameters.
  • Page 217 Running the Log Analyzer The following describes the syntax (flexanlg -h):
      -P: proxy log format. Default: no
      -n servername: The name of the server
      -x: Output in HTML. Default: no
      -r: Resolve IP addresses to hostnames. Default: no
      -p [c,t,l]: Output order (counts, time stats, lists). Default: ctl
      -i filename: Input log file(s)
  • Page 218: Viewing Events (Windows Nt/Windows 2000)

    Viewing Events (Windows NT/Windows 2000) Viewing Events (Windows NT/Windows 2000) In addition to logging errors to the server error log (see “Viewing the Error Log File” on page 211), Enterprise Server logs severe system errors to the Event Viewer. The Event Viewer lets you monitor events on your system. Use the Event Viewer to see errors resulting from fundamental configuration problems, which can occur before the error log can be opened.
  • Page 219: Chapter 10 Monitoring Servers

    Chapter 10 Monitoring Servers This chapter contains information on ways to monitor your server, including the built-in monitoring tool, the quality of service features, and Simple Network Management Protocol (SNMP). You can use SNMP together with Netscape management information bases (MIB) and network management software such as HP OpenView to monitor your servers in real-time just as you monitor other devices in your network.
  • Page 220: Monitoring The Server Using Statistics

    Monitoring the Server Using Statistics • Enabling the Subagent • Understanding SNMP Messages Monitoring the Server Using Statistics You can use the statistics feature to monitor your server’s current activity. The statistics show you how many requests your server is handling and how well it is handling these requests.
  • Page 221: Using Statistics

    Using Quality of Service Click Apply to apply your changes. You do not need to restart the server. For more information on enabling statistics, see the online help. Using Statistics Once you’ve enabled statistics, you can get a variety of information on how your server instance and your virtual servers are running.
  • Page 222: Quality Of Service Example

    Using Quality of Service You can enable these settings for the entire server or for a class of virtual servers in the Server Manager from the Monitor tab. However, you can override these server or class-level settings for an individual virtual server. For more information on setting quality of service limits for an individual server, see “Configuring Virtual Server Quality of Service Settings,”...
  • Page 223: Setting Up Quality Of Service

    Using Quality of Service At 1 second, the bandwidth is calculated for the 10th time (1000 milliseconds/ 100 milliseconds). The total traffic is 5000 bytes, which is divided by 30 seconds. The bandwidth is 5000/30 = 166 bytes per second. At 30 seconds, the bandwidth is calculated for the 300th time.
  • Page 224 Using Quality of Service If your site has a lot of large file transfers, use a large value (several minutes or more) in this field. A large file transfer might take up all the allowed bandwidth for a short metric interval, and result in connections being denied if you’ve enforced the maximum bandwidth setting.
  • Page 225: Required Changes To Obj.conf

    Using Quality of Service Required Changes to obj.conf To enable quality of service, you must include directives in your obj.conf that invoke two Server Application Functions (SAFs): an AuthTrans qos-handler and an Error qos-error. The AuthTrans qos-handler directive must be the first AuthTrans directive configured in the default object in order to work properly.
  • Page 226 Using Quality of Service If chunked encoding is enabled in either or both directions, the chunking layer removes the chunk headers and they are not counted in the traffic. Other headers or protocol items are counted. • The quality of service features cannot accurately measure traffic from calls.
  • Page 227: Snmp Basics

    SNMP Basics • The concurrent connections are computed with a different granularity for virtual servers than for virtual server classes and the global server instance. The connection counter for an individual virtual server is incremented atomically immediately after the request is parsed and routed to the virtual server.
  • Page 228: The Enterprise Server Mib

    The Enterprise Server MIB NOTE After making any SNMP configuration changes, you must click the Apply button, then restart the SNMP subagent. The master agent exchanges information between the various subagents and the NMS. The master agent is installed with the Administration Server. You can have multiple subagents installed on a host computer, but only one master agent.
  • Page 229 The Enterprise Server MIB The Enterprise Server MIB is located in the server_root/plugins/snmp directory and has an object identifier of http 61 (nes61 OBJECT IDENTIFIER ::= { http 61 }). You can see administrative information about your web server and monitor the server in real time using the Enterprise Server MIB.
  • Page 230 The Enterprise Server MIB Table 10-1 nes.mib managed objects and descriptions (Continued) Managed object: Description. nesInstanceCount2xx: Number of 200-level (Successful) responses issued by the server instance. nesInstanceCount3xx: Number of 300-level (Redirection) responses issued by the server instance. nesInstanceCount4xx: Number of 400-level (Client Error) responses issued by the server instance.
  • Page 231 The Enterprise Server MIB Table 10-1 nes.mib managed objects and descriptions (Continued) Managed object: Description. nesVsCount2xx: Number of 200-level (Successful) responses issued by the virtual server. nesVsCount3xx: Number of 300-level (Redirection) responses issued by the virtual server. nesVsCount4xx: Number of 400-level (Client Error) responses issued by the virtual server.
  • Page 232 The Enterprise Server MIB Table 10-1 nes.mib managed objects and descriptions (Continued) Managed object: Description. nesProcessConnectionQueueMax: Maximum number of connections allowed in connection queue. nesProcessConnectionQueueTotal: Number of connections that have been accepted. nesProcessConnectionQueueOverflows: Number of connections rejected due to connection queue overflow. nesProcessKeepaliveCount: Number of connections currently in keepalive queue.
  • Page 233: Setting Up Snmp

    Setting Up SNMP Setting Up SNMP In general, to use SNMP you must have a master agent and at least one subagent installed and running on your system. You need to install the master agent before you can enable a subagent. The procedures for setting up SNMP are different depending upon your system.
  • Page 234: Using A Proxy Snmp Agent (Unix/Linux)

    Using a Proxy SNMP Agent (UNIX/Linux) Table 10-2 Overview of procedures for enabling SNMP master agents and subagents If your server meets these conditions... follow these procedures. These are discussed in detail in the following sections. • Native agent is currently running 1.
  • Page 235: Installing The Proxy Snmp Agent

    Using a Proxy SNMP Agent (UNIX/Linux) Installing the Proxy SNMP Agent If an SNMP agent is running on your system and you want to continue using the native SNMP daemon, follow the steps in these sections: Install the SNMP master agent. See “Installing the SNMP Master Agent” on page 236.
  • Page 236: Starting The Proxy Snmp Agent

    Installing the SNMP Master Agent Here is an example of a CONFIG file:
      AGENT AT PORT 1161 WITH COMMUNITY public
      SUBTREES 1.3.6.1.2.1.1, 1.3.6.1.2.1.2, 1.3.6.1.2.1.3, 1.3.6.1.2.1.4, 1.3.6.1.2.1.5, 1.3.6.1.2.1.6, 1.3.6.1.2.1.7, 1.3.6.1.2.1.8
      FORWARD ALL TRAPS;
    Starting the Proxy SNMP Agent To start the proxy SNMP agent, at the command prompt, enter: # sagt -c CONFIG&...
  • Page 237: Enabling And Starting The Snmp Master Agent

    Enabling and Starting the SNMP Master Agent Check whether an SNMP daemon (snmpd) is running on port 161. If no SNMP daemon is running, go to Step 4. If an SNMP daemon is running, make sure you know how to restart it and which MIB trees it supports.
  • Page 238: Starting The Master Agent On Another Port

    Enabling and Starting the SNMP Master Agent • Manually Configuring the SNMP Master Agent • Editing the Master Agent CONFIG File • Defining sysContact and sysLocation Variables • Configuring the SNMP Master Agent • Starting the SNMP Master Agent Starting the Master Agent on Another Port The Administration Interface will not start the SNMP master agent on ports other than 161.
  • Page 239: Editing The Master Agent Config File

    Enabling and Starting the SNMP Master Agent Editing the Master Agent CONFIG File The CONFIG file defines the community and the manager that the master agent will work with. The manager value should be a valid system name or an IP address. Here is an example of a basic CONFIG file:...
  • Page 240: Configuring The Snmp Subagent

    Enabling and Starting the SNMP Master Agent Configuring the SNMP Subagent You can configure the SNMP subagent to monitor your server. To configure the SNMP subagent, perform the following steps: From the Administration Server, select the server instance and click Manage. Select the Monitor tab.
  • Page 241: Starting The Snmp Master Agent Using The Administration Server

    Configuring the SNMP Master Agent Method one: In the CONFIG file, specify a transport mapping for each interface over which the master agent listens for SNMP requests from managers. Transport mappings allow the master agent to accept connections at the standard port and at a nonstandard port.
  • Page 242: Configuring The Community String

    Enabling the Subagent Configuring the Community String A community string is a text string that an SNMP agent uses for authorization. This means that a network management station would send a community string with each message it sends to the agent. The agent can then verify whether the network management station is authorized to get information.
  • Page 243: Understanding Snmp Messages

    Understanding SNMP Messages Once you have enabled the subagent, you can start, stop or restart it from the SNMP Subagent Control page or the Services Control Panel for Windows NT/Windows 2000. NOTE After making any SNMP configuration changes, you must click the Apply button, then restart the SNMP subagent.
  • Page 244 Understanding SNMP Messages The NMS displays the information textually or graphically through its network management application.
  • Page 245: Part 4 Managing Virtual Servers And Services

    Part 4 Managing Virtual Servers and Services Chapter 11, “Using Virtual Servers” Chapter 12, “Creating and Configuring Virtual Servers” Chapter 13, “Extending Your Server With Programs” Chapter 14, “Content Management” Chapter 15, “Applying Configuration Styles”...
  • Page 247: Chapter 11 Using Virtual Servers

    Chapter 11 Using Virtual Servers This chapter explains how to set up and administer virtual servers using your Netscape Enterprise Server Administration Server. This chapter contains the following sections: • Virtual Servers Overview • Using Enterprise Server Features with Virtual Servers •...
  • Page 248: Multiple Server Instances

    Virtual Servers Overview To set up virtual servers, you need to set up the following: • Virtual Server Classes • Listen Sockets • Connection Groups • Virtual Servers The settings for virtual servers are stored in the server.xml file, found in server_root/ identifier/...
  • Page 249: Virtual Server Classes

    Virtual Servers Overview Virtual Server Classes Virtual servers are grouped into classes. Using classes you can configure similar virtual servers at the same time, so you don’t have to configure each one separately. Though all virtual servers in a class share the same basic configuration information, you can also set variables and change configuration per virtual server.
  • Page 250: Virtual Servers In A Class

    Virtual Servers Overview Virtual Servers in a Class A virtual server that belongs to a class is called a member of that class. Some virtual server settings are configured for all virtual servers in a class, and some are configured individually. These settings are configured on the Class Manager’s Virtual Servers tab.
  • Page 251: Connection Groups

    Virtual Servers Overview In addition, you specify the number of acceptor threads (sometimes called accept threads) in the listen socket. Accept threads are threads that wait for connections. The threads accept connections and put them in a queue where they are then picked up by worker threads.
  • Page 252: Types Of Virtual Servers

    Virtual Servers Overview This section includes the following topics: • Types of Virtual Servers • IP-Address-Based Virtual Servers • URL-Host-Based Virtual Servers • Default Virtual Server Types of Virtual Servers In previous versions of Enterprise Server, there were two kinds of virtual servers: hardware and software.
  • Page 253: Url-Host-Based Virtual Servers

    Virtual Servers Overview URL-Host-Based Virtual Servers You can set up URL-host-based virtual servers by giving them unique URL hosts. The contents of the Host request header directs the server to the correct virtual server. For example, if you want to set up virtual servers for customers a, b, and c so that each customer can have an individual domain name, you first configure DNS to recognize that each customer’s URL, , resolves...
  • Page 254: Virtual Server Selection For Request Processing

    Virtual Servers Overview The default virtual server is set by connection group. You specify a default virtual server when you create a listen socket. That becomes the default virtual server of the connection group created by default for the listen socket. You can always change the default virtual server.
  • Page 255: Document Root

    Virtual Servers Overview Document Root The primary document directory or document root is the central directory that contains all the virtual server’s files to make available to remote clients. The document root directory provides an easy way to restrict access to the files on a virtual server.
  • Page 256: Migrating Virtual Servers From A Previous Release

    Using Enterprise Server Features with Virtual Servers Migrating Virtual Servers from a Previous Release If you used virtual servers in a previous version of Enterprise Server, you may be able to migrate them to the current release using the migration tools. For more information, see the Netscape Enterprise Server Installation and Migration Guide.
  • Page 257: Using Access Control With Virtual Servers

    Using Enterprise Server Features with Virtual Servers One way to implement SSL with virtual servers is to have two listen sockets, one using SSL and listening to port 443, and one that is not using SSL. A user would typically access the virtual server through the non-SSL listen socket. When the need to have secure transactions arises, users could click a button on the web page to start initiating secure transactions.
  • Page 258: Using The Virtual Server User Interface

    Using the Virtual Server User Interface Using the Virtual Server User Interface To create and edit virtual servers, you can use the user interface or a command line utility. The user interface for administering virtual servers has three parts: • The Server Manager contains settings that affect the server as a whole (or all virtual servers).
  • Page 259: Using Variables

    Using the Virtual Server User Interface Click Manage Virtual Servers. Choose a virtual server and click Manage. You can also click the virtual server name in the tree view of the server. You can use a command line utility, HttpServerAdmin, to perform the same virtual server tasks as you can perform using the user interface.
  • Page 260: Setting Up Virtual Servers

    Setting Up Virtual Servers On Windows NT/Windows 2000, the dynamic reconfiguration script is a batch file called reconfig.bat located in each instance’s directory. There are no command line arguments. You can run the reconfiguration script by simply typing reconfig.bat from the server instance’s directory. When run, this script initiates a dynamic reconfiguration of the server, similar to the user interface, and displays the server messages related to reconfiguration.
  • Page 261: Creating A Connection Group

    Setting Up Virtual Servers Fill in the fields. Listen sockets must have a unique combination of port number and IP address. You can use either IPV4 or IPV6 addresses. If you want to create a listen socket for IP-address-based virtual servers, the IP address must be 0.0.0.0 , meaning it listens on all IP addresses on that port.
  • Page 262: Creating A Virtual Server Class

    Setting Up Virtual Servers Creating a Virtual Server Class To create a virtual server class, follow these steps: From the Server Manager, click the Virtual Server Class tab. Click Add Class. Name the class. Insert a document root for the class. The directory must already exist.
  • Page 263: Specifying Services Associated With A Virtual Server Class

    Allowing Users to Monitor Individual Virtual Servers Click OK. The class is changed or deleted. Specifying Services Associated with a Virtual Server Class Some of the characteristics that differentiate one class of virtual servers from another are the services that are enabled for that class of virtual servers. For example, one class of virtual servers might have CGIs enabled while another doesn’t.
  • Page 264 Allowing Users to Monitor Individual Virtual Servers For security reasons, this administration user interface is on a separate port from either the administration server port or the Enterprise Server instance port. This user interface runs on a virtual server within the Administration Server. This virtual server is set up by default and is called useradmin.
  • Page 265 Allowing Users to Monitor Individual Virtual Servers Create a new listen socket that runs a port separate from the port that the Administration Server uses. For example, if your Administration Server runs on port 8888, this new listen socket must have a different port number. Using a different listen socket helps safeguard your Administration Server.
  • Page 266: Access Control

    Allowing Users to Monitor Individual Virtual Servers Code Example 11-2 Updated useradmin
      <VSCLASS id="userclass" objectfile="userclass.obj.conf" rootobject="default" >
      <VS id="useradmin" connections="group2" state="on" mime="mime1" urlhosts="user-app" aclids="acl1">
      <VARS webapps_file="user-apps.xml" webapps_enable="on"/>
      <USERDB id="default" database="default" />
      </VS>
      </VSCLASS>
    In this example, the connection group is set to group2, the group created previously, and the state is set to...
  • Page 267: Deploying Virtual Servers

    Deploying Virtual Servers Deploying Virtual Servers Enterprise Server’s virtual server architecture is very flexible. A server instance can have any number of listen sockets, both secure and non-secure. You can associate any number of virtual servers with these sockets through connection groups. You can have both IP-address-based and URL-host-based virtual servers.
  • Page 268 Deploying Virtual Servers Figure 11-2 Default configuration In this configuration, connections to the following reach the server and are served by the virtual server: http://127.0.0.1/ (initiated on example.com), http://localhost/ (initiated on example.com), http://example.com/, and http://10.0.0.1/. Use this configuration for traditional Enterprise Server use. You do not need to add additional virtual servers or listen sockets.
  • Page 269: Example 2: Secure Server

    Deploying Virtual Servers Example 2: Secure Server If you want to use SSL in the default configuration, you can simply change the listen socket to secure mode. This is similar to the way you set security in previous versions of the Enterprise Server. You can also add a new secure listen socket configured to ANY:443 and associate...
  • Page 270: Example 3: Intranet Hosting

    Deploying Virtual Servers Example 3: Intranet Hosting A more complex configuration of the Enterprise Server is one in which the server hosts a few virtual servers for an intranet deployment. For example, you have three internal sites where employees can look up other users’ phone numbers, look at maps of the campus, and track the status of their requests to the Information Services department.
  • Page 271 Deploying Virtual Servers While URL-host-based virtual servers are easy to set up, they have the following disadvantages: • Supporting SSL in this configuration requires non-standard setup using wildcard certificates. For more information see Chapter 5, “Securing Your Enterprise Server.” • URL-host-based virtual servers don’t work with legacy HTTP clients. Figure 11-5 Intranet hosting using IP-address-based virtual servers...
  • Page 272 Deploying Virtual Servers The disadvantages are: • They require configuration changes on the host computer (configuration of real or virtual network interfaces) • They don’t scale to configurations with thousands of virtual servers Both configurations require setting up name-to-address mappings for the three names.
  • Page 273: Example 4: Mass Hosting

    Deploying Virtual Servers Compared to the original configuration for IP-address-based virtual servers with one listen socket on ANY:80, the configuration with multiple listen sockets may give you a minimal performance gain because the server does not have to find out the address the request came in on.
  • Page 274 Deploying Virtual Servers Figure 11-7 Mass Hosting Notice that the virtual server installed when you installed the server, VS1, still exists in defaultclass.
  • Page 275: Chapter 12 Creating And Configuring Virtual Servers

    Chapter 12 Creating and Configuring Virtual Servers A class of virtual servers has virtual servers (members of the class) associated with it. You can override some of the class-level settings at the virtual server level. This chapter describes how you can create and configure individual virtual servers. For information on configuring virtual server classes, see Chapter 14, “Content Management.”...
  • Page 276: Editing Virtual Server Settings

    Editing Virtual Server Settings Choose a name for the virtual server. Choose a connection group for the virtual server. Choose a URL host for the virtual server. You can type more than one URL host, separated by spaces. Click OK. These settings are all that is required for creating a virtual server.
  • Page 277: Generating Reports For A Virtual Server

    Editing Using the Virtual Server Manager • ACL file • MIME types file • CGI settings If you are editing a single virtual server, it’s convenient to use the Virtual Server Manager and change all these settings on one page. The Logs tab contains a single page allowing you to generate reports for the selected virtual server.
  • Page 278 Editing Using the Virtual Server Manager Set the value of LogVSid using the drop-down list. You can also set LogVSid manually by adding LogVSid on to the magnus.conf file. Click OK. Click Apply. Click Apply Changes for your changes to take effect. Go to the Logs tab in the Server Manager for the server instance and select Log Preferences.
  • Page 279: Editing Using The Class Manager

    Editing Using the Class Manager Select the Logs tab. The Generate Reports page appears. This page will not appear unless a virtual server has been created and LogVSid is set, as described above. (Optional) Change the settings if desired. Click OK to generate the report. Editing Using the Class Manager Use the following Class Manager pages to edit virtual server settings.
  • Page 280: Configuring Virtual Server Mime Settings

    Editing Using the Class Manager Type the URL hosts you want to use, if different from those displayed under the Urlhosts column. You can type more than one URL host, separated by spaces. When you are through editing virtual servers, click OK. Configuring Virtual Server MIME Settings You can set the MIME types file for an individual virtual server.
  • Page 281: Configuring Virtual Server Quality Of Service Settings

    Editing Using the Class Manager For more information on security, see Chapter 5, “Securing Your Enterprise Server.” Configuring Virtual Server Quality of Service Settings Quality of service refers to the performance limits you set for a virtual server. For example, an ISP might want to charge different amounts of money for virtual servers depending on how much bandwidth they are allowed.
  • Page 282: Configuring Virtual Server Log Settings

    Editing Using the Class Manager Choose whether or not to enforce the maximum connections setting. If you choose to enforce the maximum connections, once the server reaches its limit additional connections are refused. If you do not enforce the maximum connections, when the maximum is exceeded the server logs a message to the error log.
  • Page 283: Configuring Virtual Server Java Web Application Settings

    Deleting a Virtual Server Configuring Virtual Server Java Web Application Settings A web application is a collection of Java servlets, JSPs, HTML pages, classes and other resources. All the resources are stored in a directory, and all requests to that directory run the application.
  • Page 284 Deleting a Virtual Server
  • Page 285: Chapter 13 Extending Your Server With Programs

    Chapter 13 Extending Your Server With Programs This chapter discusses how to install programs on the Netscape Enterprise Server that dynamically generate HTML pages in response to requests from clients. These programs are known as server-side applications. (Client-side applications, which are downloaded to the client, run on the client machine.) This chapter includes the following sections: •...
  • Page 286: Types Of Server-Side Applications That Run On The Server

    Java Servlets and JavaServer Pages (JSP) Types of Server-Side Applications That Run on the Server The Enterprise Server can run the following types of server-side applications to dynamically generate content: • Java servlets • CGI programs The Enterprise Server can also run programs that extend or modify the behavior of the server itself.
  • Page 287: Overview Of Servlets And Javaserver Pages

    Java Servlets and JavaServer Pages (JSP) • Overview of Servlets and JavaServer Pages • What the Server Needs to Run Servlets and JSPs • Working with Web Applications • Deploying Web Applications Using wdeploy • Deploying and Editing Web Applications with the User Interface •...
  • Page 288: What The Server Needs To Run Servlets And Jsps

    Java Servlets and JavaServer Pages (JSP) http://java.sun.com/products/jsp/index.html For information about developing servlets and JSPs for use with Enterprise Server, see the Netscape Enterprise Server Programmer’s Guide to Servlets. What the Server Needs to Run Servlets and JSPs To enable servlets, select the Java tab in the Server manager, then select the Enable/Disable Servlets/JSP tab.
  • Page 289: Working With Web Applications

    Java Servlets and JavaServer Pages (JSP) • You can specify it after the server is installed. To specify the path to the JDK, switch to the Enterprise Application Server, select the Global Settings tab, and use the Configure JRE/JDK Paths page, as described in “Configuring JRE/JDK Paths,”...
  • Page 290 Java Servlets and JavaServer Pages (JSP) You can use the wdeploy utility at the command line to deploy a WAR file into a virtual server web application environment: wdeploy deploy -u uri_path -i instance -v vs_id [-d directory] [-n] war_file You can also delete a virtual server web application: wdeploy delete -u uri_path -i instance -v vs_id [-n] mode You can also list the web application URIs and directories for a virtual server:...
  • Page 291 Java Servlets and JavaServer Pages (JSP) For example: wdeploy deploy -u /hello -i server.example.com -v netscape.com -d /nes61/https-server.example.com/netscape.com/web-apps/hello /nes61/plugins/servlets/examples/web-apps/HelloWorld/HelloWorld.war This utility results in the following web-apps.xml entry: <vs> <web-app uri="/hello" dir="/nes61/https-server.example.com/netscape.com/webapps/hello"/> </vs> The /nes61/https-server.example.com/netscape.com/web-apps/hello directory has the following contents: colors index.jsp META-INF WEB-INF/ web.xml...
  • Page 292: Deploying And Editing Web Applications With The User Interface

    Java Servlets and JavaServer Pages (JSP) Accessing Deployed Web Applications After you have deployed an application, you can access it from a browser as follows: http[s]://vs_urlhost[:vs_port]/uri_path/[index_page] The parts of the URL have the following meanings: vs_urlhost One of the urlhosts values for the virtual server. vs_port (optional) Only needed if the virtual server uses a non-default port.
  • Page 293 Java Servlets and JavaServer Pages (JSP) Enter the path on the local or server machine to the file containing the web application in the field provided. On server machines enter the absolute path to the WAR file. On local machines you can browse the available paths. Clicking browse will bring up the File Upload window, allowing you to select the WAR file to upload to your server.
  • Page 294: Deploying Servlets And Jsps Not In Web Applications

    Java Servlets and JavaServer Pages (JSP) Click OK. Click Apply. Select Dynamic Reconfiguration for your web application to be deployed. Deploying Servlets and JSPs Not in Web Applications You can deploy 4.x servlets and JSPs outside of web applications, but only in the default virtual server.
  • Page 295: Installing Cgi Programs

    Installing CGI Programs The server uses two directories to cache information for JavaServer Pages (JSP) and servlets: • ClassCache The server uses the following directory to cache information for JavaServer Pages (JSP): server_root/https-server_id/ClassCache/virtual_server_id/webapp_uri When the server serves a JSP page, it creates a .java and a ... file
  • Page 296: Overview Of Cgi

    Installing CGI Programs In addition, the following sections discuss how to install CGI programs specific to Windows NT/Windows 2000: • Installing Windows NT/Windows 2000 CGI Programs • Installing Shell CGI Programs for Windows NT/Windows 2000 Overview of CGI Common Gateway Interface (CGI) programs can be defined with any number of programming languages.
  • Page 297 Installing CGI Programs Regardless of the programming language, all CGI programs accept and return data in the same manner. For information about writing CGI programs, see the following sources of information: • Netscape Enterprise Server Programmer’s Guide • The Common Gateway Interface at: http://hoohoo.ncsa.uiuc.edu/cgi/overview.html There are two ways to store CGI programs on your server machine: •...
  • Page 298: Specifying A Cgi Directory

    Installing CGI Programs Specifying a CGI Directory To specify a CGI-only directory for a class of virtual servers, perform the following steps: From the Class Manager, choose the Programs tab. The CGI Directory window appears. In the URL Prefix field, type the URL prefix to use for this directory. That is, the text you type appears as the directory for the CGI programs in URLs.
  • Page 299: Specifying Cgi As A File Type

    Installing CGI Programs In the CGI Group text field, type the name of the group to execute CGI programs as. In the CGI Directory text field, type the directory to chdir to after chroot but before execution begins. (UNIX only) In the CGI Nice text field, type an increment that determines the CGI program's priority relative to the server.
  • Page 300: Installing Windows Nt/Windows 2000 Cgi Programs

    Installing Windows NT/Windows 2000 CGI Programs One solution to this problem is to compress the executable files that you want users to be able to download, so that the extension is not .exe. This solution has the added benefit of making the download time shorter. Another possible solution is to remove .exe as a file extension from the...
  • Page 301: Specifying A Windows Nt/Windows 2000 Cgi Directory

    Installing Windows NT/Windows 2000 CGI Programs Although Windows NT/Windows 2000 CGI programs behave like regular CGI programs, your server processes the actual programs slightly differently. Therefore, you need to specify different directories for Windows NT/Windows 2000 CGI programs. If you enable the Windows NT/Windows 2000 CGI file type, it uses the file extension .wcg. Enterprise Servers support the Windows NT/Windows 2000 CGI 1.3a informal...
  • Page 302 Installing Windows NT/Windows 2000 CGI Programs That is, the text you type appears as the directory for the Windows NT/Windows 2000 CGI programs in URLs. For example, if you type wcgi-programs as the URL prefix, then all URLs to these Windows NT/Windows 2000 CGI programs have the following structure: yourserver[.
  • Page 303: Specifying Windows Nt/Windows 2000 Cgi As A File Type

    Installing Shell CGI Programs for Windows NT/Windows 2000 Specifying Windows NT/Windows 2000 CGI as a File Type To specify a file extension for Windows NT/Windows 2000 CGI files, perform the following steps: From the Server Manager, choose the Server Preferences tab. Click the MIME Types link.
  • Page 304: Overview Of Shell Cgi Programs For Windows Nt/Windows 2000

    Installing Shell CGI Programs for Windows NT/Windows 2000 Overview of Shell CGI Programs for Windows NT/Windows 2000 Shell CGI is a server configuration that lets you run CGI applications using the file associations set in Windows NT/Windows 2000. For example, if the server gets a request for a shell CGI file called hello.pl, the server uses the Windows NT/Windows 2000 file associations to run the file using...
  • Page 305: Specifying Shell Cgi As A File Type (Windows Nt/Windows 2000)

    Installing Shell CGI Programs for Windows NT/Windows 2000 In the URL Prefix field, enter the URL prefix you want to associate with your shell CGI directory. For example, suppose you store all shell CGI files in a directory called C:/docs/programs/cgi/shell-cgi, but you want users to see the directory yourserver[.domain.dom][:port]...
  • Page 306: Using The Query Handler

    Using the Query Handler The Global MIME Types window appears. For more information on the Global MIME Types, see “Choosing MIME Types,” on page 156. Add a new MIME type with these settings: Type: type Content type: magnus-internal/shellcgi File Suffix: Enter the file suffixes that you want the server to associate with shell CGI.
  • Page 307 Using the Query Handler Use the Editing Picker to select the resource you want to set with a default query handler. If you choose a directory, the query handler you specify runs only when the server receives a URL for that directory or any file in that directory. In the Default Query Handler field, enter the full path for the CGI program you want to use as the default for the resource you chose.
  • Page 308 Using the Query Handler
  • Page 309: Chapter 14 Content Management

    Chapter 14 Content Management This chapter describes how you can configure and manage content for classes of virtual servers and virtual servers. This chapter contains the following sections: • Setting the Primary Document Directory • Setting Additional Document Directories • Customizing User Public Information Directories (UNIX/Linux) •...
  • Page 310: Setting The Primary Document Directory

    Setting the Primary Document Directory Setting the Primary Document Directory The primary document directory (also called the document root) is the central directory where you store all the files you want to make available to remote clients. When you add a class, you specify a document directory with an absolute path. If you do not use a variable as part of that path, the document root for every virtual server in the class will default to the same directory.
  • Page 311: Setting Additional Document Directories

    Setting Additional Document Directories Setting Additional Document Directories Most of the time, the documents for a virtual or server instance are in the primary document directory. Sometimes, though, you may want to serve documents from a directory outside of the document root. You can do this by setting additional document directories.
  • Page 312: Customizing User Public Information Directories (Unix/Linux)

    Customizing User Public Information Directories (UNIX/Linux) Customizing User Public Information Directories (UNIX/Linux) Sometimes users want to maintain their own web pages. You can configure public information directories that let all the users on a server create home pages and other documents without your intervention. You can only set these up for the entire class.
  • Page 313: Restricting Content Publication

    Customizing User Public Information Directories (UNIX/Linux) Choose whether to load the password database at startup. For more information, see “Loading the Entire Password File on Startup,” on page 313. Choose whether to apply a configuration style. Click OK. For more information, see the online help for the User Document Directories page. Another way to give users separate directories is to create a URL mapping to a central directory that all of your users can modify.
  • Page 314: Using Configuration Styles

    Enabling Remote File Manipulation Using Configuration Styles You can apply a configuration style for the server to control access to directories from public information directories. This prevents users from creating symbolic links to information you do not want made public. For more information on configuration styles, see Chapter 15, “Applying Configuration Styles.”...
  • Page 315: Setting The Document Preferences

    Configuring Document Preferences • Selecting Directory Indexing • Specifying a Server Home Page • Specifying a Default MIME Type • Parsing the Accept Language Header These settings are all configured for the class, not individual virtual servers. Setting the Document Preferences To set the document preferences, follow these steps: From the Class Manager, click the Content Management tab.
  • Page 316: Specifying A Server Home Page

    Configuring Document Preferences The server indexes directories by searching the directory for an index file called index.html or home.html, which is a file you create and maintain as an overview of the directory’s contents. For more information, see the previous section, “Entering an Index Filename”...
  • Page 317: Parsing The Accept Language Header

    Configuring URL Forwarding Parsing the Accept Language Header When clients contact a server using HTTP 1.1, they can send header information describing the languages they accept. You can configure your server to parse this language information. For example, if you store documents in Japanese and English, you could choose to parse the accept language header.
  • Page 318: Customizing Error Responses

    Customizing Error Responses To configure URL forwarding, follow these steps: From the Class Manager, click the Content Management tab. Click URL Forwarding. Type the URL prefix you want to redirect, and whether you want to redirect it to another prefix or to a static URL. Click OK.
  • Page 319: Changing The Character Set

    Changing the Character Set Changing the Character Set The character set of a document is determined in part by the language it is written in. You can override a client’s default character set setting for a document, a set of documents, or a directory by selecting a resource and entering a character set for that resource.
  • Page 320: Setting The Document Footer

    Setting the Document Footer To change the character set, follow these steps: From the Class Manager, click the Content Management tab. Click International Characters. Choose Entire Server from the resource picker to apply your change to the whole class, or navigate to the document root for a specific virtual server, or to a specific directory or within a specific virtual server.
  • Page 321: Using .Htaccess

    Using .htaccess For more information see the online help for the Document Footer page. Using .htaccess For information on using .htaccess, see “Using .htaccess Files,” on page 195. Restricting Symbolic Links (UNIX/Linux) You can limit the use of file system links in your server. File system links are references to files stored in other directories or file systems.
  • Page 322: Setting Up Server-Parsed Html

    Setting up Server-Parsed HTML For more information, see the online help for the Symbolic Link page. Setting up Server-Parsed HTML HTML is normally sent to the client exactly as it exists on disk without any server intervention. However, the server can search HTML files for special commands (that is, it can parse the HTML) before sending documents.
  • Page 323: Setting Cache Control Directives

    Setting Cache Control Directives Setting Cache Control Directives Cache-control directives are a way for Enterprise Server to control what information is cached by a proxy server. Using cache-control directives, you override the default caching of the proxy to protect sensitive information from being cached, and perhaps retrieved later.
  • Page 324 Using Stronger Ciphers
  • Page 325: Chapter 15 Applying Configuration Styles

    Chapter 15 Applying Configuration Styles Configuration styles are an easy way to apply a set of options to specific files or directories that your various virtual servers maintain. For example, you can create a configuration style that sets up access logging. When you apply that configuration style to the files and directories that you want to log, you don’t have to individually configure access logging for all the files and directories in your virtual server.
  • Page 326 Creating a Configuration Style From the drop-down list, choose a configuration style to edit and click Edit this Style. From the list of links available, click the category you want to configure for your style. You can configure the information listed in Table 15-1. Fill out the form that appears, and click OK.
  • Page 327: Assigning A Configuration Style

    Assigning a Configuration Style Table 15-1 Configuration Style Categories (Continued) Category Description Remote file manipulation: Enables you to allow clients to upload files, delete files, create directories, remove directories, list the contents of a directory, and rename files on your server. Require Stronger ...: Allows you to enforce stronger security requirements.
  • Page 328: Listing Configuration Style Assignments

    Listing Configuration Style Assignments Listing Configuration Style Assignments After you have created configuration styles and applied them to files or directories, you can get a list of the configuration styles and where you applied them. To list the configuration style assignments, perform the following steps: Access the Class Manager.
  • Page 329: Removing A Configuration Style

    Removing a Configuration Style When you choose a style to edit, your Resource Picker lists configuration styles instead of other resources. After you have finished editing a style, click OK and Save and Apply. The Resource Picker exits the styles mode. You can also choose to exit the styles mode by choosing Exit styles mode from the Resource Picker.
  • Page 330 Removing a Configuration Style
  • Page 331: Part 5 Appendices

    Part 5 Appendices Appendix A, “Command Line Utilities” Appendix B, “HyperText Transfer Protocol” Appendix C, “ACL File Syntax”...
  • Page 333: Appendix A Command Line Utilities

    Appendix A Command Line Utilities This appendix provides instructions for using command line utilities in place of the user interface screens. This appendix contains the following sections: • Formatting LDIF Entries • HttpServerAdmin (Virtual Server Administration) Formatting LDIF Entries LDIF consists of one or more directory entries separated by a blank line. Each LDIF entry consists of an optional entry ID, a required distinguished name, one or more object classes, and multiple attribute definitions.
  • Page 334: Httpserveradmin (Virtual Server Administration)

    HttpServerAdmin (Virtual Server Administration) HttpServerAdmin is a command line utility that performs the same administrative functions as the virtual server user interface in the Server Manager and the Class Manager. If you prefer to set up your virtual servers using the command line interface, use HttpServerAdmin. HttpServerAdmin is in server_root...
  • Page 335: Control Command

    HttpServerAdmin (Virtual Server Administration) There are four possible values for the command_name parameter: • control • create • delete • list Each command has its own set of command options. For more information, see the sections in this chapter that describe each command. Regardless of the value of the command parameter, the parameters shown in Table A-1 can apply to all uses of the command.
  • Page 336: Syntax

    HttpServerAdmin (Virtual Server Administration) Table A-2 Control command options Option Value -disable Disables the specified virtual server, or all virtual servers in the class if no virtual server is specified. Syntax HttpServerAdmin control -cl classname -control_option [-id virtual_server] -d server_root -sinst http_instance Parameters Use the parameters shown in Table A-3 with the command options to control virtual servers...
  • Page 337: Options

    HttpServerAdmin (Virtual Server Administration) Options Use the options shown in Table A-4 with the create command to create classes, connection groups, listen sockets, and virtual servers. Table A-4 Create command options Option Value -c Creates a virtual server class. -g Creates a connection group. -l Creates a listen socket.
  • Page 338: Create Connection Group

    HttpServerAdmin (Virtual Server Administration) Example HttpServerAdmin create -c -cl myclass1 -d /export/netscape/servers -sinst https-netscape.com Create Connection Group Use this option of the create command to create a connection group. Syntax HttpServerAdmin create -g group_ID -lsid listen_socket -ip IPaddress -sname server_name -defaultvs default_virtual_server -d server_root -sinst http_instance Parameters Use the parameters shown in Table A-8 with the command option to...
  • Page 339: Create Virtual Server

    HttpServerAdmin (Virtual Server Administration) Syntax HttpServerAdmin create -l -ip ip_address -port port_number -sname server_name -defaultvs default_virtual_server [-sec security] [-acct number_of_accept_threads] -d server_root -sinst http_instance Parameters Use the parameters shown in Table A-7 with the create -l command option to create listen sockets. Table A-7 Create listen socket parameters Parameter...
  • Page 340 HttpServerAdmin (Virtual Server Administration) Syntax HttpServerAdmin create -v -id virtual_server -cl classname -urlh urlhosts -conngroupid connection_group_ID [-state state] [-docroot document_root] [-mime mime_types_file] [-aclid acl_ID] -d server_root -sinst http_instance Parameters Use the parameters shown in Table A-8 with the create -v command option to create virtual servers.
  • Page 341: Delete Command

    HttpServerAdmin (Virtual Server Administration) delete Command Use the delete command to delete classes of virtual servers, virtual servers, and listen sockets. Options Use the options shown in Table A-9 with the delete command to delete classes. Table A-9 Delete command options Option Value Deletes the specified virtual server class.
  • Page 342: Delete Connection Group

    HttpServerAdmin (Virtual Server Administration) Delete Connection Group Use this option of the delete command to delete a connection group. Syntax HttpServerAdmin delete -g -id connection_group -lsid listen_socket -d server_root -sinst http_instance Parameters Use the parameters shown in Table A-9 with the delete command to delete a connection group.
  • Page 343: Delete Virtual Server

    HttpServerAdmin (Virtual Server Administration) Example HttpServerAdmin delete -l -id ls3 -d /export/netscape/server6 -sinst https-netscape.com Delete Virtual Server Use this option of the delete command to delete a virtual server. Syntax HttpServerAdmin delete -v -id virtual_server -cl classname -d server_root -sinst http_instance Parameters Use the parameters shown in Table A-9 with the command to delete a...
  • Page 344: Options

    HttpServerAdmin (Virtual Server Administration) Options Table A-14 List command options Option Value -c Lists all virtual server classes. -g -lsid listen_socket Lists all connection groups for a listen socket. -l Lists all listen sockets. -v Lists all virtual servers. Example HttpServerAdmin list -c -d /export/netscape/server6 -sinst https-netscape.com HttpServerAdmin list -l -d /export/netscape/server6 -sinst https-netscape.com...
  • Page 345: Appendix B Hypertext Transfer Protocol

    Appendix B HyperText Transfer Protocol This appendix provides a short introduction to the HyperText Transfer Protocol (HTTP). For more information on HTTP, see the Internet Engineering Task Force (IETF) home page at http://www.ietf.org/home.html This appendix contains the following sections: • About HyperText Transfer Protocol (HTTP) •...
  • Page 346: Requests

    Requests Netscape Enterprise Server supports HTTP 1.1. Some previous versions of the server supported HTTP 1.0. The server is conditionally compliant with the HTTP 1.1 proposed standard, as approved by the Internet Engineering Steering Group (IESG) and the Internet Engineering Task Force (IETF) HTTP working group. For more information on the criteria for being conditionally compliant, see the Hypertext Transfer Protocol—HTTP/1.1 specification (RFC 2068) at: http://www.ietf.org/html.charters/http-charter.html...
  • Page 347: Request Header

    Responses Request Header The client can send header fields to the server. Most are optional. Some commonly used request headers are shown in Table B-1. Table B-1 Common request headers Request header Description Accept The file types the client can accept. Used if the client wants to authenticate itself with a server;...
  • Page 348: Status Code

    Responses Status Code When a client makes a request, one item the server sends back is a status code, which is a three-digit numeric code. There are four categories of status codes: • Status codes in the 100–199 range indicate a provisional response. •...
  • Page 349: Response Header

    Responses Table B-2 Common HTTP status codes Status code Meaning Server error. A server-related error occurred. The server administrator should check the server’s error log to see what happened. Response Header The response header contains information about the server and information about the document that will follow.
  • Page 351: Appendix C Acl File Syntax

    Appendix C ACL File Syntax This appendix describes the access-control list (ACL) files and their syntax. ACL files are text files that contain lists that define who can access resources stored on your web server. By default, the web server uses one ACL file that contains all of the lists for access to your server.
  • Page 352: Authentication Methods

    • URI (Uniform Resource Indicator) ACLs specify a directory or file relative to the server’s document root. • Named ACLs specify a name that is referenced in resources in the obj.conf file. The server comes with a “default” named resource that allows read access to anyone and write access to users in the LDAP directory.
  • Page 353: Authorization Statements

    SSL requires the user to have a client certificate. The web server must have encryption turned on, and the user’s certificate issuer must be in the list of trusted CAs to be authenticated. By default, the server uses the Basic method for any ACL that doesn’t specify a method.
  • Page 354: Hierarchy Of Authorization Statements

    ...subdirectory /my_stuff/personal that allows access to a few users, the access control on the subdirectory won’t work because anyone allowed access to the /my_stuff directory will also be allowed access to the subdirectory. To prevent this, create a rule for the subdirectory /my_stuff/personal that first denies access to anyone and then allows it for the few users who need access.
  • Page 355: Attribute Expressions

    If more than one ACL matches, the server uses the last statement that matches. However, if you use an absolute statement, the server stops looking for other matches and uses the ACL containing the absolute statement. If you have two absolute statements for the same resource, the server uses the first one in the file and stops looking for other resources that match.
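    The following Python model is an added example, not code from the manual: it simulates the precedence rules stated above (last matching statement wins, an absolute statement ends the scan) and replays the /my_stuff and /my_stuff/personal pitfall and its deny-then-allow fix from the previous page. The data classes, the "anyone" marker and the deny-by-default fallback for resources no ACL covers are constructed assumptions, not the server's ACL syntax.

```python
from dataclasses import dataclass

# Constructed model of the ACL precedence rules described in Appendix C;
# this is a simulation of the evaluation order, not the server's file syntax.

@dataclass
class Statement:
    action: str            # "allow" or "deny"
    users: frozenset       # frozenset({"anyone"}) matches every user
    absolute: bool = False # an absolute statement ends evaluation

    def applies_to(self, user: str) -> bool:
        return "anyone" in self.users or user in self.users

@dataclass
class Acl:
    uri: str               # directory this URI ACL protects, e.g. "/my_stuff"
    statements: list

    def covers(self, path: str) -> bool:
        # a URI ACL protects the directory and everything below it
        return path == self.uri or path.startswith(self.uri.rstrip("/") + "/")

def check_access(acl_file, path, user):
    """Return "allow" or "deny" for user requesting path.

    ACLs are scanned in file order. Among the statements that match, the
    last one wins, except that an absolute statement stops the scan at once
    (so of two matching absolute statements the first in the file wins).
    Assumption: a path no ACL covers is denied.
    """
    decision = "deny"
    for acl in acl_file:
        if not acl.covers(path):
            continue
        for st in acl.statements:
            if st.applies_to(user):
                decision = st.action
                if st.absolute:
                    return decision
    return decision

ANYONE = frozenset({"anyone"})
FEW = frozenset({"alice"})   # constructed: the "few users" of the text

# Pitfall from the text: /my_stuff open to all, subdirectory meant for alice only.
BROKEN = [
    Acl("/my_stuff", [Statement("allow", ANYONE)]),
    Acl("/my_stuff/personal", [Statement("allow", FEW)]),
]
# Fix from the text: the subdirectory rule denies anyone first, then allows the few.
FIXED = [
    Acl("/my_stuff", [Statement("allow", ANYONE)]),
    Acl("/my_stuff/personal", [Statement("deny", ANYONE), Statement("allow", FEW)]),
]
# An absolute allow on the parent ends the scan before the subdirectory ACL is seen.
ABSOLUTE = [
    Acl("/my_stuff", [Statement("allow", ANYONE, absolute=True)]),
    Acl("/my_stuff/personal", [Statement("deny", ANYONE), Statement("allow", FEW)]),
]
```

    With BROKEN, user bob reaches /my_stuff/personal/notes.txt; with FIXED he is denied while alice is allowed; with ABSOLUTE the subdirectory rule is never consulted and bob is allowed again.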
  • Page 356: Operators For Expressions

    You can also restrict access to your server by time of day (based on the local time on the server) by using the timeofday attribute. For example, you can use the timeofday attribute to restrict access to certain users during specific hours. NOTE Use 24-hour time to specify times.
  • Page 357: The Default Acl File

    • >= (greater than or equal to) • <= (less than or equal to) The Default ACL File After installation, the file server_root/httpacl/generated.https-serverid.acl provides default settings for the server. The server uses the working file genwork.https-serverid.acl until you create settings in the user interface. When editing an ACL file, you could make changes in the file, then save and...
  • Page 358 In the previous example, the first line is the object that states which server resource you want to restrict access to. The second line is the PathCheck directive that uses the check-acl function to bind the named ACL (testacl) to the object in which the...
  • Page 359: Appendix D International Content Support

    Appendix D International Content Support The following information covers the international considerations for general server capabilities: • Entering UTF-8 Data • Using the Accept-language Header Entering UTF-8 Data If you want to enter UTF-8 data on the Server Manager or the Administration Server pages, you need to be aware of the following issues: File or Directory Names...
  • Page 360: Using The Accept-Language Header

    Using the Accept-language Header When clients contact a server using HTTP, they can send header information that describes the various languages they accept. You can configure your server to parse this language information as described in Chapter 14, “Content Management”. You can enable or disable this on the server with the acceptlanguage directive in the...
  • Page 361: Search Information

    If none of these are found, the server tries: http://www.example.com/somepage.html NOTE Keep in mind when naming your localized files that country codes like CH and TW are converted to lower case and dashes (-) are converted to underscores (_). Search Information Search capabilities are supported for the following languages: •...
  • Page 362: Document Formats

    Table D-2 Query operators for Japanese (Operator, Japanese Character): CONTAINS, ENDS, MATCHES, NEAR, NEAR/N, PHRASE, STARTS (English only), STEM, SUBSTRING, WILDCARD *, WILDCARD ?, WORD. Document Formats This release supports the following document formats for the Japanese language: •...
  • Page 363: Searching In Japanese

    • NEWS • MAIL NOTE The PDF document format is not supported for Japanese. Searching in Japanese The following sections give additional information about searching in the Japanese character set. Document Encodings This release supports the following document encodings for the Japanese language: •...
  • Page 364: Auto

    • Does not send any charset information in the Content-Type header. On the server side, if a servlet tries to access POST data using getParameter or getParameterValues, the servlet container does not have any information about which character encoding to use for strings.
  • Page 365: None

    This option is typically used if the servlet that is reading the data does not necessarily know what the charset of the posted data is. The hint parameter name, which by default is j_encoding, can be changed using the parameter-encoding element in...
  • Page 366 %> <h1>The Entered Name is : <%= request.getParameter("test") %> </h1> </body> </html>
  • Page 367: Glossary

    Glossary Access Control Entries (ACEs) A hierarchy of rules which the web server uses to evaluate incoming access requests. Access Control List (ACL) A collection of ACEs. An ACL is a mechanism for defining which users have access to your server. You can define ACL rules that are specific to a particular file or directory, granting or denying access to one or more users and groups.
  • Page 368 Certificate Revocation List (CRL) CA list, provided by the CA, of all revoked certificates. Certification Authority (CA) An internal or third-party organization that issues digital files used for encrypted transactions. Common Gateway Interface (CGI) An interface by which external programs communicate with the HTTP server.
  • Page 369 digest authentication. Allows the user to authenticate without sending the username and password as cleartext. The browser uses the MD5 algorithm to create a digest value. The server uses the Digest Authentication plug-in to compare the digest value provided by the client. DNS Domain Name System.
  • Page 370 file extension The last part of a filename that typically defines the type of file. For example, in the filename index.html the file extension is html. File Transfer Protocol (FTP) An Internet protocol that allows files to be transferred from one computer to another over a network. file type The format of a given file.
  • Page 371 HTTPS A secure version of HTTP, implemented using the Secure Sockets Layer, SSL. HyperText Markup Language (HTML) A formatting language used for documents on the World Wide Web. HTML files are plain text files with formatting codes that tell browsers such as Netscape how to display text, position graphics and form items, and display links to other pages.
  • Page 372 Java An object-oriented programming language created by Sun Microsystems used to create real-time, interactive programs called applets. JavaScript A compact, object-based scripting language for developing client and server Internet applications. JavaServer Pages Extensions that enable all JavaServer page metafunctions, including instantiation, initialization, destruction, access from other components, and configuration management.
  • Page 373 mime.types The MIME (Multi-purpose Internet Mail Extension) type configuration file. This file maps file extensions to MIME types, to enable the server to determine the type of content being requested. For example, requests for resources with .html extensions indicate that the client is requesting an HTML file, while requests for resources with .gif extensions indicate that the client is requesting an image file in GIF format.
  • Page 374 pk12util Software utility required to export the certificate and key databases from your internal machine, and import them into an external PKCS#11 module. primary document directory See document root. protocol A set of rules that describes how devices on a network exchange information.
  • Page 375 server daemon A process that, once running, listens for and accepts requests from clients. Server Plug-in API An extension that allows you to extend and/or customize the core functionality of Netscape servers and provide a scalable, efficient mechanism for building interfaces between the HTTP server and back-end applications. Also known as NSAPI.
  • Page 376 sym-links (UNIX) Abbreviation for symbolic links, which is a type of redirection used by the UNIX operating system. Sym-links let you create a pointer from one part of your file system to an existing file or directory on another part of the file system.
  • Page 377 URL mapping The process of mapping a document directory’s physical pathname to a user-defined alias so that files within the directory need only refer to the directory’s alias instead of the file’s full physical pathname. Thus, instead of identifying a file as usr/netscape/servers/docs/index.html, you could identify the file as /myDocs/index.html.
  • Page 379: Index

    Index SYMBOLS NUMERICS != (not equal to) 356 200 - 500 status codes 348 $, in wildcards 21, 63, 66, 74, 124, 180 $TOKENNAME 120 %vsid%, adding to log file format string 214 %vsid%, in log file format string 214 *, in wildcards 21, 63, 66, 74, 124, 180 accelerators, hardware .acl...
  • Page 380 files 170 deactivating 188 hostnames 185 default file 357 hostnames and IP addresses 162 distributed administration and 53 introduction to 171 editing settings for virtual servers 206 IP addresses 185 file, defines the mapping from an ACL to an LDAP directories and 185 LDAP database 73 methods (Basic, SSL) 163 files, syntax 351...
  • Page 381 stopping 50 JVM, configuring 294 UI overview 27 x509v3 certificates 126 URL navigation to 36 authentication administration, distributed client certificate 164 enabling 52 hostnames 169 SSL 165 administrator’s userid (superuser) 36 users and groups 162 administrators Authentication Database 185 distributed administration 52 authentication methods admpw 33, 52 types 184...
  • Page 382 using the built-in root certificate module 100 virtual servers 89 c 126 x509v3, attributes 126 certmap.conf 125, 164 approval process (one day to two months) 96 default properties 125 definition (Certificate Authority) 88 LDAP searches 124 trusting 97 sample mappings 128 types 122 using 125 cache control directives...
  • Page 383 check-acl 357 defined 368 chroot 136 command line specifying directory for virtual server 137 using flexanlg to analyze access log files 216 specifying directory for virtual server class 137 Common Gateway Interface (CGI) ciphers architecture overview 28 definition 108 overview 296 setting options 130 server extension, overview of 28 TLS and SSL3 for Netscape Navigator 6.0 113...
  • Page 384 category, Character Set 326 conventions, used in this book 20 category, Default Query Handler 326 cookies category, Document Footer 326 logging, easy 215 category, Dynamic Configuration 326 cp367 319 category, Error Responses 326 cp819 319 category, Log preferences 326 CRLs (certificate revocation lists) category, remote file manipulation 327 installing and managing 102 category, Require Stronger Security 327...
  • Page 385 default listen socket (ls1) 50 definition 60 defaultclass distinguished names virtual server class 250 mapping certificates to LDAP entries 124 DELETE 187 distributed administration Directory Server, required for 53 delete access 188 enabling 52 deleting groups web applications 290 ACLs and 53 deleting users 70 required for access control 161 deny 201...
  • Page 386 dsgw.conf 33 error logs 211 virtual servers, configuring 282 dsgwfilter.conf 33 Error qos-error 225 dsgwlanguage.conf 33 error responses, customizing 318 dsgw-orgperson.conf 33 errors dsgwserarchprefs.conf 33 customizing responses 318 dynamic configuration files euc 363 working with 195 event variables dynamic group traps 228 definition 72 Event Viewer 218...
  • Page 387 defined 370 finding 76 managing 75 files renaming 81 access control 170 restricting access 162 certmap.conf 125 groups, static filter 74 definition 70 memberURL 70 guidelines for creating 71 FilterComps 126 groups, users FIPS 120 about 60 FIPS-140 groups-with-users 199 enabling 121 guidelines flex_anlg 216...
  • Page 388 htconvert 198 info access 188 HTML 362 INIT 240 defined 371 init-clf 215 server-parsed, setting up 322 InitFn 127 HTML, server-parsed inittab 90, 151, 152 file cache 158 defined 371 HTTP editing 151 compliance with 1.1 346 restarting servers 151 defined 371 starting the server with 151 requests 346...
  • Page 389 configuring paths 57 key-pair file download location 57 introduction 89 securing 134 Java Runtime Environment (JRE) 288 configuring paths 57 keys exporting with pk12util 117 Java Servlet API 287 importing with pk12util 118 Java Servlets architecture overview 29 Java Servlets and JavaServer Pages server extensions, overview of 29 Java Virtual Machine (JVM) runtime environment 29...
  • Page 390 entries, formatting 333 specifying options 54 import and export functions, about 61 virtual servers 255, 266 lib directory 34 log preferences setting 214 libdigest-plugin.ldif 167 log rotation libdigest-plugin.lib 167 cron-based 213 libnssckbi.sl 100 internal daemon 213 libnssckbi.so 100 log, access Library 127 location 209 LICENSE.txt 35...
  • Page 391 managed objects 228, 243 MKDIR 187 Management Information Base (MIB) MMappedSessionManager 295 location, Netscape 228 MMapSessionManager 33, 34 management information base (MIB) modules defines managed objects 228 PKCS#11, adding 116 manual directory 34 modules, software 27 master agent modutil CONFIG file, editing 239 installing PKCS#11 modules 116 SNMP 228 MortalityTimeSecs 154...
  • Page 392 nesInstanceStatusChange 232 netscapeReversiblePassword 168 nesInstanceTable 229 netscapeReversiblePasswordobject 168 nesInstanceUptime 229 network management station (NMS) 227 nesInstanceVersion 229 NEWS 363 nesListenAddress 232 NIS, defined 373 nesListenEntry 232 NMS-initiated communication 243 nesListenId 232 NNTP defined 373 nesListenIndex 232 nobody user account 51 nesListenPort 232 nonce 166 nesListenSecurity 232...
  • Page 393 operators exporting certificates and keys with pk12util 117 attribute expressions 356 importing certificates and keys with pk12util 118 for Chinese, Japanese, and Korean 361 installing using modutil 116 module, adding 116 options components available at installation 30 plugins directory 34 OR 362 pool parameter 159 or 356...
  • Page 394 module, adding 116 remote servers adding to a cluster 142 PUT 187, 346 REQ_ABORTED 130 REQ_NOACTION 130 REQ_PROCEED 130 request data 347 request headers qos-error, Error 225 list of 347 qos-handler, AuthTrans 225 request-digest 167 quality of service requests concurrent connections, virtual servers 227 HTTP 346 example 222 require 204...
  • Page 395 Security & Access Control application services overview 29 SAF samples security directives 115 location 225 See alsos sagt 235 managing 79 sagt, command for starting Proxy SNMP agent 236 Server 349 samples directory 34 server scope 74 general capabilities, international search considerations 359 document formats, for Japanese, Korean, and...
  • Page 396 migrating to 6.0 45 setup directory 35 ports under 1024 51 shell CGI 303 remote, adding to a cluster 142 shell programs removing from a cluster 144 installing CGI, Windows NT/2000 303 restart time interval, changing 153 shutting down the Administration Server 50 restarting (NT) 152 sjis 363 restarting (Unix) 151...
  • Page 397 authentication 165 quality of service bandwidth lost when server defined 375 reconfigured dynamically 226 enabling 112 settings for measuring traffic 222 enabling on Administration Server 109 types available for monitoring server 220 information needed to enable 93 stats-xml 220 parameters, one set of per virtual server status codes connection group 269 HTTP 348...
  • Page 398 two-way encryption, ciphers 108 type, search options telephoneNumber 63 list of 66 telnet 376 termination timeout magnus.conf 150 setting 150 testacl 358 thread limit, tuning 154 uid 63, 127 thread pools defined 376 information you specify to add 158 uniqueMembers 70 syntax in virtual server class obj.conf 159 unit, organizational time interval, server restarts...
  • Page 399 changing 67 VeriSign Certificate creating new 62 installing 92 default language 64 requesting 91 deleting 70 version files Directory Server 63 deleting, JSPs and servlets 295 finding 64 Viewer, Event 218 guidelines for creating 61 viewing 211 how to remove the old full name or uid values viewing events 218 when renaming 69 virtual server class...
  • Page 400 deploying 267 when requiring different trusted CAs 123 deploying servlets and JSPs outside of web vs_port 290, 292 applications 294 vs_urlhost 290, 292 document preferences, setting 315 dynamic reconfiguration 259 each class has separate configuration information 248 editing ACL settings 206 editing settings via Class Manager 279 WaitingThreads 155 editing settings via Virtual Server Manager 276...
  • Page 401 x-euc-jp 319 x-mac-roman 319 x-sjis 319 Index...
