Netscape Enterprise Server 6.1 - 08-2002 Administrator's Manual


Administrator's Guide
Netscape Enterprise Server
Version 6.1
August 2002


Summary of Contents for Netscape Enterprise Server 6.1 - 08-2002 Administrator's Guide

  • Page 1 Administrator’s Guide Netscape Enterprise Server Version 6.1 August 2002...
  • Page 2 Netscape Communications Corporation ("Netscape") and its licensors retain all ownership rights to the software programs offered by Netscape (referred to herein as "Software") and related documentation. Use of the Software and related documentation is governed by the license agreement for the Software and applicable copyright law. Your right to copy this documentation is limited by copyright law.
  • Page 3: Table Of Contents

    Contents About This Guide ............. . 17 What’s In This Guide? .
  • Page 4 UNIX and Linux Platforms ............35 Virtual Server Configuration .
  • Page 5 Using LDIF ............... . . 61 Creating Users .
  • Page 6 Chapter 5 Securing Your Enterprise Server ........87 Requiring Authentication .
  • Page 7 Selecting the Certificate Name for a Connection Group ....... 118 FIPS-140 Standard .
  • Page 8 Accessing stdout() and stderr() Messages (UNIX/Linux) ....... . . 150 Setting the Termination Timeout .
  • Page 9 Setting Access Rights ............. . . 186 Writing Customized Expressions .
  • Page 10 Cookie Logging ..............213 Running the Log Analyzer .
  • Page 11 Virtual Server Classes ............. . . 247 The obj.conf File .
  • Page 12 Chapter 12 Creating and Configuring Virtual Servers ......273 Creating a Virtual Server ............. . . 273 Editing Virtual Server Settings .
  • Page 13 Using the Query Handler ............. . 304 Chapter 14 Content Management .
  • Page 14 control Command ..............333 Options .
  • Page 15 Appendix D International Content Support ........357 Entering UTF-8 Data .
  • Page 16 Netscape Enterprise Server Administrator’s Guide • August 2002...
  • Page 17: About This Guide

    About This Guide This guide describes how to configure and administer Netscape® Enterprise Server, Version 6.1. It is intended for information technology administrators in the corporate enterprise who want to extend client-server applications to a broader audience through the World Wide Web. This preface includes the following sections: •...
  • Page 18: How This Guide Is Organized

    How This Guide Is Organized This guide is divided into five parts, plus a glossary, and a comprehensive index. If you are new to Netscape Enterprise Server 6.1, begin with Part I, “Server Basics” for an overview of the product. If you are already familiar with this version of Enterprise Server, skim the material in Part I, “Server Basics”...
  • Page 19: Part Iii: Configuring, Monitoring, And Performance Tuning

    How This Guide Is Organized • Chapter 4, “Managing Users and Groups” describes how to use the Administration Server Users and Groups forms to configure your Enterprise Servers. • Chapter 5, “Securing Your Enterprise Server” describes how to configure your Enterprise Server security.
  • Page 20: Part V: Appendices

    Conventions Used In This Guide • Chapter 11, “Using Virtual Servers” describes how to set up and administer virtual servers using your Enterprise Server. • Chapter 12, “Creating and Configuring Virtual Servers” describes how you can create and configure individual virtual servers. •...
  • Page 21: Using The Enterprise Server Documentation

    Using the Enterprise Server Documentation This typeface is used for any text that you should type. It’s also used for functions, examples, URLs, filenames, and directory paths. Using the Enterprise Server Documentation The following table lists the tasks and concepts that are described in the Enterprise Server manuals and online README file.
  • Page 22 Using the Enterprise Server Documentation Enterprise Server Table 1 Documentation (Continued) For information about See the following Planning your directory service. How you can use the directory Netscape Directory Server Deployment server to support simple usage that involves only a few hundred Manual users and some key server applications, as well as how you can scale the directory server to support millions of users.
  • Page 23: Part 1 Server Basics

    Part 1 Server Basics Chapter 1, “Introduction to Enterprise Server” Chapter 2, “Administering Enterprise Servers”...
  • Page 24 Netscape Enterprise Server Administrator’s Guide • August 2002...
  • Page 25: Chapter 1 Introduction To Enterprise Server

    Chapter 1 Introduction to Enterprise Server This chapter introduces Netscape Enterprise Server and discusses some of the fundamental server concepts. Read it to obtain an overview of how Enterprise Server works. This chapter includes the following sections: • Enterprise Server •...
  • Page 26: Enterprise Server Features

    Enterprise Server Enterprise Server Features Enterprise Server is primarily designed to provide access to your business HTML files. In addition, it offers the following features: • Enterprise-wide manageability—Including delegated administration, cluster management, and LDAP (Lightweight Directory Access Protocol) support. LDAP integration with Directory Server enables you to store users and groups in a centralized directory.
  • Page 27: Administering And Managing Enterprise Servers

    Enterprise Server Architecture Administering and Managing Enterprise Servers You can manage your Enterprise Server(s) via the following user interfaces: • Enterprise Server Administration Server • Server Manager • Class Manager • Virtual Server Manager In previous releases, the Enterprise Server and other Netscape servers were administered by a single server, called the Administration Server.
  • Page 28: Content Engines

    Enterprise Server Architecture • Application Services These server modules are described in the following sections. Content Engines Enterprise Server content engines are designed for manipulating customer data. The following content engines make up the content layer of the Enterprise Server architecture: •...
  • Page 29: Runtime Environments

    Enterprise Server Configuration Java Servlets and JavaServer Pages extensions enable all Java servlet and JavaServer page meta-functions, including instantiation, initialization, destruction, access from other components, and configuration management. Java servlets and JavaServer pages are reusable Java applications that run on a web server rather than in a web browser.
  • Page 30: Enterprise Server Component Options

    Enterprise Server Configuration The server includes a number of configuration files which are stored in server_root/https-server_id/config and server_root/https-admserv/config when installed on your computer. This section includes the following topics: • Enterprise Server Component Options • Enterprise Server Configuration Files • Single-Server Configuration •...
  • Page 31: Dynamic Reconfiguration

    Enterprise Server Configuration magnus.conf: contains global server configuration information (such as security and default language selection). This file sets the values for variables that configure the server during initialization. Enterprise Server reads this file and executes the variable settings on startup. The server does not read this file again until it is restarted, so you must restart the server every time you make changes to this file.
  • Page 32: Single-Server Configuration

    Enterprise Server Configuration To access the dynamic reconfiguration screen and install a new configuration dynamically, click the Apply link found in the upper right corner of the Server Manager, Class Manager, and Virtual Server Manager pages, then click the Load Configuration Files button on the Apply Changes page.
  • Page 33 Enterprise Server Configuration This directory contains shell scripts to start, stop, and restart the server, start JVM, and a script to rotate log files. ClassCache contains classes and Java files, generated as a result of the compilation of JavaServer Pages. conf_bk contains backup copies of the Administration Server’s configuration files.
  • Page 34 Enterprise Server Configuration restart is the script that restarts the server. rotate rotates server log files without affecting users who may be connected to the server. SessionData contains session database data from MMapSessionManager. startsvr.bat is the script that starts the Server Manager. The Server Manager lets you configure all servers installed in the server root directory.
  • Page 35: Unix And Linux Platforms

    Enterprise Server Configuration • README.txt is the readme file that contains a link to the Netscape Enterprise Server Release Notes. UNIX and Linux Platforms In addition to the files and directories described in “All Platforms,” on page 32, the following files are created at the directory for UNIX®...
  • Page 36: Multiple-Server Configuration

    Administration Server Multiple-Server Configuration You can have multiple web servers running on the same server machine. Multiple web servers can be configured from a single-server administration interface called the Administration Server. Administration Server The Administration Server is a web-based server that contains the Java forms you use to configure all of your Enterprise Servers.
  • Page 37: Server Manager

    Server Manager • Cluster Mgmt (Cluster Management) NOTE Enterprise Server requires a browser that supports frames and has JavaScript and cookies enabled. For more information on using the Administration Server, including information regarding these administration-level tasks, see Chapter 2, “Administering Enterprise Servers.”...
  • Page 38: Using The Resource Picker

    Server Manager • Legacy Servlets For more information, see the Server Manager in the online help. Using the Resource Picker Most of the Server Manager and Class Manager pages configure the entire Enterprise Server or an entire class. However, some pages can configure either the entire server (or class) or files and directories that the server (or class) maintains.
  • Page 39: Class Manager

    Class Manager The Class Manager is a web-based interface that contains the Java forms you use to configure your virtual Enterprise Servers. The user interface for virtual servers has two parts, the Server Manager and the Class Manager. The Class Manager contains settings that affect a single class or single virtual server.
  • Page 40 Virtual Server Manager The Virtual Server Manager provides the following tabs to manage your Enterprise Server virtual servers: • Preferences • Logs • Web Applications Netscape Enterprise Server Administrator’s Guide • August 2002...
  • Page 41: Chapter 2 Administering Enterprise Servers

    Chapter 2 Administering Enterprise Servers This chapter describes how to administer Netscape Enterprise Server with the Enterprise Server Administration Server. Using the Administration Server, you can manage servers, add and remove servers, and migrate servers from a previous release. This chapter includes the following sections: •...
  • Page 42: Windows Nt/Windows 2000 Platforms

    Accessing the Administration Server Windows NT/Windows 2000 Platforms The Enterprise Server installation program creates a program group with several icons for Windows NT/Windows 2000 platforms. The program group includes the following icons: • Release Notes • Start Administration Server • Uninstall Enterprise Server 6.1 •...
  • Page 43: Running Multiple Servers

    Running Multiple Servers There are two ways you can have multiple web servers running on your system: • Use virtual servers • Install multiple instances of the server Virtual Servers Virtual servers allow you, with a single installed server, to offer companies or individuals domain names, IP addresses, and some server administration capabilities.
  • Page 44: Removing A Server

    Removing a Server If you installed your server before configuring your system to host multiple IP addresses, configure your system to respond to different IP addresses. Then you can either install IP virtual servers or change the server’s bind address using the Server Manager and install separate instances of the server for each IP address.
  • Page 45: Migrating A Server

    Migrating a Server You can migrate a server instance from iPlanet™ Web Server 4.x to Enterprise Server 6.1. Your iPlanet Web Server 4.x server instance is preserved, and a new Enterprise Server 6.1 server using the same settings is created. You should stop running iPlanet Web Server 4.x before migrating settings.
  • Page 46 Migrating a Server Netscape Enterprise Server Administrator’s Guide • August 2002...
  • Page 47: Part 2 Using The Administration Server

    Part 2 Using the Administration Server Chapter 3, “Setting Administration Preferences” Chapter 4, “Managing Users and Groups” Chapter 5, “Securing Your Enterprise Server” Chapter 6, “Managing Server Clusters”...
  • Page 48 Netscape Enterprise Server Administrator’s Guide • August 2002...
  • Page 49: Chapter 3 Setting Administration Preferences

    Chapter 3 Setting Administration Preferences You can configure your Netscape Enterprise Server Administration Server using the pages on the Preferences and Global Settings tabs. Note that you must enable cookies and JavaScript in your browser to configure your server. This chapter includes the following sections: •...
  • Page 50: Editing Listen Socket Settings

    Editing Listen Socket Settings You can stop the server using one of the following methods: • Access the Administration Server, choose the Preferences tab, select the Shut Down link, and click the “Shut down the administration server!” button. For more information, see The Shut Down Page in the online help. •...
  • Page 51: Changing The Superuser Settings

    Changing the Superuser Settings You do not need to specify a server user if you chose a port number greater than 1024 and are not running as root (in this case, you do not need to be logged on as root to start the server).
  • Page 52: Allowing Multiple Administrators

    Allowing Multiple Administrators To change the superuser settings for the Administration Server, perform the following steps: Access the Administration Server and choose the Preferences tab. Click the Superuser Access Control link. Make the desired changes and click OK. The superuser’s user name and password are kept in a file called .
  • Page 53 Allowing Multiple Administrators • end users can view read-only data stored in the database. Additionally, end users may be granted access permissions to change only specific data. For an in-depth discussion of access control for Enterprise Server, see “What Is Access Control?,”...
  • Page 54: Specifying Log File Options

    Specifying Log File Options The Enterprise Server Administration Server log files record data about the server, including the types of errors encountered and information about server access. Viewing these logs allows you to monitor server activity and troubleshoot problems by providing data like the type of error encountered and the time certain files were accessed.
  • Page 55: The Error Log File

    Specifying Log File Options The Error Log File The error log lists all the errors the server has encountered since the log file was created. It also contains informational messages about the server, such as when the server was started and who tried unsuccessfully to log in to the server. To view the error log file, perform the following steps: Access the Enterprise Server Administration Server and choose the Preferences tab.
  • Page 56: Configuring Directory Services

    Configuring Directory Services To restart, start, or stop cron control, perform the following steps: Access the Enterprise Server Administration Server and choose the Global Settings tab. Click the Cron Control link. Click Restart, Start, or Stop to change the cron controls. Note that any time you add a task to cron, you need to restart the daemon.
  • Page 57: Configuring Jre/Jdk Paths

    Configuring JRE/JDK Paths You can set access control globally for all servers through the Enterprise Server Administration Server or for a resource within a specific server instance through the Server Manager. For more information about setting access control for a resource, see “Setting Access Control,”...
  • Page 58 Configuring JRE/JDK Paths Click the radio button corresponding to the feature to enable. For instance, click JDK to supply the path to the Java Development Kit installed on your machine. Enter the appropriate information and click OK. You must restart your server for changes to become effective. See The Configure JRE/JDK Paths Page in the online help for more information.
  • Page 59: Chapter 4 Managing Users And Groups

    Chapter 4 Managing Users and Groups This chapter describes how to add, delete, and edit the users and groups who can access your Netscape Enterprise Server. This chapter includes the following sections: • Using Directory Services to Manage Users and Groups •...
  • Page 60: Understanding Distinguished Names (Dns)

    Using Directory Services to Manage Users and Groups Since Enterprise Server does not support local LDAP, you must have a directory server installed before you can add users and groups. Understanding Distinguished Names (DNs) Use the Users and Groups tab of the Administration Server to create or modify users, groups, and organizational units.
  • Page 61: Using Ldif

    Creating Users Using LDIF If you do not currently have a directory, or if you want to add a new subtree to an existing directory, you can use the Directory Server’s Administration Server LDIF import function. This function accepts a file containing LDIF and attempts to build a directory or a new subtree from the LDIF entries.
  • Page 62: How To Create A New User Entry

    Creating Users • The user ID must be unique. The Administration Server ensures that the user ID is unique by searching the entire directory from the search base (base DN) down to see if the user ID is in use. Be aware, however, that if you use the Directory Server ldapmodify command line utility (if available) to create a...
  • Page 63: Directory Server User Entries

    Creating Users Directory Server User Entries The following user entry notes may be of interest to the directory administrator: • User entries use the inetOrgPerson, organizationalPerson, and person object classes. • By default, the distinguished name for users is of the form: cn=full name, ou=organization, ...,o=base organization, c=country For example, if a user entry for Babs Jensen is created within the organizational unit Marketing, and the directory’s base DN is o=Example Corporation, c=US,...
  • Page 64: Managing Users

    Managing Users • Sometimes a user’s name can be more accurately represented in characters of a language other than the default language. You can select a preferred language for users so that their names will display in the characters of that language, even when the default language is English.
  • Page 65: Building Custom Search Queries

    Managing Users A name. Enter a full name or a partial name. All entries that exactly match the search string will be returned. If no such entries are found, all entries that contain the search string will be found. If no such entries are found, any entries that sound like the search string are found.
  • Page 66 Managing Users • The left-most pull-down list allows you to specify the attribute on which the search will be based. The available search attribute options are described in the following table: Table 4-3 Search Attribute Options Option Name Description full name Search each entry’s full name for a match.
  • Page 67: Editing User Information

    Managing Users Table 4-4 Search Type Options Option Name Description sounds like Causes an approximate, or phonetic, search to be performed. Use this option if you know an attribute’s value, but you are unsure of the spelling. For example, if you are not sure if a user’s name is spelled “Sarret,”...
  • Page 68: Managing A User's Password

    Managing Users In addition, note that you can change the user’s first, last, and full name field from this form, but to fully rename the entry (including the entry’s distinguished name), you need to use the Rename User form. For more information on how to rename an entry, see “Renaming Users,”...
  • Page 69: Renaming Users

    Managing Users Access the Enterprise Server Administration Server and choose the Users & Groups tab. Display the user entry as described in “Finding User Information,” on page 64. Click the Licenses link at the top of the User Edit form. Make the desired changes and click OK.
  • Page 70: Removing Users

    Creating Groups server_root/https-admserv/config/dsgw-orgperson.conf For more information, see The Manage Users Page in the online help. Removing Users To delete a user entry, perform the following steps: Access the Enterprise Server Administration Server and choose the Users & Groups tab. Display the user entry as described in “Finding User Information,” on page 64. Click Delete User.
  • Page 71: Static Groups

    Creating Groups For static and dynamic groups, members can share a common attribute from a certificate if you use the memberCertDescription attribute. Note that these will only work if the ACL uses the SSL method. Once you create a new group, you can add users, or members, to it. This section includes the following topics for creating groups: •...
  • Page 72: Dynamic Groups

    Creating Groups For more information, see The New Group Page in the online help. Dynamic Groups A dynamic group has an objectclass of groupOfURLs, and has zero or more memberURL attributes, each of which is an LDAP URL that describes a set of objects. Enterprise Server enables you to create a dynamic group when you want to group users automatically based on any attribute, or when you want to apply ACLs to...
  • Page 73: Groups Can Be Static And Dynamic

    Creating Groups The DNs are included automatically, without your having to add each individual to the group. The group changes dynamically, because Enterprise Server performs an LDAP server search each time a group lookup is needed for ACL verification. The user and group names used in the ACL file correspond to the attribute of the objects in the LDAP database.
  • Page 74 Creating Groups • Enter the group’s LDAP URL using the following format (without host and port info, since these parameters are ignored): ldap:///<basedn>?<attributes>?<scope>?<(filter)> The required parameters are described in the following table: Table 4-5 Dynamic Groups: Required Parameters Parameter Name Description <base_dn> The Distinguished Name (DN) of the search base, or point from...
  • Page 75: To Create A Dynamic Group

    Managing Groups • If any organizational units have been defined for your directory, you can specify where you want the new group to be placed using the Add New Group To list. The default location is your directory’s root point, or top-most entry. •...
  • Page 76: Finding Group Entries

    Managing Groups Finding Group Entries Before you can edit a group entry, first you must find and display the entry. To find a group entry, perform the following steps: Access the Enterprise Server Administration Server and choose the Users & Groups tab.
  • Page 77: Editing Group Attributes

    Managing Groups For more information regarding how to build a custom search filter, see “Building Custom Search Queries,” on page 65. Editing Group Attributes To edit a group entry, perform the following steps: Access the Enterprise Server Administration Server and choose the Users & Groups tab.
  • Page 78: Adding Groups To The Group Members List

    Managing Groups A name. Enter a full name or a partial name. All entries whose name matches the search string are returned. If no such entries are found, all entries that contain the search string are found. If no such entries are found, any entries that sound like the search string are found.
  • Page 79: Removing Entries From The Group Members List

    Managing Groups Removing Entries from the Group Members List To delete an entry from the group members list, perform the following steps: Access the Enterprise Server Administration Server and choose the Users & Groups tab. Click the Manage Groups link, locate the group you want to manage as described in “Finding Group Entries,”...
  • Page 80: Removing Groups

    Managing Groups You manage see alsos the same way as you manage the group members list. The following table shows you which section to read for more information: Table 4-7 Additional Information Task You Want to Complete Read Section Add users to see alsos “Adding Group Members,”...
  • Page 81: Renaming Groups

    Creating Organizational Units Renaming Groups To rename a group, perform the following steps: Access the Enterprise Server Administration Server and choose the Users & Groups tab. Click the Manage Groups link and locate the group you want to manage as described in “Finding Group Entries,”...
  • Page 82: Managing Organizational Units

    Managing Organizational Units ou=new organization, ou=parent organization, ...,o=base organization, c=country For example, if you create a new organization called Accounting within the organizational unit West Coast, and your Base DN is o=Example Corporation, c=US, then the new organization unit’s DN is: ou=Accounting, ou=West Coast, o=Example Corporation, c=US Managing Organizational Units You edit and manage organizational units from the Organizational Unit Edit form.
  • Page 83: The "Find All Units Whose" Field

    Managing Organizational Units As an alternative, use the pull down menus in the Find all units whose field to narrow the results of your search. In the Look within field, select the organizational unit under which you want to search for entries. The default is the root point of the directory.
  • Page 84: Renaming Organizational Units

    Managing Organizational Units Renaming Organizational Units To rename an organizational unit entry, access the Enterprise Server Administration Server and perform the following steps: Make sure no other entries exist in the directory under the organizational unit that you want to rename. Locate the organizational unit you want to edit as described in “Finding Organizational Units,”...
  • Page 85: Managing A Preferred Language List

    Managing a Preferred Language List Enterprise Server enables you to display and maintain the list of preferred languages. To manage the preferred language list, perform the following steps: Access the Enterprise Server Administration Server and choose the Users & Groups tab.
  • Page 86 Managing a Preferred Language List Netscape Enterprise Server Administrator’s Guide • August 2002...
  • Page 87: Chapter 5 Securing Your Enterprise Server

    Chapter 5 Securing Your Enterprise Server This chapter describes how to activate the various security features designed to safeguard your data, deny intruders access, and allow access to those you want. Netscape Enterprise Server 6.1 incorporates the security architecture of all Netscape servers: it’s built on industry standards and public protocols for maximum interoperability and consistency.
  • Page 88: Requiring Authentication

    Requiring Authentication • Considering Additional Security Issues Requiring Authentication Authentication is the process of confirming an identity. In the context of network interactions, authentication is the confident identification of one party by another party. Certificates are one way of supporting authentication. Using Certificates for Authentication A certificate consists of digital data that specifies the name of an individual, company, or other entity, and certifies that the public key, included in the...
  • Page 89: Virtual Server Certificates

    Creating a Trust Database Virtual Server Certificates You can have a different certificate database per virtual server. Each virtual server database can contain multiple certificates. Virtual servers can also have different certificates within each instance. Creating a Trust Database Before requesting a server certificate, you must create a trust database. In Enterprise Server the Administration Server and each server instance can have its own trust database.
  • Page 90: Using Password.conf

    Creating a Trust Database For the Server Manager, click Apply, and then Restart for changes to take effect. After creating a certificate trust database for your server, you can request a certificate and submit it to a Certificate Authority (CA). If your company has its own internal CA, request your certificate from them.
  • Page 91: Start An Ssl-Enabled Server Automatically

    Requesting and Installing a VeriSign Certificate Start an SSL-enabled Server Automatically If security risks are not a concern for you, follow these steps to start your SSL-enabled server automatically: Make sure SSL is on. See “Turning Security On,” on page 109. Create a new file in the subdirectory of the server...
  • Page 92: Installing A Verisign Certificate

    Requesting and Installing Other Server Certificates Follow the VeriSign procedure. Installing a VeriSign Certificate If you request and receive approval for a VeriSign certificate, it should appear in the drop-down list of the Install VeriSign Certificate page in one to three days. To install a VeriSign Certificate, perform the following steps: Access either the Enterprise Server Administration Server or the Server Manager and choose the Security tab.
  • Page 93: Required Ca Information

    Requesting and Installing Other Server Certificates Required CA Information Before you begin the request process, make sure you know what information your CA requires. Whether you are requesting a server certificate from a commercial CA or an internal CA, you need to provide the following information: •...
  • Page 94: Requesting Other Server Certificates

    Requesting and Installing Other Server Certificates Some commercial CAs offer certificates with greater detail and veracity to organizations or individuals who provide more thorough identification. For example, you might be able to purchase a certificate stating that the CA has not only verified that you are the rightful administrator of the www.example.com computer, but that you are a company that has been in business for three years,...
  • Page 95 Requesting and Installing Other Server Certificates NOTE There are many factors that affect SSL performance, such as server load, operating system and SSL hardware accelerators. Also, older browsers might have problems with the larger key size. Do not change the key size without first determining if it is necessary for your environment.
  • Page 96: Installing Other Server Certificates

    Requesting and Installing Other Server Certificates The CA will notify you if it agrees to issue you a certificate. In most cases, the CA will send your certificate via email. If your organization is using a certificate server, you may be able to search for the certificate by using the certificate server’s forms. NOTE Not everyone who requests a certificate from a commercial CA is given one.
  • Page 97: Installing A Certificate

    Requesting and Installing Other Server Certificates Installing a Certificate To install a certificate, perform the following steps: Access either the Enterprise Server Administration Server or the Server Manager and choose the Security tab. For the Server Manager you must first select the server instance from the drop-down list.
  • Page 98: Migrating Certificates When You Upgrade

    Migrating Certificates When You Upgrade If you copy and paste the text, be sure to include the headers -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, including the beginning and ending hyphens. Click OK. Select either: Add Certificate if you are installing a new certificate. Replace Certificate if you are installing a certificate renewal.
  • Page 99: Using The Built-In Root Certificate Module

    Migrating Certificates When You Upgrade From your local machine, access either the Administration Server or the Server Manager and choose the Security tab. For the Server Manager you must first select the server instance from the drop-down list. Choose the Migrate 3.X Certificates link from the Administration Server, or the Migrate Certificate link from the Server Manager.
  • Page 100: Managing Certificates

    Managing Certificates If you later wish to restore the root certificate module, you can copy the extension from bin/https/lib (UNIX and HP-UX) or bin\https\bin (Windows NT/Windows 2000) back into the alias subdirectory. You can modify the trust information of the root certificates. The trust information is written to the certificate database for the server instance being edited, not back to the root certificate module itself.
  • Page 101: Installing And Managing Crls And Ckls

    Installing and Managing CRLs and CKLs For the Server Manager, click Apply, and then Restart for changes to take effect. Certificate information includes the owner and who issued it. Trust settings allow you to set client trust or unset server trust. For LDAP server certificates the server must be trusted.
  • Page 102: Managing Local Crls And Ckls

    Installing and Managing CRLs and CKLs If you selected Certificate Revocation List, the Add Certificate Revocation List page will appear listing CRL information. If you selected Compromised Key List, the Add Compromised Key List page will appear listing CKL information. NOTE If a CRL or CKL list already exists in the database, a Replace Certificate Revocation List or Replace Compromised Key List page...
  • Page 103: Configuring Remote Crls

    Configuring Remote CRLs Configuring Remote CRLs Configure automatic CRL downloads to help ensure that your CRLs are kept up to date with minimal inconvenience. Enterprise Server supports CRL downloads over HTTP, HTTP over SSL, LDAP, and LDAP over SSL. Once a CRL is downloaded, Enterprise Server stores the information in memory.
  • Page 104 Configuring Remote CRLs how often the CRL is updated; the system time for the CRL download server; whether the CRL has a Next Update field. Access either the Enterprise Server Administration Server or the Server Manager and choose the Security tab. For the Server Manager you must first select the server instance from the drop-down list.
  • Page 105 Configuring Remote CRLs NOTE If a CRL download URL uses the HTTPS or the LDAPS protocol, verify with the CA that the certificate for the CRL server has not been revoked. Enterprise Server will not communicate with a client or server with a revoked certificate. At startup, Enterprise Server does not yet have any CRLs stored in memory, so if the certificate has been revoked, the initial CRL update succeeds.
  • Page 106: Reducing The Ssl3/Tls Session Cache Timeout

    Configuring Remote CRLs When you are ready to save your configuration settings, click OK. A popup message tells you your Automatic/Remote Certificate Revocation List (CRL) Settings have been updated. Click OK to dismiss the popup. The page reloads with your updated settings. Repeat Step 6 through Step 10 as needed for all the CRLs you want to configure for automatic downloading.
  • Page 107: Setting Security Preferences

    Setting Security Preferences Setting Security Preferences Once you have a certificate, you can begin securing your server. Several security elements are provided by Enterprise Server. Encryption is the process of transforming information so it is unintelligible to anyone but the intended recipient. Decryption is the process of transforming encrypted information so that it is intelligible again.
  • Page 108: Ssl And Tls Protocols

    Setting Security Preferences SSL and TLS Protocols Enterprise Server 6.1 supports the Secure Sockets Layer (SSL) and the Transport Layer Security (TLS) protocols for encrypted communication. SSL and TLS are application independent, and higher level protocols can be layered transparently on them.
  • Page 109: Enabling Security For Connection Groups

    Setting Security Preferences Enabling Security for Connection Groups You can secure your server’s connection groups by: • Turning the security on • Selecting a server certificate for a connection group • Selecting ciphers Turning Security On You must turn security on before you can configure the other security settings for your connection group.
  • Page 110: Selecting A Server Certificate For A Connection Group

    Setting Security Preferences Access either the Administration Server or the Server Manager and choose the Security tab. For the Server Manager you must first select the server instance from the drop-down list. Select the Preferences tab, if not already displayed. Choose the Edit Listen Sockets link.
  • Page 111: Selecting Ciphers

    Setting Security Preferences Click the Attributes link. The Security Settings of Listen Socket page appears. NOTE If you have an external module installed, the Manage Server Certificates page will appear requiring the external module’s password before you can continue. Select a server certificate from the drop-down CertificateName list for the connection group.
  • Page 112 Setting Security Preferences Click the Edit Listen Sockets link. The Listen Socket Table page appears. Use the drop-down Action list to select Edit, if not already displayed, for the connection group you are enabling security for. Use the drop-down list to turn Security on for that connection group, if it is off. Click OK.
  • Page 113: Configuring Security Globally

    Setting Security Preferences For the Server Manager, click Apply, and then Restart for changes to take effect. NOTE When you apply changes after turning on security for a connection group, the magnus.conf file is automatically modified to show security on, and all virtual servers associated with the connection group are automatically assigned the default security parameters.
  • Page 114: Sslsessiontimeout

    Using External Encryption Modules Enter the values for: SSLSessionTimeout, SSLCacheEntries, SSL3SessionTimeout. Click OK. Click Apply, and then Restart for changes to take effect. These SSL Configuration File Directives are described below: The SSLSessionTimeout directive controls SSL2 session caching. Syntax: SSLSessionTimeout seconds. SSLSessionTimeout is the number of seconds until a cached SSL session becomes invalid.
  • Page 115: Installing The Pkcs#11 Module

    Using External Encryption Modules • FIPS-140 You will need to add the PKCS #11 module before activating the FIPS-140 encryption standard. Installing the PKCS#11 Module Enterprise Server supports Public Key Cryptography Standard (PKCS) #11, which defines the interface used for communication between SSL and PKCS#11 modules. PKCS#11 modules are used for standards-based connectivity to SSL hardware accelerators.
  • Page 116: Using Pk12Util

    Using External Encryption Modules Perform the actions required. For example, to add the PKCS#11 module in UNIX you would enter: modutil -add PKCS#11_file_name -libfile PKCS#11_libfile -nocertdb -dbdir db_directory. Using pk12util allows you to export certificates and keys from your internal database and to import them into an internal or external PKCS#11 module.
  • Page 117 Using External Encryption Modules Enter the pkcs12 password. Importing with pk12util To import a certificate and key into an internal or external PKCS#11 module, perform the following steps: Go to the server_root/alias directory containing the databases. Add server_root/bin/https/admin/bin to your PATH. Locate pk12util in server_root/bin/https/admin/bin. Set the environment.
  • Page 118: Selecting The Certificate Name For A Connection Group

    Using External Encryption Modules The server always tries to start with the certificate named “Server-Cert.” However, certificates in external PKCS#11 modules include one of the module’s token names in their identifier. For example, a server certificate installed on an external smartcard reader called “smartcard0”...
  • Page 119: Fips-140 Standard

    Using External Encryption Modules To find what value to use for $TOKENNAME, go to the server’s Security tab and select the Manage Certificates link. When you log in to the external module where Server-Cert is stored, its certificates are displayed in the list in the form token_name:nickname NOTE...
  • Page 120: Setting Client Security Requirements

    Setting Client Security Requirements To enable FIPS-140, perform the following steps: Install the plug-in following the FIPS-140 instructions. Access either the Administration Server or the Server Manager and choose the Preferences tab. For the Server Manager you must first select the server instance from the drop-down list.
  • Page 121: Requiring Client Authentication

    Setting Client Security Requirements Requiring Client Authentication You can enable the connection groups for your Administration Server and each server instance to require client authentication. When client authentication is enabled, the client’s certificate is required before the server will send a response to a query.
  • Page 122: To Require Client Authentication

    Setting Client Security Requirements To Require Client Authentication To require client authentication, perform the following steps: Access either the Administration Server or the Server Manager and choose the Preferences tab. For the Server Manager you must first select the server instance from the drop-down list.
  • Page 123 Setting Client Security Requirements The server tries to match the CA to the list of trusted CAs in the Administration Server. If there isn’t a match, Enterprise Server ends the connection. If there is a match, the server continues processing the request. After verifying the certificate is from a trusted CA, the server maps the certificate to an LDAP entry by: •...
  • Page 124: Using The Certmap.conf File

    Setting Client Security Requirements Using the certmap.conf File Certificate mapping determines how a server looks up a user entry in the LDAP directory. You can use certmap.conf to configure how a certificate, designated by name, is mapped to an LDAP entry. You edit this file and add entries to match the organization of your LDAP directory and to list the certificates you want your users to have.
  • Page 125 Setting Client Security Requirements • DNComps is a list of comma-separated attributes used to determine where in the LDAP directory the server should start searching for entries that match the user’s information (that is, the owner of the client certificate). The server gathers values for these attributes from the client certificate and uses the values to form an LDAP DN, which then determines where the server starts its search in the LDAP directory.
  • Page 126 Setting Client Security Requirements Table 5-2 Attributes for x509v3 Certificates (columns: Attribute, Description; rows include Organizational unit, User ID, and Email address (email)). The attribute names for the filters need to be attribute names from the certificate, not from the LDAP directory. For example, some certificates have an e attribute for the user’s email address;...
  • Page 127: Creating Custom Properties

    Setting Client Security Requirements Creating Custom Properties You can use the client certificate API to create your own properties. For information on programming and using the client certificate API, see the Netscape Enterprise Server NSAPI Programmer’s Guide. Once you have a custom mapping, you reference the mapping as follows: <name>:library <path_to_shared_library>...
  • Page 128 Setting Client Security Requirements certmap usps ou=United States Postal Service, o=usps, c=US usps:DNComps ou,o,c usps:FilterComps e usps:verifycert on When the server gets a certificate from anyone other than the US Postal Service, it uses the default mapping, which starts at the top of the LDAP tree and searches for an entry matching the client’s email and userid.
  • Page 129: Setting Stronger Ciphers

    Setting Stronger Ciphers Setting Stronger Ciphers The Stronger Ciphers option presents a choice of 168, 128, or 56-bit secret key size access, or no restriction. You can specify a file to be served when the restriction is not met. If no file is specified, Enterprise Server returns a “Forbidden” status. If you select a key size for access that is not consistent with the current cipher settings under Security Preferences, Enterprise Server displays a popup dialog warning that you need to enable ciphers with larger secret key sizes.
  • Page 130: Considering Additional Security Issues

    Considering Additional Security Issues Select Stronger Ciphers. Choose what to edit: from the drop-down list, by clicking Browse, or by clicking Wildcard. Select the secret key size restriction: 168 bit or larger, 128 bit or larger, 56 bit or larger, or No restrictions. Enter the file location of the message to reject access.
  • Page 131: Limit Physical Access

    Considering Additional Security Issues • Preventing Clients from Caching SSL Files • Limiting Ports • Knowing Your Server’s Limits • Making Additional Changes to Protect Servers Limit Physical Access This simple security measure is often forgotten. Keep the server machine in a locked room that only authorized people can enter.
  • Page 132: Creating Hard-To-Crack Passwords

    Considering Additional Security Issues A good password is one you’ll remember but others won’t guess. For example, you could remember MCi12!mo as “My Child is 12 months old!” A bad password is your child’s name or birthdate. Creating Hard-to-Crack Passwords There are some simple guidelines that will help you create a stronger password.
  • Page 133: Limiting Other Applications On The Server

    Considering Additional Security Issues Access either the Administration Server or the Server Manager and choose the Security tab. For the Server Manager you must first select the server instance from the drop-down list. Select the Change Password link. Select the security token on which you want to change the password from the drop-down list.
  • Page 134: Windows Nt/Windows 2000

    Considering Additional Security Issues Windows NT/Windows 2000 Carefully consider which drives and directories you share with other machines. Also, consider which users have accounts or Guest privileges. Similarly, be careful about what programs you put on your server, or allow other people to install on your server.
  • Page 135: Making Additional Changes To Protect Servers

    Considering Additional Security Issues Making Additional Changes to Protect Servers If you want to have both protected and unprotected servers, you should operate the unprotected server on a different machine from the protected one. If your resources are limited and you must run an unprotected server on the same machine as your protected server, do the following.
  • Page 136: Specifying Chroot For A Virtual Server Class Cgis (Unix/Linux Only)

    Considering Additional Security Issues Specifying chroot for a Virtual Server Class CGIs (UNIX/Linux Only) You can specify the chroot directory for virtual server class CGIs by performing the following steps: Access the Server Manager and select the server instance from the drop-down list.
  • Page 137 Considering Additional Security Issues You can also specify the chroot directory for a virtual server using the Class Manager Virtual Servers tab and the CGI Settings link. For more information regarding how to specify a chroot directory for a virtual server, see the Netscape Enterprise Server Programmer’s Guide.
  • Page 139: Chapter 6 Managing Server Clusters

    Chapter 6 Managing Server Clusters This chapter describes the concept of clustering Netscape Enterprise Servers and explains how you can use them to share configurations among servers. This chapter includes the following sections: • About Clusters • Guidelines for Using Server Clusters •...
  • Page 140: Guidelines For Using Server Clusters

    Guidelines for Using Server Clusters • Share one or more configuration files between servers • Start and stop all servers from one “master” Administration Server • View the access and error logs for the servers you selected By clustering your Enterprise Servers, you’re able to specify a master Administration Server for administering all of your clusters.
  • Page 141: Setting Up A Cluster

    Setting Up a Cluster • Install all of the servers you want to include in a particular cluster prior to creating any clusters. • Make sure all servers in a cluster are version 6.1 Enterprise Servers. • Make sure all cluster-specific Administration Servers have the same userid and password as the master administration server.
  • Page 142: Adding A Server To A Cluster

    Adding a Server to a Cluster Administer a remote server by accessing its Server Manager forms from the cluster form or by copying a configuration file from one server in the cluster to another. NOTE After changing the configuration for a remote server, restart the remote server.
  • Page 143: Modifying Server Information

    Modifying Server Information Your master Administration Server now attempts to contact the remote server. This can take a few minutes. You will receive a message confirming the server is added to the cluster. Click OK. NOTE If you have two or more servers on different computers that use the same identifier, the server identifier and the hostname for each computer are displayed.
  • Page 144: Removing Servers From A Cluster

    Removing Servers from a Cluster Removing Servers from a Cluster To remove a server from the cluster, perform the following steps: Go to the master Administration Server and choose the Cluster Mgmt tab. Click the Remove Server link. Select the remote server or servers to modify by checking a specific server or clicking Select All. Click Reset Selection to undo all selections.
  • Page 145: Adding Variables

    Adding Variables Clicking Select All to select all of the servers in the cluster. Click Reset Selection to undo all selections. Select Start or Stop remote servers from the drop-down menu. Select View Access or View Error log records from the drop-down menu and enter the number of lines you wish to view.
  • Page 146 Adding Variables Click OK. The variable must also be added to the server’s configuration file you are transferring to the slave. For example, if Port was the variable added: SERVERPORT $Port. You can set variables with different values for each slave in the configuration file. Once added, variables can also be edited and deleted using the drop-down Option list in the Add Variables page.
  • Page 147: Part 3 Configuring, Monitoring, And Performance Tuning

    Part 3 Configuring, Monitoring, and Performance Tuning Chapter 7, “Configuring Server Preferences” Chapter 8, “Controlling Access to Your Server” Chapter 9, “Using Log Files” Chapter 10, “Monitoring Servers” Chapter 11, “Tuning Your Server for Performance”...
  • Page 149: Chapter 7 Configuring Server Preferences

    Chapter 7 Configuring Server Preferences This chapter describes how to configure server preferences for your Netscape Enterprise Server. This chapter contains the following sections: • Starting and Stopping the Server • Tuning Your Server for Performance • Editing the magnus.conf File •...
  • Page 150: Accessing Stdout() And Stderr() Messages (Unix/Linux)

    Starting and Stopping the Server The status of the server appears in the Server On/Off page. You can start and stop the server using one of the following methods: • Click Server On or Server Off in the Server On/Off page. •...
  • Page 151: Setting The Termination Timeout

    Starting and Stopping the Server To have Enterprise Server return stdout() and stderr() messages to the console from which it was started, start Enterprise Server with the options for stdout() and stderr() in conjunction with the uxwdog process. For information about the option, see “Restarting the Server (UNIX/Linux),”...
  • Page 152: Restarting With Inittab (Unix/Linux)

    Starting and Stopping the Server Restarting With Inittab (UNIX/Linux) To restart the server using inittab, put the following text on one line in the /etc/inittab file: http:2:respawn:server_root/type-identifier/start -start -i where server_root is the directory where you installed the server, and type-identifier is the server’s directory.
  • Page 153: Restarting The Server (Windows Nt/Windows 2000)

    Starting and Stopping the Server To stop the server manually, log in as root or use the server’s user account (if that is how you started the server), and then type the following at the command line: server_root/https-identifier/stop Restarting the Server (Windows NT/Windows 2000) You can restart the server by: •...
  • Page 154 Starting and Stopping the Server Changing the Time Interval (Windows NT/Windows 2000) To change the time interval that elapses between startup and the time the server can automatically restart, perform the following steps: Start the Registry Editor. Select your server’s key (located in the left side of the Registry Editor window, under HKEY_LOCAL_MACHINE\SOFTWARE\Netscape\Enterprise\6.1). Choose Add Value from the Edit menu.
  • Page 155: Tuning Your Server For Performance

    Tuning Your Server for Performance Tuning Your Server for Performance There are two ways to tune the thread limit: through editing the magnus.conf file and through the Server Manager. If you edit the magnus.conf file, RqThrottleMinPerSocket is the minimum value and RqThrottle is the maximum value.
  • Page 156: Adding And Editing Listen Sockets

    Adding and Editing Listen Sockets Make the desired changes to the settings and click OK. For more information about each Settings page, see The Magnus Editor Page in the online help. Adding and Editing Listen Sockets Before the server can process a request, it must accept the request via a listen socket, then direct the request to the correct connection group and virtual server.
  • Page 157: Restricting Access

    Restricting Access Click the MIME Types link. Make the desired changes and click OK. For more information, see The MIME Settings Page in the online help and Chapter 11, “Using Virtual Servers.” Restricting Access You can control access to the entire server or to parts of the server (that is, directories, files, file types) using the Server Manager’s Restrict Access page.
  • Page 158: Configuring The File Cache

    Configuring the File Cache For more information, see The Restore Configuration Page in the online help. Configuring the File Cache The Enterprise Server uses a file cache to serve static information faster. In the previous version of the server, there was also an accelerator cache which routed requests to the file cache, but the accelerator cache is no longer used.
  • Page 159: Thread Pools (Unix/Linux)

    Adding and Using Thread Pools You can create as many generic thread pools as you want, for as many purposes as you want. To create generic thread pools, access the Generic Thread Pools in the Server Manager. Thread Pools (UNIX/Linux) Since threads on UNIX/Linux are always OS-scheduled (as opposed to user-scheduled), UNIX/Linux users do not need to use the NativePool, and do not...
  • Page 160 Adding and Using Thread Pools You can also designate a thread pool by using the pool parameter of the load-modules function in vsclass.obj.conf, where vsclass is the virtual server class name: pool="name_of_pool". In addition, you can use the pool parameter on any NSAPI function so that only that NSAPI function runs on the pool you specify.
  • Page 161: Chapter 8 Controlling Access To Your Server

    Chapter 8 Controlling Access to Your Server This chapter discusses the various methods you can use to control access to the Administration Server and to the files or directories on your web site. For example, for the Administration Server, you can specify who has full control of all the servers installed on a machine and who has partial control of one or more servers.
  • Page 162: Setting Access Control For User-Group

    What Is Access Control? • Which programs they can access • Who can access the files or directories on your web site You can control access to the entire server or to parts of the server, or the files or directories on your web site.
  • Page 163: Default Authentication

    What Is Access Control? User-Group authentication requires users to authenticate themselves before getting access to the Administration Server, or the files and directories on your web site. With authentication users verify their identity by entering a username and password, using a client certificate, or digest authentication plug-in. Using client certificates requires encryption.
  • Page 164: Ssl Authentication

    What Is Access Control? The following dialog appears to prompt users to authenticate themselves to the server: Figure 8-1 Example of Username and Password Prompt After clicking OK, the user will see: • The Server Administration page, if authenticated to access Enterprise Application Server •...
  • Page 165: Digest Authentication

    What Is Access Control? • Checks the ACL rules specified for that user if the certificate maps correctly. Even if the certificate maps correctly, ACL rules can deny the user access. Requiring client authentication for controlling access to specific resources differs from requiring client authentication for all connections to the server.
  • Page 166 What Is Access Control? In order for this to work, your directory server needs access to the user’s password in cleartext. Later versions of Directory Server include a reversible password plug-in using a symmetric encryption algorithm to store data in an encrypted form, that can later be decrypted to its original form.
  • Page 167 What Is Access Control? Gets request-digest value from directory server and checks for match to client’s request-digest. If not, generates 401 response, and process stops. Constructs Authorization-Info header and inserts into server headers. Installing the Digest Authentication Plug-in on UNIX The Digest Authentication plug-in consists of a shared library found in both: •...
  • Page 168: Using Other Ldap Attributes For Authentication

    What Is Access Control? Copy them into either \Winnt\system32 or the Directory Server install directory, server_root\bin\sldap\server. Setting the Directory Server to Use the DES Algorithm The DES algorithm is needed to encrypt the attribute where the digest password is stored. To set the Directory Server to use the DES algorithm, perform the following steps: Launch the Directory Server Console.
  • Page 169: Other Authentication

    What Is Access Control? You can use uniqueattr to specify any attribute that will return a single entry when the LDAP server is queried. If a query returns multiple entries, the authentication will fail. When you use an alternative attribute for user authentication, you can still use normal syntax in your ACL entries unless the LDAP entry returned by a query will include spaces.
  • Page 170: Using Access Control Files

    What Is Access Control? Host-IP authentication does not require DNS to be configured on your server. If you choose to use Host-IP authentication, you must have DNS running in your network and your server must be configured to use it. You can enable DNS on your server through the Performance Tuning page in the Preferences tab on your Server Manager.
  • Page 171: How Access Control Works

    How Access Control Works you use a large number for this value, you may need to restart Enterprise Server when changes are made to the LDAP entries. For example, if this value is set to 120 seconds, Enterprise Server might be out of sync with the LDAP directory for as long as two minutes.
  • Page 172 How Access Control Works # since this example is using the "basic" method of # authentication. A client must be in the directory server # to gain access to this default directory since "anyone" # not in the directory server is denied, and "all" in the # directory server are allowed.
  • Page 173: Setting Access Control

    Setting Access Control (ip = "208.12.54.76"); # The following ACL rule denies everyone not in the directory # server and everyone in the directory server except for # GroupA and GroupB access to the directory "my_stuff" acl "path=/export/user/990628.1/docs/my_stuff/"; authenticate (user,group) { database = "default";...
  • Page 174: Setting Access Control Globally

    Setting Access Control You can set access control globally for all servers through the Administration Server. Each option is described in detail in the following section, Selecting the Access Control Options. NOTE Distributed administration must be configured and activated before global access control can be created. Setting Access Control Globally To create or edit access control globally for all servers, perform the following steps: Access the Administration Server and choose the Global Settings tab.
  • Page 175 Setting Access Control To create or edit the global ACL, click on Deny in the Action column. The Allow/Deny page is displayed in the lower frame: Figure 8-3 Allow/Deny Page Select Allow, if it isn’t already selected as the default, and click Update. Click on anyone in the Users/Groups column.
  • Page 176 Setting Access Control Enter Host Names and IP Addresses allowed access and click Update. Click on all programs in the Programs column. Figure 8-5 Programs Select the Program Groups or enter the specific file name in the Program Items field you will allow access to, and click Update. (Optional) Click the x under the Extra column to add a customized ACL expression.
  • Page 177: Setting Access Control For A Server Instance

    Setting Access Control Setting Access Control for a Server Instance You can create, edit, or delete access control for a specific server instance using the Server Manager. NOTE If deleting, you should not delete all the ACL rules from the ACL files.
  • Page 178 Setting Access Control The Access Control List Management Page offering three options appears: Figure 8-6 Access Control List Management Page Select one of the following: Pick a resource to specify a wildcard pattern for files or directories (such as *.html), choose a directory or a filename to restrict, or browse for a file or directory.
  • Page 179 Setting Access Control Table 8-2 describes the resource wildcards you can use. Table 8-2 Server Resource Wildcards Resource wildcard What it means default A named ACL created during installation that restricts write access so only users in the LDAP directory can publish documents.
  • Page 180 Setting Access Control To create or edit the ACL for this server instance, click on Deny in the Action column. The Allow/Deny page is displayed in the lower frame: Figure 8-8 Allow/Deny Page Select Allow, if it isn’t already selected as the default, and click Update. Click on anyone in the Users/Groups column.
  • Page 181 Setting Access Control Select which users and groups you will allow access to and click Update. Clicking List for Group and User will provide lists for you to choose from. Click on anyplace in the From Host column. Enter Host Names and IP Addresses allowed access and click Update. Click on all in the Rights column.
  • Page 182: Selecting Access Control Options

    Selecting Access Control Options Click Submit to store the new access control rules in the ACL file. NOTE Clicking Revert will remove all of the settings you’ve just created. Repeat all steps above for each server instance you wish to establish access control for.
  • Page 183 Selecting Access Control Options Enterprise Server checks lists of users and groups stored in an LDAP server, such as Directory Server. You can allow or deny access to everyone in the database, you can allow or deny specific people by using wildcard patterns, or you can select who to allow or deny from lists of users and groups.
  • Page 184: Specifying The From Host

    Selecting Access Control Options Basic uses the HTTP method to get authentication information from the client. The username and password are only encrypted if encryption is turned on for the server. SSL uses the client certificate to authenticate the user. To use this method, SSL must be turned on for the server.
  • Page 185: Restricting Access To Programs

    Selecting Access Control Options You can only use the wildcard notation for wildcard patterns that match the computers’ host names or IP addresses. For example, to allow or deny all computers in a specific domain, you would enter a wildcard pattern that matches all hosts from that domain, such as .
  • Page 186: Setting Access Rights

    Selecting Access Control Options The Program Groups listed reflect the tabs of the Administration Server, for example, Preferences and Global Settings, and represent access to those pages. When an administrator accesses the Administration Server, the server uses their username, host, and IP to determine what pages they can view. •...
  • Page 187: Writing Customized Expressions

    Selecting Access Control Options Execute allows users to execute server-side applications, such as CGI programs and Java applets. Delete allows users who also have write privileges to delete files or directories. List allows users to access lists of the files in directories that don’t contain file.
  • Page 188: Responding When Access Is Denied

    Limiting Access to Areas of Your Server From the Administration Server, you could create and turn on access control for a specific server instance and leave it off (which is the default) for other servers. For example, you could deny all access to the Server Manager pages from the Administration Server.
  • Page 189: Restricting Access To The Entire Server

    Limiting Access to Areas of Your Server The following procedures are described in this section: • Restricting Access to the Entire Server • Restricting Access to a Directory (Path) • Restricting Access to a URI (Path) • Restricting Access to a File Type •...
  • Page 190: Restricting Access To A Directory (Path)

    Limiting Access to Areas of Your Server Restricting Access to a Directory (Path) You can allow users in a group to read or run applications in directories, and its subdirectories and files, that are controlled by an owner of the group. For example, a project manager might update status information for a project team to review.
  • Page 191: Restricting Access To A Uri (Path)

    Limiting Access to Areas of Your Server Restricting Access to a URI (Path) You can use a URI to control access to a single user’s content on the web server. URIs are paths and files relative to the server’s document root directory. Using URIs is an easy way to manage your server’s content if you frequently rename or move all or part of it (for example, for disk space).
  • Page 192: Restricting Access Based On Time Of Day

    Limiting Access to Areas of Your Server Click Wildcard in the Pick a resource section and enter a wildcard pattern. For example, *.cgi. Click Edit Access Control. Create a new rule to allow read access to all users. Create another rule that allows write and delete access only to a specified group.
  • Page 193: Restricting Access Based On Security

    Limiting Access to Areas of Your Server Enter the days of the week and the times of day to be allowed. Example: user = "anyone" and dayofweek = "sat,sun" or (timeofday >= 1800 and timeofday <= 600) The message “Unrecognized expressions” will be displayed in the Users/Groups and From Host fields when you create a custom expression.
  • Page 194: Working With Dynamic Access Control Files

    Working with Dynamic Access Control Files Enter ssl="on" Example: user = "anyone" and ssl="on" Submit and Apply your changes. Any errors in the custom expression will generate an error message. Make corrections and submit again. Working with Dynamic Access Control Files Server content is seldom managed entirely by one person.
  • Page 195: Enabling .Htaccess From The User Interface

    Working with Dynamic Access Control Files You can use .htaccess files in combination with the server’s standard access control. The standard access controls are always applied before any .htaccess access control, regardless of the ordering of PathCheck directives. Do not require user authentication with both standard and .htaccess access control when...
  • Page 196: Enabling .Htaccess From Magnus.conf

    Working with Dynamic Access Control Files Enabling .htaccess from magnus.conf To manually enable your server to use .htaccess, you need to first modify the server’s magnus.conf file to load, initialize, and activate the plug-in. Open the magnus.conf file of the server instance (identifier) under server_root.
  • Page 197: Converting Existing .Nsconfig Files To .Htaccess Files

    Working with Dynamic Access Control Files </Object> .htaccess processing should be the last PathCheck directive in the object. To activate .htaccess file processing for particular server directories, place the PathCheck directive in the corresponding definition in obj.conf. To name your files something other than .htaccess, you must...
  • Page 198: Using Htaccess-Register

    Working with Dynamic Access Control Files To convert your files, at the command prompt, enter the path to Perl on your system, the path to the plug-in script, and the path to your server.xml file. For example: server_root\install\perl server_root/plugins/htaccess/htconvert server_root/https-identifier/config/server.xml files are converted to...
  • Page 199: Example Of An .Htaccess File

    Working with Dynamic Access Control Files Example of an .htaccess File The following example shows an .htaccess file: <Limit GET POST> order deny,allow deny from all allow from all </Limit> <Limit PUT DELETE> order deny,allow deny from all </Limit> AuthName mxyzptlk.kawaii.com AuthUserFile /server_root/mxyz-docs/service.pwd AuthGroupFile /server_root/mxyz-docs/service.grp Supported .htaccess Directives...
  • Page 200: Deny

    Working with Dynamic Access Control Files deny Syntax Deny from host where: • host is all, to deny access from all client hosts • host is all or the last part of a DNS host name • host is a full or partial IP address Does not need to be enclosed in a range but usually is.
  • Page 201: Authname

    Working with Dynamic Access Control Files Effect Specifies that the named user file is to be used for any user names referenced in a require user or require valid-user directive. Note that the use of groups-with-users=yes in the Init fn=htaccess-init directive in , or specifying an directive with the same...
  • Page 202: Limitexcept

    Working with Dynamic Access Control Files Effect Applies the enclosed directives only for requests using the specified HTTP methods. <LimitExcept> Syntax <LimitExcept method method ...> allow, deny, order, or require directives </LimitExcept> where method is an HTTP method such as GET, POST, or PUT. Any method that the web server understands can be used here.
  • Page 203: Require

    Controlling Access for Virtual Servers require Syntax • require group groupname groupname • require user username username • require valid-user Does not need to be enclosed within a <Limit> or <LimitExcept> range, but usually is. Effect • require group requires the authenticated user to be a member of one of the specified groups.
  • Page 204: Accessing Databases From Virtual Servers

    Controlling Access for Virtual Servers This configuration allows multiple virtual servers to share the same ACL file. If you want to require user-group authentication for a virtual server, you must add one or more USERDB tags to its definition. These USERDB tags create a connection between the database names in your ACL file and the actual databases found in dbswitch.conf. The following example maps the ACLs with no ‘database’...
  • Page 205: Specifying Ldap Databases In The User Interface

    Controlling Access for Virtual Servers Specifying LDAP Databases in the User Interface After you have defined one or more user authentication databases in dbswitch.conf, you can use the Class Manager to configure which databases each of your virtual servers will use for authentication. You can also use the Class Manager to add a newly created database definition from dbswitch.conf for the...
  • Page 206 Controlling Access for Virtual Servers Click on the virtual server class link where you wish to specify the LDAP database listed under Tree View of the Server. Select the Virtual Servers tab, if not already displayed. Click the ACL Settings link. Choose Edit or Delete from the drop-down list in the Option field for each virtual server you wish to change.
  • Page 207: Chapter 9 Using Log Files

    Chapter 9 Using Log Files You can monitor your server’s activity using several different methods. This chapter discusses how to monitor your server by recording and viewing log files. For information on using the built-in performance monitoring services, quality of service features, or SNMP, see Chapter 10, “Monitoring Servers.” This chapter contains the following sections: •...
  • Page 208: Viewing An Access Log File

    Viewing an Access Log File NOTE Due to limitations in the operating system, Enterprise Server cannot work with log files larger than 2GB on Linux. When the maximum file size is reached, logging will cease. Viewing an Access Log File You can view the server’s active and archived access log files.
  • Page 209: Viewing The Error Log File

    Viewing the Error Log File Table 9-1 The fields in the last line of the sample access log file (Access Log Field: Example) Hostname or IP address of client: arrow.example.com. (In this case, the hostname is shown because the web server’s setting for DNS lookups is enabled;...
  • Page 210: Archiving Log Files

    Archiving Log Files To view the Administration Server’s error log file, from the Administration Server, choose the Preferences tab, and choose the View Error Log page. To view a server instance’s error log file, from the Server Manager, choose the Logs tab, and choose the View Error Log page.
  • Page 211: Internal-Daemon Log Rotation

    Archiving Log Files Internal-daemon Log Rotation This type of log rotation happens within the HTTP daemon and can only be configured at startup time. Internal daemon log rotation allows the server to rotate logs internally without requiring a server restart. Logs rotated using this method are saved in the following format: access.<4-digit year><2-digit month><2-digit day><4-digit 24-hr time>...
  • Page 212: Setting Log Preferences

    Setting Log Preferences Once the rotation starts, Enterprise Server creates a new time stamped log file when there is a request or error that needs to be logged to the access or error log file and it occurs after the prior-scheduled “next rotate time.” NOTE You should archive the server logs before running the log analyzer.
  • Page 213: Cookie Logging

    Setting Log Preferences Click the Vsid check box. Alternatively, you can click the Custom Format: radio button and add the string %vsid%. NOTE When adding the custom format string %vsid%, you must use a new access log file. For information on the directive in , see the section “Error...
  • Page 214: Running The Log Analyzer

    Running the Log Analyzer Running the Log Analyzer The server_root/extras/log_anly directory contains the log analysis tool that runs through the Server Manager user interface. This log analyzer analyzes files in common log format only. The HTML document in the log_anly directory explains the tool’s parameters.
  • Page 215 Running the Log Analyzer The following describes the syntax (flexanlg -h): -P: proxy log format (Default: no); -n servername: the name of the server; -x: output in HTML (Default: no); -r: resolve IP addresses to hostnames (Default: no); -p [c,t,l]: output order (counts, time stats, lists) (Default: ctl); -i filename: input log file(s)
  • Page 216: Viewing Events (Windows Nt/Windows 2000)

    Viewing Events (Windows NT/Windows 2000) Viewing Events (Windows NT/Windows 2000) In addition to logging errors to the server error log (see “Viewing the Error Log File” on page 209), Enterprise Server logs severe system errors to the Event Viewer. The Event Viewer lets you monitor events on your system. Use the Event Viewer to see errors resulting from fundamental configuration problems, which can occur before the error log can be opened.
  • Page 217: Chapter 10 Monitoring Servers

    Chapter 10 Monitoring Servers This chapter contains information on ways to monitor your server, including the built-in monitoring tool, the quality of service features, and Simple Network Management Protocol (SNMP). You can use SNMP together with Netscape management information bases (MIB) and network management software such as HP OpenView to monitor your servers in real-time just as you monitor other devices in your network.
  • Page 218: Monitoring The Server Using Statistics

    Monitoring the Server Using Statistics • Enabling the Subagent • Understanding SNMP Messages Monitoring the Server Using Statistics You can use the statistics feature to monitor your server’s current activity. The statistics show you how many requests your server is handling and how well it is handling these requests.
  • Page 219: Using Statistics

    Monitoring the Server Using Statistics From the Server Manager, click the Monitor tab. Click Monitor Current Activity. Click Yes to enable statistics. Click OK. Click Apply to apply your changes. You do not need to restart the server. For more information on enabling statistics, see the online help. Using Statistics Once you’ve enabled statistics, you can get a variety of information on how your server instance and your virtual servers are running.
  • Page 220: Using Quality Of Service

    Using Quality of Service Using Quality of Service Quality of Service refers to the performance limits you set for a server instance, virtual server class, or virtual server. For example, if you are an ISP, you might want to charge different amounts of money for virtual servers depending on how much bandwidth you allow them.
  • Page 221: Setting Up Quality Of Service

    Using Quality of Service The recompute interval works similarly. The server’s recompute interval is 100ms. Continuing with the example, the bandwidth gets recomputed periodically every 100 milliseconds. The calculation is based on the amount of traffic as well as the metric interval.
  • Page 222 Using Quality of Service Choose the Metric Interval. The metric interval is the interval in seconds during which the traffic is measured. The default is 30 seconds. All bandwidth measured during this time is averaged to give the bytes per second. If your site has a lot of large file transfers, use a large value (several minutes or more) in this field.
  • Page 223: Required Changes To Obj.conf

    Using Quality of Service Click OK. Required Changes to obj.conf To enable quality of service, you must include directives in your obj.conf that invoke two Server Application Functions (SAFs): an AuthTrans qos-handler and an Error qos-error. The AuthTrans qos-handler directive must be the first AuthTrans configured in...
  • Page 224 Using Quality of Service If SSL is enabled, handshakes and client certificate exchanges add to the traffic but are not measured. If chunked encoding is enabled in either or both directions, the chunking layer removes the chunk headers and they are not counted in the traffic. Other headers or protocol items are counted.
  • Page 225: Snmp Basics

    SNMP Basics • The concurrent connections are computed with a different granularity for virtual servers than for virtual server classes and the global server instance. The connection counter for an individual virtual server is incremented atomically immediately after the request is parsed and routed to the virtual server.
  • Page 226: The Enterprise Server Mib

    The Enterprise Server MIB NOTE After making any SNMP configuration changes, you must click the Apply button, then restart SNMP subagent. The master agent exchanges information between the various subagents and the NMS. The master agent is installed with the Administration Server. You can have multiple subagents installed on a host computer, but only one master agent.
  • Page 227 The Enterprise Server MIB The Enterprise Server MIB is located in the server_root/plugins/snmp directory and has an object identifier of: http 61 (nes61 OBJECT IDENTIFIER ::= {http 61 }) You can see administrative information about your web server and monitor the server in real time using the Enterprise Server MIB.
  • Page 228 The Enterprise Server MIB Table 10-1 nes.mib managed objects and descriptions (Continued) (Managed object: Description) nesInstanceCount2xx: Number of 200-level (Successful) responses issued by the server instance. nesInstanceCount3xx: Number of 300-level (Redirection) responses issued by the server instance. nesInstanceCount4xx: Number of 400-level (Client Error) responses issued by the server instance.
  • Page 229 The Enterprise Server MIB Table 10-1 nes.mib managed objects and descriptions (Continued) (Managed object: Description) nesVsCount2xx: Number of 200-level (Successful) responses issued by the virtual server. nesVsCount3xx: Number of 300-level (Redirection) responses issued by the virtual server. nesVsCount4xx: Number of 400-level (Client Error) responses issued by the virtual server.
  • Page 230 The Enterprise Server MIB Table 10-1 nes.mib managed objects and descriptions (Continued) (Managed object: Description) nesProcessConnectionQueueMax: Maximum number of connections allowed in connection queue. nesProcessConnectionQueueTotal: Number of connections that have been accepted. nesProcessConnectionQueueOverflows: Number of connections rejected due to connection queue overflow. nesProcessKeepaliveCount: Number of connections currently in keepalive queue.
  • Page 231: Setting Up Snmp

    Setting Up SNMP Setting Up SNMP In general, to use SNMP you must have a master agent and at least one subagent installed and running on your system. You need to install the master agent before you can enable a subagent. The procedures for setting up SNMP are different depending upon your system.
  • Page 232: Using A Proxy Snmp Agent (Unix/Linux)

    Using a Proxy SNMP Agent (UNIX/Linux) Table 10-2 Overview of procedures for enabling SNMP master agents and subagents (If your server meets these conditions... follow these procedures.) These are discussed in detail in the following sections. • Native agent is currently running 1.
  • Page 233: Installing The Proxy Snmp Agent

    Using a Proxy SNMP Agent (UNIX/Linux) Installing the Proxy SNMP Agent If an SNMP agent is running on your system and you want to continue using the native SNMP daemon, follow the steps in these sections: Install the SNMP master agent. See “Installing the SNMP Master Agent” on page 234.
  • Page 234: Starting The Proxy Snmp Agent

    Installing the SNMP Master Agent Here is an example of a CONFIG file: AGENT AT PORT 1161 WITH COMMUNITY public SUBTREES 1.3.6.1.2.1.1, 1.3.6.1.2.1.2, 1.3.6.1.2.1.3, 1.3.6.1.2.1.4, 1.3.6.1.2.1.5, 1.3.6.1.2.1.6, 1.3.6.1.2.1.7, 1.3.6.1.2.1.8 FORWARD ALL TRAPS; Starting the Proxy SNMP Agent To start the proxy SNMP agent, at the command prompt, enter: # sagt -c CONFIG&...
  • Page 235: Enabling And Starting The Snmp Master Agent

    Enabling and Starting the SNMP Master Agent Check whether an SNMP daemon (snmpd) is running on port 161. If no SNMP daemon is running, go to Step 4. If an SNMP daemon is running, make sure you know how to restart it and which MIB trees it supports.
  • Page 236: Starting The Master Agent On Another Port

    Enabling and Starting the SNMP Master Agent • Manually Configuring the SNMP Master Agent • Editing the Master Agent CONFIG File • Defining sysContact and sysLocation Variables • Configuring the SNMP Master Agent • Starting the SNMP Master Agent Starting the Master Agent on Another Port The Administration Interface will not start the SNMP master agent on ports other than 161.
  • Page 237: Editing The Master Agent Config File

    Enabling and Starting the SNMP Master Agent Editing the Master Agent CONFIG File The CONFIG file defines the community and the manager that the master agent will work with. The manager value should be a valid system name or an IP address. Here is an example of a basic CONFIG file:...
  • Page 238: Configuring The Snmp Subagent

    Enabling and Starting the SNMP Master Agent Configuring the SNMP Subagent You can configure the SNMP subagent to monitor your server. To configure the SNMP subagent, perform the following steps: From the Administration Server, select the server instance and click Manage. Select the Monitor tab.
  • Page 239: Starting The Snmp Master Agent Using The Administration Server

    Configuring the SNMP Master Agent Method one: In the CONFIG file, specify a transport mapping for each interface over which the master agent listens for SNMP requests from managers. Transport mappings allow the master agent to accept connections at the standard port and at a nonstandard port.
  • Page 240: Configuring The Community String

    Enabling the Subagent Configuring the Community String A community string is a text string that an SNMP agent uses for authorization. This means that a network management station would send a community string with each message it sends to the agent. The agent can then verify whether the network management station is authorized to get information.
  • Page 241: Understanding Snmp Messages

    Understanding SNMP Messages Once you have enabled the subagent, you can start, stop or restart it from the SNMP Subagent Control page or the Services Control Panel for Windows NT/Windows 2000. NOTE After making any SNMP configuration changes, you must click the Apply button, then restart SNMP subagent.
  • Page 242 Understanding SNMP Messages The NMS displays the information textually or graphically through its network management application. Netscape Enterprise Server Administrator’s Guide • August 2002...
  • Page 243: Part 4 Managing Virtual Servers And Services

    Part 4 Managing Virtual Servers and Services Chapter 11, “Using Virtual Servers” Chapter 12, “Creating and Configuring Virtual Servers” Chapter 13, “Extending Your Server With Programs” Chapter 14, “Content Management” Chapter 15, “Applying Configuration Styles”...
  • Page 245: Chapter 11 Using Virtual Servers

    Chapter 11 Using Virtual Servers This chapter explains how to set up and administer virtual servers using your Netscape Enterprise Server Administration Server. This chapter contains the following sections: • Virtual Servers Overview • Using Enterprise Server Features with Virtual Servers •...
  • Page 246: Multiple Server Instances

    Virtual Servers Overview To set up virtual servers, you need to set up the following: • Virtual Server Classes • Listen Sockets • Connection Groups • Virtual Servers The settings for virtual servers are stored in the server.xml file, found in the server_root/ identifier/...
  • Page 247: Virtual Server Classes

    Virtual Servers Overview Virtual Server Classes Virtual servers are grouped into classes. Using classes you can configure similar virtual servers at the same time, so you don’t have to configure each one separately. Though all virtual servers in a class share the same basic configuration information, you can also set variables and change configuration per virtual server.
  • Page 248: Virtual Servers In A Class

    Virtual Servers Overview Virtual Servers in a Class A virtual server that belongs to a class is called a member of that class. Some virtual server settings are configured for all virtual servers in a class, and some are configured individually. These settings are configured on the Class Manager’s Virtual Servers tab.
  • Page 249: Connection Groups

    Virtual Servers Overview In addition, you specify the number of acceptor threads (sometimes called accept threads) in the listen socket. Accept threads are threads that wait for connections. The threads accept connections and put them in a queue where they are then picked up by worker threads.
  • Page 250: Types Of Virtual Servers

    Virtual Servers Overview This section includes the following topics: • Types of Virtual Servers • IP-Address-Based Virtual Servers • URL-Host-Based Virtual Servers • Default Virtual Server Types of Virtual Servers In previous versions of Enterprise Server, there were two kinds of virtual servers: hardware and software.
  • Page 251: Url-Host-Based Virtual Servers

    Virtual Servers Overview URL-Host-Based Virtual Servers You can set up URL-host-based virtual servers by giving them unique URL hosts. The contents of the Host request header directs the server to the correct virtual server. For example, if you want to set up virtual servers for customers a, b, and c so that each customer can have an individual domain name, you first configure DNS to recognize that each customer’s URL, , resolves...
  • Page 252: Virtual Server Selection For Request Processing

    Virtual Servers Overview The default virtual server is set by connection group. You specify a default virtual server when you create a listen socket. That becomes the default virtual server of the connection group created by default for the listen socket. You can always change the default virtual server.
  • Page 253: Document Root

    Virtual Servers Overview Document Root The primary document directory or document root is the central directory that contains all the virtual server’s files that you want to make available to remote clients. The document root directory provides an easy way to restrict access to the files on a virtual server.
  • Page 254: Migrating Virtual Servers From A Previous Release

    Using Enterprise Server Features with Virtual Servers Migrating Virtual Servers from a Previous Release If you used virtual servers in a previous version of Enterprise Server, you may be able to migrate them to the current release using the migration tools. For more information, see the Netscape Enterprise Server Installation and Migration Guide.
  • Page 255: Using Access Control With Virtual Servers

    Using Enterprise Server Features with Virtual Servers One way to implement SSL with virtual servers is to have two listen sockets, one using SSL and listening to port 443, and one that is not using SSL. A user would typically access the virtual server through the non-SSL listen socket. When the need to have secure transactions arises, users could click a button on the web page to start initiating secure transactions.
  • Page 256: Using The Virtual Server User Interface

    Using the Virtual Server User Interface Using the Virtual Server User Interface To create and edit virtual servers, you can use the user interface or a command line utility. The user interface for administering virtual servers has three parts: • The Server Manager contains settings that affect the server as a whole (or all virtual servers).
  • Page 257: Using Variables

    Using the Virtual Server User Interface Click Manage Virtual Servers. Choose a virtual server and click Manage. You can also click the virtual server name in the tree view of the server. You can use a command line utility, HttpServerAdmin, to perform the same virtual server tasks as you can perform using the user interface.
  • Page 258: Setting Up Virtual Servers

    Setting Up Virtual Servers On Windows NT/Windows 2000, the dynamic reconfiguration script is a batch file called reconfig.bat located in each instance’s directory. There are no command line arguments. You can run the reconfiguration script by simply typing reconfig from the server instance’s directory. When run, reconfig.bat initiates a dynamic reconfiguration of the server, similar to the user interface, and displays the server messages related to reconfiguration.
  • Page 259: Creating A Connection Group

    Setting Up Virtual Servers Fill in the fields. Listen sockets must have a unique combination of port number and IP address. You can use either IPV4 or IPV6 addresses. If you want to create a listen socket for IP-address-based virtual servers, the IP address must be 0.0.0.0 , meaning it listens on all IP addresses on that port.
  • Page 260: Creating A Virtual Server Class

    Setting Up Virtual Servers Creating a Virtual Server Class To create a virtual server class, follow these steps: From the Server Manager, click the Virtual Server Class tab. Click Add Class. Name the class. Insert a document root for the class. The directory must already exist.
  • Page 261: Specifying Services Associated With A Virtual Server Class

    Allowing Users to Monitor Individual Virtual Servers Click OK. The class is changed or deleted. Specifying Services Associated with a Virtual Server Class Some of the characteristics that differentiate one class of virtual servers from another are the services that are enabled for that class of virtual servers. For example, one class of virtual servers might have CGIs enabled while another doesn’t.
  • Page 262 Allowing Users to Monitor Individual Virtual Servers For security reasons, this administration user interface is on a separate port from either the administration server port or the Enterprise Server instance port. This user interface runs on a virtual server within the Administration Server. This virtual server is set up by default and is called useradmin.
  • Page 263 Allowing Users to Monitor Individual Virtual Servers Create a new listen socket that runs a port separate from the port that the Administration Server uses. For example, if your Administration Server runs on port 8888, this new listen socket must have a different port number. Using a different listen socket helps safeguard your Administration Server.
  • Page 264: Access Control

    Allowing Users to Monitor Individual Virtual Servers Code Example 11-2 Updated useradmin <VSCLASS id="userclass" objectfile="userclass.obj.conf" rootobject="default" > <VS id="useradmin" connections="group2" state="on" mime="mime1" urlhosts="user-app" aclids="acl1"> <VARS webapps_file="user-apps.xml" webapps_enable="on"/> <USERDB id="default" database="default" /> </VS> </VSCLASS> In this example, the connection group is set to group2, the group created previously, and the state is set to...
  • Page 265: Deploying Virtual Servers

    Deploying Virtual Servers Deploying Virtual Servers Enterprise Server’s virtual server architecture is very flexible. A server instance can have any number of listen sockets, both secure and non-secure. You can associate any number of virtual servers with these sockets through connection groups. You can have both IP-address-based and URL-host-based virtual servers.
  • Page 266 Deploying Virtual Servers Figure 11-2 Default configuration In this configuration, connections to the following reach the server and are served by virtual server • http://127.0.0.1/ (initiated on example.com) • http://localhost/ (initiated on example.com) • http://example.com/ • http://10.0.0.1/ Use this configuration for traditional Enterprise Server use. You do not need to add additional virtual servers or listen sockets.
  • Page 267: Example 2: Secure Server

    Deploying Virtual Servers Example 2: Secure Server If you want to use SSL in the default configuration, you can simply change the listen socket to secure mode. This is similar to the way you set security in previous versions of the Enterprise Server. You can also add a new secure listen socket configured to ANY:443 and associate...
  • Page 268: Example 3: Intranet Hosting

    Deploying Virtual Servers Example 3: Intranet Hosting A more complex configuration of the Enterprise Server is one in which the server hosts a few virtual servers for an intranet deployment. For example, you have three internal sites where employees can look up other users’ phone numbers, look at maps of the campus, and track the status of their requests to the Information Services department.
  • Page 269 Deploying Virtual Servers While URL-host-based virtual servers are easy to set up, they have the following disadvantages: • Supporting SSL in this configuration requires non-standard setup using wildcard certificates. For more information see Chapter 5, “Securing Your Enterprise Server.” • URL-host-based virtual servers don’t work with legacy HTTP clients that do not send a Host header. Intranet hosting using IP-address-based virtual servers Figure 11-5...
  • Page 270 Deploying Virtual Servers The disadvantages are: • They require configuration changes on the host computer (configuration of real or virtual network interfaces) • They don’t scale to configurations with thousands of virtual servers Both configurations require setting up name-to-address mappings for the three names.
  • Page 271: Example 4: Mass Hosting

    Deploying Virtual Servers Compared to the original configuration for IP-address-based virtual servers with one listen socket on ANY:80, the configuration with multiple listen sockets may give you a minimal performance gain because the server does not have to find out the address the request came in on.
  • Page 272 Deploying Virtual Servers Figure 11-7 Mass Hosting Notice that the virtual server installed when you installed the server, VS1, still exists in defaultclass Netscape Enterprise Server Administrator’s Guide • August 2002...
  • Page 273: Chapter 12 Creating And Configuring Virtual Servers

    Chapter 12 Creating and Configuring Virtual Servers A class of virtual servers has virtual servers (members of the class) associated with it. You can override some of the class-level settings at the virtual server level. This chapter describes how you can create and configure individual virtual servers. For information on configuring virtual server classes, see Chapter 14, “Content Management.”...
  • Page 274: Editing Virtual Server Settings

    Editing Virtual Server Settings Choose a name for the virtual server. Choose a connection group for the virtual server. Choose a URL host for the virtual server. You can type more than one URL host, separated by spaces. Click OK. These settings are all that is required for creating a virtual server.
  • Page 275: Generating Reports For A Virtual Server

    Editing Using the Virtual Server Manager • ACL file • MIME types file • CGI settings If you are editing a single virtual server, it’s convenient to use the Virtual Server Manager and change all these settings on one page. The Logs tab contains a single page allowing you to generate reports for the selected virtual server.
  • Page 276 Editing Using the Virtual Server Manager Set the value of LogVSid using the drop-down list. You can also set LogVSid manually by adding LogVSid on to the magnus.conf file. Click OK. Click Apply. Click Apply Changes for your changes to take effect. Go to the Logs tab in the Server Manager for the server instance and select Log Preferences.
  • Page 277: Editing Using The Class Manager

    Editing Using the Class Manager Select the Logs tab. The Generate Reports page appears. This page will not appear unless a virtual server has been created and LogVSid set, as described above. (Optional) Change the settings if desired. Click OK to generate the report. Editing Using the Class Manager Use the following Class Manager pages to edit virtual server settings.
  • Page 278: Configuring Virtual Server Mime Settings

    Editing Using the Class Manager Type the URL hosts you want to use, if they differ from those displayed under the Urlhosts column. You can type more than one URL host, separated by spaces. When you are through editing virtual servers, click OK. Configuring Virtual Server MIME Settings You can set the MIME types file for an individual virtual server.
  • Page 279: Configuring Virtual Server Quality Of Service Settings

    Editing Using the Class Manager For more information on security, see Chapter 5, “Securing Your Enterprise Server.” Configuring Virtual Server Quality of Service Settings Quality of service refers to the performance limits you set for a virtual server. For example, an ISP might want to charge different amounts of money for virtual servers depending on how much bandwidth is allowed to them.
  • Page 280: Configuring Virtual Server Log Settings

    Editing Using the Class Manager Choose whether or not to enforce the maximum connections setting. If you choose to enforce the maximum connections, once the server reaches its limit additional connections are refused. If you do not enforce the maximum connections, when the maximum is exceeded the server logs a message to the error log.
  • Page 281: Configuring Virtual Server Java Web Application Settings

    Deleting a Virtual Server Configuring Virtual Server Java Web Application Settings A web application is a collection of Java servlets, JSPs, HTML pages, classes and other resources. All the resources are stored in a directory, and all requests to that directory run the application.
  • Page 282 Deleting a Virtual Server
  • Page 283: Chapter 13 Extending Your Server With Programs

    Chapter 13 Extending Your Server With Programs This chapter discusses how to install programs on the Netscape Enterprise Server that dynamically generate HTML pages in response to requests from clients. These programs are known as server-side applications. (Client-side applications, which are downloaded to the client, run on the client machine.) This chapter includes the following sections: •...
  • Page 284: Types Of Server-Side Applications That Run On The Server

    Java Servlets and JavaServer Pages (JSP) Types of Server-Side Applications That Run on the Server The Enterprise Server can run the following types of server-side applications to dynamically generate content: • Java servlets • CGI programs The Enterprise Server can also run programs that extend or modify the behavior of the server itself.
  • Page 285: Overview Of Servlets And Javaserver Pages

    Java Servlets and JavaServer Pages (JSP) • Overview of Servlets and JavaServer Pages • What the Server Needs to Run Servlets and JSPs • Working with Web Applications • Deploying Web Applications Using wdeploy • Deploying and Editing Web Applications with the User Interface •...
  • Page 286: What The Server Needs To Run Servlets And Jsps

    Java Servlets and JavaServer Pages (JSP) http://java.sun.com/products/jsp/index.html For information about developing servlets and JSPs for use with Enterprise Server, see the Netscape Enterprise Server Programmer’s Guide to Servlets. What the Server Needs to Run Servlets and JSPs To enable servlets, select the Java tab in the Server Manager, then select the Enable/Disable Servlets/JSP tab.
  • Page 287: Working With Web Applications

    Java Servlets and JavaServer Pages (JSP) • You can specify it after the server is installed. To specify the path to the JDK, switch to the Enterprise Application Server, select the Global Settings tab, and use the Configure JRE/JDK Paths page, as described in “Configuring JRE/JDK Paths,”...
  • Page 288 Java Servlets and JavaServer Pages (JSP) You can use the wdeploy utility at the command line to deploy a WAR file into a virtual server web application environment: wdeploy deploy -u uri_path -i instance -v vs_id [-d directory] [-n] war_file You can also delete a virtual server web application: wdeploy delete -u uri_path -i instance -v vs_id [-n] mode You can also list the web application URIs and directories for a virtual server:...
  • Page 289 Java Servlets and JavaServer Pages (JSP) For example:
    wdeploy deploy -u /hello -i server.example.com -v netscape.com -d /nes61/https-server.example.com/netscape.com/web-apps/hello /nes61/plugins/servlets/examples/web-apps/HelloWorld/HelloWorld.war
    This utility results in the following web-apps.xml entry:
    <vs>
      <web-app uri="/hello" dir="/nes61/https-server.example.com/netscape.com/web-apps/hello"/>
    </vs>
    The /nes61/https-server.example.com/netscape.com/web-apps/hello directory has the following contents: colors index.jsp META-INF WEB-INF/ web.xml...
  • Page 290: Deploying And Editing Web Applications With The User Interface

    Java Servlets and JavaServer Pages (JSP) Accessing Deployed Web Applications After you have deployed an application, you can access it from a browser as follows: http[s]://vs_urlhost[:vs_port]/uri_path/[index_page] The parts of the URL have the following meanings: vs_urlhost One of the urlhosts values for the virtual server. vs_port (optional) Only needed if the virtual server uses a non-default port.
  • Page 291 Java Servlets and JavaServer Pages (JSP) Enter the path on the local or server machine to the file containing the web application in the field provided. On server machines enter the absolute path to the WAR file. On local machines you can browse the available paths. Clicking browse will bring up the File Upload window, allowing you to select the WAR file to upload to your server.
  • Page 292: Deploying Servlets And Jsps Not In Web Applications

    Java Servlets and JavaServer Pages (JSP) Click OK. Click Apply. Select Dynamic Reconfiguration for your web application to be deployed. Deploying Servlets and JSPs Not in Web Applications You can deploy 4.x servlets and JSPs outside of web applications, but only in the default virtual server.
  • Page 293: Installing Cgi Programs

    Installing CGI Programs The server uses two directories to cache information for JavaServer Pages (JSP) and servlets: • ClassCache The server uses the following directory to cache information for JavaServer Pages (JSP): server_root/https-server_id/ClassCache/virtual_server_id/webapp_uri/ When the server serves a JSP page, it creates a .java file and a...
  • Page 294: Overview Of Cgi

    Installing CGI Programs In addition, the following sections discuss how to install CGI programs specific to Windows NT/Windows 2000: • Installing Windows NT/Windows 2000 CGI Programs • Installing Shell CGI Programs for Windows NT/Windows 2000 Overview of CGI Common Gateway Interface (CGI) programs can be defined with any number of programming languages.
  • Page 295 Installing CGI Programs Regardless of the programming language, all CGI programs accept and return data in the same manner. For information about writing CGI programs, see the following sources of information: • Netscape Enterprise Server Programmer’s Guide • The Common Gateway Interface at: http://hoohoo.ncsa.uiuc.edu/cgi/overview.html There are two ways to store CGI programs on your server machine: •...
  • Page 296: Specifying A Cgi Directory

    Installing CGI Programs Specifying a CGI Directory To specify a CGI-only directory for a class of virtual servers, perform the following steps: From the Class Manager, choose the Programs tab. The CGI Directory window appears. In the URL Prefix field, type the URL prefix to use for this directory. That is, the text you type appears as the directory for the CGI programs in URLs.
  • Page 297: Specifying Cgi As A File Type

    Installing CGI Programs In the CGI Group text field, type the name of the group to execute CGI programs as. In the CGI Directory text field, type the directory to chdir to after chroot but before execution begins. (UNIX only) In the CGI Nice text field, type an increment that determines the CGI program's priority relative to the server.
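The CGI User, CGI Group, CGI Directory and CGI Nice fields described above correspond to a fixed sequence of system calls, and the order is what makes the settings protective: chroot has to happen while the process still has root, chdir has to follow it (otherwise the working directory is still outside the new root), the group has to be dropped before the user, and nice can be raised last. The following Python script is an added illustration of that sequence and is not code from the Netscape server; the function names and the final attempt to regain uid 0 are this example's own, and the exact call order inside the server's CGI launcher is an assumption drawn from the field descriptions on this page.

```python
import grp
import os
import pwd


def resolve_ids(user=None, group=None):
    """Map the CGI User / CGI Group form values to numeric ids.
    None keeps the server's own uid/gid (the case of a blank field)."""
    uid = pwd.getpwnam(user).pw_uid if user else os.getuid()
    gid = grp.getgrnam(group).gr_gid if group else os.getgid()
    return uid, gid


def prepare_cgi_process(user=None, group=None, chroot_dir=None,
                        chdir_dir=None, nice_inc=0):
    """Apply the CGI Directory settings in the only order that is safe.

    1. chroot while still privileged: chroot(2) needs uid 0.
    2. chdir to a directory inside the new root (the CGI Directory field).
       Without this the process keeps a working directory outside the jail.
    3. Drop supplementary groups and the primary group, then the user.
       Once the uid is unprivileged the gid can no longer be changed.
    4. Raise the nice value last; a positive increment needs no privilege.

    Returns (uid, gid, niceness) as they are after the changes.
    """
    if nice_inc < 0:
        raise ValueError('CGI Nice must be a non-negative increment')
    uid, gid = resolve_ids(user, group)
    if chroot_dir:
        os.chroot(chroot_dir)          # step 1, requires uid 0
    if chdir_dir:
        os.chdir(chdir_dir)            # step 2, interpreted inside the new root
    if os.getuid() == 0:
        os.setgroups([gid])            # step 3a, only root may call setgroups
    if gid != os.getgid():
        os.setgid(gid)                 # step 3b
    if uid != os.getuid():
        os.setuid(uid)                 # step 3c
    niceness = os.nice(nice_inc)       # step 4, returns the new nice value
    # Added check (this example's own): a process that gave up root must not
    # be able to take it back.
    if uid != 0:
        try:
            os.setuid(0)
        except PermissionError:
            pass
        else:
            raise RuntimeError('privilege drop failed: uid 0 regained')
    return os.getuid(), os.getgid(), niceness


if __name__ == '__main__':
    # Run unprivileged with the form left blank: ids stay as they are and the
    # regain-root check still has to pass.
    print(prepare_cgi_process(chdir_dir='/', nice_inc=1))
```

Run as root with user and group set to an unprivileged account and chroot_dir set to the jail, the function ends with a process that cannot return to root; run without root it simply confirms that the unprivileged ids cannot escalate. Leaving the CGI User field blank means CGI programs run with the server's own identity, which is the case to avoid.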
  • Page 298: Installing Windows Nt/Windows 2000 Cgi Programs

    Installing Windows NT/Windows 2000 CGI Programs One solution to this problem is to compress the executable files that you want users to be able to download, so that the extension is not .exe. This solution has the added benefit of making the download time shorter. Another possible solution is to remove .exe as a file extension from the...
  • Page 299: Specifying A Windows Nt/Windows 2000 Cgi Directory

    Installing Windows NT/Windows 2000 CGI Programs Although Windows NT/Windows 2000 CGI programs behave like regular CGI programs, your server processes the actual programs slightly differently. Therefore, you need to specify different directories for Windows NT/Windows 2000 CGI programs. If you enable the Windows NT/Windows 2000 CGI file type, it uses the file extension .wcg. Enterprise Server supports the Windows NT/Windows 2000 CGI 1.3a informal...
  • Page 300 Installing Windows NT/Windows 2000 CGI Programs That is, the text you type appears as the directory for the Windows NT/Windows 2000 CGI programs in URLs. For example, if you type wcgi-programs as the URL prefix, then all URLs to these Windows NT/Windows 2000 CGI programs have the following structure: yourserver[...
  • Page 301: Specifying Windows Nt/Windows 2000 Cgi As A File Type

    Installing Shell CGI Programs for Windows NT/Windows 2000 Specifying Windows NT/Windows 2000 CGI as a File Type To specify a file extension for Windows NT/Windows 2000 CGI files, perform the following steps: From the Server Manager, choose the Server Preferences tab. Click the MIME Types link.
  • Page 302: Overview Of Shell Cgi Programs For Windows Nt/Windows 2000

    Installing Shell CGI Programs for Windows NT/Windows 2000 Overview of Shell CGI Programs for Windows NT/Windows 2000 Shell CGI is a server configuration that lets you run CGI applications using the file associations set in Windows NT/Windows 2000. For example, if the server gets a request for a shell CGI file called hello.pl, the server uses the Windows NT/Windows 2000 file associations to run the file using...
  • Page 303: Specifying Shell Cgi As A File Type (Windows Nt/Windows 2000)

    Installing Shell CGI Programs for Windows NT/Windows 2000 In the URL Prefix field, enter the URL prefix you want to associate with your shell CGI directory. For example, suppose you store all shell CGI files in a directory called C:/docs/programs/cgi/shell-cgi, but you want users to see the directory as yourserver[.domain.dom][:port]/...
  • Page 304: Using The Query Handler

    Using the Query Handler The Global MIME Types window appears. For more information on the Global MIME Types, see “Choosing MIME Types,” on page 156. Add a new MIME type with these settings: Type: type; Content type: magnus-internal/shellcgi; File Suffix: enter the file suffixes that you want the server to associate with shell CGI.
  • Page 305 Using the Query Handler Use the Editing Picker to select the resource you want to set with a default query handler. If you choose a directory, the query handler you specify runs only when the server receives a URL for that directory or any file in that directory. In the Default Query Handler field, enter the full path for the CGI program you want to use as the default for the resource you chose.
  • Page 306 Using the Query Handler
  • Page 307: Chapter 14 Content Management

    Chapter 14 Content Management This chapter describes how you can configure and manage content for classes of virtual servers and virtual servers. This chapter contains the following sections: • Setting the Primary Document Directory • Setting Additional Document Directories • Customizing User Public Information Directories (UNIX/Linux) •...
  • Page 308: Setting The Primary Document Directory

    Setting the Primary Document Directory Setting the Primary Document Directory The primary document directory (also called the document root) is the central directory where you store all the files you want to make available to remote clients. When you add a class, you specify a document directory with an absolute path. If you do not use a variable as part of that path, the document root for every virtual server in the class will default to the same directory.
  • Page 309: Setting Additional Document Directories

    Setting Additional Document Directories Setting Additional Document Directories Most of the time, the documents for a virtual server or server instance are in the primary document directory. Sometimes, though, you may want to serve documents from a directory outside of the document root. You can do this by setting additional document directories.
  • Page 310: Customizing User Public Information Directories (Unix/Linux)

    Customizing User Public Information Directories (UNIX/Linux) Customizing User Public Information Directories (UNIX/Linux) Sometimes users want to maintain their own web pages. You can configure public information directories that let all the users on a server create home pages and other documents without your intervention. You can only set these up for the entire class.
  • Page 311: Restricting Content Publication

    Customizing User Public Information Directories (UNIX/Linux) Choose whether to load the password database at startup. For more information, see “Loading the Entire Password File on Startup,” on page 311. Choose whether to apply a configuration style. Click OK. For more information, see the online help for the User Document Directories page. Another way to give users separate directories is to create a URL mapping to a central directory that all of your users can modify.
  • Page 312: Using Configuration Styles

    Enabling Remote File Manipulation Using Configuration Styles You can apply a configuration style for the server to control access to directories from public information directories. This prevents users from creating symbolic links to information you do not want made public. For more information on configuration styles, see Chapter 15, “Applying Configuration Styles.”...
  • Page 313: Setting The Document Preferences

    Configuring Document Preferences • Selecting Directory Indexing • Specifying a Server Home Page • Specifying a Default MIME Type • Parsing the Accept Language Header These settings are all configured for the class, not individual virtual servers. Setting the Document Preferences To set the document preferences, follow these steps: From the Class Manager, click the Content Management tab.
  • Page 314: Specifying A Server Home Page

    Configuring Document Preferences The server indexes directories by searching the directory for an index file called index.html or home.html, which is a file you create and maintain as an overview of the directory’s contents. For more information, see the previous section, “Entering an Index Filename”...
  • Page 315: Parsing The Accept Language Header

    Configuring URL Forwarding Parsing the Accept Language Header When clients contact a server using HTTP 1.1, they can send header information describing the languages they accept. You can configure your server to parse this language information. For example, if you store documents in Japanese and English, you could choose to parse the accept language header.
  • Page 316: Customizing Error Responses

    Customizing Error Responses To configure URL forwarding, follow these steps: From the Class Manager, click the Content Management tab. Click URL Forwarding. Type the URL prefix you want to redirect, and whether you want to redirect it to another prefix or to a static URL. Click OK.
  • Page 317: Changing The Character Set

    Changing the Character Set Changing the Character Set The character set of a document is determined in part by the language it is written in. You can override a client’s default character set setting for a document, a set of documents, or a directory by selecting a resource and entering a character set for that resource.
  • Page 318: Setting The Document Footer

    Setting the Document Footer To change the character set, follow these steps: From the Class Manager, click the Content Management tab. Click International Characters. Choose Entire Server from the resource picker to apply your change to the whole class, or navigate to the document root for a specific virtual server, or to a specific directory within a specific virtual server.
  • Page 319: Using .Htaccess

    Using .htaccess For more information see the online help for the Document Footer page. Using .htaccess For information on using htaccess, see “Using .htaccess Files,” on page 194. Restricting Symbolic Links (UNIX/Linux) You can limit the use of the file system links in your server. File system links are references to files stored in other directories or file systems.
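Both the configuration-style note on page 312 (users creating symbolic links to information you do not want made public) and the Restricting Symbolic Links page above come down to the same check: before serving a file, decide whether any component of the requested path is a link and whether following it would leave the document root. The script below is an added example of that check and is not code from the Netscape server; the function names, the throwaway directory layout it builds for itself, and the rule that even an allowed soft link must not point outside the document root are this example's own choices.

```python
import os
import stat
import tempfile


def check_request_path(docroot, rel_path, allow_symlinks=False,
                       allow_hardlinks=True):
    """Resolve rel_path under docroot one component at a time.

    Returns (ok, detail): the resolved path when ok, otherwise the reason
    for refusal. The two switches mirror the Symbolic Link page's choices,
    whether soft links are followed and whether hard-linked files are served.
    Even when soft links are allowed, a link whose target lies outside the
    document root is refused (an added, stricter rule).
    """
    docroot = os.path.realpath(docroot)
    cur = docroot
    for part in rel_path.split('/'):
        if part in ('', '.'):
            continue
        if part == '..':
            return False, 'parent-directory traversal'
        cur = os.path.join(cur, part)
        try:
            st = os.lstat(cur)           # lstat: do not follow the link yet
        except FileNotFoundError:
            return False, 'not found'
        if stat.S_ISLNK(st.st_mode):
            if not allow_symlinks:
                return False, 'symbolic link at ' + part
            target = os.path.realpath(cur)
            if os.path.commonpath([docroot, target]) != docroot:
                return False, 'link at %s escapes the document root' % part
            cur = target                 # keep walking from the real location
        elif (stat.S_ISREG(st.st_mode) and st.st_nlink > 1
              and not allow_hardlinks):
            return False, 'hard link at ' + part
    return True, cur


def make_fixture():
    """Build a throwaway document root (constructed test data):
    docs/public/index.html   ordinary file
    docs/home                -> docs/public/index.html  (link inside root)
    docs/public/leak         -> ../secret.txt           (link outside root)
    docs/public/hard         hard link to secret.txt
    Returns the docroot path."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, 'docs')
    os.makedirs(os.path.join(docroot, 'public'))
    index = os.path.join(docroot, 'public', 'index.html')
    with open(index, 'w') as f:
        f.write('<html>hello</html>\n')
    secret = os.path.join(base, 'secret.txt')
    with open(secret, 'w') as f:
        f.write('db password\n')
    os.symlink(index, os.path.join(docroot, 'home'))
    os.symlink(secret, os.path.join(docroot, 'public', 'leak'))
    os.link(secret, os.path.join(docroot, 'public', 'hard'))
    return docroot


if __name__ == '__main__':
    root = make_fixture()
    for req in ('/public/index.html', '/home', '/public/leak',
                '/public/hard', '/../secret.txt'):
        print(req, check_request_path(root, req),
              check_request_path(root, req, allow_symlinks=True))
```

The hard-link case is the one people forget: a user who can create a hard link to a readable file outside the document root gets a copy served from inside it with no symlink to spot, which is why the page offers a separate switch for hard links.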
  • Page 320: Setting Up Server-Parsed Html

    Setting up Server-Parsed HTML For more information, see the online help for the Symbolic Link page. Setting up Server-Parsed HTML HTML is normally sent to the client exactly as it exists on disk without any server intervention. However, the server can search HTML files for special commands (that is, it can parse the HTML) before sending documents.
  • Page 321: Setting Cache Control Directives

    Setting Cache Control Directives Setting Cache Control Directives Cache-control directives are a way for Enterprise Server to control what information is cached by a proxy server. Using cache-control directives, you override the default caching of the proxy to protect sensitive information from being cached, and perhaps retrieved later.
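Choosing a cache-control directive is only half the job; the other half is confirming that sensitive responses actually leave the server with the right one. The script below is an added example, not code from the Netscape guide or product: it parses a raw HTTP/1.1 response head and applies the HTTP/1.1 meaning of the directives (private keeps a response out of shared proxy caches, no-store forbids keeping a copy at all, no-cache merely forces revalidation). The sample responses are constructed, and the function names and the rule that a Set-Cookie response counts as per-user are this example's own.

```python
# Constructed sample responses (not captured from a real server). Only the
# head is needed; bodies are omitted.
SAMPLE_RESPONSES = {
    'public page': (
        'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n'
        'Cache-Control: public, max-age=3600\r\n\r\n'),
    'account page, no directive': (
        'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n'
        'Set-Cookie: NESSESSIONID=abc123; path=/\r\n\r\n'),
    'account page, marked public': (
        'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n'
        'Set-Cookie: NESSESSIONID=abc123; path=/\r\n'
        'Cache-Control: public, max-age=600\r\n\r\n'),
    'account page, hardened': (
        'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n'
        'Set-Cookie: NESSESSIONID=abc123; path=/\r\n'
        'Cache-Control: private, no-store\r\n\r\n'),
    'statement, no-cache only': (
        'HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n'
        'Cache-Control: no-cache\r\n\r\n'),
}


def parse_response_head(raw):
    """Return (status code, headers) for a raw HTTP/1.1 response head.
    Header names are lower-cased; repeated headers are joined with ', '."""
    head = raw.split('\r\n\r\n', 1)[0]
    lines = head.split('\r\n')
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(':')
        name, value = name.strip().lower(), value.strip()
        headers[name] = headers[name] + ', ' + value if name in headers else value
    return status, headers


def cache_directives(headers):
    """Cache-Control directives as {name: value or None}."""
    out = {}
    for part in headers.get('cache-control', '').split(','):
        part = part.strip()
        if part:
            name, _, value = part.partition('=')
            out[name.strip().lower()] = value.strip().strip('"') or None
    return out


def audit_caching(raw, sensitive=False):
    """Findings for one response.

    Per-user: a Set-Cookie header marks the response as belonging to one
    client; without private or no-store a shared proxy may keep it and hand
    it to the next client, and public says so explicitly.
    Sensitive: content that must not survive on disk anywhere needs
    no-store; no-cache only forces revalidation and leaves the copy in place.
    """
    _status, headers = parse_response_head(raw)
    cc = cache_directives(headers)
    findings = []
    per_user = 'set-cookie' in headers
    if per_user and 'public' in cc:
        findings.append('public on a per-user response lets shared caches store it')
    elif per_user and not ({'private', 'no-store'} & set(cc)):
        findings.append('per-user response (Set-Cookie) without private or no-store')
    if sensitive and 'no-store' not in cc:
        findings.append('sensitive content without no-store (no-cache only forces revalidation)')
    return findings


if __name__ == '__main__':
    for name, raw in SAMPLE_RESPONSES.items():
        print(name, '->', audit_caching(raw, sensitive=name.startswith('statement')))
```

Point it at responses captured from the directory you configured on the Cache Control Directives page to confirm that the directive you chose is the one the client receives; a proxy in the path will honour whatever actually arrives, not what the form says.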
  • Page 322 Using Stronger Ciphers
  • Page 323: Chapter 15 Applying Configuration Styles

    Chapter 15 Applying Configuration Styles Configuration styles are an easy way to apply a set of options to specific files or directories that your various virtual servers maintain. For example, you can create a configuration style that sets up access logging. When you apply that configuration style to the files and directories that you want to log, you don’t have to individually configure access logging for all the files and directories in your virtual server.
  • Page 324 Creating a Configuration Style From the drop-down list, choose a configuration style to edit and click Edit this Style. From the list of links available, click the category you want to configure for your style. You can configure the information listed in Table 15-1. Fill out the form that appears, and click OK.
  • Page 325: Assigning A Configuration Style

    Assigning a Configuration Style Table 15-1 Configuration Style Categories (Continued) Category: Description. Require Stronger Security: Allows you to enforce stronger security requirements. Restrict Access: Allows you to restrict access to the entire server or parts of it. For more information about access control, see Chapter 8, “Controlling Access to Your Server.”...
  • Page 326: Listing Configuration Style Assignments

    Listing Configuration Style Assignments Listing Configuration Style Assignments After you have created configuration styles and applied them to files or directories, you can get a list of the configuration styles and where you applied them. To list the configuration style assignments, perform the following steps: Access the Class Manager.
  • Page 327: Removing A Configuration Style

    Removing a Configuration Style When you choose a style to edit, your Resource Picker lists configuration styles instead of other resources. After you have finished editing a style, click OK and Save and Apply. The Resource Picker exits the styles mode. You can also choose to exit the styles mode by choosing Exit styles mode from the Resource Picker.
  • Page 328 Removing a Configuration Style
  • Page 329: Part 5 Appendices

    Part 5 Appendices Appendix A, “Command Line Utilities” Appendix B, “HyperText Transfer Protocol” Appendix C, “ACL File Syntax” Appendix D, “International Content Support”...
  • Page 331: Appendix A Command Line Utilities

    Appendix A Command Line Utilities This appendix provides instructions for using command line utilities in place of the user interface screens. This appendix contains the following sections: • Formatting LDIF Entries • HttpServerAdmin (Virtual Server Administration) Formatting LDIF Entries LDIF consists of one or more directory entries separated by a blank line. Each LDIF entry consists of an optional entry ID, a required distinguished name, one or more object classes, and multiple attribute definitions.
  • Page 332: Httpserveradmin (Virtual Server Administration)

    HttpServerAdmin (Virtual Server Administration) HttpServerAdmin is a command line utility that performs the same administrative functions as the virtual server user interface in the Server Manager and the Class Manager. If you prefer to set up your virtual servers using the command line interface, use HttpServerAdmin. HttpServerAdmin is in server_root...
  • Page 333: Control Command

    HttpServerAdmin (Virtual Server Administration) There are four possible values for the command_name parameter: • control • create • delete • list Each command has its own set of command options. For more information, see the sections in this chapter that describe each command. Regardless of the value of the command parameter, the parameters shown in Table A-1 can apply to all uses of the command.
  • Page 334: Syntax

    HttpServerAdmin (Virtual Server Administration) Table A-2 Control command options. Option: Value. -disable: Disables the specified virtual server, or all virtual servers in the class if no virtual server is specified. Syntax HttpServerAdmin control -cl classname, -control_option [-id virtual_server] -d server_root -sinst http_instance Parameters Use these parameters with the command options to control virtual servers (Table A-3)...
  • Page 335: Options

    HttpServerAdmin (Virtual Server Administration) Options Use the options shown in Table A-4 with the create command to create classes, connection groups, listen sockets, and virtual servers. Table A-4 Create command options. Option: Value. -c: Creates a virtual server class. -g: Creates a connection group. -l: Creates a listen socket...
  • Page 336: Create Connection Group

    HttpServerAdmin (Virtual Server Administration) Example HttpServerAdmin create -c -cl myclass1 -d /export/netscape/servers -sinst https-netscape.com Create Connection Group Use this option of the create command to create a connection group. Syntax HttpServerAdmin create -g group_ID -lsid listen_socket -ip IPaddress -sname server_name -defaultvs default_virtual_server -d server_root -sinst http_instance Parameters Use the parameters shown in Table A-8 with the create -g command option to...
  • Page 337: Create Virtual Server

    HttpServerAdmin (Virtual Server Administration) Syntax HttpServerAdmin create -l -ip ip_address -port port_number -sname server_name -defaultvs default_virtual_server [-sec security] [-acct number_of_accept_threads] -d server_root -sinst http_instance Parameters Use the parameters shown in Table A-7 with the create -l command option to create listen sockets. Table A-7 Create listen socket parameters. Parameter...
  • Page 338 HttpServerAdmin (Virtual Server Administration) Syntax HttpServerAdmin create -v -id virtual_server -cl classname -urlh urlhosts -conngroupid connection_group_ID [-state state] [-docroot document_root] [-mime mime_types_file] [-aclid acl_ID] -d server_root -sinst http_instance Parameters Use the parameters shown in Table A-8 with the create -v command option to create virtual servers.
  • Page 339: Delete Command

    HttpServerAdmin (Virtual Server Administration) delete Command Use the delete command to delete classes of virtual servers, virtual servers, and listen sockets. Options Use the options shown in Table A-9 with the delete command to delete classes. Table A-9 Delete command options. Option: Value. -c: Deletes the specified virtual server class.
  • Page 340: Delete Connection Group

    HttpServerAdmin (Virtual Server Administration) Delete Connection Group Use this option of the delete command to delete a connection group. Syntax HttpServerAdmin delete -g -id connection_group -lsid listen_socket -d server_root -sinst http_instance Parameters Use the parameters shown in Table A-9 with the delete command to delete a connection group.
  • Page 341: Delete Virtual Server

    HttpServerAdmin (Virtual Server Administration) Example HttpServerAdmin delete -l -id ls3 -d /export/netscape/server6 -sinst https-netscape.com Delete Virtual Server Use this option of the delete command to delete a virtual server. Syntax HttpServerAdmin delete -v -id virtual_server -cl classname -d server_root -sinst http_instance Parameters Use the parameters shown in Table A-9 with the delete command to delete a...
  • Page 342: Options

    HttpServerAdmin (Virtual Server Administration) Options Table A-14 List command options. Option: Value. -c: Lists all virtual server classes. -g -lsid listen_socket: Lists all connection groups for a listen socket. -l: Lists all listen sockets. -v: Lists all virtual servers. Example HttpServerAdmin list -c -d /export/netscape/server6 -sinst https-netscape.com HttpServerAdmin list -l -d /export/netscape/server6 -sinst https-netscape.com...
  • Page 343: Appendix B Hypertext Transfer Protocol

    Appendix B HyperText Transfer Protocol This appendix provides a short introduction to the HyperText Transfer Protocol (HTTP). For more information on HTTP, see the Internet Engineering Task Force (IETF) home page at http://www.ietf.org/home.html This appendix contains the following sections: • About HyperText Transfer Protocol (HTTP) •...
  • Page 344: Requests

    Requests Netscape Enterprise Server supports HTTP 1.1. Some previous versions of the server supported HTTP 1.0. The server is conditionally compliant with the HTTP 1.1 proposed standard, as approved by the Internet Engineering Steering Group (IESG) and the Internet Engineering Task Force (IETF) HTTP working group. For more information on the criteria for being conditionally compliant, see the Hypertext Transfer Protocol—HTTP/1.1 specification (RFC 2068) at: www.ietf.org/rfc/rfc2068.txt?number=2068...
  • Page 345: Request Header

    Responses Request Header The client can send header fields to the server. Most are optional. Some commonly used request headers are shown in Table B-1. Table B-1 Common request headers. Request header: Description. Accept: The file types the client can accept. Authorization: Used if the client wants to authenticate itself with a server;...
  • Page 346: Status Code

    Responses Status Code When a client makes a request, one item the server sends back is a status code, which is a three-digit numeric code. There are four categories of status codes: • Status codes in the 100–199 range indicate a provisional response. •...
  • Page 347: Response Header

    Responses Table B-2 Common HTTP status codes. Status code: Meaning. 500: Server error. A server-related error occurred. The server administrator should check the server’s error log to see what happened. Response Header The response header contains information about the server and information about the document that will follow.
  • Page 348 Responses
  • Page 349: Appendix C Acl File Syntax

    Appendix C ACL File Syntax This appendix describes the access-control list (ACL) files and their syntax. ACL files are text files that contain lists that define who can access resources stored on your web server. By default, the web server uses one ACL file that contains all of the lists for access to your server.
  • Page 350: Authentication Methods

    ACL File Syntax • URI (Uniform Resource Indicator) ACLs specify a directory or file relative to the server’s document root. • Named ACLs specify a name that is referenced in resources in the obj.conf file. The server comes with a “default” named resource that allows read access to anyone and write access to users in the LDAP directory.
  • Page 351: Authorization Statements

    SSL requires the user to have a client certificate. The web server must have encryption turned on, and the user’s certificate issuer must be in the list of trusted CAs to be authenticated. By default, the server uses the Basic method for any ACL that doesn’t specify a method.
  • Page 352: Hierarchy Of Authorization Statements

    subdirectory /my_stuff/personal that allows access to a few users, the access control on the subdirectory won’t work because anyone allowed access to the /my_stuff directory will also be allowed access to the /my_stuff/personal directory. To prevent this, create a rule for the subdirectory that first denies access to anyone and then allows it for the few users who need access.
  • Page 353: Attribute Expressions

    If more than one ACL matches, the server uses the last statement that matches. However, if you use an absolute statement, the server stops looking for other matches and uses the ACL containing the absolute statement. If you have two absolute statements for the same resource, the server uses the first one in the file and stops looking for other resources that match.
  • Page 354: Operators For Expressions

    You can also restrict access to your server by time of day (based on the local time on the server) by using the timeofday attribute. For example, you can use the timeofday attribute to restrict access to certain users during specific hours. NOTE: Use 24-hour time to specify times.
  • Page 355: The Default Acl File

    Referencing ACLs in obj.conf • >= (greater than or equal to) • <= (less than or equal to) The Default ACL File After installation, the file server_root/httpacl/generated.https-serverid.acl provides default settings for the server. The server uses the working file genwork.https-serverid.acl until you create settings in the user interface. When editing an ACL file, you could make changes in the file, then save and...
  • Page 356 In the previous example, the first line is the object that states which server resource you want to restrict access to. The second line is the PathCheck directive that uses the check-acl function to bind the named ACL (testacl) to the object in which the...
  • Page 357: Appendix D International Content Support

    Appendix D International Content Support The following information covers the international considerations for general server capabilities: • Entering UTF-8 Data • Using the Accept-language Header Entering UTF-8 Data If you want to enter UTF-8 data on the Server Manager or the Administration Server pages, you need to be aware of the following issues: File or Directory Names...
  • Page 358: Servlet Internationalization

    Servlet Internationalization You can enable or disable the server’s Accept-language header parsing with the acceptlanguage directive in the server.xml file. Table D-1 International Settings in server.xml: acceptlanguage (on, off) Enables or disables the Accept-language header parsing. For example, if acceptlanguage is set to , and a client sends the Accept-language header with the value , when requesting the following...
  • Page 359: Auto

    • URL-encodes the POST data • Sets the Content-Type to application/x-www-form-urlencoded • Does not send any charset information in the Content-Type header. On the server side, if a servlet tries to access POST data using getParameter or getParameterValues, the servlet container does not have any information about which character encoding to use for strings.
  • Page 360: None

    Posting to JSPs This option is typically used if the servlet that is reading the data does not necessarily know what the charset of the posted data is. The hint parameter name, which by default is j_encoding, can be changed using the parameter-encoding element in...
  • Page 361 %> <h1>The Entered Name is : <%= request.getParameter("test") %> </h1> </body> </html>
  • Page 363: Glossary

    Glossary Access Control Entries (ACEs) A hierarchy of rules which the web server uses to evaluate incoming access requests. Access Control List (ACL) A collection of ACEs. An ACL is a mechanism for defining which users have access to your server. You can define ACL rules that are specific to a particular file or directory, granting or denying access to one or more users and groups.
  • Page 364 Certificate Revocation List (CRL) CA list, provided by the CA, of all revoked certificates. Certification Authority (CA) An internal or third-party organization that issues digital files used for encrypted transactions. Common Gateway Interface (CGI) An interface by which external programs communicate with the HTTP server.
  • Page 365 DNS Domain Name System. The system that machines on a network use to associate standard IP addresses (such as 198.93.93.10) with hostnames (such as www.example.com). Machines normally get this translated information from a DNS server, or they look it up in tables maintained on their systems. DNS alias A hostname that the DNS server knows points to a different host—specifically a DNS CNAME record.
  • Page 366 firewall A network configuration, usually both hardware and software, that protects networked computers within an organization from outside access. Firewalls are commonly used to protect information such as a network’s email and data files within a physical building or organization site. flexible log format A format used by the server for entering information into the access logs.
  • Page 367 HyperText Transfer Protocol (HTTP) The method for exchanging information between HTTP servers and clients. imagemap A process that makes areas of an image active, letting users navigate and obtain information by clicking the different regions of the image with a mouse. Imagemap can also refer to a CGI program called “imagemap,”...
  • Page 368 Java Servlets Extensions that enable all Java servlet metafunctions, including instantiation, initialization, destruction, access from other components, and configuration management. Java servlets are reusable Java applications that run on a web server rather than in a web browser. last-modified header The last modification time of the document file, returned in the HTTP response from the server.
  • Page 369 Multi-purpose Internet Mail Extensions (MIME) An emerging standard for multimedia email and messaging. Netscape Console A Java application that provides server administrators with a graphical interface for managing all Netscape servers from one central location anywhere within your enterprise network. From any installed instance of Netscape Console, you can see and access all the Netscape servers on your enterprise’s network to which you have been granted access rights.
  • Page 370 public key The encryption key used in public-key encryption. public information directories (UNIX) Directories not inside the document root that are in a UNIX user’s home directory, or directories that are under the user’s control. Quality of Service The performance limits you set for a server instance, virtual server class, or virtual server.
  • Page 371 simple index The opposite of fancy indexing—this type of directory listing displays only the names of the files without any graphical elements. SNMP Simple Network Management Protocol. SOCKS Firewall software that establishes a connection from inside a firewall to the outside when direct connection would otherwise be prevented by the firewall software or hardware (for example, the router configuration).
  • Page 372 Secure Sockets Layer. A software library establishing a secure connection between two parties (client and server) used to implement HTTPS, the secure version of HTTP. top (UNIX) A program on some UNIX systems that shows the current state of system resource usage. top-level domain authority The highest category of hostname classification, usually signifying either the type of organization the domain is (for example, .com is a company, .edu is an educational institution) or the country of its origin (for...
  • Page 373 web application A collection of servlets, JavaServer Pages, HTML documents, and other web resources which might include image files, compressed archives, and other data. A web application may be packaged into an archive (a WAR file) or exist in an open directory structure. Web Application Archive (WAR) An archive file that contains a complete web application in compressed form.
  • Page 375: Index

