These release notes contain important information available at the time of the Version 4.2 (2001 Build) release of Netscape Console. New features and enhancements, installation notes, known problems, and other late-breaking issues are addressed here. Read this document before you begin using Netscape Console. Use of this product is subject to the terms detailed in the license agreement accompanying it.

Netscape Console incorporates compression code by the Info-ZIP group. There are no extra charges or costs due to the use of this code, and the original compression sources are freely available on the Internet. Please visit http://www.info-zip.org/pub/infozip for more details.

The purpose of the 2001 Build release of Netscape Console 4.2 was to incorporate new components and various bug fixes found with 4.2, 2000 build. The 2001 Build release replaces Netscape Console 4.2 2000 Build which was shipped with Directory Server 4.12, and also replaces Netscape Console 4.2. This version originally shipped with Netscape Directory Server 4.13.

To determine which build of Netscape Console 4.2 you have installed, do the following:

1. If Console is not running, start Console.
2. In the Console Navigation Tree, single click the Netscape Administration Server icon to highlight. The pane to the right of the Navigation Tree displays general information about the highlighted server.
3. The value of the Build Number field reveals which build is installed. If the first 4 digits begin with "2001", you have the 2001 build of Console and Administration Server 4.2.
• If the first 4 digits begin with "2000", you have the 2000 build.
• If the first 4 digits begin with "1999", you have the original 4.2 bits.

• What's New in This Release
• Potential Problems and Solutions
• Where to Go for Other Information

---

What's New in This Release

• Administration Express -- The Administration Express page is an HTML based server management console. The Administration Express page allows you to quickly start or stop servers, or to view server logs and configuration data without having to launch Netscape Console. For more information, see the online manual located in your installation at: http://help.netscape.com/products/server/console/console.pdf.

• Perl script for IP address changes -- This Perl script is useful when the IP address for the Administration Server host changes. The script automatically makes the appropriate IP address change in both the Configuration Directory as well as in the Administration Server configuration.

The admin_ip.pl file gets installed in the <server_root>/shared/bin directory. To run the script, in the <server_root>/shared/bin directory, follow these instructions:

On Windows NT, enter:
 ..\..\install\perl admin_ip.pl <Directory_Manager_DN> <Directory_Manager_password> <old_IP> <new_IP> [port #]

On Unix, enter:
admin_ip.pl <Directory_Manager_DN> <Directory_Manager_password> <old_IP> <new_IP> [port #]

• Certificates using wildcards are accepted -- You can now install certificates that use wild characters (such as *.example.com). When using server certificates containing wild characters, keep the following in mind (390149):
• Security utility programs (such as certutil and keyutil) will not work.
• You will not be able to use Netscape Communicator to run Administration Express. If you want to access a server that is using a certificate containing wild characters, use Netscape Console.

---

Potential Problems and Solutions

• Installation
• Loss of Network Connection
• Admin Server Cannot Locate Directory Server
• Login Window is Hidden
• Proxied Administration Not Supported
• Setting Access Permissions for a Server
• Setting Access Permissions for a Server Task
• Specifying Multiple User Directories for Failover
• Server Instance Names
• Non Default UID
• Changing a User's Password
• 8-bit Characters
• Windows NT with DHCP
• Using Solaris
• Using HP-UX
• Using AIX with JRE 1.1.6
• Using Linux
• Opening Administration Server results in blank window
• Downloading a server's JAR files to Netscape Console
• Improving Administration Express performance
• Can't Start/Stop Local Windows NT Servers using Administration Express
• Enabling SSL on Directory Server 4.x using Console 4.2
• On Windows NT, End-User Page Not Accessible with SSL
• Using Netscape Console with Netscape Certificate Management System 4.x
• Using an external token to store certificates
• Installing a FORTEZZA PKCS #11 Module on Windows NT
• Logging in as Directory Manager
• Expired SIE Passwords Block Access to Administration Server Tasks
• Searching a Large User Directory
• Full Thread Dump
• Using SSL
• Using "objectClass: mailgroup" in Netscape Messaging Server 3.6
• Changing Configuration Directory Server Information
• Changing User Directory After SSL is Enabled on Windows NT
• Creating 8 bit Characters in Console

Installation

• On Windows NT, if you are upgrading from an earlier version of Console, do not choose the "Custom" option during installation. Doing so will cause the installation to fail. (112554)

• Netscape Server Products should be installed on a local disk drive. If you install a Netscape Server Product on a networked drive, the product may not work as designed. (336269)

• On HP-UX for 64-bit architectures, if you plan to use a double-byte Administration domain name, you must install patch PHSS_15840 before you begin installing Netscape Console. Without this patch, the Netscape Server Setup program will not work as designed. (355492)

Contact Hewlett-Packard for detailed information on obtaining and installing this patch.

• You can save the install cache when you install Netscape Console. When you save the install cache, all the values you specify during installation are saved to a file. This file is useful when you want to perform subsequent silent installations. To save the install cache, in the server root, enter setup -k . (339769)

For more information on silent installation, see Chapter 4 of the Netscape Directory Server 4.0 Installation Guide.

• If you log in from a remote HP workstation to OSF, and then run Netscape Console, the Console may occasionally hang. To avoid this problem, both install and run Netscape Console on an HP workstation. (341699)

• If your configuration directory is running on Netscape Directory Server 4.0 or lower, you may receive an "error 14" message when performing Console operations. This is because Console 4.1 and higher require schema updates to the directory. To fix this problem, install the latest version of Directory Server. (392925)

Loss of Network Connection

•  If you lose a network connection while Netscape Console is running, Netscape Console may become inoperable. Re-establish your network connection, then restart Netscape Console. (106714)

Admin Server Cannot Locate Directory Server

• If you are running Windows NT, Netscape Directory Server may start up after Netscape Administration Server. If this happens, Administration Server will not be able to retrieve configuration information from the directory. To solve the problem, restart Netscape Administration Server from the Windows NT Services Control Panel. (394281)

Login Window Is Hidden

• When starting Netscape Console using some window managers (Enlightenment, WindowMaker, or Gnome), the Login window may be hidden behind the Netscape Console splash screen, and you will not be able to log in (345545).

As a workaround, start Netscape Console at the command line by entering startconsole -x nologo.

Proxied Administration Not Supported

• Netscape Console does not support proxied administration.

Setting Access Permissions for a Server

• You can grant or deny server access to an individual user, but you cannot grant or deny server access to a group. If you select a server in the Netscape Console navigation tree, and attempt to use the Set Access Permissions command to specify a group of users, the permissions you set will not work as expected. (337487)

This is caused by an incorrectly defined Access Control Instruction (ACI) under o=NetscapeRoot. To work around this problem, use ldapmodify to patch this ACI with the following LDIF content:

dn: o=NetscapeRoot
changetype: modify
delete: aci

aci: (targetattr="*")(version 3.0; acl "Enable Group Expansion"; allow (read, search, compare)groupdnattr="ldap:///o=NetscapeRoot?uniquemember?sub";)

 -

add: aci

aci: (targetattr="*")(version 3.0; acl "Enable Group Expansion"; allow (read, search, compare)groupdnattr="uniquemember";)

If you are unfamiliar with ldapmodify and LDIF, refer to the Netscape Directory Server Administrator's Guide.

Setting Access Permissions for a Server Task

• If you create an ACI rule to grant or deny access to a server task, the rule will not take effect until you restart both the server, such as Directory Server or Messaging Server, as well as it's Administration Server. (345956, 342786)

Specifying Multiple User Directories for Failover Support

• When you specify more than one User Directory for failover purposes, do not use carriage returns to separate directory host names. If you use carriage returns, you'll get an error message. Instead of carriage returns, use spaces to separate host names. (345731)

For example: Eros.Netscape.com:389 Zeus.Example.com:389

Server Instance Names

•  Do not use a period (.) in server instance names. If you use a period in a server instance name, Netscape Console will not recognize the server instance. For example, the server instance msg.example.com is not acceptable; msg-example-com is acceptable. (311490)

Non Default Uid

• When the default language requires a uid in a form other than the default (user's first initial followed by last name), you must manually override the nsuserformat attribute in the configuration directory. (117507) To change the nsuseridformat attribute:
1. In the Netscape Console, open the Directory Server that contains the configuration directory you want to modify.
2. In the Directory Server, click Directory.
3. Expand the navigation tree to follow this path: NetscapeRoot/[administration domain]/Global Preferences.
4. In the navigation tree, select Global Preferences.
5. In the right pane double-click Common.
6. In the Property Editor window, locate the attribute nsuseridformat and enter one of the following values as appropriate:
• firstletter_lastname (this is the default value)
• givenname_firstletter
• lastname_givenname
• givenname_lastname
7. Click OK.
8. Restart Netscape Console.

Changing a User's Password

•  If you create a user without indicating a password, selecting the user and clicking on the Password button will allow you to assign a value for the user's password attribute. If you try to change this value by clicking on the Password button again, the new value will be stored alongside the old value and the user will have two valid passwords. To work around this: select the user, click on Edit, and then enter and confirm the new password in the Edit Entry dialog box. Alternatively, you can choose to assign a password when creating a new user. If you have already created a user with multiple passwords, perform a new search for the user and enter a new password using the Edit or Password button. This will discard any old values and assign a single password for the user

8-bit Characters

• When creating a new user or editing a user's personal data, do not use 8-bit characters in the First Name and Last Name fields. If you use 8-bit characters in the First Name or Last Name fields, the user ID is not automatically generated for you. Instead, use ASCII characters to enter the user's personal data. (117507)

Windows NT with DHCP

• You cannot install Administration Server 4.0 or Directory Server 4.0 on Windows NT with DHCP. As a workaround, you can install successfully using a static IP address. (105984)

Using Solaris

• If you're using the Japanese version of Netscape Console, in the Certificate Management window, when you click Edit to view certificate information, the Edit Certificate window may not display as designed (348831).

To solve this problem, download the JRE 1.1.8 file from the SunSoft website, and install it in the following directory: <server_root>/bin/base/jre.

• On Solaris, when you run the startconsole command, you may get the following error message (361080):

You must install a Solaris patch to run this version of the Java runtime. Please see the README and release note for more information.

If you get this message, go to the Sun Microsystems website for specific patch information: http://java.sun.com/products/jdk/1.1/packs/native-threads/README

Using HP-UX

• If Netscape Console randomly crashes, make sure you have the patch PHKL_14750 installed on your system. Contact Hewlett-Packard for detailed information on obtaining this patch.

• If you're using a multi-CPU system, you need to install this patch: PHNE_16645. This addresses the Administration Server process spinning problem. Contact Hewlett-Packard for detailed information on obtaining the patch.

• In the Japanese version, on HP-UX for 64-bit architectures, if you use the Japanese Input Method Editor (IME) when searching and modifying directory entries, Netscape Console will not accept the input. To solve this problem, install patch PHSS_15397. Contact Hewlett-Packard for detailed information on obtaining and installing this patch.

• When using the Users and Groups Search Directory, the screen may not draw properly. (291656) When this happens, click Search to perform the search again.

Using AIX with jre 1.1.6

• If Netscape Console crashes upon startup, you must disable JIT. (316827)

To disable JIT, invoke startconsole with the -nojit option.

Using Linux

• If Netscape Console hangs during log in, it may be due to a problem with NIS (349906). As a workaround, in /etc/nsswitch.conf, modify the nis and dns lookup ordering in the the hosts entry. Make sure dns comes before nis.

For example, change this entry: hosts: files nisplus nis dns
to this entry: hosts: files dns nisplus nis

Opening Administration Server Results in Blank Window

• If you log into Netscape Console using Administration Server 4.0 or 4.1, and then try to open an Administration Server 4.2 that is SSL-enabled, the Administration Server 4.2 window will be blank. The problem is due to an incompatibility between Netscape Console 4.2 and pre-4.2 SSL libraries. There is no workaround at this time. (353341)

Downloading a Server's JAR files to Netscape Console

• Generally, a server's JAR files used by Netscape Console are stored in the Administration Server. However, in Netscape Console 4.2, a server's JAR files can be stored on any HTTP server. If, for any reason, you choose to store a server's JAR files in a location other than the default location in the Administration Server, do not password protect the JAR files. Password protection may cause authentication to fail, and you will not be able to download the files to the Netscape Console. (357280)

Improving Administration Express Performance

• If the host computer for a server registered against the Configuration Directory is experiencing network problems, there could be a long delay when the Administration Express page tries to contact the server and create a status page. (355354)

To improve Administration Express performance, in the file <server_root>/admin-serv/config/adm.conf, add the following entry:

ExpressCGITimeout: x

In this entry, x is an integer representing how long (in seconds) Administration Express should continue trying to reach the remote server before timing out.

Can't Start/Stop Local Windows NT Servers using Administration Express

• When using Administration Express on Windows NT, you cannot start and stop servers on the local machine. You can view, start, and stop servers on UNIX machines and other Windows NT machines on the network. If you want to start or stop a server on the local machine, use the command line or Netscape Console. This problem does not affect you if you are using Administration Express on UNIX. (389488)

Enabling SSL on Directory Server 4.x using Console 4.2

• After installing Administration Server and Console 4.2, if you enable SSL on Netscape Directory Server 4.x, the directory server won't start. You will see the following message in the error log:

Failed to set SSL cipher preference information: unknown cipher tls_rsa_export1024_with_rc4_56_sha!

This message is generated because Console 4.2 includes two additional cipher suites that Directory Server 4.x does not recognize.
To work around this problem, do the following with encryption enabled and the directory not running:
1. Edit the dse.ldif file located in <server_root>/slapd-<server_name>/config/ as follows: Remove the two "-tls_" strings from the dse.ldif file. These strings exist under the attribute name nsssl3ciphers, which is found in the cn=encryption, cn=config node beneath the affected server instance SIE.
2. Start the Directory Server from the command-line with start-slapd. Once you have modified dse.ldif, you can disable and enable encryption for Directory Server by manually modifying the "security on/off" setting in slapd.conf. If you use Console to change your encryption settings or disable and then re-enable encryption, you will have to edit dse.ldif again.

On Windows NT, End-User Page Not Accessible with SSL

• On Windows NT, if you enable SSL on the Directory Server, you will not be able to access the End-User Page (see illustration).

Using Netscape Console with Netscape Certificate Management System 4.x

• If you specify a URL when using Console's Certificate Request Wizard with Netscape Certificate Management System 4.x (CMS), you must include a port number. For example, if CMS is running on port 443 of the cmsServer.example.com host, you must enter the URL as https://cmsServer:443. If you enter https://cmsServer, you will not be able to automatically request a certificate. (392984)

Using an external token to store certificates

• If you use an external token or smart device to store multiple security certificates, the device may run out of storage space. This happens when you repeatedly use the Certificate Setup Wizard to generate certificate requests without deleting previously installed public or private keys. (347448)

To avoid this problem, follow the instructions provided by the external device manufacturer to first back up your existing certificate(s), and then to clear the device's memory.

Installing a FORTEZZA PKCS #11 Module on Windows NT

• If the FORTEZZA PKCS #11 module you want to install is a DLL file (or shared library) and not a JAR file, do not use the "Manage PKCS #11" or "Add PKCS #11" commands in Netscape Console. If you use the Netscape Console graphical interface, you will not be able to activate FORTEZZA ciphers. Instead, use the modutil command line utility located at <server_root>/shared/bin/modutil.

To install a FORTEZZA PKCS #11 Module DLL File:
1. Locate the server instance for which you want to install the PKCS#11 module.
2. Open a terminal window.
3. Go to the Administration Server's configuration directory, which is located at <server_root>/admin-serv/config.
4. At the prompt, enter this command: <server_root>/shared/bin/modutil -dbdir . -create

This creates the required security module database file (secmod.db) in the Administration Server's configuration directory.
5. At the prompt, enter this command:

<server_root>/shared/bin/modutil -dbdir . -add <module_name> -libfile <library_file> -nocertdb
<library_file> specifies the path to the DLL or other library file containing the implementation of the PKCS #11 interface module.
<module_name> specifies the name of the PKCS #11 module (you specified this in step1 when you installed the drivers).

For example, if you are installing a Litronic token, you would enter:
<server_root>/shared/bin/modutil -dbdir . -add CryptOS -libfile core32

For detailed information about modutil, see Appendix B, "Administration Server Command Line Tools" in the Netscape Console documentation.

Logging in as Directory Manager

Expired SIE passwords block access to Administration Server tasks

• If a password expiration policy is enabled in Directory Server, and a connected Administration Server's SIE passwords expire, you will not be able to access the connected server. (343369)

As a workaround, you can delay the expiration date of the Administration Server passwords. Use the ldapmodify utility to change two administrative entries. In the following example, replace <hostname> with the hostname of the server, and finish the command with Ctl-Z:

 ldapmodify -D "cn=directory manager" -w password
 dn: uid=Configuration Administrator, ou=admin, ou=Topology Management,
 o=NetscapeRoot
 changetype: modify
 replace: userpassword
 userpassword: <newpassword>
 -
 replace: passwordexpirationtime
 passwordexpirationtime: 20011231000000

 dn: cn=admin-serv-<hostname>, cn=Netscape Administration Server,
 cn=Server Group, cn=<hostname>, ou=<hostname>.
 o=NetscapeRoot
 changetype: modify
 replace: userpassword
 userpassword: <newpassword>
 -
 replace: passwordexpirationtime
 passwordexpirationtime: 20011231000000

Searching a Large User Directory

• If you use the Search interface to list all users in a large directory (for example, more than 1000 entries), the search may return 0 results. (341275) To improve search results, simply restrict your search criteria.

Full Thread Dump

• If you're trying to run the command line, and a segmentation violation occurs resulting in a full thread dump output, you may have an incompatible version of JRE or JDK in your path. Adding the following lines to the adminconfig script will eliminate this problem:

JAVA_HOME=./bin/base/jre
export JAVA_HOME
CLASSPATH=
export CLASSPATH

Using SSL

• To start an SSL-enabled Administration Server without manually entering a password, do the following:
1. Create a text file that will contain your security device passwords.
2. Add entries to this file using the following format: <token name>: <password>

For instance, if you are using the internal software token, you would enter internal (software): <password> where <password> is the password for the token. If you are using additional tokens, add each one's name and password on a new line.
3. In the <server_root>/admin-serv/config directory, create a text file called custom.conf.
4. Add the following line to custom.conf: pinFile: <pin file> where <pin file> is the full path to the text file containing passwords.

Using "objectClass: mailgroup" in Netscape Messaging Server 3.6

• If you are using distribution lists on Netscape Messaging Server 3.6, you may receive the following error (370423):

A message was not delivered because a loop was found in the Mail eXchanger (MX) record database.  The destination host has an MX record that points to this host, but there is no account for the recipient.

This error appears if a group's directory entry contains objectClass: mailgroup instead of objectClass: mailGroup. To fix this problem, follow these steps:
1. Export all group entries to an LDIF file.
2. Edit the file, replacing mailgroup with mailGroup.
3. Delete each of the problem distribution lists.
4. Add the updated LDIF file by entering ldapmodify -a -f <name of LDIF file> at the command line.

(If you aren't familiar with LDIF or ldapmodify, see the Directory Server Administrator's Guide.)

Changing Configuration Directory Server Information

• If you want to change the port number of the Configuration Directory Server used by your Administration Server, do the following (391575):
1. In Console, select the Configuration Directory Server that you want to change, and then click Open.
2. Click the Configuration tab, click Settings, and then change the value for Port.
3. Click OK. The success dialog tells you to restart the server for the changes to take effect.
4. Quit Console.
5. Restart the Directory Server from the command line.
6. Go to the Administration Server's server root and make the following changes:
• Open /admin-serv/config/adm.conf and change ldapport to the new Configuration Directory Server port number.
• Open /shared/config/dbswitch.conf and change the directory default URL to reflect the new port number.
7. Restart the Administration Server. When you launch Console, it will point to the new Configuration Directory Server port.

• If you want the Administration Server to use a new Configuration Directory Server, do the following:
1. In the network tree, select the Administration Server that you specify when logging into Console.
2. Click Open to open the Administration Server management window, and then click the Configuration tab.
3. Click the Configuration DS tab, and then change the value for LDAP Host and LDAP Port to the host name and port number of the new Configuration Directory Server.
4. Quit Console and restart the Administration Server. When you launch Console, it will point to the new Configuration Directory Server.

• Note: These two procedures do not change the default URL for users and groups. To change the User Directory host name or port number for a domain, do the following:
1. Open Console.
2. In the network tree, select the administration domain that uses the new or changed Directory Server.
3. In the right-hand panel, click the Edit button.
4. In the "User Directory Host and Port" field, enter the new or changed Directory Server host name and port number.
5. Click OK.
All server instances in the administration domain will now use the new host name and port by default. If you want the instances in a particular server group to use a different User Directory Server, change the User DS settings for the server group's Administration Server.

Changing User Directory After SSL is Enabled on Windows NT

• If you want to change your User Directory you must do so before SSL is enabled on Directory Server. On the Windows NT platform, changing your User Directory after SSL is enabled on Directory Server results in a ugdsconfig.exe application error (530500).

Creating 8 bit Characters in Console

• Some 8 bit characters, for example, Ê and Ë, cannot be created in Console input fields. (529527)

To use these characters do the following:
1. Open a text editor of your choice.
2. Create the 8 bit character.
3. Copy the 8 bit character you created.
4. Paste the character, using crtl-v, into the appropriate Console input field.

---

Where to Go for Other Information