Netscape Console and Administration Server Release Notes

Version 6.0

Updated December 11, 2001

These release notes contain important information available at the time of the version 6 release of Netscape Console and Administration Server. New features and enhancements, installation notes, known problems, and other late-breaking issues are addressed here. Parenthetical numbers contained within, or following the topics, are tracking numbers. Tracking numbers are useful when discussing issues with Technical Support or Professional Services.

Read this document before you begin using Netscape Console and Administration Server.

These release notes contain the following sections:

Installation Issues

Installing and Upgrading Netscape Console

Silent Install Cache

You can save the installation cache when you install Netscape Console. All the values you specify during installation are saved to a file when you save the installation cache. This file is useful when you want to perform subsequent silent installations. To save the installation cache, navigate to the server root, and then enter setup -k at the command line (339769). For more information on silent installation, see your server's documentation.

NFS

You must install Netscape Administration Server and Console 6.0 into a directory on your local disk. You can not use an NFS mounted directory. (401888).

Install Over Telnet

Windows NT. You cannot use the Microsoft Windows NT telnet program to run the Netscape Server Products Setup program on a remote UNIX machine if you are installing 8-bit international versions of Netscape Administration Server and Console 6.0. You must use a special version of the telnet application that is either 8-bit or double-byte compliant (401888).

Default User Directory over SSL

If the default user directory for your administration domain is stored on an instance of Directory Server that is running SSL, you will not be able to install or upgrade Netscape Administration Server (395410). To work around this problem, follow the appropriate set of instructions:

To Install a New Instance of Administration Server for a Directory Server Using SSL

  1. In the navigation tree, select the administration domain that is communicating with SSL to Directory Server.
  2. In the right-hand panel, click Edit.
  3. Change the value for "User directory host and port" to the non-SSL port.
  4. Install Netscape Administration Server 6.0.
  5. Start Console and log into Netscape Administration Server.
  6. Change the value for "User directory host and port" back to the SSL port.
  7. Decide how you want to connect to the user directory and configure Administration Server accordingly:

To Upgrade an Existing Instance of Administration Server for a Directory Server Using SSL

  1. Configure the existing instance of Administration Server to communicate with a non-SSL Directory Server:
  2. Perform the upgrade by installing Netscape Administration Server 6.0 into your existing server root folder.

    3.  
  3. Start Console and log in to Administration Server.

    4.  
  4. If you want to connect to a user directory using encryption, configure either the administration domain or the upgraded instance of Administration Server to connect to the SSL port. To do this, follow the procedures outlined in step 1, substituting the SSL port for the non-SSL one.
Double Byte Domain Name

During Console installation, the setup utility retrieves the domain name from Directory server. If the domain name is a double byte value (e.g.. Chinese or Japanese character set) it is displayed incorrectly. The correct double byte domain name must be added manually. (521506)

Using Netscape Directory Server 4.0 or Earlier

If your configuration directory is running on Netscape Directory Server 4.0 or earlier, you may receive an "error 14" message when performing Console operations (392925). This is because Console 4.1 and higher require schema updates to the directory. To fix this problem, install the latest version of Netscape Directory Server.

Using Escape Characters During Installation

Do not use escape characters in domain names during Netscape Console installation. Using a traditional escaped character (such as \,) when specifying a domain name during installation will cause the Netscape Server Products Setup program to fail (420089). If you want to use escape characters in your domain names, you may use Console to add them after Console is installed and the domain is created.

Known Problems and Limitations

This section describes the following known problems and related solutions. Parenthetical numbers contained within, or following the topic, are tracking numbers. Tracking numbers are useful when discussing issues with Technical Support or Professional Services:

Login Window is Hidden

When starting Netscape Console using some window managers (Enlightenment, WindowMaker, or Gnome), the Login window may be hidden behind the Netscape Console splash screen, and you will not be able to log in (345545). As a workaround, start Netscape Console at the command line by entering startconsole -x nologo.

Asian Characters in Search Results

When Netscape Console returns user and group search results, Asian characters (Japanese, Chinese, or Korean) may appear as empty boxes (401889). To fix this problem, change your font settings. To do this:
  1. Select Preferences from the Edit menu option.
  2. Click the Fonts tab.
  3. Make sure that an available Asian font is assigned to each screen element. To see which fonts are available on your system, select a screen element, and then click the Change Font button.
  4. Click OK to save your font settings.
  5. Restart Netscape Console.
    6. Your font choices are preserved as part of your Console user preferences.

    For more information on changing Console fonts, see Chapter 3 of the Managing Servers with Netscape Console.

Administration Server Not Locating Directory Server

If you are running Windows NT, Netscape Directory Server may start up after Netscape Administration Server. If this happens, Administration Server will not be able to retrieve configuration information from the directory. To solve the problem, restart Netscape Administration Server from the Windows NT Services Control Panel (394281).

Distorted Fonts in Unix

If you are running Netscape Console on a remote Unix server, fonts may look awkward, resulting in clipped UI text. To fix this problem, adjust font settings through the Preferences dialog box under the Edit menu in Console (336626).

Problems With Help

  1. If clicking a Help button does not open your web browser, try the following:
  1. Links on the login help screen do not work. These are the links to the online help topics page, and to the HTML version of the manual. You can get to both of these from any other help screen. (600519)
  2. The Login help screen may not open when clicking the help button in the login dialog on a remote display of Console on Solaris. (600519)

Proxied Administration Not Supported

Netscape Console 6.0 does not support proxied administration.

Server Instance Names

Do not use a period (.) in server instance names. If you use a period in a server instance name, Netscape Console will not recognize the server instance.

For example, the server instance msg.example.com is not acceptable; msg-example-com is acceptable (311490).

Non-Default User ID

When the default language requires a user ID in a form other than the default (the user's first initial followed by the user's last name), you must manually override the nsuserformat attribute in the configuration directory (117507). To manually override the nsuseridformat attribute:
  1. In Netscape Console, open the management window for the instance of Directory Server containing the configuration directory you want to modify.
  2. Click the Directory tab.
  3. Expand the navigation tree to follow this path: NetscapeRoot/administrationDomain /Global Preferences.
  4. In the navigation tree, select Global Preferences.
  5. In the right pane double-click Common.
  6. In the Property Editor window, locate the attribute nsuseridformat and enter one of the following values as appropriate:
  7. firstletter_lastname (this is the default value)
  8. Click OK.
  9. Restart Netscape Console.

8-bit Characters in User Data

When creating a new user or editing a user's personal data, do not use 8-bit characters in the First Name and Last Name fields. If you use 8-bit characters in the First Name or Last Name fields, the user ID is not automatically generated for you. Instead, use ASCII characters to enter the user's personal data (117507).

Improving Administration Express Performance

If the host computer for a server registered in the configuration directory is experiencing network problems, there could be a long delay when the Administration Express page tries to contact the server and create a status page (355354). To improve Administration Express performance, do the following:
  1. Open the adm.conf file located in the server root, </server_root>/admin-serv/config/adm.conf,

    2.  
  2. Add the following entry: ExpressCGITimeout:x
    3. In this entry, x is an integer representing how long (in seconds) Administration Express should continue trying to reach the remote server before timing out.

Enabling SSL on Directory Server 4.x Using Console 6.0

After installing Netscape Console and Administration Server 6.0, if you enable SSL on Netscape Directory Server 4.x, the directory server won't start. You will see the following message in the error log:

"Failed to set SSL cipher preference information: unknown cipher tls_rsa_export1024_with_rc4_56_sha!"

This message is generated because Console 6.0 includes two additional cipher suites that Directory Server 4.x does not recognize.

To work around this problem, do the following with encryption enabled and the directory not running:

Edit the dse.ldif file located in </server_root> /slapd-serverName/config/ as follows:

  1. Remove the two "-tls_" strings from the dse.ldif file. These strings exist under the attribute name "nsssl3ciphers," which is found in the "cn=encryption, cn=config" node beneath the affected server instance SIE.

    2.  
  2. Start Directory Server from the command-line with start-slapd.

    3.  
Once you have modified dse.ldif, you can disable and enable encryption for Directory Server by manually modifying the "security on/off" setting in slapd.conf. If you use Console to change your encryption settings or disable and then re-enable encryption, you will have to edit dse.ldif again.

Installing a Fortezza PKCS #11 Module on Windows NT

If the Fortezza PKCS #11 module you want to install is a Dynamic Link Library file (or shared library) and not a JAR file, do not use the "Configure Security Modules" dialog box in Netscape Console. If you use Netscape Console's graphical interface, you will not be able to activate Fortezza ciphers. Instead, use the modutil command line utility located at </server_root> /shared/bin/modutil.

To install a Fortezza PKCS #11 Module DLL File:

  1. Locate the server instance for which you want to install the PKCS #11 module.
  2. Open a terminal window.
  3. Go to the Administration Server's configuration directory located at </server_root>/admin-serv/config.
  4. At the prompt, enter this command: </server_root> /shared/bin/modutil -dbdir . -create
  5. This creates the required security module database file (secmod.db) in the Administration Server's configuration directory.
  6. At the prompt, enter this command:
    7. </server_root> /shared/bin/modutil -dbdir . -addmoduleName-libfilelibraryFile-nocertdb
For example, if you are installing a Litronic token, you would enter: </server_root> /shared/bin/modutil -dbdir . -add CryptOS -libfile core32

For detailed information about modutil, see the Managing Servers with Netscape Console.

Automatically Starting an SSL-Enabled Instance of Administration Server

To start an SSL-enabled instance of Administration Server without manually entering a password, do the following:
  1. Under /admin-serv/config, create a text file called password.conf. The text file will contain your security device passwords.

    2.  
  2. Add lines to this file using the following format:
    3. <token name 1>:<password 1>
    <token name 2>:<password 2>
    ...
    <token name x>:<password x>
  3. Substitute the actual name of the token for <token name> and the password associated with the token for <password> . If you have selected multiple tokens in the Administration Server Encryption screen, add all the corresponding token names and passwords on additional new lines.

    4.  
  4. Most frequently you will use only internal software tokens. In this case the password.conf file must contain only the following:
    5. Communicator Certificate DB:<password>

    Substitute the password you selected when creating the key and certificate database files in the certificate setup wizard for <password> . (505061) (485321)

On UNIX Using Green Threads With an Encrypted Instance of Administration Server

If the instance of Administration Server that you want to log in to is running SSL, you cannot use the -g option to start Console using green threads on UNIX (400746).

Changing Configuration Directory Server Information

If you want to change the port number of the Configuration Directory Server used by your Administration Server, you can use either the following GUI or CLI instructions (391575)(391363):

GUI Instructions:

  1. Open the Directory Console and select the Configuration tab.

    2.  
  2. Change the LDAP port to a new value

    3.  
  3. Click OK. The success dialog tells you to restart the server for the changes to take effect. Do not quit Console.

    4.  
  4. Restart Directory Server from the command line.

    5.  
Next, change the Administration Server LDAP port with the following steps:
  1. In Console, select the administration server that you want to change, and then click Open.

    2.  
  2. Click the Configuration tab, click Settings, and then change the value for Port.

    3.  
  3. Click OK. The success dialog tells you to restart the server for the changes to take effect.

    4.  
  4. Quit Console.

    5.  
  5. Restart Administration Server
To change the Administration Server LDAP port from the command, use the following instructions:

Command Line Instructions:

  1. Go to the Administration Server's server root and make the following changes:
    2. Open /admin-serv/config/adm.conf and change LDAP port to the new Configuration Directory Server port number.

    Open /shared/config/dbswitch.conf and change the directory default URL to reflect the new port number.

  2. Restart Administration Server. When you launch Console, it will point to the new Configuration Directory Server port.

    3.  
  3. Note: The above steps are performed for each individual Administration Server in the topology that will use a new Configuration Directory Server.

    4.  
These two procedures do not change the default URL for users and groups. To change the User Directory host name or port number for a domain, do the following:
  1. Open Netscape Console

    2.  
  2. In the navigation tree, select the administration domain that uses the new or changed Directory Server.

    3.  
  3. In the right-hand panel, click the Edit button.

    4.  
  4. In the "User Directory Host and Port" field, enter the new or changed Directory Server host name and port number.

    5.  
  5. Click OK.

    6.  
All server instances in the administration domain will now use the new host name and port by default. If you want the instances in a particular server group to use a different User Directory Server, change the User DS settings for the server group's Administration Server.

Server Class Instantiate Error

Terminating the Console Java application while the class download for a server is in progress may leave the server class files in an inconsistent state. In this event, future attempts to access the particular server instance fail producing the error message: Server Class Instantiate Error. The following steps are needed to eliminate the error: (518823)
  1. Create a temporary directory. For example: <server_root> /java/jar/<save>

    2.  
  2. Move all files from your existing <server_root> /java/jar to the new temporary directory

    3.  
  3. Run the Console and download the server class files again by clicking on the particular server in the topology.

    4.  
  4. When the class download is successful, again move all the files from your existing <server_root> /java/jar to the new temporary directory.

    5.  
  5. Then, move the contents of temporary directory into <server_root>/java/jar and remove the temporary directory.

Misplaced Console Login Window

If the login window for Netscape Console appears in the top corner of the screen, making the fields inaccessible, right click the border of the login window and select Move from the menu that appears. Drag the login window to the desired location. If this is not possible, then remove the file $HOME/.mcc/Console.4.0.Login.preferences (521500).
 

Internet Explorer Client Authentication

Initial setup of the Netscape Console and Administration Server client authentication feature requires the use of Netscape Communicator to create the key3.db and cert7.db files needed for authentication. (522151)

Certificate Generation

You must type more than one character in each field of the Certificate Request form in the Certificate Set Up Wizard. If a certificate is installed that does not conform to this instruction when generated, Netscape Console and Administration Server will display the error message: InvalidNicknameException. (520956)

Viewing Administration Express Online Help

Online help for Administration Express in the Netscape Navigator browser opens near the end of the help contents. Online help for Administration Express in the Internet Explorer browser opens near the beginning of the help contents. Users must scroll to view the desired help topic. (521601)

Multiple Email Addresses Appearing Using Console 6.0 with Netscape Directory Server 4.x

Using the Advance Property Editor through Console 6.0 to Netscape Directory Server 4.x, causes duplication of the email text field content in the User Panel. This is caused by opening the Advance Property Editor and clicking OK, whether or not any modification takes place. If you click Cancel, no duplication occurs. To remove duplicate addresses, highlight and delete the duplicate entries in the Edit Entries window and click OK (485161).
 

Enabling SSL Over LDAP

If you wish to configure your Administration Server use a SSL-enabled Directory Server, do not enable SSL for Administration Server and specify an SSL-enabled Directory Server in the same session. After enabling SSL for Administration Server, you must restart, then specify an SSL-enabled Directory Server (532351).

  1. Install a server certificate in Administration Server.

    2.  
  2. Install a trusted CA certificate in Administration Server.

    3.  
  3. Enable SSL in the Administration Server.

    4.  
  4. Restart Administration Server.

    5.  
  5. Specify an SSL-enabled Directory Server in the Configuration DS tab.

    6.  
  6. Restart Administration Server.

    7.  


LC_CTYPE Shell Variable in Solaris 2.6

Console will not start if the LC_CTYPE shell variable is set in Solaris 2.6. To prevent the problem unset LC_CTYPE (533533).
 


© 2001 Sun Microsystems, Inc. Portions copyright 1999, 2001 Netscape Communications Corporation. All rights reserved.