These release notes contain important information available at the time of the Service Pack 2 release of Netscape Enterprise Server (NES) Version 6.1. New features and enhancements, installation notes, known problems, and other late-breaking issues are addressed here. Read this document before you begin using Enterprise Server.

Check the Enterprise Server Documentation page prior to installing and setting up your software and then periodically thereafter to obtain the latest release notes and manuals.

These release notes contain the following sections:

• What's New in This Release
• Deleted Features
• Required Patches
• JRE/JVM Versions
• Installation, Upgrade, and Migration Information
• Fixed Problems
• Known Problems and Solutions
• Platform-Specific Information
• Libraries
• Documentation
• PHP Support
• How to Report Problems

These release notes describe changes made since Version 6.1. For information regarding changes made prior to this release, see also:

• Netscape Enterprise Server 6.0 Release Notes
• Netscape Enterprise Server 6.1 Release Notes

---

What's New in This Release

• New magnus.conf directive: DisableMethods method
• New magnus.conf directive: ACLCacheStrictPassword [on|off]
• New magnus.conf directive: NetWriteTimeout n
• New magnus.conf directive: EnforceValidCerts [on|off]
• New magnus.conf directive: ParentAcceptLanguage [on|off]
• New magnus.conf directive: LDAPClientAuth [on|off]
• Importing the Client Certificate
• Certificate Mapping Considerations
• New flex-log option: %duration%
• New nsfc.conf parameter: ForceReload [on|off]
• Performance improvements due to optimized process-locking logic.
• Enterprise Server now checks the IP address or host name of authentication requests before checking the user ID/password

• New magnus.conf directive: DisableMethods method

The new magnus.conf directive DisableMethods can be used to disable HTTP methods that you choose not to process. Specify the methods you want to disable in a comma-separated list. For example, to disable the methods TRACE and OPTIONS, you would use:

DisableMethods TRACE,OPTIONS

No methods are disabled by default.

When you disable methods, error log messages similar to the following are generated:

[27/Jan/2003:09:38:33] info (14552): HTTP Method TRACE disabled.
[27/Jan/2003:09:40:08] info (14552): HTTP Method OPTIONS disabled.

NOTE: Methods that are part of the HTTP RFC (2068) should not be disabled lightly. If you disable these methods, your server will not be RFC-compliant, which could result in unexpected behavior from clients.

• New magnus.conf directive: ACLCacheStrictPassword [on|off]

The new magnus.conf directive ACLCacheStrictPassword invalidates an ACL cacheentry if a request contains an invalid password. This mechanism allows the LDAP policy to be invoked when unauthorized accesses are attemped.

• When ACLCacheStrictPassword is set to on, an invalid password automatically invalidates the cached uid/password combination. The cache is then forced to reload from the LDAP server upon the next request.
• When ACLCacheStrictPassword is set to off, invalid passwords do not invalidate the cache entry, so it does not reload from the LDAP server until the current entry expires.

The default setting is on.

See the Netscape Enterprise Server NSAPI Programmer's Guide for more information on tuning the ACL cache.

• New magnus.conf directive: NetWriteTimeout n

The magnus.conf directive NetWriteTimeout controls how long Enterprise Server should wait for a call to the net_write() function to complete. A valid value is an integer specifying the number of seconds to wait. The default value is 1800 (30 minutes).

• New magnus.conf directive: EnforceValidCerts [on|off]

Use the magnus.conf directive EnforceValidCerts to indicate how Enterprise Server should respond if the check of its certificate chain fails upon startup. The check verifies that:

• All the certificates in the certificate chain are checked to see that they have not expired.
• At least one of the certificates in the chain is a trusted authority.
• All the certificates in the certificate chain are checked for valid signatures. This check requires that each certificate's issuer certificate be present and detects missing CA certificates.

When the check of the certificate chain fails upon startup:

• If EnforceValidCerts is set to on, Enterprise Server does not start.
• If EnforceValidCerts is set to off, Enterprise Server starts up but logs the check failure.

The default setting is on.

• New magnus.conf directive: ParentAcceptLanguage [on|off]

The new magnus.conf directive ParentAcceptLanguage allows you to change how Enterprise Server checks the Accept-Language HTTP header for possible localized language versions.

When the server.xml attribute acceptlanguage is set to on, Enterprise Server parses the Accept-Language header and sends an appropriate language version based on which language the client can accept.

When the new magnus.conf directive ParentAcceptLanguage is set to off (or in previous versions), Enterprise Server takes the list from the Accept-Language header, sorts the list items, and for any items that contain a hyphen (for example, fr-ca, en-US) the parent/prefix language is added to the end of the list. For example, if the Accept-Language header is:

Accept-Language: fr-ca, de, en-US

the language list generated by Enterprise Server is:

fr_ca, de, en_US, fr, en

When ParentAcceptLanguage is set to on, Enterprise Server inserts the parent/prefix language into the language list after the associated hyphenated item. For example, if the Accept-Language header is:

Accept-Language: fr-ca, de, en-US

the language list generated by Enterprise Server is:

fr_ca, fr, de, en_US, en

The default setting is off.

Note that Enterprise Server still checks the value of the DefaultLanguage directive. DefaultLanguage specifies the default language for the server. The default language is used for both the client responses and administration. See the Netscape Enterprise Server NSAPI Programmer's Guide for details.

• New magnus.conf directive: LDAPClientAuth [on|off]

The new magnus.conf directive LDAPClientAuth is part of Enterprise Server's new support for LDAPS client authentication to ACLs. Previous versions of Enterprise server supported only username/password authentication to the LDAP(S) database.

In order for client authentication to work, the instance's certificate database that holds the client certificate must be opened. It must be opened because Enterprise Server is initiating an SSL connection as a client in this case. The database can be opened because either:

• Enterprise Server is running in SSL mode (Security is on).
• LDAPClientAuth is set to on.

The default setting is off.

If the database is not opened and someone tries to access the server, the connection to the LDAPS server fails with this message in the error log:

Client authentication bind failed: bad key or key password (89)

See "Importing the Client Certificate" for instructions on importing your client certificate into the the certificate database of the server.

Importing the Client Certificate

To import your client certificate into the certificate database of the server, perform the following steps:

1. Generate a client certificate for an existing user in your LDAP server. (You might find it useful to create a separate user just for authentication purposes.) See the certificate server documentation for instructions.

   The client certificate must be authorized to connect to the remote secure LDAP server and exported into the PKCS#12 file format. (Most browsers export certificate files in the PKCS#12 format.) Merely installing the client certificate into the server's database is not sufficient. The private key is also necessary, because this certificate is used to initiate an SSL connection.

2. Use the pk12util utility to import the client certificate into the certificate database of the server. The pk12util utility is located in server_root/bin/https/admin/bin/. The following example assumes that you saved the PKCS#12 file in the cert.p12 file:

   % cd server_root/alias
   % pk12util -P https-instance_name-host_name- -d . -i cert.p12

3. Provide the database password and then the client certificate password when prompted to do so.

4. Provide the client certificate password, when prompted to do so.

5. Use the certutil utility to verify that the certificate was imported successfully. The certutil utility is located in server_root/bin/https/admin/bin.

% certutil -P https-instance_name-host_name- -L -d .
Server-Cert                                                  u,u,u
client_cert_CA                                               CT,, 
client_cert                                                  u,u,u

You can also use the Administration Console to verify that the certificate was imported successfully:

1. In the Administration Console, select the instance into which you imported the client certificate
2. Select the Security tab.
3. Select the Manage Certificates page.

If you imported the client certificate successfully, it will be listed among the certificates displayed.

6. Once you have imported the client certificate, update the LDAPS server entry in dbswitch.conf to specify the nickname of the client certificate to use:

database:clauthnickname nickname

In the examples shown in step 5, the nickname of the client certificate is client_cert.

Once you have imported the client certificate and updated dbswitch.conf, set up certificate mapping in your LDAP server. See Certificate Mapping Considerations for additional information.

Certificate Mapping Considerations

Set up certificate mapping in your LDAP server to map the client certificate to an entry in your LDAP server. This is separate from the client-authentication mapping performed by Enterprise Server. See the Netscape Directory Server documentation for details.

Note: If the certificate mapping is misconfigured, no errors appear at startup. However, when someone attempts to authenticate to the web server protected by this database, the following error appears:

Client authentication bind failed: client certificate mapping failed (49)

• New flex-log option: %duration%

The optional flex-log parameter, %duration%, logs the amount of time in microseconds Enterprise Server spent executing a request. Statistics must be enabled for %duration% to work.

For information about other flex-log options, see Table 7-1 in the Netscape Enterprise Server NSAPI Programmer's Guide.

• New nsfc.conf parameter: ForceReload [on|off]

ForceReload controls the handling of files that have outlived the MaxAge value of the file cache.

• When ForceReload is disabled, the cache checks the vital statistics of the entry against the file on disk and, if appropriate, resets the age of the cache entry to allow its continued use.
• When enabled, ForceReload causes the entry to be marked for deletion regardless of the state of the file on disk. The next request for that file will create a new cache entry populated with the data on disk.

The default setting is off.

• Performance improvements due to optimized process-locking logic.

• Enterprise Server now checks the IP address or host name of authentication requests before checking the user ID/password

Enterprise Server now checks the IP address and/or hostname of requests before prompting for a username and password. You can use the Administration Console to change the hostnames and IP addresses to allow:

1. Select the Administration Server.
2. Select the Preference Tab.
3. Select the Superuser Access Control Page.
4. Specify the hostnames and/or IP addresses in the fields provided.

See the Administration Console help for details.

Introduced in Version 6.1 Service Pack 1

• New SAFs: set-variable, cond-match-variable, and match-browser

Three new SAFs help you manipulate variables:

• cond-match-variable evaluates <Client> tags for a variety of variables.
• match-browser matches specific strings in the User-Agent string supplied by the browser and, based upon the result, modifies the behavior of Enterprise Server by setting values for specified variables.
• set-variable allows you to change server settings based on conditional information in a request.

These SAFs are applicable in all stage directives. See the Netscape Enterprise Server NSAPI Programmer's Guide for details.

---

Deleted Features

As of Version 6.1, Netscape Enterprise Server no longer supports JSP 0.9. If you have a previous version of Enterprise Server, edit the obj.conf file and remove the entire <Object>/</Object> entry for the object jsp092. (603854)

---

Required Patches

• Sun™ Solaris™ Patches
• Windows Service Packs

Sun Solaris Patches

For each patch, use the listed revision or a higher revision. For example, if you need patch 111111-01, the later revision 111111-03 will also work.

Note that if you are using a JDK, you may need additional patches.

• Solaris 2.6

The following patch is required to run Enterprise Server 6.1 SP2 on Solaris 2.6: 105591-09

Note: You can determine if you have a patch by running the following command:

% showrev -p | grep 105591

• Solaris 7

  Use the latest Solaris patches for Solaris 7.

• Solaris 8

Use the "Recommended Solaris Patch Cluster" for Solaris 8 plus the following patches: 108827-19, 109472-07, 109234-05

Note: You can determine if you have the patch by running the following command:

% showrev -p | grep patch_id

• Compiler Patches for Solaris

The following Solaris 2.6 patch is recommended when using the CC4.2 compiler: 104668-09.

HP-UX Patches

You can find a list of patches for Java 1.2.2.07 at:

http://www.unix.hp.com/java/java2/sdkrte/infolibrary/release_notes_SDK_1-2-2-07.html

Windows Service Packs

Windows 2000 Server SP1 or later is required for running Enterprise Server 6.1 SP2.

---

JRE/JVM Versions

Platform	JRE / JVM / JIT Version	Comments
Solaris 2.8	Solaris VM  (build Solaris_JDK_1.4.0_00)	Comment out the -Xrs flag in config/jvm12.conf to generate stack traces. For more details, see the section "Generating a Stack Trace for Debugging" in the Netscape Enterprise Server Installation and Migration Guide. For JVMPI-based profiling (such as hprof) or debugging purposes (such as attaching Solaris dbx), use the reference implementation downloadable from: http://java.sun.com/j2se/1.4/
Windows NT 4.0	Java version 1.4.0_00 Classic VM
Windows 2000	Java version 1.4.0_00 Classic VM
HP-UX	Java version 1.3.1_05 JRE 1.3.1.05 Standard Edition (build 1.3.1.05-020425-12:07) Java HotSpot™ Server VM (build 1.2.1 1.3.1.05_20020425 PA2.0, mixed mode)
RedHat Linux 7.2	Java version 1.4.0_00 Classic VM

---

Installation, Upgrade, and Migration Information

The following table summarizes the supported platforms for Enterprise Server 6.1 SP2. All platforms, except for Microsoft Windows 2000, require a minimum of 128 MB memory (256 MB recommended) and 150 MB disk space. Windows 2000 requires at least 512 MB of memory and 2GB of disk space to run Enterprise Server 6.1 SP2 successfully.

Vendor	Architecture	Operating System
Hewlett-Packard	PA-RISC	HP-UX 11.0, 11.0 64-bit*, 11i*
Microsoft	Pentium	Windows NT 4.0 SP6a Windows 2000 Server SP1
RedHat	X86	Red Hat Linux Advanced Server, based on kernel 2.4.9 with glibc 2.1.2.4
Sun	UltraSPARC**	Solaris 2.6, 7*, 8

* Supported via binary compatibility.

**As of Enterprise Server 6.x, older SPARC CPUs are not supported. Enterprise Server 6.1 SP2 continues to support the UltraSPARC architecture.

Upgrade/Migration Issues

If you are running an earlier version of this product, see the table below to determine how to upgrade to Netscape Enterprise Server 6.1 SP2.

If you are running...	Then...
iPlanet™ Web Server 6.x	Install Netscape Enterprise Server 6.1 SP2 in the same server root.
iPlanet Web Server 4.x	Install Netscape Enterprise Server 6.1 SP2 in a different server root then migrate your data to the new server.
Netscape Enterprise Server 6.0	Install Netscape Enterprise Server 6.1 SP2 in the same server root.
Netscape Enterprise Server 3.x or earlier	Install Netscape Enterprise Server 6.1 SP2 in a different server root. There is no migration path.

See the Netscape Enterprise Server Installation and Migration Guide for details.

---

Fixed Problems

Startup/Shutdown

• The uxwdog process unexpectedly terminates on modern Linux distributions from RedHat, Gentoo, and so on. (614127)

• Server would throw error and stop initialization if a servlet failed to properly initialize. (600459)

• Enterprise Server is unable to start if Java is enabled and the entire server ("/") is being redirected to another location (605189)

Programming

• Deploying a web application from the command line to an unwritable directory fails with a misleading error. (607492)

• (Linux Only) Execution of a CGI with the Administration Server SAF admin-send-cgi causes waitpid() errors to be written to the server error log. (605359)

Security

• Switching from not requiring a client certificate to requiring one can lead to an inappropriate "Forbidden" message. (603524)

Miscellaneous

• Cookies are not retained when a browser request creates an internal request. (608175)

• Memory leak in Session Manager. (607798)

• Chunked Encoding can fail unexpectedly. (608872)

---

Known Problems and Solutions

• (Windows only) Problems running and uninstalling Enterprise Server 6.1 once other Netscape, SunONE or iPlanet servers are running on the same host (613054)

Some Netscape and SunONE/iPlanet servers install libraries into the System32 directory. This can cause Enterprise Server to function incorrectly. It is not recommended that multiple Netscape, SunONE, or iPlanet servers be installed on a single Windows host.

• Servlet output is cached in SHTML (612446)

When including servlet output in SHTML documents, use the <servlet...> method instead of the #include method. Using #include can lead to unexpected results from the servlet(s).

• Installer falsely detects inadequate disk space on Windows 2000 (606319)

When the installer is started on Windows 2000, a message reports erroneously that there is not enough space on the hard disk to extract the package, even though adequate space may be available.

• Installer: Cancel button doesn't work properly on Windows 2000 (606321)

• SSLClientAuthTimeout and SSLClientAuthDataLimit should not be global (601713)

A problem with the variable SSLClientAuthTimeout causes NSS to use an inappropriate timeout interval. To work around this problem, set the magnus.conf directive AcceptTimeout to 3600 seconds.

• Unable to find cert/key databases when instance name ends in ".SSL" (603012)

If an Enterprise Server instance name has the suffix .SSL, the names of databases created by the Adminstration Server based on the instance name will not match the names Enterprise Server will use to search for databases.

• Bad Request message appears when deploy to a "space" directory (562489)

When a web application is deployed to a Windows NT/2000 directory with spaces in its name, a "Bad Request" error message can result.

• Internationalization of Enterprise Server request parameter names is not supported (601332)

• Changing the Administration Server UID causes file system errors (603872)

Changing the Administration Server UID causes file permission problems that can prevent the Administration Server from starting.

• Initializing hangs if Access Log is a named pipe (603212)

• Cannot use distributed administration with LDAP over SSL (562134)

In order to use distributed administration, you must use LDAP, not LDAP over SSL.

• Rainbow SSL hardware accelerators don't work (603719)

  Due to problems with the drivers, Rainbow SSL hardware accelerators do not work with Enterprise Server 6.1 SP2.

• ADM:VS: Server Error page when disable ACL access is on (562558)

  When a virtual server is defined under a user-created class and access control is disabled, a server error page displays when a user's browser attempts to access the virtual server.

  To work around this problem, always leave Access Control ON under Restrict Access.

• Fail to start server after renewing ssl server cert with old key/subject name (603118)

  If you renew then import the Enterprise Server security certificate using the old key and subject name, Enterprise Server fails to start afterward. The resulting error message says the certificate or key necessary for authentication could not be found. To work around this problem, use a new key.

• Server fails to start with dlopen and undefined symbol errors (605032)

  If the environment variables SHLIB_PATH or LD_LIBRARY_PATH are set to something other than what is set in the Enterprise Server start script, unpredictable behavior can result (including being unable to start Enterprise Server at all).

  If Enterprise Server fails to start and logs an error indicating a dlopen failure and/or undefined symbol errors, check to see if these environment variables have been incorrectly set. You may choose to explicitly unset these environment variables in the start script.

• Internal redirect from CGI is not completely examined by obj.conf directives (602055)

If CGI code returns a location header but does not set a status header and if the location header is not a URL, lost data (including path-info) can generate what appears to be a PathCheck problem but is not.

To work around this problem, have the CGI that is returning the internal redirect append $PATH_INFO to Location before returning.

• Using OptimizeIt™ with Enterprise Server (603101)

Enterprise Server 6.1 SP2 supports Optimizeit 4.x. The instructions for enabling remote profiling with OptimizeIt have been updated. See the Netscape Enterprise Server Programmer's Guide to Servlets for details.

---

Platform-Specific Information

• Windows NT
• Windows 2000
• UNIX/Linux

Windows NT

• When installing on Windows NT, the JDK runtime path must use the following format:

  j2sdk_home/bin;j2sdk_home/jre/bin/server;j2sdk_home/jre/bin/classic

Windows 2000

• It is recommended that you use the Internet Explorer 5.X browser with Windows 2000 SP1 or later Server Edition.

• File associations under Windows have historically been available to the entire system. In Windows 2000, however, file associations have been changed to be user specific. This can affect the Shell-CGI subsystem's ability to execute shell CGIs (.bat, .pl, and so on). See the Microsoft document describing this at:

  http://support.microsoft.com/default.aspx?scid=kb;EN-US;q257592

• When installing on Windows 2000, the JDK runtime path must use the following format:

  j2sdk_home/bin;j2sdk_home/jre/bin/server;j2sdk_home/jre/bin/classic

• When you remove a server instance on Windows 2000, the server content is removed, but the server directory (https-servername) is not. Because the directory is not removed, it still appears in the dropdown box on the Manage Servers page. To delete the server directory, you must remove it manually after deleting the server instance.

UNIX/Linux

• In versions of Enterprise Server prior to 6.0, users started Enterprise Server without the UNIX Watchdog process (uxwdog) in order to gain access to standard out (stdout()) and standard error (stderr()) messages. In version 6.0 and above, however, if uxwdog is not running during Enterprise Server initialization, Enterprise Server will not have adequate permission to acquire its listen socket and initialization will fail. To have Enterprise Server return stdout() and stderr() messages to the console from which it was started, start Enterprise Server with the -o (for stdout()), -e (for stderr()), and -i options in conjunction with the uxwdog process. (601088)
• If you are running Enterprise Server on HP-UX, problems arise when using JRE/JDK 1.4. This version of Enterprise Server includes JVM 1.3. If you must use JVM, Netscape recommends that you use the client JVM instead of the Server JVM. (604584)

---

Libraries

• NSS 3.7.1
• NSPR 4.2.2

Note: References in the Enterprise Server 6.1 documentation to cert7.db should now be interpreted to mean cert7.db (if migrated), cert8.db, or both.

For more information see http://www.mozilla.org/

---

Documentation

Netscape Enterprise Server documentation includes the following manuals, which are available online in HTML and PDF format:

• Netscape Enterprise Server Installation and Migration Guide (HTML, PDF)

• Netscape Enterprise Server Administrator's Guide (HTML, PDF)

• Netscape Enterprise Server NSAPI Programmer's Guide (HTML, PDF)

• Netscape Enterprise Server Programmer's Guide (HTML, PDF)

• Netscape Enterprise Server Programmer's Guide to Servlets (HTML, PDF)

• Netscape Enterprise Server Performance Tuning, Sizing and Scaling Guide (HTML, PDF)

---

PHP Support

Netscape Enterprise Server does not directly support the PHP scripting language. Support for the PHP scripting language can be added to Enterprise Server through two APIs supported by the PHP development team: CGI and NSAPI. For performance and scalability reasons, Netscape recommends that users interested in PHP utilitize the NSAPI implementation.

For more information on PHP see:

• PHP Web Site: http://www.php.net/
• PHP as NSAPI installation instructions: http://www.php.net/manual/en/install.netscape-enterprise.php
• PHP as CGI installation instructions: http://www.php.net/manual/en/install.commandline.php

---

How to Report Problems

So that we can best assist you in resolving problems, please be sure to include the following information:

• Description of the problem, including the situation where the problem occurs and its impact on your operation
• Machine type, operating system version, and product version, including any patches and other software that might be affecting the problem
• Detailed steps on the methods you have used to reproduce the problem
• Any error logs or core dumps

You might also find it useful to subscribe to the following newsgroups:

snews://secnews.netscape.com
snews://secnews.netscape.server
snews://secnews.netscape.devs-server.technical
snews://secnews.netscape.devs.jsp
snews://secnews.netscape.security
snews://secnews.netscape.server.enterprise
snews://secnews.netscape.devs-nsapi
snews://secnews.netscape.devs-java

Use of Netscape Enterprise Server is subject to the terms described in the license agreement accompanying it.
Software applications: © 2001 Sun Microsystems,Inc. Some software code: © 1999, 2003 Netscape Communications Corporation. All rights reserved.

Netscape and the Netscape N logo are registered trademarks of Netscape Communications Corporation in the United States and other countries. Other Netscape logos, product names, and service names are also trademarks of Netscape Communications Corporation, which may be registered in other countries. Other product and brand names are the exclusive property of their respective owners.