These release notes contain important information available at the time of the Service Pack 5 release of Netscape Enterprise Server (NES) Version 6.1. New features and enhancements, installation notes, known problems, and other late-breaking issues are addressed here. Read this document before you begin using Enterprise Server.
Check the Enterprise Server Documentation Page prior to installing and setting up your software and then periodically thereafter to obtain the latest release notes and manuals.
These release notes contain the following sections:
These release notes describe changes made since Version 6.1. For information regarding changes made prior to this release, see also:
A bug exists in the Netscape Security Services (NSS) library in versions prior to NSS 3.7.7 (NES 6.1 SP3 uses NSS 3.7.3). This bug can cause the server to crash if presented with an unusual but otherwise legal client certificate when doing client authentication. For further details, see the NSS bug report at mozilla.org http://bugzilla.mozilla.org/show_bug.cgi?id=204555.
Users who have SSL enabled are strongly encouraged to upgrade.
Multiple LDAP servers may be defined for a database entry in server_root/userdb/dbswitch.conf. The servers are used in the order defined in that file. If the first server goes down or otherwise becomes unavailable NES will automatically switch to the next server in the list (if any). Once NES finds a working server it will continue to use this server until either NES is restarted or this LDAP server becomes unavailable.
There is a limit of 64 servers per database.
The following caveats exist:
- If one has multiple "default" databases and uses the admin interface under Global Settings -> Configure Directory Service then the 1st entry will be duplicated for each additional "default" database. So don't use the admin interface to manage this.
- This is not round-robin. Only one LDAP server for a database entry is used at a time.
- There is no way to force the server to connect to a particular LDAP server other than stopping the other LDAP servers in the list to force a rollover, or restarting NES.
- NES does not detect when an LDAP server becomes available again.
Here is a sample entry for dbswitch.conf for a database named ldapregular:
directory ldapregular ldap://dog.sample.com:389/o%3DSample
ldapregular:binddn uid=cn=Directory Manager
ldapregular:encoded bindpw YWRtaW4=
directory ldapregular ldap://cat.sample.com:3389/o%3DSample
ldapregular:binddn uid=cn=Directory Manager
ldapregular:encoded bindpw YWRtaW4=
In this example, the LDAP server dog.sample.com on port 389 will be the first LDAP server used for the ACL database ldapregular. If it becomes unavailable, then the LDAP server cat.sample.com on port 3389 will be tried. If this server is available, then it will be used for all authentication requests against the database ldapregular.
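An added example (not from the release notes or from the product's code): a Python audit of a dbswitch.conf that reports the failover order per database, enforces the 64-server limit, and flags bind passwords that are only base64-encoded or configured on a non-SSL ldap:// URL. The function names are hypothetical, the sample text is constructed from the entry above, and treating the `encoded` value as base64 is an assumption based on the sample value.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

MAX_SERVERS_PER_DB = 64  # limit stated in the release notes

# Constructed sample: the ldapregular entry from the text above.
SAMPLE_DBSWITCH = """\
directory ldapregular ldap://dog.sample.com:389/o%3DSample
ldapregular:binddn uid=cn=Directory Manager
ldapregular:encoded bindpw YWRtaW4=
directory ldapregular ldap://cat.sample.com:3389/o%3DSample
ldapregular:binddn uid=cn=Directory Manager
ldapregular:encoded bindpw YWRtaW4=
"""

DIRECTORY_RE = re.compile(r"^directory\s+(\S+)\s+(\S+)$")
PROPERTY_RE = re.compile(r"^(\S+?):(encoded\s+)?(\S+)\s+(.*)$")


def parse_dbswitch(text):
    """Return {database: [server, ...]}; list order is the failover order."""
    databases, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = DIRECTORY_RE.match(line)
        if m:
            name, url = m.groups()
            parts = urlparse(url)
            current = {"db": name, "scheme": parts.scheme, "host": parts.hostname,
                       "port": parts.port, "props": {}}
            databases.setdefault(name, []).append(current)
            continue
        m = PROPERTY_RE.match(line)
        # A property line belongs to the most recent directory line of that database.
        if m and current is not None and m.group(1) == current["db"]:
            current["props"][m.group(3)] = {"value": m.group(4),
                                            "encoded": m.group(2) is not None}
    return databases


def is_base64(value):
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def failover_order(databases, name):
    """Servers for one database, in the order NES will try them."""
    return [f"{s['host']}:{s['port']}" for s in databases.get(name, [])]


def audit(databases):
    findings = []
    for name, servers in databases.items():
        if len(servers) > MAX_SERVERS_PER_DB:
            findings.append(f"{name}: {len(servers)} servers, limit is {MAX_SERVERS_PER_DB}")
        for pos, srv in enumerate(servers, 1):
            where = f"{name} #{pos} ({srv['host']})"
            pw = srv["props"].get("bindpw")
            if pw is None:
                continue
            if pw["encoded"] and is_base64(pw["value"]):
                findings.append(f"{where}: bindpw is base64, not encrypted; restrict read access to the file")
            if srv["scheme"] == "ldap":
                findings.append(f"{where}: bind credentials configured on a non-SSL ldap:// URL")
    return findings


if __name__ == "__main__":
    dbs = parse_dbswitch(SAMPLE_DBSWITCH)
    print("failover order:", failover_order(dbs, "ldapregular"))
    for finding in audit(dbs):
        print("finding:", finding)
```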
The ssl-check directive in obj.conf is used to check the SSL secret-keysize. If the key size is found to be smaller than required, you can redirect the user to a static file using the bong-file parameter to ssl-check. A new parameter, url, is now available that can redirect the user to another site. Take care with the URL target: if it is on the same server with the same restrictions, the user will end up in a request loop.
A sample obj.conf entry might look like:
PathCheck fn="ssl-check" secret-keysize="128" url="http://anotherhost.sample.com/keysize.html"
This is a variant of the function shexp_match with the added capability to return the number of characters matched by the shell-like regular expression.
To use the IBM JRE 1.4 you first need to update server-root/https-admserv/config/start-jvm to read
NSES_JRE=IBM_JAVA_HOME/jre;export NSES_JRE
NSES_JRE_RUNTIME_LIBPATH=${NSES_JRE}/lib:${NSES_JRE}/bin:${NSES_JRE}/bin/classic;
export NSES_JRE_RUNTIME_LIBPATH
Where IBM_JAVA_HOME is the location where the IBM JRE was installed. For reference, assume that the JRE was installed into /opt/IBMJava2-14/:
NSES_JRE=/opt/IBMJava2-14/jre;export NSES_JRE
NSES_JRE_RUNTIME_LIBPATH=${NSES_JRE}/lib:${NSES_JRE}/bin:${NSES_JRE}/bin/classic;
export NSES_JRE_RUNTIME_LIBPATH
Next, add this to the end of jvm.option in jvm12.conf:
-Xbootclasspath:IBM_JAVA_HOME/jre/lib/core.jar:IBM_JAVA_HOME/jre/lib/server.jar:IBM_JAVA_HOME/jre/lib/charsets.jar:IBM_JAVA_HOME/jre/lib/security.jar:IBM_JAVA_HOME/jre/lib/xml.jar:IBM_JAVA_HOME/jre/lib/graphics.jar
The new magnus.conf directive DisableMethods can be used to disable HTTP methods that you choose not to process. Specify the methods you want to disable in a comma-separated list. For example, to disable the methods TRACE and OPTIONS, you would use:
DisableMethods TRACE,OPTIONS
No methods are disabled by default.
When you disable methods, error log messages similar to the following are generated:
[27/Jan/2003:09:38:33] info (14552): HTTP Method TRACE disabled.
[27/Jan/2003:09:40:08] info (14552): HTTP Method OPTIONS disabled.
NOTE: Methods that are part of the HTTP RFC (2068) should not be disabled lightly. If you disable these methods, your server will not be RFC-compliant, which could result in unexpected behavior from clients.
The new magnus.conf directive ACLCacheStrictPassword invalidates an ACL cache entry if a request contains an invalid password. This mechanism allows the LDAP policy to be invoked when unauthorized accesses are attempted.
The default setting is on.
See the Netscape Enterprise Server NSAPI Programmer's Guide for more information on tuning the ACL cache.
The magnus.conf directive NetWriteTimeout controls how long Enterprise Server should wait for a call to the net_write() function to complete. A valid value is an integer specifying the number of seconds to wait. The default value is 1800 (30 minutes).
Use the magnus.conf directive EnforceValidCerts to indicate how Enterprise Server should respond if the check of its certificate chain fails upon startup. The check verifies that:
When the check of the certificate chain fails upon startup:
The default setting is on.
The new magnus.conf directive ParentAcceptLanguage allows you to change how Enterprise Server checks the Accept-Language HTTP header for possible localized language versions.
When the server.xml attribute acceptlanguage is set to on, Enterprise Server parses the Accept-Language header and sends an appropriate language version based on which language the client can accept.
When the new magnus.conf directive ParentAcceptLanguage is set to off (or in previous versions), Enterprise Server takes the list from the Accept-Language header, sorts the list items, and for any items that contain a hyphen (for example, fr-ca, en-US) the parent/prefix language is added to the end of the list. For example, if the Accept-Language header is:
Accept-Language: fr-ca, de, en-US
the language list generated by Enterprise Server is:
fr_ca, de, en_US, fr, en
When ParentAcceptLanguage is set to on, Enterprise Server inserts the parent/prefix language into the language list after the associated hyphenated item. For example, if the Accept-Language header is:
Accept-Language: fr-ca, de, en-US
the language list generated by Enterprise Server is:
fr_ca, fr, de, en_US, en
The default setting is off.
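An added example (not from the release notes or from the product's code): a Python function that builds the language list for both ParentAcceptLanguage settings and reproduces the two orderings shown above. It assumes that "sorts the list items" means ordering by q-value with ties kept in header order, and that a language appears in the list only once; the function names are hypothetical.

```python
def ordered_tags(header):
    """Language tags from an Accept-Language header, highest q-value first.

    Assumption: the sort key is the q-value, with ties kept in header order;
    the release notes do not name the sort key.
    """
    value = header.split(":", 1)[1] if ":" in header else header
    ranked = []
    for position, item in enumerate(value.split(",")):
        fields = [field.strip() for field in item.split(";")]
        if not fields[0]:
            continue
        quality = 1.0
        for field in fields[1:]:
            if field.lower().startswith("q="):
                try:
                    quality = float(field[2:])
                except ValueError:
                    quality = 0.0
        ranked.append((-quality, position, fields[0]))
    return [tag for _, _, tag in sorted(ranked)]


def language_list(header, parent_accept_language=False):
    """Language list as described for ParentAcceptLanguage off (default) and on."""
    primary, deferred = [], []
    for tag in ordered_tags(header):
        primary.append(tag.replace("-", "_"))
        if "-" in tag:
            parent = tag.split("-", 1)[0]
            # on: parent directly after its hyphenated item; off: parents at the end
            (primary if parent_accept_language else deferred).append(parent)
    result = []
    for lang in primary + deferred:
        if lang not in result:  # assumption: a language is listed only once
            result.append(lang)
    return result


if __name__ == "__main__":
    header = "Accept-Language: fr-ca, de, en-US"
    print("off:", language_list(header))
    print("on: ", language_list(header, parent_accept_language=True))
```

With the setting off, a client that prefers fr-ca is offered de before fr; with it on, the parent language fr is tried immediately after fr_ca.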
Note that Enterprise Server still checks the value of the DefaultLanguage directive. DefaultLanguage specifies the default language for the server. The default language is used for both the client responses and administration. See the Netscape Enterprise Server NSAPI Programmer's Guide for details.
The new magnus.conf directive LDAPClientAuth is part of Enterprise Server's new support for LDAPS client authentication to ACLs. Previous versions of Enterprise Server supported only username/password authentication to the LDAP(S) database.
In order for client authentication to work, the instance's certificate database that holds the client certificate must be opened. It must be opened because Enterprise Server is initiating an SSL connection as a client in this case. The database can be opened because either:
The default setting is off.
If the database is not opened and someone tries to access the server, the connection to the LDAPS server fails with this message in the error log:
Client authentication bind failed: bad key or key password (89)
See "Importing the Client Certificate" for instructions on importing your client certificate into the certificate database of the server.
Importing the Client Certificate
To import your client certificate into the certificate database of the server, perform the following steps:
The client certificate must be authorized to connect to the remote secure LDAP server and exported into the PKCS#12 file format. (Most browsers export certificate files in the PKCS#12 format.) Merely installing the client certificate into the server's database is not sufficient. The private key is also necessary, because this certificate is used to initiate an SSL connection.
Use the pk12util utility to import the client certificate into the certificate database of the server. The pk12util utility is located in server_root/bin/https/admin/bin/. The following example assumes that you saved the PKCS#12 file in the cert.p12 file:
% cd server_root/alias
% pk12util -P https-instance_name-host_name- -d . -i cert.p12
Provide the database password and then the client certificate password when prompted to do so.
Provide the client certificate password, when prompted to do so.
Use the certutil utility to verify that the certificate was imported successfully. The certutil utility is located in server_root/bin/https/admin/bin.
% certutil -P https-instance_name-host_name- -L -d .
Server-Cert u,u,u
client_cert_CA CT,,
client_cert u,u,u
You can also use the Administration Console to verify that the certificate was imported successfully:
If you imported the client certificate successfully, it will be listed among the certificates displayed.
Once you have imported the client certificate, update the LDAPS server entry in dbswitch.conf to specify the nickname of the client certificate to use:
database:clauthnickname nickname
In the examples shown in step 5, the nickname of the client certificate is client_cert.
Once you have imported the client certificate and updated dbswitch.conf, set up certificate mapping in your LDAP server. See Certificate Mapping Considerations for additional information.
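An added example (not from the release notes or from the product's code): a Python check that every clauthnickname referenced in dbswitch.conf appears in the certutil -L listing with the u trust flag in the SSL column, which certutil reports when the private key is present in the key database. The listing is the one shown above; the ldapsecure database entry, its URL and the function names are constructed for illustration.

```python
import re

# Constructed inputs: the certutil -L listing shown above, and a dbswitch.conf
# fragment whose database name (ldapsecure) and URL are hypothetical.
CERTUTIL_LISTING = """\
Server-Cert u,u,u
client_cert_CA CT,,
client_cert u,u,u
"""
DBSWITCH = """\
directory ldapsecure ldaps://dog.sample.com:636/o%3DSample
ldapsecure:clauthnickname client_cert
"""

# nickname (may contain spaces), then the three comma-separated trust fields
TRUST_RE = re.compile(
    r"^(?P<nick>.*\S)\s+(?P<ssl>[A-Za-z]*),(?P<smime>[A-Za-z]*),(?P<obj>[A-Za-z]*)\s*$")
NICK_RE = re.compile(
    r"^(?P<db>\S+?):clauthnickname[ \t]+(?P<nick>.+?)[ \t]*$", re.MULTILINE)


def parse_listing(text):
    """Map certificate nickname -> (SSL, S/MIME, object-signing) trust flags."""
    certs = {}
    for line in text.splitlines():
        m = TRUST_RE.match(line.strip())
        if m:  # header and blank lines do not match and are skipped
            certs[m["nick"]] = (m["ssl"], m["smime"], m["obj"])
    return certs


def check_client_auth(listing_text, dbswitch_text):
    """Return a list of problems; an empty list means every nickname is usable."""
    certs = parse_listing(listing_text)
    problems = []
    for m in NICK_RE.finditer(dbswitch_text):
        db, nick = m["db"], m["nick"]
        if nick not in certs:
            problems.append(f"{db}: certificate '{nick}' is not in the certificate database")
        elif "u" not in certs[nick][0]:
            # Without the private key the server cannot initiate the SSL connection.
            problems.append(f"{db}: certificate '{nick}' has no private key (no u flag)")
    return problems


if __name__ == "__main__":
    issues = check_client_auth(CERTUTIL_LISTING, DBSWITCH)
    print("OK" if not issues else "\n".join(issues))
```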
Certificate Mapping Considerations
Set up certificate mapping in your LDAP server to map the client certificate to an entry in your LDAP server. This is separate from the client-authentication mapping performed by Enterprise Server. See the Netscape Directory Server documentation for details.
Note: If the certificate mapping is misconfigured, no errors appear at startup. However, when someone attempts to authenticate to the web server protected by this database, the following error appears:
Client authentication bind failed: client certificate mapping failed (49)
The optional flex-log parameter, %duration%, logs the amount of time in microseconds Enterprise Server spent executing a request. Statistics must be enabled for %duration% to work.
For information about other flex-log options, see Table 7-1 in the Netscape Enterprise Server NSAPI Programmer's Guide.
ForceReload controls the handling of files that have outlived the MaxAge value of the file cache.
The default setting is off.
Enterprise Server now checks the IP address and/or hostname of requests before prompting for a username and password. You can use the Administration Console to change the hostnames and IP addresses to allow:
See the Administration Console help for details.
Three new SAFs help you manipulate variables:
These SAFs are applicable in all stage directives. See the Netscape Enterprise Server NSAPI Programmer's Guide for details.
As of Version 6.1, Netscape Enterprise Server no longer supports JSP 0.9. If you have a previous version of Enterprise Server, edit the obj.conf file and remove the entire <Object>/</Object> entry for the object jsp092. (603854)
Using a JDK prior to 1.4 with Netscape Enterprise Server is not recommended or supported.
For each patch, use the listed revision or a higher revision. For example, if you need patch 111111-01, the later revision 111111-03 will also work.
Note that if you are using a JDK, you may need additional patches.
The following patch is required to run Enterprise Server 6.1 SP5 on Solaris 2.6: 105591-09
Note: You can determine if you have a patch by running the following command:
% showrev -p | grep 105591
Use the latest Solaris patches for Solaris 7.
Use the "Recommended Solaris Patch Cluster" for Solaris 8 plus the following patches: 108827-19, 109472-07, 109234-05
Note: You can determine if you have the patch by running the following command:
% showrev -p | grep patch_id
The following Solaris 2.6 patch is recommended when using the CC4.2 compiler: 104668-09.
You can find a list of patches for Java at:
http://www.hp.com/products1/unix/java/patches/index.html
and
http://www.hp.com/products1/unix/java/java2/sdkrte14/downloads/index.html
Windows 2000 Server SP1 or later is required for running Enterprise Server 6.1 SP5.
| Platform | JRE / JVM / JIT Version | Comments |
|---|---|---|
| Solaris 2.8 | Solaris VM (build Solaris_JDK_1.4.2) | Comment out the -Xrs flag in config/jvm12.conf to generate stack traces. For more details, see the section "Generating a Stack Trace for Debugging" in the Netscape Enterprise Server Installation and Migration Guide. For JVMPI-based profiling (such as hprof) or debugging purposes (such as attaching Solaris dbx), use the reference implementation downloadable from: |
| Windows NT 4.0 | Java version 1.4.0_00 HotSpot VM | |
| Windows 2000 | Java version 1.4.0_00 HotSpot VM | |
| HP-UX | Java version 1.4.1_05 HotSpot VM; JRE 1.4.1.05 Standard Edition (build 1.3.1.05-020425-12:07) Java HotSpot™ Server VM (build 1.2.1 1.3.1.05_20020425 PA2.0, mixed mode) | |
| RedHat Linux AS 2.1 | Java version 1.4.2 HotSpot VM | |
The following table summarizes the supported platforms for Enterprise Server 6.1 SP5. All platforms, except for Microsoft Windows 2000, require a minimum of 128 MB memory (256 MB recommended) and 150 MB disk space. Windows 2000 requires at least 512 MB of memory and 2GB of disk space to run Enterprise Server 6.1 SP5 successfully.
* Supported via binary compatibility.
** As of Enterprise Server 6.x, older SPARC CPUs are not supported. Enterprise Server 6.1 SP5 continues to support the UltraSPARC architecture.
If you are running an earlier version of this product, see the table below to determine how to upgrade to Netscape Enterprise Server 6.1 SP5.
| If you are running... | Then... |
|---|---|
| iPlanet™ Web Server 6.x | Install Netscape Enterprise Server 6.1 SP5 in the same server root. |
| iPlanet Web Server 4.x | Install Netscape Enterprise Server 6.1 SP5 in a different server root then migrate your data to the new server. |
| Netscape Enterprise Server 6.0 | Install Netscape Enterprise Server 6.1 SP5 in the same server root. |
| Netscape Enterprise Server 3.x or earlier | Install Netscape Enterprise Server 6.1 SP5 in a different server root. There is no migration path. |
See the Netscape Enterprise Server Installation and Migration Guide for details.
Server finds old certificate after certificate renewal (623481). The algorithm for certificate selection was modified to pick the most recent, valid certificate that matches the certificate nickname provided. So if a certificate is renewed and the new one is installed before the original one expires, the newest one will always be selected for use by the server.
htaccess causes the server to crash with more than 50 entries (623728)
Fixed problem on Windows 2000 where migrating would print '..' is not recognized as an internal or external command. (623829)
A new DTD header is installed into web-apps.xml when upgrading. (623851)
In certain cases Web Publishing directives could be left in obj.conf. Since this is no longer supported the server would fail to process requests. These directives are now properly removed when migrating. (624008)
Some paths to NSAPI shared libraries were not being migrated properly. (624019)
During migration, the location of the access log is moved to server.xml and magnus.conf contains a pointer to $accesslog. (624027)
The evaluation of MIME extensions could pick the wrong type. (622722)
Made JVM configuration screen easier to use and understand. (546764)
Allow entry of URI and URL for Custom Error Responses. It will look like this in obj.conf (549992, 603161):
URL: Error fn="send-error" reason="Not Found" url="http://www.aol.com/images/notfound.gif"
URI: Error fn="send-error" reason="Server Error" uri="/errors/server_error.html"
Using Preferences->Server Settings to change the user the admin server runs as from root to a non-root account would leave the admin server non-functional. This is because most of the directories and configuration files that need to be managed by the admin server would still be owned by root. The following files/directories are modified when this setting is selected: (603872)
Removed the requirement that a URL be present when doing remote CRL management. (604111)
Details of certificates containing a '#' key can now be viewed. (614977)
Upgrade NSS to NSS 3.7.7 to fix client authentication crash bug. (622746)
Uninstaller now removes everything except https-*, alias, httpacl and userdb. (620208)
ACLs weren't created properly for protected resources defined in a web application deployed in the server root. (619765)
Opened jar files are now cached, which speeds up servlet loading significantly. (613460)
A certificate with no nickname will appear as "Invalid nickname" in the Edit Listen Sockets administration screen. (614669)
Fix timing attack on CBC mode block ciphers. (617429)
Improve server stability when performing SSL client authentication over an unsecure LDAP connection. (617430)
Certificates with the same nickname but different key usages will now work properly. (619052)
Non-numeric values are not allowed in File Cache Configuration. (620246)
When creating a new server, if the user to run the server as is not provided, after the error dialog box is closed the administration screen re-displays the Add Server page (620287)
A default Virtual Server will be selected on the Add Listen Socket page. It used to be possible to attempt to create a Listen Socket without associating it with a Virtual Server which resulted in an error. (620358)
Spaces are properly handled in the SNMP Community Name. (620420)
Fix crash when configuring Directory Service that used SSL. (620429)
Only digits and alphanumeric characters are allowed as Cluster variable names. (620552)
Migration error messages are more meaningful when trying to migrate a non-existent or invalid server. (620721)
Fixed Help button in Cluster Management. (620726)
Restrict valid characters in Mime Types filename. (620726)
Migration script fails on Unix - Unable to migrate from earlier versions of iPlanet™ Web Server (605334)
When the <Client> tag is in obj.conf and the server is migrated with the Convert Virtual Server option selected, the docroot disappears (607750)
<Client> migration is not functional unless Search is enabled (605337)
docroot substitutions in migrated Client configuration incorrectly changed (606377)
Default document-root gets lost in server.xml when migrating HVS from 4.x (607806)
Errors in migration from iWS 6.0 to ES 6.1 (603133)
Administration does not work after 6.0 to 6.1 migration (606055)
Search page still exists after migration (607212)
Errors when upgrading iws60 on Windows 2000 (607680)
Upgrade was not allowed on NES 6.0 (607888)
Error messages during migration on Windows 2000 (604321)
uninst.exe cannot be executed to uninstall Enterprise Server on Windows 2000 (606276)
NullPointerException generated at startup in Enterprise Server 6.1 when web.xml does not point to the Version 2.3 DTD (605075)
The -i option is prevented from working by start script (604085)
Printing JVM startup options via LogVerbose (606194)
Support for multiple jvm.option lines in jvm12.conf (606928)
Problems linking NSAPI plugins using "stat()" on Linux (604582)
JVM option -client is ignored by Enterprise Server (606227)
Chunked Encoding breaks CGI in odd ways (605395)
Server attempts to contact sun.com for Servlet 2.3 DTD (607044)
Java application cannot be deployed with wdeploy command (606764)
HttpUtils.getRequestURL() and getServerName() return incorrect results (601075)
PKCS#7 cert chain import fails - certificates must be imported one at a time (606060)
NES 6.1 SP1 should use NSS 3.4.2 (606287)
Multiple sessionIDs still being appended in 4.1sp9 (558419)
LDAP SDK 5.10 (606453)
The Mozilla web browser (upon which Netscape 7.x is based) has problems with browsing history in Frames. This has been resolved in newer builds of the browser.
Some Netscape and SunONE/iPlanet servers install libraries into the System32 directory. This can cause Enterprise Server to function incorrectly. It is not recommended that multiple Netscape, SunONE, or iPlanet servers be installed on a single Windows host.
When including servlet output in SHTML documents, use the <servlet...> method instead of the #include method. Using #include can lead to unexpected results from the servlet(s).
When the installer is started on Windows 2000, a message reports erroneously that there is not enough space on the hard disk to extract the package, even though adequate space may be available.
A problem with the variable SSLClientAuthTimeout causes NSS to use an inappropriate timeout interval. To work around this problem, set the magnus.conf directive AcceptTimeout to 3600 seconds.
When a web application is deployed to a Windows NT/2000 directory with spaces in its name, a "Bad Request" error message can result.
In order to use distributed administration, you must use LDAP, not LDAP over SSL.
Due to a lack of a PKCS#11 driver, Rainbow SSL hardware accelerators do not work with Enterprise Server 6.1 SP5.
When a virtual server is defined under a user-created class and access control is disabled, a server error page displays when a user's browser attempts to access the virtual server.
To work around this problem, always leave Access Control ON under Restrict Access.
If the environment variables SHLIB_PATH or LD_LIBRARY_PATH are set to something other than what is set in the Enterprise Server start script, unpredictable behavior can result (including being unable to start Enterprise Server at all).
If Enterprise Server fails to start and logs an error indicating a dlopen failure and/or undefined symbol errors, check to see if these environment variables have been incorrectly set. You may choose to explicitly unset these environment variables in the start script.
If CGI code returns a location header but does not set a status header and if the location header is not a URL, lost data (including path-info) can generate what appears to be a PathCheck problem but is not.
To work around this problem, have the CGI that is returning the internal redirect append $PATH_INFO to Location before returning.
Enterprise Server 6.1 SP5 supports Optimizeit 4.x. The instructions for enabling remote profiling with Optimizeit have been updated. See the Netscape Enterprise Server Programmer's Guide to Servlets for details.
j2sdk_home/bin;j2sdk_home/jre/bin/server;j2sdk_home/jre/bin/server
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q257592
j2sdk_home/bin;j2sdk_home/jre/bin/server;j2sdk_home/jre/bin/server
Note: References in the Enterprise Server 6.1 documentation to cert7.db should now be interpreted to mean cert7.db (if migrated), cert8.db, or both.
For more information see http://www.mozilla.org/
Netscape Enterprise Server documentation includes the following manuals, which are available online in HTML and PDF format:
Netscape Enterprise Server does not directly support the PHP scripting language. Support for the PHP scripting language can be added to Enterprise Server through two APIs supported by the PHP development team: CGI and NSAPI. For performance and scalability reasons, Netscape recommends that users interested in PHP use the NSAPI implementation.
For more information on PHP see:
So that we can best assist you in resolving problems, please be sure to include the following information:
You might also find it useful to subscribe to the following newsgroups:
snews://secnews.netscape.com
snews://secnews.netscape.server
snews://secnews.netscape.devs-server.technical
snews://secnews.netscape.devs.jsp
snews://secnews.netscape.security
snews://secnews.netscape.server.enterprise
snews://secnews.netscape.devs-nsapi
snews://secnews.netscape.devs-java
Use of Netscape Enterprise Server is subject to the terms described in the license agreement accompanying it.
Software applications: © 2001 Sun Microsystems, Inc. Some software code: © 1999, 2003 Netscape Communications Corporation. All rights reserved.
Netscape and the Netscape N logo are registered trademarks of Netscape Communications Corporation in the United States and other countries. Other Netscape logos, product names, and service names are also trademarks of Netscape Communications Corporation, which may be registered in other countries. Other product and brand names are the exclusive property of their respective owners.