Red Hat Netscape Enterprise Server User Manual

Administrator’s Guide
Netscape Enterprise Server
Version 6.1
August 2002
Netscape Communications Corporation ("Netscape") and its licensors retain all ownership rights to the software programs offered by Netscape (referred to herein as "Software") and related documentation. Use of the Software and related documentation is governed by the license agreement for the Software and applicable copyright law.
Your right to copy this documentation is limited by copyright law. Making unauthorized copies, adaptations or compilation works is prohibited and constitutes a punishable violation of the law. Netscape may revise this documentation from time to time without notice.
THIS DOCUMENTATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN NO EVENT SHALL NETSCAPE BE LIABLE FOR INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND ARISING FROM ANY ERROR IN THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION ANY LOSS OR INTERRUPTION OF BUSINESS, PROFITS, USE, OR DATA.
The Software and documentation are copyright © 2001 Sun Microsystems, Inc. Portions copyright 1999, 2002 Netscape Communications Corporation. All rights reserved.
This product includes software developed by Apache Software Foundation (http://www.apache.org/). Copyright (c) 1999 The Apache Software Foundation. All rights reserved.
This product includes software developed by the University of California, Berkeley and its contributors. Copyright (c) 1990, 1993, 1994 The Regents of the University of California. All rights reserved.
Netscape and the Netscape N logo are registered trademarks of Netscape Communications Corporation in the United States and other countries. Other Netscape logos, product names and service names are also trademarks of Netscape and may be registered in some countries. Sun, Sun Microsystems, and the Sun logo, iPlanet, and the iPlanet logo are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. Other product and brand names are trademarks of their respective owners.
The downloading, exporting, or reexporting of Netscape software or any underlying information or technology must be in full compliance with all United States and other applicable laws and regulations. Any provision of Netscape software or documentation to the U.S. government is with restricted rights as described in the license agreement for that Software.
Contents
About This Guide ... 17
  What's In This Guide? ... 17
  How This Guide Is Organized ... 18
    Part I: Server Basics ... 18
    Part II: Using the Administration Server ... 18
    Part III: Configuring, Monitoring, and Performance Tuning ... 19
    Part IV: Managing Virtual Servers and Services ... 19
    Part V: Appendices ... 20
  Conventions Used In This Guide ... 20
  Using the Enterprise Server Documentation ... 21
Part 1 Server Basics ... 23
Chapter 1 Introduction to Enterprise Server ... 25
  Enterprise Server ... 25
    Enterprise Server Features ... 26
    Administering and Managing Enterprise Servers ... 27
  Enterprise Server Architecture ... 27
    Content Engines ... 28
    Server Extensions ... 28
    Runtime Environments ... 29
    Application Services ... 29
  Enterprise Server Configuration ... 29
    Enterprise Server Component Options ... 30
    Enterprise Server Configuration Files ... 30
    Dynamic Reconfiguration ... 31
    Single-Server Configuration ... 32
      All Platforms ... 32
3
      UNIX and Linux Platforms ... 35
    Virtual Server Configuration ... 35
    Multiple-Server Configuration ... 36
  Administration Server ... 36
  Server Manager ... 37
    Using the Resource Picker ... 38
    Wildcards Used in the Resource Picker ... 38
  Class Manager ... 39
  Virtual Server Manager ... 39
Chapter 2 Administering Enterprise Servers ... 41
  Accessing the Administration Server ... 41
    UNIX/Linux Platforms ... 41
    Windows NT/Windows 2000 Platforms ... 42
  Running Multiple Servers ... 43
    Virtual Servers ... 43
    Installing Multiple Instances of the Server ... 43
  Removing a Server ... 44
  Migrating a Server ... 45
Part 2 Using the Administration Server ... 47
Chapter 3 Setting Administration Preferences ... 49
  Shutting Down the Enterprise Server Administration Server ... 49
  Editing Listen Socket Settings ... 50
  Changing the User Account (UNIX/Linux) ... 50
  Changing the Superuser Settings ... 51
  Allowing Multiple Administrators ... 52
  Specifying Log File Options ... 54
    Viewing Log Files ... 54
      The Access Log File ... 54
      The Error Log File ... 55
    Archiving Log Files ... 55
      Using Cron-based Log Rotation (UNIX/Linux) ... 55
  Configuring Directory Services ... 56
  Restricting Server Access ... 56
  Configuring JRE/JDK Paths ... 57
Chapter 4 Managing Users and Groups ... 59
  Using Directory Services to Manage Users and Groups ... 59
    Understanding Distinguished Names (DNs) ... 60
4 Netscape Enterprise Server Administrator’s Guide • August 2002
    Using LDIF ... 61
  Creating Users ... 61
    Guidelines for Creating User Entries ... 61
    How to Create a New User Entry ... 62
    Directory Server User Entries ... 63
  Managing Users ... 64
    Finding User Information ... 64
      Building Custom Search Queries ... 65
    Editing User Information ... 67
    Managing a User's Password ... 68
    Managing User Licenses ... 68
    Renaming Users ... 69
    Removing Users ... 70
  Creating Groups ... 70
    Static Groups ... 71
      Guidelines for Creating Static Groups ... 71
      To Create a Static Group ... 71
    Dynamic Groups ... 72
      How Enterprise Server Implements Dynamic Groups ... 72
      Groups Can Be Static and Dynamic ... 73
      Dynamic Group Impact on Server Performance ... 73
      Guidelines for Creating Dynamic Groups ... 73
      To Create a Dynamic Group ... 75
  Managing Groups ... 75
    Finding Group Entries ... 76
      The “Find all groups whose” Field ... 76
    Editing Group Attributes ... 77
    Adding Group Members ... 77
    Adding Groups to the Group Members List ... 78
    Removing Entries from the Group Members List ... 79
    Managing Owners ... 79
    Managing See Alsos ... 79
    Removing Groups ... 80
    Renaming Groups ... 81
  Creating Organizational Units ... 81
  Managing Organizational Units ... 82
    Finding Organizational Units ... 82
      The “Find all units whose” Field ... 83
    Editing Organizational Unit Attributes ... 83
    Renaming Organizational Units ... 84
    Deleting Organizational Units ... 84
  Managing a Preferred Language List ... 85
Chapter 5 Securing Your Enterprise Server ... 87
  Requiring Authentication ... 88
    Using Certificates for Authentication ... 88
      Server Authentication ... 88
      Client Authentication ... 88
      Virtual Server Certificates ... 89
  Creating a Trust Database ... 89
      Creating a Trust Database ... 89
    Using password.conf ... 90
      Start an SSL-enabled Server Automatically ... 91
  Requesting and Installing a VeriSign Certificate ... 91
    Requesting a VeriSign Certificate ... 91
    Installing a VeriSign Certificate ... 92
  Requesting and Installing Other Server Certificates ... 92
    Required CA Information ... 93
    Requesting Other Server Certificates ... 94
    Installing Other Server Certificates ... 96
      Installing a Certificate ... 97
  Migrating Certificates When You Upgrade ... 98
      Migrating a Certificate ... 98
    Using the Built-in Root Certificate Module ... 99
  Managing Certificates ... 100
  Installing and Managing CRLs and CKLs ... 101
      Installing a Local CRL or CKL ... 101
    Managing Local CRLs and CKLs ... 102
  Configuring Remote CRLs ... 103
    Configuring Automatic/Remote CRL Downloads ... 103
      Reducing the SSL3/TLS Session Cache Timeout ... 106
  Setting Security Preferences ... 107
    SSL and TLS Protocols ... 108
    Using SSL to Communicate with LDAP ... 108
    Enabling Security for Connection Groups ... 109
      Turning Security On ... 109
      Selecting a Server Certificate for a Connection Group ... 110
      Selecting Ciphers ... 111
    Configuring Security Globally ... 113
      SSL Session Timeout ... 114
      SSL Cache Entries ... 114
      SSL3 Session Timeout ... 114
  Using External Encryption Modules ... 114
    Installing the PKCS#11 Module ... 115
      Using modutil to Install a PKCS#11 Module ... 115
      Using pk12util ... 116
      Selecting the Certificate Name for a Connection Group ... 118
    FIPS-140 Standard ... 119
  Setting Client Security Requirements ... 120
    Requiring Client Authentication ... 121
      To Require Client Authentication ... 122
    Mapping Client Certificates to LDAP ... 122
    Using the certmap.conf File ... 124
      Creating Custom Properties ... 127
      Sample Mappings ... 127
  Setting Stronger Ciphers ... 129
  Considering Additional Security Issues ... 130
    Limit Physical Access ... 131
    Limit Administration Access ... 131
    Choosing Passwords ... 131
      Creating Hard-to-Crack Passwords ... 132
    Changing Passwords or PINs ... 132
      Changing Passwords ... 132
    Limiting Other Applications on the Server ... 133
      UNIX/Linux ... 133
      Windows NT/Windows 2000 ... 134
    Preventing Clients from Caching SSL Files ... 134
    Limiting Ports ... 134
    Knowing Your Server's Limits ... 134
    Making Additional Changes to Protect Servers ... 135
      Specifying chroot for a Virtual Server Class CGIs (UNIX/Linux Only) ... 136
      Specifying chroot for a Virtual Server CGIs (UNIX/Linux only) ... 136
Chapter 6 Managing Server Clusters ... 139
  About Clusters ... 139
  Guidelines for Using Server Clusters ... 140
  Setting Up a Cluster ... 141
  Adding a Server to a Cluster ... 142
  Modifying Server Information ... 143
  Removing Servers from a Cluster ... 144
  Controlling Server Clusters ... 144
  Adding Variables ... 145
Part 3 Configuring, Monitoring, and Performance Tuning ... 147
Chapter 7 Configuring Server Preferences ... 149
  Starting and Stopping the Server ... 149
    Accessing stdout() and stderr() Messages (UNIX/Linux) ... 150
    Setting the Termination Timeout ... 151
    Restarting the Server (UNIX/Linux) ... 151
      Restarting With Inittab (UNIX/Linux) ... 152
      Restarting With the System RC Scripts (UNIX/Linux) ... 152
      Restarting the Server Manually (UNIX/Linux) ... 152
      Stopping the Server Manually (UNIX/Linux) ... 152
    Restarting the Server (Windows NT/Windows 2000) ... 153
      Using the Automatic Restart Utility (Windows NT/Windows 2000) ... 153
  Tuning Your Server for Performance ... 155
  Editing the magnus.conf File ... 155
  Adding and Editing Listen Sockets ... 156
  Choosing MIME Types ... 156
  Restricting Access ... 157
  Restoring Configuration Settings ... 157
  Configuring the File Cache ... 158
  Adding and Using Thread Pools ... 158
    The Native Thread Pool and Generic Thread Pools (Windows NT/Windows 2000) ... 158
    Thread Pools (UNIX/Linux) ... 159
    Editing Thread Pools ... 159
    Using Thread Pools ... 159
Chapter 8 Controlling Access to Your Server ... 161
  What Is Access Control? ... 161
    Setting Access Control for User-Group ... 162
      Default Authentication ... 163
      Basic Authentication ... 163
      SSL Authentication ... 164
      Digest Authentication ... 165
      Using Other LDAP Attributes for Authentication ... 168
      Other Authentication ... 169
    Setting Access Control for Host-IP ... 169
    Using Access Control Files ... 170
    Configuring the ACL User Cache ... 170
  How Access Control Works ... 171
  Setting Access Control ... 173
    Setting Access Control Globally ... 174
    Setting Access Control for a Server Instance ... 177
  Selecting Access Control Options ... 182
    Setting the Action ... 182
    Specifying Users and Groups ... 182
    Specifying the From Host ... 184
    Restricting Access to Programs ... 185
    Setting Access Rights ... 186
    Writing Customized Expressions ... 187
    Turning Off Access Control ... 187
    Responding When Access is Denied ... 188
  Limiting Access to Areas of Your Server ... 188
    Restricting Access to the Entire Server ... 189
    Restricting Access to a Directory (Path) ... 190
    Restricting Access to a URI (Path) ... 191
    Restricting Access to a File Type ... 191
    Restricting Access Based on Time of Day ... 192
    Restricting Access Based on Security ... 193
  Working with Dynamic Access Control Files ... 194
    Using .htaccess Files ... 194
      Enabling .htaccess from the User Interface ... 195
      Enabling .htaccess from magnus.conf ... 196
      Converting Existing .nsconfig Files to .htaccess Files ... 197
        Using htaccess-register ... 198
      Example of an .htaccess File ... 199
    Supported .htaccess Directives ... 199
      allow ... 199
      deny ... 200
      AuthGroupFile ... 200
      AuthUserFile ... 200
      AuthName ... 201
      AuthType ... 201
      <Limit> ... 201
      <LimitExcept> ... 202
      order ... 202
      require ... 203
    .htaccess Security Considerations ... 203
  Controlling Access for Virtual Servers ... 203
    Accessing Databases from Virtual Servers ... 204
      Specifying LDAP Databases in the User Interface ... 205
    Editing Access Control Lists for Virtual Servers ... 205
Chapter 9 Using Log Files ... 207
  About Log Files ... 207
  Viewing an Access Log File ... 208
  Viewing the Error Log File ... 209
  Archiving Log Files ... 210
    Internal-daemon Log Rotation ... 211
    Cron-based Log Rotation ... 211
  Setting Log Preferences ... 212
    Cookie Logging ... 213
  Running the Log Analyzer ... 214
  Viewing Events (Windows NT/Windows 2000) ... 216
Chapter 10 Monitoring Servers ... 217
  Monitoring the Server Using Statistics ... 218
    Enabling Statistics ... 218
    Using Statistics ... 219
  Using Quality of Service ... 220
    Quality of Service Example ... 220
    Setting Up Quality of Service ... 221
    Required Changes to obj.conf ... 223
    Known Limitations to Quality of Service ... 223
  SNMP Basics ... 225
  The Enterprise Server MIB ... 226
  Setting Up SNMP ... 231
  Using a Proxy SNMP Agent (UNIX/Linux) ... 232
    Installing the Proxy SNMP Agent ... 233
    Starting the Proxy SNMP Agent ... 234
    Restarting the Native SNMP Daemon ... 234
  Installing the SNMP Master Agent ... 234
  Enabling and Starting the SNMP Master Agent ... 235
    Starting the Master Agent on Another Port ... 236
    Manually Configuring the SNMP Master Agent ... 236
    Editing the Master Agent CONFIG File ... 237
    Defining sysContact and sysLocation Variables ... 237
    Configuring the SNMP Subagent ... 238
    Starting the SNMP Master Agent ... 238
      Manually Starting the SNMP Master Agent ... 238
      Starting the SNMP Master Agent Using the Administration Server ... 239
  Configuring the SNMP Master Agent ... 239
    Configuring the Community String ... 240
    Configuring Trap Destinations ... 240
  Enabling the Subagent ... 240
  Understanding SNMP Messages ... 241
Part 4 Managing Virtual Servers and Services ... 243
Chapter 11 Using Virtual Servers ... 245
  Virtual Servers Overview ... 245
    Multiple Server Instances ... 246
    Virtual Server Classes ... 247
      The obj.conf File ... 247
      Virtual Servers in a Class ... 248
      The Default Class ... 248
    Listen Sockets ... 248
    Connection Groups ... 249
    Virtual Servers ... 249
      Types of Virtual Servers ... 250
      IP-Address-Based Virtual Servers ... 250
      URL-Host-Based Virtual Servers ... 251
      Default Virtual Server ... 251
    Virtual Server Selection for Request Processing ... 252
    Document Root ... 253
    Log Files ... 253
    Migrating Virtual Servers from a Previous Release ... 254
  Using Enterprise Server Features with Virtual Servers ... 254
    Using SSL with Virtual Servers ... 254
    Using Access Control with Virtual Servers ... 255
    Using CGIs with Virtual Servers ... 255
    Using Configuration Styles with Virtual Servers ... 255
  Using the Virtual Server User Interface ... 256
    The Class Manager ... 256
    The Virtual Server Manager ... 256
    Using Variables ... 257
    Dynamic Reconfiguration ... 257
  Setting Up Virtual Servers ... 258
    Creating a Listen Socket ... 258
    Creating a Connection Group ... 259
    Creating a Virtual Server Class ... 260
    Editing or Deleting a Virtual Server Class ... 260
    Specifying Services Associated with a Virtual Server Class ... 261
    Creating a Virtual Server ... 261
    Specifying Settings Associated with a Virtual Server ... 261
  Allowing Users to Monitor Individual Virtual Servers ... 261
    Access Control ... 264
    Log Files ... 264
  Deploying Virtual Servers ... 265
    Example 1: Default Configuration ... 265
    Example 2: Secure Server ... 267
    Example 3: Intranet Hosting ... 268
    Example 4: Mass Hosting ... 271
Chapter 12 Creating and Configuring Virtual Servers ... 273
Creating a Virtual Server ... 273
Editing Virtual Server Settings ... 274
Editing Using the Virtual Server Manager ... 274
Generating Reports for a Virtual Server ... 275
Editing Using the Class Manager ... 277
Editing Virtual Server Settings ... 277
Configuring Virtual Server MIME Settings ... 278
Configuring Virtual Server ACL Settings ... 278
Configuring Virtual Server Security ... 278
Configuring Virtual Server Quality of Service Settings ... 279
Configuring Virtual Server Log Settings ... 280
Configuring Virtual Server Java Web Application Settings ... 281
Deleting a Virtual Server ... 281
Chapter 13 Extending Your Server With Programs ... 283
Overview of Server-Side Programs ... 283
Types of Server-Side Applications That Run on the Server ... 284
How Server-Side Applications Are Installed on the Server ... 284
Java Servlets and JavaServer Pages (JSP) ... 284
Overview of Servlets and JavaServer Pages ... 285
What the Server Needs to Run Servlets and JSPs ... 286
Working with Web Applications ... 287
Using the web-apps.xml File ... 287
Deploying Web Applications Using wdeploy ... 287
Deploying and Editing Web Applications with the User Interface ... 290
Deploying Servlets and JSPs Not in Web Applications ... 292
Configuring JVM Attributes ... 292
Deleting Version Files ... 292
Installing CGI Programs ... 293
Overview of CGI ... 294
Specifying a CGI Directory ... 296
Configuring Unique CGI Attributes for Each Software Virtual Server ... 296
Specifying CGI as a File Type ... 297
Downloading Executable Files ... 297
Installing Windows NT/Windows 2000 CGI Programs ... 298
Overview of Windows NT/Windows 2000 CGI Programs ... 298
Specifying a Windows NT/Windows 2000 CGI Directory ... 299
Specifying Windows NT/Windows 2000 CGI as a File Type ... 301
Installing Shell CGI Programs for Windows NT/Windows 2000 ... 301
Overview of Shell CGI Programs for Windows NT/Windows 2000 ... 302
Specifying a Shell CGI Directory (Windows NT/Windows 2000) ... 302
Specifying Shell CGI as a File Type (Windows NT/Windows 2000) ... 303
12 Netscape Enterprise Server Administrator’s Guide • August 2002
Using the Query Handler ... 304
Chapter 14 Content Management ... 307
Setting the Primary Document Directory ... 308
Setting Additional Document Directories ... 309
Customizing User Public Information Directories (UNIX/Linux) ... 310
Restricting Content Publication ... 311
Loading the Entire Password File on Startup ... 311
Using Configuration Styles ... 312
Enabling Remote File Manipulation ... 312
Configuring Document Preferences ... 312
Setting the Document Preferences ... 313
Entering an Index Filename ... 313
Selecting Directory Indexing ... 313
Specifying a Server Home Page ... 314
Specifying a Default MIME Type ... 314
Parsing the Accept Language Header ... 315
Configuring URL Forwarding ... 315
Customizing Error Responses ... 316
Changing the Character Set ... 317
Setting the Document Footer ... 318
Using .htaccess ... 319
Restricting Symbolic Links (UNIX/Linux) ... 319
Setting up Server-Parsed HTML ... 320
Setting Cache Control Directives ... 321
Using Stronger Ciphers ... 321
Chapter 15 Applying Configuration Styles ... 323
Creating a Configuration Style ... 323
Assigning a Configuration Style ... 325
Listing Configuration Style Assignments ... 326
Editing a Configuration Style ... 326
Removing a Configuration Style ... 327
Part 5 Appendices ... 329
Appendix A Command Line Utilities ... 331
Formatting LDIF Entries ... 331
Modifying Database Entries Using ldapmodify ... 331
HttpServerAdmin (Virtual Server Administration) ... 332
HttpServerAdmin Syntax ... 332
control Command ... 333
Options ... 333
Syntax ... 334
Parameters ... 334
Examples ... 334
create Command ... 334
Options ... 335
Create Virtual Server Class ... 335
Create Connection Group ... 336
Create Listen Socket ... 336
Create Virtual Server ... 337
delete Command ... 339
Options ... 339
Delete Class ... 339
Delete Connection Group ... 340
Delete Listen Socket ... 340
Delete Virtual Server ... 341
list Command ... 341
Syntax ... 341
Options ... 342
Example ... 342
Appendix B HyperText Transfer Protocol ... 343
About HyperText Transfer Protocol (HTTP) ... 343
Requests ... 344
Request Method ... 344
Request Header ... 345
Request Data ... 345
Responses ... 345
Status Code ... 346
Response Header ... 347
Response Data ... 347
Appendix C ACL File Syntax ... 349
ACL File Syntax ... 349
Authentication Methods ... 350
Authorization Statements ... 351
Hierarchy of Authorization Statements ... 352
Attribute Expressions ... 353
Operators For Expressions ... 354
The Default ACL File ... 355
General Syntax Items ... 355
Referencing ACLs in obj.conf ... 355
Appendix D International Content Support ... 357
Entering UTF-8 Data ... 357
File or Directory Names ... 357
LDAP Users and Groups ... 357
Using the Accept-language Header ... 357
Servlet Internationalization ... 358
auto ... 359
none ... 360
any valid encoding ... 360
Posting to JSPs ... 360
Glossary ... 363
Index ... 375

About This Guide

This guide describes how to configure and administer Netscape® Enterprise Server, Version 6.1. It is intended for information technology administrators in the corporate enterprise who want to extend client-server applications to a broader audience through the World Wide Web.
This preface includes the following sections:
• What’s In This Guide?
• How This Guide Is Organized
• Conventions Used In This Guide
• Using the Enterprise Server Documentation

What’s In This Guide?

This guide explains how to configure and administer the Enterprise Server. After configuring your server, use this guide to help maintain your server.
After you install the server, this guide is available in HTML format at manual/https/ag in your server root directory. By default, the server root directory is C:\Netscape\Server6\ or /usr/netscape/server6.

How This Guide Is Organized

This guide is divided into five parts, plus a glossary, and a comprehensive index. If you are new to Netscape Enterprise Server 6.1, begin with Part I, “Server Basics” for an overview of the product. If you are already familiar with this version of Enterprise Server, skim the material in Part I, “Server Basics” before going on to Part II, “Using the Administration Server.”
Once you are familiar with the fundamentals of using the Administration Server, you can refer to Part III, “Configuring, Monitoring, and Performance Tuning,” which includes examples of how to configure and monitor your Enterprise Servers. Part IV, “Managing Virtual Servers and Services” provides information for using programs and configuration styles.
Finally, Appendices address specific reference topics that describe the various topics, including: HyperText Transfer Protocol (HTTP), server configuration files, ACL files, internationalization issues, server extensions, and the Netscape Enterprise Server user interface reference, which you may want to review. Note that the user interface appendix is available in the online version only.

Part I: Server Basics

This part provides an overview of the Enterprise Server. The following chapters are included:
• Chapter 1, “Introduction to Enterprise Server” provides an overview of Enterprise Server.
• Chapter 2, “Administering Enterprise Servers” describes how to manage your Enterprise Server with the Administration Server.

Part II: Using the Administration Server

This part provides conceptual and procedural details about using the Administration Server to administer your Enterprise Servers. The following chapters are included:
• Chapter 3, “Setting Administration Preferences” describes how to use the Administration Server Preferences and Global Settings forms to configure your Enterprise Servers.
• Chapter 4, “Managing Users and Groups” describes how to use the Administration Server Users and Groups forms to configure your Enterprise Servers.
• Chapter 5, “Securing Your Enterprise Server” describes how to configure your Enterprise Server security. Note that before reading this chapter you should be familiar with the basic concepts of public-key cryptography and the SSL protocol. These concepts include encryption and decryption; keys; digital certificates and signatures; CRLs and CKLs; and SSL encryption, ciphers, and the major steps of the SSL handshake.
• Chapter 6, “Managing Server Clusters” describes the concept of clustering servers and explains how you can use them to share configurations among servers.

Part III: Configuring, Monitoring, and Performance Tuning

This part includes examples of how to use the Server Manager to configure and monitor your Enterprise Servers. The following chapters are included:
• Chapter 7, “Configuring Server Preferences” describes how to configure server preferences for your Enterprise Server.
• Chapter 8, “Controlling Access to Your Server” describes how to specify who can access parts of your server.
• Chapter 9, “Using Log Files” describes how to monitor your Enterprise Server using the HyperText Transfer Protocol (HTTP), by recording and viewing log files, or by using the performance monitoring tools provided with your operating system.
• Chapter 10, “Monitoring Servers” describes how to monitor your Enterprise Server using SNMP (Simple Network Management Protocol).
• Chapter 11, “Tuning Your Server for Performance” refers you to the Netscape Enterprise Server Performance Tuning, Sizing, and Scaling Guide.

Part IV: Managing Virtual Servers and Services

This part provides information for using the Server Manager to work with programs and configuration styles. The following chapters are included:

• Chapter 11, “Using Virtual Servers” describes how to set up and administer virtual servers using your Enterprise Server.
• Chapter 12, “Creating and Configuring Virtual Servers” describes how you can create and configure individual virtual servers.
• Chapter 13, “Extending Your Server With Programs” describes how to install Java™ applets, CGI programs, and other plug-ins on to your server.
• Chapter 14, “Content Management” describes how you can configure and manage your server’s content.
• Chapter 15, “Applying Configuration Styles” describes how to use configuration styles with Enterprise Server.

Part V: Appendices

This section includes various appendices with reference material that you may wish to review. This section includes the following appendices:
• Appendix A, “Command Line Utilities” provides instructions for using command line utilities in place of the user interface screens.
• Appendix B, “HyperText Transfer Protocol” provides a short introduction to a few HTTP basic concepts.
• Appendix C, “ACL File Syntax” describes the access-control list (ACL) files and their syntax.
In addition, a glossary is included to define frequently used terms that may be unfamiliar to Enterprise Server administrators.
Conventions Used In This Guide
The conventions used in this guide are as follows:
Italic
This typeface is used for book titles, emphasis, and any text that is a placeholder for text you need to replace for your system. For example, in a URL that contains a reference to your server’s port number, the URL might contain portnumber in italics. Replace the words in italics with the actual value for your server.
Monospaced font
This typeface is used for any text that you should type. It’s also used for functions, examples, URLs, filenames, and directory paths.
Using the Enterprise Server Documentation
The following table lists the tasks and concepts that are described in the Enterprise Server manuals and online README file. If you are trying to accomplish a specific task or learn more about a specific concept, refer to the appropriate manual.
NOTE Enterprise Server manuals are also available in PDF and HTML format at enterprise.netscape.com/docs.

Table 1 Enterprise Server Documentation

For information about | See the following
Late-breaking information about the software and the documentation. | Netscape Enterprise Server Release Notes
Installing Enterprise Server | Netscape Enterprise Server Installation and Migration Guide
Administering one or more Enterprise Servers using the Administration Server to manage and configure your servers and to perform the following tasks: | Netscape Enterprise Server Administrator’s Guide
  • Setting up server security.
  • Monitoring your servers using HTTP, via log files, SNMP, or via the tools provided with your OS.
  • Defining your server workload and sizing your system to meet your performance needs.
  • Installing Java applets, CGI programs, and other plug-ins onto your server.
The administration server and global information on topics such as encryption, access control, and performance monitoring. | Managing Servers with Netscape Console
Planning your directory service. How you can use the directory server to support simple usage that involves only a few hundred users and some key server applications, as well as how you can scale the directory server to support millions of users. You are also introduced to the basic directory service concepts and specific guidelines that you will need to deploy a production-grade directory service. | Netscape Directory Server Deployment Manual
An overview of the programming technologies and APIs you can use to extend and modify Enterprise Server, to dynamically generate content in response to client requests, and to modify the content of the server. Links are provided to the individual books that discuss each API. Use this book as the starting place for developer-level information for Enterprise Server. The book also discusses the purpose and use of the configuration files, and provides a comprehensive list of the directives and functions that can be used in these configuration files. | Netscape Enterprise Server Programmer’s Guide
How to enable and implement servlets and JavaServer Pages™ (JSP) in Enterprise Server. | Netscape Enterprise Server Programmer’s Guide to Servlets
How to use Netscape Server Application Programmer’s Interface (NSAPI) to build plugins to extend and modify the Enterprise Server. It also provides a reference of the NSAPI functions you can use to define new plugins. | Netscape Enterprise Server NSAPI Programmer’s Guide
Part 1
Server Basics

Chapter 1, “Introduction to Enterprise Server”
Chapter 2, “Administering Enterprise Servers”
Chapter 1

Introduction to Enterprise Server

This chapter introduces Netscape Enterprise Server and discusses some of the fundamental server concepts. Read it to obtain an overview of how Enterprise Server works.
This chapter includes the following sections:
• Enterprise Server
• Enterprise Server Architecture
• Enterprise Server Configuration
• Administration Server
• Server Manager
  • Class Manager
  • Virtual Server Manager

Enterprise Server

Enterprise Server 6.1 is a multi-process, multi-threaded, secure web server built on open standards. It provides high performance, reliability, scalability, and manageability for any size enterprise.
This section includes the following topics:
• Enterprise Server Features
• Administering and Managing Enterprise Servers

Enterprise Server Features

Enterprise Server is primarily designed to provide access to your business HTML files. In addition, it offers the following features:
• Enterprise-wide manageability—Including delegated administration, cluster management, and LDAP (Lightweight Directory Access Protocol) support. LDAP integration with Directory Server enables you to store users and groups in a centralized directory. In addition, you can monitor your server in real-time by using the Simple Network Management Protocol (SNMP). SNMP is a protocol used to exchange data about network activity.
Note that in order to add users and groups to Enterprise Server, you must have a directory server installed, such as Directory Server. See the Netscape Enterprise Server Installation and Migration Guide for more information.
• Security—Users can establish encrypted and authenticated transactions between clients and the server through the Secure Sockets Layer (SSL) 3.0 protocol. In addition, Enterprise Server employs the following security-based standards: Public Key Cryptography Standard (PKCS) #11, which defines the interface used for communication between SSL and PKCS #11 modules; Federal Information Processing Standards (FIPS)-140; and special certificates that work with 56, 128, or 168 bits, depending on the capability of the client.
• Access control—You can protect confidential files or directories by implementing access control (viewing or editing) by user name, password, domain name, IP address, and user certificates. This feature also represents another aspect of the NSAPI Content Management plug-in, which enables an end user (the owner of a document) to set access control on a document, rather than having to ask the administrator to accomplish the task.
• High performance—Delivers high performance for dynamic and secure content with features such as HTTP 1.1, multi-threading, and support for SSL hardware accelerators.
• Standards-based—Enterprise Server includes support for a wide range of web software standards, including: JDK 1.2; Servlet 2.3; JavaServer Pages™ 1.2; HTTP 1.1; and various security-based standards, including PKCS #11, FIPS-140, and 168-bit step-up certificates.
• Server-side Java Servlet and JavaServer Pages support—enables development of dynamic content, presentation logic, and JDBC database access.
• Additional features—Support for multiple processes and process monitors, failover, automatic recovery, and dynamic log rotation.

Administering and Managing Enterprise Servers

You can manage your Enterprise Server(s) via the following user interfaces:
• Enterprise Server Administration Server
• Server Manager
  • Class Manager
  • Virtual Server Manager
In previous releases, the Enterprise Server and other Netscape servers were administered by a single server, called the Administration Server. In a previous release, the “administration server” became simply an additional instance of the Enterprise Server, called Enterprise Server Administration Server, or Administration Server. You use the Administration Server to administer all of your Enterprise Server instances. For more information, see “Administration Server,” on page 36.
NOTE You can also perform administrative tasks manually by editing the configuration files or by using command-line utilities.
For managing individual instances of Enterprise Server, you can use the Server Manager. For more information, see “Server Manager,” on page 37.
To manage virtual servers, use the Class Manager. For more information, see “Virtual Server Configuration,” on page 35.
Enterprise Server Architecture
Enterprise Server incorporates a modular architecture that integrates seamlessly with all of the products in the Netscape family of servers. In addition, Enterprise Server includes an administration server interface for coordinating administrative functions across all of your web servers. Note that this administrative interface is itself another instance of Enterprise Server.
Enterprise Server includes the following software modules:
• Content Engines
• Server Extensions
• Runtime Environments
• Application Services
These server modules are described in the following sections.

Content Engines

Enterprise Server content engines are designed for manipulating customer data. The following content engines make up the content layer of the Enterprise Server architecture:
• The HTTP (Web Server) engine represents the core of the Enterprise Server. From a functional perspective, the rest of the Enterprise Server architecture resides on top of this engine for performance and integration functionality.
• The Content Management engine enables you to manage your server's content. You create and store HTML pages, JavaServer Pages, and other files such as graphics, text, sound, or video on your server. When clients connect to your server, they can view your files provided they have access to them.

Server Extensions

The Enterprise Server extensions enable you to extend or replace the function of the server to better suit your business operations. The following server extensions are part of the core Enterprise Server architecture:
• Common Gateway Interface (CGI)
• Netscape Server Application Programming Interface (NSAPI)
• Java Servlets and JavaServer Pages
Common Gateway Interface (CGI) is a stand-alone application development interface that enables you to create programs that process your client requests dynamically.
Netscape Server Application Programming Interface (NSAPI) is used to implement the functions the server calls when processing a request (Server Application Functions) which provide the core and extended functionality of the Enterprise Server. It allows the server’s processing of requests to be divided into small steps which may be arranged in a variety of ways for speed and flexible configuration.

Java Servlets and JavaServer Pages extensions enable all Java servlet and JavaServer page meta-functions, including instantiation, initialization, destruction, access from other components, and configuration management. Java servlets and JavaServer pages are reusable Java applications that run on a web server rather than in a web browser.

Runtime Environments

In addition to the various server extensions, Enterprise Server includes a set of runtime environments which support the server extensions. These runtime environments include the following:
• CGI Processor
• NSAPI Engine
• Java Virtual Machine (JVM)
• Parsed HTML (Server-Side Includes)

Application Services

Finally, the Enterprise Server architecture includes a set of application services for various application-specific functions. These application services include the following:
• Security & Access Control
• Session Management Service
• File System Service
Enterprise Server Configuration
Enterprise Server is configured to enable you to turn on or off various features, determine how to respond to individual client requests, and write programs that run on and interact with the server’s operation. The instructions (called directives) which identify these options are stored in configuration files. Enterprise Server reads the configuration files on startup and during client requests to map your choices with the desired server activity. For more information about these files, see “Enterprise Server Configuration Files,” on page 30.
The server includes a number of configuration files which are stored in server_root/https-server_id/config and server_root/https-admserv/config when installed on your computer. This section includes the following topics:
• Enterprise Server Component Options
• Enterprise Server Configuration Files
• Single-Server Configuration
• Multiple-Server Configuration

Enterprise Server Component Options

The following component options are available when you install Enterprise Server:
• Enterprise Server Core
• Java Runtime Environment
• Java and Servlets
• SNMP Support

Enterprise Server Configuration Files

Enterprise Server includes a variety of configuration files that enable you to set various global variables, and to customize how the server responds to specific events and client requests. You can modify the configuration files automatically using the Administration Server, Server Manager, and Class Manager user interface, or by editing the files directly using a text editor.
The main Enterprise Server configuration files are: magnus.conf, obj.conf, mime.types, and server.xml. These configuration files are described in this section.
NOTE There are a number of configuration files Enterprise Server uses when your server is set up as part of a cluster of Enterprise Servers (these files include a .clfilter file extension). For more information regarding how you can configure a cluster of Enterprise Server, including important guidelines, see “About Clusters,” on page 139.
Enterprise Server Configuration
magnus.conf: contains global server configuration information (such as security and default language selection). This file sets the values for variables that configure the server during initialization. Enterprise Server reads this file and executes the variable settings on startup. The server does not read this file again until it is restarted, so you must restart the server every time you make changes to this file.
For more information, see the Netscape Enterprise Server NSAPI Programmer’s Guide.
obj.conf: object configuration file. There is one obj.conf file for each virtual server class, or grouping of virtual servers. Whenever this guide refers to “the obj.conf file,” it refers to all obj.conf files or to the obj.conf file for the virtual server class being described. All the obj.conf files are located in server_root/server_id/config. They are typically named vsclass.obj.conf, where vsclass is the virtual server class name. The obj.conf file contains settings for server customization, and instructions that the server uses to process requests from clients (such as browsers). Each virtual server references this information every time it processes a client request.
For more information about the actual file syntax and the specific directives used by the obj.conf and magnus.conf configuration files, see the Netscape Enterprise Server NSAPI Programmer’s Guide.
server.xml: configures the addresses and ports that the server listens on and assigns virtual server classes and virtual servers to these listen sockets. For more information, see the Netscape Enterprise Server NSAPI Programmer’s Guide.
mime.types: the MIME (Multi-purpose Internet Mail Extension) type configuration file. This file maps file extensions to MIME types, to enable the server to determine the type of content being requested. For example, requests for resources with .html extensions indicate that the client is requesting an HTML file, while requests for resources with .gif extensions indicate that the client is requesting an image file in GIF format. For more information, see “Specifying a Default MIME Type,” on page 314.
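As an added example (not code from the manual or from Netscape), the following Python parses a mime.types file and resolves the type a requested resource would receive, including the fall-back to a default MIME type for extensions the file does not list. The type=<mime/type> exts=<ext>,... and enc= line syntax, case-insensitive extension matching, the magnus-internal/cgi type name, and the sample file are assumptions; the manual itself does not show the file’s syntax.

```python
import os
import re

# Constructed sample in the assumed Netscape line format; not a real server's file.
SAMPLE_MIME_TYPES = """\
#--Netscape Communications Corporation MIME Information
# Do not delete the above line. It is used to identify the file type.
type=text/html                  exts=htm,html,shtml
type=image/gif                  exts=gif
type=application/octet-stream   exts=bin,exe
type=magnus-internal/cgi        exts=cgi,exe
enc=x-gzip                      exts=gz
"""

# key=value fields separated by whitespace (assumed syntax)
_FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_mime_types(text):
    """Parse mime.types text into (types, encodings, conflicts).

    types and encodings map a lower-cased extension to its MIME type or
    content encoding. The first mapping seen for an extension is kept; a
    later, different mapping is recorded in conflicts as
    (ext, kept_value, ignored_value) so the administrator can resolve the
    ambiguity instead of depending on which entry the server happens to use.
    """
    types, encodings, conflicts = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = dict(_FIELD_RE.findall(line))
        if "type" in fields:
            table, value = types, fields["type"]
        elif "enc" in fields:
            table, value = encodings, fields["enc"]
        else:
            continue  # unrecognised line shape: skip rather than guess
        for ext in fields.get("exts", "").split(","):
            ext = ext.strip().lower()
            if not ext:
                continue
            if ext in table and table[ext] != value:
                conflicts.append((ext, table[ext], value))
            else:
                table[ext] = value
    return types, encodings, conflicts


def resolve(path, types, encodings, default_type="text/plain"):
    """Return (mime_type, encoding) for a requested resource name.

    Only the final extension of the base name is consulted. If that
    extension is listed under enc=, it is stripped and reported as the
    content encoding before the type lookup (page.html.gz -> text/html,
    x-gzip). A missing or unlisted extension falls back to default_type,
    which is the role of the server's default MIME type setting.
    """
    root, ext = os.path.splitext(os.path.basename(path))
    ext = ext[1:].lower()
    encoding = None
    if ext in encodings:
        encoding = encodings[ext]
        root, ext = os.path.splitext(root)
        ext = ext[1:].lower()
    mime_type = types.get(ext, default_type) if ext else default_type
    return mime_type, encoding


if __name__ == "__main__":
    types, encodings, conflicts = parse_mime_types(SAMPLE_MIME_TYPES)
    for name in ("index.HTML", "docs/archive.html.gz", "README", "data.tar.gz"):
        print(name, "->", resolve(name, types, encodings))
    print("conflicting mappings:", conflicts)
```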

Dynamic Reconfiguration

Dynamic reconfiguration allows you to make configuration changes to a live web server without having to stop and restart the web server for the changes to take effect. You can dynamically change all configuration settings and attributes in server.xml and its associated files without restarting the server.
To access the dynamic reconfiguration screen and install a new configuration dynamically, click the Apply link found in the upper right corner of the Server Manager, Class Manager, and Virtual Server Manager pages, then click the Load Configuration Files button on the Apply Changes page. If there are errors in installing the new configuration, the previous configuration is restored.

Single-Server Configuration

If you have installed Enterprise Server on a single server machine, the installation process places all the files under the server root directory that you specified during installation.
All Platforms
For all platforms, the following directories are created under the server root directory:
• alias contains the key and certificate files for all Netscape servers (for example, https-admserv-server_id-cert7.db and secmod.db).
• bin contains the binary files for the server, such as the actual server, the Administration Server forms, and so on. In addition, this directory includes the https/install folder that contains files needed for migrating server settings and default configuration files needed for backward compatibility.
• docs is the server’s default primary document directory, where your server’s content files are usually kept. If you are migrating settings from an existing server, this directory doesn’t appear until you finish the migration process.
• extras contains the log analyzer and log analysis tools.
❍ The flexanlg directory contains a command-line log analyzer. This log analyzer analyzes files in flexlog format.
❍ The log_anly directory contains the log analysis tool that runs through the Server Manager. This log analyzer analyzes files in common log format only.
• httpacl contains the files that store access control configuration information in the generated.server-id.acl and genwork.server-id.acl files. The file generated.server-id.acl contains changes you make using the Server Manager access control forms after saving your changes; genwork.server-id.acl contains your changes before you save your changes.
• https-admserv contains the directories for the Administration Server. This directory has the following subdirectories and files:
❍ This directory contains shell scripts to start, stop, and restart the server, start the JVM, and a script to rotate log files.
❍ ClassCache contains classes and Java files, generated as a result of the compilation of JavaServer Pages.
❍ conf_bk contains backup copies of the Administration Server’s configuration files.
❍ config contains the server’s configuration files: admpw, admin.conf, cluster.xml, contexts.properties, cron.conf, dsgw.conf, dsgwfilter.conf, dsgw-language.conf, dsgw-orgperson.conf, dsgwserarchprefs.conf, jvm12.conf, magnus.conf, magnus.conf.clfilter, mime.types, ns-cron.conf, obj.conf, obj.conf.clfilter, server.dtd, servers.lst, server.xml, server.xml.clfilter, servlets.properties, ssl.xml, user-apps.xml, userclass.obj.conf, and web-apps.xml. Working copies are kept here. For more information on magnus.conf and obj.conf, see the Netscape Enterprise Server NSAPI Programmer’s Guide.
❍ logs contains any error or access log files.
❍ SessionData contains session database data from MMapSessionManager.
❍ startsvr.bat is the script that starts the Server Manager on Windows NT® and Windows® 2000 machines. The Server Manager lets you configure all servers installed in the server root directory.
❍ stopsvr.bat is the script that stops the Server Manager on Windows NT and Windows 2000 machines.
• https-server_id.domain are the directories for each server you have installed on the machine. Each server directory has the following subdirectories and files:
❍ ClassCache contains classes and Java files, generated as a result of the compilation of JavaServer pages.
❍ conf_bk contains backup copies of the server’s configuration files.
❍ config contains the server instance configuration files.
❍ logs contains the server instance log files.
❍ reconfig is the script used to reconfigure the server dynamically. If you make non-global changes to the server, you can use this script to reconfigure the server without stopping and starting it. Note that changes to magnus.conf require you to stop and restart the server.
❍ restart is the script that restarts the server.
❍ rotate rotates server log files without affecting users who may be connected to the server.
❍ SessionData contains session database data from MMapSessionManager.
❍ startsvr.bat is the script that starts the Server Manager. The Server Manager lets you configure all servers installed in the server root directory.
❍ stopsvr.bat is the script that stops the Server Manager.
• manual contains the online manuals for the product.
• plugins contains directories for Java and other plugins. This directory has the following subdirectories:
❍ htaccess contains the server plugin for .htaccess access control and htconvert, an .nsconfig to .htaccess converter.
❍ digest contains the Digest Authentication Plugin for Netscape Directory Server, as well as information about the plugin.
❍ samples contains samples and example components, plugins and technologies supported by the Enterprise Server servlet engine. This includes binaries, all code, and a build environment.
❍ servlets contains information about and examples of web-apps applications.
❍ include contains various include files.
❍ lib contains shared libraries.
❍ nsacl contains information for your server’s access control lists.
❍ loadbal contains the required files for the Resonate load-balancer integration plugin.
❍ nsapi contains header files and example code for creating your own functions using NSAPI.
❍ snmp contains information for your server’s SNMP plugins.
• setup contains the various Enterprise Server setup files, including setup.log and uninstall.inf.
• userdb contains user databases and related information.
• LICENSE.txt is the license file.
• README.txt is the readme file that contains a link to the Netscape Enterprise Server Release Notes.
UNIX and Linux Platforms
In addition to the files and directories described in “All Platforms,” on page 32, the following files are created at the server-root directory for UNIX® and Linux® platforms:
• startconsole launches a browser to the Administration Server page.
The following files are created under the server-root/https-admserv directory for UNIX and Linux platforms:
❍ ClassCache contains classes and Java files, generated as a result of the compilation of JavaServer pages.
❍ conf_bk contains backup copies of the server’s configuration files.
❍ config contains the Administration Server configuration files.
❍ logs contains the Administration Server log files.
❍ SessionData contains session database data from MMapSessionManager.
❍ restart is the script that restarts the Server Manager.
❍ start is the script that starts the Server Manager. The Server Manager lets you configure all servers installed in the server root directory.
❍ stop is the script that stops the Server Manager.

Virtual Server Configuration

Virtual servers allow you, with a single installed server, to offer companies or individuals domain names, IP addresses, and some server administration capabilities. You can configure virtual servers using the Virtual tab of the Server Manager, as well as the Class Manager interface. The settings for virtual servers are stored in the server.xml file, found in the server_root/https-server_id/config directory.
For more information, see Chapter 11, “Using Virtual Servers.”

Multiple-Server Configuration

You can have multiple web servers running on the same server machine. Multiple web servers can be configured from a single-server administration interface called the Administration Server.
Administration Server
The Administration Server is a web-based server that contains the Java forms you use to configure all of your Enterprise Servers.
After installing Enterprise Server, you use your browser to navigate to the Administration Server page and use its forms to configure your Enterprise Servers. When you submit the forms, the Administration Server modifies the configuration for the server you were administering.
The URL you use to navigate to the Administration Server page depends on the computer host name and the port number you choose for the Administration Server when you install Enterprise Server. For example, if you installed the Administration Server on port 1234, the URL would look like this:
http://myserver.example.com:1234
Before you can get to any forms, the Administration Server prompts you to authenticate yourself. This means you need to type a user name and password. You set up the “superuser” user name and password when you install Enterprise Server on your computer. After installation, you can use distributed administration to give multiple people access to different forms in the Administration Server. For more information about distributed administration, see “Allowing Multiple Administrators,” on page 52.
The first page you see when you access the Administration Server is called Servers. You use the buttons on this page to manage, add, remove, and migrate your Enterprise Servers. The Administration Server provides the following tabs for your administration-level tasks:
• Servers
• Preferences
• Global Settings
• Users and Groups
• Security
• Cluster Mgmt (Cluster Management)
NOTE Enterprise Server requires a browser that supports frames and has JavaScript and cookies enabled.
For more information on using the Administration Server, including information regarding these administration-level tasks, see Chapter 2, “Administering Enterprise Servers.”

Server Manager

The Server Manager is a web-based interface that contains the forms you use to configure individual instances of Enterprise Server.
You can access the Server Manager for Enterprise Server by performing the following steps:
1. Install and start your Enterprise Server.
The Administration Server displays the Servers page.
2. In the Manage Servers area, select the desired server and click Manage.
The Enterprise Server Administration Server displays the Server Manager Preferences page.
NOTE Enterprise Server requires a browser that supports frames and has JavaScript and cookies enabled.
You use the links on the Preferences page to manage options such as thread pool settings, and to turn the web server on and off.
In addition, the Server Manager provides the following tabs for additional Enterprise Server managerial tasks:
• Security
• Logs
• Monitor
• Virtual Server Class
• Java
• Legacy Servlets
For more information, see the Server Manager in the online help.

Using the Resource Picker

Most of the Server Manager and Class Manager pages configure the entire Enterprise Server or an entire class. However, some pages can configure either the entire server (or class) or files and directories that the server (or class) maintains. These pages include the Resource Picker, shown in Figure 1-1, at the top.
Figure 1-1 Resource Picker
The Resource Picker appears on a number of pages, including the Server Manager’s Log Preferences page and most screens accessible from the Class Manager’s Content Management tab.
To use the Resource Picker, choose a resource from the drop-down list for configuration. Click Browse to browse your primary document directory; clicking Options allows you to choose other directories. Click Wildcard to configure files with a specific extension.

Wildcards Used in the Resource Picker

In many parts of the server configuration, you specify wildcard patterns to represent one or more items to configure. Please note that the wildcards for access control may be different from those discussed in this section.
Wildcard patterns use special characters. If you want to use one of these characters without the special meaning, precede it with a backslash (\) character.

Class Manager

The Class Manager is a web-based interface that contains the Java forms you use to configure your virtual Enterprise Servers. The user interface for virtual servers has two parts, the Server Manager and the Class Manager. The Class Manager contains settings that affect a single class or single virtual server. You can set services for the class in the Class Manager, as well as add virtual servers (members of the class) and configure settings for an individual virtual server.
You can access the Class Manager for Enterprise Server by performing the following steps:
1. From the Server Manager, click the Virtual Server Class tab.
The Server Manager displays the Select a Class of Virtual Server page.
2. From the drop-down list, select a virtual server class and click Manage.
Enterprise Server displays the Class Manager’s Select a Virtual Server page.
You can also access the Class Manager by simply clicking the Class Manager link in the upper right-hand corner of the browser window.
The Class Manager provides the following tabs to manage your Enterprise Server virtual servers:
• Virtual Servers
• Programs
• Content Management
• Styles
For more information, see the Class Manager in the online help.

Virtual Server Manager

To access the Virtual Server Manager, go to the Virtual Servers tab in the Class Manager, then select a virtual server from the list on the Manage Virtual Servers page and click Manage, or click on the link to a virtual server under the tree view.
The pages provided in the Virtual Server Manager allow you to check the status and settings, set the Java web applications state to on, and generate reports for the selected virtual server.
The Virtual Server Manager provides the following tabs to manage your Enterprise Server virtual servers:
• Preferences
• Logs
• Web Applications
Chapter 2

Administering Enterprise Servers

This chapter describes how to administer Netscape Enterprise Server with the Enterprise Server Administration Server. Using the Administration Server, you can manage servers, add and remove servers, and migrate servers from a previous release.
This chapter includes the following sections:
• Accessing the Administration Server
• Running Multiple Servers
• Installing Multiple Instances of the Server
• Removing a Server
• Migrating a Server

Accessing the Administration Server

This section describes how to access the Administration Server for UNIX/Linux and Windows NT/Windows 2000 platforms.

UNIX/Linux Platforms

To access the Administration Server in UNIX or Linux platforms, go to the server_root/https-admserv/ directory (for example, /usr/netscape/server6/https-admserv/) and type ./start. This command starts the Administration Server using the port number you specified during installation.

Windows NT/Windows 2000 Platforms

The Enterprise Server installation program creates a program group with several icons for Windows NT/Windows 2000 platforms. The program group includes the following icons:
• Release Notes
• Start Administration Server
• Uninstall Enterprise Server 6.1
• Administer Enterprise Server
Note that the Administration Server runs as a services applet; thus, you can also use the Control Panel to start this service directly. To access the Administration Server in Windows NT/Windows 2000, perform the following steps:
1. Double-click the “Start Administration Server” icon, or type the following URL for starting the administration server in your browser:
http://hostname.domain_name:administration_port
Enterprise Server then displays a window prompting you for a user name and password.
2. Type the administration user name and password you specified during installation. Enterprise Server displays the Administration Server page.
For more information, see Administration Server in the online help.
NOTE Enterprise Server requires a browser that supports frames and has JavaScript and cookies enabled.
Since the Administration Server is accessed through a browser, you can access it from any machine that can reach the server over the network.

Running Multiple Servers

There are two ways you can have multiple web servers running on your system:
• Use virtual servers
• Install multiple instances of the server

Virtual Servers

Virtual servers allow you, with a single installed server, to offer companies or individuals domain names, IP addresses, and some server administration capabilities. For the users, it is almost as if they have their own web server, though you provide the hardware and basic web server maintenance.
The settings for virtual servers are stored in the server.xml file, found in the server_root/https-server_id/config directory. You do not need to edit this file to use virtual servers, but if you would like to learn more about this file, see the Netscape Enterprise Server NSAPI Programmer’s Guide.
For more information about virtual servers, see Chapter 11, “Using Virtual Servers.”

Installing Multiple Instances of the Server

In past releases of Enterprise Server, virtual servers did not have unique configuration information. The only way to have servers with separate configuration information was to create a new server instance. However, with Enterprise Server 6.1, virtual servers have separate configuration information, so multiple server instances are no longer required. They are still supported, but virtual servers are the preferred way to have multiple servers.
If you choose to install multiple server instances, you can use the Enterprise Server Administration Server to:
• Install multiple copies of the server as separate instances, each with a different IP address.
• Configure a set of servers that all use the same IP address, but different port numbers.
If your system is configured to listen to multiple IP addresses, enter one of the IP addresses that your system is hosting for each server you install.
If you installed your server before configuring your system to host multiple IP addresses, configure your system to respond to different IP addresses. Then you can either install IP virtual servers or change the server’s bind address using the Server Manager and install separate instances of the server for each IP address.
To add another server instance, perform the following steps:
1. Access the Administration Server and choose the Servers tab.
2. Click the Add Server link.
3. Enter the desired information for the specified fields.
Note that the server identifier cannot start with a digit and only Latin-1 characters should be used in instance names.
For more information, see The Add Server Page in the online help.
Removing a Server
You can remove a server from your system using the Administration Server. Be sure that you don’t need the server anymore before you remove it, since this process cannot be undone.
NOTE Windows NT/Windows 2000 servers have an uninstall program that you can use to remove a server and its associated administration server.
To remove a server from your machine, perform the following steps:
1. Access the Administration Server and choose the Servers tab.
2. Click Remove Server.
The Administration Server subsequently deletes the server’s configuration files, Server Manager forms, and the following directory (and any subdirectories):
server_root/https-server-id
For more information, see The Remove Server Page in the online help.

Migrating a Server

You can migrate a server instance from iPlanet™ Web Server 4.x to Enterprise Server 6.1. Your iPlanet Web Server 4.x server instance is preserved, and a new Enterprise Server 6.1 server using the same settings is created.
You should stop running iPlanet Web Server 4.x before migrating settings. Make sure you have a compatible version of a web browser installed on your computer before migrating settings.
For a complete description of how to migrate a server, see the Netscape Enterprise Server Installation and Migration Guide.
For more information, see The Migrate Server Page in the online help.
Part 2
Using the Administration Server
Chapter 3, “Setting Administration Preferences”
Chapter 4, “Managing Users and Groups”
Chapter 5, “Securing Your Enterprise Server”
Chapter 6, “Managing Server Clusters”
Chapter 3

Setting Administration Preferences

You can configure your Netscape Enterprise Server Administration Server using the pages on the Preferences and Global Settings tabs. Note that you must enable cookies and JavaScript in your browser to configure your server.
This chapter includes the following sections:
• Shutting Down the Enterprise Server Administration Server
• Editing Listen Socket Settings
• Changing the User Account (UNIX/Linux)
• Changing the Superuser Settings
• Allowing Multiple Administrators
• Specifying Log File Options
• Configuring Directory Services
• Restricting Server Access
• Configuring JRE/JDK Paths

Shutting Down the Enterprise Server Administration Server

Once the server is installed, it runs constantly, listening for and accepting HTTP requests. You might want to stop and restart your server if, for instance, you have just installed a Java Development Kit (JDK) or Netscape Directory Server, or if you have changed listen socket settings.
You can stop the server using one of the following methods:
• Access the Administration Server, choose the Preferences tab, select the Shut Down link, and click the “Shut down the administration server!” button. For more information, see The Shut Down Page in the online help.
• Use the Services window in the Control Panel (Windows NT/Windows 2000).
• Use stop, which shuts down the server completely, interrupting service until it is restarted.
After you shut down the server, it may take several seconds for the server to complete its shut-down process and for the status to change to “Off.”
Editing Listen Socket Settings
Before the server can process a request, it must accept the request via a listen socket, then direct the request to the correct connection group and virtual server. When you install Enterprise Server, one listen socket, ls1, is created automatically. This listen socket uses the IP address 0.0.0.0 (that is, every address the machine is configured with) and the port number you specified as your HTTP server port number during installation. (The default is 8888.) You cannot delete the default listen socket.
You can edit your server’s listen socket settings using the Administration Server’s Listen Sockets Table. To access the table, perform the following steps:
1. Access the Enterprise Server Administration Server and click the Preferences tab.
2. Click the Edit Listen Sockets link.
3. Make the desired changes and click OK.
For more information, see Chapter 11, “Using Virtual Servers” and the online help for The Edit Listen Sockets Page.

Changing the User Account (UNIX/Linux)

The Server Settings page allows you to change the user account for your web server on UNIX and Linux machines. All the server’s processes run as this user.
You do not need to specify a server user if you chose a port number greater than 1024 and are not running as the root user (in this case, you do not need to be logged on as root to start the server). If you do not specify a user account here, the server runs with the user account you start it with. Make sure that when you start the server, you use the correct user account.
If you do not know how to create a new user on your system, contact your system administrator or consult your system documentation.
NOTE Even if you start the server as root, you should not run the server as root all the time. You want the server to have restricted access to your system resources and run as a non-privileged user. The user name you enter as the server user should already exist as a normal UNIX/Linux user account. After the server starts, it runs as this user.
If you want to avoid creating a new user account, you can choose the user nobody or an account used by another HTTP server running on the same host. On some systems, however, the user nobody can own files but not run programs.
To access the Server Settings page, perform the following steps:
1. Access the Administration Server and choose the Preferences tab.
2. Click the Server Settings link.
3. Make the desired changes and click OK.

Changing the Superuser Settings

You can configure superuser access for your Administration Server. These settings affect only the superuser account. That is, if your Administration Server uses distributed administration, you need to set up additional access controls for the administrators you allow.
CAUTION If you use Directory Server to manage users and groups, you need to update the superuser entry in the directory before you change the superuser user name or password. If you don’t update the directory first, you won’t be able to access the Users & Groups forms in the Administration Server. To fix this, you’ll need to either access the Administration Server with an administrator account that does have access to the directory, or you’ll need to update the directory using the Directory Server’s Console or configuration files.
To change the superuser settings for the Administration Server, perform the following steps:
1. Access the Administration Server and choose the Preferences tab.
2. Click the Superuser Access Control link.
3. Make the desired changes and click OK.
The superuser’s user name and password are kept in a file called server_root/https-admserv/config/admpw. If you forget the user name, you can view this file to obtain the actual name; however, note that the password is encrypted and unreadable. The file has the format username:password. If you forget the password, you can edit the admpw file and simply delete the encrypted password. You can then go to the Server Manager forms and specify a new password.
CAUTION Because you can edit the admpw file, it is very important that you keep the server computer in a secure place and restrict access to its file system:
• On UNIX/Linux systems, consider changing the file ownership so that it’s writable only by root or whatever system user runs the Administration Server daemon.
• On Windows NT/Windows 2000 systems, restrict the file ownership to the user account Administration Server uses.
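The check below, added here and not part of the Netscape manual, turns the CAUTION above into something an administrator can run on a UNIX/Linux host: it verifies the ownership and mode of an admpw file and parses the documented username:password format, flagging an empty password field left behind by the reset procedure. The function names, the constructed sample files, and the decision to treat group/other read access as a finding (stricter than the write-only advice above) are this example’s own assumptions.

```python
import os
import stat
import tempfile


def parse_admpw(text):
    """Return (username, encrypted_password) from admpw file content.

    The manual documents a single username:password line, with the password
    stored in encrypted form. Anything else is treated as malformed so that
    a truncated or hand-edited file is noticed rather than silently accepted.
    """
    lines = [line for line in text.splitlines() if line.strip()]
    if len(lines) != 1 or ":" not in lines[0]:
        raise ValueError("admpw must contain exactly one username:password line")
    username, _, encrypted = lines[0].partition(":")
    if not username:
        raise ValueError("admpw username field is empty")
    return username, encrypted.strip()


def audit_admpw(path, daemon_uid):
    """Return a list of findings for the admpw file at path (empty = OK).

    daemon_uid is the UID the Administration Server daemon runs as. The file
    should be owned by root or that user, with no group/other permission bits
    at all (assumption: read access is treated as a finding too, because the
    file holds the encrypted superuser password). An empty password field is
    reported because that is the state the documented password-reset leaves
    behind; it must be followed by setting a new password.
    """
    findings = []
    st = os.stat(path)
    if st.st_uid not in (0, daemon_uid):
        findings.append("owner uid %d is neither root nor the daemon user %d"
                        % (st.st_uid, daemon_uid))
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o grants group/other access; expected 0600 or stricter"
                        % mode)
    with open(path) as fh:
        username, encrypted = parse_admpw(fh.read())
    if not encrypted:
        findings.append("superuser %r has no password set; set a new one now" % username)
    return findings


def demo():
    """Audit three constructed admpw files; returns {label: findings}.

    The files are written to a temporary directory and owned by the current
    user, which stands in for the daemon user in this demonstration.
    """
    cases = {
        "restricted": ("admin:ENCRYPTED_PASSWORD_PLACEHOLDER\n", 0o600),
        "world_readable": ("admin:ENCRYPTED_PASSWORD_PLACEHOLDER\n", 0o644),
        "password_deleted": ("admin:\n", 0o600),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, (content, mode) in cases.items():
            path = os.path.join(tmp, "admpw-" + label)
            with open(path, "w") as fh:
                fh.write(content)
            os.chmod(path, mode)
            results[label] = audit_admpw(path, os.getuid())
    return results


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, "->", findings or "OK")
```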
Allowing Multiple Administrators
Multiple administrators can change specific parts of the server through distributed administration. With distributed administration you have three levels of users:
• superuser is the user listed in the file server_root/https-admserv/config/admpw. This is the user name (and password) you specified during installation. This user has full access to all forms in the Administration Server, except the Users & Groups forms, which depend on the superuser having a valid account in an LDAP server such as Directory Server.
• administrators go directly to the Server Manager forms for a specific server, including the Administration Server. The forms they see depend on the access control rules set up for them (usually done by the superuser). Administrators can perform limited administrative tasks and can make changes that affect other users, such as adding users or changing access control.
• end users can view read-only data stored in the database. Additionally, end users may be granted access permissions to change only specific data.
For an in-depth discussion of access control for Enterprise Server, see “What Is Access Control?,” on page 161.
NOTE Before you can enable distributed administration, you must install a Directory Server. For more information, see the Netscape Enterprise Server Installation and Migration Guide and the Netscape Directory Server Administrator’s Guide.
To enable distributed administration, perform the following steps:
1. Verify that you have installed a Directory Server.
2. Access the Administration Server.
3. Once you’ve installed a Directory Server, you may also need to create an administration group, if you have not previously done so. To create a group, perform the following steps:
a. Choose the Users & Groups tab.
b. Click the New Group link.
c. Create an “administrators” group in the LDAP directory and add the names of the users you want to have permission to configure the Administration Server, or any of the servers installed in its server root. All users in the “administrators” group have full access to the Administration Server, but you can use access control to limit the servers and forms they will be allowed to configure.
4. Choose the Preferences tab.
5. Click the Distributed Admin link.
6. Make the desired changes and click OK.
CAUTION
Once you create an access-control list, the distributed administration group is added to that list. If you change the name of the “administrators” group, you must manually edit the access-control list to change the group it references.
For more information, see The Distributed Administration Page in the online help.
Chapter 3 Setting Administration Preferences 53


Specifying Log File Options
The Enterprise Server Administration Server log files record data about the server, including the types of errors encountered and information about server access. Viewing these logs allows you to monitor server activity and troubleshoot problems by providing data like the type of error encountered and the time certain files were accessed.
You can specify the type and format of the data recorded in the Enterprise Server Administration Server logs using the Log Preferences page. For instance, you can choose to log data about every client who accesses the Administration Server or you can omit certain clients from the log. In addition, you can choose the Common Logfile Format, which provides a fixed amount of information about the server, or you can create a custom log file format that better suits your requirements.
Access the Administration Server Log Preferences page by choosing the Preferences tab, then clicking the Logging Options link.
For more information, see The Logging Options Page in the online help, and Chapter 9, “Using Log Files.”

Viewing Log Files

The Administration Server log files are located in server_root/https-admserv/admin/logs. For example, on Windows NT/Windows 2000, the path to your log files might look like c:\Netscape\server6\https-admserv\logs. You can view both the error log and the access log through the Enterprise Server Administration Server console or using a text editor.
The Access Log File
The access log records information about requests to and responses from the server.
To view the access log file, perform the following steps:
1. Access the Enterprise Server Administration Server and choose the Preferences tab.
2. Click the View Access Log link and click OK.
For more information, see The View Error Log Page in the online help and “Using Log Files,” on page 207.
The Error Log File
The error log lists all the errors the server has encountered since the log file was created. It also contains informational messages about the server, such as when the server was started and who tried unsuccessfully to log in to the server.
To view the error log file, perform the following steps:
1. Access the Enterprise Server Administration Server and choose the Preferences tab.
2. Click the View Error Log link and click OK.
For more information, see The View Access Log Page in the online help, and “Using Log Files,” on page 207.

Archiving Log Files

You can set up your log files to be automatically archived. At a certain time, or after a specified interval, Enterprise Server rotates your access logs. Enterprise Server saves the old log files and stamps the saved file with a name that includes the date and time they were saved.
Access log rotation is initialized at server startup. If rotation is turned on, Enterprise Server creates a time-stamped access log file and rotation starts at server startup.
Once the rotation starts, Enterprise Server creates a new time-stamped access log file when there is a request that needs to be logged to the access log file and it occurs after the previously scheduled “next rotate time.”
Using Cron-based Log Rotation (UNIX/Linux)
You can configure several features of your Enterprise Server to operate automatically and set to begin at specific times. The cron daemon checks the computer clock and then spawns processes at certain times. (These settings are stored in the ns-cron.conf file.)
This cron daemon controls scheduled tasks for your Enterprise Server and can be activated and deactivated from the Administration Server. The tasks performed by the cron process depend on the various servers. (Note that on Windows NT and Windows 2000 platforms, the scheduling occurs within the individual servers.)
Some of the tasks that can be controlled by cron daemons include scheduling collection maintenance and archiving log files. You need to restart cron control whenever you change the settings for scheduled tasks.

To restart, start, or stop cron control, perform the following steps:
1. Access the Enterprise Server Administration Server and choose the Global Settings tab.
2. Click the Cron Control link.
3. Click Restart, Start, or Stop to change the cron controls.
Note that any time you add a task to cron, you need to restart the daemon.
Configuring Directory Services
You can store and manage information such as the names and passwords of your users in a single Directory Server using an open-systems server protocol called the Lightweight Directory Access Protocol (LDAP). You can also configure the server to allow your users to retrieve directory information from multiple, easily accessible network locations.
To configure the directory services preferences, perform the following steps:
1. Access the Enterprise Server Administration Server and choose the Global Settings tab.
2. Click the Configure Directory Service link.
3. Make the desired changes and click OK.
For more information, see The Configure Directory Service Page in the online help.

Restricting Server Access

You can control access to the entire server or to parts of the server (that is, directories, files, file types). When the server evaluates an incoming request, it determines access based on a hierarchy of rules called access-control entries (ACEs), and then it uses the matching entries to determine if the request is allowed or denied. Each ACE specifies whether or not the server should continue to the next ACE in the hierarchy. The collection of ACEs is called an access-control list (ACL). When a request comes in, the server determines access by checking vsclass.obj.conf (where vsclass is the virtual server class name) for a reference to an appropriate ACL. By default, the server has one ACL file that contains multiple ACLs.


You can set access control globally for all servers through the Enterprise Server Administration Server or for a resource within a specific server instance through the Server Manager. For more information about setting access control for a resource, see “Setting Access Control,” on page 173.
NOTE
You must turn on distributed administration before you can restrict server access for the Enterprise Server Administration Server.
To restrict access to your Enterprise Server Administration Server, perform the following steps:
1. Access the Enterprise Server Administration Server and choose the Global Settings tab.
2. Click the Restrict Access link.
3. Select the desired server and click Edit ACL.
The Enterprise Server Administration Server displays the access control rules for the server you specified.
4. Make the desired access control changes and click OK.
For more information, see The Restrict Access Page in the online help.
Configuring JRE/JDK Paths
When you install Enterprise Server, you can choose to install the Java Runtime Environment (JRE), which is bundled with Enterprise Server. You can also specify a path to the Java Development Kit (JDK), which you must install separately. See the Netscape Enterprise Server Installation and Migration Guide for more information.
Regardless of whether you choose to install the JRE or specify a path to the JDK during installation, you can tell the Enterprise Server to switch to using either the JRE or JDK at any time by performing the following steps:
1. Access the Enterprise Server Administration Server.
2. Select the Global Settings tab.
3. Click the Configure JRE/JDK Paths link.
The Configure JRE/JDK Paths page appears.
4. Click the radio button corresponding to the feature to enable.
5. Enter the appropriate information and click OK.
For instance, click JDK to supply the path to the Java Development Kit installed on your machine.
You must restart your server for changes to become effective. See The Configure JRE/JDK Paths Page in the online help for more information.
Chapter 4

Managing Users and Groups

This chapter describes how to add, delete, and edit the users and groups who can access your Netscape Enterprise Server.
This chapter includes the following sections:
• Using Directory Services to Manage Users and Groups
• Creating Users
• Managing Users
• Creating Groups
• Managing Groups
• Creating Organizational Units
• Managing Organizational Units
• Managing a Preferred Language List

Using Directory Services to Manage Users and Groups

The Enterprise Server Administration Server provides access to your application data about user accounts, group lists, access privileges, organization units, and other user- and group-specific information.
User and group information is stored in a directory server such as Netscape Directory Server, which supports Lightweight Directory Access Protocol (LDAP). LDAP is an open directory access protocol that runs over TCP/IP and is scalable to a global size and millions of entries.
Since Enterprise Server does not support local LDAP, you must have a directory server installed before you can add users and groups.

Understanding Distinguished Names (DNs)

Use the Users and Groups tab of the Administration Server to create or modify users, groups, and organizational units. A user is an individual in your LDAP database, such as an employee of your company. A group is two or more users who share a common attribute. An organizational unit is a subdivision within your company that uses the organizationalUnit object class. Users, groups, and organizational units are described further later in this chapter.
Each user and group in your enterprise is represented by a Distinguished Name (DN) attribute. A DN attribute is a text string that contains identifying information for an associated user, group, or object. You use DNs whenever you make changes to a user or group directory entry. For example, you need to specify DN information each time you create or modify directory entries, set up access controls, and set up user accounts for applications such as mail or publishing. The users and groups interface of Netscape Console helps you create or modify DNs.
The following example represents a typical DN for an employee of Example Corporation:
uid=doe,e=doe@example.com,cn=John Doe,o=Example Corporation,c=US
The abbreviations before each equal sign in this example have the following meanings:
uid: user ID
e: email address
cn: the user’s common name
o: organization
c: country
DNs may include a variety of name-value pairs. They are used to identify both certificate subjects and entries in directories that support LDAP.

Using LDIF

If you do not currently have a directory, or if you want to add a new subtree to an existing directory, you can use the Directory Server’s Administration Server LDIF import function. This function accepts a file containing LDIF and attempts to build a directory or a new subtree from the LDIF entries. You can also export your current directory to LDIF using the Directory Server’s LDIF export function. This function creates an LDIF-formatted file that represents your directory. Add or edit entries using the ldapmodify command along with the appropriate LDIF update statements.
To add entries to the database using LDIF, first define the entries in an LDIF file, then import the LDIF file from Directory Server. For more information, see “Formatting LDIF Entries,” on page 331.

Creating Users

Use the Users and Groups tab of the Enterprise Server Administration Server to create or modify user entries. A user entry contains information about an individual person or object in the database.
This section includes the following topics:
• Guidelines for Creating User Entries
• How to Create a New User Entry
• Directory Server User Entries

Guidelines for Creating User Entries

Consider the following guidelines when using the administrator forms to create new user entries:
• If you enter a given name (or first name) and a surname, then the form automatically fills in the user’s full name and user ID for you. The user ID is generated as the first initial of the user’s first name followed by the user’s last name. For example, if the user’s name is Babs Jensen, then the user ID is automatically set to bjensen. You can replace this user ID with an ID of your own choosing if you wish.
• The user ID must be unique. The Administration Server ensures that the user ID is unique by searching the entire directory from the search base (base DN) down to see if the user ID is in use. Be aware, however, that if you use the Directory Server ldapmodify command line utility (if available) to create a user, it does not ensure unique user IDs. If duplicate user IDs exist in your directory, the affected users will not be able to authenticate to the directory.
Note that the base DN specifies the distinguished name where directory lookups will occur by default, and where all Netscape Web Administration Server’s entries are placed in your directory tree. A “DN” is the string representation for the name of an entry in a Directory Server.
• Note that at a minimum, you must specify the following user information when creating a new user entry:
surname or last name
full name
user ID
• If any organizational units have been defined for your directory, you can specify where you want the new user to be placed using the Add New User To list. The default location is your directory’s base DN (or root point).
NOTE
The user edit text fields for international information differ between the Administration Server and Netscape Console. In Netscape Console, in addition to the untagged cn fields, there is a preferred language cn field which doesn’t exist in the Administration Server.

How to Create a New User Entry

To create a user entry, read the guidelines outlined in “Guidelines for Creating User Entries,” on page 61, then perform the following steps:
1. Access the Administration Server and choose the Users & Groups tab.
2. Click the New User link and add the associated information to the displayed page.
For more information, see The New User Page in the online help.

Directory Server User Entries

The following user entry notes may be of interest to the directory administrator:
• User entries use the inetOrgPerson, organizationalPerson, and person object classes.
• By default, the distinguished name for users is of the form:
cn=full name, ou=organization, ...,o=base organization, c=country
For example, if a user entry for Babs Jensen is created within the organizational unit Marketing, and the directory’s base DN is o=Example Corporation, c=US, then the person’s DN is:
cn=Babs Jensen, ou=Marketing, o=Example Corporation, c=US
However, note that you can change this format to a uid-based distinguished name.
• The values on the user form fields are stored as the following LDAP attributes (note that any stored information other than ‘user’ and ‘group’ requires a full Directory Server license):
Table 4-1 LDAP Attributes
User Field        Corresponding LDAP Attribute
Given Name        givenName
Surname           sn
Full Name         cn
User ID           uid
Password          userPassword
Email Address     mail
• The following fields are also available when editing the user entry:
Table 4-2 User Entry LDAP Attributes
User Field        Corresponding LDAP Attribute
Title             title
Telephone         telephoneNumber
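As an added example (not Netscape’s code), the following Python applies the rules from the guidelines and tables above: the default user ID, the user-ID uniqueness check the form performs, the default cn-based DN form (or the uid-based alternative), the object classes and the Table 4-1/4-2 attributes, and then emits the entry as LDIF for the import function described under “Using LDIF.” The {SSHA} password scheme, the DN/LDIF escaping helpers and the sample values are assumptions, not taken from the manual.

```python
"""Build a user entry from the New User form fields and emit it as LDIF.
Added example, not Netscape's code; the {SSHA} userPassword scheme is an
assumption (the manual does not say how passwords are stored)."""
import base64
import hashlib
import hmac
import os
from collections import OrderedDict

# Object classes the manual lists for user entries ("top" is the structural root).
USER_OBJECT_CLASSES = ("top", "person", "organizationalPerson", "inetOrgPerson")

# Form field -> LDAP attribute, from Tables 4-1 and 4-2.
FIELD_TO_ATTR = OrderedDict([
    ("Given Name", "givenName"), ("Surname", "sn"), ("Full Name", "cn"),
    ("User ID", "uid"), ("Password", "userPassword"), ("Email Address", "mail"),
    ("Title", "title"), ("Telephone", "telephoneNumber"),
])


def escape_dn_value(value):
    """Escape the characters RFC 4514 reserves inside an RDN value, so a full
    name such as 'Smith, John' cannot introduce an extra RDN into the DN."""
    out = "".join("\\" + ch if ch in ',+"\\<>;' else ch for ch in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def default_user_id(given_name, surname):
    """The form's default: first initial plus surname, e.g. Babs Jensen -> bjensen."""
    return (given_name[:1] + surname).replace(" ", "").lower()


def uid_in_use(uid, existing_uids):
    """The form's uniqueness check (uid values compare case-insensitively)."""
    return uid.lower() in {u.lower() for u in existing_uids}


def user_dn(full_name, base_dn, ou=None, uid=None):
    """Default DN form: cn=full name, ou=unit, ..., o=base org, c=country.
    Pass uid to build the uid-based DN the manual mentions instead."""
    rdn = "uid=" + escape_dn_value(uid) if uid else "cn=" + escape_dn_value(full_name)
    return ", ".join([rdn] + (["ou=" + escape_dn_value(ou)] if ou else []) + [base_dn])


def ssha_password(plain, salt=None):
    """Salted SHA-1 userPassword value ({SSHA}); assumed scheme, random salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(plain.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(plain, stored):
    """Verify a cleartext password against a {SSHA} value (constant-time compare)."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(plain.encode("utf-8") + salt).digest(), digest)


def build_user_entry(fields, base_dn, ou=None, existing_uids=(), uid_based_dn=False):
    """Return (dn, attrs) for a new user: full name and user ID are derived when
    omitted, and a duplicate user ID is rejected (the form checks this;
    ldapmodify does not, and duplicates stop the affected users authenticating)."""
    given, surname = fields.get("Given Name", ""), fields["Surname"]
    values = dict(fields)
    values["Full Name"] = values.get("Full Name") or (given + " " + surname).strip()
    values["User ID"] = values.get("User ID") or default_user_id(given, surname)
    if uid_in_use(values["User ID"], existing_uids):
        raise ValueError("user ID %r already exists in the directory" % values["User ID"])
    attrs = OrderedDict(objectClass=list(USER_OBJECT_CLASSES))
    for field, attr in FIELD_TO_ATTR.items():
        if values.get(field):
            attrs[attr] = ssha_password(values[field]) if attr == "userPassword" else values[field]
    dn = user_dn(values["Full Name"], base_dn, ou,
                 values["User ID"] if uid_based_dn else None)
    return dn, attrs


def ldif_line(attr, value):
    """One LDIF attribute line; values LDIF cannot carry literally go base64 ('::')."""
    safe = value.isascii() and "\n" not in value and value[:1] not in (" ", ":", "<")
    if safe:
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))


def to_ldif(dn, attrs):
    """Serialise one entry as an LDIF record (RFC 2849) for the import function."""
    lines = [ldif_line("dn", dn)]
    for attr, value in attrs.items():
        for v in (value if isinstance(value, list) else [value]):
            lines.append(ldif_line(attr, v))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: Babs Jensen in the Marketing unit under the manual's base DN.
    dn, attrs = build_user_entry(
        {"Given Name": "Babs", "Surname": "Jensen", "Password": "constructed-sample",
         "Email Address": "bjensen@example.com"},
        "o=Example Corporation, c=US", ou="Marketing")
    print(to_ldif(dn, attrs))
```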

Sometimes a user’s name can be more accurately represented in characters of a language other than the default language. You can select a preferred language for users so that their names will display in the characters of that language, even when the default language is English. For more information regarding setting a user’s preferred language, see The Manage Users Page in the online help.
Managing Users
You edit user attributes from the Enterprise Server Administration Server Manage Users form. From this form you can find, change, rename, and delete user entries; manage user licenses; and potentially change product-specific information.
Some, but not all, Netscape servers add additional forms to this area that allow you to manage product-specific information. For example, if a messaging server is installed under your Administration Server, then an additional form is added that allows you to edit messaging server-specific information. See the server documentation for details on these additional management capabilities.
This section includes the following topics:
• Finding User Information
• Editing User Information
• Managing a User’s Password
• Managing User Licenses
• Renaming Users
• Removing Users

Finding User Information

Before you can edit a user entry, you must display the associated information. To find the specific user information, perform the following steps:
1. Access the Enterprise Server Administration Server and choose the Users & Groups tab.
2. Click the Manage Users link.
3. In the Find User field, enter some descriptive value for the entry that you want to edit. You can enter any of the following in the search field:
• A name. Enter a full name or a partial name. All entries that equally match the search string will be returned. If no such entries are found, all entries that contain the search string will be found. If no such entries are found, any entries that sound like the search string are found.
• A user ID.
• A telephone number. If you enter only a partial number, any entries that have telephone numbers ending in the search number will be returned.
• An email address. Any search string containing an at (@) symbol is assumed to be an email address. If an exact match cannot be found, then a search is performed to find all email addresses that begin with the search string.
• An asterisk (*) to see all of the entries currently in your directory. You can achieve the same effect by simply leaving the field blank.
• Any LDAP search filter. Any string that contains an equal sign (=) is considered a search filter.
As an alternative, use the pull-down menus in the Find all users whose field to narrow the results of your search.
4. In the Look within field, select the organizational unit under which you want to search for entries. The default is the directory’s root point (or top-most entry).
5. In the Format field, choose either On-Screen or Printer.
6. Click Find.
All the users in the selected organizational unit are displayed.
7. In the resulting table, click the name of the entry that you want to edit.
The user edit form is displayed.
8. Change the d isplayed fields as desired and click Save Changes.
The changes are made immediately.
Building Custom Search Queries
The “Find all users whose” field allows you to build a custom search filter. Use this field to narrow down the search results returned by a “Find user” search.
The Find all users whose field provides the following search criteria:
• The left-most pull-down list allows you to specify the attribute on which the search will be based.
The available search attribute options are described in the following table:
Table 4-3 Search Attribute Options
Option Name        Description
full name          Search each entry’s full name for a match.
last name          Search each entry’s last name, or surname, for a match.
user id            Search each entry’s user id for a match.
phone number       Search each entry’s phone number for a match.
email address      Search each entry’s email address for a match.
unit name          Search each entry’s name for a match.
description        Search each organizational unit entry’s description for a match.
• In the center pull-down list, select the type of search you want to perform. The available search type options are described in the following table:
Table 4-4 Search Type Options
Option Name        Description
contains           Causes a substring search to be performed. Entries with attribute values containing the specified search string are returned. For example, if you know a user’s name probably contains the word “Dylan,” use this option with the search string “Dylan” to find the user’s entry.
is                 Causes an exact match to be found. That is, this option specifies an equality search. Use this option when you know the exact value of a user’s attribute. For example, if you know the exact spelling of the user’s name, use this option.
isn’t              Returns all the entries whose attribute value does not exactly match the search string. That is, if you want to find all the users in the directory whose name is not “John Smith,” use this option. Be aware, however, that use of this option can cause an extremely large number of entries to be returned to you.
sounds like        Causes an approximate, or phonetic, search to be performed. Use this option if you know an attribute’s value, but you are unsure of the spelling. For example, if you are not sure if a user’s name is spelled “Sarret,” “Sarette,” or “Sarett,” use this option.
starts with        Causes a substring search to be performed. Returns all the entries whose attribute value starts with the specified search string. For example, if you know a user’s name starts with “Miles,” but you do not know the rest of the name, use this option.
ends with          Causes a substring search to be performed. Returns all the entries whose attribute value ends with the specified search string. For example, if you know a user’s name ends with “Dimaggio,” but you do not know the rest of the name, use this option.
• In the right-most text field, enter your search string. To display all of the user entries contained in the Look Within directory, enter either an asterisk (*) or simply leave this text field blank.
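The Find User heuristics and the Table 4-3/4-4 criteria above, expressed as LDAP search filters in an added Python example (not the Administration Server’s code; the exact filters it sends are an assumption based on standard RFC 4515 syntax, and treating the text as a user ID on the exact-match pass is also assumed). Typed text is escaped so wildcard and parenthesis characters match literally; only the explicit LDAP-filter path passes the string through unchanged, as the manual describes.

```python
"""Turn the Find User field and the 'Find all users whose' criteria into LDAP
search filters (RFC 4515). Added example, not the Administration Server's own
code; the filters it really sends are assumed, not documented in the manual."""

# Table 4-3 option -> LDAP attribute (unit name and description apply to
# organizational unit entries).
SEARCH_ATTRIBUTES = {
    "full name": "cn", "last name": "sn", "user id": "uid",
    "phone number": "telephoneNumber", "email address": "mail",
    "unit name": "ou", "description": "description",
}

# Table 4-4 option -> filter template over (attribute, escaped search string).
SEARCH_TYPES = {
    "contains": "(%s=*%s*)",
    "is": "(%s=%s)",
    "isn't": "(!(%s=%s))",
    "sounds like": "(%s~=%s)",      # approximate (phonetic) match
    "starts with": "(%s=%s*)",
    "ends with": "(%s=*%s)",
}


def escape_filter_value(text):
    """RFC 4515 escaping: *, (, ), backslash and NUL in the search string are
    matched literally instead of changing the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in text)


def custom_filter(attribute_option, search_type, text):
    """Filter for one 'Find all users whose <attribute> <type> <text>' row."""
    return SEARCH_TYPES[search_type] % (SEARCH_ATTRIBUTES[attribute_option],
                                        escape_filter_value(text))


def find_user_filters(text):
    """Filters for the free-form Find User field, in the order the manual says
    they are tried: blank or * lists everything; a string containing '=' is
    passed through as an LDAP filter (the one deliberately unescaped path);
    '@' means an email address (exact, then prefix); digits mean a telephone
    number (suffix match); anything else is a name or user ID (exact, then
    substring, then phonetic)."""
    text = text.strip()
    if text in ("", "*"):
        return ["(objectClass=*)"]
    if "=" in text:
        return [text if text.startswith("(") else "(%s)" % text]
    v = escape_filter_value(text)
    if "@" in text:
        return ["(mail=%s)" % v, "(mail=%s*)" % v]
    if text.replace("-", "").replace(" ", "").isdigit():
        return ["(telephoneNumber=*%s)" % v]
    # Assumption: the exact pass accepts the text as either a full name or a user ID.
    return ["(|(cn=%s)(uid=%s))" % (v, v), "(cn=*%s*)" % v, "(cn~=%s)" % v]


if __name__ == "__main__":
    print(custom_filter("full name", "sounds like", "Sarret"))
    print(find_user_filters("Babs Jensen"))
```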

Editing User Information

To change a user’s entry, perform the following steps:
1. Access the Enterprise Server Administration Server and choose the Users & Groups tab.
2. Display the user entry as described in “Finding User Information,” on page 64.
3. Edit the field corresponding to the attribute that you wish to change.
For more information, see The Edit Users Page in the online help.
NOTE It is possible that you will want to change an attribute value that is not displayed by the edit user form. In this situation, use the Directory Server ldapmodify command line utility, if available.
In addition, note that you can change the user’s first, last, and full name field from this form, but to fully rename the entry (including the entry’s distinguished name), you need to use the Rename User form. For more information on how to rename an entry, see “Renaming Users,” on page 69.

Managing a User’s Password

The password you set for user entries is used by the various servers for user authentication.
To change or create a user’s password, perform the following steps:
1. Access the Enterprise Server Administration Server and choose the Users & Groups tab.
2. Display the user entry as described in “Finding User Information,” on page 64.
3. Make the desired changes and click OK.
For more information, see The Manage Users Page in the online help.
NOTE You can change the Enterprise Server Administration Server user from root to another user on the operating system to enable multiple users (belonging to the group) to edit/manage the configuration files. However, note that while on UNIX/Linux platforms, the installer can give “rw” permissions to a group for the configuration files, on Windows NT/Windows 2000 platforms, the user must belong to the “Administrators” group.
You can also disable the user’s password by clicking the Disable Password button. Doing this prevents the user from logging into a server without deleting the user’s directory entry. You can allow access for the user again by using the Password Management Form to enter a new password.

Managing User Licenses

Enterprise Server Administration Server enables you to track which Netscape server products your users are licensed to use.
To manage the licenses available to the user, perform the following steps:
1. Access the Enterprise Server Administration Server and choose the Users & Groups tab.
2. Display the user entry as described in “Finding User Information,” on page 64.
3. Click the Licenses link at the top of the User Edit form.
4. Make the desired changes and click OK.
For more information, see The Manage Users Page in the online help.

Renaming Users

The rename feature changes only the user’s name; all other fields are left intact. In addition, the user’s old name is still preserved so searches against the old name will still find the new entry.
When you rename a user entry, you can only change the user’s name; you cannot use the rename feature to move the entry from one organizational unit to another. For example, suppose you have organizational units for Marketing and Accounting and an entry named “Babs Jensen” under the Marketing organizational unit. You can rename the entry from Babs Jensen to Bob Jensen, but you cannot rename the entry such that Babs Jensen under the Marketing organizational unit becomes Babs Jensen under the Accounting organizational unit.
To rename a user entry, perform the following steps:
1. Access the Enterprise Server Administration Server and choose the Users & Groups tab.
2. Display the user entry as described in “Finding User Information,” on page 64.
Note that if you are using common name-based DNs, specify the user’s full name. If you are using uid-based distinguished names, enter the new uid value that you want to use for the entry.
3. Click the Rename User button.
4. Change the Given Name, Surname, Full Name, or UID fields as is appropriate to match the new distinguished name for the entry.
5. You can specify that the Administration Server no longer retains the old full name or uid values when you rename the entry by setting the keepOldValueWhenRenaming parameter to false. You can find this parameter in the following file:
server_root/https-admserv/config/dsgw-orgperson.conf
For more information, see The Manage Users Page in the online help.

Removing Users

To delete a user entry, perform the following steps:
1. Access the Enterprise Server Administration Server and choose the Users & Groups tab.
2. Display the user entry as described in “Finding User Information,” on page 64.
3. Click Delete User.
For more information, see The Manage Users Page in the online help.
Creating Groups
A group is an object that describes a set of objects in an LDAP database. An Enterprise Server group consists of users who share a common attribute. For instance, the set of objects might be a number of employees who work in the marketing division of your company. These employees might belong to a group called Marketing.
There are two ways to define membership of a group: statically and dynamically. Static groups enumerate their member objects explicitly. A static group is a CN and contains uniqueMembers and/or memberURLs and/or memberCertDescriptions. For static groups, the members do not share a common attribute except for the CN=<Groupname> attribute.
Dynamic groups allow you to use a LDAP URL to define a set of rules that match only for group members. For Dynamic Groups, the members do share a common attribute or set of attributes that are defined in the memberURL filter. For example, if you need a group that contains all employees in Sales, and they are already in the LDAP database under “ou=Sales,o=example.com,” you’d define a dynamic group with the following memberurl:
ldap:///ou=Sales,o=example??sub?(uid=*)
This group would subsequently contain all objects that have an uid attribute in the tree below the “ou=Sales,o=example” point; thus, all the Sales members.
For static and dynamic groups, members can share a common attribute from a certificate if you use the memberCertDescription. Note that these will only work if the ACL uses the SSL method.
Once you create a new group, you can add users, or members, to it. This section includes the following topics for creating groups:
• Static Groups
• Dynamic Groups

Static Groups

The Enterprise Server Administration Server enables you to create a static group by specifying the same group attribute in the DNs of any number of users. A static group doesn’t change unless you add a user to it or delete a user from it.
Guidelines for Creating Static Groups
Consider the following guidelines when using the Enterprise Server Administration Server forms to create new static groups:
• Static groups can contain other static or dynamic groups.
• You can optionally also add a description for the new group.
• If any organizational units have been defined for your directory, you can specify where you want the new group to be placed using the Add New Group To list. The default location is your directory’s root point, or top-most entry.
• When you are finished entering the desired information, click Create Group to add the group and immediately return to the New Group form. Alternatively, click Create and Edit Group to add the group and then proceed to the Edit Group form for the group you have just added. For information on editing groups, see “Editing Group Attributes,” on page 77.
To Create a Static Group
To create a static group entry, perform the following steps:
1. Access the Enterprise Server Administration Server and choose the Users & Groups tab.
2. Click the New Group link.
3. Enter the required information and click OK.
For more information, see The New Group Page in the online help.

Dynamic Groups

A dynamic group has an objectclass of groupOfURLs, and has zero or more memberURL attributes, each of which is a LDAP URL that describes a set of objects.
Enterprise Server enables you to create a dynamic group when you want to group users automatically based on any attribute, or when you want to apply ACLs to specific groups which contain matching DNs. For example, you can create a group that automatically includes any DN that contains the attribute department=marketing. If you apply a search filter for department=marketing, the search returns a group including all DNs containing the attribute department=marketing. You can then define a dynamic group from the search results based on this filter. Subsequently, you can define an ACL for the resulting dynamic group.
This section includes the following topics:
• How Enterprise Server Implements Dynamic Groups
• Groups Can Be Static and Dynamic
• Dynamic Group Impact on Server Performance
• Guidelines for Creating Dynamic Groups
• To Create a Dynamic Group
How Enterprise Server Implements Dynamic Groups
Enterprise Server implements dynamic groups in the LDAP server schema as objectclass = groupOfURLs. A groupOfURLs class can have multiple memberURL attributes, each one consisting of an LDAP URL that enumerates a set of objects in the directory. The members of the group are the union of these sets. For example, the following group contains just one member URL:
ldap:///o=example.com??sub?(department=marketing)
This example describes a set that consists of all objects below “o=example.com” whose department is “marketing.”
The LDAP URL can contain a search base DN, a scope and filter; however, it cannot contain a hostname and port. This means that you can only refer to objects on the same LDAP server. All scopes are supported.
The DNs are included automatically, without your having to add each individual to the group. The group changes dynamically, because Enterprise Server performs an LDAP server search each time a group lookup is needed for ACL verification. The user and group names used in the ACL file correspond to the cn attribute of the objects in the LDAP database.
NOTE
Enterprise Server uses the cn (commonName) attribute as group name for ACLs.
The mapping from an ACL to an LDAP database is defined both in the dbswitch.conf configuration file (which associates the ACL database names with actual LDAP database URLs) and the ACL file (which defines which databases are to be used for which ACL). For example, if you want to base access rights on membership in a group named “staff,” the ACL system looks up an object that has an object class of groupOf<anything> and a CN set to “staff.” The object defines the members of the group, either by explicitly enumerating the member DNs (as is done, for example, in groupOfUniqueNames for static groups), or by specifying LDAP URLs (for groupOfURLs).
Groups Can Be Static and Dynamic
A group object can have both objectclass = groupOfUniqueMembers and objectclass = groupOfURLs; therefore, both “uniqueMember” and “memberURL” attributes are valid. The group’s membership is the union of its static and dynamic members.
Dynamic Group Impact on Server Performance
There is a server performance impact when using dynamic groups. If you are testing group membership, and the DN is not a member of a static group, Enterprise Server checks all dynamic groups in the database’s baseDN. Enterprise Server accomplishes this task by checking if each memberURL matches: it checks the memberURL’s baseDN and scope against the DN of the user, and then performs a base search using the user DN as baseDN and the filter of the memberURL. This procedure can amount to a large number of individual searches.
Guidelines for Creating Dynamic Groups
Consider the following guidelines when using the Enterprise Server Administration Server forms to create new dynamic groups:
• Dynamic groups can not contain other groups.
• Enter the group’s LDAP URL using the following format (without host and port info, since these parameters are ignored):
ldap:///<basedn>?<attributes>?<scope>?<(filter)>
The required parameters are described in the following table:
Table 4-5 Dynamic Groups: Required Parameters
Parameter Name / Description
<base_dn>
    The Distinguished Name (DN) of the search base, or point from which all searches are performed in the LDAP directory. This parameter is often set to the suffix or root of the directory, such as “o=example.com”.
<attributes>
    A list of the attributes to be returned by the search. To specify more than one, use commas to delimit the attributes (for example, “cn,mail,telephoneNumber”); if no attributes are specified, all attributes are returned. Note that this parameter is ignored for dynamic group membership checks.
<scope>
    The scope of the search, which can be one of these values:
    base retrieves information only about the distinguished name (<base_dn>) specified in the URL.
    one retrieves information about entries one level below the distinguished name (<base_dn>) specified in the URL. The base entry is not included in this scope.
    sub retrieves information about entries at all levels below the distinguished name (<base_dn>) specified in the URL. The base entry is included in this scope.
    This parameter is required.
<(filter)>
    Search filter to apply to entries within the specified scope of the search. If you are using the Administration Server forms, you must specify this attribute. Note that the parentheses are required.
    This parameter is required.
Note that the <attributes>, <scope>, and <(filter)> parameters are identified by their positions in the URL. If you do not want to specify any attributes, you still need to include the question marks delimiting that field.
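The memberURL format in Table 4-5 and the membership lookup described under “Dynamic Group Impact on Server Performance” (base DN and scope test first, then the filter applied to the user’s own entry) can be worked through in code. This is an added example, not part of Enterprise Server; the directory entries and memberURL values are constructed, and the filter parser handles only (attr=value), &, | and ! forms.

```python
from fnmatch import fnmatchcase
from urllib.parse import unquote


def parse_dn(dn):
    """Split 'uid=bsmith, ou=People, o=example.com' into lower-cased (attr, value) RDNs."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        if attr.strip():
            rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def _parse_filter(s, i):
    """Recursive-descent parser for (attr=value), (&...), (|...) and (!...) filters."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = _parse_filter(s, i)
            kids.append(kid)
        node = (op, kids)
    elif s[i] == "!":
        kid, i = _parse_filter(s, i + 1)
        node = ("!", [kid])
    else:
        j = s.index(")", i)
        attr, _, value = s[i:j].partition("=")
        node, i = ("=", attr.strip().lower(), value.strip().lower()), j
    if s[i] != ")":
        raise ValueError("expected ')' at %d" % i)
    return node, i + 1


def parse_filter(s):
    try:
        node, end = _parse_filter(s, 0)
    except IndexError:
        raise ValueError("unterminated filter")
    if end != len(s):
        raise ValueError("trailing characters after filter")
    return node


def parse_member_url(url):
    """Parse ldap:///<basedn>?<attributes>?<scope>?<(filter)>; host and port are ignored."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("memberURL must be an LDAP URL")
    _hostport, _, path = url[len("ldap://"):].partition("/")
    fields = path.split("?", 3)  # the fields are positional, so all three '?' must be present
    if len(fields) != 4:
        raise ValueError("expected <basedn>?<attributes>?<scope>?<(filter)>")
    basedn, attrs, scope, filt = (unquote(f) for f in fields)
    if scope.lower() not in ("base", "one", "sub"):
        raise ValueError("scope is required and must be base, one or sub")
    if not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError("filter must be enclosed in parentheses")
    return {"base": parse_dn(basedn), "attrs": [a for a in attrs.split(",") if a],
            "scope": scope.lower(), "filter": parse_filter(filt)}


def matches(entry, node):
    """Evaluate a parsed filter against one entry ({attr: [values]}, attrs lower-cased)."""
    kind = node[0]
    if kind == "=":
        values = [v.lower() for v in entry.get(node[1], [])]
        return any(fnmatchcase(v, node[2]) for v in values)  # '*' acts as the LDAP wildcard
    if kind == "&":
        return all(matches(entry, k) for k in node[1])
    if kind == "|":
        return any(matches(entry, k) for k in node[1])
    return not matches(entry, node[1][0])


def in_scope(user_rdns, base_rdns, scope):
    """True if the entry named by user_rdns lies under base_rdns at the given scope."""
    depth = len(user_rdns) - len(base_rdns)
    if depth < 0 or user_rdns[depth:] != base_rdns:
        return False
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]  # sub includes the base


def dynamic_members(directory, member_urls):
    """DNs in `directory` that belong to a group with these memberURL values.
    The cheap base-DN/scope test runs first; only entries passing it get the filter
    evaluated against their own entry (the base search on the user DN)."""
    specs = [parse_member_url(u) for u in member_urls]
    members = set()
    for dn, entry in directory.items():
        rdns = parse_dn(dn)
        for spec in specs:
            if in_scope(rdns, spec["base"], spec["scope"]) and matches(entry, spec["filter"]):
                members.add(dn)
                break
    return sorted(members)


# Constructed sample directory (not real data); attribute names are lower-cased.
DIRECTORY = {
    "uid=bsmith, ou=People, o=example.com": {"uid": ["bsmith"], "department": ["Marketing"]},
    "uid=ajones, ou=People, o=example.com": {"uid": ["ajones"], "department": ["Engineering"]},
    "uid=ctran, ou=Contractors, o=example.com": {"uid": ["ctran"], "department": ["Marketing"]},
}
ALL_MARKETING = ["ldap:///o=example.com??sub?(department=marketing)"]  # the guide's example
PEOPLE_MARKETING = ["ldap:///ou=People,o=example.com??one?(department=marketing)"]

if __name__ == "__main__":
    print(dynamic_members(DIRECTORY, ALL_MARKETING))
    print(dynamic_members(DIRECTORY, PEOPLE_MARKETING))
```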
You can optionally also add a description for the new group.
If any organizational units have been defined for your directory, you can specify where you want the new group to be placed using the Add New Group To list. The default location is your directory’s root point, or top-most entry.
When you are finished entering the desired information, click Create Group to add the group and immediately return to the New Group form. Alternatively, click Create and Edit Group to add the group and then proceed to the Edit Group form for the group you have just added. For information on editing groups, see “Editing Group Attributes,” on page 77.
To Create a Dynamic Group
To create a dynamic group entry within the directory, perform the following steps:
1. Access the Enterprise Server Administration Server and choose the Users & Groups tab.
2. Click the New Group link.
3. Select Dynamic Group from the Type of Group dropdown list.
4. Enter the required information and click OK.
For more information, see The New Group Page in the online help.
Managing Groups
The Enterprise Server Administration Server enables you to edit groups and manage group memberships from the Manage Group form. This section describes the following topics:
• Finding Group Entries
• Editing Group Attributes
• Adding Group Members
• Adding Groups to the Group Members List
• Removing Entries from the Group Members List
• Managing Owners
• Managing See Alsos
• Removing Groups
• Renaming Groups
Finding Group Entries

Before you can edit a group entry, first you must find and display the entry. To find a group entry, perform the following steps:
1. Access the Enterprise Server Administration Server and choose the Users & Groups tab.
2. Click the Manage Groups link.
3. Enter the name of the group that you want to find in the Find Group field.
You can enter any of the following values in the search field:
• A name. Enter a full name or a partial name. All entries that exactly match the search string are returned. If no such entries are found, all entries that contain the search string are found. If no such entries are found, any entries that sound like the search string are found.
• An asterisk (*) to see all of the groups currently residing in your directory. You can achieve the same effect by simply leaving the field blank.
• Any LDAP search filter. Any string that contains an equal sign (=) is considered to be a search filter.
As an alternative, use the pull-down menus in “Find all groups whose” to narrow the results of your search.
4. In the Look within field, select the organizational unit under which you want to search for entries. The default is the directory’s root point, or top-most entry.
5. In the Format field, choose either On-Screen or Printer.
6. Click Find.
All the groups matching your search criteria are displayed.
7. In the resulting table, click the name of the entry that you want to edit.
The “Find all groups whose” Field
The “Find all groups whose” field allows you to build a custom search filter. Use this field to narrow down the search results that are otherwise returned by Find groups.
To display all of the group entries contained in the Look Within directory, enter either an asterisk (*) or simply leave this text field blank.
For more information regarding how to build a custom search filter, see “Building Custom Search Queries,” on page 65.

Editing Group Attributes

To edit a group entry, perform the following steps:
1. Access the Enterprise Server Administration Server and choose the Users & Groups tab.
2. Click the Manage Groups link.
3. Locate the group you want to edit, and type the desired changes.
For more information regarding how to find specific entries, refer to the concepts outlined in “Finding Group Entries,” on page 76.
For more information about editing group attributes, see The Manage Groups Page in the online help.
NOTE
It is possible that you will want to change an attribute value that is not displayed by the group edit form. In this situation, use the Directory Server ldapmodify command line utility, if available.

Adding Group Members

To add members to a group, perform the following steps:
1. Access the Enterprise Server Administration Server and choose the Users & Groups tab.
2. Click the Manage Groups link.
3. Locate the group you want to manage as described in “Finding Group Entries,” on page 76, and click the Edit button under Group Members. Enterprise Server displays a new form that enables you to search for entries. If you want to add user entries to the list, make sure Users is shown in the Find pull-down menu. If you want to add group entries to the group, make sure Group is shown.
4. In the right-most text field, enter a search string. Enter any of the following options:
• A name. Enter a full name or a partial name. All entries whose name matches the search string are returned. If no such entries are found, all entries that contain the search string are found. If no such entries are found, any entries that sound like the search string are found.
• A user ID if you are searching for user entries.
• A telephone number. If you enter only a partial number, any entries that have telephone numbers ending in the search number are returned.
• An email address. Any search string containing an at (@) symbol is assumed to be an email address. If an exact match cannot be found, then a search is performed to find all email addresses that begin with the search string.
• Enter either an asterisk (*) or simply leave this text field blank to see all of the entries or groups currently residing in your directory.
• Any LDAP search filter. Any string that contains an equal sign (=) is considered to be a search filter.
5. Click Find and Add to find all the matching entries and add them to the group.
If the search returns any entries that you do not want to add to the group, click the box in the Remove from list? column. You can also construct a search filter to match the entries you want removed and then click Find and Remove.
6. When the list of group members is complete, click Save Changes.
The currently displayed entries are now members of the group.
For more information about adding group members, see The Edit Members Page in the online help.

Adding Groups to the Group Members List

You can add groups (instead of individual members) to the group’s members list. Doing so causes any users belonging to the included group to become a member of the receiving group. For example, if Bob Smith is a member of the Engineering Managers group, and you make the Engineering Managers group a member of the Engineering Personnel group, then Bob Smith is also a member of the Engineering Personnel group.
To add a group to the members list of another group, add the group as if it were a user entry. For more information, see “Adding Group Members,” on page 77.

Removing Entries from the Group Members List

To delete an entry from the group members list, perform the following steps:
1. Access the Enterprise Server Administration Server and choose the Users & Groups tab.
2. Click the Manage Groups link, locate the group you want to manage as described in “Finding Group Entries,” on page 76, and click the Edit button under Group Members.
3. For each member that you want to remove from the list, click the corresponding box under the Remove from list? column. Alternatively, you can construct a filter to find the entries you want to remove and click the Find and Remove button. For more information on creating a search filter, see “Adding Group Members,” on page 77.
4. Click Save Changes. The entries are deleted from the group members list.

Managing Owners

You manage a group’s owners list the same way as you manage the group members list. The following table identifies which section to read fo r more information:
Table 4-6 Additional Information
Task You Want to Complete / Read Section
Add owners to the group: “Adding Group Members,” on page 77.
Add groups to the owners list: “Adding Groups to the Group Members List,” on page 78.
Remove entries from the owners list: “Removing Entries from the Group Members List,” on page 79.

Managing See Alsos

“See alsos” are references to other directory entries that may be relevant to the current group. They allow users to easily find entries for people and other groups that are related to the current group.
You manage see alsos the same way as you manage the group members list. The following table shows you which section to read for more information:
Table 4-7 Additional Information
Task You Want to Complete / Read Section
Add users to see alsos: “Adding Group Members,” on page 77.
Add groups to see alsos: “Adding Groups to the Group Members List,” on page 78.
Remove entries from see alsos: “Removing Entries from the Group Members List,” on page 79.

Removing Groups

To delete a group, perform the following steps:
1. Access the Enterprise Server Administration Server and choose the Users & Groups tab.
2. Click the Manage Groups link, locate the group you want to manage as described in “Finding Group Entries,” on page 76, and click Delete Group.
NOTE
The Enterprise Server Administration Server does not remove the individual members of the group(s) you remove; only the group entry is removed.


Renaming Groups

To rename a group, perform the following steps:
1. Access the Enterprise Server Administration Server and choose the Users & Groups tab.
2. Click the Manage Groups link and locate the group you want to manage as described in “Finding Group Entries,” on page 76.
3. Click the Rename Group button and type the new group name in the resulting dialog box.
When you rename a group entry, you only change the group’s name; you cannot use the Rename Group feature to move the entry from one organizational unit to another. For example, a business might have the following organizations:
• organizational units for Marketing and Product Management
• a group named Online Sales under the Marketing organizational unit
In this example, you can rename the group from Online Sales to Internet Investments, but you cannot rename the entry such that Online Sales under the Marketing organizational unit becomes Online Sales under the Product Management organizational unit.
Creating Organizational Units
An organizational unit can include a number of groups, and it usually represents a division, department, or other discrete business group. A DN can exist in more than one organizational unit.
To create an organizational unit, perform the following steps:
1. Access the Enterprise Server Administration Server and choose the Users & Groups tab.
2. Click the New Organizational Unit link and enter the required information.
For more information, see The New Organizational Unit Page in the online help. The following notes may be of interest to the directory administrator:
• New organizational units are created using the organizationalUnit object class.
• The distinguished name for new organizational units is of the form:
ou=new organization, ou=parent organization, ...,o=base organization, c=country
For example, if you create a new organization called Accounting within the organizational unit West Coast, and your Base DN is o=Example Corporation, c=US, then the new organization unit’s DN is:
ou=Accounting, ou=West Coast, o=Example Corporation, c=US
Managing Organizational Units
You edit and manage organizational units from the Organizational Unit Edit form. This section describes the following tasks:
• Finding Organizational Units
• Editing Organizational Unit Attributes
• Renaming Organizational Units
• Deleting Organizational Units

Finding Organizational Units

To find organizational units, perform the following steps:
1. Access the Enterprise Server Administration Server and choose the Users & Groups tab.
2. Click the Manage Organizational Units link.
3. Type the name of the unit you want to find in the Find organizational unit field. You can enter any of the following in the search field:
• A name. Enter a full name or a partial name. All entries that exactly match the search string will be returned. If no such entries are found, all entries that contain the search string will be found. If no such entries are found, any entries that sound like the search string are found.
• An asterisk (*) to see all of the groups currently residing in your directory. You can achieve this same result by simply leaving the field blank.
• Any LDAP search filter. Any string that contains an equal sign (=) is considered to be a search filter.
As an alternative, use the pull-down menus in the Find all units whose field to narrow the results of your search.
4. In the Look within field, select the organizational unit under which you want to search for entries. The default is the root point of the directory.
5. In the Format field, choose either On-Screen or Printer.
6. Click Find.
All the organizational units matching your search criteria are displayed.
7. In the resulting table, click the name of the organizational unit that you want to find.
The “Find all units whose” Field
The Find all units whose field allows you to build a custom search filter. Use this field to narrow down the search results that are otherwise returned by Find organizational unit.
To display all of the group entries contained in the Look Within directory, enter either an asterisk (*) or simply leave this text field blank.
For more information regarding how to build a custom search filter, see “Building Custom Search Queries,” on page 65.

Editing Organizational Unit Attributes

To change an organizational unit entry, access the Enterprise Server Administration Server and perform the following steps:
1. Locate the organizational unit you want to edit as described in “Finding Organizational Units,” on page 82. The organizational unit edit form is displayed.
2. Change the displayed fields as desired and click Save Changes.
The changes are made immediately.
NOTE
It is possible that you will want to change an attribute value that is not displayed by the organizational unit edit form. In this situation, use the Directory Server ldapmodify command line utility, if available.

Renaming Organizational Units

To rename an organizational unit entry, access the Enterprise Server Administration Server and perform the following steps:
1. Make sure no other entries exist in the directory under the organizational unit that you want to rename.
2. Locate the organizational unit you want to edit as described in “Finding Organizational Units,” on page 82.
3. Click the Rename button.
4. Enter the new organizational unit name in the resulting dialog box.
NOTE
When you rename an organizational unit entry, you can only change the organizational unit’s name; you cannot use the rename feature to move the entry from one organizational unit to another.

Deleting Organizational Units

To delete an organizational unit entry, access the Administration Server and perform the following steps:
1. Make sure no other entries exist in the directory under the organizational unit that you want to rename.
2. Locate the organizational unit you want to delete as described in “Finding Organizational Units,” on page 82.
3. Click the Delete button.
4. Click OK in the resulting confirmation box.
The organizational unit is immediately deleted.

Managing a Preferred Language List

Enterprise Server enables you to display and maintain the list of preferred languages.
To manage the preferred language list, perform the following steps:
1. Access the Enterprise Server Administration Server and choose the Users & Groups tab.
2. Click the Manage Preferred Language List link.
3. In the Display Language Selection List field, click Yes or No to specify whether Enterprise Server displays the Language Selection List.
4. In the Languages in the Selection List field, click the Add to List checkbox to add each language you want specified as part of the Preferred Language List.
5. Click the default value for the language you want to specify as the default language in the Preferred Language List.
6. Click Save Changes.
Chapter 5

Securing Your Enterprise Server

This chapter describes how to activate the various security features designed to safeguard your data, deny intruders access, and allow access to those you want. Netscape Enterprise Server 6.1 incorporates the security architecture of all Netscape servers: it’s built on industry standards and public protocols for maximum interoperability and consistency.
Before reading this chapter you should be familiar with the basic concepts of public-key cryptography. These concepts include encryption and decryption; public and private keys; digital certificates; and the encryption protocols.
The process of securing your web server will be explained in detail in the following sections:
• Requiring Authentication
• Creating a Trust Database
• Requesting and Installing a VeriSign Certificate
• Requesting and Installing Other Server Certificates
• Migrating Certificates When You Upgrade
• Managing Certificates
• Installing and Managing CRLs and CKLs
• Configuring Remote CRLs
• Setting Security Preferences
• Using External Encryption Modules
• Setting Client Security Requirements
• Setting Stronger Ciphers
• Considering Additional Security Issues
Requiring Authentication
Authentication is the process of confirming an identity. In the context of network interactions, authentication is the confident identification of one party by another party. Certificates are one way of supporting authentication.

Using Certificates for Authentication

A certificate consists of digital data that specifies the name of an individual, company, or other entity, and certifies that the public key, included in the certificate, belongs to that entity. Both clients and servers can have certificates.
A certificate is issued and digitally signed by a Certificate Authority, or CA. The CA can be a company that sells certificates over the Internet, or it can be a department responsible for issuing certificates for your company’s intranet or extranet. You decide which CAs you trust enough to serve as verifiers of other people’s identities.
In addition to a public key and the name of the entity identified by the certificate, a certificate also includes an expiration date, the name of the CA that issued the certificate, and the “digital signature” of the issuing CA.
NOTE A server certificate must be installed before encryption can be activated.
Server Authentication
Server authentication refers to the confident identification of a server by a client; that is, identification of the organization assumed to be responsible for the server at a particular network address.
Client Authentication
Client authentication refers to the confident identification of a client by a server; that is, identification of the person assumed to be using the client software. Clients can have multiple certificates, much like a person might have several different pieces of identification.
Virtual Server Certificates
You can have a different certificate database per virtual server. Each virtual server database can contain multiple certificates. Virtual servers can also have different certificates within each instance.

Creating a Trust Database

Before requesting a server certificate, you must create a trust database. In Enterprise Server the Administration Server and each server instance can have its own trust database. The trust database should only be created on your local machine.
When you create the trust database, you specify a password that will be used for a key-pair file. You will also need this password to start a server using encrypted communications. For a list of guidelines to consider when changing a password, see “Changing Passwords or PINs,” on page 132.
In the trust database you create and store the public and private keys, referred to as your key-pair file. The key-pair file is used for SSL encryption. You will use the key-pair file when you request and install your server certificate. The certificate is stored in the trust database after installation. The key-pair file is stored encrypted in the following directory:
server_root/alias/<serverid-hostname>-key3.db.
The Enterprise Server Administration Server can only have one trust database. Each server instance can have its own trust database. Virtual servers are covered by the trust database created for their server instance.
Creating a Trust Database
To create a trust database, perform the following steps:
1. Access either the Enterprise Server Administration Server or the Server Manager and choose the Security tab. For the Server Manager you must first select the server instance from the drop-down list.
2. Click on the Create Database link.
3. Enter a password for the database.
4. Repeat the password.
5. Click OK.
6. For the Server Manager, click Apply, and then Restart for changes to take effect.
After creating a certificate trust database for your server, you can request a certificate and submit it to a Certificate Authority (CA). If your company has its own internal CA, request your certificate from them. If you plan to purchase your certificate from a commercial CA, choose a CA and ask for the specific format of the information they require. A list of available certificate authorities, including links to their sites, is available on the Request a Certificate page. For more information on what CAs may require, a list of Certificate Authorities is available through both Server Administrator and Server Manager Security Pages under Request a Certificate.
The Administration Server can have only one server certificate. Each server instance can have its own server certificate. You can select a server instance certificate for each virtual server.

Using password.conf

Normally, you cannot start a UNIX SSL-enabled server with the /etc/rc.local or the /etc/inittab files, because the server requires a password before starting. By default, the web server prompts the administrator for the key database password before starting up. If you must be able to start/restart an unattended web server, you can save the password in a password.conf file, but this is not recommended. Only do this if your system is adequately protected so that this file and the key databases are not compromised. The server’s password.conf file should be owned by root or the user who installed the server, and only the owner should have read or write access.
On UNIX, leaving the SSL-enabled server’s password in the password.conf file is a security risk. Anyone who can access the file has access to the SSL-enabled server’s password. Consider the security risks before keeping the SSL-enabled server’s password in the password.conf file.
On Windows NT/Windows 2000, if you have an NTFS file system, you should protect the directory that contains the password.conf file by restricting its access, even if you do not use the password.conf file. The directory should have read/write permissions for the administration server user and the web server user. Protecting the directory prevents others from creating a false password.conf file. You cannot protect directories or files on FAT file systems by restricting access to them.
Start an SSL-enabled Server Automatically
If security risks are not a concern for you, follow these steps to start your SSL-enabled server automatically:
1. Make sure SSL is on. See “Turning Security On,” on page 109.
2. Create a new password.conf file in the config subdirectory of the server instance.
If you are using the internal PKCS#11 software encryption module that comes with the server, enter the following information:
internal:your_password
If you are using a different PKCS#11 module (for hardware encryption or hardware accelerators), specify the name of the PKCS#11 module, followed with the password. For example:
nFast:your_password
3. Stop and restart your server for the new setting to take effect.
You will always be prompted to supply a password when starting the web server, even after the password.conf file has been created.
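The ownership and permission rules the guide gives for password.conf on UNIX, together with the module:password line format shown above, can be checked mechanically. This is an added example, not server code; the temporary file it writes, the placeholder password and the expected-owner list are constructed for the demonstration.

```python
import os
import pwd
import stat
import tempfile


def parse_password_conf(text):
    """Return {module: password} from lines of the form module:password
    (for example internal:... for the built-in module or nFast:... for an external one)."""
    entries = {}
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        module, sep, password = line.partition(":")
        if not sep or not module.strip() or not password:
            raise ValueError("line %d: expected <module>:<password>" % number)
        entries[module.strip()] = password
    return entries


def owner_name(uid):
    """User name for a uid, falling back to the number when there is no passwd entry."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def current_owner():
    return owner_name(os.getuid())


def audit_password_conf(path, allowed_owners):
    """Apply the guide's two conditions: the file is owned by root or the installing user
    (passed in as allowed_owners) and only the owner may read or write it.
    Returns (modules, findings); an empty findings list means the file passes."""
    st = os.stat(path)
    findings = []
    owner = owner_name(st.st_uid)
    if owner not in allowed_owners:
        findings.append("owned by %s, expected one of: %s" % (owner, ", ".join(allowed_owners)))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %s grants group/other access; expected -rw-------"
                        % stat.filemode(st.st_mode))
    with open(path) as fh:
        modules = parse_password_conf(fh.read())
    if not modules:
        findings.append("no <module>:<password> entries found")
    return modules, findings


def write_sample(mode):
    """Write a constructed password.conf into a fresh temp directory with the given mode."""
    path = os.path.join(tempfile.mkdtemp(), "password.conf")
    with open(path, "w") as fh:
        fh.write("internal:example-password\n")  # constructed placeholder, not a real secret
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for mode in (0o644, 0o600):
        modules, findings = audit_password_conf(write_sample(mode), ("root", current_owner()))
        print(oct(mode), sorted(modules), findings or "OK")
```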
Requesting and Installing a VeriSign Certificate
VeriSign® is Enterprise Server’s preferred certificate authority. VeriSign’s VICE protocol simplifies the certificate request process. VeriSign has the advantage of being able to return their certificate directly to your server.

Requesting a VeriSign Certificate

To request a VeriSign Certificate, perform the following steps:
1. Access either the Enterprise Server Administration Server or the Server Manager and choose the Security tab. For the Server Manager you must first select the server instance from the drop-down list.
2. Click the Request VeriSign Certificate link.
3. Review the steps required.
4. Click Get Certificate.
5. Follow the VeriSign procedure.

Installing a VeriSign Certificate

If you request and receive approval for a VeriSign certificate, it should appear in the drop-down list of the Install VeriSign Certificate page in one to three days. To install a VeriSign Certificate, perform the following steps:
1. Access either the Enterprise Server Administration Server or the Server Manager and choose the Security tab. For the Server Manager you must first select the server instance from the drop-down list.
2. Click the Install VeriSign Certificate link.
3. Choose internal (software) from the drop-down list for cryptographic module, unless you will use an external encryption module.
4. Enter your Key Pair File Password or PIN.
5. Select the TransactionID to Retrieve from the drop-down list.
You will usually want the last one.
6. Click Install.
7. For the Server Manager, click Apply, and then Restart for changes to take effect.
Requesting and Installing Other Server Certificates
Besides VeriSign, you can request and install certificates from other certificate authorities. A list of CAs is available through both Server Administrator and Server Manager Security Pages under Request a Certificate. Your company or organization may provide its own internal certificates. This section describes how you would request and install these other types of server certificates.
Required CA Information

Before you begin the request process, make sure you know what information your CA requires. Whether you are requesting a server certificate from a commercial CA or an internal CA, you need to provide the following information:
Common Name must be the fully qualified hostname used in DNS lookups (for example, www.example.com). This is the hostname in the URL that a browser uses to connect to your site. If these two names don’t match, a client is notified that the certificate name doesn’t match the site name, creating doubt about the authenticity of your certificate. Some CAs might have different requirements, so it’s important to check with them.
You can also enter wildcard and regular expressions in this field if you are requesting a certificate from an internal CA. Most vendors would not approve a certificate request with a wildcard or regular expression entered for common name.
Email Address is your business email address. This is used for correspondence between you and the CA.
Organization is the official, legal name of your company, educational institution, partnership, and so on. Most CAs require that you verify this information with legal documents (such as a copy of a business license).
Organizational Unit is an optional field that describes an organization within your company. This can also be used to note a less formal company name (without the Inc., Corp., and so on).
Locality is an optional field that usually describes the city, principality, or country for the organization.
State or Province is usually required, but can be optional for some CAs. Note that most CAs won’t accept abbreviations, but check with them to be sure.
Country is a required, two-character abbreviation of your country name (in ISO format). The country code for the United States is US.
All this information is combined as a series of attribute-value pairs called the distinguished name (DN), which uniquely identifies the subject of the certificate.
If you are purchasing your certificate from a commercial CA, you must contact the CA to find out what additional information they require before they issue a certificate. Most CAs require that you prove your identity. For example, they want to verify your company name and who is authorized by the company to administer the server, and they might ask whether you have the legal right to use the information you provide.
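As an added illustration, not taken from this guide or from Enterprise Server itself, the following Python assembles the fields described above into a DN string, checks them against the requirements listed (fully qualified Common Name, required email and Organization, two-character Country, spelled-out State), and tests whether a Common Name covers the hostname a browser connects to, including the wildcard form an internal CA may accept. The dictionary keys, the function names and the sample organization are the example’s own assumptions.

```python
import re

# Attribute types for the request-form fields, in the leaf-first order
# conventionally used when a DN is written out as a string (RFC 2253).
DN_FIELD_ORDER = (
    ("CN", "common_name"),
    ("OU", "organizational_unit"),
    ("O", "organization"),
    ("L", "locality"),
    ("ST", "state_or_province"),
    ("C", "country"),
)

# One DNS label: letters, digits and hyphens, not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def is_fqdn(name: str) -> bool:
    """True if name is a fully qualified hostname of at least two valid labels."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)

def escape_rdn_value(value: str) -> str:
    """Escape an attribute value as RFC 2253 section 2.4 requires."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, len(value) - 1):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)

def build_dn(fields: dict) -> str:
    """Combine the attribute-value pairs into the certificate subject's DN."""
    parts = []
    for attr, key in DN_FIELD_ORDER:
        value = fields.get(key)
        if value:  # Organizational Unit and Locality are optional
            parts.append(f"{attr}={escape_rdn_value(value)}")
    return ", ".join(parts)

def validate_request_fields(fields: dict, internal_ca: bool = False) -> list[str]:
    """Return the problems a CA would reject the request for (empty means OK)."""
    problems = []
    cn = fields.get("common_name", "")
    looks_like_pattern = any(c in cn for c in "*^$[]()")
    if looks_like_pattern and not internal_ca:
        problems.append("wildcard or regular-expression Common Name is only accepted by an internal CA")
    elif not looks_like_pattern and not is_fqdn(cn):
        problems.append("Common Name must be the fully qualified DNS hostname of the site")
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", fields.get("email", "")):
        problems.append("Email Address is required for correspondence with the CA")
    if not fields.get("organization"):
        problems.append("Organization (legal name) is required")
    if not re.fullmatch(r"[A-Z]{2}", fields.get("country", "")):
        problems.append("Country must be a two-character ISO code such as US")
    state = fields.get("state_or_province", "")
    if state and len(state) <= 2:
        problems.append("State or Province should be spelled out; most CAs reject abbreviations")
    return problems

def cn_matches_host(cn: str, host: str) -> bool:
    """Does the Common Name cover the hostname in the URL a browser connects to?

    A single '*' standing for the whole leftmost label is the only wildcard
    form accepted here, which is how clients commonly treat wildcard names."""
    cn, host = cn.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in cn:
        return cn == host
    cn_labels, host_labels = cn.split("."), host.split(".")
    if cn_labels[0] != "*" or len(cn_labels) != len(host_labels):
        return False
    return cn_labels[1:] == host_labels[1:]

# Constructed sample request; the organization and addresses are fictitious.
SAMPLE_FIELDS = {
    "common_name": "www.example.com",
    "email": "webmaster@example.com",
    "organization": "Example Corporation, Inc.",
    "organizational_unit": "Web Operations",
    "locality": "Mountain View",
    "state_or_province": "California",
    "country": "US",
}

if __name__ == "__main__":
    print(build_dn(SAMPLE_FIELDS))
    print(validate_request_fields(SAMPLE_FIELDS) or "no problems found")
    print(cn_matches_host(SAMPLE_FIELDS["common_name"], "www.example.com"))
```

The comma in the sample Organization shows why the escaping matters: without it the DN string would appear to contain an extra attribute. Note that the wildcard check deliberately refuses `*.example.com` for the bare `example.com` host and for hosts with more labels, which is the usual client behaviour.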
Some commercial CAs offer certificates with greater detail and veracity to organizations or individuals who provide more thorough identification. For example, you might be able to purchase a certificate stating that the CA has not only verified that you are the rightful administrator of the computer, but that you are a company that has been in business for three years, and have no outstanding customer litigation.

Requesting Other Server Certificates

To request a certificate, perform the following steps:
1. Access either the Enterprise Server Administration Server or the Server Manager and choose the Security tab. For the Server Manager you must first select the server instance from the drop-down list.
2. Click the Request a Certificate link.
3. Select if this is a new certificate or a certificate renewal.
Many certificates expire after a set period of time, such as six months or a year. Some CAs will automatically send you a renewal.
4. Perform the following steps to specify how you want to submit the request for the certificate:
If the CA expects to receive the request in an email message, check CA Email and enter the email address of the CA. For a list of CAs, click List of available certificate authorities.
If you are requesting the certificate from an internal CA that is using Netscape Certificate Server, click CA URL and enter the URL for the Certificate Server. This URL should point to the certificate server’s program that handles certificate requests. A sample URL might be:
https://CA.example.com:444/cms.
5. Select the cryptographic module for the key-pair file you want to use when requesting the certificate from the drop-down list.
6. Select the cryptographic key size to be used with the certificate from the drop-down list.
Choose a key size of 1024 or 2048 bits. This key is used in RSA operations. Larger keys can provide improved security, but the computation time associated with this key is proportional to the square of the modulus. For example, a key size of 2048 bits takes four times longer to process than a 1024-bit key size.
NOTE There are many factors that affect SSL performance, such as server load, operating system and SSL hardware accelerators. Also, older browsers might have problems with the larger key size. Do not change the key size without first determining if it is necessary for your environment.
7. Enter the password for your key-pair file.
This is the password you specified when you created the trust database, unless you selected a cryptographic module other than the internal module. The server uses the password to get your private key and encrypt a message to the CA. The server then sends both your public key and the encrypted message to the CA. The CA uses the public key to decrypt your message.
8. Enter your identification information.
The format of this information varies by CA. For a general description of these fields, a list of Certificate Authorities is available through both Server Administrator and Server Manager Security pages under Request a Certificate. Note that most of this information usually isn’t required for a certificate renewal.
9. Double-check your work to ensure accuracy.
The more accurate the information, the faster your certificate is likely to be approved. If your request is going to a certificate server, you’ll be prompted to verify the form information before the request is submitted.
10. Click OK.
11. For the Server Manager, click Apply, and then Restart for changes to take effect.
The server generates a certificate request that contains your information. The request has a digital signature created with your private key. The CA uses a digital signature to verify that the request wasn’t tampered with during routing from your server machine to the CA. In the rare event that the request is tampered with, the CA will usually contact you by phone.
If you choose to email the request, the server composes an email message containing the request and sends the message to the CA. Typically, the certificate is then returned to you via email. If instead you specified a URL to a certificate server, your server uses the URL to submit the request to the Certificate Server. You might get a response via email or other means depending on the CA.
The CA will notify you if it agrees to issue you a certificate. In most cases, the CA will send your certificate via email. If your organization is using a certificate server, you may be able to search for the certificate by using the certificate server’s forms.
NOTE Not everyone who requests a certificate from a commercial CA is given one. Many CAs require you to prove your identity before issuing you a certificate. Also, it can take anywhere from one day to two months to get approval. You are responsible for promptly providing all the necessary information to the CA.
Once you receive the certificate, you can install it. In the meantime, you can still use your server without SSL.

Installing Other Server Certificates

When you receive your certificate back from the CA, it will be encrypted with your public key so that only you can decrypt it. Only by entering the correct password for your trust database can you decrypt and install your certificate.
There are three types of certificates:
Your own server’s certificate to present to clients
A CA’s own certificate for use in a certificate chain
A trusted CA’s certificate
A certificate chain is a hierarchical series of certificates signed by successive certificate authorities. A CA certificate identifies a certificate authority (CA) and is used to sign certificates issued by that authority. A CA certificate can in turn be signed by the CA certificate of a parent CA, and so on, up to a root CA.
NOTE If your CA doesn’t automatically send you their certificate, you should request it. Many CAs include their certificate in the email with your certificate, and your server installs both certificates at the same time.
The server will use the key-pair file password you specify to decrypt the certificate when you install it. You can either save the email somewhere accessible to the server, or copy the text of the email and be ready to paste the text into the Install Certificate form, as described here.
Installing a Certificate
To install a certificate, perform the following steps:
1. Access either the Enterprise Server Administration Server or the Server Manager and choose the Security tab. For the Server Manager you must first select the server instance from the drop-down list.
2. Click the Install Certificate link.
3. Check the type of certificate you are installing:
This Server is for a single certificate associated only with your server.
Server Certificate Chain is for a CA’s certificate to include in a certificate chain.
Trusted Certificate Authority (CA) is for a certificate of a CA that you want to accept as a trusted CA for client authentication.
4. Select the Cryptographic Module from the drop-down list.
5. Enter the Key-Pair File Password.
6. Leave the name for the certificate field blank if it will be the only one used for this server instance, unless:
Multiple certificates will be used for virtual servers. Enter a certificate name unique within the server instance.
Cryptographic modules other than internal are used. Enter a certificate name unique across all server instances within a single cryptographic module.
If a name is entered, it will be displayed in the Manage Certificates list, and should be descriptive. For example, “United States Postal Service CA” is the name of a CA, and “VeriSign Class 2 Primary CA” describes both a CA and the type of certificate. When no certificate name is entered, the default value is applied.
7. Select either:
Message is in this file and enter the full pathname to the saved email
Message text (with headers) and paste the email text
If you copy and paste the text, be sure to include the headers -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, including the beginning and ending hyphens.
8. Click OK.
9. Select either:
Add Certificate if you are installing a new certificate.
Replace Certificate if you are installing a certificate renewal.
10. For the Server Manager, click Apply, and then Restart for changes to take effect.
The certificate is stored in the server’s certificate database. The filename will be <alias>-cert7.db. For example:
https-serverid-hostname-cert7.db
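The following Python is an added example, not code from this guide or from Enterprise Server, showing the checks an administrator can run on the email text before pasting it into the Install Certificate form: that every BEGIN CERTIFICATE line has its matching END line with the hyphens intact, that the base64 body between them decodes, and that the result is one complete DER structure rather than a truncated paste. It also handles the case the NOTE above describes, where the CA’s own certificate arrives in the same message as the server certificate. The email text and the two certificate stand-ins are constructed for the example; the stand-ins are minimal DER values, not real X.509 certificates.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
PEM_RE = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.DOTALL)

def pem_encode(der: bytes) -> str:
    """Wrap DER bytes in the PEM armour a CA mails back, 64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{BEGIN}\n{body}\n{END}\n"

def der_total_length(der: bytes) -> int:
    """Total size the outermost DER SEQUENCE claims, header bytes included."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE: wrong outer tag")
    first = der[1]
    if first < 0x80:                 # short form: the length fits in one byte
        return 2 + first
    n = first & 0x7F                 # long form: the next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def extract_certificates(text: str) -> list[bytes]:
    """Return every certificate in pasted email text as DER bytes, in order.

    Raises ValueError for the mistakes the install form cannot recover from:
    a BEGIN line without its END line (or the reverse, e.g. hyphens missing),
    a corrupt base64 body, or decoded bytes that are not one complete DER
    SEQUENCE, which is what a truncated paste looks like."""
    if text.count(BEGIN) != text.count(END):
        raise ValueError("unbalanced BEGIN/END CERTIFICATE lines; paste both headers, hyphens included")
    certs = []
    for match in PEM_RE.finditer(text):
        body = re.sub(r"\s+", "", match.group(1))   # drop line breaks and mail wrapping
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:                   # binascii.Error is a ValueError
            raise ValueError(f"certificate body is not valid base64: {exc}") from None
        if der_total_length(der) != len(der):
            raise ValueError("decoded certificate is truncated or has trailing bytes")
        certs.append(der)
    return certs

def is_rejected(text: str) -> bool:
    """True if extract_certificates refuses the text (used to demonstrate failures)."""
    try:
        extract_certificates(text)
    except ValueError:
        return True
    return False

# Constructed stand-ins for certificates: minimal DER SEQUENCEs, not real X.509.
SAMPLE_SERVER_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])   # SEQUENCE { INTEGER 1 }
_inner = b"\x04\x81\xc5" + b"A" * 197                        # OCTET STRING of 197 bytes
SAMPLE_CA_DER = b"\x30\x81\xc8" + _inner                     # long-form length 0x81 0xC8 = 200

# Constructed email as a CA might return it: headers, a note, then two PEM
# blocks, the server certificate followed by the CA's own certificate.
SAMPLE_EMAIL = (
    "From: ca-admin@example.com\n"
    "To: webmaster@example.com\n"
    "Subject: Your server certificate\n"
    "\n"
    "Your request has been approved. Your certificate and our CA certificate follow.\n"
    "\n"
    + pem_encode(SAMPLE_SERVER_DER)
    + "\n"
    + pem_encode(SAMPLE_CA_DER)
)

if __name__ == "__main__":
    for n, der in enumerate(extract_certificates(SAMPLE_EMAIL), 1):
        print(f"certificate {n}: {len(der)} DER bytes")
    # Simulate a paste that lost the closing hyphens on the first END line.
    print("missing hyphens rejected:", is_rejected(SAMPLE_EMAIL.replace(END, END[:-5], 1)))
```

The outer-length check is deliberately shallow: it does not parse X.509, only confirms that the bytes form exactly one complete DER SEQUENCE, which is enough to catch the common copy-and-paste failures (a dropped line, a cut-off block) before they reach the server.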
Migrating Certificates When You Upgrade
Key-pair files and certificates are migrated only if your server has security enabled. You can also migrate keys and certificates by themselves using the Security tabs in the Enterprise Server Administration Server page and the Server Manager page.
In Enterprise Server 6.1, the Enterprise Server Administration Server and each server instance has its own certificate and key-pair file, referred to as a trust database instead of an alias.
You manage the trust database and its constituent certificates, including the server certificate and all the included Certificate Authorities, from the Enterprise Server Administration Server for itself, and from the Server Manager for server instances. The certificate and key-pair database files are now named after the server instance that uses them. If in the previous version multiple server instances shared the same alias, when migrated the certificate and key-pair file are renamed for the new server instance.
The entire trust database associated with the server instance is migrated. All the Certificate Authorities listed in your previous database are migrated to the Enterprise Server 6.1 database. If duplicate CAs occur, use the previous CA until it expires. Do not attempt to delete duplicate CAs.

Migrating a Certificate

To migrate a certificate, perform the following steps:
1. From your local machine, access either the Administration Server or the Server Manager and choose the Security tab. For the Server Manager you must first select the server instance from the drop-down list.
2. Choose:
Migrate 3.X Certificates link from the Administration Server
Migrate Certificate link from the Server Manager.
3. Enter the 3.6 Server Root.
4. Enter the Alias.
5. Enter the Password.
6. Click OK.
7. For the Server Manager, click Apply, and then Restart for changes to take effect.

Using the Built-in Root Certificate Module

The dynamically loadable root certificate module included with Enterprise Server 6.1 contains the root certificates for many CAs, including VeriSign. The root certificate module allows you to upgrade your root certificates to newer versions in a much easier way than before. In the past, you were required to delete the old root certificates one at a time, then install the new ones one at a time. To install well-known CA certificates, you can now simply update the root certificate module file to a newer version as it becomes available through future versions of Enterprise Server or in Service Packs.
Because the root certificate is implemented as a PKCS#11 cryptographic module, you can never delete the root certificates it contains, and the option to delete will not be offered when managing these certificates. To remove the root certificates from your server instances, you can disable the root certificate module by deleting the following in the server’s alias subdirectory:
libnssckbi.so (on most UNIX platforms)
libnssckbi.sl (on HP-UX)
nssckbi.dll (on Windows NT/Windows 2000)
If you later wish to restore the root certificate module, you can copy the extension from bin/https/lib (UNIX and HP-UX) or bin\https\bin (Windows NT/Windows 2000) back into the alias subdirectory.
You can modify the trust information of the root certificates. The trust information is written to the certificate database for the server instance being edited, not back to the root certificate module itself.

Managing Certificates

You can view, delete, or edit the trust settings of the various certificates installed on your server. This includes your own certificate and certificates from CAs.
To manage certificate lists, perform the following steps:
1. Access either the Enterprise Server Administration Server or the Server Manager and choose the Security tab. For the Server Manager you must first select the server instance from the drop-down list.
2. Click the Manage Certificates link.
If you are managing a certificate for a default configuration using the internal cryptographic module, a list of all installed certificates with their type and expiration date is displayed. All certificates are stored in the directory server_root/alias.
If you are using an external cryptographic module, such as a hardware accelerator, you will first need to enter your password for each specific module and click OK. The certificate list will update to include certificates in the module.
3. Click the Certificate Name you wish to manage.
An Edit Server Certificate page appears with management options for that type of certificate. Only CA certificates will allow you to set or unset client trust. Some external cryptographic modules will not allow certificates to be deleted.
4. In the Edit Server Certificate window you may select:
Delete Certificate or Quit for certificates obtained internally
Set client trust, Unset server trust, or Quit for CA certificates
5. Click OK.