Sun Java System Web Server FAQ  Sun Java System Web Server FAQ  Sun Java System Web Server FAQ

Sun Java System Web Server FAQ

This FAQ also covers older versions of SUN's WebServer including the 3.x, 4.x and 6.0 releases
which were named using the then appropriate SUN Naming Conventions (including iPlanet an Netscape)

Q: Problem: Simple Perl scripts run (i.e. a script that will print "Hello World" in a browser window), but more complex scripts fail. They print to the browser window that a server error occurred, and that the administrator should look for core files, etc. Examination of the errors log shows that the CGI "terminated without producing a valid header."

A: Solution:

Verify that the PERL scripts are not failing due to dependencies on external libraries.

Discussion:

Frequently Perl scripts (and scripts written in other languages) will have a dependency
on external libraries. Often the libraries will be located in the same directory as
the script and the Perl interpreter, so a relative link to the library (i.e. require
cgi-lib.pl; ) is sufficient for the script. Frequently programmers will forget that
these links are soft and that the links are "attached" to the Perl interpreter, not
to the script itself. Therefore moving the CGI script to the web server's cgi-bin
directory along with the libraries will break the dependencies since thei Perl
interpreter will look in its own directory for the libraries.

Three ways to work around the problem (there are undoubtedly others) are:

1.Make sure that the libraries are linked with absolute paths
(i.e. require /export/suitespot/cgibin/cgi-lib.pl
or are linked with paths relative to the Perl interpreter
(i.e. require ../../cgibin/cgi-lib.pl; ).

2.Copy the required libraries to the same directory that the Perl interpreter
is installed.

3.Set an environmental variable (i.e. PERL_LIBRARIES) and force the CGI script to pull
the path data from that variable.

Q: cgi-parse-output reports: the CGI program did not produce a valid header

A: This error message basically tells you that your CGI program did not
produce a valid CGI header such as

Content-type: text/html

or

Content-type: text/plain

To debug your CGI program, the following steps shall be taken.

Make sure the first output statement from the CGI program will
produce a valid CGI header such as the one described in the above.
Make sure your program can run successfully from your terminal
prompt by just typing the program name, say, your.ch .

Sometimes, your program may terminate at the mid of the execution
if the flow of the program depends on some environmental
variables passed from the Web server. It is fine if this is
the case. For example, function getnamevalue() depends on the
environmental variables
REQUEST_METHOD, CONTENT_LENGTH, and QUERY_STRING,
and if your CGI program is not invoked by the Web server,
these environmental variables are not set. The values supposedly passed
from a FORM will be NULL, and the program may be terminated prematurely
if run from a terminal. But, the program can be run successfully from
the Common Gateway Interface.
Since your CGI program is executed by the web server, which
uses a different user account from yours,
make sure your program is readable and executable by other users in
the system. In Unix, you can change the permission of your program by
the following command

chmod 755 your.ch

If your CGI program reads and writes a file, make sure the file is readable and writable by the user
account of the Web server. Often times, you may need to create temporary file using the function
tmpnam() in Ch if a temporary file is needed in the CGI program.
If you can login as the Web server, test your CGI program from the account of the Web server. You
may need to get permission from your system administrator to do so.
If your CGI program invokes other Ch programs, you may need to add the following statement

setbuf(stdout,NULL);

before the first printing statement of your CGI program. This function will cause output to be flushed
immediately instead of being buffered so that the output will be sent in a proper sequence.
If you use a C program as your CGI program, make sure you add the following line as the first
statement of the program.

#!/bin/ch

so that it can be used as Ch CGI code in both Unix and Windows although it is not necessary in
Windows.
Read the tutorial on Common Gateway Interface in Ch. about how to write Ch CGI programs.

Q: Is there a way to allow servers which have certificates installed on them to automatically pick up the key password without it being entered in manually?

A: Yes, you can but it means putting the private key in cleartext in the startup file. It lowers the
security of server if it is accessible. Under Unix you need to edit the start script file and do a
redirect '<' to a file containing the password.

The following example uses Enterprise Server 2.01.

Edit this line in the start script:

cd /usr/ns-enterprise201/bin/https; ./ns-httpd -d
/usr/ns-enterprise201/https-aviator/config $@

Append after $@ this: < /usr/ns-enterprise201/https-aviator/pass
so it looks like:

cd /usr/ns-home/bin/https; ./ns-httpd -d
/usr/ns-home/https-nickname/config $@ < /usr/ns-home/https-nickname/pass

The "pass" file contains the password. Create the "pass" file and put the password in it.

For Netscape servers running Windows NT all you need to do is create a file named
'password.txt' that contains only your password and place this file in your config directory.
(For example, c:\netscape\server\https-nickname\config\password.txt)
However. there are a few things to know about this:

If your server is running as Localsystem, you should uncheck the box that reads
"Allow service to interact with desktop" to avoid being prompted for the password.
If you are running a 3.x server and start the server from the admin GUI, a pop up
may still prompt you for the password. You do not need to enter a valid password
here; your server will successfully start no matter what is entered into this box.

Q: How do I know what version of Enterprise Server I have?

A: This is usually readily apparent from the administrative GUI. If this
is not a feasible way for you to find out, you may also check the prodinfo
file in the netscape_enterprise_server_home/bin/admin or if you
don't have this file, by running the following command from that
directory:

for version 3.x (and suitespot), use:

  1. ./ns-admin -v
    Netscape Communications Corporation
    Netscape-Administrator/3.5

for version 4.x you will need to locate the command ns-httpd in:

cd $serverroot/bin/https/bin
./ns-httpd -v

Q: I forgot my password for the Administration GUI and now cannot log in to Netscape Enterprse Server Administration screen. How can I resolve this?

A: The easiest solution is to remove the password from the flat file which
contains the encrypted password for the administrator login.

The file is: /opt/netscape/suitespot/admin-serv/config/admpw

The contents of the file will contain the name of the administrative user
followed by a colon and then the encrypted password. Delete the encrypted
password following the colon.

Q: How do I set the classpath such that I might allow my servlets running under Netscape Enterprise Server to use a custom defined jvm OTHER than the default jvm which Enterprise Server ships with?

A: Take a look at the configuration file located in the directory:
Netscape_enterprise_server_home/https-/config/jvm12.conf.

If you set jvm.include.CLASSPATH=1 option then the CLASSPATH from your
shell environment is imported as part of system classpath. in iWS 4.x,
the default is to use the shell environment's classpath.
this has been changed in iWS 6.0 where you will have to explicitly
enable the option for server to pick up the shell CLASSPATH env.

In either case, with either server version, you can always configure
your classpath in jvm.classpath option, or
contexts.properties context.global.classpath if the classpath is specific
to a context.

Q: What's the best way to start Enterprise Server 6.x?

A: With 6.x of Enterprise Server, an undocumented but helpful option is
available to the "start" command. Start the webserver or administration
server by moving the netscape home directory

eg., cd /usr/netscape/server4 or /opt/

cd https-admserv ..or.. cd https-server_name

./start -e < -e will also tell you the port number being used for connection>

Q: What tool can I use to monitor the performance of my server?

A: Netscape provides the perfdump utility which can easily be enabled on the server
through some simple steps:

1) Backup your obj.conf in case you make a mistake:

cd /https-./config
cp obj.conf obj.conf.bak

2) Edit the obj.conf file and add the following at the bottom
as follows:

Service fn="service-dump"

3) Stop and restart the webserver

Note: Stop the webserver using the browser based GUI. in
so doing, you will be prompted that the configuration
files have been modified by hand. Click on the "apply"
button in the upper right hand corner of the GUI and then
on "Load Configuration Files". Then try to start the server
from the GUI.

4) Access the perfdump statistics by pointing your browser to:

http:///.perf?refresh=

Note: perfdump may also be obtainable via the command line

(echo "GET /.perf";sleep 1 ) | telnet webserver port_number

Q: How do I setup a virtual server using NES 6.0?

A: NES 6.0 has a different look and feel to the GUI which makes a few changes
to the way that one would have normally configured a virtual server (host)
under the older 4.x versions of the server.

Here is the general outline of the steps involved to configuring a virtual
server with NES 6.0:

1) For creating a virtual server that listens on another ip address
(hardware virtual server):

If you are creating a virtual server that will be listening
on another ip address (other than the system ip), you will
have to configure a separate listen socket.

A listen socket in Enterprise Server simply indicates to the
server what ip addresses and ports to listen to incoming requests

You do this by getting into the server manager in the GUI for the
particular server instance you choose.

Click on "Add Listen Socket" and give an id (eg., shmuck-id) to your socket
You will also indicate what ip address to listen to. This could be
a virtual ip address that you had pre-configured in Solaris - let's
say something like: 6.6.6.6 on port 9191. Enter the appropriate
values for ip and port and click "ok". Servername could be just the
default name of your server. Click on"help" for further information.

You should have already configured the UNIX portion of this and
should also be able to confirm that an "ifconfig -a" shows
the ip address and interface (physical or virtual) already listening.

If this isn't the case, you will need to "plumb" an interface in UNIX
before proceeding.

1) Create a virtual server in the GUI by clicking "class manager" in the
upper right hand side of the GUI display

2) Click on "Add Virtual Server". Give it an identifier that you will
remember. Note that although it is indicated that you may use the
characters such as "_" and ".", they do not appear to work. Avoid
all non-alphanumeric characters. In our example, this would be:
myshmuck. URL hosts would have the entry that matches the physical
name of the server. In our case, an /etc/hosts entry exists that
indicates 6.6.6.6 belonging to shmuck.com. shmuck.com is therefore
entered into URLhost.

Indicte the urlhost. The urlhost is simply what the user is going to
type in on the URL line in their browser to reach the virtual host.

Indicate the connection to be the listen socket noted above as "greg-id"

One more note. Make sure that the identfier (id) and the URLhost
names are DIFFERENT. If they are the same, the server will become
very confused and will not start.

3) Click on the "Content Management" tab. You may wish to change the
primary document directory to some other directory with a unique
index page. make sure that you actually do create the new
document directory at the UNIX shell level first if indeed you choose
to do this.

II) Creating Host Based Virtual hosts (software virtual hosting)

This means that the webserver will listen to incoming requests on
the default ip address but will distinguish the content to be delivered
based upon the parsing of the host name in the URL header.

Note that host based addressing is only supported in Netscape Browsers
that have a revision higher then 3.x and that can support the http
protocol version 1.1.

This situation is even simpler than hardware virtual server setup.
In our example, we will create a software virtual server that is
hosted off of the main server.

1) click on the manage tab next to the server you wish to manage.

2) click on the "class manager" tab (upper right hand portion of screen.

3) click on "add virtual server" (left side menu bar)

4) For name, enter the name of your server as it appears in
your naming files (eg., /etc/hosts has sinkhole).

For connections, enter the default ls:1

Wth software virtual servers, you use the same listen socket and ip....

For "URLhosts", enter the name that you will be typing in on the url line
in the browser when you attempt to hit the site.

Click ok....

5) Apply your changes.

6) Do not forget to add the name that you added to urlhosts also to
the /etc/hosts file.... eg.,

129.148.192.138 saturn5 sinkhole loghost (saturn5 is primary, sinkhole is virtual)

Q: How do I set the Java heap size on iPlanet Web Server(iWS)? And how do I fine-tune the heapsize for iWS?

A: To configure the Java heap size, go to the
server_root/https-instance_name/config directory and edit the jvm12.conf file.
In this file, you can set jvm.minHeapSize and jvm.maxHeapSize .
The file will appear something as follows:

bash-2.00$ cat jvm12.conf
[JVMConfig]
#jvm.minHeapSize=1048576
#jvm.maxHeapSize=16777216
#jvm.enableClassGC=0
#jvm.verboseMode=1
#jvm.enableDebug=1
#jvm.printErrors=0
#jvm.option=-Xrunoii
#jvm.profiler=optimizeit
#jvm.disableThreadRecycling=0
#jvm.serializeAttach=0
#jvm.stickyAttach=0
#jvm.trace=5
#jvm.allowExit=0
#java.compiler=NONE
#OPTITDIR=D:/App/IntuitiveSystems/OptimizeIt30D
#nes.jsp.enabledebug=1
#jvm.include.CLASSPATH=1
#nes.jsp.forkjavac=0
#jvm.serializeFirstRequest=0
jvm.exitOnAbort=40
jvm.classpath=/export/iws41/plugins/samples/servlets/beans.10/
SDKBeans10.jar:/export/iws41/plugins/samples/servlets/beans/SDKBeans.jar

After setting jvm.minHeapSize and jvm.maxHeapSize (and also removing the comment symbol, "#",
you can then use some Java code, such as the following code, to confirm that
the memory available to Java has increased:

double freeMem = Runtime.getRuntime().freeMemory();
double totlMem = Runtime.getRuntime().totalMemory();

Q: What is the recommended Maximum Heap size setting for the jdk?

A: The maximum heap size highwater mark must NEVER exceed the amount of
physical memory available on the system. Other constraints apply
beyond this as well and should be taken into consideration:

1) 2 Gig is a highwater mark that should not be exceeded irregardless
of the amount of physical memory available on the sytem.

2) Specifying too large an a stack size can increase the number of
page faults and garbage collection related issues.

Q: So you think that you don't have enough file descriptors? You didn't get enough and so you want some more?

I'll tell you how to check to see if you have got enough.

A: ulimit -n -. This will show you the "soft" limit. If you want to
see your high water mark, you need to look at the numbers through
adb. Youse do it like this:

adb -k

rlim_fd_max/D

d <<<< to get out of adb...

Q: A client behavior is the browser seems to wait endlessly on a request to the server to complete. This is a condition that occurs within the browser.

A: To work around this problem: 1.Turn off server-side caching in the Enterprise Server, or

Turn off keepalive connections by adding to the magnus.conf:

KeepAliveTimeout 0

Q: How do I install a certificate on a second iPlanet Web Server (iWS) that has the same URL

A: In order to install a certificate on a second iWS that
has the same URL, copy the two original certificate
databases in server-root/alias to the second instance
of iWS. For example, if you have two iWS instances,
"foo" and "bar," and you want to use a certificate
already installed on the "foo" instance with the "bar" instance, you
would perform the following actions:

Copy "https-foo-hostname-cert7.db" over to
"https-bar-hostname-cert7.db".

Copy "https-foo-hostname-key3.db" over to
"https-bar-hostname-key3.db".

The SSL password will be the same for both instances,
as they will be using a copy of the same database.
(Note that if you add subsequent certificates to one of
the databases, it will not be automatically mirrored in
the second webserver instance).

NOTE: Your certificate vendor may have restrictions
against this practice. Consult with your vendor before
attempting this practice.

Q: I am trying to set up SSL for my web server. I note the following error when attempting to start the server on the secure ssl port: File System Error:Encryption No Trust Database Found. Please create one before enabling security. The system returned error number -5950, which is an unknown early startup error.

A: If you have already done the preliminary step when
setting up certificates of creating a trusted database
(manage server -> security -> create database), then
the other possibilities are:

1) Check the permissions on the alias directory
(/nes_server_home/alias) such that they are
open to write as the user the server runs as.

2) Verify that you are starting the instance of the
web server for which you actually created the
certificate for. This means that if you are
trying to start a server instance named "zoltar",
then make sure that you have certificates in the
alias directory such as: https-zoltar-zoltar-key3.db
and https-zoltar-zoltar-cert7.db

Q: How could I check to see if the web server is experiencing the effects of a memory leak?

A: Restart your server. Look at the process "size" using
either "top" or "ps". The top command gives the added
advantage of having a threads column (THR) which will
show you the number of active threads. The number of
threads should increase based upon the number of
simultaneous requests

Now hit the server with a load of say 50 concurrent users
for X times and for Y minutes. You should see the process
size increase in top. Let the server idle for 5
minutes to let garbage collection do its cleanup.

Hit the server with the same load again. You should NOT
see a dramatic increase in size as you did in the
beginning. THere should not be a huge increase in size
but a small increase.

Let the server idle again for 5 minutes.

Hit the server again but with a lower load than the
original- say- half the size. This time, you should
not see any increase in the size.

Repeat the test over and over.

If there is a memory leak, then the size will
consistently grow. If so, look at the system
config, check SWAP, OS Patches and system settings.

Note that stopping and starting the web server will
not prove anything during this test, because you
will simply be starting from the beginning again.

Q: I have attempted to make a change to the ACL configuration on the web server via the GUI. When I make the changes and click "submit", I find not only that my changes dre not effective but also that they appear to revert to the former settings when I look back at the config page!

A: It is important to remember to click on the apply button
after making any changes via the GUI. Failure to do so
will result in the changes not taking effect and the
related xml files that represent the written format
of the GUI config not being written.

Motto of the GUI: Always click Apply.....

Q: What are the differences between iWS, 4.1 FastTrack and iWS, 4.1 Enterprise Editions?

A: FastTrack Edition is essentially the same product as
Enterprise Edition, supporting the same APIs, but with the following
limiting factors:

Single process, 5 threads only, limiting performance to
~20% of Enterprise Edition
Limited to 5 Virtual Servers
Only 56- bit encrpytion version available
No Web Publishing capability: no Search, Web Publishing API or
Applet support
No WAI support
No Server- Side Java Script support
No LiveWire support
No SSL Hardware Accelerator support
No Group/ Cluster Management support
No Distributed Admin support
No SNMP support

Q: I am receiving errors when attempting to start iPlanet WebServer. The error in /var/adm/messages is: /Startup failure: could not bind to port 80 (Bad file number) What could this mean?

A: Bad file number is an error that is returned from the OS. It relates
to errno #9 in /usr/include/sys/errno.h (see this file for more info).

The bad file number is usually indicative of a system call made against
a file descriptor that is beyond the allowable range of file descriptors
on the system. EG., if the system were to make a reference to file
descriptor #260 and the system only has 256 file descriptors available
to it, then this error would occur.

Solution is to increase the number of file descriptors on the system
in the /etc/system file and reboot.

A separate Q&A above delineates how one would check the number of file
descriptors available to the OS.

Q: I am receiving the following error message in iPlanet Web Server's error log: "java.net.Socket.Exception: Bad file number"

A: This is usually seen when a connection to the web server via a socket
connection can not be made because the maximum number of simultaneous
connections has been reached. This may be alleviated by both
increasing the available number of sockets which clients may
connect to the webserver with and also by reducing the amount
of time that idle connections remain open:

ndd -set /dev/tcp tcp_conn_req_max 1024

ndd -set /dev/tcp tcp_keepalive_interval 30000

The first line would have the effect of increasing the amount
of simultaneous connections to the webserver to 1024

The second line would have the effect of reducing connections
that are not active to a maximum lifetime of 5 minutes before
they are closed...

Q: How do I deploy the sample application war files that are given as examples on page 330 of the iPlanet Web Server 6.0 admin guide.

A: Look at the sample located in $ns_server_home/nes6/plugins/ \
servlets/examples/web-apps

The command to deploy will look like this (from the readme)

For Web Server 6.0 example:

  1. wdeploy deploy -u /hello -i zoltar -v https-zoltar -d
    /opt/nes6/https-zoltar/web-apps/hello
    /opt/nes6/plugins/servlets/examples/web-apps/HelloWorld/HelloWorld.war
    Deploying web application
    Loading new configuration
    Web application deploy successful

For Web Server 6.1 example:

  1. /opt/nes6.1/bin/https/bin/wdeploy deploy -u /test \
    -i saturn5.east.sun.com -v https-saturn5.east.sun.com \
    -d /opt/nes6.1/https-saturn5.east.sun.com/webapps/test \
    /opt/nes6.1/plugins/java/samples/webapps/simple/webapps-simple.war

Make sure that you then go into the administration GUI and
click on "Virtual Servers" for the server you are attempting
to manage and then click on "Java Web Application Settings"
and enter the name of the xml app file you are accessing. In
our example, this would be: web-apps.xml. Be sure to also
click on the radio button on the fight side of the screen to
change the default state from off to on.

Also be sure to add: /usr/java1.2/lib/tools.jar
to the end of the classpath line in the jvm12.conf for the
webserver instance which you are deploying to.

Q: Does perl come with the web server?

A: Why yes it does! At version 6.0 it may be found at the following
location: $ns_server_home/bin/https/perl/perl

A sample script in your cgi-bin directory might then look like

#!/opt/nes6/bin/https/perl/perl
print "Content-type: text/html\n\n"; print " ";
print "Testing Perl";
print " ";

Q: What does the seemingly undocumented directive "address" that appears in the magnus.conf file mean? It is not there by default.

A: The address directive is not included in the magnus.conf file
by default. It is, however, available to be manually included
in this file should you wish the serve rot listen to requests
coming only from a specific ip address.

See the following manual for information about this little known
directive:

http://docs.iplanet.com/docs/manuals/fasttrak/41/nsapi/0b_magnu.htm#17063

Q: Where can I find a list of SSL error codes?

A: A list of SSL Error codes is available at this link

Q: I have increased the number of file descriptors (hard limit) of my web server by increasing the rlim_fd_max parameter in /etc/system to a number higher than 1024? Will my NSAPI take advantage of this if it is running as a non-root user?

A: An NSAPI that runs as a non-root user will NOT take advantage
of more than 1024 concurently open files if it is not run as root.

Q: Are the jvm12.conf parameters defined anywhere? There appears to be no documentation to this file?

A: Please see the link: http://docs.sun.com/source/816-5689-10/xjvm.htm#21181

Q: How do I increase the general logging for the webserver?

A: Manually edit the magnus.conf for the server instance you wish to
increase the logging level for.

Add the parameter and value: LogVerbose on"

for 4.x of the webserver, add this as the last line of the file.

for 6.x of the webserver, add this before the "Init" section if any.

Restart the webserver and don't forget that you will need to click
on the "apply" button in the webserver gui to apply your manually
saved changes!

Q: Is there a way to clear out the JSP cache?

A: Clearing out the jsp cache can be a helpful thing if the jsp classcache
either becomes too large or if there appears to be a problem with startingh
the webserver in which the web sever them complains with errors regarding
"jsps"

The easiest way to find your jsp classcache is to follow the instructions below...

cd server_root/serverinstance/ClassCache

remove all files and directories located at and under this directory.

When using webserver version 6.0, you may also clear out the cache by

1) clicking on the java tab

2) Clicking on the Session Data/JSP Class Cache button on the left side of the display

3) Clicking both the radio buttons for clearing out the files

4) Click ok and then click apply to restart the server...

If you are running webserver version 4.1, then follow the instructions below...

You must now re-enable jsp's through the GUI on the webserver and
then restart the webserver.

1) From the Web Server GUI, click to manage your webserver instance.
2) Click on the "servlets" tab on the top menu.
3) In the resulting display, click ont "NO" radion button under
the section entitled "Enable JSP".
4) Click on the OK button and then apply your changes (choose to
restart your webserver as part of the apply process).
5) Now, after applying your changes, re-enable the JSP's by clicking
on the "YES" radio button and then click on "OK"
6) Click on the Apply button and choose to restart the server.

You may now test your access to your jsp file. The cache should be
created at the time of your initial access to the file.

Q: How do I increase the JVM logging and general logging in the web server?

A: Make the following changes in jvm12.conf of the server instance you are interested in:

From:
#jvm.verboseMode=1
#jvm.printErrors=0
#jvm.trace=5

To:
jvm.verboseMode=1
jvm.printErrors=1
jvm.trace=6

Restart the server instances for the changes to take affect.

To increase general logging for the webserver as a whole,
set the variable: LogVerbose in magnus.conf. See the following
as reference to achieve this:

http://docs.iplanet.com/docs/manuals/enterprise/41/nsapi/0b_magnu.htm#24119

http://docs.iplanet.com/docs/manuals/enterprise/41/nsapi/0b_magnu.htm#24

Q; In websever 6.1, I do not see a jvm12.conf file. How do I make changes to the jvm?

A: Webserver 6.1 no longer makes use of the jvm12.conf file for jvm specific
parameters. Under 6.1, all changes must be carried out within the confines
of the server.xml file.

An example of what this looks like is taken from a working server.xml below:

-Dorg.xml.sax.parser=org.xml.sax.helpers.XMLReaderAdapter
-Dorg.xml.sax.driver=org.apache.crimson.parser.XMLReaderImpl
-Xmx256m

Additional options may be created in the server.xml by bracketing them within
"JVMOPTIONS tags as shown above.

Q: What tuning is specific to tuning a multi-cpu system whichs i-Planet Web Server Version 6.x

A: It is recommended that the following parameters be set in magnus.conf
to take advantage of the increased horsepower of multi-cpu systems:

MinAcceptThreadPerSocket = # cpus
MaxAcceptThreadPerSocket = 2 * # cpus

Q: I receive a "404 Not Found" error when trying to enable PerfDump

A: The most likely reason is that the NameTrans function for perfdump
appears AFTER the NameTrans Function for "document-root"

To fix the problem, ensure that the NameTrans line that signifies
the Document Root appears AFTER the NameTrans line for perfdump.
eg.,
NameTrans fn="assign-name" from="/.perf" name="perf"
NameTrans fn="document-root" root="$docroot"

Q: I am noticing large number of JVM abort errors of the sort:

{{

Unknown macro: { info (11342)}

}}

A: The jvm is started when the webserver is started. A number
of configuration files can have a direct impact as to how
often this error message appears. It is most likely due to
large number of java apps like servlets or jsp's that can
overload the server and cause this error to occur.

Check the following files and consider the following changes
to assist with this error:

jvm12.conf of the web server instance that is affected:

default: #jvm.maxHeapSize=16777216

try uncommenting and setting to a larger value to increase heap:

jvm.maxHeapSize=64000000 <<< set the heap to 64 meg

Also reference the following url:

http://docs.iplanet.com/docs/manuals/enterprise/41/servlets/a-sess.htm#17031

You may also try referenceing the VERY helpful document:

http://ourplanet.red.iplanet.com/CS/WWTechSupport/americas/internet/Documentation/jsptest.html

Also, you may reference the faq above which speaks of
jvm12.conf options

Q: Does iPlanet WebServer run on a 64 bit os or only on 32 bit?

A: iWS runs as a 32 bit application in all OSes except DEC Tru64.

Q: I installed a plugin from a vendor to the webserver and the server continually is stopping and restarting (by uxwdog). What can be done?

A: This particular issue is not a known issue, however, the
issue of server restarts-generally caused by a plugin-is
an issue which we occasionally encounter.

Core files should be generated by the server restarts.
If the CU has no core files in his (server root)/(server
instance name)/config directory, refer him to,
http://knowledgebase.iplanet.com/ikb/kb/articles/5102.html.
Once a core file is obtained, have the CU run dbx against
it--see
http://vault.red.iplanet.com/FARGO/engineeringdocs/ESdebug.html
for more information on how to obtain the dbx stack trace.

Q: How to I get a core file from ns-httpd which is running in SSL Mode?

A: Document id: 3420 in the iplanet knowledge database will yield an answer.

Q: The webserver does not generate a core file when it encounters errors

A: If the server is not able to dump core, you may try the following:

1: Make the following changes to the obj.conf file....

Change this line:

Init fn="NSServletLateInit" LateInit="yes"

To this...

Init fn="NSServletLateInit" LateInit="yes" CatchSignals="0" Signals="SIGSEGV,SIGBUS,SIGABRT"

2: Now edit the jvm12.conf file as follows:

default:

jvm.exitOnAbort=40

Modified:

jvm.exitOnAbort=0

The server should now be able to dump core where it did not before...

Q: My server still does not seem to be able to dump core? What else could be wrong?

A: Please check the following aspects...

1) Check to make sure that lyou have the correct UNIX permissions
so that the server as a user that has permissions to write to
its own instance directory and from that directory below.

To verify this, you should be able to "su" to the user
that the webserver is running as and be able to "touch" a
file in the directory that the webserver is running from
with success.

2) Make sure that ther is enough space in the root directory so
that a large core file can be written there.

3) The user that you execute ./start as (the real user id) may be
different form the user that the server is running as (the effective
user id. You may verify this by checking the magnus.conf file
and checking for the appearance and value of a parameter called
"user" to see what the server will run as.

Q: How do I enable the iPlanet Web Server to utilise the "alternate thread" libraries that are available with the jdk 1.3 and higher?

A: Specify -XX in jvm12.conf at the line:

#jvm.option=-Xrunoii

The above is the default line. Uncomment and modify or add
the following below...

This link will give complete instructions of the options
that can be used in the jdk:

http://java.sun.com/docs/hotspot/VMOptions.html.

Regarding using the -XX:-UseBoundThreads vs
-XX:-OverrideDefaultLibthread...

...the rule is as follows:

******************************

-XX:-OverrideDefaultLibthread

is used with Solaris 8 and with
1.3.1_xx along with setting LD_LIBRARY_PATH with a prefix of
/usr/lib/lwp:/usr/lib/lwp/libthread.so .

******************************

-XX:-UseBoundThreads

used with Pre Solaris 8 and with
1.3.1_xx along with setting LD_LIBRARY_PATH variable with a prefix of
/usr/lib/lwp:/usr/lib/lwp/libthread.so .

******************************

Example on how to set LD_LIBRARY_PATH :

LD_LIBRARY_PATH=/usr/lib/lwp:/usr/lib/lwp/libthread.so:$

Unknown macro: {LD_LIBRARY_PATH}

;
export LD_LIBRARY_PATH

Note that the LD_LIBRARY_PATH is to e set in start-jvm file under
the https-admserv instance

Addendum:

For running java programs from the command line:
------------------------------------------------

Usage: you can do so as follows in the run time command:

'java -XX:-OverrideDefaultLibthread/-XX:-UseBoundThreads
(the other arguments you use)...(the application run time executable)'

Q: Are SSJS (Server Side Java Scripts) supported with iws 6.0?

A: No, that functionality has been deprecated. See the following link for
helpful migration information:

http://docs.iplanet.com/docs/manuals/enterprise/50/ig/migrate.htm#13272

Q: The problem is, when we attempt to use the "Enforce Strong Security" feature of the iPlanet Web Server to restrict SSL access to only 128-bit, it does not seem to apply to requests that are handled by the application server. However, the enforcement does occur for pages that are served locally by the web server. I have been able to test this by first making a request to any page served by the web server

A: The communication between the iWS and iAS is via the NSAPI plugin called web
connector. This uses iAS proprietary protocal, kcp, to talk to iAS. It
does not use normal HTTP(s) to talk to iAS.
So, whatever you do now, it will not work as expected. AFAIK, the S1AS
7.0 will do away with the kcp and use normal HTTP(s) between S1WS and
S1AS.

Q: There is an option under "content management" for using "htaccess"? How do I create an htaccess file to test and implement this functionality?

A: Click link to access the instructions

Q: Are there instructions for deploying a sample web-app application that will also make use of the jsp engine for iWS 6.0!

A: The basic test is the the HelloWorld app for the iWS6.0 webserver. Just
follow the following command and substitute in your variables where and
when they differ!

By default, wdeploy is located in: server_root/bin/https/httpadmin/bin/wdeploy

wdeploy deploy -u /hello -i zoltar -v https-zoltar -d /opt/nes6/https-zoltar/web-apps/hello \
/opt/nes6/plugins/servlets/examples/web-apps/HelloWorld/HelloWorld.war

-u : The relative url under which you will access this app
In this case, it would be: http://zoltar:/hello

-i : The server instance to which this app will be related.

v : The virtual server id which it will relate to: https

-d : The physical directory under which this web app is to be deployed

Last argument is the location of the sample war file we will use to deploy!

Oh yes... Don't forget to enable jsp's and Java for the webserver - and also
if you want jsp's to function, you will need to ensure that you have a FULL jdk and
not just a jre installed!

Q: What are the maximum number of active Web Server threads that can be handled by iWS?

A: The iWS release notes indicate the answer as this: the maximum
number of active Web Server threads is
calculated using the formula RqThrottle +MaxKeepAliveConnections.

Q: Are there any documents available for integrating P3P with iWS?

A: http://www.w3.org/TR/p3pdeployment#Whats_Involved

Q: What information is sent by the webserver when a redirect is indicated for a specific url received from a client browser?

A: A redirect on the webserver tells the browser what hostname and port
to redirect to. The port number is always included, and assumptions
made, even if it is not explicitly being set.

Q: When I utilize the ns-crond function to rotate my log files, I notice that the log files are not always correctly rotated (if at all). Why?

A: There are several things to check here.

The first is whether or not cron based (not ns-crond but a real cron job)
can rotate the log files. If it can, then the problem is most
likely the result of the restat script which ns-crond utilizes, not
being able to respond the kill -HUP which it must in order for the
ns-crond to function properly.

Q: Where do I make changes on the webserver to increase the number of servlet sessions that are simultaneously allowed on the server?

A: If you are deploying the servlets as legacy servlets (not as
web-app), then you need to modify the context.properties to put the
sessionManager related properties as below:

context.global.sessionmgr=com.iplanet.server.http.session.IWSSessionManager
context.global.sessionmgr.initArgs=maxSessions=5000

If you are deploying the servlets as web-app then only you will have to
put the configuration in web-apps.xml file.

Session Manager for legacy servlets:
For each context specified in context.properties, an instance of Session
manager is created (by default it is
com.iplanet.server.http.session.IWSSessionManager). A default
context 'global' is created at the startup time.

Sesion Manager for servlets deployed as web-app:
For each virtual server a session manager is created and can be used by
all the web-apps deployed in it.
For e.g.

maxSessions
5000

In this both the web-apps use the same session manager instance with
maxSession=5000.

You will notice Max session value set to different values, but those are
for different SessionManager objects. By default it is 1000. In the
log you have mentioned,
5000 is getting initialized for web-app servlets and 1000 for legacy
servlets. Your legacy servlets are still having configuration with 1000
max sessions so modify the context.properties as mentioned above.

Q: in the obj.conf I see the directive: ObjectType fn="shtml-hacktype"

What does this mean?

A: shtml-hacktype requests that .htm and .html files are parsed
for server-parsed html commands

Q: My webserver will not start when I try to initialize my NSAPI.

A: Try to check you initialization line in the magnus.conf.

Try adding a LateInit to the line as such:

Init fn="My_function" LateInit="yes"

The line LateInit="yes" means the server will delay loading of the
.dll and .so files until the ns-httpd process has completed loading.
Both .dll and .so files are usually loaded during the time that the
uxwdog process is loading.

Q: In 4.1sp10 and iWS6.0sp3, is there is a parameter that allows the server to step down the protocol version from http 1.1 to http 1.0.

A: There are two possibilities for accomplishing this:

1. to downgrade the HTTP version to 1.0 for Microsoft IE browsers ONLY.

obj.conf add the following:
AuthTrans fn="match-browser" browser="MSIE" http-downgrade="1.0"

2. to downgrade ALL requests to HTTP/1.0 version.
add the following to the magnus.conf:

HttpVersion 1.0

Q: How do I enable "legacy" servlets under iWS 6.0?

A: Servlets may either be deployed as part of a deployment under 6.0
or they may be accessed as individual servlets. As a deployment,
they would be deployed as per the earlier section in this faq.

The older methodology for deploying servlets is now called "legacy"
and simply implies that you will be accessing your servlets as
standalone entities.

From the GUI, click to manage your server, then choose the "legacy
servlets" tab. Click on "Configure Servlet Directory"

Note that a default servlet directory is preconfigured for you as
"/servlet" with a physical directory to be located at $docroot/servlet

You will need to create the "servlet directory" underneath the docroot
directory eg: $iws_install_dir/docs/servlet and then place a sample
servlet in this directory to test.

Accessing the servlet class file by a client browser would look something
like this:

http://iws_server:port/servlet/HelloWorldServlet

where HelloWorldServlet is simply the name of a servlet class file.

Q: Where are the legacy sample servlets located?

A: $server_root/plugins/samples/servlets/servlets
A simple servlet for testing is:

./plugins/samples/servlets/servlets/HelloWorld/HelloWorldServlet.class

which could be copied to the legacy servlet directory for testing...

Q: Is there a sample perl cgi script that will print out all of the CGI environment variables?

A: #!/opt/nes4.1/bin/https/perl/perl

print "Content-type: text/html\n\n";
print "\n";
foreach $key (sort keys(%ENV)) {
print "$key = $ENV{$key}";

Q: How can I translate the url for perfdump so that I can get to: http://server/perf instead of http://server/.perf

A: In the obj.conf file, under the section titled:
add the following name translation...

NameTrans fn="assign-name" name="perf" from=".perf"

and modify the ppath setting as follows:

Service fn="service-dump"

Save your changes and restart the server. You should now be able
to get to: http://server/perf !

Q: I am receiving the following message in my 4.1 server's error log: IWSSessionManager: cannot create a new session as the limit on maximum number of sessions has already been reached: (a number)

A: You have run out of available sessions that can be started.
Make changes by increasing the number of maxSessions
as follows:

cd $server_root/https-/config
vi servlets.properties

add the following to the bottom of the file:

servlets.sessionmgr.initArgs=maxSessions=200,timeOut=300,reapInterval=150

Note that for webserver 6.x and above, that contexts.properties will be
the proper place to instantiate these changes.

Restart the server with the new parameters saved and in place.

Q: Search Engine: If there is a problem, where can I look for errors?

A: Beyond the web server's error log, also look at the error log for
the search engine. Since the search engine is an OEM product, it
is located in a separate location:

/plugins/search/admin/nsloader.err

Q: I am unable to create a search collection with the webserver:

error initializing loader

A: Check that the serverroot/plugins/search/common/style directory
as well as all directories below that directory are owned by
the server user and grouped to match the server group.

To what the server user and optionally, the group are set to,
check the magnus.conf file for the server instance in question.

Please note that doing upgrades of service packs to a webserver
may cause this to occur!!!

Q: Can I utilize JDK 1.4 with iPlanet WebServer 6.0?

A: As of iWS 6.0SP5, JDk 1.4 will be certified for use! Meanwhile,
although it is not officially supported, one may try, on their own,
to utilize the JDK 1.4 but should increase the maxstacksize
to 1024000 in magnus.conf

Q: Can iPlanet webserver 4.1 and 6.0 modify any of the default LDAP values?

A: By editing page: /bin/https/admin/html/dslsusers.html
one can specify values for ldapsizelimit, ldaptimelimit, ...
eg., default value for search result size is 1000.

Q: Publishing a webpage to the 6.0 version of the webserver does not appear to work by default. I receive errors indicating that the requested method is not supported. What should I do?

A: In order to allow for web page publishing, manage the server instance from
the GUI, click on "class manager" followed by "Remote File Manipulation".
Click the radio button to allow remote file manipulation, save and apply
the changes.

Remember that if there are acl's involved, it will be necessary as well
to ensure that users who will be posting allow "post" writes as well!

Q: IS there a good site where I can see where ldap authentication errors are defined?

A: try http://developer.netscape.com/docs/manuals/dirsdk/jsdk30/except
n1.htm

Q: When I attempt to start up the ns-cron daemon, it will not by default start

A: ns-cron is can not by default be started without first creating
an ns-cron.conf file.

The default location for this placement of this cron.conf file is denoted
within the ./https-admserv/config/ns-cron.conf

Here is a sample ns-cron.conf file:

ConfFile /opt/nes6/https-admserv/config/cron.conf
Dir /tmp
Status on

Notice that the ns-cron.conf file has an entry under ConfFile that
indicates where it will find the cron.conf...

Now you must create the file called cron.conf in
https-admserv/config/cron.conf

Place the following entries in that file - of course you will
want to customize the times to your suiting...

<Object name=https-your_server>
Command "/opt/nes6/https-your_server/rotate"
User nobody
Time 11:30
Days Mon Tue Wed Thu Fri Sat Sun
</Object>

and now save the changes and try to start up cron.

verify that it is running with ps -ef | grep -i ns-cron

Q: How do I implement a meta-redirect in my webpage to automatically forward users to a new site?

A:
<html>
<head>
<title> Meta Redirect Code </title>
<meta http-equiv="refresh" content="5;url=http://www.devnull.com">
</head>

<body>
<pre>
This site is no longer in existance, you will automatically be reidrected
to http://www.devnull.com in 5 seconds!
</pre>
</body>
</html>

If you want to see meta-redirect in action Click here

Q: I need info on integrating BEA WebLogic Plugin with iPlanet WebServer

A: see the link at http://edocs.bea.com/wls/certifications/certifications/sun_solaris8.html#39669

Q: Webserver hangs with BEA plugin. Are any troubleshooting documents available?

A: see the link at http://support.bea.com/application_content/product_portlets/support_patterns/wls/Generic_Server_Hang_Pattern.html

Q: Where can I find tuning tips for the BEA plugin?

A: http://e-docs.bea.com/wls/docs61/adminguide/plugin_params.html#1143055

Q: How Do I set up SunONe WebServer 4.1 to allow for a different document root and a separate

cgi-bin directory?

A: Setting up a software virtual server can be done via the gui, however, the ability
to give that virtual server a different document root directory or an independent
cgi-bin directory must be done at the command line by editing the obj.conf file:

By default, there will be a client block which will look like this after you
setup a software virtual server via the gui (under content management)

<Client urlhost="sinkhole">
NameTrans fn="home-page" path="sinkhole.html"
</Client>

The modified file to take advantage of the aforementioned features is denoted below:

<Client urlhost="sinkhole">
NameTrans fn="pfx2dir" from="/sinkhole-cgi-bin" dir="/opt/nes4.1/sinkhole-cgi-bi
n" name="cgi" — add this line for separate cgi-bin directory
NameTrans fn="home-page" path="sinkhole.html"
NameTrans fn="document-root" root="/opt/nes4.1/docs/sinkhole" — add this for doc root
</Client>

Q: I am receiving the following errors when trying to start up the 6.0 webserver administrative server with the jdk1.3 version of the jre

I see the following error messages in the log file:
{{

Unknown macro: { [20/Nov/2002}

}}

A:

Do not use the self extracting binary version. Download the package version of
the product. iThe problem could also be related to downloading the self
extracting version and then moving it to another directory. In the process
links may have been broken.

Install the package version and set the path to the default location of the install
(which is /usr/j2se)

Q: We are getting an OS error. Do you know what what this one means? [04/Dec/2001:09:47:54] failure (20214): Error accepting connection -5974, oserr=233 (Insufficient resources)

A: This is a generic error telling us only that the web server attempted
to gain ac ces to an OS resource, and could not. This could be due to
any number of things. Maybe the OS has run out of available connections.
Please run a "netstat -a" and verify that there are not a large number
of connections either in TIME_WAIT or CLOSE_WAIT state.

Q: How can I start Sun ONE webserver's JVM with en_US.ISO8859-1

A: Add the following to
/opt/NSCPserver/iws_namefinder/https-admserv/start-jvm
LANG=en_US.ISO8859-1; export LANG

Add it before the # DO NOT CHANGE ANYTHING BELOW THIS LINE
and restart the webserver.

Q: The Sun One WebServer (4.x or 6.x) is experiencing issues with the appearance of "OutofMemoryError" errors which then result in an abort () call being made.

What can be done about this?

A: Check to see if the jdk is being referenced. If so, then this problem may
be related to bug id: 4682937. Although this bug denotes a JDK release of
1.3.x, this may NOT be the only jdk to which this issue could be associated.

setting a suitably large -XX:MaxPermSize=X may be a reliable solution. Try
a value of 128m for 'X' since the default is only 32m.

Q: What option can be specified as an argument to the jdk to increase the thread heap size used by the JDK in the context of the webserver?

A: The option: -Xss2m when added to the jvm.option specifier in the jvm12.conf of
the webserver will increase the thread heap to 2 megabytes.

Q: If "OutofMemoryError" errors still appear to be occurring, what may be done to debug further?

A: The following options, added to the jvm12.conf file might be of some help:
-XX:-UseStackBanging -XX:+UseBoundThreads -XX:AltStackSize=64k

Q: Where can I obtain a free trial copy of the dbx compiler?

A: Following is the url where you can download the dbx.

1. Go to http://access1.sun.com/forte
2. On the page below you will see the Product Downloads.
3. Select Forte C++ Enterprise Edition 6 Try & Buy. Click on SPARC for solaris OS.
4. Enter your user/passwd to register.
5. Accept the license agreement.
6. It will take you to the product Download Center.

Q: I have noticed that the log files in the webserver seem to have timestamps which are out of order. Why do I see this?

A: iplanet has the uncanny ability to write instances to the log out
of sequence. It will write them in the order that objects are
actually served to the client but the time stamps will be for when
they were actually called.

To get around this, one could write a script to parse the log files
and reorder them appropriately by timestamp.

Q: What are the advantages of utilizing the specifier for servlets entitled, LateInit="yes" in the magnus.conf?

A: The line LateInit="yes" means the server will delay loading of any
.dll and .so files until the ns-httpd process has completed loading.
Both .dll and .so files are usually loaded during the time during the
webserver startup that the uxwdog process is loading.

In a situation in which you see that the webserver does not start
normally but seems to constantly die and repeatedly attempt to start
in a vicious loop, this specifier can be a helpful possibilty to try.

Q: The following message appears to be occurring on an AIX box running SunONE WebServer: java.lang.OutOfMemoryError: loading classes, stack: java.lang.OutOfMemoryError

A: Try setting the following parameter in the start script for the webserver
instance which is noted to be failing...

AIXTHREAD_SCOPE=S; export AIXTHREAD_SCOPE

Q: is there an easy way to disable the favicon.ico on the webserver 6.0?

A: The default iPlanet icon file is rendered in the web address and favorites
list for IE browsers if the admin does not have a custom favicon.ico
file in the document root of the web server. To disable internal
favicon.ico support on the SunONE Web Server 6.0, add the line below
to the magnus.conf file for that web server.

Favicon off

After creating the icon, it must associate it with your Web page.
One way is to save the icon with the default file name of favicon.ico
in the root directory of your domain: for example, in your docs directory.

Each time your Web page is added to a user's favorites,
Internet Explorer will automatically search for this file and place the
icon next to all the favorites and quick links originating from your site.

You can also associate the icon with your Web page by saving the icon with a
file name other than favicon.ico and adding a line of HTML code in the head
section of your Web document. The line of code includes a link tag that speci
fies the location and name of the file. You can include this link tag on a
per-page basis.

Additional information may be gleaned from the site...

http://www.webdevelopersjournal.com/articles/favicon.html

and

http://www.trilithium.com/johan/2005/02/no-favicon/

Q: how can I test if the "TRACE" command is enabled on my webserver?

A: Test this by issuing the following command sequence...

For example, we will use a server named zoltar which has a web server
instance running on port 4141. You would, of course, want to substitute
appropriate variables where necessary.

$ telnet zoltar 4141
Trying 129.148.192.139...
Connected to zoltar.east.sun.com.
Escape character is '^]'.
TRACE /banner.html HTTP/1.1 <--- type this in
host: zoltar <--- type this is
<--- type return here
HTTP/1.1 200 OK
Server: Netscape-Enterprise/4.1
Date: Tue, 29 Apr 2003 18:44:21 GMT
Content-type: message/http
Content-length: 45

TRACE /banner.html HTTP/1.1
Host: zoltar

Q: What hotspot options are available for the 1.3 or 1.4 jvm?

A: jvm options can be specified in the jvm12.conf of the webserver.

A helpful link to see all of the available hotspot options is at:

http://java.sun.com/docs/hotspot/VMOptions.html

Q: Is there a way to output jvm messaging to the console window instead of having it logged to the webserver's error logs?

A: Set the following parameter in the jvm12.conf of the web server instance
you desire to make the change for:

jvm.printErrors=2

Q: How do I determine if the TRACE routine is implemented on my webserver?

A: TRACE is a HTTP 1.1 method(see RFCs) and is enabled on our
servers.

Here's how you can confirm if trace is enabled
----------------------------------------------

  1. telnet localhost 41280
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    TRACE /banner.html HTTP/1.1
    host: zoltar

HTTP/1.1 200 OK
Server: Netscape-Enterprise/4.1
Date: Tue, 29 Apr 2003 17:04:05 GMT
Content-type: message/http
Content-length: 46

TRACE /banner.html HTTP/1.1
Host: zoltar
----------------------------------------

You can see from the above session that 4.1 sp12 returns a HTTP status
200(ok) to a TRACE request. This indicates that the TRACE method is
enabled.

Now after loading/configuring the reject_trace plugin, if you send the
TRACE request, it would be denied with a "HTTP/1.1 413 Request Entity
Too Large" response from the server. This indicates that server has
disabled TRACE method after the plugin was configured.

Information on implenting the fix can be found at the following site:

http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603&zone_32=category%3Asecurity%2050603

A link to a public cert dexcribing the problem can be found at:

http://www.extremetech.com/article2/0%2C3973%2C841144%2C00.asp

Additional information and sample NSAPI fix can be found at:

http://www.securityspace.com/smysecure/catid.html?id=11213

Later versions of the webserver have the functionality to turn this
feature off built in. the following, added into the default block is the
following:

<Client method="TRACE">
AuthTrans fn="set-variable" remove-headers="transfer-encoding"
set-headers="content-length: -1" error="501"
</Client>

Q: Are utilities available for SunONE WebServer to handle / export / import certificates?

A: The following are availabe in the directory "server_root"/bin/https/admin/bin:

certutil

pk12util

If your aim is simply at migrating certs from one server to another and both
the servers have the same https-"servername" then it might be easier to follow
the instructions in the following article to accomplish this:

Knowledge Article: 4853

Q: Is there a good site on IBm for downloading ml's and fixes that might be pertinent to webserver?

A: https://techsupport.services.ibm.com/server/fixes

Q: How can I use the telnet protocol to test the http 1.1 "options" method?

A: telnet saturn5 6161

Trying 129.148.192.138...
Connected to saturn5.
Escape character is '^]'.
OPTIONS / HTTP/1.1
Host: 127.0.0.1

HTTP/1.1 200 OK
Server: "Greg's server"
Date: Thu, 26 Jun 2003 19:04:30 GMT
Content-length: 0
Content-type: magnus-internal/directory
Cache-control: no-cache
Allow: HEAD, GET
Connection: close

Connection closed by foreign host.

Q: What exactly is the http 1.1 OPTIONS method for?

A: The OPTIONS method represents a request for information about the
communication options available on the request/response chain
identified by the Request-URI. This method allows the client to
determine the options and/or requirements associated with a resource,
or the capabilities of a server, without implying a resource action
or initiating a resource retrieval.

Q: Why am I unable to edit acl's using SunONE WebServer when accessing

this page from any type browser on a Mac/OSX system?

A: Mac/OSX does not share cookies between web browser and server applications
SunONE WebServer indicates that browsers must be enabled to share cookies
in order for proper functionality to exist with the product.

To get around this, it is necessary to use the workaround supplied
by Apple at the following link: http://developer.apple.com/qa/qa2001/qa1265.html

Q: Where can I get a listing of all spec versions of JSP and TomCat?

A: http://java.sun.com/products/jsp/download.html

Q: How do I get a core file on Windows ?

A: The difference between Solaris and Windows is that the OS writes the core file if an exception occurs,
whereas on windows, if no debugger is currently attached to the process a so called
"postmortem debugger" is called. Which one this is, you can guess it, is controlled by the registry. In the key:
\\HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\AeDebug

The default entry on NT is drwtsn32, which comes with NT. At a crash,
DrWatson usually appends info on the crash to the Drwatson log
(drwtsn32.log), but it can also write a core dump of the crash.
To see if this is enabled have look at the registry key:
\\HKEY_LOCAL_MACHINE\Software\Microsoft\DrWatson

The value for CreateCrashDump has to be set to 1. In this registry key you
can also see what is the path and name of the created crash dump.

There are alternatives to drwatson in the debugging tools available from
http://www.microsoft.com/ddk/debugging/ but I don't see what they offer for creating a
core file in advance of dr Watson. But they are useful for analysis of a core or
if you want to get a core from a running process (like gcore).

Q: I am unable to make an ssl connection to SunOne Webserver when attempting to connect from a Microsoft IE browser when only FIPS compliant crypto modules are selected on the webserver.

A: There are deficiencies with the Microsoft IE browser and it may not
be up to date enough to allow for communication using only fips
compliant modules.

See the following two links at Microsoft's web site for some information
regarding this and possible actions.

http://support.microsoft.com/default.aspx?scid=kb;en-us;811834
http://support.microsoft.com/default.aspx?scid=kb;en-us;245030

Q: What does the following messsage mean? #define ECONNABORTED 130 /* Software caused connection abort */)

A: This generally indicates that a client has killed the connection
before the server has processed it (at different points in processing),
usually this is seen repeatedly during a hang of the webserver
since users will stop/reload in their browsers when they see that
the page is not loading.

Q: When doing a truss on the ns-httpd process, I occasionally see and EAGAIN message. What does this mean?

A: EAGAIN means... Try Again

It is very common to get this error when your application is doing
non-blocking operations on files or network sockets. For example,
you can open a file/socket/fifo for reading with the O_NONBLOCK flag.
If you subsequently do a read(2) call and there is no data waiting,
instead of blocking and waiting until there is data ready and
returning that data, the read() call will return an error (EAGAIN)
to let your application know that there is no data ready and to
try again later.

Another example is if a system call failed due to insufficient resources
(such as virtual memory), but it might succeed if called again.
(eg fork(2) does this).

Q: When using the ns-crond to rotate error logs, are connections lost when it runs?

A: No. The 6.1 restart scripts sends a SIGUSR1 to webservd-wdog (nee uxwdog)
which sends a socket-based message to webservd (nee ns-httpd) instructing it
to rotate the log files. Connections are not lost.

Q: Is it possible to start the webserver without having to start the uxwdog?

A: Yes, it is possible to start the webserver without the watchdog.

For Webserver 6.0, change the:

PRODUCT_BIN=uxwdog to

PRODUCT_BIN=ns-httpd

Note that you will have to write a separate script to kill the ns-httpd(s).
Use the command "kill -TERM " within the script.
The ns-httpd pid should be the primordial(one with the lower pid value).

For webserver version 6.1

PRODUCT_BIN=webservd-wdog would be changed to:

PRODUCT_BIN=webservd

Q: Is it possible to pass a cgi environment variable to a cgi program on the webserver?

A: This can be easily accomplished by initializing the required variable
in the init section for the cgi process.

example:

Init fn=init-cgi variable1="value1" variable2="value2"

Q: Is it possible to set up the webserver such that the watchdog (uxwdog) does not restart the webserver should the daemon fail?

A: Change the web server start script so that the watchdog does not get started.
Modify the following to look like this:
PRODUCT_BIN=ns-httpd

Q: I am seeing the following message appearing occasionally in the webserver error log:

Unable to set TCP_NODELAY on connected socket (Buffer over flow error)

A: The TCP_NODELAY socket option is set to disable Nagle's
algorithm. This is done to improve socket performance for HTTP
implementations. The warning message which you see in the error logs is
logged when it could not set the TCP_NODELAY option due to some
underlying network(TCP/IP) issue.

Q: How do you create a Java Stack dump on windows machine.

A: Here is what you do to generate Java stack dump on a Windows machine.

1) Add to magnus.conf:

Init fn="nt-console-init" stdout=console stderr=console
That will insure that iWS or iWS Admin will start in a console.

2) When you next start the server instance a command window will be
created and stay open. Make sure you have this Window in
focus before going to step 3 so the signal is sent to the
correct window.

3) Once you hit the hang condition press "Ctrl+Break" and Java stack
dump will be sent into error log: https-machine_name/logs/errors

Q: Trailing '/' at the end of a URL is causing problems. Can this be removed?

A: See the url: http://www.netmechanic.com/news/vol4/load_no11.htm which
discusses how trailing url's are interpreted by the webserver and the
possible problems they can cause.

In general, a trailing url in a client request should only be present if the
intended url represents a directory structure. If the requested object is
a file, then the trailing '/' should not be present in the requesting URL.

Q: Is there an install log for the web server, and where is it?

A: Yes, <server root>/setup/WebServer called: nescore.log

Q: Under WebServer 6.1, the administration documentation indicates that

logging verbosity may be increased by adding the LogVerbose variable to
a boolean TRUE or 1 within the magnus.conf. The directive, however, is
indicated to be ignored when checking the error logs. Why is this?

A: A documentation error exists as of this writing (6.1sp1) in which the
release notes indicate that the LogVerbose feature is ignored.
Suggestion is made to utilize the ability of the xml LOG tag in the
server.xml to achieve the same function.

The reference to the bug is noted at:

http://docs.sun.com/source/817-5169-10/rn61sp1.html

An example of usage is provided at the end of a default install's
server.xml and is reprinted here:

<LOG file="/export//https-iws-files2.red.iplanet.com/logs/errors" loglevel="finest" logtoconsole="true" usesyslog="false" createconsole="false" logstderr="true" logstdout="true" logvsid="true"/>

Note that the default level of logging is "info" and the highest level
of logging is denoted as "finest" as in the example above.

Q: Is it possible to be able to specify a username and a password within an ftp url?

A: This is quite easily doable. Use the following URL for reference: http://www.cs.rutgers.edu/~watrous/user-pass-url.html

Q: What debugging ideas are available for issues dealing with BEA Weblogics?

A: Please see the following link as an excellent reference on this topic:

great story

Q: How can I disable the servlet engine in the webserver under version 6.0?

A: you will need to verify in the 'obj.conf':

Service type="magnus-internal/jsp" fn="NSServletService"
and
<Object name="ServletByExt">
ObjectType fn=force-type type=magnus-internal/servlet
Service type="magnus-internal/servlet" fn="NSServletService"
</Object>

are not present or commented out. Please test this out on the failover
instance.

Q: How can I start the ns-cron daemon manually?

A: cd serverroot/bin/https/bin
./ns-cron -d /serverroot

Q: Can the webserver log files record the client browser's encryption capabilities?

A: The %Ses->client.secret-keysize% logs the browser's encryption
capability in the access log. This would be added to the format line
of access log (top line).

Q: Is there an easy way with webserver 6.0 to point to the -server version of the jvm vs the client version?

A: Besides the administrative server settings to point to the jvm you wish
to use, you must edit the jvm12.conf for the server instance in question.
Look for and uncomment the following line...

jvm.option=-server

Also, the link with the j2ee environment must be changed to use the
server option:

Check the jvm that you are pointing to for this. Lets say that you
are pointing the webserver to use /usr/j2se:

$ pwd
/usr/j2se/jre/lib/sparc
$ ls -la libjvm.so lrwxrwxrwx 1 root other 16 Jan 5 2004 libjvm.so -> client/libjvm.so

Note that you will need to remove the libjvm.so link and recreate it
to point to server/libjvm.so

Change the start-jvm script to allow the server pathing to be picked up:

NSES_JRE_RUNTIME_LIBPATH=$

Unknown macro: {NSES_JRE}

/lib/sparc/server

Q: Are there any links to help me in setting up the java profiling option?

A: Please see setup instructions at: http://docs.sun.com/source/816-5689-10/xprof.htm#22740

Q: How can I set the jvm to pring out verbose GC data?

A: Set the following in the jvm12.conf file: jvm.option=-Xverbosegc:file=/tmp/myfile.out

Q:

A: -Xloggc:/path_for_webserver/logs/gc.log

Q: Why does webserver 6.1 have a cert8.db file for ssl and not cert7 ?

A: At webserver 6.1, the NSS libs have been upgraded to version 3.3.5
the naming convention of cert8.db reflects this change.

Q: Where can I get more info on CLF format options for access logs for the webserver

A: http://docs.sun.com/source/817-2176/dninit.html#33444

Q: Can an applet which a client browser uses be profiled?

A: If you are using for example, 1.4.2_05 plugin then you could being up
the plugin console to do this:

eg., cd j2sdk1.4.2_05/jre/bin/ControlPanel

Go to advanced tab, in the Java Runtime Parameters, put
-Xrunhprof:file=/tmp/java.hprof.txt,depth=20,thread=y

Start the applet, check that /tmp/java.hprof.txt is created, do a
kill-3, see that it has some contents now. Do a few runs, e.g. what
you do to get it to crash, maybe 1-2 hours, get the pid, do a kill -3.
Subsequently, exit. Repeat cycle and kill -3 every hour till it
crashes.

Additional information is provided on this procedure at:

threads.html

Q: I am noting High cpu usage and memory space leakage under webserver 6.1. Any non-standard ideas I might try?

A: Try removing the following from the magnus.conf file for the webvserver instance in question:

ClientLanguage en
AdminLanguage en
DefaultLanguage en

Restart the server and test as you would again.

Q: Can I force the value of SERVER_NAME to be a different value

than the default?

A: The SERVER_NAME variable can be defined to reflect whatever the
administrator may desire by adding the following line to the
magnus.conf in the relevant section:

Init fn="init-cgi" SERVER_NAME="my.domain.com" LateInit="yes"

Q: Is there an easy way for the webserver to be able to remove a specific header which it may receive?

A: Any header, received by the webserver, can be removed by explicitly
noting it within the obj.conf file:

<Object name="wl-proxy">
Service fn="set-variable" remove-headers="Expect: 100-continue"
Service fn="wl-proxy"
</Object>

Q: How can I tell which version of the nss libraries I have?

A:

  1. pwd
    /opt/nes6/bin/https/lib
  1. pvs -d libnss3.so
    libnss3.so;
    NSS_3.2;
    NSS_3.2.1;
    NSS_3.3;
    NSS_3.3.1;

Q: Why do I sometimes NOT see Content-length indicated in an http header of a page I am requesting?

A: Check to see if the page being requested is of type jsp. All pages of
type jsp are dynamically generated and it would be impractical to attempt
to pre-determine the size of the resultant file prior to transmission.

Therefore, files of type jsp (java server pages) will not have a Content-length
associated with them.

Q: Is it possible to redirect error responses to another?

A: <Client code=302>
Output fn=set-variable error=301
</Client>

Will work with 6.1 webserver but is not applicable with 6.0 since this was not
available as a directive at that release.

Similarly, to redirect requests to a particular url the following may be employed:

<Client ppath="mypath">
Output fn=set-variable error=301
</Client>

Q: I am looking for JAVA profiling tools for HP's jdk. Are there any?

A: jtune is the tool of choice when attempting to diagnose issues associated
with HP's version of java. Get it for free from HP at:

Get jtune NOW

Q: The rotate script appears to rotate my log files but the size of the files are all 0 bytes. Why might this be happening.

A: One oddity of the rotate script is that it is unable to right over a pre-
existing file of the same name. This can occur if an already existant
file exists in that same directory with the same name. This can happen
easily when the files are one or more years old. The workaround is to
move off any files which may be over one year old from the directory
which will resolve the issue.

Q; I am using the password.conf file to attempt to automate startup of a secure webserver. This alleviates the necessity of an administrator having to manually enter in the password for the secure instance when it is started. I notice however, that I am still prompted for a password when the webserver is started from the GUI. Why is this occurring?

A: The password.conf file is only intended to automate startup of the
webserver and any secure instances when this is done from the command
line. Currently, the functionality will not work with a GUI startup and
so in this instance, it will be necessary to continue to enter in the
password manually.

Q: Is there a way to prevent a web crawler "Robot" from searching my page?

A: The Robots META tag allows HTML authors to indicate to visiting robots
if a document may be indexed, or used to harvest more links.
No server administrator action is required.

Note that currently only a few robots implement this.

In this simple example:

a robot should neither index this document, nor analyse it for links.

Q: Webserver 6.1 is configured for HTTP compression on demand. Why do I see that requests going through the weblogics proxy plugin (wl_proxy) are not being compressed?

A: HTTP compression on demand will work through the BEA Weblogics Proxy Plugin
but it is necessary that the version of the plugin which includes the fix for
BEA bug CR182434 is in place. For WebLogic 8.1, that means 8.1 SP4.

Q: Wnen attempting to execute a cgi program installed to Java Sun One Webserver running on a windows based operating platform, the following error is incurred: Failure: (pid) for host (hostname) trying to GET /cgi-shell/bin/test.pl, shellcgi-send reports: HTTP4065: Can't find file association of (cgifile.ext) What does this error message mean and how may it be corrected?

A: In order for cgi programs to execute within a windows environment, an
additional step beyond that of the normal configurations within the GUI
are required. It is necessary to add a file type association in order
to map the file extension of the webserver with the underlying Microsoft
Windows OS.

Please see the following link for assistance in this crucial, intermediary
step: http://support.microsoft.com/default.aspx?scid=kb;en-us;307859&product=winxp

Q: When using IE6 to access and download a file from Sun Java Webserver, the following message is often displayed and the file fails to download: Unable to Display

A: This problem is within the IE browser itself and is explained by Microsoft in document id:
323308

The fix involves the disabling the cache which normally saves encrypted pages to disk and
requires that the user modifies the registry to enable this change.

The problem occurs as a result of the server sending a "Cache-control:no-store" header or
a "Cache-control:no-cache" header.

Q: I would like to see an example of how to create a separate thread pool for my servlet engine. What would the syntax for creating a thread pool look like in the magnus.conf?

A: First: Create the pool definition:

Init fn="thread-pool-init" name="JavaServletPool" MinThreads="16" MaxThreads="8192" \
StackSize="262144" EarlyInit="yes"

Second: When initializing the servlet engine, associate the engine with the newly
created thread pool defined above.

Init fn="load-modules" shlib="/opt/local/iplanet/bin/https/lib/libNSServletPlugin.so" \
funcs="NSServletEarlyInit,NSServletLateInit,NSServletNameTrans,NSServletService" \
shlib_flags="(global|now)" pool="JavaServletPool"

Q: How to create an enhanced thread dump under JDK 1.3.x

A: Under JDK 1.3, thread dump output was somewhat confusing. Under JDK 1.4 and higher, formats
of thread dumps have been enhanced. This enhancement was backported to JDK 1.3.x and can
be enabled as part of the HotSpot using the following syntax:

-XX:+JavaMonitorsInStackTrace

Q: I have pem formatted ssl certificates - how can I convert these to pk12?

A: Use opensssl - available from sunfreeware.com and the following instructional link
http://www.flatmtn.com/computer/Linux-SSLCertifcatesPKCS12.html

Q: How do I disable Java plugin caching on a Solaris / Linux platform?

A: Unlike on a windows system which allows for the java plugin to be
manipulated from a pull down menu option available from the browser,
a Unix or Linux system requires that a separate utility be run.

The utility is call ControlPanel and is located in the jre/bin directory

To run it, simply type: ControlPanel

Caching options are located under the caching tab.

Q: Is there a way to send the output of a thread dump (kill -3) to a file rather than to standard output (which is the default)?

A: Specify the following hotspot options (available at version 1.4 and higher):

-XX:+LogVMOutput
-XX:LogFile=/tmp/thread_dump.out

Q: Is there a definitive list of all the jvm hotspot options out there?

A: Try this:

http://blogs.sun.com/roller/resources/watt/jvm-options-list.html

Q: I have tried to customize error message responses with the webserver yet I am unable to view the customized error response page. What could be wrong?

A: Determine if you are using the Internet Explorer browser. If so, then
you may need to turn off the "Show Friendly HTTP Error Messages" option.
"Show Friendly HTTP Error Messages" will, by nature of Microsoft
design, block certain contents intended for the browser. The types of content
is documented by Microsoft to be restricted to 500 series messages but has
been noted to also intefere with 400 series messages as well. For information
regarding the particulars to turning this "feature" off on the browser, please
see the technical article available at the Microsoft Support site:
http://support.microsoft.com/default.aspx?scid=kb;en-us;294807

Q: Is the setting of KeepAlive honored during a "Post" operation?

A: Web Server 6.x will not honor keep-alive on HTTP/1.0 POST requests.
In other words, a connection will always be closed following an
HTTP/1.0 POST response. This behaviour is currently not configurable.

Web Server 6.x will honor keep-alive on HTTP/1.1 POST requests.

The upcoming Web Server 7 release will honour keep-alive regardless of
the HTTP method and protocol version.

Q: Can a 32-bit plugin be used with the 64 bit release of the webserver?

A: Existing 32-bit plug-ins cannot be used with the 64-bit release.
Attempting to load a 32-bit plug-in using the 64-bit Sun Java System Web
Server release will result in an error message such as the following:

Sun ONE Web Server 6.1SP5 (64-Bit) B10/28/2005 09:00
failure: CORE3170: Configuration initialization failed: Error running
init function load-modules: dlopen of plugin.so failed (ld.so.1:
webservd: fatal: plugin.so: wrong ELF class: ELFCLASS32)

Workaround: Use the 32-bit release of Sun Java System Web Server or
contact the plug-in vendor to obtain a 64-bit release of the affected
plug-in.

Q: Are there any good documents describing how to manage certificates via command line?

A: the following links will prove helpful:

infodoc1

infodoc1

Q: I suspect that the basis of the webserver problem is within the jdk? How can I debug this if I am on a windows platform?

A: Use the following reference as a guide: http://rsd-software.sfbay/twiki/pub/Products/JavaSupportTrainingDebuggingJavaOnWindows/

Q; I have many connections in CLOSE_WAIT? What does this mean?

Why does netstat -a show connections in the CLOSE_WAIT state?

The CLOSE_WAIT state on tcp connections occurs if the system has not received a close system call from the application, after having received notification (FIN packet) from the other system that it has closed its endpoint.

Details:

"CLOSE_WAIT" state means the other end of the connection has been closed while the local end is still waiting for the application to close. An indefinite CLOSE_WAIT state normally indicates some application level bug.

TCP connections will move to the CLOSE_WAIT state from the ESTABLISHED state after receiving a FIN from the remote system but before a close has called from the local application.

The CLOSE_WAIT state signifies that the endpoint has received a FIN from the peer, indicating that the peer has finished writing - It has no more data to send. This will be indicated by a 0 length read on the input. The connection is now half-closed or a simplex connection (one way) the receiver of the FIN still has the option of writing more data . The state can persist indefinitely as a it is perfectly valid, synchronized TCP state. The peer should be in FIN_WAIT_2 (i.e. sent fin, received ack, waiting for FIN). It is only an application fault if the application ignores the EOF (0 length read) and persists as if the connection is still a duplex connection.

The transition from CLOSE_WAIT -> LAST_ACK occurs when the application issues close. During the transition, TCP schedules a FIN to be sent. The FIN will be sent after remaining data, which may be delayed if the receiver has closed its window.

It is sometimes hard to determine what exactly happened with only "netstat -a" output on the server to go on. To get more details, it is best to "truss" the application and "snoop" the TCP session to help narrow down why the connections in CLOSE_WAIT are not being cleared.

  1. truss -o truss.out -laef -vall -p
  2. snoop -o snoop.out port
  3. netstat -an

There are a couple of possibilities as to why the application has not issued a close on the TCP connection. The first possibility is that the application is not done sending data on the connection. As noted above, an application that only intends to receive data and not send any might very well close its end of the connection, which leaves the other end in CLOSE_WAIT until the process at that end is done sending data and issues a close.

Another possibility is that the application may not have received notification of the close of the other endpoint. With the sockets API, an application receives this notification when it attempts to read the socket and receives the EOF (i.e. 0 bytes) indication. IF the application does not attempt to read the socket, it will never know that the socket is closed at the other end. This would be an application error, since applications should correctly manage all of their sockets.

One other possibility has been seen, particularly when so-called "middleware" is in use. Since the close of a socket does not take effect until the last process that has a copy of the socket issues a close, it possible for a process to detect the close of the other end of the socket and to issue a close on its own end, or even to exit, without actually causing the socket to close. This will occur if a copy of the socket is also in another process. Sockets are copied from a parent process to a child via the fork system call. Some middleware servers have a bug such that a server will accept a TCP connection and then fork a child to handle the connection, but before the fork is issued, another thread will accept another TCP connection. Thus there will be two child processes, but one socket will be copied in both of them. Until both processes exit, this socket cannot close. If the process that mistakenly has the socket is particularly long-lived, while the child that was supposed to have the socket is short-lived, the socket will end up in the CLOSE_WAIT state until the long-lived process exits.

Note: if the FIN is recieving from the peer because it issues a close(2) against the fd of the socket, that will normally terminate both directions of data transfer but if peer uses shutdown(3SOCKET) with SHUT_WR option it will send FIN but still can read on that socket till other end closes the socket and read(2) on this end returns 0.

Q: Is it possible to do a dir listing on specific directorys with webserver

A; If it is desired that directory listings be allowed for the 2
directories, /test1 and /dir1, the following syntax can be used to do this:

<Client uri="(/test1|/dir1)">
Service method=(GET|HEAD) type=magnus-internal/directory
fn=index-common
</Client>
Service method="(GET|HEAD)" type="magnus-internal/directory"
fn="send-error"
path="/nfa/netscape/server4/sales/docs/public_docs/error.html"

Alternately, a NameTrans directive can be created, as below, specifying
that the defined object be used for processing such requests:

NameTrans fn="assign-name" from="(/test1|/dir1)" name=mytest

<Object name=mytest>
Service method=(GET|HEAD) type=magnus-internal/directory fn=index-common
</Object>

Please note that the web server instance will have to be restarted for
the above changes to take effect. Additionally, directory listings for
whatever directories are included in the directory listing as long as
such directories contain none of the index files in the PathCheck
directive for which I provided an incorrect solution earlier.

Please let me know if you would like the complete obj.conf files that I
used for my tests or if there is anything else I can do to satisfy your
expectations on this issue.

Q: I am receiving an HTTP 413 error code message in my webserver access logs? What does this mean and how can I resolve the issue?

A: The HTTP 413 error code is defined in RFC 26126 for HTTP 1.1 as meaning:

The server is refusing to process a request because the request
entity is larger than the server is willing or able to process. The
server MAY close the connection to prevent the client from continuing
the request.

Particular situations in which this can occur would include but not
be limited to:

1) Large cookie sizes greater than the maximum of 4096 bytes which the webserver
can accept and which is hardcoded

2) A header from a client which exceeds the maximum allowable size as
set on the webserver and which is configurable.

The magnus.conf directive, HeaderBufferSize is set by default
to allow a maximum header size of 8192 bytes. This can be changed
by the user. The documentation fo this can be found at:

HTTP://docs.sun.com/source/816-5686-10/07_magnu.htm#26363

The above documentation and parameter settings are avaialable at
webserver releases 6.0, 6.1 and 7.0.

Q: Does webserver 6.1 support toggling of strictly enforced url encoding?

A: As this turns out, provisions were made to modify the webserver behavior
to toggle strict enforcement of URL encoding.
This was done for our latest webserver 7 product.
Earlier releases were not provisioned with this same option availability.

Q: I have changed the hostname of my webserver and would like to change the certificate of the admin server.

A: Use wadm as follows:

(install_dir)/SunWebServer7/7/bin/certutil -S -k rsa -n Admin-Server-Cert -s CN=ubns32 -c Admin-CA-Cert -t u,u,u -v 6 -d /local/SunWebServer7/7/admin-server/config

Note that you may need to input a random seed number and this may be done
by specifying the -f option to a file containing a random number.

Q; Can I redirect the output from perfdump to a flat file?

A: Yes:

perfdump is already formatted as text, so it's easy to view it without a browser.
For example, the following will dump the perfdump output of a server listening
on port 80 to the screen then wait for you to press Enter:

(echo GET /.perf; cat -) | telnet -c localhost 80

For a cleaner interface, you can grab a copy of the wget Open Source command line HTTP client.

Q: I am seeing the following error logged to my webserver error log: [17/Apr/2008:09:35:18] warning (21475): for host 129.150.17.5 trying to GET /index.jsp, flex-log reports: HTTP4198: buffer overflow (log entry greater than 4096 characters)

A: If you serve a request with URI greater than 8K, you will get the following warning
if you are logging the request in the access log. This is because the flex-log buffer
can hold only 4096 characters.

Q: Webserver 4.1 is reporting the following error in the error log:

client is getting 414 URI too long errors. This has happened only occasionally.

167.24.104.150 - - [21/Mar/2008:14:40:55 -0400] "" 414 161

A: http error 414 - URI too long

This occurs when the URI length is greater than 8kbytes:

Request-URI Too Large
129.150.17.5 - - [17/Apr/2008:08:56:48 -0700] 414 161

Q: Webserver 4.1 is reporting 413 error codes in the error log. What does this mean?

A: If the URI length is less than 8k, but the total combined HTTP header length
is greater than 8K, you get the following:

Request Entity Too Large
129.150.17.5 - - [17/Apr/2008:09:05:30 -0700] 413 168

Q: Webserver 6.1 is reporting the following error in the error log: 129.150.17.5 - - [17/Apr/2008:09:05:30 -0700] 413 168

A: This error means "Request Entity Too Large"

You are only able, by default, to server a request URI which is <8kbytes long.

Increase the default setting of HeaderBufferSize to, for example 16192.
You will then be able to serve a request with URI greater than 8K.

Note however that even if you can serve a request with URI greater than 8K,
you will get the following warning if you are logging the request in the access log.
This is because flex-log buffer can hold only 4096 characters.

[17/Apr/2008:09:35:18] warning (21475): for host 129.150.17.5 trying to GET /index.jsp, flex-log reports: HTT
P4198: buffer overflow (log entry greater than 4096 characters)

Q: Is there way at Version 6.1 and up, of logging cookies to the webserver error log?

A: Cookies can be logged by specifying the following format in the webserver error log:

Req->headers.cookie.name

See: http://docs.sun.com/app/docs/doc/820-1643/abvcf?l=en&a=view&q=cookie

Q: In Web Server 7.0 What is the proper syntax for using the <Else> tag?

A: Here is an example syntax:

<Object name="reverse-proxy-/">
<If not $security>
Route fn="set-origin-server" server="http://myserver.com"
</If>
<Else>
Route fn="set-origin-server" server="https://myserver.com"
</Else>
</Object>

Q: When my Web Server 6.1 obj.conf lines are too long, I can't start Web Server. What's wrong?

A: Web Server 6.1 allows a maximum line length of 800 characters. If you make longer lines, then Web Server will not start. If you make the change from the admin console, you may see a message like this:

File System Error:
objset_scan returned NULL. Object file corrupt...

In the error log for the server, you'll see something like this:

[15/Aug/2008:13:23:39] config (  620): CORE3185: Invalid configuration: File /export4/ws61dbg/instance/https-jwsse10.red.iplanet.com/config/server.xml, line 19, column 92: HTTP3258: Error processing obj.conf line 13: HTTP2214: unrecognized directive

In this case, don't apply the change.
If you've changed obj.conf directly, then find the line that's too-long and shorten or remove it.

Note: This limit does not exist in Web Server 7.0 and later versions.

Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.

Sign up or Log in to add a comment or watch this page.


The individuals who post here are part of the extended Sun Microsystems community and they might not be employed or in any way formally affiliated with Sun Microsystems. The opinions expressed here are their own, are not necessarily reviewed in advance by anyone but the individual authors, and neither Sun nor any other party necessarily agrees with them.

Copyright 1994-2009 Sun Microsystems, Inc.
Powered by Atlassian Confluence Sun Guidelines on Public Discourse Privacy Policy Terms of Use Trademarks Site Map Employment Investor Relations Contact