HP OpenVMS Systems
HP Secure Web Server for OpenVMS (based on Apache)

November 2005

Version 2.1 for OpenVMS Alpha, based on Apache 2.0.52
Version 2.1 for OpenVMS I64, based on Apache 2.0.52

This document contains information about installing and configuring the HP Secure Web Server for OpenVMS. It also includes information about running the web server, security information, and how to build and debug loadable Apache modules.

Software Version Hewlett-Packard Company

Contents

Chapter 1 Installation Requirements and Prerequisites
1.1.1 ODS-5 Disk
1.1.2 Disk Space
1.1.3 Stream_LF File Format No Longer Required
1.2.1 MultiNet and TCPware Network Products
1.2.2 CSWS_JAVA Requirements
1.2.3 CSWS_PHP Requirements
1.2.5 Building the Apache HTTP Server from Source Code

Chapter 2 Installation and Configuration
2.2 Install the Secure Web Server
2.2.1 Sample Installation
2.3 Configure the Secure Web Server
2.3.1 Configuration Menu
2.3.3 Configuring a Single Server
2.3.3 Sample Configuration of a Single Server
2.3.4 Configuring Multiple Servers
2.3.5 Sample Configuration of Multiple Servers
2.3.6 Delete Server Instance
2.3.7 Managing suEXEC
2.3.8 Running the OpenSSL Certificate Tool
2.3.9 Converting Files to Stream_LF
2.3.10 Starting and Stopping the Secure Web Server
2.3.11 Showing the Status of an Apache Instance
2.3.13 Managing Multiple Servers
2.3.13.1 HTTPD.CONF
2.3.13.2 APACHE$SETUP.COM and LOGIN.COM
2.3.14 Viewing the OpenSSL Certificate
2.4 Post Configuration Checklist
2.4.1 Configure CSWS_JAVA
2.4.2 Check the CSWS_PERL Configuration
2.4.3 Check the CSWS_PHP Configuration
2.4.4 Run AUTOGEN
2.4.5 Check Disk Quota
2.4.6 Check for SET TERMINAL/INQUIRE
2.5.1 Browser Test
2.5.2 TELNET Test
2.5.3 Troubleshooting
2.6 What's Next
2.7 Merge Changes to Files You Have Customized
2.8 Installing Optional Modules at a Later Time

Chapter 3 Running the Secure Web Server on OpenVMS
3.1 Starting and Stopping the Server
3.1.1 Starting the Server
3.1.2 Stopping the Server
3.1.2.1 Stopping the Server Using the Server Process Name
3.2 Server Log File
3.3 Performance Considerations
3.3.1 Limits and Quotas
3.3.2 Server Experiencing Medium to High Usage
3.3.3 Global Pages and Global Sections
3.3.4 Excessive File Build Up
3.4 Customizing the Server Environment
3.5.1 Apache Modules
3.5.2 Apache 1.3 Modules Not Included
3.5.3 OpenVMS Directives
3.5.4 Command Line Options
3.5.5 Virtual Host Support
3.5.6 Dynamic Shared Object Support
3.5.7 File Handlers
3.5.8 Content Negotiation
3.5.9 Apache API
3.5.10 WebDAV (Distributed Authoring and Versioning) Support
3.5.10.1 Testing DAV Operation
3.5.11 suEXEC Support
3.5.13 Running MOD_OSUSCRIPT
3.6 File Formats
3.7 Managing File and Directory Access Controls
3.7.1 Outbound Access to Non-CSWS Files and Directories
3.7.2 Inbound Access to SWS Files and Directories
3.8 Logical Names
3.9 OpenVMS Cluster Considerations
3.9.1 Individual System vs. Clusterwide Definition
3.9.2 Mixed-Architecture (Alpha and VAX) Cluster
3.10 Common Gateway Interface (CGI)
3.10.1 CGI Environment Variables
3.10.2 Referencing Input
3.10.3 Executing CGI
3.10.4 Logicals for Debugging CGI Scripts
3.10.5 Displaying Graphics with CGI Command Procedures

Chapter 4 Security Information
4.1 Process Model
4.2 Privileges Required to Start and Stop the Server
4.3 File Ownership and Protection
4.4 Authentication Using OpenVMS Usernames and Passwords (MOD_AUTH_OPENVMS)
4.4.1 The require group Directive
4.4.2 The require user Directive
4.4.3 Hiding Accounts
4.4.4 MOD_AUTH_OPENVMS Security Considerations
4.4.5 MOD_AUTH_OPENVMS Examples
4.5 Server Extensions (CGI Scripts, PHP Scripts, Perl Modules)
4.6 suEXEC in the Secure Web Server
4.6.1 suEXEC Security Model
4.6.2 Configuring suEXEC
4.7 Protecting Server Certificate Keys

Chapter 5 Building and Debugging Loadable Apache Modules for the Secure Web Server
5.1 The Apache API, Run-Time Library, and HTTP Request Processing
5.2.1 Defining Your Apache Module Data Structure Symbol
5.2.2 Compiling a Module
5.2.3 Linking a Module
5.2.4 Example: mod_rewrite
5.2.5 Debugging a User-Built Apache Module
5.2.5.1 Preparing to debug your module
5.2.5.2 Debugging your module

Chapter 6 Open Source Licenses

Chapter 1

Before
you can install the Secure Web Server for OpenVMS (based on Apache),
verify that your system meets the minimum hardware and software requirements
described below.

1.1 Hardware Requirements

You can install the Secure Web Server for OpenVMS on any AlphaServer system running OpenVMS Version 7.3-2 or higher, or any Integrity server system running OpenVMS I64 Version 8.2 or higher.

1.1.1 ODS-5 Disk

HP requires that you install the Version 2.1 kit on an ODS-5 enabled disk.

Important: You must install the V2.1 kit on an ODS-5 target volume. If you attempt to install this kit on an ODS-2 volume, the installation will fail. If you had an existing CSWS V1.3 installation, the failed operation will leave it in a corrupt state.

Verify that the destination device is an ODS-5 volume by entering a command similar to the following, where DISK$DKA200 is the disk where you want to install the Secure Web Server:

$ SHOW DEV DISK$DKA200/FULL

Disk VARMIT$DKA200:, device type COMPAQ BB00923468, is online, mounted, file-oriented device, shareable, available to cluster, error logging is enabled.
Volume Status: ODS-5, subject to mount verification, file high-water marking, write-back caching enabled.

1.1.2 Disk Space

The Secure Web Server for OpenVMS Alpha compressed file contains 13,743 blocks. The expanded PCSI file requires approximately 42,000 blocks of working disk space to install.

The Secure Web Server for OpenVMS I64 compressed file contains 17,134 blocks. The expanded PCSI file requires approximately 59,000 blocks of working disk space to install.

1.1.3 Stream_LF File Format No Longer Required

The Secure Web Server Version 2.1 no longer requires that all served files be in Stream_LF format. See Converting Files to Stream_LF for information about a command procedure included in the kit that automatically converts your files if you choose to do so.

1.2 Software Requirements

The Secure Web Server requires the following software:

· HP OpenVMS Alpha Version 7.3-2 or higher
· HP TCP/IP Services for OpenVMS Version 5.4 or higher (for SWS on OpenVMS Alpha Version 7.3-2)

1.2.1 MultiNet and TCPware Network Products

If you are using MultiNet or TCPware from Process Software Corporation instead of HP TCP/IP Services for OpenVMS, you should be aware of the following information.

The Secure Web Server has been tested and verified using HP TCP/IP Services for OpenVMS. There are no known problems running the Secure Web Server with other TCP/IP network products such as MultiNet and TCPware, but HP has not formally tested and verified these other products.

Note: MultiNet and TCPware currently support IPv4 only. If you want to take advantage of the IPv6 support in the Secure Web Server, you must use HP TCP/IP Services for OpenVMS Version 5.3 or higher.

MultiNet and TCPware require ECO kits for the Secure Web Server. These ECO kits are subject to change. For the latest ECO kit information, contact Process Software and ask for the ECO kits required to run the Secure Web Server for OpenVMS. Send network connectivity questions regarding the Secure Web Server on TCPware and MultiNet via email to support@process.com.

1.2.2 CSWS_JAVA Requirements

CSWS_JAVA includes the following Apache Jakarta technologies: Tomcat (JavaServer Pages 1.2, Java Servlet 2.3, MOD_JK, and MOD_JK2) and Ant. (Note: Ant is a partial implementation of the Jakarta Ant subproject and its use is limited to building the included sample web applications and simple user-written web applications for Tomcat.)

CSWS_JAVA V3.0 provides Java Servlet 2.4 and JSP 2.0 technology, while CSWS_JAVA V2.x provides Java Servlet 2.3 and JSP 1.2 technology.

CSWS_JAVA has retired support for CSWS_JSERV. If you want to continue JSERV support, download CSWS_JAVA Version 1.1 from the CSWS_JAVA for HP Secure Web Server for OpenVMS web site at http://h71000.www7.hp.com/openvms/products/ips/apache/csws_java.html.

See the CSWS_JAVA for HP Secure Web Server for OpenVMS web site for CSWS_JAVA requirements.

1.2.3 CSWS_PHP Requirements

PHP is a server-side, cross-platform, HTML embedded scripting language that lets you create dynamic web pages. PHP-enabled web pages are treated the same as regular HTML pages, and you can create and edit them the way you normally create regular HTML pages.
Chapter 2

Installation and configuration consists of the following steps:

1. Read the release notes
2. Install the server and optional modules
3. Configure the server
4. Review the post configuration checklist
5. Test the installation

· Secure Web Server for OpenVMS (CSWS) Version 2.1 -or- 1.3-1
· CSWS_PHP Version 1.3 or higher
· CSWS_PERL Version 2.1 or higher and PERL for OpenVMS Version 5.8.6 or higher
· CSWS_JAVA Version 3.0 or higher

Note: Earlier versions of these optional kits will not work with Secure Web Server Version 2.1.

You can install the Secure Web Server by itself or with one or more of the optional modules. You can install the optional modules later if you choose.

Before you begin, do the following:

1. Decide what you want to install.
2. Review the software requirements for the server and each optional module you are installing.
3. Decide where you want to install the kit.

Note: The Secure Web Server and CSWS_PHP must be installed in the same directory (required). By default, the Secure Web Server and CSWS_PHP are installed in SYS$COMMON. However, HP recommends that you specify another location. CSWS_JAVA can be installed into a different disk or directory from the Secure Web Server.

HP recommends that you shut down the Secure Web Server (and Tomcat, which runs as a separate process) before installing a new version of any component: CSWS, CSWS_PHP, CSWS_PERL, or CSWS_JAVA (Tomcat).

1. The Secure Web Server for OpenVMS kit is provided as a compressed, self-extracting file. To download it from the OpenVMS web site, fill out and submit the registration form at the Secure Web Server for OpenVMS web site at http://h71000.www7.hp.com/openvms/products/ips/apache/csws.html.

   Download any optional modules you want to install.

   Download CSWS_JAVA from http://h71000.www7.hp.com/openvms/products/ips/apache/csws_java_relnotes.html
   Download CSWS_PHP from http://h71000.www7.hp.com/openvms/products/ips/apache/csws_php_relnotes.html
   Download CSWS_PERL from http://h71000.www7.hp.com/openvms/products/ips/apache/csws_modperl_relnotes.html
   Download PERL for OpenVMS from http://h71000.www7.hp.com/openvms/products/ips/apache/csws_perl_relnotes.html

2. Log in as a privileged OpenVMS user (for example, SYSTEM).

3. Select UIC group and member numbers for the APACHE$WWW account that will be created by the installation procedure. HP recommends that you use an empty or new UIC group (without current members). Servers typically use the highest unused UIC group (for example, [370,1]).

   To ensure that the UIC you chose for APACHE$WWW has READ and WRITE access to the intended login device, use the SHOW DEVICE/FULL command.
$ SHOW DEVICE/FULL DKB0:

Disk $DKB0:, device type COMPAQ BD03664545, is online, mounted, file-oriented device, shareable, available to cluster, error logging is enabled

    Owner process                   ""
    Owner UIC                       [SYSTEM]
    Owner process ID                00000000
    Dev Prot                        S:RWPL,O:RWPL,G:R,W
    Reference count                 29
    Default buffer size             512
    Total blocks                    71132000
    Sectors per track               254
    Total cylinders                 14003
    Tracks per cylinder             20
    Volume label                    "BUILD1"
    Relative volume number          0
    Cluster size                    3
    Transaction count               25
    Free blocks                     52293678
    Maximum files allowed           8891500
    Extend quantity                 5
    Mount count                     1
    Mount status                    System
    Cache name                      "_ALPHA$DKA300:XQPCACHE"
    Extent cache size               64
    Maximum blocks in extent cache  5229367
    File ID cache size              64
    Blocks in extent cache          2703
    Quota cache size                0
    Maximum buffers in FCP cache    1730
    Volume owner UIC                [SYSTEM]
    Vol Prot                        S:RWCD,O:RWCD,G:RWCD,W:RWCD

Volume Status: ODS-5, subject to mount verification, write-back caching enabled, access dates enabled, hard links enabled.
4. Decompress the server kit with one of the following commands, depending
on

$ RUN CPQ-AXPVMS-CSWS-V0201--1.PCSI_SFX_AXPEXE ! for Alpha

The system expands the file and names it CPQ-AXPVMS-CSWS-V0201--1.PCSI or

5. If you are upgrading from a previous version of the Secure Web Server
and you modified

Start the installation with the PRODUCT INSTALL command. Use the /DESTINATION qualifier to specify a target device and directory for the installation. If you do not specify a destination, the software will be installed in SYS$COMMON. HP recommends that you specify another location.

Note: Once you enter a PCSI INSTALL CSWS/DESTINATION=[destination] command, you cannot change the installation location unless you remove CSWS and then reinstall it. To change the installation location when you upgrade to a new version of CSWS, you must first enter the PCSI REMOVE CSWS command, then enter PCSI INSTALL CSWS/DESTINATION=[new-destination].

To install the server, enter the following command:

$ PRODUCT INSTALL CSWS /DESTINATION=device:[directory-name]

To install the server and one or more of the optional modules, specify CSWS and the CSWS_nnnn kit name on the PRODUCT INSTALL command line separated by commas. For example, to install the server and CSWS_PHP, use the following command:

$ PRODUCT INSTALL CSWS, CSWS_PHP /DESTINATION=device:[directory-name]

The installation proceeds and displays product information as well as post-installation instructions. The installation is finished when you see the DCL prompt ($).

After the installation, you must configure the Secure Web Server.

Note: Do not attempt to start the server or configure any optional modules before you have configured the server.
The following product has been selected:
    CPQ AXPVMS CSWS V2.1                   Layered Product

Do you want to continue? [YES]

Configuration phase starting ...

You will be asked to choose options, if any, for each selected product and for
any products that may be installed to satisfy software dependency requirements.

CPQ AXPVMS CSWS V2.1
    Hewlett-Packard Company & The Apache Software Foundation.

* This product does not have any configuration options.

Execution phase starting ...

The following product will be installed to destination:
    CPQ AXPVMS CSWS V2.1                   USER$DISK3:[000000.]

Portion done: 0%...10%...20%...30%...40%...50%...60%...70%...90%...100%

The following product has been installed:
    CPQ AXPVMS CSWS V2.1                   Layered Product

CPQ AXPVMS CSWS V2.1

    Release notes are available in SYS$HELP:CSWS0201.RELEASE_NOTES.
    HP highly recommends that you read these release notes.

    For the most up-to-date documentation, including release notes,
    Frequently Asked Questions (FAQs), and information about configuring
    and running the HP Secure Web Server, please see the web pages at:

        http://h71000.www7.hp.com/openvms/products/ips/apache/csws.html

    Post-installation tasks are required for the HP Secure Web Server.
    The OpenVMS Installation and Configuration Guide gives detailed
    directions. This information is a brief checklist.

    Configure OpenVMS aspects of the HP Secure Web Server by:

        $ @SYS$MANAGER:APACHE$CONFIG

    If the OpenVMS username APACHE$WWW does not exist, you will be
    prompted to create that username. File ownerships are set to
    UIC [APACHE$WWW], etc.

    After configuration, start the HP Secure Web Server manually by entering:

        $ @SYS$STARTUP:APACHE$STARTUP

    Check that neither SYLOGIN.COM nor the LOGIN.COM write any output to
    SYS$OUTPUT:. Look especially for a $ SET TERMINAL/INQUIRE.

    Start the HP Secure Web Server at system boot time by adding the
    following lines to SYS$MANAGER:SYSTARTUP_VMS.COM:

        $ file := SYS$STARTUP:APACHE$STARTUP.COM
        $ if f$search("''file'") .nes. "" then @'file'

    Shutdown the Apache server at system shutdown time by adding the
    following lines to SYS$MANAGER:SYSHUTDWN.COM:

        $ file := SYS$STARTUP:APACHE$SHUTDOWN.COM
        $ if f$search("''file'") .nes. "" then @'file'

    Test the installation using your favorite Web browser. Replace
    host.domain in the following URL (Uniform Resource Locator) with the
    information for the HP Secure Web Server just installed, configured,
    and started.

    URL http://host.domain/ should display the standard introductory page
    from the Apache Software Foundation. This has the bold text "It Worked!
    The Apache Web Server is Installed on this Web Site!" at the top and
    the Apache server logo prominently displayed at the bottom.

    If you do not see this page, check the HP Secure Web Server release
    notes, particularly the Frequently Asked Questions section.

    If you'd like to use secure connections with the HP Secure Web Server
    then you'll need to create a server certificate. We recommend that you
    start by creating a 30 day self signed certificate using the following
    certificate tool:

        $ @APACHE$COMMON:[OPENSSL.COM]OPENSSL_AUTO_CERT.COM

    Once the certificate has been created you'll need to uncomment the
    following directive in the APACHE$COMMON:[CONF]HTTPD.CONF file to
    enable SSL.

        Include /apache$root/conf/ssl.conf

    Thank you for using the HP Secure Web Server.
 1. Configure the Secure Web Server
 2. Create an Apache instance
 3. Delete an Apache instance
 4. Manage suEXEC users
 5. Run OpenSSL Certificate tool
 6. Convert directory tree to Stream_LF
 7. Start up an Apache instance
 8. Shut down an Apache instance
 9. Show status of an Apache instance
10. Add a node to CSWS in a cluster environment
11. Exit

Enter Menu Choice:

 1. SYS$MANAGER:APACHE$CONFIG.COM
 2. APACHE$COMMON:[000000]APACHE$CREATE_ROOT.COM
 3. APACHE$COMMON:[000000]APACHE$DELETE_ROOT.COM
 4. APACHE$COMMON:[000000]APACHE$MANAGE_SUEXEC.COM
 5. APACHE$COMMON:[000000]APACHE$CERT_TOOL.COM
 6. APACHE$COMMON:[000000]APACHE$CONVERT_STREAMLF.COM
 7. SYS$STARTUP:APACHE$STARTUP.COM
 8. SYS$STARTUP:APACHE$SHUTDOWN.COM
 9. SHOW SYSTEM/PROCESS=APACHE$tag
10. APACHE$COMMON:[000000]APACHE$ADDNODE.COM

2.3.2 Configuring a Single Server

SYS$MANAGER:APACHE$CONFIG.COM

For information about configuring multiple servers, see the Configuring Multiple Servers section.

$ @SYS$MANAGER:APACHE$CONFIG

$ @APACHE$COMMON:[000000]APACHE$MENU
and select Option 1
HP Secure Web Server for OpenVMS
[based on Apache]

This procedure helps you define the operating environment required to run
the Secure Web Server on this system.

To operate successfully, the server processes must have read access to the
installed files and read-write access to certain other files and directories.
HP recommends that you use this procedure to set the owner UIC on the CSWS
files and directories to match the server. You should do this each time the
product is installed, but it only has to be done once for each installation
on a cluster.

Set owner UIC on CSWS files? [YES]

Do you want to enable the impersonation features provided by suEXEC?
If so, the server will support running CGIs using specified usernames.

Enable suEXEC? [YES]

Setting ownership on files. This could take a minute or two. . . .

Enabling suEXEC configuration. This could take a minute or two. . . .

APACHE$MANAGE_SUEXEC

This procedure allows the system manager to grant users the ability to
utilize the suEXEC feature of the Secure Web Server. Users will be
granted/revoked VMS rights identifiers to allow access.

Continue [YES]?

Enter '?' for help

Manage suEXEC user accounts (SHOW/GRANT/REVOKE/DONE/?): [DONE] GRANT
Enter Username: USER1
%UAF-I-GRANTMSG, identifer APACHE$SUEXEC_USER granted to USER1

Manage suEXEC user accounts (SHOW/GRANT/REVOKE/DONE/?): [DONE] GRANT
Enter Username: USER2
%UAF-I-GRANTMSG, identifer APACHE$SUEXEC_USER granted to USER2

Manage suEXEC user accounts (SHOW/GRANT/REVOKE/DONE/?): [DONE]

Configuration is complete. To start the server:

$ @SYS$STARTUP:APACHE$STARTUP.COM
Choosing Option 2 from the Secure Web Server Configuration Menu starts the following command procedure, which creates a new server root:

APACHE$COMMON:[000000]APACHE$CREATE_ROOT.COM

$ @APACHE$COMMON:[000000]APACHE$MENU
and select Option 2

APACHE$CREATE_ROOT

Create a set of directories and files where a Secure Web Server can run.
You will be prompted for the location of the root, the user to run under,
the TCP/IP port to monitor, the unique server tag, the privileged routines
the user will be allowed to use, and optional startup and shutdown
procedures.

Continue [YES]?

Root location: Give the location of where to create the directory tree and
configuration template file for the new instance of the server.

e.g. USER2:[SMITH.CSWS]

This will create a series of directories under the USER2:[SMITH.CSWS]
directory. This will become the new APACHE$SPECIFIC location.

$ DIRECTORY USER2:[SMITH.CSWS]

Directory USER2:[SMITH.CSWS]

BIN.DIR;1 CGI-BIN.DIR;1 CONF.DIR;1 HTDOCS.DIR;1 ICONS.DIR;1
KIT.DIR;1 LOGS.DIR;1 MODULES.DIR;1 OPENSSL.DIR;1

Total of 9 files.

Username: Enter the user that will own and control the content of this root.
The ownership of the directories and files will be set to the given user.
The user must be a valid user in the SYSUAF.

Username: JOE

The Secure Web Server has several privileged routines to allow the server
to run in a basic fashion. These routines can be blocked from other users
of the web server to run in a more restrictive mode.

These routines are protected by a series of rights identifiers:

APACHE$APR_ALL             Allow access to all of the protected routines
APACHE$APR_CREMBX          Allow access to create a groupwide mailbox
APACHE$APR_GETPWNAM        Allow access to other user's information
APACHE$APR_SETSOCKOPT      Allow user to set socket options
APACHE$APR_SOCKET          Allow creation of a privileged socket
APACHE$APR_AUTH_OPENVMS    Allow user to authorize using SYSUAF
APACHE$APR_GALAXY_GBLSEC   Allow user to manage galactic memory sections

Grant access to CreMbx? y
Grant access to GetPwNam? n
Grant access to SetSockOpt? n
Grant access to Create a Priveleged Socket? y
Grant authorization via SYSUAF? y
Grant user ability to access galactic sections? y

Each instance of the Secure Web Sever must have a unique TCP/IP port to
monitor as it runs. If you have not granted this user the Socket privilege,
then the port must be greater than 1024 (non-privileged).

Note that this routine does not keep track of previously specified ports to
other instances. It is the system manager's responsibility to maintain this
information.

Each instance of the Secure Web Server must have a unique tag associated
with it on the system. The tag is 1 to 4 characters (A-Z, 0-9).

The instance of Secure Web Server can have a startup and a shutdown command
procedure defined to run accordingly.

Define a startup or shutdown procedure? y
Startup procedure filename [NONE]: DISK1:[JOE.APACHE]Test_Start.com
Shutdown procedure filename [NONE]:

Granting rights to JOE UAF account...
Creating directory tree under DISK1:[JOE.APACHE]
Generating Apache configuration file DISK1:[JOE.APACHE.CONF]httpd.conf
Updating the configuration database

Root created: DISK1:[JOE.APACHE]
Template server configuration file created:
Please review this file for accuracy.

· a template configuration file
· a mime type file
· an SSL configuration file

These are all placed in the configuration directory and should be reviewed before attempting to start the server.
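
An added example (not part of the HP kit or of this guide's procedures): because APACHE$CREATE_ROOT does not track ports already given to other instances, the Python check below validates a planned set of instances against the rules stated in the prompts above. The plan format, user names, tags and port numbers are constructed for illustration, and the "review" finding for an unneeded APACHE$APR_SOCKET grant is an added least-privilege suggestion rather than an HP rule.

```python
"""Pre-flight check for a set of planned Secure Web Server instances.

The rules come from the APACHE$CREATE_ROOT prompts quoted above; the plan
format (a list of dicts) and all sample values are constructed.
"""
import re

TAG_RE = re.compile(r"[A-Z0-9]{1,4}")  # "1 to 4 characters (A-Z, 0-9)"
# Rights identifiers from the page that allow creating a privileged socket.
SOCKET_RIGHTS = {"APACHE$APR_SOCKET", "APACHE$APR_ALL"}


def validate_instances(instances):
    """Return a list of (user, severity, message) findings, in plan order."""
    findings = []
    tag_owner = {}   # tag  -> user that claimed it first
    port_owner = {}  # port -> tag that claimed it first

    for inst in instances:
        user = inst["user"]
        tag = inst["tag"].upper()
        port = inst["port"]
        rights = {r.upper() for r in inst.get("rights", ())}

        # Each instance needs a unique, well-formed server tag.
        if not TAG_RE.fullmatch(tag):
            findings.append((user, "error",
                             f"tag {tag!r} is not 1 to 4 characters from A-Z, 0-9"))
        if tag in tag_owner:
            findings.append((user, "error",
                             f"tag {tag!r} is already used by {tag_owner[tag]}"))
        else:
            tag_owner[tag] = user

        if not isinstance(port, int) or not 1 <= port <= 65535:
            findings.append((user, "error", f"port {port!r} is not a TCP port"))
            continue

        # The procedure does not remember ports given to other instances,
        # so collisions have to be caught by the system manager.
        if port in port_owner:
            findings.append((user, "error",
                             f"port {port} is already monitored by instance "
                             f"{port_owner[port]}"))
        else:
            port_owner[port] = tag

        # Without the Socket privilege the port must be greater than 1024.
        if port <= 1024 and not rights & SOCKET_RIGHTS:
            findings.append((user, "error",
                             f"port {port} needs APACHE$APR_SOCKET; "
                             "use a port above 1024 or grant the identifier"))
        elif port > 1024 and "APACHE$APR_SOCKET" in rights:
            # Added least-privilege suggestion, not a rule stated by HP.
            findings.append((user, "review",
                             f"APACHE$APR_SOCKET is granted but port {port} "
                             "is non-privileged"))
    return findings


# Constructed plan. JOE's rights mirror the y/n answers in the sample session;
# his port (the sample does not show one) and all other rows are invented.
SAMPLE_PLAN = [
    {"user": "WEBADMIN", "tag": "WWW", "port": 80,
     "rights": ["APACHE$APR_ALL"]},
    {"user": "JOE", "tag": "Tst", "port": 8080,
     "rights": ["APACHE$APR_CREMBX", "APACHE$APR_SOCKET",
                "APACHE$APR_AUTH_OPENVMS", "APACHE$APR_GALAXY_GBLSEC"]},
    {"user": "SMITH", "tag": "DEV", "port": 443,
     "rights": ["APACHE$APR_CREMBX"]},
    {"user": "ALICE", "tag": "TST", "port": 8080, "rights": []},
    {"user": "BOB", "tag": "STAGE", "port": 8443, "rights": []},
]

if __name__ == "__main__":
    for user, severity, message in validate_instances(SAMPLE_PLAN):
        print(f"{severity.upper():6} {user:8} {message}")
```
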
APACHE$DELETE_ROOT

Deletes a previously defined set of directories and all files contained
therein. Also revokes all user rights granted when the root was created.

Continue [YES]?

Apache Instances available for deletion

1. Tst DISK1:[JOE.APACHE.CONF]httpd.conf
2. Exit

Choice: 1

Revoking rights from JOE UAF account...
Deleting all files under DISK1:[JOE.APACHE...]
Updating the configuration database...

Root deleted: DISK1:[JOE.APACHE]

Note: The Secure Web Server Version 2.1 no longer requires that all served files be in Stream_LF format. The EnableMMAP directive must be set to OFF to lift the Stream_LF restriction. In Version 2.1, EnableMMAP is set to OFF by default. (In Version 2.0, the default for EnableMMAP was ON.)

Note: The APACHE$CONVERT_STREAMLF command procedure converts all sequential files (with the exceptions listed above) to Stream_LF format, including sequential files currently in Stream format. After you run the procedure, be sure to check the SYS$SCRATCH:CONVERT_DIR.LOG file for files that should not be in Stream_LF format, and delete the newest version of those files.

Top Directory: USER1:[APACHE.HTDOCS]

Starting conversion of USER1:[APACHE.HTDOCS...]
This could take a while...

Conversions complete. See SYS$SCRATCH:Convert_Dir.Log for a log of transactions.
SYS$STARTUP:APACHE$STARTUP.COM
SYS$STARTUP:APACHE$SHUTDOWN.COM

See Starting and Stopping the Server for more information.

2.3.11 Showing the Status of an Apache Instance

Choosing Option 9 from the Secure Web Server Configuration Menu runs the following command:

$ SHOW SYSTEM/PROCESS=APACHE$tag

Server processes have a process tag of the form APACHE$ssss, where ssss is up to four alphanumeric characters defined in the VMSServerTag directive. The default is APACHE$SWS.

Similarly, child processes have a process name of the form APACHE$ssssnnnn, where APACHE$ssss is the server name and nnnn is the child server process number represented as a hex value.

The SHOW SYSTEM/PROCESS=APACHE$tag command lists a menu of the current instances of the server. You choose the instance for which you want to see status.

The following is an example output showing the status of a running server:

Registered Apache Instances

1. SWS APACHE$COMMON:[CONF]HTTPD.CONF
2. Exit

Choice: 1

Status of SWS instance of Apache...

OpenVMS V7.3-2 on node APSERV 1-AUG-2005 15:55:34.09 Uptime 67
  Pid    Process Name    State  Pri      I/O       CPU       Page flts  Pages
2020026D APACHE$SWS      LEF      6     2526   0 00:00:11.35       839   1016
2020026F APACHE$SWS0000  LEF      6     2556   0 00:00:12.69       824    979
20200270 APACHE$SWS0001  LEF      6     2530   0 00:00:09.41       834   1010
20200271 APACHE$SWS0002  LEF      6     2493   0 00:00:14.00       811    978
20200272 APACHE$SWS0003  LEF      6     2499   0 00:00:13.66       822    988
20200273 APACHE$SWS0004  LEF      6     2487   0 00:00:12.01       832   1002
20200274 APACHE$SWS0005  LEF      6     2501   0 00:00:15.22       810    994

End status.

The following is an example output showing the status of a server that has been shut down:

Registered Apache Instances

1. SWS APACHE$COMMON:[CONF]HTTPD.CONF
2. Exit

Choice: 1

Status of SWS instance of Apache...

End status.

2.3.12 Adding a Node to CSWS in a Cluster Environment

Choosing Option 10 from the Secure Web Server Configuration Menu starts the following command procedure, which adds a node to the Secure Web Server in a cluster environment.

APACHE$COMMON:[000000]APACHE$ADDNODE.COM

You must log into the system you want to add as a CSWS cluster member before you choose Option 10. For example, perform the initial installation and configuration of CSWS on NODE1. Then log into NODE2 and enter the following commands:

$ @SYS$STARTUP:APACHE$LOGICALS
$ @APACHE$COMMON:[000000]APACHE$MENU

Apache$Menu

 1. Configure the Secure Web Server
 2. Create an Apache instance
 3. Delete an Apache instance
 4. Manage suEXEC users
 5. Run OpenSSL Certificate tool
 6. Convert directory tree to Stream_LF
 7. Start up an Apache instance
 8. Shut down an Apache instance
 9. Show status of an Apache instance
10. Add a node to CSWS in a cluster environment
11. Exit

Enter Menu Choice: 10

APACHE$ADDNODE

Create a set of directories and files on another node in a cluster
environment for the Secure Web Server.

The node name used is that defined by TCPIP$INET_HOST. A directory by that
name will be created under the APACHE$SPECIFIC: area. The top level
directories under APACHE$COMMON are essentially duplicated here.

A new version of HTTPD.CONF is created in APACHE$ROOT:[CONF]. This will be
used by default. The common configuration in APACHE$COMMON:[CONF] remains
untouched. Remove this new configuration if you wish to use the common one.

The rights identifiers for the user account APACHE$WWW on this node are set
to the defaults. If this is a common SYSUAF/RIGHTSLIST, then the account
should be checked as it might be changed.

Continue [YES]? yes

Granting rights to APACHE$WWW UAF account...
Creating directory tree under device:[000000.APACHE.SPECIFIC.node-name]
Generating Apache configuration file device:[000000.APACHE.SPECIFIC.node-name.CONF]httpd.conf

Node node added successfully

Node specific directories created: device:[000000.APACHE.SPECIFIC.node-name]
Configuration files created in: device:[000000.APACHE.SPECIFIC.node-name.CONF]

Please review these files for accuracy.

Press return to continue...

Exit the configuration menu, then enter the following command to start the Secure Web Server on NODE2:

$ @sys$startup:apache$startup
This section discusses the
issues you may encounter when managing multiple servers. 2.3.13.1 HTTPD.CONF To create and maintain
multiple HTTPD.CONF files, you rely on the fact that each server has a separate
configuration-specific root directory. You can set the processwide
logical name APACHE$SPECIFIC to the configuration-specific directory. You then
edit the file APACHE$SPECIFIC:[CONF]HTTPD.CONF. 2.3.13.2 APACHE$SETUP.COM and LOGIN.COM APACHE$COMMON:[000000]APACHE$SETUP.COM is run for every server (parent
and child) and server instance. This command procedure defines the necessary
Apache symbols and executes any subsequent product setups if they exist (for
example, PHP and Perl). It also defines the CRTL logicals
needed to allow the Secure Web Server to run correctly with extended command
parsing and file specifications. The APACHE$ROOT:[000000]LOGIN.COM command procedure is executed after
APACHE$SETUP.COM and is determined by the LGICMD stored in SYSUAF for the
Apache server user (for example, APACHE$WWW). The Secure Web Server
includes APACHE$SETUP.COM so that each instance of the server can use its own
LOGIN.COM procedure, and not have to maintain server critical definitions. 2.3.14 Viewing the OpenSSL
Certificate You need a valid server
certificate to run the Secure Web Server in SSL mode. Configuration creates a
self-signed certificate and installs it. If you want to view the certificate
before starting the server, use the OpenSSL
Certificate Tool as described in the HP Secure Web Server SSL User Guide.
After configuring the
Secure Web Server, do not start the server. Follow the instructions in the Post
Configuration Checklist section. 2.4 Post Configuration Checklist After you configure the
Secure Web Server, perform the following tasks to ensure a successful startup: 1.
Configure CSWS_JAVA, if you have just installed it. 2.
Optionally check the CSWS_PHP configuration now or later. 3.
Optionally check the CSWS_PERL configuration now or later 4.
Run AUTOGEN. 5.
Check disk quota. 6.
Check for SET TERMINAL/INQUIRE. Each of these tasks is
explained below. Once you have completed them, you can test the installation by
starting the Secure Web Server. 2.4.1 Configure CSWS_JAVA If you installed the
CSWS_JAVA module, you must configure it before you can start the server. For
instructions, see the CSWS_JAVA
for HP Secure Web Server for OpenVMS Installation Guide and Release Notes.

2.4.2 Check the CSWS_PERL Configuration

You are not required to configure CSWS_PERL before starting the server. CSWS_PERL is preconfigured with default values. If you want to change the default configuration, edit APACHE$COMMON:[CONF]MOD_PERL.CONF. For more information, see the CSWS_PERL for HP Secure Web Server for OpenVMS Installation Guide and Release Notes.

2.4.3 Check the CSWS_PHP Configuration

You are not required to configure CSWS_PHP before starting the server. CSWS_PHP is preconfigured with default values. If you want to change the default configuration, edit APACHE$ROOT:[CONF]MOD_PHP.CONF. For more information, see the CSWS_PHP for HP Secure Web Server for OpenVMS Installation Guide and Release Notes.

2.4.4 Run AUTOGEN

After the installation, run SYS$UPDATE:AUTOGEN.COM (AUTOGEN) to evaluate your system parameters and make adjustments based on your hardware configuration and system workload. Because of the Secure Web Server installation, AUTOGEN will probably increase the page file size and the number of swap file pages.

2.4.5 Check Disk Quota

If the disk quota is too low, the Secure Web Server will not start. Either raise the disk quota for the user account APACHE$WWW, or grant the account the EXQUOTA privilege, thus allowing it to bypass disk quota restrictions. Use the following commands:

    $ SHOW QUOTA/USER=[server-uic]/DISK=device-name
    $ SET DEFAULT SYS$SYSTEM
    $ RUN AUTHORIZE
    UAF> MOD APACHE$WWW/PRIV=EXQUOTA
    UAF> EXIT

Stop and restart the Secure Web Server so that the APACHE$WWW account picks up the new privilege.

2.4.6 Check for SET TERMINAL/INQUIRE

When the Secure Web Server for OpenVMS is started, the command procedure APACHE$SETUP is executed. The following login files are executed:

· SYLOGIN.COM (system login file)
· LOGIN.COM (login file for APACHE$WWW)

Check these files to make sure that any SET TERMINAL/INQUIRE statements are executed only in INTERACTIVE mode. For example:

    $ IF F$MODE() .EQS. "INTERACTIVE" THEN $ SET TERMINAL/INQUIRE

Failure to do so might result in ill-formed HTML intermittently being returned to clients. This problem might also appear when executing CGI scripts.

2.5 Test the Installation

Manually start the Secure Web Server to verify the installation and configuration of the server.
Enter the following command:

    $ @SYS$STARTUP:APACHE$STARTUP

You can test the installation using your web browser. Replace host.domain in the following URL with the information for the Secure Web Server you just installed:

    HTTP://host.domain/

If this is a new installation, the browser should display the standard introductory page with the following bold text at the top:

    "Hey, it worked ! The SSL/TLS-aware Apache webserver was successfully installed on this website."

The Apache logo is displayed at the bottom.

2.5.2 TELNET Test

You can also use TELNET on the local host to test the installation.
(In TCP/IP Services Version 5.3 for OpenVMS and higher, user input is not echoed.) Use the following procedure to test the installation.

Enter the following command:

    $ TELNET 0 80

The following text is displayed:

    %TELNET-I-TRYING, Trying ... 127.0.0.1
    %TELNET-I-SESSION, Session 01, host localhost, port 80
    HEAD / HTTP/1.0

Press ENTER twice. Text similar to the following is displayed:

    HTTP/1.1 200 OK
    Date: Wed, 21 Sep 2005
    Server: Apache/2.0.52 (OpenVMS) mod_ssl/2.0.52 OpenSSL/0.9.7d
    Content-Location: index.html.en
    Vary: negotiate,accept-language,accept-charset
    TCN: choice
    Last-Modified: Thu, 08 Sep 2005
    ETag: "2e4550-5b2-b12cef40"
    Accept-Ranges: bytes
    Content-Length: 1458
    Connection: close
    Content-Type: text/html; charset=ISO-8859-1

    %TELNET-S-REMCLOSED, Remote connection closed
    -TELNET-I-SESSION, Session 01, host localhost, port 80

You should receive several lines of text from the Secure Web Server.

2.5.3 Troubleshooting

If you do not receive a response from the Secure Web Server, check the following:

· Look in your SYLOGIN.COM file and make sure there is no SET TERMINAL/INQUIRE statement for NETWORK processes.
· Make sure the APACHE$WWW account exists and is not disabled.
· Look for the following files: APACHE$ROOT:[000000]APACHE$tag
· If you have trouble starting the server, enable the logical APACHE$SPL_DISABLED systemwide, then restart the server.
· If you have trouble stopping the server using the APACHE$SHUTDOWN command and APACHE$WWW is still running, use the following command to stop it. You should then be able to shut down the server.

    $ STOP PROCESS/ID=<apache-pid>

After you have successfully tested the installation, perform any of the following tasks that are relevant for you:

· If you are upgrading from a previous version of the Secure Web Server, you can merge the previous versions of files commonly modified by system administrators with the newly installed versions of these files. See the Merge Changes to Files You Have Customized section.
· If you enabled MOD_SSL, follow the instructions for verifying SSL in the HP Secure Web Server SSL User Guide.
· Read Chapter 3 for information on starting and stopping the server, using HTTPD.CONF to customize the server environment, and other OpenVMS-specific topics.

2.7 Merge Changes to Files You Have Customized

If you have installed a previous version or field test kit of the Secure Web Server, it is removed automatically before the new kit is installed.

When the previous version of the Secure Web Server is removed, the PCSI utility removes only the files and directories it installed. Any files you have created are not affected.

Note: Files installed by the Secure Web Server that are commonly modified by system administrators are not removed. However, the new kit contains updated versions of these files. Be sure to transfer any edits you made to the previous versions of these files to the new versions.

· [APACHE]LOGIN.COM
· [APACHE.HTDOCS]INDEX.HTML
· [APACHE.CONF]HTTPD.CONF

If you modified the file [APACHE.CONF]MIME.TYPES, you need to copy the file to another location before you begin the installation. This file is removed during the installation. (HP recommends that you use the AddType directive instead of modifying the MIME.TYPES file.) The new kit contains an updated version of this file. After you save your current version, restore the file and incorporate your local modifications with the new version.

2.8 Installing Optional Modules at a Later Time

If you did not install the optional modules (CSWS_JAVA, CSWS_PERL, or CSWS_PHP) when you installed the server, follow these instructions for installing them at a later time. Before you begin, make sure:

· You have installed the required software.
· You have already installed the Secure Web Server.
· You install CSWS_PHP in the same directory as you installed the server. You do not need to install CSWS_JAVA or CSWS_PERL into the same disk or directory as the Secure Web Server.

Use the appropriate command from the list below.

To install CSWS_JAVA, use the following command:

    $ PRODUCT INSTALL CSWS_JAVA/DESTINATION=device:[directory-name]

To install CSWS_PHP, use the following command:

    $ PRODUCT INSTALL CSWS_PHP/DESTINATION=device:[directory-name]

To install CSWS_PERL, use the following command:

    $ PRODUCT INSTALL CSWS_PERL/DESTINATION=device:[directory-name]

The installation is complete when the dollar sign prompt ($) is displayed.

After you install CSWS_JAVA, you must configure it. For more information, see Configure CSWS_JAVA.

CSWS_PHP and CSWS_PERL are preconfigured, but you can change the configurations. For more information, see Check the CSWS_PHP Configuration and Check the CSWS_PERL Configuration.

Chapter 3

In general, you can run the Secure Web Server on OpenVMS as you would run Apache with MOD_SSL on any platform. However, there are some exceptions. This chapter describes the functions that behave differently or are not available, as well as any enhancements that are specific to OpenVMS.

3.1 Starting and Stopping the Server

Starting and stopping the Secure Web Server requires enhanced privileges (DETACH, SYSNAM, WORLD, etc.). Start and stop the server from a privileged account such as SYSTEM.

Start the Secure Web Server with the following command:

    $ @SYS$STARTUP:APACHE$STARTUP [startup-value] [configuration-file]

Startup-value is optional and can have the following values:

To automate the startup of the Secure Web Server when the system is booted, add the following commands to the SYS$MANAGER:SYSTARTUP_VMS.COM file:

    $ FILE := SYS$STARTUP:APACHE$STARTUP.COM
    $ IF F$SEARCH("''FILE'") .NES. "" THEN @'FILE'

You can shut down the Secure Web Server with the following command:

    $ @SYS$STARTUP:APACHE$SHUTDOWN [startup-value] [configuration-file]

Startup-value is optional and can have the following values:

To automate the shutdown of the Secure Web Server when the system is shut down, add the following commands to the SYS$MANAGER:SYSHUTDOWN.COM file:

    $ FILE := SYS$STARTUP:APACHE$SHUTDOWN.COM
    $ IF F$SEARCH("''FILE'") .NES. "" THEN @'FILE'

Note: The Secure Web Server will not shut down as long as the APACHE$WWW process is running.

    $ SHOW SYSTEM/OWNER_UIC=[APACHE$WWW]

3.1.2.1 Stopping the Server Using the Server PID

If you are unable to shut down the server using the APACHE$SHUTDOWN command, and APACHE$WWW is still running, you can use the server PID to stop it. To determine the server PID, enter the following command (or choose Option 9 from the configuration menu):

    $ SHOW SYSTEM/PROCESS=APACHE$tag

Server processes have a process tag of the form APACHE$ssss, where ssss is up to four alphanumeric characters defined in the VmsServerTag directive. The default is APACHE$SWS.

You should then be able to shut down the server by entering the following command:

    $ STOP PROCESS/ID=<apache-pid>

The server log file for APACHE$WWW is written to:

    APACHE$SPECIFIC:[000000]APACHE$tag

Server processes have a process tag of the form APACHE$ssss, where ssss is up to four alphanumeric characters defined in the VMSServerTag directive. The default is APACHE$SWS.

Similarly, child processes have a process name of the form APACHE$ssssnnnn, where APACHE$ssss is the server name and nnnn is the child server process number represented as a hex value. For example:

    Parent    APACHE$SWS
    Child 1   APACHE$SWS0000
    Child 2   APACHE$SWS0001
    Child 3   APACHE$SWS0002

3.3 Performance Considerations

You should have prior experience tuning the performance of the OpenVMS operating system. For general information on OpenVMS performance, see the OpenVMS Performance Management Manual on the OpenVMS documentation website.

Recommendations for improving performance on a Secure Web Server are provided in the following sections.

3.3.1 Limits and Quotas

The following table shows sample values for the APACHE$WWW system user account (SYSUAF) from a working and exercised Secure Web Server with a light to moderate load. These values are presented as an example of a system performing well within its context.

If you should experience performance difficulties, refer to this table for guidelines in making adjustments. For heavier loads, we point out which values, in our experience, need to be increased as load increases. Keep in mind that no one set of values will be appropriate for all situations.

    $ SET DEFAULT SYS$SYSTEM
    $ RUN AUTHORIZE
    UAF> SHOW APACHE$WWW

    Username: APACHE$WWW          Owner: APACHE WEBSERVER
    ...
    Maxjobs:        0   Fillm:      100   Bytlm:   64000
    Maxacctjobs:    0   Shrfillm:     0   Pbytlm:      0
    Prclm:          8   DIOlm:      150   WSdef:    2000
    ...

    UAF> MODIFY APACHE$WWW/FILLM=300/PRCLM=20
    %UAF-I-MDFYMSG, user record(s) updated
    UAF> EXIT
    $

3.3.2 Server Experiencing Medium to High Usage

Periodically, check the server's log file for errors of the "cannot open" variety. Errors of this type often indicate you need to modify system parameters. Try the following:

· Set FILLM to limit the number of files a user's process can have open.
· Set the SYSGEN parameter CHANNELCNT to 1024 (unless it is already set to a higher value).

Note: Whenever you change system parameters, you must reboot the system to enable the new settings.
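
The quota review described in sections 3.3.1 and 3.3.2 can be scripted against a captured AUTHORIZE listing. The following is an added example, not part of the HP documentation: the function names are hypothetical, the listing is a constructed copy of the one in section 3.3.1, and the targets are assumptions taken from the MODIFY command and the CHANNELCNT value shown above.

```python
import re

# Constructed sample: the AUTHORIZE listing shown in section 3.3.1.
SAMPLE_UAF = """\
Username: APACHE$WWW                 Owner:  APACHE WEBSERVER
Maxjobs:         0  Fillm:       100  Bytlm:        64000
Maxacctjobs:     0  Shrfillm:      0  Pbytlm:           0
Prclm:           8  DIOlm:       150  WSdef:         2000
"""

# Assumed targets: the values from the page's MODIFY command and its
# CHANNELCNT recommendation. Tune them to your own load.
UAF_TARGETS = {"FILLM": 300, "PRCLM": 20}
MIN_CHANNELCNT = 1024


def parse_uaf(listing):
    """Map every numeric 'Name: value' pair in a SHOW listing to an int."""
    pairs = re.findall(r"([A-Za-z]+):\s+(\d+)\b", listing)
    return {name.upper(): int(value) for name, value in pairs}


def modify_command(quotas, user="APACHE$WWW", targets=UAF_TARGETS):
    """Return the MODIFY command that raises low quotas, or None if none are low."""
    missing = [field for field in targets if field not in quotas]
    if missing:
        # A truncated listing must not be mistaken for a quota of zero.
        raise ValueError("listing lacks " + ", ".join(missing))
    low = [(field, want) for field, want in targets.items() if quotas[field] < want]
    if not low:
        return None
    return "MODIFY " + user + "".join(f"/{field}={want}" for field, want in low)


def review(listing, channelcnt):
    """Collect the adjustments suggested for one UAF listing and CHANNELCNT value."""
    actions = []
    command = modify_command(parse_uaf(listing))
    if command:
        actions.append("UAF> " + command)
    if channelcnt < MIN_CHANNELCNT:
        actions.append(f"SYSGEN: raise CHANNELCNT from {channelcnt} to {MIN_CHANNELCNT}, then reboot")
    return actions


if __name__ == "__main__":
    for line in review(SAMPLE_UAF, channelcnt=256):
        print(line)
```

The script only reports; it changes nothing, so any MODIFY command it suggests can be reviewed before it is entered at the UAF> prompt.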

· No directives have been deleted or added to the Apache template except an Include directive for MOD_SSL. Installing CSWS_JAVA, CSWS_PHP, or CSWS_PERL will also append Include directives specific to these modules.
· MOD_OSUSCRIPT has been added to enable CGI scripts originally written for the OSU server.
· MOD_AUTH_OPENVMS enables authentication using OpenVMS usernames and passwords.
· UNIX style path names are recognized by OpenVMS. You can use either UNIX style or OpenVMS style path names in the configuration file. However, you cannot intermix the two styles within a specification. HP recommends UNIX style path names.
· In an OpenVMS cluster, you can specify either clusterwide or system-specific files. For more information, see Individual System vs. Clusterwide Definition.

Note: In SWS Version 2.1, many loadable modules are no longer loaded by default. You must uncomment the modules in httpd.conf to load them. (See the file httpd-vms.conf for other modules you may w