Monday Jul 14, 2014

How to Add Expires and max-age Headers in Oracle iPlanet Web Server ?

To enhance performance, you can add cache control headers, e.g. Expires and max-age Headers.


See my KM note below for details:


How to Add Expires and max-age Headers in Oracle iPlanet Web Server (Doc ID 1303465.1)

Some Examples on How to Set up Oracle Traffic Director (OTD) Web Application Firewalls (WAF) Rules Files to Enhance Security ?


The web application firewall (WAF) is a new feature in OTD. Below are my KM notes on how to set it up and debug it.


Some Examples on How to Set up Oracle Traffic Director (OTD) Web Application Firewalls (WAF) Rules Files to Enhance Security ? (Doc ID 1613672.1)


How to Debug Oracle Traffic Director (OTD) Web Application Firewalls (WAF) ? (Doc ID 1613679.1)

Why Unable To Stop Oracle Traffic Director (OTD) Process And Admin Console Shows Status As "Instance Not Running" When It Is Actually Running ?


This issue will happen when you run OTD on Linux.


See my KM note below:


Why Unable To Stop Oracle Traffic Director (OTD) Process And Admin Console Shows Status As "Instance Not Running" When It Is Actually Running ? (Doc ID 1506995.1)


Why Unable To Stop Oracle iPlanet Web Server 7 Process And Admin Console Shows Status As "Not Running" When It Is Actually Running ?

If you are running Oracle iPlanet Web Server 7 on Linux, then you may hit this issue below.


See my writing at KM note:









Insufficient File Descriptors For Optimum Configuration Error Reported on Oracle Traffic Director 11.1.1.6

If you are using OTD and find this error in the logs,


"CORE3361: Insufficient File Descriptors For Optimum Configuration"


then please see KM notes at


Insufficient File Descriptors For Optimum Configuration Error Reported on Oracle Traffic Director 11.1.1.6 (Doc ID 1489362.1)


"CORE3361: Insufficient File Descriptors For Optimum Configuration" Warning Message While Starting Oracle Traffic Director (Doc ID 1667415.1)

Important notes about Oracle Traffic Director admin-server SSL certificate expiry date

If you are using Oracle Traffic Director (OTD), then please read my KM notes about how to renew the admin-server SSL certificates before the common 1-year expiry date after first install.


See KM note at


How to Renew Admin Server SSL Certificate for Oracle Traffic Director ? (Doc ID 1549253.1)


See also another KM note from our team,











How to Test if Oracle iPlanet Web Server Is Responding Fast Directly From The Web Server Box ?

Often, there are many components behind the web server, e.g. App server, Database, etc.


It is important to isolate where the slowness is.


I wrote this KM note to test if Oracle iPlanet web server responds fast or not to help isolate the bottleneck.


How to Test if Oracle iPlanet Web Server Is Responding Fast Directly From The Web Server Box ? (Doc ID 1539477.1)

Some tips to use Weblogic WLS server with Oracle iPlanet (former SunONE) web server

I wrote some KM notes about how to use Weblogic WLS server together with Oracle iPlanet Web server. 


e.g.


How to set up and configure WebLogic Server plugin in Oracle iPlanet Web Server (Doc ID 1352951.1)


How to Forward Requests to Different Backend WebLogic Servers Based on Incoming Request Hostname and URI in Oracle iPlanet Web Server 7 (Doc ID 1360055.1)


How To Configure Oracle iPlanet Web Server 7.0 To Serve Static Content Without Proxying To Backend Weblogic Server (WLS) ? (Doc ID 1517507.1)


Below are more KM notes written by others in our team:


How To Display Site Under Maintenace Page On Oracle iPlanet Web Server 7.0 for Content Proxied to WebLogic Server? (Doc ID 1538515.1)


Oracle iPlanet Web Server Document Root Files Are Not Served and Intercepted by WebLogic Plugin (Doc ID 1432075.1)


Setup a Single 404 Response page in Oracle iPlanet Web Server When Used With the WebLogic Plugin (Doc ID 1391638.1)


Oracle iPlanet Web Server Can't Start After Configuring the WebLogic Proxy Plugin (Doc ID 1551302.1)


Simple Script to Download Perfdump Output Into a File For Later Analysis in Oracle iPlanet (former SunONE) Web Server

 


Before we can performance tune the web server, we need to know some stats and numbers during runtime. I wrote this KM note to capture the numbers/stats automatically for later reviews.


See


Simple Script to Download Perfdump Output Into a File For Later Analysis in Oracle iPlanet Web Server (Doc ID 1304328.1)


You can log in to My Oracle Support (MOS) and see the details there.

How to Decrypt and View SSL Snoop Data With Wireshark for Oracle iPlanet (former SunONE) Web Server ?

It is often useful to see SSL (HTTPS) traffic content in clear text for troubleshooting purposes, e.g. to examine which header and cookie values are inside when something does not work.


I wrote this KM note:


How to Decrypt and View SSL Snoop Data With Wireshark for Oracle iPlanet Web Server (Doc ID 1455999.1)


which shows the steps needed to do this.


It is not only for Oracle iPlanet Web Server; the same steps can be used to examine SSL traffic on other SSL servers.


You can log in to My Oracle Support (MOS) and see the details there.

How To Enhance Security on Oracle iPlanet (former SunONE) Web Server 7.0?

Web server security is a very important topic, so I wrote this Oracle KM note on this topic:


How To Enhance Security on Oracle iPlanet Web Server 7.0? (Doc ID 1500326.1)


I added many security tips inside, e.g. how to avoid XSS, CSRF, Slowloris, etc...


You can log in to My Oracle Support (MOS) and see the details there.


Thursday Aug 11, 2011

How to Set POST Request Body Size Limit In Oracle iPlanet Web Server 6.1 and 7.0

Very often, you want to set a POST request body size limit in a web server, for various reasons.

I wrote two new Oracle KM docs on this topic:

1. How to Set POST Request Body Size Limit In Oracle iPlanet Web Server 6.1 (Doc ID 1327832.1)

2. How To Set POST Request Body Size Limit In Oracle iPlanet Web Server 7 (Doc ID 1297025.1)

You can log in to My Oracle Support (MOS) and see the details there.


Thursday Jun 11, 2009

How to generate CSR with SHA1 (Signature Algorithm) with certutil in Web 6.1 SPx

If your security auditor asks about an SSL certificate that uses MD5 as its Signature Algorithm (e.g. http://www.kb.cert.org/vuls/id/836068 ) in web server 6.1SPx, then you can upgrade to 6.1SP11, which defaults to SHA1 in the CSR, e.g.


    Signature Algorithm: sha1WithRSAEncryption

If you cannot upgrade to 6.1SP11 now, then you can create a new CSR with SHA1 using the certutil -Z option.

e.g. I did an example with -Z below for your reference,

apple:/export/home/iws6.1sp7> ./bin/https/admin/bin/certutil -R -s "CN=hostname.domain.com,OU=Company,O=Company,L=Anytown,ST=New York,C=US" -a -o /tmp/testSHA1.csr -k rsa -g 2048 -v 12 -d /export/home/iws6.1sp7/alias -P https-apple-apple- -Z SHA1

(Note: you need to change -d and -P to match what you have at your site!)

Enter Password or Pin for "NSS Certificate DB": <password to your web server security DB>

A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!

Continue typing until the progress meter is full:

|************************************************************|

Finished.  Press enter to continue:

Generating key.  This may take a few moments...

apple:/export/home/iws6.1sp7> ls -l /tmp/testSHA1.csr

-rw-rw----   1 root     other       1247 May 26 13:57 /tmp/testSHA1.csr

apple:/export/home/iws6.1sp7> cat /tmp/testSHA1.csr

Certificate request generated by Netscape certutil

....

-----BEGIN NEW CERTIFICATE REQUEST-----

MIICxjCCAa4CAQAwgYAxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNl
...............

OesYDTs6R/KTs6R9o/GX/07eAhMO7m+sBQhd4Q29WUu3mkWRqbVzn9CE

-----END NEW CERTIFICATE REQUEST-----

Then go to
http://www.ssldirect.com/ssltools/decode/csr/decode_csr_certificate_signing_request.html

to verify that the CSR now uses SHA1:

......

Public Key Information
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Exponent: 65537 (0x10001)

Attributes
None
 

CSR Signature

Signature Algorithm: sha1WithRSAEncryption 
(see it is SHA1 , instead of MD5)

If you do not add the -Z  SHA1 at the end, then it will be

Signature Algorithm: md5WithRSAEncryption  *** instead

Then you can submit this CSR (with SHA1) to a CA, e.g. Verisign to sign it.

After you install the new SSL certificate, you can check that it is OK.

e.g. I added the new SSL cert as "new dumpy cert1" below,

apple:/export/home/iws6.1sp7/alias> /export/home/iws6.1sp7/bin/https/admin/bin/certutil -L -d /export/home/iws6.1sp7/alias -P https-apple-apple-
1000year CT,,
myissuer Cu,Cu,Cu
Server-Cert u,u,u
new dumpy cert1 *** u,u,u

then I can examine the inside of this new SSL cert,

apple:/export/home/iws6.1sp7/alias> /export/home/iws6.1sp7/bin/https/admin/bin/certutil -L -n "new dumpy cert1" -d /export/home/iws6.1sp7/alias -P https-apple-apple-
Certificate:

Data:
Version: 3 (0x2)
Serial Number:
00:a7:a9:fa:ed:f9:50:f7:7d
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption

or

apple:/export/home/iws6.1sp7/alias> /export/home/iws6.1sp7/bin/https/admin/bin/certutil -L -n "new dumpy cert1" -d /export/home/iws6.1sp7/alias -P https-apple-apple- | grep -i SHA
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Fingerprint (SHA1):

see more at

http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html


How to disable directory listing in web 6.1SPx ?

If your security auditor said you need to disable the directory listing in your web 6.1SPx server, then you can do this in Admin GUI - Document Preferences - Directory Indexing - None. You can add an error response page too to send back when a request is asking for directory indexing.


The obj.conf will then look like below,


Service method="(GET|HEAD)" type="magnus-internal/directory" fn="send-error" path="/export/home/iws6.1sp9/docs/error.html"


Then restart the web server for the change to take effect.


If you just comment out the default line below,


#Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"


Then the end-user will see a Method Not Allowed in the browser when they request a directory listing. They will not see the custom error page as above.
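Added example (not part of the original post): a small Python audit that reads obj.conf text and reports which of the three cases above applies to directory requests. The function and constant names are this example's own, the obj.conf fragments are constructed samples, and `index-simple` is included as the other directory-listing Service function.

```python
import re

PARAM = re.compile(r'([\w-]+)="([^"]*)"')
DIR_TYPE = "magnus-internal/directory"

def directory_request_handling(obj_conf_text):
    """Return (verdict, detail) for how directory requests are answered."""
    for line in obj_conf_text.splitlines():
        line = line.strip()
        if not line.startswith("Service "):   # also skips '#'-commented directives
            continue
        params = dict(PARAM.findall(line))
        if params.get("type") != DIR_TYPE:
            continue
        # The first Service directive that matches the request is the one executed.
        fn = params.get("fn", "")
        if fn in ("index-common", "index-simple"):
            return ("listing-enabled", fn)
        if fn == "send-error":
            return ("custom-error-page", params.get("path", ""))
        return ("other-handler", fn)
    # No active directory handler: the post describes a Method Not Allowed response.
    return ("method-not-allowed", "")

# Constructed obj.conf fragments for the three cases described above.
FILE_SERVICE = 'Service method="(GET|HEAD|POST)" type="*~magnus-internal/*" fn="send-file"\n'
LISTING = 'Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"\n' + FILE_SERVICE
ERROR_PAGE = ('Service method="(GET|HEAD)" type="magnus-internal/directory" fn="send-error" '
              'path="/export/home/iws6.1sp9/docs/error.html"\n' + FILE_SERVICE)
COMMENTED = "#" + LISTING

if __name__ == "__main__":
    for name, conf in (("default", LISTING), ("error page", ERROR_PAGE), ("commented", COMMENTED)):
        print(name, directory_request_handling(conf))
```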







About

to share tips and experience in Oracle products, e.g. SunONE / iPlanet Web server, Weblogic server, Web protocols, security and performance.
