Thursday Aug 11, 2011

How to Set POST Request Body Size Limit In Oracle iPlanet Web Server 6.1 and 7.0

Very often you need to set a POST request body size limit in a web server, for various reasons (e.g. to cap the resources a single request can consume).

I wrote two new Oracle KM docs on this topic:

1. How to Set POST Request Body Size Limit In Oracle iPlanet Web Server 6.1 (Doc ID 1327832.1)

2. How To Set POST Request Body Size Limit In Oracle iPlanet Web Server 7 (Doc ID 1297025.1)

You can log in to My Oracle Support (MOS) and see the details there.


Thursday Jun 11, 2009

How to generate CSR with SHA1 (Signature Algorithm) with certutil in Web 6.1 SPx

If the security auditor asks about an SSL certificate that uses MD5 as its Signature Algorithm (see e.g. http://www.kb.cert.org/vuls/id/836068 on MD5 collision attacks against certificates) in web server 6.1SPx,

then you can upgrade to 6.1SP11, whose certutil defaults to SHA1 in the CSR, e.g.

    Signature Algorithm: sha1WithRSAEncryption

If you cannot upgrade to 6.1SP11 now, you can instead create a new CSR signed with SHA1 using the certutil -Z option.

e.g. I did an example with -Z below for your reference,

apple:/export/home/iws6.1sp7> ./bin/https/admin/bin/certutil -R \
  -s "CN=hostname.domain.com,OU=Company,O=Company,L=Anytown,ST=New York,C=US" \
  -a -o /tmp/testSHA1.csr -k rsa -g 2048 -v 12 \
  -d /export/home/iws6.1sp7/alias -P https-apple-apple- -Z SHA1

(Note - you need to change -d and -P to match what you have at your site!)

Enter Password or Pin for "NSS Certificate DB": <password to your web server security DB>

A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!

Continue typing until the progress meter is full:

|************************************************************|

Finished.  Press enter to continue:

Generating key.  This may take a few moments...

apple:/export/home/iws6.1sp7> ls -l /tmp/testSHA1.csr

-rw-rw----   1 root     other       1247 May 26 13:57 /tmp/testSHA1.csr

apple:/export/home/iws6.1sp7> cat /tmp/testSHA1.csr

Certificate request generated by Netscape certutil

....

-----BEGIN NEW CERTIFICATE REQUEST-----

MIICxjCCAa4CAQAwgYAxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNl
...............

OesYDTs6R/KTs6R9o/GX/07eAhMO7m+sBQhd4Q29WUu3mkWRqbVzn9CE

-----END NEW CERTIFICATE REQUEST-----

then paste it into a CSR decoder such as
http://www.ssldirect.com/ssltools/decode/csr/decode_csr_certificate_signing_request.html

to verify that it is SHA1 now (or decode it locally with "openssl req -noout -text -in /tmp/testSHA1.csr", which avoids sending the request to a third-party site),

......

Public Key Information
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Exponent: 65537 (0x10001)

Attributes
None
 

CSR Signature

Signature Algorithm: sha1WithRSAEncryption 
(see: it is SHA1 now, instead of MD5)

If you do not add -Z SHA1 at the end, it will instead be

Signature Algorithm: md5WithRSAEncryption  ***

Note that SHA-1 itself has since been deprecated for certificate signatures and public CAs no longer accept SHA-1 requests; on an NSS build that supports it, the same option takes -Z SHA256.
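For an offline check, here is an added example of my own (not code from this post, and not part of NSS certutil): a small DER walker that reports the signature algorithm of a CSR or certificate in PEM or DER form, so the request never has to leave the machine. The OID table and the fake_csr() helper, which builds a dummy request out of filler bytes so the script runs without a real key, are my assumptions; in practice point signature_algorithm() at /tmp/testSHA1.csr, or at a certificate exported in ASCII with certutil -L -n <nickname> -a.

```python
# Added example (not from the blog post or from NSS certutil): report the
# signature algorithm of a PEM or DER CSR/certificate locally, instead of
# pasting the request into a third-party decoder web page.  A PKCS#10 request
# and an X.509 certificate share the outer DER shape
#   SEQUENCE { SEQUENCE tbs, SEQUENCE signatureAlgorithm, BIT STRING signature }
# so one small DER walker answers both "is the new CSR SHA1?" and "is the
# installed cert still MD5?".  fake_csr() builds a constructed dummy request
# (filler tbs and signature bytes) so the script runs offline.
import base64
import re

SIG_ALG_NAMES = {                          # OIDs an auditor is likely to ask about
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def der_tlv(buf, off=0):
    """Decode one DER TLV at buf[off] -> (tag, content, offset after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def der_children(content):
    """Elements of a constructed value (SEQUENCE/SET) as (tag, content) pairs."""
    out, off = [], 0
    while off < len(content):
        tag, val, off = der_tlv(content, off)
        out.append((tag, val))
    return out

def decode_oid(raw):
    """DER OID content bytes -> dotted string."""
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def to_der(data):
    """Accept raw DER or PEM text; certutil -a prints comment lines before the
    armor, so only the text between the BEGIN/END markers is base64-decoded."""
    if isinstance(data, bytes) and data[:1] == b"\x30":
        return data
    text = data.decode() if isinstance(data, bytes) else data
    m = re.search(r"-----BEGIN[^-]*-----(.*?)-----END[^-]*-----", text, re.S)
    return base64.b64decode("".join((m.group(1) if m else text).split()))

def signature_algorithm(data):
    """(dotted OID, name) of the outer signatureAlgorithm of a CSR or certificate."""
    tag, outer, _ = der_tlv(to_der(data))
    parts = der_children(outer) if tag == 0x30 else []
    if len(parts) != 3 or parts[1][0] != 0x30 or parts[2][0] != 0x03:
        raise ValueError("not a CertificationRequest/Certificate SEQUENCE")
    oid_tag, oid_val = der_children(parts[1][1])[0]
    if oid_tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = decode_oid(oid_val)
    return oid, SIG_ALG_NAMES.get(oid, "unknown")

def is_weak(data, allow_sha1=True):
    """True for MD5; with allow_sha1=False also for SHA-1, which public CAs
    stopped accepting in the years after this post."""
    name = signature_algorithm(data)[1]
    return name == "md5WithRSAEncryption" or (not allow_sha1 and name == "sha1WithRSAEncryption")

# --- constructed input: the right DER skeleton, not a real request -----------
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return _tlv(0x06, out)

def fake_csr(sig_oid):
    """PEM text shaped like certutil -a output, 'signed' with the given algorithm OID."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x04, b"\xaa" * 200))   # >127 bytes: long-form length
    alg = _tlv(0x30, _oid(sig_oid) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" + b"\x55" * 256)
    b64 = base64.b64encode(_tlv(0x30, tbs + alg + sig)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return ("Certificate request generated by Netscape certutil\n"
            "-----BEGIN NEW CERTIFICATE REQUEST-----\n" + body +
            "\n-----END NEW CERTIFICATE REQUEST-----\n")

if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5"):
        print(signature_algorithm(fake_csr(oid)), "WEAK" if is_weak(fake_csr(oid)) else "ok")
```

The walker only reads the outer signatureAlgorithm, which is what the CA and the browser act on; the copy inside tbsCertificate (the second "Signature Algorithm" line that certutil -L prints) must match it, and a mismatch is itself a reason to reject the file.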

Then you can submit this CSR (with SHA1) to a CA, e.g. Verisign, to sign it.

After you install the new SSL certificate, you can check it with certutil -L.

e.g. I added the new SSL cert as "new dumpy cert1" below,

apple:/export/home/iws6.1sp7/alias> /export/home/iws6.1sp7/bin/https/admin/bin/certutil -L -d /export/home/iws6.1sp7/alias -P https-apple-apple-
1000year CT,,
myissuer Cu,Cu,Cu
Server-Cert u,u,u
new dumpy cert1 *** u,u,u

then I can examine the inside of this new SSL cert,

apple:/export/home/iws6.1sp7/alias> /export/home/iws6.1sp7/bin/https/admin/bin/certutil -L -n "new dumpy cert1" -d /export/home/iws6.1sp7/alias -P https-apple-apple-
Certificate:

Data:
Version: 3 (0x2)
Serial Number:
00:a7:a9:fa:ed:f9:50:f7:7d
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption

or

apple:/export/home/iws6.1sp7/alias> /export/home/iws6.1sp7/bin/https/admin/bin/certutil -L -n "new dumpy cert1" -d /export/home/iws6.1sp7/alias -P https-apple-apple- | grep -i SHA
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Fingerprint (SHA1):

see more at

http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html


how to disable directory listing in web 6.1SPx ?

If your security auditor says you need to disable directory listing in your web 6.1SPx server, you can do this in the Admin GUI - Document Preferences - Directory Indexing - None. You can also add an error response page to send back when a request asks for a directory index.


The obj.conf will then look like below,


Service method="(GET|HEAD)" type="magnus-internal/directory" fn="send-error" path="/export/home/iws6.1sp9/docs/error.html"


then restart the server for the change to take effect.


If you just comment out the default line below,


#Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"


Then end users will see "Method Not Allowed" in the browser when they request a directory listing; they will not see the custom error page shown above.







Friday May 15, 2009

web 6.1 SP11 64-bit download

If you need to use 64-bit web 6.1 SP11, you can download it at



https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_SMI-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=SJWS-6.1-SP11-OTH-G-F@CDS-CDS_SMI


This gives the webservd process a much larger virtual address space.


e.g. for a 32-bit process, the theoretical max. memory per process = 4 GB,


a pmap will show,


vm40:/wlee/bits/tmp-web7.0u5> pmap 16908 | more
16908:  webservd -d /wlee/7.0u4/run/https-vm40.singapore.sun.com/config -r /wl
00010000       8K r-x--  /wlee/7.0u4/run/lib/webservd
00020000       8K rwx--  /wlee/7.0u4/run/lib/webservd
00022000      56K rwx--    [ heap ]
00030000    3904K rwx--    [ heap ]
00400000  167936K rwx--    [ heap ]
DB87A000       8K rwx-R    [ stack tid=285 ]


......(note the addresses above are 8 hex digits, 4 bits each = 32-bit addresses)


but if we are running 64-bit, then the pmap will show,


vm40:/wlee> pmap 3799 | more
3799:   webservd -d /wlee/7.0u5-64/https-vm40.singapore.sun.com/config -r /wle
0000000100000000          8K r-x--  /wlee/7.0u5-64/lib/sparcv9/webservd
0000000100100000          8K rwx--  /wlee/7.0u5-64/lib/sparcv9/webservd
0000000100102000         56K rwx--    [ heap ]
0000000100110000       3008K rwx--    [ heap ]
0000000100400000     217088K rwx--    [ heap ]
FFFFFFFF3FCFA000          8K rw--R    [ stack tid=284 ]


......(note the addresses above are 16 hex digits, 4 bits each = 64-bit addresses), so the theoretical max. memory per process is far larger (16 TB on this SPARC platform) and no longer capped at 4 GB, but of course it is still limited by other factors, e.g. physical RAM and swap space, etc.


If you need more memory for your web server process (assuming you do not have any memory leaks in your application, etc.), then one option is to run it as a 64-bit process.
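To make the 32- versus 64-bit distinction checkable from a script rather than by counting hex digits, here is an added example of my own (not from this post): it parses the two pmap excerpts above, reports the address width, totals the mappings by kind, and for a 32-bit process shows how much of the 4 GB address space is still free. The function names and the 4 GB ceiling for 32-bit are my assumptions; the input is the post's own pmap output minus the trailing "total" line.

```python
# Added example (not from the blog post): read Solaris `pmap <pid>` output to
# tell whether webservd is a 32- or 64-bit process, total its mappings by kind,
# and report how close a 32-bit process is to the 4 GB ceiling.  PMAP_32 and
# PMAP_64 are the excerpts shown in the post (without their 'total' lines), so
# the sums below cover only those lines.
import re

MAPPING = re.compile(r"^([0-9A-Fa-f]+)\s+(\d+)K\s+(\S+)\s+(.*)$")

PMAP_32 = """16908:  webservd -d /wlee/7.0u4/run/https-vm40.singapore.sun.com/config -r /wl
00010000       8K r-x--  /wlee/7.0u4/run/lib/webservd
00020000       8K rwx--  /wlee/7.0u4/run/lib/webservd
00022000      56K rwx--    [ heap ]
00030000    3904K rwx--    [ heap ]
00400000  167936K rwx--    [ heap ]
DB87A000       8K rwx-R    [ stack tid=285 ]
"""

PMAP_64 = """3799:   webservd -d /wlee/7.0u5-64/https-vm40.singapore.sun.com/config -r /wle
0000000100000000          8K r-x--  /wlee/7.0u5-64/lib/sparcv9/webservd
0000000100100000          8K rwx--  /wlee/7.0u5-64/lib/sparcv9/webservd
0000000100102000         56K rwx--    [ heap ]
0000000100110000       3008K rwx--    [ heap ]
0000000100400000     217088K rwx--    [ heap ]
FFFFFFFF3FCFA000          8K rw--R    [ stack tid=284 ]
"""

def parse_pmap(text):
    """(start_address, size_kb, perms, name) per mapping line; the 'pid: cmd'
    header and the trailing 'total' line do not match and are skipped."""
    out = []
    for line in text.splitlines():
        m = MAPPING.match(line.strip())
        if m:
            out.append((int(m.group(1), 16), int(m.group(2)), m.group(3), m.group(4).strip()))
    return out

def address_bits(text):
    """32 if pmap prints 8 hex digits per address, 64 if it prints 16."""
    for line in text.splitlines():
        m = MAPPING.match(line.strip())
        if m:
            return 32 if len(m.group(1)) <= 8 else 64
    raise ValueError("no mapping lines found")

def kb_by_kind(text):
    """Sum sizes per kind: 'heap', 'stack', or the basename of the mapped file."""
    totals = {}
    for _, kb, _, name in parse_pmap(text):
        kind = "heap" if "[ heap ]" in name else "stack" if "[ stack" in name else name.rsplit("/", 1)[-1]
        totals[kind] = totals.get(kind, 0) + kb
    return totals

def headroom_kb(text):
    """KB of address space left under the 4 GB ceiling for a 32-bit process;
    None for 64-bit, where the ceiling is far above anything webservd maps."""
    if address_bits(text) != 32:
        return None
    return 4 * 1024 * 1024 - sum(kb for _, kb, _, _ in parse_pmap(text))

if __name__ == "__main__":
    for label, text in (("32-bit", PMAP_32), ("64-bit", PMAP_64)):
        print(label, address_bits(text), kb_by_kind(text), "headroom KB:", headroom_kb(text))
```

Run it on a full pmap capture (pmap <pid> > webservd.pmap) rather than the excerpt; a 32-bit webservd whose headroom keeps shrinking between captures is the case where the 64-bit build helps, and one whose heap grows without bound is a leak that a 64-bit build only postpones.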





web 6.1 Reverse Proxy Plug-in 1.0.2 is out !

Hi,


I just got the news that Reverse Proxy Plug-in 1.0.2 for Sun Java System Web Server 6.1 SP11 has been released. Please try it at


https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_SMI-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=SJWS-6.1SP11-RPAddOn1.0.2-G-F@CDS-CDS_SMI

The Release Notes are here: http://docs.sun.com/app/docs/doc/820-7660

Proxy 4.0.10 is out !

This new version of the proxy server was released on 5/5/2009. FYI.


It can be publicly downloaded at:
https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_SMI-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=SJPrxySrv-4.0.10-OTH-G-F@CDS-CDS_SMI

Release Notes:
http://docs.sun.com/app/docs/doc/820-7445

This release fixes a number of known issues, so it is worth trying.

Friday May 08, 2009

Web Server 6.1 SP11 is out now !

I just got the internal news that this latest version has been released.


Download :


https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_SMI-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=SJWS-6.1-SP11-OTH-G-F@CDS-CDS_SMI


Release notes :


http://docs.sun.com/app/docs/doc/820-7659


Please try it out.

Friday Apr 03, 2009

Web Server 7.0 Update 5 is out !

Web 7.0u5 is out now. From an email from our staff:


"


It can be publicly downloaded at:
https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_SMI-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=SJWS-7.0U5-OTH-G-F@CDS-CDS_SMI

The Release Notes are here:
http://wikis.sun.com/display/WebServerdocs/Release+Notes


In addition to customer escalation & other bug fixes (>50) this release also contains important bug-fixes related to performance enhancement.
http://wikis.sun.com/display/WebServerdocs/Release+Notes#ReleaseNotes-IssuesResolvedinWebServer7.0Update5
 
All users of Web Server 7.0 through Web Server 7.0 Update 4 are encouraged to upgrade.

"


So, please try it.

Tuesday Feb 10, 2009

Proxy Server 3.6 SP12 is out

I just got an email about this new version of Proxy 3.6.


However, please plan for an upgrade to Proxy 4.0 (4.0.9 is the latest as of Feb 2009).


email from our Sustaining manager,


"


Proxy Server 3.6 SP12 has been released:


https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_SMI-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=SJPrxySrv-3.6SP12-OTH-G-F@CDS-CDS_SMI

This URL is publicly accessible and can be given to customers waiting for it.


Release Notes:: Unix Platform:: http://docs.sun.com/source/820-5882/
Release Notes:: Windows Platform:: http://docs.sun.com/source/820-5883/


"



Walter

Friday Jan 16, 2009

How to disable other methods in web server 6 ?

Sometimes you need to disable HTTP methods that you do not use in web 6.1SPx. You can do that by adding a Client block to the default object inside obj.conf.

1. In web 6.1 (for 7.0, please see the comments below by Meena), add

<Client method=("INDEX"|"OPTIONS"|"DELETE"|"PUT"|"MOVE"|"TRACE"|"MKDIR"|"RMDIR")>
AuthTrans fn="set-variable" remove-headers="transfer-encoding" set-headers="content-length: -1" error="501"
</Client>

(NOTE - the <Client method ...> line and the AuthTrans ... line must each be on ONE single line in obj.conf; if they appear wrapped here, that is only the formatting of this page.)

as below :

apple:/export/home/iws6.1sp10/https-methods/config> cat obj.conf
# You can edit this file, but comments and formatting changes
# might be lost when the admin server makes changes.

<Object name="default">
AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
<Client method=("INDEX"|"OPTIONS"|"DELETE"|"PUT"|"MOVE"|"TRACE"|"MKDIR"|"RMDIR")>
AuthTrans fn="set-variable" remove-headers="transfer-encoding" set-headers="content-length: -1" error="501"
</Client>
....

then restart the server and it will work.

2. tests:

a. INDEX :

apple:/export/home/iws6.1sp10/https-methods/config> telnet apple 60106
Trying 129.158.175.16...
Connected to apple.
Escape character is '^]'.
INDEX / HTTP/1.1
Host: apple

HTTP/1.1 501 Not Implemented
Server: Sun-ONE-Web-Server/6.1
Date: Fri, 16 Jan 2009 05:56:34 GMT
Content-length: 148
Content-type: text/html
Connection: close

<HTML><HEAD><TITLE>Not Implemented</TITLE></HEAD>
<BODY><H1>Not Implemented</H1>
This server does not implement the requested method.
</BODY></HTML>Connection closed by foreign host.

b. OPTIONS :

apple:/export/home/iws6.1sp10/https-methods/config> telnet apple 60106
Trying 129.158.175.16...
Connected to apple.
Escape character is '^]'.
OPTIONS /banner.html HTTP/1.1
Host: apple

HTTP/1.1 501 Not Implemented
Server: Sun-ONE-Web-Server/6.1
Date: Fri, 16 Jan 2009 05:56:58 GMT
Content-length: 148
Content-type: text/html
Connection: close

<HTML><HEAD><TITLE>Not Implemented</TITLE></HEAD>
<BODY><H1>Not Implemented</H1>
This server does not implement the requested method.
</BODY></HTML>Connection closed by foreign host.
apple:/export/home/iws6.1sp10/https-methods/config>

c. TRACE method:

apple:/export/home/iws6.1sp10/https-methods/config> telnet apple 60106
Trying 129.158.175.16...
Connected to apple.
Escape character is '^]'.
TRACE /index.html HTTP/1.1
Host: apple
X-header: test

HTTP/1.1 501 Not Implemented
Server: Sun-ONE-Web-Server/6.1
Date: Fri, 16 Jan 2009 05:57:32 GMT
Content-length: 148
Content-type: text/html
Connection: close

<HTML><HEAD><TITLE>Not Implemented</TITLE></HEAD>
<BODY><H1>Not Implemented</H1>
This server does not implement the requested method.
</BODY></HTML>Connection closed by foreign host.
apple:/export/home/iws6.1sp10/https-methods/config>

3. Some may prefer to restrict these methods with an ACL instead, but an ACL only protects them for as long as its credentials stay secret: an attacker who obtains the ACL uid/password can use the methods again.

So, if the above methods are not needed, it is better to disable them outright as above.

4. you can see a list of methods at

http://www.ietf.org/rfc/rfc2616.txt

e.g. section 9 Method Definitions
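To verify the obj.conf change without typing each telnet session by hand, here is an added example of my own (not from this post): it sends one raw request per method over a socket, as the sessions above do, and lists any unwanted method the server still answers with a 2xx/3xx. The two handler classes are constructed stand-ins (one lax, one hardened) so the script runs offline against 127.0.0.1; against a real server, call probe_methods() with its host and port.

```python
# Added example (not from the blog post): probe which HTTP methods a server
# answers, the same check the telnet sessions above do by hand, as a script
# you can re-run after every obj.conf change or upgrade.  The two handler
# classes at the bottom are constructed stand-ins for a lax and a hardened
# web server so the script runs offline; in practice point probe_methods()
# at the real host and port.
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

UNWANTED = ("INDEX", "OPTIONS", "DELETE", "PUT", "MOVE", "TRACE", "MKDIR", "RMDIR")
METHODS = ("GET", "HEAD") + UNWANTED

def parse_status_line(data):
    """b'HTTP/1.1 501 Not Implemented\\r\\n...' -> 501; unparseable -> 0."""
    words = data.split(b"\r\n", 1)[0].split()
    if len(words) >= 2 and words[0].startswith(b"HTTP/") and words[1].isdigit():
        return int(words[1])
    return 0

def raw_request(host, port, method, path="/", timeout=5.0):
    """Send one minimal HTTP/1.1 request over a plain socket and return the status
    code; 'Connection: close' lets us read until the server hangs up."""
    req = f"{method} {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_status_line(b"".join(chunks))

def probe_methods(host, port, methods=METHODS):
    """{method: status code} as the server reports it."""
    return {m: raw_request(host, port, m) for m in methods}

def still_enabled(results, unwanted=UNWANTED):
    """Unwanted methods the server did not refuse (any status below 400 counts as accepted)."""
    return sorted(m for m in unwanted if 0 < results.get(m, 0) < 400)

# --- constructed local stand-ins -------------------------------------------
class HardenedHandler(BaseHTTPRequestHandler):
    """Serves GET/HEAD only; BaseHTTPRequestHandler answers 501 for any other
    method, which matches the 'Not Implemented' the obj.conf rule produces."""
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")
    def do_HEAD(self):
        self.send_response(200)
        self.end_headers()
    def log_message(self, *args):        # keep the demo quiet
        pass

class LaxHandler(HardenedHandler):
    """Same, but also accepts OPTIONS and echoes TRACE, as an unhardened server might."""
    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET, HEAD, OPTIONS, TRACE")
        self.end_headers()
    def do_TRACE(self):
        body = self.requestline.encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def start_server(handler):
    """Start `handler` on 127.0.0.1 and an ephemeral port; returns (port, server)."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1], srv

if __name__ == "__main__":
    for name, handler in (("lax", LaxHandler), ("hardened", HardenedHandler)):
        port, srv = start_server(handler)
        results = probe_methods("127.0.0.1", port)
        srv.shutdown(); srv.server_close()
        print(name, results, "still enabled:", still_enabled(results))
```

Treat an empty still_enabled() list as the pass condition, and keep the probe in whatever check you run after patching: a service pack that rewrites obj.conf, or an admin GUI save that drops the hand-edited Client block, silently re-enables the methods.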

 


 

Friday Jan 02, 2009

Sun Java System Web Proxy Server 4.0.9 is out !

Hi, 


I just found that we have

Sun Java System Web Proxy Server 4.0.9 available now at:


https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_SMI-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=SJPrxySrv-4.0.9-OTH-G-F@CDS-CDS_SMI


docs can be found at:


http://docs.sun.com/app/docs/coll/1311.9?l=en


The corresponding patch IDs are:


1. Solaris: 120981-16


Sun Java System Web Proxy Server 4.0.9, Solaris (SVR4 patch): Maintenance Release Patch


2. x86: 120982-16


Sun Java System Web Proxy Server 4.0.9, _x86 (SVR4 patch): Maintenance Release Patch


3. Redhat: 120983-16


Sun Java System Web Proxy Server 4.0.9 RHEL3.0 :Maintenance Release Patch


Thursday Jan 01, 2009

how to bypass RPP and AM agent to get perfdump

Sometimes you want to get perfdump (/.perf) from web or proxy servers, but the RPP or AM agent may get in the way. You can try the following:


 1. Follow the steps to enable perfdump at


http://docs.sun.com/app/docs/doc/820-5719/abyaq?l=en&a=view&q=perfdump


 2. If you have RPP in your web server, then add


<Client match="none" uri="/.perf">

NameTrans fn="map" from="/" name="reverse-proxy-/" to="http:/"
</Client> 


then both perfdump and the RPP will work: the <Client match="none" uri="/.perf"> wrapper applies the reverse-proxy mapping to every URI except /.perf, so a request for /.perf is served locally while everything else is still proxied.

3. If you have the AM agent in your proxy server, then


................ 


NameTrans fn="assign-name" name="stats-xml" from="(/stats-xml|/stats-xml/.*)"
NameTrans fn="assign-name" name="statistics" from="/.abc/.statistics"
................


PathCheck fn="url-check"
<Client match="none" uri="/.abc(/.*|)">
PathCheck fn="validate_session_policy"
</Client>

Service fn="deny-service"
AddLog fn="flex-log" name="access"
</Object>


.........


<Object name="stats-xml">
Service fn="stats-xml"
</Object>

<Object name="statistics">
Service fn="service-dump"
</Object>


 then a request for the statistics will work without the AM agent PathCheck. Note that this also means /.abc/.statistics (and /stats-xml) is now reachable without AM authentication, so restrict those URIs by ACL or source address if the server is not on a trusted network.





Monday Dec 15, 2008

web 7.0 u4 is out now

Hi, 


I just got this from our PM, Joe:


"I am delighted to announce that Web Server 7.0 Update 4 has been
released. It can be publicly downloaded at:


http://tinyurl.com/ws70u4

and will be showing up on the various download pages later today.


The Release Notes are here:
http://docs.sun.com/app/docs/doc/820-6373/gdutz?a=view

In addition to bug fixes and stability improvements (>40,
http://docs.sun.com/app/docs/doc/820-6373/ghyks?a=view ), this release
introduces better compatibility with CGI and FastCGI applications by
providing REQUEST_URI and SCRIPT_FILENAME variables, support for
default-sun-web.xml, and certification of OpenSolaris 2008.11 as a
supported platform.


All users of Web Server 7.0 through Web Server 7.0 Update 3 are encouraged to upgrade.


Thank you to the entire product team for another great release!


"


So, please download and try it.


I can see many resolved issues in this latest u4 release, at


http://docs.sun.com/app/docs/doc/820-6373/ghyjt?a=view

Friday Dec 12, 2008

Simple script to download or get perfdump output into a file for later analysis for web 6.1

Today I found a need to run perfdump periodically in web server 6.1 SPx and capture the output into a single file with timestamps for later analysis. I can then look at the various performance numbers of this web server to see if there is any area to tune.


So, I followed the steps at 6.1 docs to enable perfdump,


http://docs.sun.com/app/docs/doc/820-5719/abyaq?l=en&a=view&q=perfdump


then I came across this great blog,


 http://blogs.sun.com/elving/entry/perfdump_in_7_0


which tells how to do it in web 7 easily.


Inside, I also saw,


" (echo "GET /.perf";sleep 1 ) | telnet www.mysite.com 80  "


posted by ttalex on October 20, 2006 at 02:33 AM PDT



So,  I wrote up a simple script to try,


 APPLE:/export/home0/case/7041xxxx-yyy-p1> cat get-perf-2s.ksh
#!/usr/bin/ksh
# Poll /.perf every 2 seconds and write each dump, with a timestamp, to stdout.
while true
do
# 1st: print a separator and the date timestamp
echo "=====================next perf dump======================="
date
# 2nd: fetch /.perf (a bare GET over telnet; the sleep keeps the pipe open until the reply arrives)
(echo "GET /.perf";sleep 1 ) | telnet apple.asia.sun.com 60103
# 3rd: sleep 2s before the next sample
sleep 2
done


Then I chmod a+x the script and run


./get-perf-2s.ksh >> perf.txt


and control-c to stop it after a while,


then  > cat perf.txt
=====================next perf dump=======================
Fri Dec 12 15:06:33 CST 2008
Trying 129.158.175.16...
Connected to apple.
Escape character is '^]'.
webservd pid: 19065

Sun ONE Web Server 6.1SP10 B09/04/2008 10:03 (SunOS DOMESTIC)

Server started Fri Dec 12 14:39:20 2008
Process 19065 started Fri Dec 12 14:39:20 2008

ConnectionQueue:
-----------------------------------------
Current/Peak/Limit Queue Length            0/1/4096
Total Connections Queued                   95
Average Queue Length (1, 5, 15 minutes)    0.00, 0.00, 0.00
Average Queueing Delay                     0.13 milliseconds

ListenSocket ls1:
------------------------
Address                   http://0.0.0.0:60103
Acceptor Threads          1
Default Virtual Server    https-sess

ListenSocket ls2:
------------------------
Address                   http://129.158.175.16:60104
Acceptor Threads          1
Default Virtual Server    land-vs1

KeepAliveInfo:
--------------------
KeepAliveCount        0/256
KeepAliveHits         7
KeepAliveFlushes      0
KeepAliveRefusals     0
KeepAliveTimeouts     3
KeepAliveTimeout      30 seconds

SessionCreationInfo:
------------------------
Active Sessions           1
Keep-Alive Sessions       0
Total Sessions Created    48/128

CacheInfo:
------------------
enabled             yes
CacheEntries        8/1024
Hit Ratio           108/214 ( 50.47%)
Maximum Age         30

Native pools:
----------------------------
NativePool:
Idle/Peak/Limit               1/1/128
Work Queue Length/Peak/Limit  0/0/0

Server DNS cache disabled

Async DNS disabled

Performance Counters:
------------------------------------------------
                           Average         Total      Percent

Total number of requests:                    101
Request processing time:    0.0019        0.1919

default-bucket (Default bucket)
Number of Requests:                          101    (100.00%)
Number of Invocations:                      1307    (100.00%)
Latency:                    0.0003        0.0272    ( 14.18%)
Function Processing Time:   0.0016        0.1647    ( 85.82%)
Total Response Time:        0.0019        0.1919    (100.00%)

Sessions:
----------------------------
Process  Status     Function

19065    response   service-dump
=====================next perf dump=======================
Fri Dec 12 15:06:36 CST 2008
Trying 129.158.175.16...
Connected to apple.
Escape character is '\^]'.
webservd pid: 19065

Sun ONE Web Server 6.1SP10 B09/04/2008 10:03 (SunOS DOMESTIC)

Server started Fri Dec 12 14:39:20 2008
Process 19065 started Fri Dec 12 14:39:20 2008

ConnectionQueue:
-----------------------------------------
Current/Peak/Limit Queue Length            0/1/4096
Total Connections Queued                   96
Average Queue Length (1, 5, 15 minutes)    0.00, 0.00, 0.00
Average Queueing Delay                     0.13 milliseconds

................. repeated itself................


======================================


 So, I hope this simple script helps capture perfdump output in web 6.1.


However, it is still best to upgrade to web 7 and use its CLI for perfdump (in web 7 it works even when the webservd process is hung, which is not the case in web 6.1). Another good reason to upgrade to web 7.
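Once perf.txt holds a few dozen dumps, the interesting part is the change between samples rather than any single dump. Here is an added example of my own (not from this post) that parses the file the script above writes and turns the ever-increasing counters into per-second rates between consecutive dumps; the counter names are my choice, the first dump in SAMPLE is the one shown above (trimmed), and the second dump is constructed, since the post elides its repeat.

```python
# Added example (not from the blog post): turn the perf.txt written by the
# polling script above into a time series and compute per-second rates between
# consecutive dumps, so a counter such as "Total number of requests" becomes a
# request rate.  SAMPLE holds two trimmed dumps: the first is the one shown in
# the post; the second is constructed (counters advanced) because the post
# elides its repeat.
import re
from datetime import datetime

SEPARATOR = "=====================next perf dump======================="
COUNTERS = {                            # perfdump label -> regex capturing its value
    "queue_peak": r"Current/Peak/Limit Queue Length\s+\d+/(\d+)/\d+",
    "conns_queued": r"Total Connections Queued\s+(\d+)",
    "queue_delay_ms": r"Average Queueing Delay\s+([\d.]+) milliseconds",
    "keepalive_used": r"KeepAliveCount\s+(\d+)/\d+",
    "active_sessions": r"Active Sessions\s+(\d+)",
    "requests": r"Total number of requests:\s+(\d+)",
}

SAMPLE = SEPARATOR + """
Fri Dec 12 15:06:33 CST 2008
Trying 129.158.175.16...
Connected to apple.
Escape character is '^]'.
webservd pid: 19065

ConnectionQueue:
-----------------------------------------
Current/Peak/Limit Queue Length            0/1/4096
Total Connections Queued                   95
Average Queue Length (1, 5, 15 minutes)    0.00, 0.00, 0.00
Average Queueing Delay                     0.13 milliseconds

KeepAliveInfo:
--------------------
KeepAliveCount        0/256

SessionCreationInfo:
------------------------
Active Sessions           1

Performance Counters:
------------------------------------------------
Total number of requests:                    101
""" + SEPARATOR + """
Fri Dec 12 15:06:36 CST 2008
Trying 129.158.175.16...
Connected to apple.
Escape character is '^]'.
webservd pid: 19065

ConnectionQueue:
-----------------------------------------
Current/Peak/Limit Queue Length            0/2/4096
Total Connections Queued                   96
Average Queueing Delay                     0.14 milliseconds

KeepAliveInfo:
--------------------
KeepAliveCount        1/256

SessionCreationInfo:
------------------------
Active Sessions           2

Performance Counters:
------------------------------------------------
Total number of requests:                    107
"""

def parse_perf_log(text):
    """One dict per dump: {'time': datetime, <counter>: value, ...}."""
    samples = []
    for chunk in text.split(SEPARATOR)[1:]:
        lines = [l for l in chunk.splitlines() if l.strip()]
        if not lines:
            continue
        stamp = lines[0].split()        # the date(1) line written before each dump
        del stamp[4]                    # drop the zone token (CST): strptime %Z is platform-bound
        sample = {"time": datetime.strptime(" ".join(stamp), "%a %b %d %H:%M:%S %Y")}
        for key, pattern in COUNTERS.items():
            m = re.search(pattern, chunk)
            if m:
                sample[key] = float(m.group(1)) if "." in m.group(1) else int(m.group(1))
        samples.append(sample)
    return samples

def rates(samples, key):
    """(time, per-second change of `key`) for each consecutive pair of dumps."""
    out = []
    for a, b in zip(samples, samples[1:]):
        secs = (b["time"] - a["time"]).total_seconds()
        if secs > 0 and key in a and key in b:
            out.append((b["time"], (b[key] - a[key]) / secs))
    return out

if __name__ == "__main__":
    s = parse_perf_log(SAMPLE)
    print("requests/s:", rates(s, "requests"), "conns queued/s:", rates(s, "conns_queued"))
```

Feed it the real perf.txt with parse_perf_log(open("perf.txt").read()); the counters reset when webservd restarts, so a negative rate marks a restart rather than a measurement error.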



About

Wing-Yip Walter Lee
