|
|
United States-English | |
|
|
 |
|
 HP OpenVMS SystemsSecure Web Server (based on Apache™) |
|
HP Secure Web Server for OpenVMS (based on Apache)
June 2007
Version 2.1-1 for OpenVMS Alpha, based on Apache 2.0.52
Version 2.1-1 for OpenVMS I64, based on Apache 2.0.52 This document
contains information about installing and configuring the HP Secure Web Server
for OpenVMS. It also includes information about running the web server, security
information, and how to build and debug loadable Apache modules. Software Version Hewlett-Packard Company Contents Chapter 1
Installation Requirements and Prerequisites 1.1.1
ODS-5 Disk 1.1.2
Disk Space 1.1.3
Stream_LF File Format
No Longer Required 1.2.1
MultiNet and TCPware Network Products
1.2.2
CSWS_JAVA Requirements 1.2.3
CSWS_PHP Requirements 1.2.5
Building the Apache HTTP Server from
Source Code Chapter 2
Installation and Configuration 2.2
Install the Secure Web Server
2.2.1
Sample Installation
2.3
Configure the Secure Web Server
2.3.1
Configuration Menu 2.3.2
Configuring a Single Server
2.3.3
Sample Configuration of a
Single Server 2.3.4
Configuring Multiple Servers
2.3.5
Sample Configuration of
Multiple Servers 2.3.6
Delete Server Instance
2.3.7
Managing suEXEC 2.3.8
Running the OpenSSL Certificate Tool
2.3.9
Converting Files to Stream_LF
2.3.10
Starting and Stopping the
Secure Web Server 2.3.11
Showing the Status of an Apache
Instance 2.3.13
Managing Multiple Servers
2.3.13.1
HTTPD.CONF 2.3.13.2
APACHE$SETUP.COM and LOGIN.COM
2.3.14
Viewing the OpenSSL Certificate
2.4
Post Configuration Checklist
2.4.1
Configure CSWS_JAVA 2.4.2
Check the CSWS_PERL Configuration
2.4.3
Check the CSWS_PHP Configuration
2.4.4
Run AUTOGEN 2.4.5
Check Disk Quota 2.4.6
Check for SET TERMINAL/INQUIRE
2.5.1
Browser Test 2.5.2
TELNET Test 2.5.3
Troubleshooting 2.6
What's Next 2.7
Merge Changes to Files You Have
Customized 2.8
Installing Optional Modules at a Later
Time Chapter 3
Running the Secure Web Server on OpenVMS 3.1
Starting and Stopping the Server 3.1.1
Starting the Server 3.1.2
Stopping the Server 3.1.2.1
Stopping the Server Using the
Server Process Name 3.2
Server Log File 3.3
Performance Considerations
3.3.1
Limits and Quotas 3.3.2
Server Experiencing Medium to High
Usage 3.3.3
Global Pages and Global Sections
3.3.4
Excessive File Build Up 3.4
Customizing the Server Environment
3.5.1
Apache Modules 3.5.2
Apache 1.3 Modules Not Included
3.5.3
OpenVMS Directives 3.5.4
Command Line Options
3.5.5
Virtual Host Support 3.5.6
Dynamic Shared Object Support
3.5.7
File Handlers 3.5.8
Content Negotiation 3.5.9
Apache API 3.5.10
WebDAV (Distributed Authoring and
Versioning) Support 3.5.10.1
Testing DAV Operation
3.5.11
suEXEC Support 3.5.13
Running MOD_OSUSCRIPT 3.6
File Formats 3.7
Managing File and Directory Access
Controls 3.7.1
Outbound Access to Non-CSWS Files and
Directories 3.7.2
Inbound Access to SWS Files and
Directories 3.8
Logical Names 3.9
OpenVMS Cluster Considerations
3.9.1
Individual System vs. Clusterwide
Definition 3.9.2
Mixed-Architecture (Alpha and VAX)
Cluster 3.10
Common Gateway Interface (CGI)
3.10.1
CGI Environment Variables 3.10.2
Referencing Input 3.10.3
Executing CGI 3.10.4
Logicals for Debugging CGI Scripts
3.10.5
Displaying Graphics with CGI Command
Procedures Chapter 4
Security Information 4.1
Process Model 4.2
Privileges Required to Start and Stop
the Server 4.3
File Ownership and Protection 4.4
Authentication Using OpenVMS Usernames
and Passwords (MOD_AUTH_OPENVMS) 4.4.1
The require group Directive
4.4.2
The require user Directive
4.4.3
Hiding Accounts 4.4.4
MOD_AUTH_OPENVMS Security
Considerations 4.4.5
MOD_AUTH_OPENVMS Examples
4.5
Server Extensions (CGI Scripts, PHP
Scripts, Perl Modules) 4.6
suEXEC in the Secure Web Server
4.6.1
suEXEC Security Model
4.6.2
Configuring suEXEC 4.6.2.1
Using Paths with Logicals in UserDir Directive
4.6.2.2
Using Paths with Device Names in UserDir Directive
4.7
Protecting Server Certificate Keys
Chapter 5
Building and Debugging Loadable Apache Modules for the
Secure Web Server 5.1
The Apache API, Run-Time Library, and
HTTP Request Processing 5.2.1
Defining Your Apache Module
Data Structure Symbol 5.2.2
Compiling a Module 5.2.3
Linking a Module 5.2.4
Example: mod_rewrite
5.2.5
Debugging a User-Built Apache
Module 5.2.5.1
Preparing to debug your module
5.2.5.2
Debugging your module
Chapter 6
Open Source Licenses Chapter 1
Before you can install the Secure Web Server for OpenVMS (based on Apache),
verify that your system meets the minimum hardware and software requirements
described below.
You can install the Secure Web Server for OpenVMS on any
AlphaServer
system running OpenVMS Version 7.3-2 or higher, or any Integrity server system running OpenVMS I64 Version 8.2 or higher.
HP requires that you install the Version 2.1-1 kit on an ODS-5 enabled disk. Important
You must install the V2.1-1 kit on an ODS-5 target volume. If you attempt to install this kit on an ODS-2
volume, the installation will fail.
If you had an existing CSWS V1.3 installation, the failed operation will leave
it in a corrupt state.
Verify that the destination device is an ODS-5 volume by entering a command
similar to the following, where DISK$DKA200 is the disk where you want to
install the Secure Web Server: $ SHOW DEV
DISK$DKA200/FULL Disk
VARMIT$DKA200:, device type COMPAQ BB00923468, is online, mounted, file-oriented
device, shareable, available to cluster, error logging is enabled. Volume Status:
ODS-5, subject to mount verification, file high-water marking, write-back
caching enabled.
The Secure Web Server for OpenVMS Alpha compressed file contains 19,887 blocks.
The expanded PCSI file requires approximately 45,000 blocks of working disk
space to install.
The Secure Web Server for OpenVMS I64 compressed file contains 25,645 blocks.
The expanded PCSI file requires approximately 65,000 blocks of working disk
space to install.
1.1.3
Stream_LF File Format No Longer Required
The Secure Web Server Version 2.1-1 no longer requires that all served files
must be in Stream_LF format. See Converting Files to Stream_LF
for information about a command procedure included in the kit that automatically
converts your files if you choose to do so.
The Secure Web Server requires the following software:
·
HP OpenVMS Alpha Version 7.3-2 or higher
·
HP TCP/IP Services for OpenVMS Version 5.4 or higher (for SWS on
OpenVMS Alpha Version 7.3-2) 1.2.1 MultiNet and
TCPware
Network Products
If you are using MultiNet or
TCPware
from Process Software Corporation instead of HP TCP/IP Services for OpenVMS, you
should be aware of the following information.
The Secure Web Server has been tested and verified using HP TCP/IP Services for
OpenVMS. There are no known problems running the Secure Web Server with other
TCP/IP network products such as MultiNet and TCPware, but HP has not formally tested and verified these
other products. Note MultiNet and TCPware currently
support IPv4 only. If you want to take advantage of the IPv6 support in the
Secure Web Server, you must use HP TCP/IP Services for OpenVMS Version 5.3 or
higher. MultiNet and TCPware require
ECO kits for the Secure Web Server. These ECO kits are subject to change. For
the latest ECO kit information, contact Process Software and ask for the ECO
kits required to run the Secure Web Server for OpenVMS. Send network
connectivity questions regarding the Secure Web Server on
TCPware
and MultiNet via email to support@process.com.
CSWS_JAVA includes the following Apache Jakarta technologies: Tomcat
(JavaServer Pages 1.2, Java Servlet
2.3, MOD_JK, and MOD_JK2) and Ant. (Note: Ant is a partial implementation
of the Jakarta Ant subproject and its use is limited to building the included
sample web applications and simple user-written web applications for Tomcat.)
CSWS_JAVA V3.0 provides Java Servlet 2.4 and JSP 2.0 technology, while CSWS_JAVA
V2.x provides Java Servlet 2.3 and JSP 1.2 technology.
CSWS_JAVA has retired support for CSWS_JSERV. If you want to continue JSERV
support, download CSWS_JAVA Version 1.1 from the CSWS_JAVA for HP Secure Web
Server for OpenVMS web site at
http://h71000.www7.hp.com/openvms/products/ips/apache/csws_java.html.
See the CSWS_JAVA for HP Secure Web Server for OpenVMS web site for CSWS_JAVA
requirements. 1.2.3 CSWS_PHP Requirements
PHP is a server-side, cross-platform, HTML embedded
scripting language that lets you create dynamic web pages. PHP-enabled web pages
are treated the same as regular HTML pages, and you can create and edit them the
way you normally create regular HTML pages.
Chapter 2
Installation and configuration consists of the following steps:
1.
Read the release notes
2.
Install the server and optional modules
3.
Configure the server
4.
Review the post configuration checklist
5.
Test the installation
·
Secure Web Server for OpenVMS (CSWS) Version
2.1 and higher -or- 1.3-1
·
CSWS_PHP Version 1.3 or higher
·
CSWS_PERL Version 2.1 or higher and PERL for
OpenVMS Version 5.8.6 or higher
·
CSWS_JAVA Version 3.0 or higher Note Earlier versions of these optional kits will not work with Secure
Web Server Version 2.1-1. You can install the Secure Web Server by itself
or with one or more of the optional modules. You can install the optional modules later if you
choose.
Before you begin, do the following:
1.
Decide what you want to install.
2.
Review the software requirements for the server and
each optional module you are installing.
3.
Decide where you want to install the kit. Note The Secure Web Server and
CSWS_PHP must be installed in the same directory (required). By default, the Secure
Web Server and CSWS_PHP are installed in SYS$COMMON. However, HP recommends that
you specify another location. CSWS_JAVA can be
installed into a different disk or directory from the Secure Web Server. HP recommends that you shut down the
Secure Web Server (and Tomcat, which runs as a separate process) before
installing a new version of any component: CSWS, CSWS_PHP, CSWS_PERL, or
CSWS_JAVA (Tomcat).
1.
The Secure Web Server for OpenVMS kit is provided as a compressed,
self-extracting file. To download it from the OpenVMS web site, fill out and
submit the registration form at Secure Web Server for OpenVMS web site at
http://h71000.www7.hp.com/openvms/products/ips/apache/csws.html.
Download any optional modules you want to install.
Download CSWS_JAVA from
http://h71000.www7.hp.com/openvms/products/ips/apache/csws_java_relnotes.html
Download CSWS_PHP from
http://h71000.www7.hp.com/openvms/products/ips/apache/csws_php_relnotes.html
Download CSWS_PERL from
http://h71000.www7.hp.com/openvms/products/ips/apache/csws_modperl_relnotes.html
Download PERL for OpenVMS from
http://h71000.www7.hp.com/openvms/products/ips/apache/csws_perl_relnotes.html
2.
Log in as a privileged OpenVMS user (for example, SYSTEM).
3.
Select UIC group and member numbers for the APACHE$WWW account that
will be created by the installation procedure. HP recommends that you use an
empty or new UIC group (without current members). Servers typically use the
highest unused UIC group (for example, [370,1]).
To ensure that the UIC you chose for APACHE$WWW has READ and WRITE access to the
intended login device, use the SHOW DEVICE/FULL command.
$ SHOW
DEVICE/FULL DKB0: Disk $DKB0:, device type COMPAQ BD03664545, is online, mounted,
file-oriented device, shareable, available to cluster, error logging is enabled Owner process
"" Owner UIC [SYSTEM] Owner process ID 00000000
Dev Prot S:RWPL,O:RWPL,G:R,W Reference count 29 Default buffer size 512 Total blocks 71132000
Sectors per track 254 Total cylinders 14003
Tracks per cylinder 20 Volume label "BUILD1" Relative volume number 0 Cluster size 3
Transaction count 25 Free blocks 52293678
Maximum files allowed 8891500 Extend quantity 5
Mount count 1 Mount status System
Cache name "_ALPHA$DKA300:XQPCACHE" Extent cache size 64
Maximum blocks in extent cache 5229367 File ID cache size 64
Blocks in extent cache 2703 Quota cache size 0
Maximum buffers in FCP cache 1730 Volume owner UIC [SYSTEM]
Vol Prot S:RWCD,O:RWCD,G:RWCD,W:RWCD
Volume Status: ODS-5, subject to mount verification, write-back caching enabled, access dates enabled, hard links enabled.
4.
Decompress the server kit with one of the following command, depending on $ RUN CPQ-AXPVMS-CSWS-V0201-1-1.PCSI_SFX_AXPEXE ! for Alpha The system expands the
file and names it
CPQ-AXPVMS-CSWS-V0201-1-1.PCSI or 5.
If you are upgrading from a previous version of the Secure Web Server and
you modified Start the installation
with the PRODUCT INSTALL command. Use the /DESTINATION qualifier to specify a
target device and directory for the installation. If you do not specify a
destination, the software will be installed in SYS$COMMON.
HP recommends that you specify another location. Note Once you enter a PRODUCT
INSTALL CSWS/DESTINATION=[destination] command,
you cannot change the installation location unless you remove CSWS and then
reinstall it. To change the installation location when you upgrade to a new
version of CSWS, you must first enter the PRODUCT REMOVE CSWS command, then
enter PRODUCT INSTALL CSWS/DESTINATION=[new-destination].
To install the server,
enter the following command: $
PRODUCT INSTALL CSWS /DESTINATION=device:[directory-name] To install the server and
one or more of the optional modules, specify CSWS and the CSWS_nnnn kit name on the PRODUCT INSTALL command
line separated by commas. For example, to install the server and CSWS_PHP, use
the following command:
$ PRODUCT INSTALL CSWS, CSWS_PHP /DESTINATION=device:[directory-name] The installation proceeds
and displays product information as well as post-installation instructions. The
installation is finished when you see the DCL prompt ($). After the installation,
you must configure the Secure Web Server. Note Do not attempt to start
the server or configure any optional modules before you have configured the
server.
The following
product has been selected: CPQ AXPVMS CSWS V2.1-1
Layered Product Do you want to
continue? [YES] Configuration
phase starting ... You will be asked
to choose options, if any, for each selected product and for any products that
may be installed to satisfy software dependency requirements. CPQ AXPVMS CSWS
V2.1-1 Hewlett-Packard
Company & The Apache Software Foundation. * This product
does not have any configuration options. Execution phase
starting ... The following
product will be installed to destination: CPQ AXPVMS CSWS V2.1-1
USER$DISK3:[000000.] Portion done:
0%...10%...20%...30%...40%...50%...60%...70%...90%...100% The following
product has been installed: CPQ AXPVMS CSWS V2.1-1
Layered Product CPQ AXPVMS CSWS
V2.1-1 Release notes are available
in SYS$HELP:CSWS0201.RELEASE_NOTES. HP highly recommends that you
read these release notes. For the most up-to-date documentation,
including release notes, Frequently Asked Questions (FAQs), and information about configuring and running the HP Secure Web
Server, please see the web pages at:
http://h71000.www7.hp.com/openvms/products/ips/apache/csws.html Post-installation tasks are
required for the HP Secure Web Server. The OpenVMS Installation and
Configuration Guide gives detailed directions. This information is a brief
checklist. Configure OpenVMS aspects of the HP
Secure Web Server by: $ @SYS$MANAGER:APACHE$CONFIG If the OpenVMS username APACHE$WWW does
not exist, you will be prompted to create
that username. File ownerships are set to UIC [APACHE$WWW], etc. After configuration, start the HP Secure
Web Server manually by entering: $ @SYS$STARTUP:APACHE$STARTUP Check that neither
SYLOGIN.COM nor the LOGIN.COM write any output to SYS$OUTPUT:. Look especially for a $ SET TERMINAL/INQUIRE Start the HP Secure Web
Server at system boot time by adding the following lines to
SYS$MANAGER:SYSTARTUP_VMS.COM: $ file := SYS$STARTUP:APACHE$STARTUP.COM $ if f$search("''file'")
.nes. "" then @'file' Shutdown the Apache server at system shutdown
time by adding the following lines to
SYS$MANAGER:SYSHUTDWN.COM: $ file :=
SYS$STARTUP:APACHE$SHUTDOWN.COM $ if f$search("''file'")
.nes. "" then @'file' Test the
installation using your favorite Web browser. Replace
host.domain
in the following URL (Uniform Resource Locator) with the information for the
HP Secure Web Server just installed, configured, and started. URL
http://host.domain/ should display the standard introductory page from the Apache Software
Foundation. This has the bold text "It Worked! The Apache Web Server
is Installed on this Web Site!" at the top
and the Apache server logo prominently displayed at the bottom. If you do not see this page,
check the HP Secure Web Server release notes, particularly
the Frequently Asked Questions section. If you'd like to use secure connections with
the HP Secure Web Server then you'll need
to create a server certificate. We
recommend that you start by
creating a 30 day self signed certificate using the following
certificate tool: $
@APACHE$COMMON:[OPENSSL.COM]OPENSSL_AUTO_CERT.COM
Once the certificate has been created
you'll need to uncomment the following directive in the
APACHE$COMMON:[CONF]HTTPD.CONF file to enable SSL.
Include /apache$root/conf/ssl.conf Thank you for using the HP
Secure Web Server.
1. Configure the Secure Web Server 2. Create an
Apache instance 3. Delete an
Apache instance 4. Manage suEXEC
users 5. Run OpenSSL
Certificate tool 6. Convert directory tree to Stream_LF 7. Start up an Apache instance 8. Shut down an Apache instance 9. Show status of an Apache
instance 10. Add a node to CSWS in a cluster
environment 11. Exit Enter Menu Choice:
1.
SYS$MANAGER:APACHE$CONFIG.COM
2.
APACHE$COMMON:[000000]APACHE$CREATE_ROOT.COM
3.
APACHE$COMMON:[000000]APACHE$DELETE_ROOT.COM
4.
APACHE$COMMON:[000000]APACHE$MANAGE_SUEXEC.COM
5.
APACHE$COMMON:[000000]APACHE$CERT_TOOL.COM
6.
APACHE$COMMON:[000000]APACHE$CONVERT_STREAMLF.COM
7.
SYS$STARTUP:APACHE$STARTUP.COM
8.
SYS$STARTUP:APACHE$SHUTDOWN.COM
9.
SHOW SYSTEM/PROCESS=APACHE$tag
10.
APACHE$COMMON:[000000]APACHE$ADDNODE.COM 2.3.2
Configuring a Single Server
SYS$MANAGER:APACHE$CONFIG.COM
For information about
configuring multiple servers, see the Configuring Multiple Servers section.
$
@SYS$MANAGER:APACHE$CONFIG $
@APACHE$COMMON:[000000]APACHE$MENU
and select Option 1
HP Secure Web
Server for OpenVMS
[based on Apache] This procedure helps you define the
operating environment
required to run the Secure Web Server on this system. To operate
successfully, the server processes must have read access to the installed files and read-write
access to certain other files and directories. HP recommends that you use this procedure
to set the owner UIC on the CSWS files and
directories to match the server. You should do this each time the product
is installed, but it only has to be done once for each installation on
a cluster. Set owner UIC on CSWS files? [YES] Do you want to enable the impersonation
features provided by suEXEC? If so, the server will support running CGIs using specified usernames. Enable suEXEC?
[YES] Setting ownership on files. This could take a minute or two. . . . Enabling suEXEC
configuration. This could take a
minute or two. . . .
APACHE$MANAGE_SUEXEC This procedure allows the system
manager to grant users the ability to utilize the suEXEC feature of the Secure Web Server. Users will be granted/revoked VMS rights identifiers to allow
access. Continue [YES]? Enter '?' for help Manage suEXEC
user accounts (SHOW/GRANT/REVOKE/DONE/?): [DONE] GRANT Enter Username: USER1 %UAF-I-GRANTMSG,
identifier
APACHE$SUEXEC_USER granted to USER1 Manage suEXEC
user accounts (SHOW/GRANT/REVOKE/DONE/?): [DONE] GRANT Enter Username: USER2 %UAF-I-GRANTMSG,
identifier
APACHE$SUEXEC_USER granted to USER2 Manage suEXEC
user accounts (SHOW/GRANT/REVOKE/DONE/?): [DONE] Configuration is complete. To start the server: $
@SYS$STARTUP:APACHE$STARTUP.COM
Choosing Option 2 from
the Secure Web Server Configuration Menu starts the following command procedure,
which creates a new server root: APACHE$COMMON:[000000]APACHE$CREATE_ROOT.COM
$
@APACHE$COMMON:[000000]APACHE$MENU
and select Option 2
APACHE$CREATE_ROOT Create a set of
directories and files where a Secure Web Server can
run. You will be prompted for the location of the root, the user to
run under, the TCP/IP port to monitor, the unique
server tag, the privileged
routines the user will be allowed to use, and optional startup and shutdown procedures. Continue [YES]? Root location: Give the location of where to create the
directory tree and configuration template
file for the new instance of the server.
e.g.
USER2:[SMITH.CSWS] This will create a series of directories
under the USER2:[SMITH.CSWS] directory.
This will become the new APACHE$SPECIFIC location. $ DIRECTORY
USER2:[SMITH.CSWS] Directory
USER2:[SMITH.CSWS] BIN.DIR;1
CGI-BIN.DIR;1 CONF.DIR;1
HTDOCS.DIR;1 ICONS.DIR;1
KIT.DIR;1
LOGS.DIR;1
MODULES.DIR;1 OPENSSL.DIR;1 Total of 9 files. Username: Enter the user that will
own and control the content of this root.
The ownership of the directories and files will be set to the given user. The user must be a valid user in the
SYSUAF. Username: JOE The Secure Web Server has several
privileged routines to allow the server to run in a basic fashion. These routines can be blocked from other users of the web server to
run in a more restrictive mode. These routines are protected by a
series of rights identifiers: APACHE$APR_ALL
Allow access to all of the protected routines APACHE$APR_CREMBX Allow
access to create a groupwide mailbox
APACHE$APR_GETPWNAM Allow access to
other user's information
APACHE$APR_SETSOCKOPT Allow user to set socket
options APACHE$APR_SOCKET Allow
creation of a privileged socket
APACHE$APR_AUTH_OPENVMS Allow user to authorize using SYSUAF
APACHE$APR_GALAXY_GBLSEC Allow user to manage galactic memory sections Grant access to
CreMbx? y Grant access to
GetPwNam? n Grant access to
SetSockOpt? n Grant access to Create a
Priveleged
Socket? y Grant authorization via SYSUAF? y Grant user ability to access
galactic sections? y Each instance of the Secure Web
Sever must have a unique TCP/IP port to monitor as it runs. If you have not granted this user the
Socket privilege, then the port must be
greater than 1024 (non-privileged). Note that this routine does not
keep track of previously specified ports to other instances. It is the system manager's responsibility
to maintain this information. Each instance of the Secure Web
Server must have a unique tag associated with it on the system. The tag is 1 to 4 characters (A-Z, 0-9). The instance of Secure Web Server
can have a startup and a shutdown command procedure defined to run
accordingly. Define a startup or shutdown
procedure? y Startup procedure filename [NONE]:
DISK1:[JOE.APACHE]Test_Start.com Shutdown procedure filename [NONE]: Granting rights to JOE UAF
account... Creating directory tree under
DISK1:[JOE.APACHE] Generating Apache configuration
file DISK1:[JOE.APACHE.CONF]httpd.conf Updating the configuration database Root created: DISK1:[JOE.APACHE] Template server configuration file
created: Please review this file for
accuracy.
·
a template configuration file
·
a mime type file
·
an SSL configuration file These are all placed in
the configuration directory and should be reviewed before attempting to start
the server.
APACHE$DELETE_ROOT Deletes a
previously defined set of directories and all files contained therein. Also revokes all user rights granted when the root was
created. Continue [YES]? Apache Instances available for deletion 1. Tst DISK1:[JOE.APACHE.CONF]httpd.conf 2. Exit Choice: 1 Revoking rights
from JOE UAF account... Deleting all files under DISK1:[JOE.APACHE...] Updating the configuration database... Root deleted: DISK1:[JOE.APACHE]
Note The Secure Web Server
Version 2.1-1 no longer requires
that all served files be in Stream_LF format. The
EnableMMAP
directive must be set to OFF to lift the Stream_LF
restriction. In Version 2.1-1, EnableMMAP is set to OFF by default. (In Version 2.0, the default for EnableMMAP was ON.)
Note The
APACHE$CONVERT_STREAMLF command procedure converts all sequential files (with
the exceptions listed above) to Stream_LF format,
including sequential files currently in Stream format. After you run the
procedure, be sure to check the SYS$SCRATCH:CONVERT_DIR.LOG
file for files that should not be in Stream_LF
format, and delete the newest version of those files.
Top Directory:
USER1:[APACHE.HTDOCS] Starting
conversion of USER1:[APACHE.HTDOCS...] This could take a
while...
Conversions
complete. See
SYS$SCRATCH:Convert_Dir.Log
for a log of transactions.
SYS$STARTUP:APACHE$STARTUP.COM SYS$STARTUP:APACHE$SHUTDOWN.COM See
Starting and Stopping the Server for more information. 2.3.11 Showing the Status of an Apache
Instance Choosing Option 9 from
the Secure Web Server Configuration Menu runs the following command: $ SHOW SYSTEM/PROCESS=APACHE$tag Server processes have a
process tag of the form APACHE$ssss, where ssss is up to four alphanumeric characters defined in
the VMSServerTag directive. The default is APACHE$SWS. Similarly, child
processes have a process name of the form APACHE$ssssnnnn,
where APACHE$ssss is the server name and nnnn is the child server process number represented
as a hex value. The SHOW SYSTEM/PROCESS=APACHE$tag command lists a menu of the current
instances of the server. You choose the instance for which you want to see
status. The following is an
example output showing the status of a running server: Registered Apache Instances 1. SWS
APACHE$COMMON:[CONF]HTTPD.CONF 2. Exit Choice: 1 Status of SWS
instance of Apache... OpenVMS V7.3-2 on
node APSERV 1-AUG-2005 15:55:34.09 Uptime 67 Pid Process Name State Pri I/O
CPU
Page flts Pages 2020026D
APACHE$SWS
LEF 6
2526 0 00:00:11.35 839
1016 2020026F
APACHE$SWS0000 LEF 6
2556 0 00:00:12.69 824
979 20200270
APACHE$SWS0001 LEF 6
2530 0 00:00:09.41 834
1010 20200271
APACHE$SWS0002 LEF 6
2493 0 00:00:14.00 811
978 20200272
APACHE$SWS0003 LEF 6
2499 0 00:00:13.66 822
988 20200273
APACHE$SWS0004 LEF 6
2487 0 00:00:12.01 832
1002 20200274
APACHE$SWS0005 LEF 6
2501 0 00:00:15.22 810
994 End status. The following is an
example output showing the status of a server that has been shut down: Registered Apache Instances 1. SWS
APACHE$COMMON:[CONF]HTTPD.CONF 2. Exit Choice: 1 Status of SWS
instance of Apache... End status. 2.3.12 Adding a Node to CSWS in a Cluster
Environment Choosing Option 10 from
the Secure Web Server Configuration Menu starts the following command procedure,
which adds a node to the Secure Web Server in a cluster environment.
APACHE$COMMON:[000000]APACHE$ADDNODE.COM You must log into the system you want to add as a CSWS
cluster member before you choose Option 10. For example, perform the initial
installation and configuration of CSWS on NODE1. Then log into NODE2 and enter the following commands: $
@SYS$STARTUP:APACHE$LOGICALS $ @APACHE$COMMON:[000000]APACHE$MENU Apache$Menu 1. Configure the Secure Web Server 2. Create an Apache instance 3. Delete an Apache instance 4. Manage suEXEC users 5. Run OpenSSL Certificate
tool
6. Convert directory tree to Stream_LF 7. Start up an Apache instance 8. Shut down an Apache instance 9. Show status of an Apache instance 10. Add a node to CSWS in a cluster environment 11. Exit Enter Menu Choice: 10 APACHE$ADDNODE Create a set of directories and files on another node
in a cluster environment for the Secure Web Server. The node name used is that defined by
TCPIP$INET_HOST. A directory by that
name will be created under the APACHE$SPECIFIC: area. The top level directories under
APACHE$COMMON are essentially duplicated here. A new version of HTTPD.CONF is created in
APACHE$ROOT:[CONF]. This will be
used by default. The common
configuration in APACHE$COMMON:[CONF] remains untouched. Remove this new
configuration if you wish to use the common one. The rights identifiers for the user account
APACHE$WWW on this node are set to the defaults. If this is a common SYSUAF/RIGHTSLIST,
then the account should be checked as it might be changed. Continue [YES]?
yes Granting rights to APACHE$WWW UAF account... Creating directory tree under
device:[000000.APACHE.SPECIFIC.node-name] Generating Apache configuration file
device:[000000.APACHE.SPECIFIC.node-name.CONF]httpd.conf Node node added
successfully Node specific
directories created: device:[000000.APACHE.SPECIFIC.node-name] Configuration
files created in: device:[000000.APACHE.SPECIFIC.node-name.CONF] Please review
these files for accuracy. Press return to continue... Exit the configuration menu, then enter the following command
to start the Secure Web Server on NODE2: $ @sys$startup:apache$startup
This section discusses
the issues you may encounter when managing multiple servers. 2.3.13.1 HTTPD.CONF To create and maintain
multiple HTTPD.CONF files, you rely on the fact that each server has a separate
configuration-specific root directory. You can set the
processwide
logical name APACHE$SPECIFIC to the configuration-specific directory. You then
edit the file APACHE$SPECIFIC:[CONF]HTTPD.CONF.
2.3.13.2 APACHE$SETUP.COM and LOGIN.COM APACHE$COMMON:[000000]APACHE$SETUP.COM is run for every server (parent and
child) and server instance. This command procedure defines the necessary Apache
symbols and executes any subsequent product setups if they exist (for example,
PHP and Perl). It also defines the CRTL logicals
needed to allow the Secure Web Server to run correctly with extended command
parsing and file specifications. The APACHE$ROOT:[000000]LOGIN.COM command procedure is executed after
APACHE$SETUP.COM and is determined by the LGICMD stored in SYSUAF for the Apache
server user (for example, APACHE$WWW). The Secure Web Server
includes APACHE$SETUP.COM so that each instance of the server can use its own
LOGIN.COM procedure, and not have to maintain server critical definitions.
2.3.14 Viewing the
OpenSSL
Certificate You need a valid server
certificate to run the Secure Web Server in SSL mode. Configuration creates a
self-signed certificate and installs it. If you want to view the certificate
before starting the server, use the OpenSSL
Certificate Tool as described in the
HP Secure Web Server SSL User Guide.
After configuring the
Secure Web Server, do not start the server. Follow the instructions in the Post
Configuration Checklist section.
2.4 Post Configuration Checklist After you configure the
Secure Web Server, perform the following tasks to ensure a successful startup:
1.
Configure CSWS_JAVA, if you have just installed it.
2.
Optionally check the CSWS_PHP configuration now or later.
3.
Optionally check the CSWS_PERL configuration now or later
4.
Run AUTOGEN.
5.
Check disk quota.
6.
Check for SET TERMINAL/INQUIRE. Each of these tasks is
explained below. Once you have completed them, you can test the installation by
starting the Secure Web Server.
If you installed the
CSWS_JAVA module, you must configure it before you can start the server. For
instructions, see the CSWS_JAVA
for HP Secure Web Server for OpenVMS Installation Guide and Release Notes.
2.4.2 Check the
CSWS_PERL Configuration You are not required to
configure CSWS_PERL before starting the server. CSWS_PERL is preconfigured with
default values. If you want to change the default configuration, edit APACHE$COMMON:[CONF]MOD_PERL.CONF. For more information, see
the CSWS_PERL for HP Secure Web Server for OpenVMS
Installation Guide and Release Notes.
2.4.3 Check the CSWS_PHP Configuration You are not required to
configure CSWS_PHP before starting the server. CSWS_PHP is preconfigured with
default values. If you want to change the default configuration, edit
APACHE$ROOT:[CONF]MOD_PHP.CONF. For more information, see
the
CSWS_PHP for HP Secure Web Server for
OpenVMS Installation Guide and Release Notes.
After the installation,
run SYS$UPDATE:AUTOGEN.COM (AUTOGEN) to evaluate your
system parameters and make adjustments based on your hardware configuration and
system workload. Because of the Secure Web Server installation, AUTOGEN will
probably increase the page file size and the number of swap file pages. If the disk quota is too
low, the Secure Web Server will not start. Either raise the disk quota for the
user account APACHE$WWW, or grant the account the EXQUOTA privilege, thus
allowing it to bypass disk quota restrictions. Use the following commands: $ SHOW QUOTA/USER=[server-uic]/DISK=device-name $ SET DEFAULT SYS$SYSTEM $ RUN AUTHORIZE $
MOD APACHE$WWW/PRIV=EXQUOTA $
EXIT Stop and restart the
Secure Web Server so that the APACHE$WWW account picks up the new privilege.
2.4.6 Check for SET TERMINAL/INQUIRE When the Secure Web
Server for OpenVMS is started, the command procedure APACHE$SETUP is executed.
The following login files are executed:
·
SYLOGIN.COM (system login file)
·
LOGIN.COM (login file for APACHE$WWW) Check these files to make
sure that any SET TERMINAL/INQUIRE statements are executed only in INTERACTIVE
mode. For example: $
IF F$MODE() .eqs
"INTERACTIVE" then $ SET TERMINAL/INQUIRE Failure to do so might
result in ill-formed HTML intermittently being returned to clients. This problem
might also appear when executing CGI scripts.
Manually start the Secure
Web Server to verify the installation and configuration of the server. Enter the
following command: $
@SYS$STARTUP:APACHE$STARTUP You can test the
installation using your web browser. Replace host.domain
in the following URL with the information for the Secure Web Server you just installed: HTTP://host.domain/ If this is a new
installation, the browser should display the standard introductory page with the
following bold text at the top: "Hey, it
worked ! The SSL/TLS-aware
Apache webserver was
successfully
installed on this website." The Apache logo is
displayed at the bottom.
You can also use TELNET
on the local host to test the installation.
(In TCP/IP Services Version 5.3 for OpenVMS and higher, user input is not
echoed. Use the following
procedure to test the installation. Enter the following
command: $
TELNET 0 80 The following text is
displayed: %TELNET-I-TRYING, Trying ... 127.0.0.1 %TELNET-I-SESSION, Session 01, host localhost, port 80 HEAD /
HTTP/1.0 Press ENTER twice. Text
similar to the following is displayed: HTTP/1.1 200 OK Date: Wed, 21 Sep 2005 Server: Apache/2.0.52 (OpenVMS) mod_ssl/2.0.52
OpenSSL/0.9.7d Content-Location: index.html.en Vary:
negotiate,accept-language,accept-charset TCN: choice Last-Modified: Thu, 08 Sep 2005 ETag: "2e4550-5b2-b12cef40" Accept-Ranges: bytes Content-Length: 1458 Connection: close Content-Type: text/html; charset=ISO-8859-1 %TELNET-S-REMCLOSED, Remote
connection closed -TELNET-I-SESSION, Session 01,
host localhost, port 80 You should receive
several lines of text from the Secure Web Server.
If you do not receive a
response from the Secure Web Server, check the following:
§
Look in your SYLOGIN.COM file and make sure there is no SET
TERMINAL/INQUIRE statement for NETWORK processes.
§
Make sure the APACHE$WWW account exists and is not disabled.
§
Look for the following files: APACHE$ROOT:[000000]APACHE$tag
§
If you have trouble starting the server, enable the logical
APACHE$SPL_DISABLED systemwide, then restart the
server.
§
If you have trouble stopping the server using the APACHE$SHUTDOWN
command and APACHE$WWW is still running, use the following command to stop it.
You should then be able to shut down the server. $
STOP PROCESS/ID=<apache-pid> After you have
successfully tested the installation, perform any of the following tasks that
are relevant for you:
·
If you are upgrading from a previous version of the Secure Web
Server, you can merge the previous versions of files commonly modified by system
administrators with the newly installed versions of these files. See the
Merge
Changes to Files You Have Customized section.
·
If you enabled MOD_SSL, follow the instructions for verifying SSL
in the HP
Secure Web Server SSL User Guide.
·
Read Chapter 3 for information on starting and
stopping the server, using HTTPD.CONF to customize the server environment, and
other OpenVMS specific topics.
2.7 Merge
Changes to Files You Have Customized If you have installed a
previous version or field test kit of the Secure Web Server, it is removed
automatically before the new kit is installed. When the previous version
of the Secure Web Server is removed, the PCSI utility removes only the files and
directories it installed. Any files you have created are not affected.
Note Files installed by the
Secure Web Server that are commonly modified by system administrators are not
removed. However, the new kit contains updated versions of these files. Be
sure to transfer any edits you made to the previous versions of these files to
the new versions.
·
[APACHE]LOGIN.COM
·
[APACHE.HTDOCS]INDEX.HTML
·
[APACHE.CONF]HTTPD.CONF If you modified the file
[APACHE.CONF]MIME.TYPES, you need to copy the file to
another location before you begin the installation. This file is removed during
the installation. (HP recommends that you use the AddTypes
directive instead of modifying the MIME.TYPES file.) The new kit contains an
updated version of this file. After you save your current version, restore the
file and incorporate your local modifications with the new version.
2.8 Installing Optional Modules at a
Later Time If you did not install
the optional modules (CSWS_JAVA, CSWS_PERL, or CSWS_PHP) when you installed the
server, follow these instructions for installing them at a later time. Before
you begin, make sure:
·
You have installed the required software.
·
You have already installed the Secure Web Server.
·
You install CSWS_PHP in the same directory as you installed the
server. You do not need to install CSWS_JAVA or CSWS_PERL into the same disk or
directory as the Secure Web Server. Use the appropriate
command from the list below. To install CSWS_JAVA, use
the following command: $ PRODUCT INSTALL CSWS_JAVA
/DESTINATION=device:[directory-name] To install CSWS_PHP, use
the following command: $ PRODUCT INSTALL
CSWS_PHP/DESTINATION=device:[directory-name] To install CSWS_PERL, use
the following command:
$ PRODUCT INSTALL
CSWS_PERL/DESTINATION=device:[directory-name] The installation is
complete when the dollar sign prompt ($) is displayed. After you install
CSWS_JAVA, you must configure it. For more information, see Configure
CSWS_JAVA. CSWS_PHP and CSWS_PERL
are preconfigured, but you can change the configurations. For more information,
see Check the CSWS_PHP Configuration and Check the CSWS_PERL
Configuration. Chapter 3 In general, you can run
the Secure Web Server on OpenVMS as you would run Apache with MOD_SSL on any
platform. However, there are some exceptions. This chapter describes the
functions that behave differently or are not available, as well as any
enhancements that are specific to OpenVMS. 3.1 Starting and Stopping the Server Starting and stopping the
Secure Web Server requires enhanced privileges (DETACH, SYSNAM, WORLD, etc.).
Start and stop the server from a privileged account such as SYSTEM. Start the Secure Web
Server with the following command: $
@SYS$STARTUP:APACHE$STARTUP [startup-value] [configuration-file] Startup-value is optional and can have the following values:
To automate the startup
of the Secure Web Server when the system is booted, add the following commands
to the SYS$MANAGER:SYSTARTUP_VMS.COM file: $ FILE :=
SYS$STARTUP:APACHE$STARTUP.COM $
IF F$SEARCH("''FILE'") .NES. "" THEN @'FILE' You can shut down the
Secure Web Server with the following command: $
@SYS$STARTUP:APACHE$SHUTDOWN [startup-value] [configuration-file] Startup-value is optional and can have the following values:
To automate the shutdown
of the Secure Web Server when the system is shut down, add the following
commands to the SYS$MANAGER:SYSHUTDOWN.COM file: $ FILE :=
SYS$STARTUP:APACHE$SHUTDOWN.COM $
IF F$SEARCH("''FILE'") .NES. "" THEN @'FILE' Note The Secure Web Server
will not shut down as long as the APACHE$WWW process is running.
$
SHOW SYSTEM/OWNER_UIC=[APACHE$WWW]
3.1.2.1 Stopping the Server Using the Server Process Name If you are unable to shut
down the server using the APACHE$SHUTDOWN command, and APACHE$WWW is still
running, you can use the server PID to stop it. To determine the server PID,
enter the following command (or choose Option 9 from the configuration menu): $
SHOW SYSTEM/PROCESS=APACHE$tag Server processes have a
process tag of the form APACHE$ssss, where ssss is up to four alphanumeric characters defined in
the VmsServerTag directive. The default is APACHE$SWS. |
