-
iTP Secure WebServer System Administrator’s Guide
HP Part Number: 629959-006
Published: February 2014
Edition: J06.10 and subsequent J-series RVUs and H06.21 and subsequent H-series RVUs.
-
© Copyright 2014 Hewlett-Packard Development Company, L.P.
Legal Notice
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license. The information contained herein is subject to change without notice.
-
Contents
About This Document, 15
Supported Release Version Updates (RVUs), 15
Intended Audience, 15
New and Changed Information in This Edition
-
Setup for IP CIP Support, 43
Installing the Resource Locator, 44
Installation Considerations, 44
Verifying the Configuration
-
Restarting the iTP Secure WebServer Using the restarth Script, 83
For TCP/IPv6 and IP CIP Support, 83
For Classical TCP/IP Support, 84
Restarting the iTP Secure WebServer Using the restart Script
-
Setting Up Clickable Images, 127
Creating an Image Map File, 127
Adding a Hypertext Anchor, 128
Testing the Image Setup
-
Ticketing and Tracking Example, 171
Configuring for Anonymous Ticketing, 172
Enabling Session Identifiers, 172
Advanced Configuration Options
-
Default, 206
Example, 207
BigInBufSize, 207
Syntax
-
Default, 212
Example, 212
Filemap, 212
Syntax
-
Default, 217
Example, 217
LanguagePreference, 218
Syntax
-
Example, 225
NewEmsMessageFormat, 226
Syntax, 226
Description
-
Default, 246
Example, 246
ScriptTimeout, 246
Syntax
-
Example, 255
SK_CacheExpiration, 255
Syntax, 255
Description
-
Public Key Systems, 270
Managing Key Certificates, 272
Using Certificates, 272
Obtaining Certificates
-
About This Document
This guide describes the installation, configuration, and management of the Internet Transaction Processing (iTP) Secure WebServer. It covers the nonsecure version (iTP WebServer) and secure version (iTP Secure WebServer). For simplicity, both versions are referred to as iTP Secure WebServer throughout the guide. This guide provides an overview of the iTP Secure WebServer environment and World Wide Web concepts.
-
Modified the following sections for the various enhancements in this release:
Options for specifying encoding and encryption format for a private key
• Exporting a Private Key to a User-defined Disk File (page 69)
• Importing a Private Key into iTP Secure WebServer's Key Database File (page 68)
• Migrating the key database from iTP Secure WebServer 7.0 to 7.
-
• Added the section for HeaderFieldSize (page 214) directive.
• Updated the section ExtendedLog (page 211) directive.
Changes for 629959-002 include:
• Added the section for “Implementing Virtual Hosts for iTP Secure WebServer” (page 125)
• Updated the section name to “Implementing Virtual Hosts for iTP Secure WebServer” (page 124)
• Updated the sections “Configuration Directives” (page 198) and “Logging through an External ServerClass” (page 266).
-
Section
   Description
Appendix B: Error Messages
   Provides general information about iTP Secure WebServer error reporting. The messages are described in the iTP Secure WebServer Operator Messages Manual.
Appendix C: Server Log File Formats
   Describes the formats used in the log files generated by the server.
Appendix D: Security Concepts
   Introduces the basic concepts relevant to setting up and administering a secure Web server.
-
   TERM [\system-name.]$terminal-name
   INT[ERRUPTS]
A group of items enclosed in brackets is a list from which you can choose one item or none. The items in the list can be arranged either vertically, with aligned brackets on each side of the list, or horizontally, enclosed in a pair of brackets and separated by vertical lines. For example:
   FC [ num ]
      [ -num ]
      [ text ]
   K [ X | D ] address
{ } Braces
A group of items enclosed in braces is a list from which you are required to choose one item.
-
Line Spacing
If the syntax of a command is too long to fit on a single line, each continuation line is indented three spaces and is separated from the preceding line by a blank line. This spacing distinguishes items in a continuation line from items in a vertical list of selections.
-
A group of items enclosed in brackets is a list of all possible items that can be displayed, of which one or none might actually be displayed. The items in the list can be arranged either vertically, with aligned brackets on each side of the list, or horizontally, enclosed in a pair of brackets and separated by vertical lines.
-
General Syntax Notation
This list summarizes the notation conventions for syntax presentation in this manual.
UPPERCASE LETTERS
Uppercase letters indicate keywords and reserved words. Type these items exactly as shown. Items not enclosed in brackets are required. For example:
   SELECT
Italic Letters
Italic letters, regardless of font, indicate variable items that you supply. Items not enclosed in brackets are required.
-
   {, sql-expression}...
An ellipsis immediately following a single syntax item indicates that you can repeat that syntax item any number of times. For example:
   expression-n…
Punctuation
Parentheses, commas, semicolons, and other symbols not previously described must be typed as shown. For example:
   DAY (datetime-expression)
   @script-file
Quotation marks around a symbol such as a bracket or brace indicate the symbol is a required character that you must type as shown.
-
Open System Services (OSS) Manuals
For information specific to the OSS environment, see the following documents:
• Open System Services User’s Guide describes the Open System Services (OSS) environment: the shell, file-system, and user commands.
• Open System Services Installation Guide describes how to install and configure the NonStop OSS environment.
• Open System Services Management and Operations Guide describes how to manage and operate the NonStop OSS environment.
-
of the installation planning. The guide is for the personnel responsible for planning the installation.
• J06.nn Release Version Update Compendium provides a summary of the products that have major changes in the J06.nn RVU, including the products' new features, migration issues, and fallback considerations.
-
1 Introduction to the iTP Secure WebServer
The iTP Secure WebServer provides a full range of services for running an online commercial or informational enterprise on the Web. In addition to basic Web-related services, the iTP Secure WebServer provides other important services including access control, enhanced logging, customized error messaging, and automatic directory indexing.
NOTE: All references to the iTP Secure WebServer in this manual indicate 7.2 and later versions.
-
• Enhanced logging facilities
   The iTP Secure WebServer provides an extended log format (ELF) that includes the access, error, and security information of each request. ELF also provides fields for logging the Web client type, the referring URL, and the request begin and end times. The fields are all labeled, making the fields easy to parse and new fields easy to add. The server also supports the Common Log Format (CLF) widely used by other Web servers.
-
• Client authentication in SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2.
   The server can request or require a Web client to authenticate itself and can restrict access based on client-authentication information by using region commands or CGI variables.
• Digest access authentication
   Provides a challenge/response authentication mechanism for additional security; the user's password is not sent over the network.
• Certificate chains
   The iTP Secure WebServer uses the SSL 3.
-
• Statistics collection through command-line
   iTP Secure WebServer provides a command-line utility, statscom, to collect httpd statistics. This utility is run using the command line and can be run by both administrators and normal users. For more information, see “Collecting httpd Statistics Using statscom” (page 88).
• PUT, OPTIONS, and TRACE request methods
   A browser or Web client (using HTTP/1.1) uses the PUT request method to replace or create the content at a specified location.
-
Figure 1 iTP Secure WebServer Architecture
[Diagram labels: iTP Secure WebServer PATHMON Environment; Active Transaction Pages; Pathway CGI Applications; iTP Secure WebServer httpd Server Class; Generic CGI Servers; Servlet Server Class; Resource Locator Service; Administration Server PATHMON Environment; Distributor Process; Log Files; iTP Secure WebServer Admin httpd Server Class; TCP/IP Subsystem; Admin Servers; Web Clients]
Web Clients
Web clients, such as browsers
-
TCP/IPv6
TCP/IPv6 has multiple listener sockets on the same port. TCP/IPv6 allows servers direct access to the communication environment from their own processors instead of having to communicate via the processor that contains the HP TCP/IP process. This is done by linking to a system library containing the TCP/IP procedures and allowing the server to call the functions that perform TCP/IP-related processing in its own context.
-
Active Transaction Pages (ATP)
Active Transaction Pages (ATP) provides a server-side JavaScript environment for HP NonStop Systems. You can use ATP objects to provide Web-based interfaces to existing NonStop TS/MP, NonStop TUXEDO, NonStop SQL/MP, and sockets applications. For further information, see the iTP Active Transaction Pages (iTP ATP) Programmer's Guide.
NOTE: The iTP Secure WebServer does not support Microsoft Active Server Pages or ADO.
-
You can use the TLS or SSL encryption by generating a key pair for the server, obtaining a certificate from a CA, and installing and configuring the key pair. For more information, see “Using the Keyadmin Utility to Manage Keys and Certificates” (page 56).
-
2 Installing the iTP Secure WebServer
This section describes the prerequisites you must have for your NonStop system to run the iTP Secure WebServer and explains how to install and configure it. This section also provides a test procedure that you can use to verify configuration and to perform server testing.
-
These software products are optional for using the iTP Secure WebServer:
• NonStop Server for Java (NSJ) 2.0, if you plan to use Java servlets in the iTP Secure WebServer environment. For information about the NonStop Server for Java 2.0, see the NonStop Server for Java Programmer's Reference.
• NonStop Servlets for JavaServer Pages (NSJSP) V1.0 or later, if you plan to use Java servlets in the iTP Secure WebServer environment.
-
conventional TCP/IP, a TCP/IP process is usually running on two processors, a primary and a backup. For TCP/IPv6 or IP CIP, if the application is running on all the other 14 processors, then all of those need to be TCP/IPv6 or IP CIP-enabled and must be in the access list. TCP/IPv6 or IP CIP-enabled means that a TCP6MON process must be running on that processor. For the httpd servers to function properly, all these processes must be in place.
-
restart of the iTP WebServer. Again, this behavior is not new to the PATHWAY system; it just might be more obvious when everything from application to transport is vertically aligned.
• You Can No Longer Use Restarth
   Because the new product architecture no longer has a distributor working as a buffer zone between the incoming connection requests and the httpd servers, new servers cannot successfully bind to a local port unless the older httpd servers cease their operations.
-
   : cd /usr/tandem/webserver/TnnnnHnn_DDMMMYY_SPR_Hnnn_nn/admin/conf
   : ./install.EMS
The install.EMS script moves the template file to the proper NonStop directory, and merges the template file with the system template. Use of install.EMS requires the Guardian CTOEDIT program (part of the T8373 C run-time Library) to function properly. The EMS template installation can take up to five minutes to complete. The script displays the number of errors and warnings and terminates on an error.
-
You can install the iTP Secure WebServer in one of these three ways:
• “Using DSM/SCM” (page 39)
• “Running the IPSetup Program” (page 39)
• “Copying the iTP Secure WebServer Software from the Distribution Medium” (page 40)
Using DSM/SCM
1. Receive the SPR from disk or tape.
2. Copy the SPR to a new software revision of the configuration you want to update.
3. Execute the Build request and the Apply request on the configuration revision.
4. Run ZPHIRNM to rename the product files.
5.
-
Copying the iTP Secure WebServer Software from the Distribution Medium
If you are using IPSetup with a product CD, the following procedure is performed automatically, so you can ignore these steps, and go to “Running the Setup Script” (page 40) after IPSetup completes. If you are not using IPSetup, follow these steps to copy the iTP Secure WebServer software from the distribution medium:
1. Copy the product files to $ISV.ZWEB (where ISV is the name of your installation NOTE: $ISV.
-
   OSS: ./setup /home/myuser/mywebserver
NOTE: The target installation path cannot be the same as the source path. After the installation of the iTP WebServer is complete, do not delete or modify the version-specific directory (/usr/tandem/webserver/) or its sub-directories. This is because the OSS symbolic links, present in the directory where the iTP WebServer was installed, point to the directory tree.
-
   Enter the First Pathmon to use for your iTP WebServer (Default /G/zweb) #: /G/TWEB
   Enter the Second Pathmon to use for your iTP WebServer (Default /G/yweb) #: /G/UWEB
NOTE: The target installation path cannot be the same as the source path. After the installation of iTP WebServer is complete, do not delete or modify the version-specific directory (/usr/tandem/webserver/) or its sub-directories.
-
With LNP configured, iTP Secure WebServer can bind and listen on multiple TCP/IPv6 transports and servers across multiple networks. Additionally, when LNP is configured over TCP/IPv6, iTP Secure WebServer can listen on all combinations of IP and port from the list of configured combinations provided by the user. To use the LNP feature of iTP Secure WebServer, LNP must be properly configured on the system.
-
   Pathmon name: /G/zweb
   Guardian Pathmon subvolume name: /G/system/zweb.
   3) Perform manual configuration for iTP WebServer
Installing the Resource Locator
You can install the optional Resource Locator feature with the iTP Secure WebServer. The Resource Locator feature has specific dependencies that should be considered prior to installation. See “Using the Resource Locator Service (RLS)” (page 166) for information on using RLS.
-
During this process, one Pathmon will be brought down for upgrading Webserver objects with those of the newer version, while the other Pathmon serves the requests with older Webserver objects. This process is repeated to upgrade the other Pathmon.
NOTE: The online upgrade feature is not supported for upgrading from H02 to H03 versions or downgrading from H03 to H02 versions of the iTP Secure WebServer.
-
   CN=Secure Transport Bootstrap Certificate
   OU=Testing Only - Do not trust for Secure Transactions
   OU=No Assurance - Self-Signed
   OU=Generated date time PDT year
   O=comm.company.com
NOTE: Commercial use of the ninety-day test certificates is prohibited.
NOTE: Certain versions of Microsoft Internet Explorer do not accept self-signed test certificates.
Test-starting the Administration Server and the iTP Secure WebServer
Use this procedure to verify your configuration:
1.
-
3 Planning the iTP Secure WebServer PATHMON Environment
This section provides background for configuring the iTP Secure WebServer PATHMON environment.
-
Running the iTP Secure WebServer relies on a properly configured TCP/IPv6 or IP CIP environment. Every processor specified in the Server CPUS command (in the httpd.config configuration file) needs to be enabled to run TCP/IPv6 or IP CIP. In other words, the TCP6MAN/CIPMAN needs to be properly configured and running. As a result, there is a TCP6MON/CIPMAN (the monitor process) running on every processor specified in the Server's CPUS command.
-
require more detailed planning. The best way to avoid these types of problems is to make all the httpd servers static servers.
Configuring the PATHMON Environment
The configuration of the iTP Secure WebServer PATHMON environment is specified in the httpd.config file. You specify the configuration file when you start the iTP Secure WebServer process. The httpd.config file consists of keyword-value pairs. The sample configuration file httpd.config.
-
The benefits of assigning a smaller number of servers with a higher number of threads per server include:
• In a process, all threads share system resources such as swap space and file opens, including opens to cache files.
• No system dispatching is required to switch among threads in the same process.
Assigning a larger number of processes with a lower number of threads per server has different benefits:
• Load balancing is increased across processors.
-
arrive only on a secure port, modify the httpd.config file to exclude the Accept directive, and then restart the server. The iTP Secure WebServer Administration Server uses the ports you specify in response to prompts from the install.WS script. By default, the nonsecure port is 8088, and the secure port is 8089. Ports in the range from 1 through 1024, including the default HTTP port (80), can be used only by a process that has super ID privileges.
-
require. For some customers, keeping a backup tape in the same building as the server machine is sufficient. For other customers, keep a backup in another location (for example, in another building) in case the original file is destroyed and a replica is needed immediately. Consider controlling access to the room in which backups are made and stored and the means by which they are transported physically or electronically (if applicable).
-
4 Configuring for Secure Transport
Transport Layer Security (TLS) and Secure Socket Layer (SSL) protocols provide security enhancements for the Web. The security enhancements include encryption to ensure privacy and authentication (using key certificates) to verify the identity of servers, and, optionally, clients.
-
Overview of Server Configuration
This section provides an overview of the tasks involved in configuring the server to accept and respond to secure transport requests (both TLS and SSL). The server can be configured using the following methods:
• “Keyadmin Utility Configuration” (page 54)
• “Server Configuration” (page 54)
Keyadmin Utility Configuration
The process for using the keyadmin utility to configure the server for secure transport includes these steps:
1.
-
• Whether the server checks for TLS, SSL, or both
• Whether the server requests or requires client authentication (or neither)
For complete information about these options, see “AcceptSecureTransport” (page 200).
NOTE: The server checks for connections on the ports specified by both the Accept and the AcceptSecureTransport directives.
4. 5. 6.
-
Table 1 Common Distinguished Name (DN) Attributes (continued)
Attribute   Description
L           Locality: The city or other geographic location of an organization.
ST          State or Province: The U.S. state, Canadian province, or similar subdivision. State names must be spelled out completely. No postal abbreviations are allowed.
C           Country: The ISO country code of the country in which the certificate issuer is located (for example, C=US).
-
Generating a New Key Pair
Before you generate a key pair, you must obtain these items:
• The certificate-request form from a Certificate Authority. You can access this form from the Certificate Authority's home page on the Web.
• The DN you have decided to use to identify your server.
• The password associated with the server's key database file. If you plan to use an existing key database file, you must know the password associated with it.
-
specifies that complete information associated with the command string should be displayed. The keyadmin utility prompts you to enter the password associated with the key database file. After you enter the key database file password, the keyadmin utility creates the private/public key pair, stores them in the key database file, and then binds this key pair to the DN you specified. Longer keys provide more security, but at the cost of requiring more time to encrypt a particular object.
-
adds any of these plain text fields to the certificate request. The information in these fields is for your convenience and does not affect the keyadmin command. Be sure to include single quotes (') or double quotes (") around any entries that contain a space.
-verbose
   specifies that complete information associated with the command string should be displayed.
The keyadmin utility writes the public key and DN to the file name specified in -mkreq cert-req-file.
-
   specifies the name of the key database file in which the key pair you created is stored.
-addcert cert-recv-file
   specifies the name of the encoded file containing your new certificate as received from your CA.
-force
   specifies that a renewal of an older certificate should occur, but that the check for a valid start date should not be performed.
-root
   treats the certificate as a root.
-verbose
   specifies that complete information associated with the command string should be displayed.
-
This command deletes from the certificate database all information associated with the specified DN. The command arguments have these functions:
-keydb keydb
   specifies the name of the key database file in which the key pair you created is stored.
-delete
   specifies that a certificate and key pair should be deleted from the server's key database file.
-dn 'dn'
   specifies the full DN for the new key pair. Enclose this DN with apostrophes (') to protect it from being interpreted by the shell.
-
You can enter the arguments in any order. Enter the entire command on a single command line. If a continuation character is necessary, you must use the backslash (\) character as shown; the backslash is not permitted to break the DN value across lines.
   bin/keyadmin -keydb keydb {-disable | -enable} \
   -dn 'dn' [-root] [-verbose]
NOTE: The bin/ prefix indicates the directory that contains the keyadmin utility; the default is the bin directory.
-
-verbose
   specifies that complete information associated with the command string should be displayed.
The keyadmin utility prompts you for the new password. Database passwords must have at least eight characters all in uppercase or in a combination of uppercase and lowercase characters.
NOTE: Whenever you use the keyadmin utility to change the key database file password, you must reset the ServerPassword directive to the same password and restart the server. For details, see ServerPassword (page 252).
-
bin/keyadmin -keydb conf/keys -list produces the output:
   -------------------------------------
   Distinguished Name:
   OU: Secure Server Certification Authority
   O: RSA Data Security, Inc.
-
Table 3 Example Default Root Certificate (continued)
   Distinguished Name
   OU: Class 1 Public Primary Certification Authority
   O: Verisign, Inc.
-
Table 3 Example Default Root Certificate (continued)
   C: US
   State: Root Enabled
   Private Key: Not Present
   Public Key: Present
   Certificate: Present
   -----------------------------------
   Distinguished Name
   OU: Directory Services
   O: AT&T
   C: US
   State: Root Enabled
   Private Key: Not Present
   Public Key: Present
   Certificate: Present
   -----------------------------------
   Distinguished Name
   OU: Transaction Services
   O: AT&T
   C: US
   State: Root Enabled
   Private Key: Not Present
   Public Key: Present
   Certificate: Present
   -------------
-
-verbose
   specifies that complete information associated with the command string should be displayed. Under normal circumstances, you do not need to invoke this option.
Exporting a Database Entry
You can request that an entry from a specified key database file be written to any file name that you specify. Then you can use the new file as a key database file. You can enter the arguments in any order. Enter the entire command on a single command line.
-
This command displays the information about the keyadmin utility that you are running:
• Utility name (keyadmin)
• Version number of the utility
• The operating system platform on which the utility was built
Table 4 (page 68) lists all supported DN attributes.
-
This command prompts for the password of the key database file in which the key must be stored. The keyadmin command prompts to create a password to protect the key database file if it is not password protected. If the corresponding certificate is not found, a new entry is created using the DN provided in the -dn option of the command. In such instances, the -dn option must be specified and is not treated as optional. If the -dn option is not set, an error is displayed.
-
Starting with iTP Secure WebServer Release 7.5, you can export the private keys in the following formats:
• PEM or DER encoded PKCS#8 format encrypted using either the 3DES, AES128, AES192, or AES256 algorithms
• PEM encoded format
NOTE: The private key is exported in PKCS#8 Base64 encoded format in older releases.
-
Storing unencrypted private keys in disk files is not recommended. Do not use -nocrypt with -crypt/-encode options. If the key-file does not exist, you are prompted to create the file. If the key-file already exists, it is overwritten. If the specified DN does not exist in the key database file, an error message is displayed. The following examples illustrate the export options:
   ./keyadmin -keydb demo.db -exportpriv priv.key -dn \
   'CN=www.hp.com, L=Cupertino, O=HP, OU=NED, C=US' \
   -encode DER -crypt 3DES
   .
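A check an administrator could run on an exported key file to confirm it is not stored unencrypted, as an added example that is not part of this guide or of the keyadmin utility. It assumes the export is standard PKCS#8 (PEM or DER) and that the cipher is identified by its usual PKCS#5 OID; the function names are hypothetical and the sample inputs are constructed and hold no key material.

```python
import base64
import re

# DER-encoded OIDs (tag 06, length, value) for the ciphers the guide lists.
CIPHER_OIDS = {
    bytes.fromhex("06082a864886f70d0307"): "3DES",      # des-ede3-cbc
    bytes.fromhex("0609608648016503040102"): "AES128",  # aes128-cbc
    bytes.fromhex("0609608648016503040116"): "AES192",  # aes192-cbc
    bytes.fromhex("060960864801650304012a"): "AES256",  # aes256-cbc
}
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length


def classify_der(der):
    """Tell PrivateKeyInfo (plaintext) from EncryptedPrivateKeyInfo."""
    tag, start, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    inner_tag, i_start, i_end = read_tlv(der, start)
    if inner_tag == 0x02:                 # version INTEGER first: key is in the clear
        return {"encrypted": False, "cipher": None}
    if inner_tag == 0x30:                 # AlgorithmIdentifier first: encrypted
        alg = der[i_start:i_end]          # search only the algorithm header
        cipher = next((n for oid, n in CIPHER_OIDS.items() if oid in alg), "unknown")
        return {"encrypted": True, "cipher": cipher}
    raise ValueError("unrecognised key structure")


def classify_key(data):
    """Classify the bytes of an exported key file as PEM or DER, encrypted or not."""
    m = PEM_RE.search(data)
    if m is None:
        return {"encoding": "DER", **classify_der(data)}
    body = m.group(2)
    if b"Proc-Type: 4,ENCRYPTED" in body:  # legacy PEM encryption header
        return {"encoding": "PEM", "encrypted": True, "cipher": "unknown"}
    der = base64.b64decode(b"".join(body.split()))
    return {"encoding": "PEM", **classify_der(der)}


def tlv(tag, body):
    """Encode one DER element (short-form length only; enough for the samples)."""
    if len(body) >= 0x80:
        raise ValueError("sample too long for short-form length")
    return bytes([tag, len(body)]) + body


def sample_keys():
    """Constructed, structurally simplified samples with zero bytes as payload."""
    pbes2 = bytes.fromhex("06092a864886f70d01050d")
    aes256 = bytes.fromhex("060960864801650304012a")
    scheme = tlv(0x30, aes256 + tlv(0x04, bytes(16)))   # cipher OID + IV
    alg = tlv(0x30, pbes2 + tlv(0x30, scheme))
    encrypted = tlv(0x30, alg + tlv(0x04, bytes(16)))
    rsa = tlv(0x30, bytes.fromhex("06092a864886f70d0101010500"))
    plain = tlv(0x30, bytes.fromhex("020100") + rsa + tlv(0x04, bytes(8)))
    pem = (b"-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + base64.b64encode(encrypted)
           + b"\n-----END ENCRYPTED PRIVATE KEY-----\n")
    return {"der_encrypted": encrypted, "der_plain": plain, "pem_encrypted": pem}


if __name__ == "__main__":
    for name, blob in sample_keys().items():
        print(name, classify_key(blob))
```

To check a real export, pass the file's bytes to `classify_key` and treat `encrypted: False` as a finding.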
-
Using Server Certificate Chains With the iTP Secure WebServer
The TLS and SSL 3.0 protocols allow iTP Secure WebServer to send and receive certificate chains. You can use the certificate chain option to establish a certificate hierarchy that is more than two certificates deep. For more information about certificates and certificate chains, see “Using Certificates” (page 272). No configuration changes to the iTP Secure WebServer are required for this feature.
-
1. Builds an internal certificate chain using what the Web client has returned.
2. Attempts to back-build the internal certificate chain by retrieving issuer certificates from the certificate database and adding them to the internal certificate chain. The chain is built until the server either retrieves a certificate that is marked as root from the database or it cannot find an issuer of a certificate on the chain in the database.
3. 4. 5.
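The two chain-building steps visible above, modelled as an added sketch that is not taken from this guide and is not the server's implementation. `Cert`, `back_build`, the outcome names and the sample DNs are hypothetical; signature and validity checks are left out so that only the two stopping conditions (a database root is reached, or no issuer is found) are shown, plus a guard against issuer loops.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str   # subject DN
    issuer: str    # issuer DN


def back_build(client_chain, cert_db, root_dns):
    """Extend a client-supplied chain (leaf first) from the certificate database.

    cert_db maps subject DN -> Cert; root_dns is the set of DNs that the
    database marks as root. Returns (chain, outcome); the outcome strings
    are hypothetical labels, not the server's status values.
    """
    if not client_chain:
        return [], "empty_chain"
    chain = list(client_chain)
    seen = {c.subject for c in chain}
    while True:
        top = chain[-1]
        # Stop 1: the top of the chain is a certificate the database marks as root.
        if top.subject in root_dns and cert_db.get(top.subject) == top:
            return chain, "root_reached"
        issuer = cert_db.get(top.issuer)
        # Stop 2: the database holds no issuer for the top certificate.
        if issuer is None:
            return chain, "issuer_not_found"
        # Guard: an issuer already on the chain would loop forever.
        if issuer.subject in seen:
            return chain, "loop_without_root"
        chain.append(issuer)
        seen.add(issuer.subject)


def sample_db():
    """Constructed database: one root, one intermediate, and a two-cert loop."""
    certs = [
        Cert("CN=Example Root CA", "CN=Example Root CA"),
        Cert("CN=Example Issuing CA", "CN=Example Root CA"),
        Cert("CN=Loop A", "CN=Loop B"),
        Cert("CN=Loop B", "CN=Loop A"),
    ]
    return {c.subject: c for c in certs}, {"CN=Example Root CA"}


if __name__ == "__main__":
    db, roots = sample_db()
    for leaf in (Cert("CN=client", "CN=Example Issuing CA"),
                 Cert("CN=stranger", "CN=Unknown CA"),
                 Cert("CN=selfsigned", "CN=selfsigned"),
                 Cert("CN=looped", "CN=Loop A")):
        chain, outcome = back_build([leaf], db, roots)
        print(outcome, [c.subject for c in chain])
```

In this model a self-signed client certificate that is absent from the database ends as `issuer_not_found`: trust comes from the database's root marking, not from a certificate being self-signed.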
-
INVALID_CERTIFICATE
   The server requested client authentication and received a client certificate chain that contains X509 version 3 certificates, but the certificate cannot be trusted.
VALID
   The server requested and received a client certificate or client certificate chain, and all previous checks have passed.
NOTE: If the iTP Secure WebServer finds one or more errors when validating a certificate, it reports the first error only.
-
To control server access and privacy, you can:
• Specify Region commands to control server responses
• Use the TLS and SSL variables to access information within CGI programs
Specifying Content Access Using the Region Command
You use the Region directive's RequireSecureTransport command to mandate that only TLS or SSL connections can access particular regions of content.
-
Using Ciphers With the AcceptSecureTransport Directive
The iTP Secure WebServer allows you to specify the ciphers that you want the WebServer to support. Specifying a particular cipher mode ensures the maximum security for each connection. Encryption and integrity checking are controlled through the AcceptSecureTransport directive's -ciphers argument. For details about the syntax and use of the -ciphers argument, see “AcceptSecureTransport” (page 200).
-
Starting with iTP Secure WebServer Release 7.5, you can export the private keys in the following formats:
• PEM or DER encoded PKCS#8 format encrypted using either the 3DES, AES128, AES192, or AES256 algorithms
• PEM encoded format
To migrate the iTP Secure WebServer database, complete the following steps:
NOTE: Before migrating your iTP Secure WebServer 7.0 key database to iTP Secure WebServer 7.
-
Enter passphrase for private key:
Re-enter passphrase for private key:
Are you sure you want to export this entry? (y/n) y
The keyfile "keyfile" does not exist. Do you wish to create it? (y/n) y
Private key is successfully exported to file.."keyfile"
The dbmigrate command prompts you for the passphrase of the key database. If you do not specify the -nocrypt option, the command prompts you for the passphrase to encrypt the private key.
-
a. Using the following command, import the private keys:
bin/keyadmin [-verbose] -importpriv -dn -keydb
For more information about importing a private key, see “Importing a Private Key into iTP Secure WebServer's Key Database File” (page 68).
b. Using the following command, add the corresponding certificate:
bin/keyadmin [-verbose] -addcert [-root] -keydb
For more information about adding a certificate, see “Adding a Certificate to the Key Database File” (page 59).
-
for keyadmin to process them. Use the following commands to enable support for non-English characters in your OSS terminal:
1. Check for available locales in your system using the command locale -a. A list of locales is displayed. Table 6 (page 81) lists the locales displayed in the output of the command. For detailed information about these locales, see the Software Internationalization Guide.
2. Select the required locale based on the language support needed.
-
Table 6 (page 81) lists the locales that are displayed on running the locale -a command.
Table 6 List of Valid Locales
da_DK.ISO8859-1   fr_BE.ISO8859-1   nl_BE.ISO8859-1
de_CH.ISO8859-1   fr_CA.ISO8859-1   nl_NL.ISO8859-1
de_DE.ISO8859-1   fr_CH.ISO8859-1   no_NO.ISO8859-1
el_GR.ISO8859-7   fr_FR.ISO8859-1   pt_PT.ISO8859-1
en_GB.ISO8859-1   is_IS.ISO8859-1   sv_SE.ISO8859-1
en_JP.ISO8859-1   it_IT.ISO8859-1   tr_TR.ISO8859-9
en_US.ISO8859-1   ja_JP.AJEC        zh_TW.eucTW
es_ES.ISO8859-1   ja_JP.SJIS
fi_FI.
-
5 Managing the iTP Secure WebServer Using Scripts
This section describes the httpd command and how to manage the iTP Secure WebServer environment using the scripts provided.
-
Figure 3 WebServer Management Processes (diagram labels: Distributor Process, Generic-CGI Server, PATHMON, httpd, config file, iTP Secure WebServer, Appl. CGI Server)
When stopping the iTP Secure WebServer environment, the httpd process sends a shutdown request to PATHMON, which in turn stops the server classes and the PATHMON process. The start, stop, and restart scripts provided in the /usr/tandem/webserver/conf directory manage a single iTP Secure WebServer process described by the httpd.config configuration file.
-
The -restarth option will result in the following error message indicating the function is no longer supported: httpd: (#617) Operation restarth is not supported with PTCPIP.
-
NOTE: By default, the conf directory contains the updatesc script. You can modify the configuration of multiple serverclasses by specifying the serverclasses as a space separated list.
Using the httpd Command
You can use the httpd command in your own scripts, or you can use it interactively to control the iTP Secure WebServer (the HTTPD server). Starting with iTP Secure WebServer Release 7.5, you can restart individual serverclasses with the httpd command.
-
adds and starts the server definitions to the pathmon specified in the configuration file. You can configure other serverclasses along with httpd. You must configure one httpd server in the configuration file that has all the server definitions that are to be added to the pathmon. The config-filename is a mandatory input parameter with this option. You must provide a confirmation to the following question while you run this command. "Pathmon is already running.
-
configuration. A new serverclass with the modified configuration, and new name is added to the PATHMON.
• When distributor is present, you cannot use this option with httpd serverclass.
• You cannot update distributor serverclass because it is configured by httpd. You cannot update a manually added serverclass named distributor.
• If gcache is added to the iTP Secure WebServer environment, perform the following steps for caching to take effect:
◦ Set GlobalCache to ON in the httpd.stl.config file.
-
been changed in the configuration file, the iTP Secure WebServer ignores the change and opens new files using the old names. • When you use -rollover with -start, the log files that were in use when the iTP Secure WebServer was stopped are saved on startup, and the httpd process begins logging to new files. If the log file names have been changed in the configuration file, the server opens new files using the new names.
-
3. Checks and reports if the webserver instrumentation is active
4. Reads the current webserver statistics
The statscom tool performs the following series of operations when run through the command line:
1. Finds all httpd processes owned by the specified iTP Secure Webserver PATHMON/DOMAIN
2. Opens all httpd processes
3.
-
This command collects statistics for all httpd processes in PATHMON $PATHMON for parameters specified in user-specified config-file. The output of all of the above commands is a Comma Separated Value list that can be read in Microsoft Excel.
• statscom -stop $PATHMON [config-file][-location ][-name ]
This command stops the statistics gathering for all httpd processes in PATHMON $PATHMON.
For example:
./statscom -stop \$SWEB
OR
.
-
OR
./statscom -submit \%WEB [config-file]
This command collects statistics for all httpd processes in DOMAIN $DOMAIN for parameters specified in config-file. The output is a Comma Separated Value list that can be read in Microsoft Excel.
• statscom -stop \%DOMAIN [config-file][-location ][-name ]
This command stops the statistics gathering for all httpd processes under DOMAIN $DOMAIN.
For example:
./statscom -stop \%WEB
OR
.
-
Number of current open connections (Same as current active requests.) TotalPendingIOOperations Total number of pending I/O operations (socket as well as PATHSEND operations.
-
Syntax
./timestat \$interval [config-file]
OR
./timestat \%interval [config-file]
where
config-file is any user-defined configuration file that specifies the statistics parameters to be monitored. If no configuration file is specified, all the parameters are considered for statistics collection.
interval specifies the time in seconds for which the webserver statistics are to be collected. Statistics of all the httpd processes are gathered and stored in the statistics.
-
6 Configuring the iTP Secure WebServer
This section contains the default iTP Secure WebServer configuration file and explains how configuration directives can be used to affect server operation. “Configuration Directives” (page 198) contains complete descriptions of all configuration directives.
-
Table 7 Sample httpd.config File (continued) LanguageSuffix en .en # # LanguageSuffix fr .fr # LanguageSuffix es .es # LanguageSuffix de .ger # The default TCP/IP transport process that will be used is # /G/ztc0 the name is saved here because it is used in two # places in the configuration file. # set transport /G/ztc0 # This is the file where the extended format server log will # be written. # ExtendedLog $root/logs/httpd.log # # AccessLog $root/logs/access.log # ErrorLog $root/logs/error.
-
Table 7 Sample httpd.config File (continued) } ################################################################ ## # Attributes for servers might be stored in a variable and then # used later. ## set DefaultServerAttributes { Priority 170 Numstatic 1 Maxservers 50 Linkdepth 1 CWD $root/bin Maxlinks 1 } ################################################################ ## # Definition of the Generic-CGI server # Server $root/bin/generic-cgi.
-
Table 7 Sample httpd.config File (continued) # # Custom configuration can be done here. # # ################################################################ ## # This does an existential check for a sampleservers.config # file. If it is there, it will be included in the # configuration. # if { [file exists $root/conf/sampleservers.config] } { source $root/conf/sampleservers.config } ################################################################ ## # This does an existential check for a local.config file.
-
If you want global session key caching, the SK_GlobalCache directive (that is the GlobalCache variable), must be set to ON to enable the configuration of the server. If individual httpd server process session key caching is desired, which is the default, set the variable to OFF, or omit it. The value of MAXSERVERS must always be set to 1. This is a single process serverclass. The value of MAXLINKS and LINKDEPTH must both always be set to the value of the httpd server's MAXSERVERS value.
-
Table 8 Sample httpd.stl.config File (continued) } } } Other Configuration Files Information about the configuration file required to use the Servlet Server Class (SSC) is in NonStop Servlets for JavaServer Pages (NSJSP) System Administrator's Guide.
-
Filemap url-prefix dir
where:
url-prefix specifies the URL prefix to which this Filemap directive applies. For example: /admin/widgets.
dir is the server directory to which any object specification matching url-prefix will be directed for the requested object.
The Filemap directive converts a matched request specification (object path) into the actual location on the server of the requested object by substituting the target server directory (dir) for the matched URL prefix (url-prefix).
-
Handling Directory Accesses
A URL can refer to a directory instead of a specific object. For example:
http://my.server.com:8080/personal/tootie/
When a URL refers to a directory, the server looks for an index file within the directory being requested. The specific index file the server looks for is determined by the setting of the IndexFile directive. For example, if your server receives a directory request, and the directive IndexFile index.html welcome.html is specified in the server configuration file (httpd.
-
Configuration Directives for Content Negotiation
The iTP Secure WebServer makes content-negotiation decisions on the basis of the following three configuration directives:
• The Negotiation directive specifies whether the server should perform content negotiation and, if so, whether to make decisions based on language alone or also on the basis of encoding and character set.
-
include a LanguagePreference directive, the server returns a status code indicating that the file was not found. 3. After locating a subdirectory for the preferred language, the server searches for and returns the requested file. If the server finds a directory corresponding to the highest weighted language, but the file is not present in that directory, the server searches for the file in the directory for the second best language, and then the third best, and so on.
-
/us/ca/sj/store1/product.en.avi However, in no case will the server return a file that is unacceptable in terms of any of the header criteria. To use multiview content negotiation, you must give each file name one or more extensions that match the supported content-negotiation criteria. Do not store files for different languages in subdirectories named for those languages unless the client will include the subdirectory name explicitly in each URL.
-
/G/vol/subvol/file as text. • If a URL refers to a Pathway-CGI application and includes an extension, the iTP Secure WebServer directs the request to the server class specified in the PathwayMimeMap directive for the extension. For example: /G/vol/subvol/serverclassname.pway invokes the server class serverclassname in the local iTP Secure WebServer environment, unless the configuration contains a PathwayMimeMap directive that assigns the extension .pway to another server class or PATHMON environment.
-
The default configuration of the iTP Secure WebServer has been changed to take advantage of the file caching enhancement. If file caching is not enabled, the iTP Secure WebServer performs as in previous releases. However, users might choose not to use file caching because of its increased memory consumption. With the default configuration, up to 20 MB of additional memory might be used.
-
When no CacheTime directive is present, the server caches files for approximately 60 minutes (one hour).
Example:
CacheTime 7
MaxFileCacheEntries
Syntax:
MaxFileCacheEntries
If you specify a larger number of entries, more memory might be consumed by the file cache; if you specify a smaller number, the server must access files directly from disk more frequently. Therefore, HP recommends a survey of the Web site in addition to the physical memory configuration on the processor.
-
Both MaxFileCacheEntries and MaxFileCacheContentSize determine the maximum file cache size. For example, if MaxFileCacheEntries is set to 3000 and MaxFileCacheContentSize is set to 30, then the maximum capacity for the file cache is 90MB. HP recommends a survey of all static files residing on the Web site in addition to the physical memory configuration. Performance might be hindered if the iTP Secure WebServer consumes too much physical memory and causes a high number of page faults.
-
Common Log Format (CLF)
The common log format (CLF) is used by the access and error log files and is specified by the AccessLog and ErrorLog configuration directives (see “Configuration Directives” (page 198)). This format is supported by other Web servers and by many log-analysis tools. If you already use or have such tools, you might want to use CLF.
Combined Log Format
The information logged into the access log as per the Common Log Format does not include the 'Referer' and the 'User-Agent' fields.
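The difference between the two access-log layouts matters when the log feeds detection tooling, so here is an added Python example (not part of the HP guide) that parses both and counts 401/403 responses per client. The field layout is the widely used CLF and Combined conventions, the log lines are constructed samples, and the tolerance for backslash-escaped quotes inside quoted fields is an assumption about how such fields may be written.

```python
import re
from collections import Counter

# CLF:      host ident authuser [date] "request" status bytes
# Combined: the same fields followed by "referer" "user-agent"
LOG_LINE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)")?\s*$'
)

# Constructed sample lines (documentation addresses, invented requests).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Feb/2014:10:15:32 -0800] "GET /index.html HTTP/1.0" 200 2326',
    '192.0.2.77 - alice [12/Feb/2014:10:16:01 -0800] "GET /admin/ HTTP/1.0" 401 -',
    '192.0.2.77 - - [12/Feb/2014:10:16:05 -0800] "GET /admin/ HTTP/1.0" 401 - '
    '"http://www.example.com/start.html" "ExampleBrowser/1.0 (build \\"7\\")"',
    'this line is not an access-log entry',
]


def parse_line(line):
    """Return a dict for one CLF or Combined line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # The two trailing quoted fields are what distinguishes Combined from CLF.
    rec["format"] = "combined" if rec["agent"] is not None else "clf"
    rec["status"] = int(rec["status"])
    rec["size"] = None if rec["size"] == "-" else int(rec["size"])
    parts = rec["request"].split(" ")
    if len(parts) >= 2:
        rec["method"], rec["path"] = parts[0], parts[1]
    else:
        rec["method"], rec["path"] = None, None
    return rec


def auth_failures_by_client(lines):
    """Count 401/403 responses per client host; also report unparsable lines."""
    failures = Counter()
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
        elif rec["status"] in (401, 403):
            failures[rec["host"]] += 1
    return dict(failures), unparsed


def agents_seen(lines):
    """User-Agent values available for triage; CLF lines contribute none."""
    return sorted({r["agent"] for r in map(parse_line, lines) if r and r["agent"]})
```

With CLF-only logging, `agents_seen` returns an empty list, so any rule that keys on client software needs the Combined or extended log.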
-
Table 10 Required Log-File Space (continued)
Requests/Day   Access Log Size   Error Log Size   Extended Log Size
500,000        48.0 Mb           9.6 Mb           72.0 Mb
1,000,000      97.0 Mb           19.4 Mb          145.5 Mb
Rotating Log Files
As the server log files grow in size, you must eventually rotate to new ones; that is, either archive or delete the old files (depending on your policy) and create new files. There are a number of ways you can automatically save current log files and have iTP Secure WebServer begin logging to new files.
-
starts the server, saves the log files that were current when the server was stopped, and opens new log files. The following command:
httpd -restarth -rollover configfile_name
dynamically restarts the server so that configuration changes can take effect immediately. The iTP Secure WebServer continues operation, the log files that were current when the server was started are saved, and new log files are opened.
-
Setting Up an Alias
To set up an alias for your server:
1. Choose an alias for your machine and register it with the DNS. If you are not sure how to register the name you choose, consult your local area network (LAN) administrator or the system documentation.
2. Verify that your alias has been registered. Use the nslookup command if it is available on your system.
3. In the server configuration file (httpd.
-
tree, or all files ending with a particular extension, such as .gif. For example, you could deny access to any request attempting to access a region on your server such as /admin/*.cgi. A Region directive consists of a matching pattern and a list of commands to be applied to any URL that matches the given pattern:
Region pattern {
region_command
.
.
.
}
where:
pattern is a string that matches the path component of a URL.
-
specifies one or more client host names or IP addresses. If a Web client host name or an IP address matches a specified pattern, the Web client is granted access to the region specified in the containing Region directive. All other clients are denied access. For example, you are working on a project with another company that has the widget.com domain and you want to grant employees in this other company (along with those in your own company) access to the design documents in directory /secret-project.
-
NOTE: The -safeguard option is recommended for use with RequireSecureTransport because it is used with the non-secure basic authentication scheme that sends the user name and password as radix64 encoded strings. If the user enters a user name and password that matches one of the user name/password pairs in the specified password file, the Web client is granted access to the server region specified in the containing Region directive.
-
password is the new user’s password
If you do not supply the user name and password, you will be prompted for them.
Deleting a User From a Password File
The following command needs to be run to delete a user from a password file:
useradm delete file-name [user-name]
where,
file-name is the name of the password file
user-name is the name of the user to be deleted
If a user name is not supplied, you will be prompted for it. Moreover, you will be prompted to supply your current password for deletion.
-
1. You can use a Redirect command to redirect requests to an alternate location that has a different file structure from that of the original location: Redirect alt-url This Redirect command tells the server to redirect a request for a specified object and specifies a fully qualified alternate URL (alt-url). For example, if you move the HTML document /info/stats.html to /statsinfo.html on a different host machine (www.widgets.
-
../26-Mar-9510:14
CVS/17-Mar-9513:44
a-very-long-file-name-test17-Mar-9512:OK
size-100000.html17-Mar-9512:1597K
subdir/17-Mar-9513:44
test.html17-Mar-9512:15OK
Automatic directory indexing is disabled by default. If no index file is available, the server returns an error for any attempt to access a directory. For more information about the DirectoryIndex command, see “Region” (page 232).
Disabling Logging
You can disable logging for specific requests.
-
In this example, your server would first require a user name and password for access. After receiving a valid user name and password, your server would check the Web client host name and deny access if the host name was not in the domain compedia.com. The problem with this ordering of commands is that users not in the domain compedia.com will be prompted for their user name and password before being denied access anyway.
-
value is the value to which you are setting this variable.
Returning to the earlier example, you could accomplish the same result using the following RegionSet directive:
RegionSet denyList "*.widgets.com *.compedia.com *.foo.com"
Region /admin/* {
DenyHost $denyList
}
Region /testing/* {
DenyHost $denyList
}
If you subsequently needed to change your deny-access list, you would only need to change it in the RegionSet directive.
-
Table 11 Region Directive Variables (continued) Variable Description For information on reverse lookup, see “Region” (page 232). REMOTE_PORT The request is sent by using this port number. Format: number between-1-and-65535 For Example: 80 REMOTE_ADDR Contains the IP address of the Web client making the request. For example: 199.170.183.5 PATH Contains the URL path for this request. For example: /home/index.
-
} } In this example, the Region directive limits access to the /pictures area. Any users attempting to access this area between 7AM and 7PM (local server time) will be directed to the /come-back-later.html document.
-
As an example, an Adobe Portable Document Format (PDF) helper application would need to have access to individual pages by byte range; the table that defines those ranges is located at the end of the PDF file. (Use Adobe Acrobat version 3.0 or later to take advantage of this feature.) When the iTP Secure WebServer responds with the requested range, the HTTP status code 206, Partial Content, is returned and logged to the extended log file.
-
Establishing Alias IP Addresses
NonStop TCP/IP enables you to define alias IP addresses (sometimes also called virtual IP addresses). For brief instructions about how to define such addresses, see “SCF TCP/IP Configuration” (page 199). For detailed information about this and other topics related to TCP/IP configuration on NonStop systems, see the TCP/IP Configuration and Management Manual.
-
Filemap / /groups/nerds/www
}
You can specify any number of pairings of Accept (or AcceptSecureTransport) and Region (with -host and -port directives) in any single configuration file. For further information about the Accept directive, see “Accept” (page 198). For further information about the AcceptSecureTransport directive, see “AcceptSecureTransport” (page 200). For further information about the Region directive, see “Region” (page 232).
-
Name Based Virtual Hosts are configured using the Region -host configuration option. To enable Name Based Virtual Hosting, you must specify a valid DNS name as a parameter for Region -host. If a DNS name is specified as a parameter for Region -host, string comparisons with the users' Host value are performed to validate the access.
Syntax:
Region -host { }
For example:
Region -host hp.com /* {
Filemap / /home/site_data/hp_com
}
Region -host nonstop.
-
id is the message identifier (see “Server Access Errors” (page 222)). text is the HTML encoding of the message. You must use curly braces ({}) to enclose messages that include spaces or that span more than one line. The Message directive causes the server to return text whenever the error condition specified by id occurs.
-
rectangle (x1,y1) (x2,y2) url
This directive defines a rectangle in terms of the upper-left coordinate (x1,y1) and the lower-right coordinate (x2,y2). For example:
rectangle (30,30) (50,50) /offices/ceo.html
circle (x1,y1) radius url
This directive defines a circle in terms of the center of the circle (x1,y1) and the radius. For example:
circle (100,100) 10 /target/bullseye.html
polygon (x1,y1) (x2,y2) (x3,y3) ... url
This directive defines a polygon in terms of the vertices of the shape.
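To check an image map file before publishing it, the three directives above can be parsed and hit-tested offline. This is an added Python example, not the server's implementation; the polygon entry in the sample map is constructed, and treating shape boundaries as inside and letting the first matching line win are assumptions of the sketch.

```python
import re

POINT = re.compile(r'\(\s*(-?\d+)\s*,\s*(-?\d+)\s*\)')

# The rectangle and circle lines are the examples from the text;
# the polygon line is constructed for this sketch.
SAMPLE_MAP = """\
rectangle (30,30) (50,50) /offices/ceo.html
circle (100,100) 10 /target/bullseye.html
polygon (200,200) (260,200) (230,260) /offices/lab.html
"""


def parse_map(text):
    """Parse map lines into (kind, data, url) tuples; raise ValueError on bad input."""
    shapes = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts:
            continue
        if len(parts) < 3:
            raise ValueError(f"line {lineno}: too few fields")
        kind, url = parts[0].lower(), parts[-1]
        body = " ".join(parts[1:-1])
        points = [(int(x), int(y)) for x, y in POINT.findall(body)]
        extra = POINT.sub(" ", body).split()  # whatever is left besides points
        if kind == "rectangle" and len(points) == 2 and not extra:
            (x1, y1), (x2, y2) = points
            data = (min(x1, x2), min(y1, y2), max(x1, x2), max(y1, y2))
        elif (kind == "circle" and len(points) == 1
              and len(extra) == 1 and extra[0].isdigit()):
            data = (points[0], int(extra[0]))
        elif kind == "polygon" and len(points) >= 3 and not extra:
            data = points
        else:
            raise ValueError(f"line {lineno}: malformed {kind!r} entry")
        shapes.append((kind, data, url))
    return shapes


def in_polygon(points, x, y):
    """Ray-casting test: count edge crossings to the right of (x, y)."""
    inside = False
    j = len(points) - 1
    for i in range(len(points)):
        xi, yi = points[i]
        xj, yj = points[j]
        if (yi > y) != (yj > y):
            x_cross = xi + (y - yi) * (xj - xi) / (yj - yi)
            if x < x_cross:
                inside = not inside
        j = i
    return inside


def hit_test(shapes, x, y):
    """Return the URL of the first shape containing (x, y), or None."""
    for kind, data, url in shapes:
        if kind == "rectangle":
            x1, y1, x2, y2 = data
            hit = x1 <= x <= x2 and y1 <= y <= y2
        elif kind == "circle":
            (cx, cy), radius = data
            hit = (x - cx) ** 2 + (y - cy) ** 2 <= radius * radius
        else:
            hit = in_polygon(data, x, y)
        if hit:
            return url
    return None
```

A line in which the radius runs into the URL, such as `circle (100,100) 10/target/bullseye.html`, is rejected by `parse_map` rather than silently mapped.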
-
Testing the Image Setup
The final step is to test your clickable image setup. With your Web client, open the HTML document that has the inline image. You should be able to click the image and link to other documents. If clicking has no effect, check to see if the hypertext anchor and ISMAP tag are properly set up (see “Adding a Hypertext Anchor” (page 128)). Be sure to check the hypertext links for all the regions in your image map file.
-
Setting Up a Server-Side Include (SSI)
Use a server-side include (SSI) to insert real-time or updated information within any given document. Examples of such information include:
• Another file
• Output from a CGI or /bin/sh script
• The current date
• A document's last modification date
• The size or last modification of other documents
You set up SSIs by instructing the server to parse the HTML output being sent to a Web client to detect SSIs and act on them.
-
text/x-server-parsed-html to identify files to be parsed. To tell the server which extension you want to correspond to these files, you specify the MimeType directive in the mime-types.config file. For example, the server default is: MimeType text/x-server-parsed-html shtml This directive marks for parsing any file ending in .shtml. The default MIME-type extensions specified in the mime-types.config file are lowercase. Therefore, if you have a file with the extension .
-
sizefmt determines the formatting to be used for displaying the size of a file. The two values are bytes, for displaying a formatted byte count (formatted as 1,234,567); and abbrev, for displaying an abbreviated version consisting of the number of kilobytes or megabytes the file occupies. For example: size= Output: size=1,652,708 include inserts the text of a document into the parsed document.
-
Region /test {
Filemap /test $root/cgiscripts
DirectoryIndex
EnableIncludes -restricted
}
then, the cgi script at /usr/tandem/webserver/cgiscripts/test.cgi will be executed. The server does not perform error checking to check that the specified generated HTML output is valid; therefore, you should use this tag with caution. Disable SSI exec usage on uncontrolled regions. The iTP Secure WebServer does not support automatic handling of Location: headers.
-
TANDEM_PWAY_ALERT_TIME monitors the time taken for setting up a pathway link. A timer starts in the WebServer when a Pathway link needs to be established, and ends when the link is granted.
-
When TANDEM_SOCK_ALERT_TIME is set to a value greater than 0, and the timer value is greater than the value specified, this EMS alert message is generated: WWWWW socket read took m secs (n usecs) gfn: w irp x remote addr_n_port y:z Where: m and n are the time taken, in seconds w is the gfn number x is the irp address y is the remote client address z is the port number The unit of measurement for this environment variable is seconds.
-
use the same value, the serverclass mentioned in the configuration is not added to the pathmon and displays a relevant error. 2. Configuration of multiple daemons with different names is not supported with distributor (conventional TCP/IP). • Pathmon: Use the same Pathmon names in all configuration files to add the serverclasses in the same pathmon. • Server: Server definitions present in the configuration file are added and started to the pathmon as per the conditions mentioned above.
-
“file already exists. It will be saved with .backup extension.” Do you wish to continue? (y/n) (No default)
If you enter y/Y, the script continues. If you enter n/N, the script exits. For any other input, an error message is printed and the script exits. This script does not create object files or sample server objects or admin WS. You must have the required permission to create files or directories on the specified location.
-
7 Using Common Gateway Interface (CGI) Programs
This section introduces you to using Common Gateway Interface (CGI) programs with the iTP Secure WebServer.
-
Figure 5 CGI Relationships (diagram labels: CGI Server, Database, Other, CGI Standard Input & Environment Variables, Standard Output, iTP Secure WebServer, Web Client)
CGI Support in the iTP Secure WebServer Environment
The iTP Secure WebServer offers two CGI execution environments, and both have advantages over conventional CGI execution.
-
Figure 6 Generic-CGI Server class (diagram labels: Serverclass_send, Pathway CGI Main, HTTPD, generic_cgi, Reply, stdin, stdout, .cgi Program)
The generic-CGI execution environment has these characteristics and constraints:
• You can run as many simultaneous CGI processes as there are processes in the generic-CGI server class.
• The .cgi programs are launched in the same processor in which the generic-CGI server is running.
• As in standard CGI, a new process is created for each invocation.
-
◦ CGI_getc
◦ CGI_puts
• Use other CGI procedures as required by your application. “CGI Procedures” (page 159) lists and describes all the procedures in the CGI library. The semantics of CGI routines are identical to the corresponding routines in the standard C library.
• Link your application code with the CGI library, libcgi.a, to create an executable program.
NOTE: Applications built using a version of libcgi.
-
• Returning output See “Returning Output” (page 156)
• Logging errors See “Logging Error Information” (page 158)
• The CGI standard file environment See “CGI Standard File Environment” (page 159)
If you plan to use Pathway CGI, you should also be aware of the coding considerations described in “Pathway CGI Coding Considerations” (page 161). CGI programs can be located in a common directory that includes HTML documents and graphics files. CGI executables are conventionally labeled with the extension .
-
You can customize this configuration in the following ways:
• Enable files other than those that have the .cgi or .pway extension as CGI programs. The following example specifies that all files that have the extension .pl also have the MIME type of a CGI application:
MimeType application/x-httpd-guardian pl
PathwayMimeMap pl generic-cgi
(The PathwayMimeMap directive is required, as described in “Mapping MIME Types to Server Classes” (page 143).
-
Table 15 Server MIME Types (continued) # server side includes. # #MimeType application/x-httpd-cgi cgi #MimeType application/x-httpd-fcgi fcg fcgi MimeType application/x-imagemap map MimeType text/x-server-parsed-html shtml #These Mime Types are for Servlet API 2.
-
Table 15 Server MIME Types (continued)
MimeType image/x-xwindowdump xwd
MimeType text/html html htm
MimeType text/plain txt
MimeType text/richtext rtx
MimeType text/tab-separated-values tsv
MimeType text/x-setext etx
MimeType video/mpeg mpeg mpg mpe
MimeType video/mpeg2 mpv2
MimeType video/quicktime qt mov
MimeType video/x-msvideo avi
MimeType video/x-sgi-movie movie
#
# Everything below this point has been added for version 1.
-
Program Access Restrictions
You can disable access to CGI programs in certain server areas by using the Deny command in a Region directive. For example, the directive
Region /~*.cgi* { Deny }
denies access to all CGI programs located in user directories, that is, any directory accessed by a URL beginning with a forward slash followed by a tilde (/~).
Passing CGI Environment Variables
You use environment variables to pass descriptive information about the server and the current request to a CGI program.
-
Table 16 Environment Variables (continued) Environment Variable Description These environment variables are request specific. SERVER_PROTOCOL The name and revision of the information protocol this request came in with. Format: protocol/revision Example: HTTP/1.0 SERVER_PORT The port number to which the request was sent. Format: number-between-1-and-65535 Example: 80 PATH_INFO Extra path information given by the Web client.
-
Table 16 Environment Variables (continued) Environment Variable Description REMOTE_ADDR The IP address of the remote host making the request. If IPv4 address is used: n.n.n.n Example: 199.170.183.2 If IPv6 address is used: n:n:n:n:n:n:n:n Example: 2001:0:0:0:0:FFD3:0:57ab REMOTE_PORT The request is sent by using this Port number.
-
Table 16 Environment Variables (continued) Environment Variable Description HTTPS_CLIENT_CERT If TLS or SSL client authentication is used, this variable contains the certificate that is presented by the Web client. It is encoded in ASCII using radix-64. If SSL 3.0 was used, the value stored in this variable is the Web client's certificate, extracted from the certificate chain that was received from the Web client.
-
Table 16 Environment Variables (continued) Environment Variable Description SI_SI The entire Session Identifier. SI_UCTX The 2-bit user context field from the ticket. This field is used by the ticketing agent. SI_UID The user ID of the user accessing the content. This value is extracted from the ticket. Except for anonymous ticketing, the user ID is taken from a user database. You can use this variable to present customized Web pages to particular users.
-
Table 17 Pathway Specific Environment Variables (continued) Environment Variable Description QUERY_STRING=name=value name=value=y AUTOMATIC_FORM_DECODING ON HTTP_ACCEPT */*, image/gif, image/x-xbitmap, image/jpeg PATH /bin:/usr/bin:/usr/ucb:/usr/bsd:/usr/local/bin x y GATEWAY_INTERFACE CGI/1.1 REQUEST_METHOD GET SCRIPT_NAME /samples/Scripts/env.
-
Table 17 Pathway Specific Environment Variables (continued)
Environment Variable: Description
Server path {Env TANDEM_CGI_FFLUSH_TIMER=value}
The valid values for this variable are from 0 to 3600. The default value, 0, causes the CGI process to retain buffered data until the buffer is full. Any other value causes the process to wait the specified number of seconds before flushing the buffer. Example: Server /dir5/flush.
-
Table 18 Environment Variable Access Methods (continued) Language Variable Access Method $env(cgi_dump.
-
Table 19 Sample HTTP Header Variables (continued)
Sample HTTP Variable: Description
image/gif, image/jpeg
HTTP_ACCEPT_CHARSET: This variable lists the character sets that the Web client can accept. Format: [ char-set-name, ] [ char-set-name, ] … Example: iso-8859-5, Shift_JIS
HTTP_ACCEPT_LANGUAGE: This variable lists the set of languages that the Web client prefers as a response.
-
Passing Input
Input is passed to CGI programs in these ways:
• “Command Line” (page 155): Arguments from the command line are placed into a variable argument list, and the argument counter is appropriately incremented.
• “Query Strings” (page 155): The CGI program receives data through the QUERY_STRING environment variable if AUTOMATIC_FORM_DECODING is turned off.
-
is information to be passed to the designated CGI program (cgi_script). The most common use of extra path information is to specify the relative path name of a data file. The iTP Secure WebServer stores the contents of extra_path_info in the PATH_INFO variable. Using the mapping information specified in the Filemap directive, the iTP Secure WebServer also translates the PATH_INFO path name and assigns the translated path name to the variable PATH_TRANSLATED.
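Because PATH_INFO is supplied by the Web client, a CGI program that uses it to name a data file should validate it first. The following is an added example, not code from this guide: it uses plain stdio rather than the guide's CGI library, and DATA_ROOT, segment_char_ok and resolve_extra_path are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DATA_ROOT "/usr/local/cgi-data" /* hypothetical root for this example */

/* Allow-list for one path segment: letters, digits, '.', '_' and '-'. */
static int segment_char_ok(char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
}

/* Write DATA_ROOT + path_info to out. Returns 0 on success, -1 if the extra
 * path is missing, malformed, too long, or would leave the data root. */
int resolve_extra_path(const char *path_info, char *out, size_t outlen)
{
    size_t seg_len = 0;
    const char *p;

    if (path_info == NULL || path_info[0] != '/' ||
        strlen(DATA_ROOT) + strlen(path_info) + 1 > outlen)
        return -1;
    for (p = path_info + 1; ; p++) {
        if (*p == '/' || *p == '\0') {
            const char *seg = p - seg_len;
            /* Reject empty segments ("//", trailing "/"), "." and "..". */
            if (seg_len == 0 || (seg_len == 1 && seg[0] == '.') ||
                (seg_len == 2 && seg[0] == '.' && seg[1] == '.'))
                return -1;
            if (*p == '\0')
                break;
            seg_len = 0;
        } else if (segment_char_ok(*p)) {
            seg_len++;
        } else {
            return -1; /* '\\', '%', spaces, control characters, ... */
        }
    }
    snprintf(out, outlen, "%s%s", DATA_ROOT, path_info);
    return 0;
}

int main(void)
{
    char file[512];
    if (resolve_extra_path(getenv("PATH_INFO"), file, sizeof file) != 0)
        printf("Status: 400 Bad Request\nContent-type: text/plain\n\nBad path\n");
    else
        printf("Content-type: text/plain\n\nWould open %s\n", file);
    return 0;
}
```

The allow-list rejects anything it does not recognize, so percent signs and backslashes fail closed instead of being decoded or normalized.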
-
http://www.faqs.org/rfcs/rfc822.html
• The response content
The response content is the actual object being returned to a Web client. For example, this content might consist of an HTML document, an image, or an audio file.
A simple example of output from a CGI program:
Content-type: text/html
Example output This is the HTML document generated by a CGI program.
-
Content-type: text/html
Clients ignore any headers they are unable to interpret.
Server Headers
Two headers (Location: and Status:) are used by CGI programs to pass information to the server rather than directly to the Web client. These headers cause the server to modify its response to the Web client.
Location Header
The Location: header instructs the server to redirect the Web client to another URL. This redirection consists of a specific URL the Web client should access in place of the original URL.
-
You control error logging by specifying an ErrorLog or ExtendedLog directive in the server configuration file (httpd.config). For further details about enabling error logging, see “Managing Log Files” (page 108).
CGI Standard File Environment
Although the UNIX and OSS environments have some internal differences, your CGI programs can use a standard file environment in familiar ways.
-
Table 21 CGI Procedures (continued)
Procedure: Description
and sets the value of the variable. CGI_Capture() might be called in lieu of placing the Region directive AddCGI AUTOMATIC_FORM_DECODING ON command in the server's configuration file.
CGI_feof(): This procedure is analogous to the feof() procedure in the C library: It tests for the end-of-file condition on a specified stream and returns a nonzero value if it encounters the end-of-file.
-
Table 21 CGI Procedures (continued)
Procedure: Description
Only a single alarm signal can be in effect for a process. If you need to implement a customized alarm function and still use the fflush timer, write an alarm signal handler that calls CGI_fflush() when appropriate.
CGI_getc(): This procedure gets a character from the CGI input stream.
-
Table 22 Sample cgilib.h File (continued)
int CGI_feof(FILE * stream);
int CGI_printf(const char *format, ...);
int CGI_getc(FILE * stream);
int CGI_puts(const char *buffer);
int CGI_main(int argc, char *argv[]);
void ErrorAbort(void);
void CGI_connection_abort(void);
void CGI_initialize(void);
void CGI_terminate(void);
int CGI_fflush(FILE * stream);
int CGI_set_fflush_timer(int seconds);
void CGI_Capture(void);
#endif /* CGILIB */
Design Guidelines
Most CGI programs do not clean up their environments.
-
Table 23 Sample Pathway CGI Program (continued) names as the name portion of the name value pair. In the second example the names of all decoded from are prefixed with the prefix "your_prefix_". Using the prefix option can be useful if you expect duplication of names on your form with default CGI parameters. */ #include #include #include #include #include #include #include
-
Table 23 Sample Pathway CGI Program (continued) if (Test_Count){ CGI_printf("
Printing %d test lines.
",Test_Count); for (i=1;i<=Test_Count;i++){ CGI_printf("Test Line %d ....|...10....|...20....|...30....|...40....|...50
",i); } } /* CASE=DEFAULT FALL THROUGH */ } else { CGI_printf("Unrecognized method '%s'.
-
8 Using NonStop Servlets for JavaServer Pages (NSJSP)
NonStop Servlets for JavaServer Pages (NSJSP) are platform-independent server-side programs that programmatically extend the functionality of Web-based applications by providing dynamic content from a Web server to a client browser over the HTTP protocol. NSJSP is an extension of the servlet functionality, primarily supplying a template of static content to be modified with dynamic content from a servlet or other programmable resource.
-
9 Using the Resource Locator Service (RLS)
The Resource Locator Service (RLS) is an optional feature that causes multiple Web servers to appear to users as a single server. For example, an iTP Secure WebServer on a NonStop system and a different Web server on a Windows NT platform could be used interchangeably for access to the same content. For a given request, RLS selects which Web server to use. The selection criteria are:
• Which Web server has demonstrated the best response time recently.
-
Defining the Server Class The RLS server class is called rmt.pway. As shown in “RLS Server Class Definition” (page 167), the httpd.config file provided with the iTP Secure WebServer defines the RLS server class as follows: Table 24 RLS Server Class Definition ############################################################### # Configure Resource Locator attributes # set rmt /bin/rmt/rmt.
-
The table has at least one row for each Web server RLS can contact. Each row includes these columns:
• Filename
• Ip_addr
• Port
• Tcpip
• No_Servers
• Relative_ID
Where:
Filename is the prefix (the first part of the URL path name) shared by a set of replicated Web servers. Its value identifies the root directory, or the alias name of the root directory for a Windows NT IIS Web server. This field cannot exceed 200 characters and cannot include wildcard characters.
-
insert into =dbaccess values ("/WEB","net.myco.com",80,"$ztc2",1,2);
insert into =dbaccess values ("/Images","net.myco.com",80,"$ztc2",1,1);
insert into =dbaccess values ("/samples","172.16.10.22",3366,"$ztc0",1,0);
insert into =dbaccess values ("/index.html","172.16.10.22",3366,"$ztc0",1,3);
insert into =dbaccess values ("/MlplSrvs","172.16.10.22",3376,"$ztc0",2,4);
insert into =dbaccess values ("/MlplSrvs","172.16.10.
-
10 Administering Session Identifiers for Anonymous Sessions
This section describes how to set up the iTP Secure WebServer to use Session Identifiers for anonymous ticketing.
-
Ticketing and Tracking Example
To understand how tracking works, consider the following example: A company called Universal Technology, Inc., has put all its marketing literature on the Web. Universal Technology does not want to limit access to these files, but it does want to know how many individuals are looking at each file. It also wants to know which links are accessed most frequently.
-
Figure 9 Using a Ticket
[Figure labels: Web Client, Internet, iTP Secure WebServer; URL Request with Ticket; Subsequent requests are sent with the same ticket ...so the resource is returned immediately; Requested Resource]
Again, the ticket is logged. Because the ticket contains a user ID that uniquely identifies the user, the company in this example can track and analyze a user's Web activity by generating reports based on the log file.
-
Enabling Anonymous Ticketing
After enabling ticketing, you also must enable anonymous ticketing by using the SI_Default directive and the -EnableAnonymousTicketing attribute. For example:
SI_Default -EnableAnonymousTicketing {0}
The number inside the braces (0 in this case) is a group ID. The group ID can be any integer between 0 and 255.
Initializing a Department
Every region that you want to track must be part of a department.
-
SI_RequireSI Engineering 0 }
Advanced Configuration Options
This subsection describes how to customize the use of tickets to meet a variety of needs, including:
• “Anonymous Ticketing Attributes” (page 174)
• “Setting the Anonymous Ticket Expiration Time” (page 175)
• “Browser Caching” (page 176)
• “How Proxy Servers Affect Ticketing” (page 176)
Anonymous Ticketing Attributes
You can use various ticketing attributes to control ticketing behavior, as outlined in Table 10-1: Table 25 Anonymous Ticket
-
You can specify the attributes listed in Table 25 (page 174) in one of these three ways:
• By Default Attributes
You can change the default value of any ticketing attribute shown in [Table 24 (page 167)], by using the SI_Default directive, which has this form:
SI_Default -attribute value [-attribute value] ...
For example, the directive
SI_Default -AnonymousTicketExpiration 7200
changes the validity period to 2 hours (7200 seconds).
-
The Session Identifier Specification 1.0 rounds expiration times to approximately 8.5 minute intervals. The range of expiration times is approximately 8.5 minutes (510 seconds) to 1 year (about 30 million seconds).
Browser Caching
Some browsers support caching mechanisms that the content server can use to prevent the loss of tickets. The cached information is called a cookie. You can specify whether you want your server to take advantage of these mechanisms whenever they are available.
-
from its own cache. Using tickets can reduce the problem considerably because each request can have a unique ticket embedded in it. So even though many users might request the same Web page, the presence of a unique ticket will make it appear to the proxy as though each request is unique. For example, user X's request might be http://www.acme.com/@@4RTgh67j8S23c5d3/info.html whereas user Y's request is http://www.acme.com/@@H9bF3f0Df36Gpp3Cd/info.
-
Dynamically Rewriting References
URL references can be either relative or absolute. Relative references specify the location of the resource relative to the base document. For example, consider the directory structure shown in “Relative and Absolute References” (page 178).
Figure 11 Relative and Absolute References
[Figure labels: www.acme.com, HTML_Docs, other_Docs, Graphics, index.html, picture.gif]
Relative Reference = “graphics/picture.gif” Absolute Reference = “/HTML_Docs/Graphics/picture.
-
Image references include: