Chapter 3 Setting Administration Preferences
You can configure your Netscape Enterprise Server Administration Server using the pages on the Preferences and Global Settings tabs. Note that you must enable cookies and JavaScript in your browser to configure your server.
This chapter includes the following sections:
- Shutting Down the Enterprise Server Administration Server
- Editing Listen Socket Settings
- Changing the User Account (UNIX/Linux)
- Changing the Superuser Settings
- Allowing Multiple Administrators
- Specifying Log File Options
- Configuring Directory Services
- Restricting Server Access
- Configuring JRE/JDK Paths
Shutting Down the Enterprise Server Administration Server
Once the server is installed, it runs constantly, listening for and accepting HTTP requests. You might want to stop and restart your server if, for instance, you have just installed a Java Development Kit (JDK) or Netscape Directory Server, or if you have changed listen socket settings.
You can stop the server using one of the following methods:
- Access the Administration Server, choose the Preferences tab, select the Shut Down link, and click the "Shut down the administration server!" button. For more information, see The Shut Down Page in the online help.
- Use the Services window in the Control Panel (Windows NT/Windows 2000).
- Use stop, which shuts down the server completely, interrupting service until it is restarted.
After you shut down the server, it may take several seconds for the server to complete its shut-down process and for the status to change to "Off."
Editing Listen Socket Settings
Before the server can process a request, it must accept the request via a listen socket, then direct the request to the correct connection group and virtual server. When you install Enterprise Server, one listen socket, ls1, is created automatically. This listen socket uses the IP address 0.0.0.0 (equivalent to any address the machine is configured to) and the port number you specified as your HTTP server port number during installation. (The default is 8888.) You cannot delete the default listen socket.
You can edit your server's listen socket settings using the Administration Server's Listen Sockets Table. To access the table, perform the following steps:
- Access the Enterprise Server Administration Server and click the Preferences tab.
- Click the Edit Listen Sockets link.
- Make the desired changes and click OK.
For more information, see Chapter 11 "Using Virtual Servers" and the online help for The Edit Listen Sockets Page.
Changing the User Account (UNIX/Linux)
The Server Settings page allows you to change the user account for your web server on UNIX and Linux machines. All the server's processes run as this user.
You do not need to specify a server user if you chose a port number greater than 1024 and are not running as the root user (in this case, you do not need to be logged on as root to start the server). If you do not specify a user account here, the server runs with the user account you start it with. Make sure that when you start the server, you use the correct user account.
If you do not know how to create a new user on your system, contact your system administrator or consult your system documentation.
Even if you start the server as root, you should not run the server as root all the time. You want the server to have restricted access to your system resources and run as a non-privileged user. The user name you enter as the server user should already exist as a normal UNIX/Linux user account. After the server starts, it runs as this user.
If you want to avoid creating a new user account, you can choose the user nobody or an account used by another HTTP server running on the same host. On some systems, however, the user nobody can own files but not run programs.
To access the Server Settings page, perform the following steps:
- Access the Administration Server and choose the Preferences tab.
- Click the Server Settings link.
- Make the desired changes and click OK.
Changing the Superuser Settings
You can configure superuser access for your Administration Server. These settings affect only the superuser account. That is, if your Administration Server uses distributed administration, you need to set up additional access controls for the administrators you allow.
To change the superuser settings for the Administration Server, perform the following steps:
- Access the Administration Server and choose the Preferences tab.
- Click the Superuser Access Control link.
- Make the desired changes and click OK.
The superuser's user name and password are kept in a file called server_root/https-admserv/config/admpw. If you forget the user name, you can view this file to obtain the actual name; however, note that the password is encrypted and unreadable. The file has the format username:password. If you forget the password, you can edit the admpw file and simply delete the encrypted password. You can then go to the Server Manager forms and specify a new password.
Because you can edit the admpw file, it is very important that you keep the server computer in a secure place and restrict access to its file system:
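One way to check an admpw file against the points above, as an added example that is not part of the original guide: it flags group/other permission bits, a line that is not in username:password form, and an empty password field. The function name, finding labels and sample contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an Administration Server admpw file (username:password).
# Findings are printed one per line; status 0 = clean, 1 = findings, 2 = missing.
audit_admpw() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "missing: $f is not a regular file"
        return 2
    fi
    out=$(
        # Characters 5-10 of the ls mode string are the group and other bits.
        mode=$(ls -ld "$f" | cut -c5-10)
        [ "$mode" = "------" ] || echo "perm: group/other bits set ($mode)"
        awk -F: '
            NR == 1 && NF < 2              { print "format: first line is not username:password" }
            NR == 1 && NF >= 2 && $1 == "" { print "format: empty user name" }
            # An empty password field is the reset state the guide describes: a new
            # password can then be specified from the Server Manager forms.
            NR == 1 && NF >= 2 && $2 == "" { print "empty-password: password field cleared" }
            NR > 1 && $0 != ""             { extra = 1 }
            END {
                if (NR == 0) print "format: file is empty"
                if (extra)   print "format: unexpected extra lines"
            }' "$f"
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Demo on constructed files (the hash value is a placeholder, not a real one).
demo_dir=$(mktemp -d)
printf 'admin:CONSTRUCTED_HASH_PLACEHOLDER\n' > "$demo_dir/admpw.ok"
chmod 600 "$demo_dir/admpw.ok"
printf 'admin:\n' > "$demo_dir/admpw.cleared"
chmod 644 "$demo_dir/admpw.cleared"
for sample in "$demo_dir/admpw.ok" "$demo_dir/admpw.cleared"; do
    if audit_admpw "$sample"; then echo "$sample: clean"; else echo "$sample: needs attention"; fi
done
rm -rf "$demo_dir"
```

Run it against server_root/https-admserv/config/admpw from a scheduled job; an empty-password finding outside a planned reset deserves immediate follow-up.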
Allowing Multiple Administrators
Multiple administrators can change specific parts of the server through distributed administration. With distributed administration you have three levels of users:
- superuser is the user listed in the file server_root/https-admserv/config/admpw. This is the user name (and password) you specified during installation. This user has full access to all forms in the Administration Server, except the Users & Groups forms, which depend on the superuser having a valid account in an LDAP server such as Directory Server.
- administrators go directly to the Server Manager forms for a specific server, including the Administration Server. The forms they see depend on the access control rules set up for them (usually done by the superuser). Administrators can perform limited administrative tasks and can make changes that affect other users, such as adding users or changing access control.
- end users can view read-only data stored in the database. Additionally, end users may be granted access permissions to change only specific data.
For an in-depth discussion of access control for Enterprise Server, see "What Is Access Control?".
To enable distributed administration, perform the following steps:
- Verify that you have installed a Directory Server.
- Access the Administration Server.
- Once you've installed a Directory Server, you may also need to create an administration group, if you have not previously done so. To create a group, perform the following steps:
  - Choose the Users & Groups tab.
  - Click the New Group link.
  - Create an "administrators" group in the LDAP directory and add the names of the users you want to have permission to configure the Administration Server, or any of the servers installed in its server root. All users in the "administrators" group have full access to the Administration Server, but you can use access control to limit the servers and forms they will be allowed to configure.
- Choose the Preferences tab.
- Click the Distributed Admin link.
- Make the desired changes and click OK.
For more information, see The Distributed Administration Page in the online help.
Specifying Log File Options
The Enterprise Server Administration Server log files record data about the server, including the types of errors encountered and information about server access. Viewing these logs allows you to monitor server activity and troubleshoot problems by providing data like the type of error encountered and the time certain files were accessed.
You can specify the type and format of the data recorded in the Enterprise Server Administration Server logs using the Log Preferences page. For instance, you can choose to log data about every client who accesses the Administration Server or you can omit certain clients from the log. In addition, you can choose the Common Logfile Format, which provides a fixed amount of information about the server, or you can create a custom log file format that better suits your requirements.
Access the Administration Server Log Preferences page by choosing the Preferences tab, then clicking the Logging Options link.
For more information, see The Logging Options Page in the online help, and Chapter 9 "Using Log Files."
The Administration Server log files are located in server_root/https-admserv/admin/logs. For example, on Windows NT/Windows 2000, the path to your log files might look like c:\Netscape\server6\https-admserv\logs. You can view both the error log and the access log through the Enterprise Server Administration Server console or using a text editor.
The access log records information about requests to and responses from the server.
To view the access log file, perform the following steps:
- Access the Enterprise Server Administration Server and choose the Preferences tab.
- Click the View Access Log link and click OK.
For more information, see The View Error Log Page in the online help and "Using Log Files."
The error log lists all the errors the server has encountered since the log file was created. It also contains informational messages about the server, such as when the server was started and who tried unsuccessfully to log in to the server.
To view the error log file, perform the following steps:
- Access the Enterprise Server Administration Server and choose the Preferences tab.
- Click the View Error Log link and click OK.
For more information, see The View Access Log Page in the online help, and "Using Log Files."
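The access log described above can also be scanned from the command line for repeated authentication failures. The following is an added example, not part of the original guide; it assumes the log uses the Common Logfile Format, and the function name, sample addresses and request paths are constructed. In HTTP authentication a client's first request is typically answered with 401 before credentials are sent, so a threshold above one avoids flagging ordinary logins.

```shell
#!/bin/sh
# Added example: list clients with repeated 401 responses in a Common Logfile
# Format access log. Usage: failed_auth_clients LOGFILE MIN_COUNT
failed_auth_clients() {
    awk -F'"' -v min="$2" '
        # CLF: host ident user [date] "request" status bytes
        # Splitting on the quotes keeps a request containing spaces in one field;
        # the text after the last quote holds the status code and byte count.
        NF >= 3 {
            split($1, pre, " ")       # pre[1] = client host
            split($NF, post, " ")     # post[1] = status code
            if (post[1] == "401") fails[pre[1]]++
        }
        END {
            for (h in fails)
                if (fails[h] >= min) print h, fails[h]
        }' "$1" | sort
}

# Demo on constructed log lines (documentation address ranges, made-up paths).
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
192.0.2.10 - - [02/Aug/2002:10:00:01 -0700] "GET /constructed/admin HTTP/1.0" 401 223
192.0.2.10 - admin [02/Aug/2002:10:00:05 -0700] "GET /constructed/admin HTTP/1.0" 200 4120
198.51.100.7 - - [02/Aug/2002:10:02:11 -0700] "GET /constructed/admin HTTP/1.0" 401 223
198.51.100.7 - - [02/Aug/2002:10:02:12 -0700] "GET /constructed/admin HTTP/1.0" 401 223
198.51.100.7 - - [02/Aug/2002:10:02:13 -0700] "GET /constructed/admin HTTP/1.0" 401 223
this line is not in Common Logfile Format and is skipped
EOF
echo "clients with 3 or more 401 responses:"
failed_auth_clients "$sample_log" 3
rm -f "$sample_log"
```

A custom log format that adds further quoted fields after the status code would need the field positions adjusted.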
You can set up your log files to be automatically archived. At a certain time, or after a specified interval, Enterprise Server rotates your access logs. Enterprise Server saves the old log files and gives each saved file a name that includes the date and time it was saved.
Access log rotation is initialized at server startup. If rotation is turned on, Enterprise Server creates a time-stamped access log file and rotation starts at server startup.
Once the rotation starts, Enterprise Server creates a new time-stamped access log file when a request that needs to be logged to the access log file arrives after the previously scheduled "next rotate time."
Using Cron-based Log Rotation (UNIX/Linux)
You can configure several features of your Enterprise Server to operate automatically and to begin at specific times. The cron daemon checks the computer clock and then spawns processes at certain times. (These settings are stored in the ns-cron.conf file.)
This cron daemon controls scheduled tasks for your Enterprise Server and can be activated and deactivated from the Administration Server. The tasks performed by the cron process depend on the various servers. (Note that on Windows NT and Windows 2000 platforms, the scheduling occurs within the individual servers.)
Some of the tasks that can be controlled by cron daemons include scheduling collection maintenance and archiving log files. You need to restart cron control whenever you change the settings for scheduled tasks.
To restart, start, or stop cron control, perform the following steps:
- Access the Enterprise Server Administration Server and choose the Global Settings tab.
- Click the Cron Control link.
- Click Restart, Start, or Stop to change the cron controls.
Note that any time you add a task to cron, you need to restart the daemon.
Configuring Directory Services
You can store and manage information such as the names and passwords of your users in a single Directory Server using an open-systems server protocol called the Lightweight Directory Access Protocol (LDAP). You can also configure the server to allow your users to retrieve directory information from multiple, easily accessible network locations.
To configure the directory services preferences, perform the following steps:
- Access the Enterprise Server Administration Server and choose the Global Settings tab.
- Click the Configure Directory Service link.
- Make the desired changes and click OK.
For more information, see The Configure Directory Service Page in the online help.
Restricting Server Access
You can control access to the entire server or to parts of the server (that is, directories, files, file types). When the server evaluates an incoming request, it determines access based on a hierarchy of rules called access-control entries (ACEs), and then it uses the matching entries to determine if the request is allowed or denied. Each ACE specifies whether or not the server should continue to the next ACE in the hierarchy. The collection of ACEs is called an access-control list (ACL). When a request comes in, the server determines access by checking vsclass.obj.conf (where vsclass is the virtual server class name) for a reference to an appropriate ACL. By default, the server has one ACL file that contains multiple ACLs.
You can set access control globally for all servers through the Enterprise Server Administration Server or for a resource within a specific server instance through the Server Manager. For more information about setting access control for a resource, see "Setting Access Control".
You must turn on distributed administration before you can restrict server access for the Enterprise Server Administration Server.
To restrict access to your Enterprise Server Administration Server, perform the following steps:
- Access the Enterprise Server Administration Server and choose the Global Settings tab.
- Click the Restrict Access link.
- Select the desired server and click Edit ACL. The Enterprise Server Administration Server displays the access control rules for the server you specified.
- Make the desired access control changes and click OK.
For more information, see The Restrict Access Page in the online help.
Configuring JRE/JDK Paths
When you install Enterprise Server, you can choose to install the Java Runtime Environment (JRE), which is bundled with Enterprise Server. You can also specify a path to the Java Development Kit (JDK), which you must install separately. See the Netscape Enterprise Server Installation and Migration Guide for more information.
Regardless of whether you choose to install the JRE or specify a path to the JDK during installation, you can tell the Enterprise Server to switch to using either the JRE or JDK at any time by performing the following steps:
- Access the Enterprise Server Administration Server.
- Select the Global Settings tab.
- Click the Configure JRE/JDK Paths link. The Configure JRE/JDK Paths page appears.
- Click the radio button corresponding to the feature to enable. For instance, click JDK to supply the path to the Java Development Kit installed on your machine.
- Enter the appropriate information and click OK. You must restart your server for changes to become effective.
See The Configure JRE/JDK Paths Page in the online help for more information.
© 2001 Sun Microsystems, Inc. Portions copyright 1999, 2002 Netscape Communications Corporation. All rights reserved.
Last Updated August 02, 2002