Hi,
Web Proxy Server 4.0.12 was out on Oct 21, 2009.
It can be publicly downloaded at: http://tinyurl.com/yjkzlqfRelease Notes: http://docs.sun.com/app/docs/doc/821-0567
If you are using a prior version, please try it out and plan for an upgrade !
|
|
|
|
This has been out for some time. You can download it at
https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_SMI-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=SJWS-7.0U6-OTH-G-F@CDS-CDS_SMIdocs can be found at
|
|
|
|
|
|
|
|
|
|
|
|
If the security auditor asked you about the SSL certificate which is using MD5 as
Signature Algorithm, (e.g. http://www.kb.cert.org/vuls/id/836068 ) in web server 6.1SPx.
Then you can upgrade to 6.1SP11 which has default to SHA1 in CSR, e.g.
Signature Algorithm: sha1WithRSAEncryptionIf you cannot upgrade to 6.1SP11 now, then you can create a new CSR with SHA1 with certutil -Z option.
e.g. I did an example with -Z below for your reference,
apple:/export/home/iws6.1sp7> ./bin/https/admin/bin/certutil -R -s
"CN=hostname.domain.com,OU=Company,O=Company,L=Anytown,ST=New York,C=US" -a -o /tmp/testSHA1.csr -k rsa -g 2048 -v 12 -d
/export/home/iws6.1sp7/alias -P https-apple-apple- -Z SHA1(Note- you need to change -d and -P to match what you have there in
your site!)Enter Password or Pin for "NSS Certificate DB": <password to your
web server security DB>A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.To begin, type keys on the keyboard until this progress meter
is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!Continue typing until the progress meter is full:
|************************************************************|
Finished. Press enter to continue:
Generating key. This may take a few moments...
apple:/export/home/iws6.1sp7> ls -l /tmp/testSHA1.csr
-rw-rw---- 1 root other 1247 May 26 13:57
/tmp/testSHA1.csrapple:/export/home/iws6.1sp7> cat /tmp/testSHA1.csr
Certificate request generated by Netscape certutil
....
-----BEGIN NEW CERTIFICATE REQUEST-----
MIICxjCCAa4CAQAwgYAxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNl
...............OesYDTs6R/KTs6R9o/GX/07eAhMO7m+sBQhd4Q29WUu3mkWRqbVzn9CE
-----END NEW CERTIFICATE REQUEST-----
then goto
http://www.ssldirect.com/ssltools/decode/csr/decode_csr_certificate_signing_request.htmlto verify if this is SHA1 now,
......
Public Key Information
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Exponent: 65537 (0x10001)Attributes
None
CSR Signature
Signature Algorithm: sha1WithRSAEncryption
(see it is SHA1 , instead of MD5)If you do not add the -Z SHA1 at the end, then it will be
Signature Algorithm: md5WithRSAEncryption *** instead
Then you can submit this CSR (with SHA1) to a CA, e.g. Verisign to sign it.
After you install the new SSL certificate, you can see it ok.
e.g. I added the new SSL cert as "new dumpy cert1" below,
apple:/export/home/iws6.1sp7/alias> /export/home/iws6.1sp7/bin/https/admin/bin/certutil -L -d /export/home/iws6.1sp7/alias -P https-apple-apple-
1000year CT,,
myissuer Cu,Cu,Cu
Server-Cert u,u,u
new dumpy cert1 *** u,u,uthen I can examine the inside of this new SSL cert,
apple:/export/home/iws6.1sp7/alias> /export/home/iws6.1sp7/bin/https/admin/bin/certutil -L -n "new dumpy cert1" -d /export/home/iws6.1sp7/alias -P https-apple-apple-
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
00:a7:a9:fa:ed:f9:50:f7:7d
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
or
apple:/export/home/iws6.1sp7/alias> /export/home/iws6.1sp7/bin/https/admin/bin/certutil -L -n "new dumpy cert1" -d /export/home/iws6.1sp7/alias -P https-apple-apple- | grep -i SHA
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Fingerprint (SHA1):
see more at
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
If your security auditor said you need to disable the directory listing in your web 6.1SPx server, then you can do this in Admin GUI - Document Preferences - Directory Indexing - None. You can add an error response page too to send back when a request is asking for directory indexing.
The obj.conf will then look like below,
Service method="(GET|HEAD)" type="magnus-internal/directory" fn="send-error" path="/export/home/iws6.1sp9/docs/error.html"
then you can restart and take effect.
If you just comment out the default line below,
#Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"
Then the end-user will see a Method Not Allowed in the browser when they request a directory listing. They will not see the custom error page as above.
|
|
|
|
If you need to use 64-bit web 6.1 SP11, you can download it at
This will allow you to use much more in memory address space.
e.g. for a 32-bit process, the theoretical max. memory per process = 4 GB,
a pmap will show,
vm40:/wlee/bits/tmp-web7.0u5> pmap 16908 | more
16908: webservd -d /wlee/7.0u4/run/https-vm40.singapore.sun.com/config -r /wl
00010000 8K r-x-- /wlee/7.0u4/run/lib/webservd
00020000 8K rwx-- /wlee/7.0u4/run/lib/webservd
00022000 56K rwx-- [ heap ]
00030000 3904K rwx-- [ heap ]
00400000 167936K rwx-- [ heap ]
DB87A000 8K rwx-R [ stack tid=285 ]
......(note the above address = 8 * 4-byte each = 32-bit address)
but if we are running 64-bit, then the pmap will show,
vm40:/wlee> pmap 3799 | more
3799: webservd -d /wlee/7.0u5-64/https-vm40.singapore.sun.com/config -r /wle
0000000100000000 8K r-x-- /wlee/7.0u5-64/lib/sparcv9/webservd
0000000100100000 8K rwx-- /wlee/7.0u5-64/lib/sparcv9/webservd
0000000100102000 56K rwx-- [ heap ]
0000000100110000 3008K rwx-- [ heap ]
0000000100400000 217088K rwx-- [ heap ]
FFFFFFFF3FCFA000 8K rw--R [ stack tid=284 ]
......(note the above address = 16 * 4-byte each = 64-bit address), so the theoretical max. memory per process = 16 TB, but of course limited by other factors, e.g. physical RAM and swap space, etc.
If you need more memory for your web server process (assume you do not have any memory leaks in your application, etc), then one option is to run 64-bit process.
Hi,
I just got the news that
Reverse Proxy Plug-in 1.0.2 is
released for Sun Java System WebServer 6.1 SP11 is out , please try it at
https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_SMI-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=SJWS-6.1SP11-RPAddOn1.0.2-G-F@CDS-CDS_SMI
The Release Notes are here: http://docs.sun.com/app/docs/doc/820-7660
This new version of proxy server was out on 5/5/2009. FYI.
It can be publicly downloaded at:
https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_SMI-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=SJPrxySrv-4.0.10-OTH-G-F@CDS-CDS_SMI
Release Notes:
http://docs.sun.com/app/docs/doc/820-7445
This has fixed different known issues and so good to try it.
|
|
|
|
I just got the internal news that this latest version is released.
Download :
Release notes :
http://docs.sun.com/app/docs/doc/820-7659
Please try it out.
|
|
|
|
Web 7.0u5 is out now. From the email from our staff,
"
It can be publicly downloaded at:
https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_SMI-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=SJWS-7.0U5-OTH-G-F@CDS-CDS_SMIThe Release Notes are here:
http://wikis.sun.com/display/WebServerdocs/Release+Notes
In addition to customer escalation & other bug fixes (>50) this release also contains important bug-fixes related to performance
enhancement.
http://wikis.sun.com/display/WebServerdocs/Release+Notes#ReleaseNotes-IssuesResolvedinWebServer7.0Update5
All users of Web Server 7.0 through Web Server 7.0 Update 4 are encourage to upgrade.
"
So, please try it.
|
|
|
|
I just got an email about this new version of Proxy 3.6.
However, please plan for an upgrade to Proxy 4.0 (SP9 is the latest now as of Feb , 2009).
email from our Sustaining manager,
"
Proxy Server 3.6 SP12 has been released:
https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_SMI-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=SJPrxySrv-3.6SP12-OTH-G-F@CDS-CDS_SMI
This URL is publicly accessible and can be given to customers waiting for it.
Release Notes:: Unix Platform:: http://docs.sun.com/source/820-5882/
Release Notes:: Windows Platform:: http://docs.sun.com/source/820-5883/
"
Walter
|
|
|
|
Sometimes, if you like/need to disable other methods which you do not need in web 6.1SPx, then you can add this into default object inside obj.conf,
in 6.1 web, you need to add<Client method=("INDEX"|"OPTIONS"|"DELETE"|"PUT"|"MOVE"|"TRACE"|"INDEX"|"MKDIR"|"RMDIR")>
AuthTrans fn="set-variable" remove-headers="transfer-encoding"
set-headers="content-length: -1" error="501"
</Client>
(NOTE - all in ONE single line for <Client method ...> and AuthTrans... above!
You saw wrapping above because of formatting in tools/browsers !)
as below :
apple:/export/home/iws6.1sp10/https-methods/config> cat obj.conf
# You can edit this file, but comments and formatting changes
# might be lost when the admin server makes changes.
<Object name="default">
AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
<Client method=("INDEX"|"OPTIONS"|"DELETE"|"PUT"|"MOVE"|"TRACE"|"INDEX"|"MKDIR"|"RMDIR")>
AuthTrans fn="set-variable" remove-headers="transfer-encoding"
set-headers="content-length: -1" error="501"
</Client>
....
then restart and will work ok.
2. tests:
a. INDEX :
apple:/export/home/iws6.1sp10/https-methods/config> telnet apple 60106
Trying 129.158.175.16...
Connected to apple.
Escape character is '^]'.
INDEX / HTTP/1.1
Host: apple
HTTP/1.1 501 Not Implemented
Server: Sun-ONE-Web-Server/6.1
Date: Fri, 16 Jan 2009 05:56:34 GMT
Content-length: 148
Content-type: text/html
Connection: close
<HTML><HEAD><TITLE>Not Implemented</TITLE></HEAD>
<BODY><H1>Not Implemented</H1>
This server does not implement the requested method.
</BODY></HTML>Connection closed by foreign host.
b. OPTIONS :
apple:/export/home/iws6.1sp10/https-methods/config> telnet apple 60106
Trying 129.158.175.16...
Connected to apple.
Escape character is '^]'.
OPTIONS /banner.html HTTP/1.1
Host: apple
HTTP/1.1 501 Not Implemented
Server: Sun-ONE-Web-Server/6.1
Date: Fri, 16 Jan 2009 05:56:58 GMT
Content-length: 148
Content-type: text/html
Connection: close
<HTML><HEAD><TITLE>Not Implemented</TITLE></HEAD>
<BODY><H1>Not Implemented</H1>
This server does not implement the requested method.
</BODY></HTML>Connection closed by foreign host.
apple:/export/home/iws6.1sp10/https-methods/config>
c. TRACE method:
apple:/export/home/iws6.1sp10/https-methods/config> telnet apple 60106
Trying 129.158.175.16...
Connected to apple.
Escape character is '^]'.
TRACE /index.html HTTP/1.1
Host: apple
X-header: test
HTTP/1.1 501 Not Implemented
Server: Sun-ONE-Web-Server/6.1
Date: Fri, 16 Jan 2009 05:57:32 GMT
Content-length: 148
Content-type: text/html
Connection: close
<HTML><HEAD><TITLE>Not Implemented</TITLE></HEAD>
<BODY><H1>Not Implemented</H1>
This server does not implement the requested method.
</BODY></HTML>Connection closed by foreign host.
apple:/export/home/iws6.1sp10/https-methods/config>
3. Some may like to set up ACL, but there is still a chance for hackers to use above methods
if they discover the ACL uid/password.
So, if the above methods are not needed, then better disable them as above.
4. you can see a list of methods at
http://www.ietf.org/rfc/rfc2616.txt
e.g. section 9 Method Definitions
|
|
|
|
Hi,
I just found that we have
Sun Java System Web Proxy Server 4.0.9 available now at:
docs can be found at:
http://docs.sun.com/app/docs/coll/1311.9?l=en
For patch versions, it is below:
1. Solaris: 120981-16
Sun Java System Web Proxy Server 4.0.9, Solaris (SVR4 patch): Maintenance Release Patch
2. x86: 120982-16
Sun Java System Web Proxy Server 4.0.9, _x86 (SVR4 patch): Maintenance Release Patch
3. Redhat: 120983-16
Sun Java System Web Proxy Server 4.0.9 RHEL3.0 :Maintenance Release Patch
|
|
|
|
Sometimes, you like to get perfdump (/.perf) from web or proxy servers, but the RPP or AM agent may prevent you from doing this. So, you can try below:
1. follow the steps of perfdump at
http://docs.sun.com/app/docs/doc/820-5719/abyaq?l=en&a=view&q=perfdump
2. if you got RPP in your web server, then
<Client match="none" uri="/.perf">
NameTrans fn="map" from="/" name="reverse-proxy-/" to="http:/"
</Client>
then both perf dump and rpp will work ok.
The above will map rpp if uri not equal to /.perf, and will skip rpp
if uri is /.perf
So, both requests to rpp and .perf will work ok.
3. if you got AM agent in your proxy server, then
................
NameTrans fn="assign-name" name="stats-xml" from="(/stats-xml|/stats-xml/.*)"
NameTrans fn="assign-name" name="statistics" from="/.abc/.statistics"
................
PathCheck fn="url-check"
<Client match="none" uri="/.abc(/.*|)">
PathCheck fn="validate_session_policy"
</Client>
Service fn="deny-service"
AddLog fn="flex-log" name="access"
</Object>
.........
<Object name="stats-xml">
Service fn="stats-xml"
</Object>
<Object name="statistics">
Service fn="service-dump"
</Object>
then a request to get the statistics will work ok without the AM agent Path Check .
|
|
|
|
.perf /var 4.0.10 4.0.8 4.0.9 500 6.1 7 7.0 alerts andrii backup certificate client close_wait collection data database deny-existence directory disable enabled example expires faq file gdd give gui hang header headers hung ie include innodb installation jes lecture log md5 memory migrate mismatch mysql never opensource out pack package package-based painting password pausch perfdump pk12util pkg_app pkgapp plugin promise proxy redirect release restore reverse rewrite-host rpp script scripts security server servers service set-variable single solais source sp10 sp11 sp12 ssl ssl_dump stacks startup status sun tag transplant troubleshooting ulimit upgrade upload version vulnerability web wiki written wshang wshang.ksh xss
This theme brought to you by the Sun Green Team.
Go Green!