Oracle® Database Installation Guide
10g Release 2 (10.2) for hp OpenVMS

Part Number B25414-02

H Apache Server Installation and Configuration

This appendix lists the procedure and steps to install and configure Apache Server for OpenVMS. The following topics are included:

H.1 Postinstallation Checklist

After you configure Oracle HTTP Server for OpenVMS, perform the following tasks to ensure a successful startup:

Each of these tasks is explained in the following sections. Once you have completed these, you can test the installation by starting Oracle HTTP Server.

H.1.1 Running AUTOGEN

After the installation, when you have a normal system workload running on your machine, run SYS$UPDATE:AUTOGEN.COM (AUTOGEN) to evaluate the system parameters and make adjustments based on the hardware configuration and system workload. On Oracle HTTP Server, AUTOGEN will probably increase the page file size and the number of swap file pages.

H.1.2 Check Disk Quota

If the disk quota is too low, then Oracle HTTP Server will not start. Either raise the disk quota for the Oracle Database account or grant the account the EXQUOTA privilege, which enables it to bypass disk quota restrictions. Use the following commands:

$ SHOW QUOTA/USER=[server-uic]/DISK=device_name
$ SET PROCESS/PRIVILEGES=EXQUOTA node-name::ORACLE

H.1.3 Checking for SET TERMINAL/INQUIRE

When Oracle HTTP Server for OpenVMS is started, the following login files are run:

  • SYS$MANAGER:SYLOGIN.COM

  • LOGIN.COM (login for the Oracle Database account)

Check these files to ensure that any SET TERMINAL/INQUIRE statements are processed only in the INTERACTIVE mode. For example:

$ IF F$MODE() .EQS. "INTERACTIVE" THEN $ SET TERMINAL/INQUIRE

If you do not check for this, then the HTML that is sent to clients may not be well-formed and may be sent in an intermittent fashion. This problem may also appear when running CGI scripts.
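The following command procedure is an added example, not part of the Oracle or HP kit. It lists SET TERMINAL/INQUIRE commands in the two login procedures that have no F$MODE() test on the same line. The procedure name CHECK_INQUIRE.COM, the symbol names, and the assumption that it is run from the server account (so that SYS$LOGIN points to that account's LOGIN.COM) are this example's own.

```dcl
$! CHECK_INQUIRE.COM - added example, not part of the Oracle or HP kit.
$! Run from the server account so that SYS$LOGIN is that account's directory.
$ files = "SYS$MANAGER:SYLOGIN.COM,SYS$LOGIN:LOGIN.COM"
$ hits = 0
$ n = 0
$next_file:
$ file = F$ELEMENT(n, ",", files)
$ n = n + 1
$! F$ELEMENT returns the delimiter when the list is exhausted
$ IF file .EQS. "," THEN GOTO report
$ OPEN/READ/ERROR=open_failed login_file 'file'
$ lineno = 0
$next_line:
$ READ/END_OF_FILE=close_file login_file line
$ lineno = lineno + 1
$! Upcase, strip comments, and squeeze blanks before matching
$ text = F$EDIT(line, "UPCASE,UNCOMMENT,COMPRESS")
$ len = F$LENGTH(text)
$! DCL accepts abbreviations, so match SET TERM.../INQ... rather than full words
$ IF F$LOCATE("SET TERM", text) .EQ. len THEN GOTO next_line
$ IF F$LOCATE("/INQ", text) .EQ. len THEN GOTO next_line
$! A same-line F$MODE() test is treated as a guard
$ IF F$LOCATE("F$MODE", text) .NE. len THEN GOTO next_line
$ WRITE SYS$OUTPUT file, " line ", lineno, ": ", line
$ hits = hits + 1
$ GOTO next_line
$close_file:
$ CLOSE login_file
$ GOTO next_file
$open_failed:
$ WRITE SYS$OUTPUT "Cannot open ", file
$ GOTO next_file
$report:
$ WRITE SYS$OUTPUT hits, " SET TERMINAL/INQUIRE command(s) without a same-line F$MODE() test"
$ EXIT
```

A command that is guarded by an IF/THEN/ENDIF block or a GOTO on an earlier line is still listed, so review each reported line by hand.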

H.2 Test the Installation

You must manually start Oracle HTTP Server to verify the installation and configuration of the server. Enter the following command:

$ APACHECTL START

Perform the following tasks to test the installation:

H.2.1 Browser Test

You can test the installation using a Web browser. Replace host.domain in the following URL with the corresponding information about Oracle HTTP Server that you installed:

HTTP://host.domain:port

If this is a new installation, then the browser should display the standard introductory screen with the following bold text at the top:

"Welcome to Oracle HTTP Server."

The Apache logo is displayed at the bottom.

H.2.2 Troubleshooting

If you do not receive a response from Oracle HTTP Server, check the following:

  • In the SYS$MANAGER:SYLOGIN.COM file, ensure that there is no SET TERMINAL/INQUIRE statement for network processes.

  • Look for the following files:

    APACHE$ROOT:[000000]APACHE$SERVER.LOG
    APACHE$ROOT:[LOGS]ERROR_LOG
    

H.3 Running Oracle HTTP Server on OpenVMS

The default port for Oracle HTTP Server is port 7777. If this port is already in use by another application, or if you would like to use a different port, then modify the HTTPD.CONF file, located in the ORA_ROOT:[APACHE.APACHE.SPECIFIC.host.CONF] directory, to specify a different port number.

The following subsections describe the process of running Oracle HTTP Server:

H.3.1 Starting and Stopping the Server

To start Oracle HTTP Server, enter the following command:

$ APACHECTL STARTUP

To stop Oracle HTTP Server, enter the following command:

$ APACHECTL STOP

H.3.2 Server Log File

The server log file for APACHE$WWW is written to:

APACHE$SPECIFIC:[000000]APACHE$SERVER.LOG

H.3.2.1 Performance Considerations

You should have prior experience in tuning the performance of the OpenVMS operating system. For information about OpenVMS performance, refer to the OpenVMS system documentation.

Recommendations for improving performance on Oracle HTTP Server are provided in this appendix and the Release Notes.

H.3.2.2 Limits and Quotas for Light to Moderate Load

Table H-1 shows sample values for the Oracle Database account from a working and exercised Oracle HTTP Server with a light to moderate load. These values are presented as an example of a system performing well within its context.

If you should experience performance difficulties, refer to this table for guidelines about making adjustments. Remember that no one set of values will be appropriate for all situations.

Table H-1 Sample Values for the oracle account

| Parameter | Default | Sample value for Oracle HTTP Server |
|---|---|---|
| ASTLM (NonPooled): Total number of asynchronous system trap (AST) operations and scheduled wake-up requests the user can have queued at one time | 250 | 610, or BIOLM + DIOLM + 10 |
| BIOLM (NonPooled): Number of outstanding buffered I/O operations permitted for a user process | 150 | 300. You may also need to increase the SYSGEN parameter CHANNELCNT because it limits BIOLM, DIOLM, and FILLM. |
| BYTLM (Pooled): Amount of buffer space a user process can use | 64000 | 200000. Increase this value for a heavy load. |
| CHANNELCNT | 256 | 256. CHANNELCNT must be greater than or equal to FILLM. |
| DIOLM (NonPooled): Number of outstanding direct I/O operations permitted for a user process | 150 | 300. You may also need to increase the SYSGEN parameter CHANNELCNT because it limits BIOLM, DIOLM, and FILLM. |
| ENQLM (Pooled): Specifies the lock queue limit | 2000 | 2000 |
| FILLM (Pooled): Number of files a user process can have open at one time. This includes the number of network logical links that can be active at the same time. | 100 | 300. Increase this value for a heavy load. You may also need to increase the SYSGEN parameter CHANNELCNT because it limits BIOLM, DIOLM, and FILLM. |
| JTQUOTA (Pooled): Byte quota for the job-wide logical name table | 4096 | 8192 |
| PGFLQUO (Pooled): Number of pages the user process can use in the system page file | 50000 | 250000. If you increase PGFLQUO, then you should monitor the free size of the system page and swap files, because these may need to be increased. |
| PRCLM (Pooled): Number of subprocesses a user process can create | 8 | 20. You should increase this value for a heavy load. |
| TQELM (Pooled): Number of entries a user process can have in the timer queue or the number of temporary common event flag clusters a user process can have | 10 | 610, or BIOLM + DIOLM + 10 |


H.3.2.3 Server with Medium to High Load

After you install the server and run it, look in the log file for errors of the "cannot open" type. Errors of this type often indicate that you need to modify system parameters. Try the following:

  • Set FILLM to limit the number of files that a user process can have open.

  • Set the SYSGEN parameter, CHANNELCNT, to 1024 (unless it is already set to a higher value).

    Note:

    Whenever you change system parameters, you must restart the system to enable the new settings.

H.3.2.4 Excessive File Build Up

A large number of .LOG and .PID files can amass over time in the APACHE$ROOT:[000000] and APACHE$ROOT:[LOGS] directories. Purging these files can become a burden on application or system managers. System managers should manually use explicit SET DIRECTORY/VERSION commands on these two directories.

H.3.3 Customizing the Server Environment

The installation procedure creates a file named HTTPD.CONF and places it in APACHE$ROOT:[CONF]. The HTTPD.CONF file stores information that Oracle HTTP Server uses to set up the server environment. The HTTPD.CONF file has been tailored to use OpenVMS syntax, but its overall functionality is essentially identical to httpd.conf on the UNIX platform.

The HTTPD.CONF file contains an explanation for each line that it can process. You can refer to these explanations when customizing the file for your environment. You can also refer to any generally available Apache documentation on HTTPD.CONF.

Note the following about HTTPD.CONF on OpenVMS:

  • MOD_OSUSCRIPT has been added to enable CGI scripts that were originally written for the OSU server.

  • UNIX-style path names are recognized by OpenVMS. You can use either UNIX-style or OpenVMS-style path names in the configuration file. However, you cannot mix the two styles within a specification.

  • In an OpenVMS Cluster, you can specify either clusterwide or system-specific files.

H.3.4 How to Configure Apache

Perform the following steps to configure Apache to run while using an account other than the Oracle Database account:

  1. Modify the HTTPD.CONF file to include the following line:

    User username
    
    
  2. Modify APACHEUSER.COM to set the logical APACHE_USERNAME to the required user name. Ensure that the user name is exactly the same as the entry in the HTTPD.CONF file.

  3. Restart the Apache Server if it is already running.

H.3.5 Modules and Directives

The Oracle HTTP Server provides the modules and directives that are provided by the HP Secure Web Server for OpenVMS (based on Apache), Version 1.3-1. Please refer to the HP documentation for that product for more information. All supported modules and directives function as documented by the Apache Software Foundation at:

http://www.apache.org/docs

H.3.6 Supported and Unsupported Features

Information about running Oracle HTTP Server that is specific to running the server on OpenVMS is provided in the following sections.

See Also:

For more information about the Apache server, refer to the Apache Software Foundation Web site at

http://www.apache.org/docs/

H.3.6.1 Modules Not Included

The following modules are not included in this version of Oracle HTTP Server:

  • MOD_OSNINT

  • MOD_OSSL

  • MOD_PERL

  • MOD_PHP

  • MOD_PROXY

H.3.6.2 Unsupported Directives

For information about directives that are not supported, refer to the HP documentation for the product HP Secure Web Server for OpenVMS (based on Apache), Version 1.3-1.

  • AgentLog

  • AllowCONNECT

  • Anonymous

  • Anonymous_Authoritative

  • Anonymous_LogEmail

  • Anonymous_MustGiveEmail

  • Anonymous_NoUserID

  • Anonymous_VerifyEmail

  • AuthDBAuthoritative

  • AuthDBGroupFile

  • AuthDBMAuthoritative

  • AuthDBMGroupFile

  • AuthDBUserFile

  • AuthDBMUserFile

  • AuthDigestFile

  • CacheDefaultExpire

  • CacheDirLength

  • CachedirLevels

  • CacheForceCompletion

  • CacheGcInterval

  • CacheLastModifiedFactor

  • CacheMaxExpire

  • CacheRoot

  • CacheSize

  • CheckSpelling

  • CookieExpires

  • CookieTracking

  • Example

  • ExpiresActive

  • ExpiresByType

  • ExpiresDefault

  • Header

  • Metadir

  • MetaFiles

  • MetaSuffix

  • MimeMagicFile

  • MMapFile

  • NoCache

  • ProxyBlock

  • ProxyDomain

  • ProxyPass

  • ProxyPassReverse

  • ProxyReceiveBufferSize

  • ProxyRemote

  • ProxyRequests

  • ProxyVia

  • RefererIgnore

  • RefererLog

  • RewriteBase

  • RewriteCond

  • RewriteEngine

  • RewriteLock

  • RewriteLog

  • RewriteLogLevel

  • RewriteMap

  • RewriteOptions

  • RewriteRule

  • ScriptInterpreterSource

  • VirtualDocumentRoot

  • VirtualDocumentRootIP

  • VirtualScriptAlias

  • VirtualScriptAliasIP

H.3.6.3 Command-Line Options

This section describes the HTTPD command-line options supported on Oracle HTTP Server.

Then you can use the following format to enter a command-line option:

$ HTTPD -option

where -option is one of the following command line options:

  • "-v"

    Displays the HTTPD version and its build date.

  • "-V"

    Displays the HTTPD base version, its build date, and a list of compile settings that influence the performance of the server.

  • "-h"

    Displays a list of the HTTPD options.

  • "-l"

    Displays a list of all modules compiled into the server.

  • "-L"

    Displays a list of directives with expected arguments and instances where the directive is valid.

The following example shows how to enter the "-L" option to list the available configuration directives:

$ HTTPD "-L"

H.3.6.4 Virtual Host Support

The term, virtual host, refers to the practice of maintaining a single server to serve pages for multiple virtual hosts. Both IP-based and name-based virtual host support are available on Oracle HTTP Server for OpenVMS.

Note:

The security profile of the running server is the same on all virtual hosts.

For more information about virtual hosts, refer to the Apache Software Foundation documentation at

http://www.apache.org/docs/vhosts/index.html

H.3.6.5 Dynamic Shared Object Support

Dynamic shared object support provides a method to format code so that it will load into the address space of an executable program at run time. For more information about dynamic shared object support, refer to the Apache Software Foundation documentation at

http://www.apache.org/docs/dso.html

H.3.6.6 File Handlers

Oracle HTTP Server for OpenVMS supports the ability to use file handlers explicitly. For more information about file handlers, refer to the Apache Software Foundation documentation at

http://www.apache.org/docs/handler.html

H.3.6.7 Content Negotiation

The MOD_NEGOTIATION module provides content negotiation. This module enables you to specify language variants of HTML files. To specify language variants, use an underscore instead of a period before the language extension.

For example:

  • On UNIX, filename.html.fr is the French variant of filename.html.

  • On OpenVMS, FILENAME.HTML_FR is the French variant of FILENAME.HTML.

For more information about content negotiation, refer to the Apache Software Foundation documentation at

http://www.apache.org/docs/content-negotiation.html

H.3.6.8 Apache API

You can use the standard Apache application programming interface (API) to write user-defined modules that run on Oracle HTTP Server. For more information about the Apache API, refer to the Apache Software Foundation documentation at

http://www.apache.org/docs/misc/API.html

H.3.6.9 suEXEC Support

The suEXEC feature provides the ability to run CGI programs under user IDs that are different from the user ID of the calling Web server. This is not supported by Oracle HTTP Server for OpenVMS.

H.3.7 File Formats

All file formats are supported. However, the Web browser status bar will not show page loading progress for Variable or VFC format files larger than 8 KB.

Page loading progress relies on an accurate byte count, which is not readily available for files in Variable or VFC format. For files in these formats, Oracle HTTP Server must count the bytes as the files load. The counting process can slow performance, so it has been turned off in this situation.

H.3.8 File Naming Conventions

In general, users running Oracle HTTP Server for OpenVMS can specify either UNIX-style file names or OpenVMS-style file names. Oracle HTTP Server usually displays UNIX-style file names.

The On-Disk Structure Level 5 (ODS-5) volume structure, shipped with OpenVMS version 8.2, supports long file names, enables the use of a wider range of characters within file names, and preserves case within file names. However, the DEC C RTL that is shipped with OpenVMS Alpha version 7.2-1 does not provide full support for extended file names on ODS-5 devices. This lack of full support imposes certain restrictions on users running Oracle HTTP Server for OpenVMS.

Because mixed UNIX-style and OpenVMS-style extended file names are not yet supported by the DEC C RTL, you may be required to use UNIX-style syntax when interacting with Oracle HTTP Server. An example would be appending additional directories or a file name to a root.

The following examples illustrate mixed UNIX-style and OpenVMS-style file names that are not supported in OpenVMS version 8.2:

doc/foo.bar.bar
./tmp/foo.bar.b^_ar
~foo^.bar

You can, however, modify the last example so that it works as an OpenVMS extended file name that has a tilde (~) as the first character. Precede the leading tilde (~) with the Extended File Specifications escape character (^) as shown in the following example:

^~foo^.bar

For more information about using the tilde (~) in OpenVMS extended file names, refer to the OpenVMS Guide to Extended File Specifications at the following Web site:

http://h71000.www7.hp.com/doc/73final/6536/6536PRO.HTML

H.3.9 File Transfer Process and Access Control List

When performing an FTP operation, ensure that the access control list (ACL) for the target directory on Oracle HTTP Server has FTP access enabled as follows:

When transferring new files:

$ SET SECURITY/ACL=(IDENTIFIER=yourFTPname,ACCESS=READ+WRITE) [directory]

When replacing existing files:

$ SET SECURITY/ACL=(IDENTIFIER=yourFTPname,ACCESS=READ+WRITE) [directory]*.*

H.3.10 Logical Names

Oracle HTTP Server for OpenVMS creates the following logical names, which are listed with their descriptions in Table H-2.

Table H-2 Oracle HTTP Server Logical Names and Their Descriptions

| Logical Name | Description |
|---|---|
| APACHE$COMMON | Concealed logical name that defines clusterwide files in APACHE$ROOT (device:[APACHE]) |
| APACHE$FIXBG | System executive mode logical name pointing to installed, shareable images. Not intended to be modified by the user. |
| APACHE$HTTPD_SHR | System executive mode logical name pointing to installed, shareable images. Not intended to be modified by the user. |
| APACHE$INPUT | Used by CGI programs for PUT and POST methods of reading the input stream. |
| APACHE$PLV_ENABLE_username | System executive mode logical name defined during startup and used to control access to the services provided by the APACHE$PRIVILEGED image. Not intended to be modified by the user. |
| APACHE$PLV_LOGICAL | System executive mode logical name defined during startup and used to control access to the services provided by the image. Not intended to be modified by the user. |
| APACHE$PRIVILEGED | System executive mode logical name pointing to installed, shareable images. Not intended to be modified by the user. |
| APACHE$ROOT | System executive mode logical name defined during startup that points to the top-level directory. (device:[APACHE], device:[APACHE.SPECIFIC.node-name]) |
| APACHE$SPECIFIC | Concealed logical name that defines system-specific files in APACHE$ROOT (device:[APACHE.SPECIFIC.node-name]) |
| APACHE$CGI_MODE | System logical name that controls how CGI environment logicals are defined in the running CGI process. There are three different options. Note that only one option is available at a time. 0: Default. Environment logicals are defined as local symbols and are truncated at 970 (limitable with DEC C). 1: Environment logicals are defined as local symbols unless they are greater than 970 characters. If the environment value is greater than 970 characters, then it is defined as a multi-item logical. 2: Environment logicals are defined as logicals. If the environment value is greater than 512 characters, then it is defined as a multi-item logical. |
| APACHE$DEBUG_DCL_CGI | If defined, this system logical name enables APACHE$VERIFY_DCL_CGI and APACHE$SHOW_CGI_SYMBOL. |
| APACHE$VERIFY_DCL_CGI | If defined, this system logical name provides information for troubleshooting DCL command procedure CGIs by forcing a SET VERIFY before running any DCL CGI. Use with APACHE$DEBUG_DCL_CGI. |
| APACHE$SHOW_CGI_SYMBOL | If defined, this system logical name provides information for troubleshooting the CGI environment by dumping all the symbols and logicals (job/process) for a given CGI. Use with APACHE$DEBUG_DCL_CGI. |
| APACHE$PREFIX_DCL_CGI_SYMBOLS_WWW | If defined, this system logical name prefixes all CGI environment logical symbols with WWW_. By default no prefix is used. |
| APACHE$CREATE_SYMBOLS_GLOBAL | If defined, this system logical name causes CGI environment symbols to be defined globally. They are defined locally by default. |
| APACHE$CGI_USE_DCLCOM_FOR_IMAGES | If defined, this system logical name forces CGI images to run within a DCL process. The default is to run CGI images directly. (Note: Direct running of CGI images is not currently supported.) |
| APACHE$DL_NO_UPPERCASE_FALLBACK | If defined to be true (1, T, or Y), this system logical name disables case-insensitive symbol name lookups whenever case-sensitive lookups fail. Refer to APACHE$DL_FORCE_UPPERCASE. |
| APACHE$DL_FORCE_UPPERCASE | If defined to be true (1, T, or Y), this system logical name forces case-sensitive dynamic image activation symbol lookups. By default, symbol lookups are first done in a case-sensitive manner, and then if failed, a second attempt is made by using case-insensitive symbol lookups. This fallback action can be disabled with APACHE$DL_NO_UPPERCASE_FALLBACK. |


H.3.11 OpenVMS Cluster Considerations

An OpenVMS Cluster is a group of OpenVMS systems that work together as one virtual system. Oracle HTTP Server runs in an OpenVMS Cluster so that you can take advantage of the resource sharing that increases the availability of services and data. Bear the following points in mind:

  • Oracle HTTP Server is supported on OpenVMS Version 8.2-1 or later.

  • Oracle HTTP Server runs in an Alpha, Itanium, or mixed-architecture cluster. Separate Apache installations are required for Alpha and Itanium.

H.3.11.1 Individual System Versus Clusterwide Definition

To define clusterwide versus individual configuration files, APACHE$ROOT uses the following concealed logical names:

  • APACHE$COMMON defines clusterwide files

  • APACHE$SPECIFIC defines system-specific files

When reading a file, the server first looks for a system-specific version of the file in APACHE$SPECIFIC:[directory]. If it does not find one, then it looks for a clusterwide file in APACHE$COMMON:[directory].

To avoid confusion, always use the appropriate concealed logical name to specify the file that you want to edit. For example, to edit a clusterwide version of HTTPD.CONF, refer to:

$ EDIT APACHE$COMMON:[CONF]HTTPD.CONF

If you refer to:

$ EDIT APACHE$ROOT:[CONF]HTTPD.CONF

then the server would open the clusterwide file but save it as a system-specific version. The latest version of HTTPD.CONF would then be visible only to the individual node on which it was saved.

Within HTTPD.CONF itself, you should make this distinction whenever you refer to a path or to a file location. This improves performance and ensures that the server will return a complete directory listing. For example, you should specify APACHE$COMMON or APACHE$SPECIFIC (instead of APACHE$ROOT) with directory directives.

The following extract, from the HTTPD.CONF file, refers to APACHE$COMMON, because the content for the default Web page is in the clusterwide directories.

DocumentRoot "/apache$common/htdocs"
...
<Directory "/apache$common/htdocs">
    Options Indexes FollowSymLinks Multiviews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

If there was content for one specific node in a cluster, then the APACHE$SPECIFIC logical name would be used.

H.3.11.2 Mixed-Architecture Cluster

In a mixed-architecture cluster containing VAX nodes, do not use a cluster alias IP address with Oracle HTTP Server. Because the VAX systems will not have Oracle HTTP Server running, they will not be able to service HTTP requests.

H.3.12 CGI Programs

Common gateway interface (CGI) programs run within the DCL shell on Oracle HTTP Server for OpenVMS. This section discusses the following CGI topics:

H.3.12.1 CGI Environment Logical

By default, an environment logical symbol takes the form that is designated by the name of the environment logical. You can determine how environment logicals are set when the server runs a CGI program. You can define the APACHE$PREFIX_DCL_CGI_SYMBOLS_WWW logical name to prefix all environment logical symbols with WWW_. By default, no prefix is used.

The APACHE$CGI_MODE logical name controls how CGI environment logicals are defined in the running CGI program as follows:

APACHE$CGI_MODE      option 

where option can have one of the following values at a time:

  • 0: Default. Environment logicals are defined as local symbols and are truncated at 970 (limitable with DEC C).

  • 1: Environment logicals are defined as local symbols unless they are greater than 970 characters. If the environment value is greater than 970 characters, it is defined as a multi-item logical.

  • 2: Environment logicals are defined as logicals. If the environment value is greater than 512 characters, it is defined as a multi-item logical.

APACHE$DCL_ENV is a foreign symbol that lets you define CGI environment logicals, as follows:

APACHE$DCL_ENV [-c] [-d] [-e env-file]

where:

  • -c: Default. Indicates create environment logicals.

  • -d: Indicates delete environment logicals.

  • -e env-file: Specifies an alternate environment file.

    The environment file does not need to be specified by the caller because the parent derives it (it can be easily determined by default).

The following example deletes the environment and then re-creates it:

Example: diff_mode_cgi.com
$ APACHE$DCL_ENV -d
$ Define APACHE$PREFIX_DCL_CGI_SYMBOLS_WWW 1
$ APACHE$DCL_ENV -c

H.3.12.2 Referencing Input

CGI scripts that reference input to Oracle HTTP Server must refer to APACHE$INPUT.

H.3.12.3 Running CGI Images

On OpenVMS, CGI images run within a DCL process. You cannot run CGI images directly.

H.3.12.4 Logical Names for Debugging CGI Scripts

Use the following logical names to debug CGI scripts:

| Logical Name | Description |
|---|---|
| APACHE$DEBUG_DCL_CGI | If defined, this system logical name enables APACHE$VERIFY_DCL_CGI and APACHE$SHOW_CGI_SYMBOL. |
| APACHE$VERIFY_DCL_CGI | If defined, this system logical name provides information for troubleshooting DCL command procedure CGIs by forcing a SET VERIFY before running any DCL CGI. Enabled by APACHE$DEBUG_DCL_CGI. |
| APACHE$SHOW_CGI_SYMBOL | If defined, this system logical name provides information for troubleshooting the CGI environment by dumping all of the symbols and logicals (job/process) for a given CGI. Enabled by APACHE$DEBUG_DCL_CGI. |

H.3.12.5 Displaying Graphics with CGI Command Procedures

To display a graphics file with a CGI command procedure, use the APACHE$DCL_BIN foreign symbol in the following format:

APACHE$DCL_BIN [-s bin-size] bin-file

where:

  • -s bin-size: Specifies the actual or approximate file size in bytes. The value of bin-size is automatically determined if the image file is larger than 32768 KB (default value). If the image file is smaller than 32768 KB, then you can provide an approximate (or actual) size. This boosts performance.

  • bin-file: Specifies the file to be displayed.

For example:

$ SAY := WRITE SYS$OUTPUT
$ SAY "Content-type: image/gif"
$ SAY ""
$ APACHE$DCL_BIN APACHE$ROOT:[ICONS]APACHE_PB.GIF
$ EXIT

H.4 Security Information

Oracle HTTP Server for OpenVMS is a nonprivileged, user-mode, socket-based network application. TMPMBX and NETMBX are the only privilege requirements. The server runs under its own unique UIC and user account (APACHE$WWW).

H.4.1 Process Model

Oracle HTTP Server runs as a single job that consists of:

  • One master process (APACHE$WWW)

  • Several subprocesses

    Subprocesses are created to service incoming HTTP requests and to run CGI scripts.

Because the server runs as a single job, the OpenVMS security profile for each process is identical and no enhanced mechanism is required for these processes to communicate with one another. Resource utilization is controlled by a single user account (oracle) where pooled quotas are defined.

H.4.2 Privileged Images

Oracle HTTP Server performs three operations that require additional privileges:

  • Binding to a port below 1024 (privileged ports)

    By default, the server binds to port 8080 (HTTP).

  • Fetching path information for other users

    The server provides a replacement for the getpwnam C RTL routine to enable the server to fetch default path information for other users (required by MOD_UTIL and MOD_USERDIR).

  • Changing the carriage-control attribute on socket (BG) devices

    The server also enables or disables (or both) the carriage-control attribute on BG (socket) devices for certain stream operations.

Two protected, shareable images are installed at startup to enable the server to perform the following functions:

  • APACHE$PRIVILEGED.EXE (exec-mode services)

  • APACHE$FIXBG.EXE (kernel-mode services)

The APACHE$PRIVILEGED.EXE image provides exec-mode services for binding to privileged sockets and fetching user default path information. Access to these services is limited to processes running under the oracle username and is controlled by the APACHE$PLV_ENABLE_APACHE$WWW logical name. This logical name is defined as:

"APACHE$PLV_ENABLE_APACHE$WWW" = "3,80,1023"

The "3,80,1023" string represents three parameters where:

  • The first parameter (3) is a bit-mask that enables or disables the two services:

    • Binding to privileged ports

    • Fetching user default path information

  • The second and third parameters indicate the minimum and maximum port that are allowed to be bound.

When a call to either service is made, the service code does the following:

  1. Temporarily enables the SYSPRV, OPER, SYSNAM, and NETMBX privileges

  2. Performs the function

  3. Restores the process's original privileges
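The following command procedure is an added example, not part of the Oracle or HP kit. It reads the APACHE$PLV_ENABLE_APACHE$WWW logical name described above and reports values that grant more than the text describes. The procedure name CHECK_PLV.COM, the optional P1 parameter (the port the server is configured to listen on), and the limits tested (mask 0 to 3, ports 1 to 1023) are this example's assumptions, derived from the two-service bit-mask and the privileged port range in the text.

```dcl
$! CHECK_PLV.COM - added example, not part of the Oracle or HP kit.
$! Usage: @CHECK_PLV [listen-port]
$ lnm = "APACHE$PLV_ENABLE_APACHE$WWW"
$! Ask for the executive-mode definition in the system table, so that a
$! user- or supervisor-mode name of the same spelling is not reported instead.
$ val = F$TRNLNM(lnm, "LNM$SYSTEM_TABLE", , "EXECUTIVE")
$ IF val .EQS. ""
$ THEN
$   WRITE SYS$OUTPUT lnm, " has no executive-mode definition in LNM$SYSTEM_TABLE"
$   EXIT
$ ENDIF
$ mask = F$ELEMENT(0, ",", val)
$ pmin = F$ELEMENT(1, ",", val)
$ pmax = F$ELEMENT(2, ",", val)
$! F$ELEMENT returns the delimiter itself when the element does not exist
$ IF pmin .EQS. "," .OR. pmax .EQS. "," THEN GOTO malformed
$ IF F$ELEMENT(3, ",", val) .NES. "," THEN GOTO malformed
$! F$TYPE reports INTEGER for a string whose characters form a valid integer
$ IF F$TYPE(mask) .NES. "INTEGER" THEN GOTO malformed
$ IF F$TYPE(pmin) .NES. "INTEGER" THEN GOTO malformed
$ IF F$TYPE(pmax) .NES. "INTEGER" THEN GOTO malformed
$ mask = F$INTEGER(mask)
$ pmin = F$INTEGER(pmin)
$ pmax = F$INTEGER(pmax)
$ WRITE SYS$OUTPUT "Service mask: ", mask, "   Bindable ports: ", pmin, " to ", pmax
$ findings = 0
$! Two services are described, so only the two low bits are expected
$ IF mask .LT. 0 .OR. mask .GT. 3
$ THEN
$   WRITE SYS$OUTPUT "  Mask has bits set beyond the two services described"
$   findings = findings + 1
$ ENDIF
$ IF pmin .GT. pmax
$ THEN
$   WRITE SYS$OUTPUT "  Minimum port is greater than maximum port"
$   findings = findings + 1
$ ENDIF
$ IF pmin .LT. 1 .OR. pmax .GT. 1023
$ THEN
$   WRITE SYS$OUTPUT "  Range extends outside the privileged ports 1 to 1023"
$   findings = findings + 1
$ ENDIF
$! Optional: compare the configured listen port (P1) with the allowed range
$ IF P1 .EQS. "" THEN GOTO summary
$ IF F$TYPE(P1) .NES. "INTEGER" THEN GOTO summary
$ port = F$INTEGER(P1)
$ IF port .LT. 1024 .AND. (port .LT. pmin .OR. port .GT. pmax)
$ THEN
$   WRITE SYS$OUTPUT "  Listen port ", port, " is privileged but outside the allowed range"
$   findings = findings + 1
$ ENDIF
$summary:
$ IF findings .EQ. 0 THEN WRITE SYS$OUTPUT "  No findings"
$ EXIT
$malformed:
$ WRITE SYS$OUTPUT "Expected mask,min-port,max-port but found: ", val
$ EXIT
```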

The APACHE$FIXBG.EXE_ALPHA image provides a kernel-mode service for manipulating the carriage-control attribute for BG devices that are owned by the calling process. No special access control exists on this service. This function can also be performed using a setsockopt C RTL run-time call, but it is not supported by all TCP/IP stack vendors, which is the reason this service exists. This service does not enable privileges, but runs in kernel mode.

H.4.3 Privileges Required to Start and Stop the Server

Oracle HTTP Server runs under the oracle username and UIC and is started as a detached, network process. During startup, protected images are installed and logical names are placed in the system logical name table. Shutdown is accomplished by sending a KILL signal to the master process and its subprocess.

To start up Oracle HTTP Server, the following privileges are required:

  • SYSPRV

  • SYSNAM

  • IMPERSONATE

  • BYPASS

  • CMKRNL

  • ALTPRI

  • WORLD

The privileges ALTPRI and BYPASS are not essential privileges for installing and running an Oracle database. These privileges can either be added to the oracle account, or a separate account can be created to maintain and run the Oracle HTTP Server.

If you have already configured Oracle HTTP Server using the oracle account and want to run under a different account, then the file ORA_ROOT:[APACHE.APACHE.SPECIFIC.node.CONF]HTTPD.CONF must be modified to change the USER parameter before attempting to start it up.

H.4.4 File Ownership and Protection

All the server files reside under the root directories that the APACHE$ROOT logical name points to. During installation, file protection is set to (S:RWED, O:RWED, G, W). During configuration, all files are set to be owned by the oracle user.

H.4.5 Server Extensions (CGI Scripts)

Server extensions, such as CGI scripts, run within the context of Oracle HTTP Server process or its subprocesses. These extensions have complete control over the server environment. You can configure the server to enable processing of arbitrary user scripts, but standard practice is to limit such activity to scripts that are written by completely trusted users. Oracle HTTP Server includes directives that enable a Web administrator to control script execution and client access. The use of these directives is described in numerous books and is not duplicated here.

H.4.6 suEXEC Not Available for Protecting Script Execution

Oracle HTTP Server for OpenVMS does not currently support the suEXEC method of running scripts under the username that owns the script. Many sites use this feature to allow execution of arbitrary, user-written scripts without the fear of compromising the server environment.

H.5 Open Source Licenses

This section provides open source license acknowledgments and license references.

H.5.1 Apache

This product includes software developed by the Apache Software Foundation. You can visit the Web site of this organization at

http://www.apache.org/

You can view the license at the following Web site

http://www.apache.org/licenses/LICENSE-2.0

This product also includes software that is developed by Hewlett-Packard.