IBM Communications Server v6.2.2 for Linux Web Administration package

* (c) Copyright International Business Machines Corp. 2004,2006
* All Rights Reserved
* Licensed Material - Property of IBM
*
* US Government Users Restricted Rights - Use, duplication or
* disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Table of Contents
-----------------
0. Third-party license terms and conditions, notices, and information
1. About this release
1.1 Package compatibility
1.2 Package configuration requirements
2. Installation process
2.1 Configuration process
3. Uninstallation information
4. Known limitations and problems
5. Documentation updates
6. Notices and trademarks

0.  Third-party license terms and conditions, notices and information:

SUBJECT TO ANY STATUTORY WARRANTIES WHICH CAN NOT BE EXCLUDED, IBM MAKES NO
WARRANTIES OR CONDITIONS EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, AND NON-INFRINGEMENT, REGARDING THE PROGRAM OR TECHNICAL
SUPPORT, IF ANY.

1.  About this release:

 The Communications Server for Linux Web Administration package is a tool designed to
provide remote web connectivity for managing a CS Linux server installation. A full range
of remote query and status information is provided in general and specific functional areas.
Some start and stop functions for node, connection and host resources are also provided.
Diagnostic tools for examining logs, taking traces and capturing problem determination data should be very useful.
Use this tool for most normal operations and not for large query operations.
If you need to query results for more than several hundred LUs or connections, use direct
Telnet or SSH connections.

 This release of the Communications Server for Linux Web Administration V6.2.2 package has
more security features than the previous release. This package includes the instructions for running the
Web Admin tool under a "sna" group id, not as 'root'. This will allow an HTTP server to execute the "snaadmin" commands
using an id other than root. You must follow the instructions provided in section 2.1, Configuration process,
to provide this access. Additional query commands for RTP Tuning have been added in this release.

1.1  Package compatibility:

The package depends on Common Gateway Interface (CGI) capabilities shipped with the "perl" package for Linux.
You must have an Apache server or IBM HTTP Server (IHS) and the perl-CGI RPMs installed.
The distributions tested for this package are those supported for the CS Linux products:

    - Red Hat Enterprise Linux 3 (i686,s390,s390x)
    - SUSE Linux Enterprise Server 8 (i686,s390,s390x).

    - Red Hat Enterprise Linux 4 (i686,x86_64,ppc_64,s390,s390x)
    - SUSE Linux Enterprise Server 9 and 10 (i686,x86_64,ppc64,s390,s390x).

1.2  Package configuration requirements:

This package requires the administrator of a Linux system to perform configuration.
You must update the Web Server configuration file, httpd.conf. For secure access,
use visudo to update the /etc/sudoers file. The package uses full path specification
for execution of snaadmin, sna and snagetpd executables using the "sna" group user.
You will need to create a "snauser" user id in the "sna" group and then assign the web server the authority
to run under that user. This prevents attacks that insert rogue executable files into the
paths executed by a 'root' user. It is assumed the administrator will be familiar
with the procedures described to configure the Web Server so that the proper security and
performance requirements are met.
 

 1.2.2 Package dependencies:

This package can be installed with the IBM Communications Server for Linux (P/N 5724-i33) or
IBM Communications Server for Linux on System z (P/N 5724-i34). These do not need to be installed for this package
to load successfully. The Web Servers used for testing are Apache 1.3.26 and 27 and IBM HTTP Server (IHS) 2.0.47.1.
Most web browsers that support CGI enabled forms will work. Netscape V4.7 will not work with this package.
The Communications Server for Linux and Communications Server for Linux on System z
products have been tested with this Communications Server Web Administration package.
For RHEL3-s390* and SLES8-s390* Linux on zSeries systems, the perl-CGI package is not
included by default. Go to http://www.redhat.com/ and http://www.suse.com/ to get the
appropriate packages. We used perl-CGI-2.81-88.7.s390.rpm for our testing.
For security purposes, you will need to also install the sudo package. This allows specific
access to CS Linux Administration commands for specific users.
 

 2.0 Installation process:


The ibm-commserver-webadmin-version.rpm file will install into the /opt/ibm/sna/web directory. In this
directory, you will find this README and the three sub-directories that the web server should reference:
.../cscdoc, .../cscbin, .../cscicons. These files will all have user "bin" and group "sna" access rights.

Follow the instructions in the Configuration process to reference these directories.
Perform all installation instructions under the "root" system id.

Install the Web Administration package by using the following RPM command:
     rpm -U ibm-commserver-webadmin-version.rpm  

 2.1 Configuration process:

The instructions for configuring the Web Server are designed to have http://server_name/cscdoc/cslinuxweb.html
as the main page for the Web Administration package. You will want to put a link to this main page
somewhere on the Web Server to make access easy.

Update the Web Server configuration file, usually httpd.conf, with
Alias and Directory information. For secure access, it is recommended
you use the htpasswd tool shipped with Apache or IHS to set a user and password access.

    Updating the httpd.conf file:

 The Web Server uses /etc/httpd/httpd.conf, /etc/httpd/conf/httpd.conf  or
/opt/IHS-version/conf/httpd.conf as the base configuration file, depending on the Web
server installed. The httpd.conf file must be updated to list Alias for .../cscdoc, .../cscbin,
and .../cscicons. Secure access should be imposed using a htpasswd file.

Here are the additions needed to the httpd.conf file to provide Web Server access for
the Web Administration tool:


        -   Add to ScriptAlias section:
   ScriptAlias /cscbin/ "/opt/ibm/sna/web/cscbin/"

       -  Add to Directory section:
# For CS Linux Web Administration CGI directory
    <Directory "/opt/ibm/sna/web/cscbin">
        AuthName cslinux
# type of authentication
        AuthType Basic
# the path of the password file
        AuthUserFile /opt/ibm/sna/.webpasswd
# the valid users
        require valid-user
        AllowOverride None
        Options None
        Order allow,deny
        Allow from all
    </Directory>

# For CS Linux Web Administration Document directory
    Alias /cscdoc "/opt/ibm/sna/web/cscdoc/"
    Alias /cscdoc/ "/opt/ibm/sna/web/cscdoc/"

    <Directory "/opt/ibm/sna/web/cscdoc">
        AuthName cslinux
# type of authentication
        AuthType Basic
# the path of the password file
        AuthUserFile /opt/ibm/sna/.webpasswd
# the valid users
        require valid-user
        AllowOverride None
        Options None
        Order allow,deny
        Allow from all
    </Directory>
 
# For CS Linux Web Administration Icon directory
   Alias /cscicons "/opt/ibm/sna/web/cscicons/"
   Alias /cscicons/ "/opt/ibm/sna/web/cscicons/"
    <Directory "/opt/ibm/sna/web/cscicons">
        Options Indexes MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
 

      Setting User and Password access:

In the Directory statements listed above for the Web Administration "html" documents
and CGI directory, the AuthUserFile is set. To build this file, use the htpasswd command
to create and set the file. An example of using this file would be:
            htpasswd -bc  /opt/ibm/sna/.webpasswd admin passw0rd
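This example creates /opt/ibm/sna/.webpasswd with a user of "admin" and a password
of "passw0rd". The -b flag takes the password from the command line, where it is visible
in shell history and process listings; omit -b to have htpasswd prompt for it instead.
Any reference to http://server/cscdoc/ will prompt, on initial access, for
the proper user id and password.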
 

     Setting Access for Web Server requests:

The permissions for CS Linux command line executables are set to the 'sna' group.
Specific configuration is needed to allow Web clients proper access to the CS Linux commands.
Before setting access to allow execution by the Web client, you will need to create a dummy user
in the "sna" group. Using root authority, execute "/usr/sbin/useradd -g sna snauser". This
will create a "snauser" id in the "sna" group. The following steps will allow a Web client to execute the snaadmin
commands under the dummy id.

The visudo command in Linux allows the system administrator to give specific access to an application to run
as a specific user for specific executables. Care must be taken that the paths are fully provided so rogue execution
will not be possible. Using visudo, set the user-specific access to:

wwwrun DNS_name = (snauser) NOPASSWD: /opt/ibm/sna/bin/snaadmin, /opt/ibm/sna/bin/snagetpd, /opt/ibm/sna/bin/sna

where wwwrun is the Apache user ID on SLES8 (use apache for RHEL Apache systems,
use nobody for IHS systems) and DNS_name is the DNS name for the interface that the Web Server is allowing
access over. The (snauser) is required so that the web client runs as "snauser", a member of the "sna" group.
Use the NOPASSWD option so the system will not prompt for the root password
when the web server executes the script. If pages do not get invoked properly, check for messages in
/var/log/httpd/error_logs on RHEL systems, or /var/log/apache/error_logs (or apache2) on SLES systems.
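
Added example (not part of the IBM package): a shell check for the "fully provided paths" requirement above. It reads a one-line sudoers rule of the form shown and reports any command that is not an absolute path, is missing, or sits under a directory that any user can write to. The function names are illustrative, and the parser assumes a simple rule with no commas inside command arguments.

```shell
#!/bin/sh
# Added example: audit the command list of a sudoers rule like the one above.

# Print each command that follows "NOPASSWD:", one per line, without arguments.
rule_commands() {
    printf '%s\n' "$1" | sed -n 's/^.*NOPASSWD:[[:space:]]*//p' |
        tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]].*$//'
}

# Succeed if "others" may write to $1 and no sticky bit protects its entries.
# ls -L follows symlinks so the mode of the real target is checked.
world_writable() {
    mode=$(ls -ldL "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        ????????w[!tT]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one line per finding for the rule in $1; no output means no findings.
audit_rule() {
    rule_commands "$1" | while IFS= read -r cmd; do
        [ -n "$cmd" ] || continue
        case "$cmd" in
            /*) ;;
            *) echo "not an absolute path: $cmd"; continue ;;
        esac
        [ -f "$cmd" ] && [ -x "$cmd" ] || echo "missing or not executable: $cmd"
        # Walk from the executable up to /, since a writable ancestor
        # directory lets another user swap in a different file.
        p=$cmd
        while [ -n "$p" ]; do
            world_writable "$p" && echo "world-writable: $p"
            [ "$p" = "/" ] && break
            p=$(dirname "$p")
        done
    done
}

# Demo on the rule from this README (DNS_name is the README's placeholder).
audit_rule 'wwwrun DNS_name = (snauser) NOPASSWD: /opt/ibm/sna/bin/snaadmin, /opt/ibm/sna/bin/snagetpd, /opt/ibm/sna/bin/sna'
```

Run it as root after editing the rule with visudo; on a host without CS Linux installed the demo line reports the three executables as missing.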

If the user id "snauser" is not an ID you wish to use, you can rename the user id in the Web Admin files by running
the script /opt/ibm/sna/web/rename_user.pl. This will prompt for the new id to use. You should back up the /opt/ibm/sna/web/cscbin
directory first. This directory contains the files where the "snauser" id is defined in the Web Admin scripts.

3.0 Uninstallation information:
To remove the CS Linux Web Administration package, you should first
de-configure the Web Server and then remove the package. To remove the package
from the Web Server configuration, edit the httpd.conf file and remove any
references to .../cscdoc, .../cscbin and .../cscicons. Run the visudo command to
remove the access permission for the Web Server from the /opt/ibm/sna/bin/... files.
Remove the .../cscdoc, .../cscbin and .../cscicons directories from the Web
Server path. Remove the CS Linux Web Administration package by using the rpm
command:

rpm -e ibm-commserver-webadmin

4.0 Known limitations and problems:
Forms presented by this package to allow action on SNA resources, like starting
or stopping the node, do not prompt for confirmation. The assumption is that the
options selected on a form are the intended action when the form is submitted.
Errors that occur due to web server invocation problems are logged in the
/var/log/httpd/error_log or /opt/IHS-version/logs/error_log file.

5.0 Notices and trademarks:

This information was developed for products
and services offered in the U.S.A.
SUBJECT TO ANY STATUTORY WARRANTIES WHICH CANNOT BE EXCLUDED,
IBM MAKES NO WARRANTIES OR CONDITIONS EITHER EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OR
CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, AND NON-INFRINGEMENT, REGARDING THE PROGRAM OR
TECHNICAL SUPPORT, IF ANY.


The exclusion also applies to any of IBM's Program
developers and suppliers.

Manufacturers, suppliers, or publishers of non-IBM Programs
may provide their own warranties.

IBM does not provide technical support, unless IBM
specifies otherwise.

Trademarks
----------
The following terms are trademarks of the IBM Corporation
in the United States or other countries or both:
Advanced Peer-to-Peer Networking
AIX
Application System/400
APPN
AS/400
CICS
IBM
MQSeries
MVS
NetView
OpenPower
Power5
S/390
SP
System p
System x
System z
System/370
System/390
SAA
Systems Application Architecture
VTAM
WebSphere
z/OS
z9
zSeries

The following terms are trademarks or registered trademarks of other
companies:

Java and all Java-based trademarks are trademarks of Sun Microsystems,
Inc., in the United States, other countries, or both.

UNIX is a registered trademark in the United States and other countries
licensed exclusively through The Open Group.

Intel and Pentium are trademarks of Intel Corporation.

Linux is a trademark of Linus Torvalds.

Microsoft, Windows, Windows NT, Windows XP, Windows 2003, and the
Windows logo are trademarks of Microsoft Corporation in the
United States, other countries, or both.

RedHat and RPM are trademarks of Red Hat, Inc.

SuSE Linux is a trademark of SuSE Linux AG.

UnitedLinux is a trademark of UnitedLinux LLC.

Other company, product, and service names may be trademarks or service
marks of others.