NOTE: SOME FUNCTIONALITY EMPLOYS JAVASCRIPT WASD Features and Facilities – Server Administration

WASD Features and Facilities

9.Server Administration

9.1Access Before Configuration
9.2Access Configuration
9.3Server Instances
9.4HTTPd Server Reports
9.5HTTPd Server Revise
9.6HTTPd Server Action
9.7HTTPd Command Line
9.7.1Accounting
9.7.2Alignment Faults
9.7.3Authentication
9.7.4Cache
9.7.5Configuration Check
9.7.6DCL/Scripting Processes
9.7.7DECnet Scripting Connections
9.7.8Hhelppp!
9.7.9HTTP/2 Connection
9.7.10Instances
9.7.11Instance Status
9.7.12Logging
9.7.13Mapping
9.7.14Network Connection
9.7.15Shutdown and Restart
9.7.16Secure Sockets Layer
9.7.17Throttle
9.7.18WebSocket

The online Server Administration facility provides a rich collection of functionality, including server control, reports and configuration. Some of these are intended as general administration tools while other provide more detailed information intended for server debugging and development purposes.

The value of the WATCH facility 10. WATCH Facility as a general configuration and problem-solving tool cannot be overstated.

All server configuration files, with the exception of the authentication databases, are plain text and may be modified with any prefered editor. However the majority of these can also be administered online through a browser. In addition the update facility allows some administration of file system portions of the Web. See 12. HTTPd Web Update.

Access to many portions of the package is constrained by file protections and directory listing access files. See for a method for circumventing these restrictions.

9.1Access Before Configuration

It is often a significant advantage for the inexperienced administrator on a new and largely unconfigured installation to be able to gain access to the facilities offered by Server Administration, particularly the WATCH facility (10. WATCH Facility). This can be done quite simply by using the authentication skeleton-key (3.12 Skeleton-Key Authentication). This allows the site administrator to register a username and password from the command-line that can be used to gain access to the server. In addition, the server ensures that requesting an otherwise non-authorized Server Administration facility generates a challenge which invokes a username/password dialog at the browser allowing the user to enter the previously registered username and password and gain access.

Method

9.2Access Configuration

Once established the site should make the Server Administration facility a configured facility of the site. The value of its facilities cannot be overstated.

It is also recommended that for production sites the path to these reports be controlled via authentication and authorization, using both host and username restrictions, similar to the following:

[WHATEVER-REALM] /httpd/-/admin/* host.ip.addr,~WebMaster,~WhoEverElse,r+w

If a full authorization environment is not required but administration via browser is still desired restrict access to browsers executing on the server system itself, using an appropriate SYSUAF-authenticated username. Provision of a VMS account for server administration only is quite feasable, see 3.10.6 Nil-Access VMS Accounts.

[VMS] /httpd/-/admin/* #localhost,~username,r+w

If SSL is in use (4. Transport Layer Security) then username/password privacy is inherently secured via the encrypted communications. To restrict server administration functions to this secure environment add the following to the WASD_CONFIG_MAP configuration file:

/httpd/-/admin/* "403 Access denied." ![sc:https]

When using the revise capability of the Server Administration facility it is necessary to comply with all the requirements for Web update of files. This is discussed in general terms in 12. HTTPd Web Update. Revision of server configuration files requires path permissions allowing write access for the username(s) doing the administration, as well as the required ACL on the target directory (in the following example WASD_ROOT:[LOCAL]).

[VMS] /httpd/-/admin/* #localhost,~username,r+w /wasd_root/local/* #localhost,~username,r+w

It is possible to allow general access to the Server Administration facility and reports while restricting the ability to initiate server actions such as a restart! Using the WORLD realm against the path is necessary, for the obvious security reason, the server administration module will not allow itself to be used without an authenticated username, provided as a pseudo-authenticated "WORLD".

[VMS] /httpd/-/admin/control/* #localhost,~username,r+w [WORLD] /httpd/-/admin/* r

When GZIP compression is configured for the server (see GZIP Encoding of WASD Configuration) it is not by default applied to Server Admin reports or other pages. It can be applied, selectively if desired, using mapping rules. For instance, to apply it to all requests not from the local intranet a rule similar to the following can be added before the Server Admin path mapping itself.

if (!remote-addr:192.168.0.0/8) set /httpd/-/admin/* response=GZIP=all pass /httpd/-/admin/* /httpd/-/admin/*

GZIP content-encoding can never be applied to WATCH reports.

9.3Server Instances

With a single instance (see 8.1 Server Instances) access to Server Administration reports, etc. is always serviced by the one server process. If multiple instances are configured then in common with all requests administration requests will be serviced by any one of the associated processes depending on the momentary state of the round-robin distribution.

There are many circumstances where it is preferable to access only the one server. This can be accomplished for two differing objectives.

  1. To facilitate access to a specific instance's Server Administration page, including instance-specific reports etc. This is provided through the use of an administration service port (see Administration Services of WASD Configuration) available from the Server Administration page.
  2. The Server Administration page (‘Control Section’ in 9.6 HTTPd Server Action) and the command-line 9.7.10 Instances) provides the capability to explicitly set the number of instances supported, overriding any configuration directive. After explicitly setting this, using either means, the server must be restarted. The explicit startup setting remains in effect until it is changed to "max" allowing the WASD_CONFIG_GLOBAL configuration directive [InstanceMax] to once again determine the number of instances required.

The latter approach is particularly useful when performing detailed WATCH activities (10. WATCH Facility).

When multiple per-node instances are executing the Server Administration pages and reports all include an indication of which process serviced the request. When accessing no instance in particular the process name is presented in parentheses after the page title

HTTPd www.example.com:80 Server Administration (HTTPd:80)
When a particular instance's administration service port is being used the process name is separated from the page title by a hyphen
HTTPd www.example.com:80 Server Administration - HTTPd:80

Multi-instance status (see 8.1.4 Status) snapshots are available via HTTPDMON, the Server Admin main page and can be reported from the command line using

$ HTTPD /DO=STATUS

9.4HTTPd Server Reports

The server provides a number of internally generated reports. Some of these are of general interest. Others are more for evaluating WASD behaviour and performance for development purposes. Appropriate reports have a refresh selector allowing the report to be updated at the selected period. The following list is in the approximate order in which they occur top-to-bottom, left-to-right in the menu layout.

It is possible to use this facility standalone, without configuring authorisation (9.1 Access Before Configuration).

9.5HTTPd Server Revise

The server provides a comprehensive configuration revision facility.

Enabling Server Access

Many of the server activites listed above require server account write access to the directory in which the configuration files are stored. Where an autononmous scripting account is in use this poses minimal threat to server configuration integrity.

  1. Specifically map the /wasd_root/local/ path and mark it as access always requiring authorization (ensure this is one on the first mappings in the file and certainly before any other /wasd_root/ ones).
    # WASD_CONFIG_MAP pass /wasd_root/local/* auth=all
  2. Add appropriate authorization rules (example from Authorization Configuration (Basics) of WASD Configuration).
    # WASD_CONFIG_AUTH ["Web Admin"=WASD_WEBADMIN=id] /httpd/-/admin/* r+w /wasd_root/local/* r+w
  3. Update access to the directory can be applied using the SECHAN utility (13.13 SECHAN Utility).
    $ SECHAN /WRITE WASD_ROOT:[000000]LOCAL.DIR $ SECHAN /WRITE WASD_ROOT:[LOCAL]
  4. Load the new mapping and authorization rules.
    $ HTTPD /DO=MAP $ HTTPD /DO=AUTH=LOAD
Alternative Using /PROFILE

If a site is using SYSUAF authentication and security profiles enabled using the /PROFILE startup qualifier (13.13 SECHAN Utility) then a more restrictive set up is possible, retaining the default no-access to the [LOCAL] directory. This relies on the administering account(s) having read and write access to the [LOCAL] directory. It is then not necessary to grant that to the server account. It is possible to limit the application of VMS user profiles. This is an example.

# WASD_CONFIG_MAP set /wasd_root/local/* profile auth=all set * noprofile

To use this approach perform steps 1, 2 and 4 from above, substituting the following for step 3.

$ SECHAN /PACKAGE WASD_ROOT:[000000]LOCAL.DIR $ SECHAN /PACKAGE WASD_ROOT:[LOCAL] $ SECHAN /CONTROL WASD_ROOT:[000000]LOCAL.DIR

9.6HTTPd Server Action

The server allows certain run-time actions to be initiated. Many of these functions can also be initiated from the command line, see 9.7 HTTPd Command Line.

When multiple servers are executing on a single node or within a cluster a JavaScript-driven checkbox appears in the bottom left of the administration menu. Checking that box applies any subsequently selected action to all servers!

Control Section
Configuration Action Section

9.7HTTPd Command Line

A foreign command for the HTTPD control functionality will need to be assigned in the adminstration users' LOGIN.COM, for example:

$ HTTPD == "$WASD_EXE:HTTPD"
or (perhaps more likely)
$ HTTPD == "$WASD_EXE:HTTPD_SSL"

Some control of the executing server is available from the DCL command line on the system on which it is executing. This functionality, via the /DO= qualifier, is available to the privileged user.

These directives are communicated from the command-line (and Server Administration page analogue - ‘Control Section’ in 9.6 HTTPd Server Action) to the per-node or per-cluster servers using the Distributed Lock Manager. On pre-VMS V8.2 the command buffer is limited to 15 bytes. From VMS V8.2 the buffer space available is 63 bytes. In a cluster all systems must support the larger buffer before WASD enables it. The smaller buffer space limits some of the directives that take free-form parameters (e.g. /DO=DCL=PURGE=USER=DANIEL).

Multi-Server/Cluster-Wide

If multiple servers are executing on a host or cluster it is possible to control all of them by adding the /CLUSTER or /ALL qualifiers. Of course, these commands are available from batch jobs as well as interactively. In a clustered WASD environment the same functionality is available via checkboxes from the online Server Administration facility.

Need it to be jogged?

Can't quite remember what it can (and by implication can't) do?

$ HTTPD /DO=HELP
Server Log Annotation

Significant server events (e.g. restart, exit, mapping rule change) can often benefit (post-mortem :-) from an annotation in the server process log, especially in a production environment. The command-line /NOTE="<string>" can be used to insert the supplied string as an ad hoc annotation, or in conjunction with a /DO=".." CLI command.

$ HTTPD /NOTE="just a note test!" $ HTTPD /DO=RESTART /NOTE="adding services ""download."" and ""mail."""

The server process log annotation appear as follows.

%HTTPD-I-NOTE, 10-DEC-2017 22:32:30, just a note test! %HTTPD-I-NOTE, 10-DEC-2017 22:33:05, adding services "download." and "mail."

Note may also be inserted from the Server Admin main page by using the [/DO=] button and field and prefixing the string with /NOTE= (string delimitting quotation marks are not required). Using the Server Admin page annotation and commands cannot be combined.

9.7.1Accounting

Server counters may be zeroed. These counters are those visible from the statistics Server Admininstration item and when using the HTTPDMON utility.

$ HTTPD /DO=ZERO

The HTTPDMON utility displays a status line during startup or server exit on error. For example:

KLAATU:: 1 HTTPDMON v2.6.0 AXP Friday, 21-SEP-2018 21:40:54 Process: WASD:80 PID: 00001F9B User: HTTP$SERVER Version: 11.3.0 Up: 6 18:21:20.96 CPU: 0 00:07:25.54 Startup: 55 Exit: %X00000001 8< snip 8< Rx: 1,365,809 (0 err) Tx: 26,965,420 (0 err) (477kB/s) STATUS: %HTTPD-I-STARTUP, 21-SEP-2018 21:40:52, WASD:80

On occasion this can status message become constantly displayed (e.g. command-line misoperation) with

$ HTTPD /DO=ZERO=STATUS
restoring normal request information.

9.7.2Alignment Faults

On Alpha and Itanium platforms alignment faults can be a significant performance issue and considerable effort has been invested in completely eliminating them. This was done using a internal reporting tool (primarily intended for the WASD developer) available from the Server Admin interface. Defining the logical name WASD_ALIGN_MAP to be a linker map of the build provides additional information.

$ HTTPD /DO=ALIGN=START $ HTTPD /DO=ALIGN=STOP $ HTTPD /DO=ALIGN=ZERO $ HTTPD /DO=ALIGN=FAULT=1

9.7.3Authentication

See 3. Authentication and Authorization.

The authorization rule file (HTTP$AUTH) may be reloaded using either of these variants.

$ HTTPD /DO=AUTH $ HTTPD /DO=AUTH=LOAD

The authentication cache may be purged, resulting in re-authentication for all subsequent authorization-controlled accesses. This may be useful when disabling authorization or if a user has been locked-out due to too many invalid password attempts (3.9 Authorization Cache).

$ HTTPD /DO=AUTH=PURGE

A "skeleton-key" username and password may be entered, amongst things allowing access to the Server Administration facility (9. Server Administration).

$ HTTPD /DO=AUTH=SKELKEY=_<username>:<password>[:<period>]

9.7.4Cache

Server cache control may also be exercised from the Server Administration page (9. Server Administration). The file cache (see Cache Configuration of WASD Configuration) may be enabled, disabled and have the contents purged (declared invalid and reloaded) using

$ HTTPD /DO=CACHE=ON $ HTTPD /DO=CACHE=OFF $ HTTPD /DO=CACHE=PURGE

9.7.5Configuration Check

Changes to configuration files can be validated at the command-line before reload or restart. This detects and reports any syntactical and fatal configuration errors but of course cannot check the intent of the rules.

$ HTTPD /DO=AUTH=CHECK $ HTTPD /DO=CONFIG=CHECK $ HTTPD /DO=GLOBAL=CHECK $ HTTPD /DO=MAP=CHECK $ HTTPD /DO=MSG=CHECK $ HTTPD /DO=SERVICE=CHECK

The config check sequentially processes each of the authorization, global, mapping, message and service configuration files.

If additional server startup qualifiers are required to enable specific configuration features then these must also be provided when checking. For example:

$ HTTPD /DO=AUTH=CHECK /SYSUAF /PROFILE

9.7.6DCL/Scripting Processes

These commands can be useful for flushing any currently executing CGIplus applications from the server, enabling a new version to be loaded with the next access. See "Scripting Environment" document.

All scripting processes, busy with a request or not, can be deleted (this may cause the client to lose data).

$ HTTPD /DO=DCL=DELETE

A gentler alternative is to delete idle processes and mark busy ones for deletion when completed processing.

$ HTTPD /DO=DCL=PURGE

For VMS V8.2 and later, a more selective DELETE and PURGE is possible. A user name, script name, or script file name can be supplied and only matching tasks have the specified action peformed.

$ HTTPD /DO=DCL=PURGE=USER=username $ HTTPD /DO=DCL=PURGE=SCRIPT=script-path $ HTTPD /DO=DCL=PURGE=FILE=script-file-name

9.7.7DECnet Scripting Connections

All DECnet connections, busy with a request or not, can be disconnected (this may cause the client to lose data).

$ HTTPD /DO=DECNET=DISCONNECT

Purging is a better alternative, disconnecting idle tasks and marking busy ones for disconnection when complete.

$ HTTPD /DO=DECNET=PURGE

9.7.8Hhelppp!

$ HTTPD /DO=HELP o ALIGN= START, STOP, ZERO with [<buf-size>,<items>,<mask>] o AUTH reload authorization file o AUTH=CHECK elementary check of authorization file … o ZERO zero all accounting o ZERO=NOTICED zero the 'errors noticed' accounting o ZERO=PROXY zero proxy accounting $

9.7.9HTTP/2 Connection

Disconnect idle HTTP/2 connections.

$ HTTPD /DO=HTTP2=PURGE

All HTTP/2 connections can be disconnected (this may cause clients to lose data), or a specific connection number.

$ HTTPD /DO=HTTP2=PURGE=ALL $ HTTPD /DO=HTTP2=PURGE=number

9.7.10Instances

The number of server instances (see 8.1 Server Instances) may be set from the command line. This overrides any configuration file directive and applies at the next startup. Any configuration directive value may be used from the command line.

$ HTTPD /DO=INSTANCE=MAX $ HTTPD /DO=INSTANCE=CPU $ HTTPD /DO=INSTANCE=integer

Note that the server must be restarted for this to take effect, that this can be applied to the current node only or to all servers within a cluster, and that it remains in effect until explicitly changed to "MAX" allowing the WASD_CONFIG_GLOBAL configuration directive [InstanceMax] to once again determine the number of instances required. The same functionality is available from the Server Administration page (9.6 HTTPd Server Action).

There are also directives to assist with WATCH activities (8.1 Server Instances).

$ HTTPD /DO=INSTANCE=PASSIVE $ HTTPD /DO=INSTANCE=ACTIVE

9.7.11Instance Status

Multi-instance (see 8.1 Server Instances) status (see 8.1.4 Status) can be reported from the command line using

$ HTTPD /DO=STATUS

In addition, stale entries in the status table may be purged using

$ HTTPD /DO=STATUS=PURGE
and the table completely emptied then repopulated over the next minute using
$ HTTPD /DO=STATUS=RESET

9.7.12Logging

Server logging control may also be exercised from the server administration menu (9. Server Administration).

Open the access log file(s).

$ HTTPD /DO=LOG=OPEN

Close the access log file(s).

$ HTTPD /DO=LOG=CLOSE

Close then reopen the access log file(s).

$ HTTPD /DO=LOG=REOPEN

Unwritten log records may be flushed to the file(s).

$ HTTPD /DO=LOG=FLUSH

9.7.13Mapping

See Request Processing Configuration of WASD Configuration.

The mapping rule file (WASD_CONFIG_MAP) may be reloaded using either of these variants.

$ HTTPD /DO=MAP $ HTTPD /DO=MAP=LOAD

9.7.14Network Connection

Disconnect idle (persistent) connections.

$ HTTPD /DO=NET=PURGE

All network connections can be disconnected (this may cause clients to lose data), a specific connection number and those matching the specified URI.

$ HTTPD /DO=NET=PURGE=ALL $ HTTPD /DO=NET=PURGE=number $ HTTPD /DO=NET=PURGE=URI=pattern

Additionally, network connection acceptance can be suspended (leaving in-progress requests to complete), suspended and in-progress disconnected, and resumed.

$ HTTPD /DO=NET=SUSPEND $ HTTPD /DO=NET=SUSPEND=NOW $ HTTPD /DO=NET=RESUME

9.7.15Shutdown and Restart

Server shutdown may also be exercised from the Server Administration page (9. Server Administration).

The server may be shut down, without loss of existing client requests. Connection acceptance is stopped and any existing requests continue to be processed until conclusion.

$ HTTPD /DO=EXIT

The server may be immediately and unconditionally shut down.

$ HTTPD /DO=EXIT=NOW

The server may be restarted, without loss of existing client requests. Connection acceptance is stopped and any existing requests continue to be processed until conclusion. This effectively causes the server to exit normally and the DCL wrapper procedure to restart it.

$ HTTPD /DO=RESTART

The now variant restarts the server immediately regardless of existing connections.

$ HTTPD /DO=RESTART=NOW

The when– quiet variant restarts the server whenever request processing drops to zero for more than one second. It allows (perhaps non-urgent) changes to be put into effect through restart when everything has gone "quiet" and no demands are being placed on the server.

$ HTTPD /DO=RESTART=QUIET

Significant server events such as these are prime candidates for server log annotation!

$ HTTPD /DO=RESTART=NOW /NOTE="Restarting the server just so I can note it :-)"

9.7.16Secure Sockets Layer

If the optional SSL component is installed and configured these directives become effective.

If X.509 authentication is enabled the Certificate Authority (CA) verification list can be reloaded.

$ HTTPD /DO=SSL=CA=LOAD

Server certificates, after being updated, may be reloaded into the running services (i.e. without restart). This is a synonym for /DO=SERVICE=LOAD.

$ HTTPD /DO=SSL=CERT=LOAD

If a private key password is not included with the encode key it is requested by the server during startup. The following example shows the directive and the resulting prompt. When entered the password is not echoed.

$ HTTPD /DO=SSL=KEY=PASSWORD Enter private key password []:

9.7.17Throttle

Unconditionally release all queued requests for immediate processing.

$ HTTPD /DO=THROTTLE=RELEASE

Unconditionally terminate all requests queued waiting for processing. Clients receive a 503 "server too busy" response.

$ HTTPD /DO=THROTTLE=TERMINATE

For VMS V8.2 and later, a more selective RELEASE and TERMINATE is possible. A user name or script name can be supplied and only matching requests have the specified action peformed.

$ HTTPD /DO=THROTTLE=TERMINATE=REMOTE=pattern $ HTTPD /DO=THROTTLE=TERMINATE=SCRIPT=pattern

9.7.18WebSocket

Unconditionally disconnects all WebSocket applications.

$ HTTPD /DO=WEBSOCKET=DISCONNECT

For VMS V8.2 and later, more selective disconnects are possible. Disconnects WebSocket applications with connection number, with matching script names, and with matching scripting account usernames, respectively.

$ HTTPD /DO=WEBSOCKET=DISCONNECT=number $ HTTPD /DO=WEBSOCKET=DISCONNECT=SCRIPT=pattern $ HTTPD /DO=WEBSOCKET=DISCONNECT=USER=pattern