Apache 2.0, 503 Service Unavailable

pkidiag completed with no errors and no repairs

I have a valid RootCert.der now, but did not when I first posted. All I had was RootCert.der.bak

I unloaded all components and just reloaded TOMCAT4 and AP2WEBUP. Checked the logger screen and it said tha there was a problem with the certificate. I did what it said (tckeygen) successfully. Tomcat loaded, Apache loaded and I still have the same problem.

I also found out NLDAP wasn't loaded or in my autoexec.ncf. What normally adds that line to the autoexec.ncf? Even loading this changes nothing. I think at this point, a reboot is in order. What order should all this be in in my autoexec.ncf? Should it come before or after anything in particular?

Have you got LDAP objects defined?  NLDAP won't do anything if you don't have at least the default LDAP object set, which (being a default) you should have - however, the LDAP objects, when set to use TLS, will require a valid cert - and if you had cert problems, you need to make sure your LDAP objects use valid certs.

Also, if you're having "name of cert doesn't match name of site" issues, then you have a mismatch of cert types - either your SSL CertificateDNS - MyServer object has the IP address of the server rather than the DNS name, or the SSL CertificateIP - MyServer object has the DNS name instead of the IP address.

OR - since you had secondary IP address issues, maybe the cert doesn't match the IP address you want to use.  You need a cert for each IP address.  The default cert will take the primary IP address automatically, so you'd have to create another cert for the secondary IP address to make sure there's no "name mismatch" issues when you try to use the cert...

The line to load the NetWareLDAP server is usually --> LOAD NLDAP

We'll be happy to look over your AUTOEXEC.NCF and make suggestions. Prolly best if you post it here, after suitable scrubbing of any confidential info.

Check out this PAQ for an example of a re-written AUTOEXEC.NCF --> http://www.experts-exchange.com/Networking/Netware/Q_21605500.html

I have an LDAP Server and an LDAP Group for each of my servers, but I am only concerned with server MAIN.

On the SSL CertificateDNS - MAIN properties General tab it says Certificate for server: MAIN.HPM
It says the same thing for the SSL CertificateIP - MAIN, so guess that could be a problem. Ho wdo I change that?

not following on the last part

In response to PsiCop, here's the autoexec.ncf. I know it's still a mess, but I just migrated and haven't installed most of my apps yet or cleaned up the extraneous crap.

SET LEVEL 2 OPLOCKS ENABLED = OFF
SET CLIENT FILE CACHING ENABLED = OFF
SET BINDERY CONTEXT = O=HPM
SET DAYLIGHT SAVINGS TIME OFFSET = 1:00:00
set start of daylight savings time = (MARCH SUNDAY SECOND 2:00 AM)
set end of daylight savings time = (NOVEMBER SUNDAY FIRST 2:00 AM)
SET TIME ZONE = EST5EDT


# Note: The Time zone information mentioned above
# should always precede the SERVER name.
SEARCH ADD SYS:\JAVA\BIN
SEARCH ADD SYS:\JAVA\NWGFX\BIN
SEARCH ADD SYS:\JAVA\NJCLV2\BIN
SEARCH ADD SYS:\NI\UPDATE\BIN
# WARNING!!
FILE SERVER NAME MAIN
# WARNING!!
# If you change the name of this server, you must update
# the server name in all the licenses that are assigned
# to it using iManager.
SERVERID 2211DCD
#LOAD IPXRTR
#LOAD Q57.LAN SLOT=10020 FRAME=ETHERNET_802.2  NAME=Q57_1_E82
#BIND IPX Q57_1_E82 NET=E1
#LOAD IPXRTRNM
load conlog MAXIMUM=100
; Network driver LOADs and BINDs are initiated via
; INITSYS.NCF. The actual LOAD and BIND commands
; are contained in INITSYS.NCF and NETINFO.CFG.
; These files are in SYS:ETC.
sys:etc\initsys.ncf
#LOAD TCPIP
#LOAD Q57.LAN SLOT=10020 FRAME=ETHERNET_II  NAME=Q57_1_EII
#BIND IP Q57_1_EII addr=X.X.X.20 mask=255.255.255.0 gate=X.X.X.250
#add secondary ipaddress X.X.X.10

MOUNT ALL
IPMINIT.NCF

SYS:\SYSTEM\NMA\NMA5.NCF
BSTART.NCF
load nile.nlm
load httpstk.nlm /SSL /keyfile:"SSL CertificateIP"
LOAD PORTAL.NLM
LOAD NDSIMON.NLM
load slpda
LOAD NICISDI.XLM
LOAD SASDFM.XLM
# -- Added by AFP Install --
;AFPSTRT.NCF
# -- End of AFP Install --
# -- Added by CIFS Install --
CIFSSTRT.NCF
# -- End of CIFS Install --
SYS:/BIN/UNIXENV.NCF
LOAD PKI.NLM
# Storage Management Services components required for Backup
SMSSTART.NCF
#---Added By Native File Access For Unix---
;nfsstart
#---Added By Native File Access For Unix END---
openwbem.ncf
#RCONAG6.NLM is required by RConsoleJ
#LOAD SPXS
#LOAD RCONAG6 <Your Password Here> 2034 16800 2036
?STARTX

;LOAD BROKER HPM_BROKER.HPM
;LOAD NDPSM HPM_MANAGER

;SET TCP DELAYED ACKNOWLEDGEMENT = OFF
;SET TCP NAGLE ALGORITHM = OFF



SET TIMESYNC TYPE = SINGLE
# Uncomment the following  line after creating DNS Server Object
LOAD NAMED.NLM
# Uncomment the following line after creating DHCP Server Object
LOAD DHCPSRVR.NLM

SEARCH ADD SYS:system

SYS:system\GRPWISE.NCF

# SYS:system\GWTSA.NCF

SYS:\system\gwia.ncf
# Loading Posix Semantic Agent
;PSA
SEARCH ADD SYS:\APACHE2
AP2WEBUP
#Apache2 is now the admin server
ADMSRVUP
# tc4admin begin
SEARCH ADD SYS:/tomcat/4/bin
tcadmup.ncf
# tc4admin end
# tomcat4 begin
sys:/tomcat/4/bin/tomcat4.ncf
# tomcat4 end

It's not so much what it says on the General tab - it's what it says on the Certificates tab, in the Public Key Certificate Subject Name field.

Both certs should be for the server object in the General tab,  In this case it should say "Certificate for server: MAIN.HPM"

However, the CertificateIP, on the Public Key Certificates dialog, instead of "Subject name: CN=MAIN.O=HPM." it should say "Subject name: CN=10.10.10.10.O=HPM." (or whatever the IP address is)

If it doesn't say what it's supposed to say, you should be able to fix it by repairing the certs for that server by running PKIDIAG on that server.  If you don't want to go through the PKIDIAG thing, you'll have to delete and manually re-create the CertificateIP object.

Actually, also check the CertificateDNS to make sure it's got the proper hostname in the Subject name field for that cert.  If it says "CN=MAIN.O=HPM" that's probably not right, because that's just the hostname part of the domain name.  It should have the full DNS name for the server, i.e. "CN=main.hpm.com.O=HPM" if your domain were "hpm.com."

The dns name has to also match what Apache is expecting, if you're using DNS naming for your Apache config and not the IP address.

To ShineOn,
  my CertificateDNS says CN=main.hpmlaw.com.O=.HPM, is that correct?
My CertificateIP says  CN=x.x.x.20.O=.HPM.

######################
# SYS:SYSTEM\AUTOEXEC.NCF #
######################
# Server initialization file - read at boot-up
#
# Change Log:
# Who    When                   What
# -------  -----------------    -------------------------------
#
#
#
######################

# Note: The Time zone informationcshould always
# precede the SERVER name.
SET DAYLIGHT SAVINGS TIME OFFSET = 1:00:00
SET START of daylight savings time = (MARCH SUNDAY SECOND 2:00 AM)
SET END of daylight savings time = (NOVEMBER SUNDAY FIRST 2:00 AM)
SET TIME ZONE = EST5EDT

# Set this server to be its own Time source
#   (must be only server in eDirectory tree)
SET TIMESYNC TYPE = SINGLE

# Disable all client-side file caching and
#    opportunistic locking to avoid Windoze
#    corrupting data
SET LEVEL 2 OPLOCKS ENABLED = OFF
SET CLIENT FILE CACHING ENABLED = OFF

# Set eDirectory context for Bindery Emulation
#   (an eDirectory replica containing this OU must reside
#   on this server)
# NOTE: Do not enable unless needed
SET BINDERY CONTEXT = O=HPM

# Set search paths for NetWare executables and NCFs
SEARCH ADD SYS:\JAVA\BIN
SEARCH ADD SYS:\JAVA\NWGFX\BIN
SEARCH ADD SYS:\JAVA\NJCLV2\BIN
SEARCH ADD SYS:\NI\UPDATE\BIN
SEARCH ADD SYS:system
SEARCH ADD SYS:\APACHE2
SEARCH ADD SYS:/tomcat/4/bin

# WARNING!!
FILE SERVER NAME MAIN
# If you change the name of this server, you must update
# all the licenses that are assigned to this server. Using
# NWAdmin, double-click on a license object and click on
# the Assignments button. If the old name of
# this server appears, you must delete it and then add the
# new server name. Do this for all license objects.
# WARNING!!

# The ServerID is the "Internal IPX Network Number" and
#   is not needed if Bindery Emulation and IPX are removed
SERVERID 2211DCD

# Load the NetWare Server Console Logging Utility
#    Logs console output to SYS:ETC\CONSOLE.LOG
#   MAXIMUM = Size of log file in KB before existing log is
#        discarded and logging is restarted
load conlog MAXIMUM=100

# Initialize Linux/UNIX console support for the BASH shell
SYS:/BIN/UNIXENV.NCF
# Load Posix Semantic Agent
;PSA

######################
# Network Configuration #
######################
# NOTE: On this server, the network configuration has been transferred
#          to the menu-driven INETCFG.NLM utility - these lines are retained
#          for historical purposes
#LOAD IPXRTR
#LOAD Q57.LAN SLOT=10020 FRAME=ETHERNET_802.2  NAME=Q57_1_E82
#BIND IPX Q57_1_E82 NET=E1
#LOAD IPXRTRNM
; Network driver LOADs and BINDs are initiated via
; INITSYS.NCF. The actual LOAD and BIND commands
; are contained in INITSYS.NCF and NETINFO.CFG.
; These files are in SYS:ETC.
sys:etc\initsys.ncf
#LOAD TCPIP
#LOAD Q57.LAN SLOT=10020 FRAME=ETHERNET_II  NAME=Q57_1_EII
#BIND IP Q57_1_EII addr=X.X.X.20 mask=255.255.255.0 gate=X.X.X.250
#add secondary ipaddress X.X.X.10
######################

##############################
# TCP/IP Protocol Stack Tweaks #
##############################
;SET TCP DELAYED ACKNOWLEDGEMENT = OFF
;SET TCP NAGLE ALGORITHM = OFF

# Mount all Volumes not yet mounted
MOUNT ALL

# Initialize IP Management
IPMINIT.NCF

# Load the NetWare Management Agent
SYS:\SYSTEM\NMA\NMA5.NCF

# Start the BTrieve RDBMS (used by Novell Licensing Services, NLS)
BSTART.NCF

################################
# NetWare Remote Manager (NRM) #
################################
# Load Secure Socket Services for NRM
LOAD nile.nlm
# Load the mini-HTTP/HTTPS stack for NRM and iMonitor
LOAD httpstk.nlm /SSL /keyfile:"SSL CertificateIP"
# Load the NRM portal module
LOAD PORTAL.NLM
# Load NDS iMonitor
LOAD NDSIMON.NLM
################################

# Load a Service Location Protocol Directory Agent
# SLP.NLM was loaded when the TCP/IP stack was initialized
# There generally needs to be only one SLPDA per network
LOAD slpda

######################
# Cryptographic Support #
######################
# Novell International Crypto Infrastructure
LOAD NICISDI.XLM
# Secure Authentication Services
LOAD SASDFM.XLM
# Load the Public-Key Infrastructure
LOAD PKI.NLM
######################

###################################
# Native File Access Protocols (NFAP) #
###################################
# AppleTalk Filing Protocol
;AFPSTRT.NCF
# Common Internet File System
CIFSSTRT.NCF
# Network File Services (UNIX)
;nfsstart
###################################

#################
# Backup Support #
#################
# Storage Management Services components required for Backup
SMSSTART.NCF
# NOTE: The next two lines have been added by PsiCop
# Load the NetWare Filesystem Target Services Agent
LOAD TSAFS
# Load the eDirectory Target Services Agent
LOAD TSANDS
# Call the load script for the GroupWise Target Services Agent
#    (modern GroupWise should use the /EnableGW=yes parameter on TSAFS instead)
SYS:system\GWTSA.NCF
#################

# Call the load script for Open Web-Based Enterprise Management support
openwbem.ncf

#########################
# Remote Console Support #
#########################
#RCONAG6.NLM is required by RConsoleJ
#LOAD SPXS
#LOAD RCONAG6 <Your Password Here> 2034 16800 2036
#########################

######################################
# Novell Distributed Print Services (NDPS) #
######################################
# NDPS Service Broker
;LOAD BROKER HPM_BROKER.HPM
# NDPS Service Manager
;LOAD NDPSM HPM_MANAGER
######################################

# Load the NetWare DNS Server
LOAD NAMED.NLM
# Load the NetWare DHCP Server
LOAD DHCPSRVR.NLM

#############
# GroupWise #
#############
# Call the load script for the GroupWise POA and MTA
SYS:system\GRPWISE.NCF
# Call the load script for the GroupWise Internet Agent
SYS:\system\gwia.ncf
#############

##################################
# Apache Web Server (user instance) #
##################################
# Apache v2
AP2WEBUP
# TomCat v4
sys:/tomcat/4/bin/tomcat4.ncf
##################################

##########################################
# Apache Web Server (administrative instance #
##########################################
# These two statements load iManager
ADMSRVUP
tcadmup.ncf
##########################################

# Prompt to load the NetWare Java-based X-Windows GUI
# A Yes/No prompt will appear during execution
?STARTX

########################
# End of AUTOEXEC.NCF #
########################

It's correct, to the best of my knowledge.  You're not using the CertificateIP with named sites or CertificateDNS with IP-accessed sites, right?

To ShineOn,
   Um... what?

To PsiCop,
   I didn't see a line for NLDAP, but I'll put it somewhere above AP2WEBUP.

I'd put it before NFAP and NRM...perhaps right after BSTART.NCF

I rebooted the server, but still get the 503 Service Unavailable error. I noticed in the logger screen after the reboot that it indicated the "SLP Directory Agent has not been configured". Would there be any problem with letting it auto-configure with SLPDA /a or is that something I should do in NWAdmin?

ShineOn, what would I look for to see if I am using the CertificateIP with named sites or CertificateDNS with IP-accessed sites?

Now when I go to i go to https://<ip address of server>:2200, I get "The page cannot be displayed". Just the ip address of the server gets me the 503 error.

I still have this error in apache2\logs\mod_jk.log

[Mon Jan 15 22:31:49 2007] [error] jk_ajp_common.c (1758): Error connecting to tomcat. Tomcat is probably not started or is listening on the wrong port. worker=ajp13admin failed

Neither Apache or Tomcat show up in TCPCON, but the Apache screen shows
              Listening on port(s): 443 80

Well, for example, with the portal, if you have:

LOAD httpstk.nlm /SSL /keyfile:"SSL CertificateIP"

you will get a name mismatch error if you try to browse to

HTTPS://MYSERVER.MYCOMPANY.COM:8009

but won't if you browse to

HTTPS://10.20.30.40:8009.

In your Apache config files, for sake of example an excerpt from the old adminserv.conf file from 6.0 (I don't have a 6.5 to look at) you'd have the lines:

<IfModule mod_tls.c>
    SecureListen 10.20.30.40:443 "SSL CertificateIP"
</IfModule>

or

<IfModule mod_tls.c>
    SecureListen myserver.mycompany.com:443 "SSL CertificateDNS"
</IfModule>

not

<IfModule mod_tls.c>
    SecureListen myserver.mycompany.com:443 "SSL CertificateIP"
</IfModule>

or

<IfModule mod_tls.c>
    SecureListen 10.20.30.40:443 "SSL CertificateDNS"
</IfModule>

Now, since you're also working with Tomcat and since the newer versions of iManager leverage LDAP contextless login on the auth page, you also have secure LDAP in the mix.  The appropriate cert for the LDAP objects has to be imported into Tomcat for the secure LDAP lookup to work.  If the LDAP object refers to the hostame, you should use CertificateDNS, and if it refers to the IP address, then CertificateIP.  I don't have a secure LDAP setup at home so I cant give you an example until tomorrow, if I remember...

NetWare v6.x uses SLP v2, which requires an SLP Scope. You should have had an SLP Scope Object already, since you were running NetWare v6.0. If you didn't, or you've moved the server context, or something else has happened to cause the SLPDA.NLM Agent to think there is no Scope object, you'll need to create/move/whatever a Scope Object. You can have an SLP Scope object with a Scope of the entire eDirectory Tree, so this shouldn't be a big deal. Might just take, as you suggested, executing SLPDA/a

Error messages for NoRM do NOT show up in the Apache logs!!!

NoRM does NOT use Apache. The HTTPSTK.NLM is a custom HTTP/HTTPS stack designed specifically for NoRM. It has very little logging capabilities.

The Asker's configuration loads *both* the User and Adminstrative (iManager) instance of Apache. Each instance logs to different log files (in the default configuration). We need to establish IN WHICH SET OF LOGS the Tomcat error messages are found. If the Tomcat errors cited above are coming from the User instance of Apache, they may not be reflective of issues with the Adminstrative (iManager) instance of Apache.

OK, by default, HTTPSTK.NLM logs to SYS:HTTPLOG.TXT. It maxes out at 8MB (at which time the file is erased and logging restarted).

Authenticating via User Objects will look in the Context specified by the SET BINDERY CONTEXT statement in AUTOEXEC.NCF, or in the "default eDirectory context" as set in the NRM Configuration Options page.

WARNING: NRM has two, hardcoded, user IDs that do NOT exist in eDirectory. Intruder Detection/Lockout does not apply to these IDs, passwords are limited to 80 characters but *are* case-sensitive. You should set the password for these accounts to something very hard.

I wasn't saying NoRM uses Apache.  I'm saying the same thing applies to NoRM as to Apache *as*regards*the*use*of*certificates.*  To wit:  If you specify CertificateIP it (PKI) expects you to address >whatever< using an IP address, not a DNS-based URL.  If you specify CertificateDNS it expects to see a DNS-based URL, not an IP address.

In response to ShineOn's posting from yesterday,

I have the line LOAD httpstk.nlm /SSL /keyfile:"SSL CertificateIP" in my autoexec.ncf

HTTPS://MYSERVER.MYCOMPANY.COM:8009 gives "page cannot be displayed"
HTTPS://x.x.x.20:8009. brings up NoRM. I understand why this works.
How would I/can I get both forms of addressing to work?

My apache2\conf\httpd.conf has this:
Listen x.x.x.20:80
SecureListen 443 "SSL CertificateDNS"

Should it be this?
Listen x.x.x.20:80
SecureListen MYSERVER.MYCOMPANY.com:443 "SSL CertificateDNS"

My adminsrv\conf\adminserv.conf has this:
Listen x.x.x.20:2211
SecureListen x.x.x.20:2200 "SSL CertificateDNS"

Should I change it to either
SecureListen MYSERVER.MYCOMPANY.com:2200"SSL CertificateDNS"  OR
SecureListen x.x.x.20:2200 "SSL CertificateIP"

Does it matter if the Listen line is in IP form and the SecureListen in DNS form or should they match and if so is there a reason for one over the other?

And finally, on the properties of my LDAP server on the SSL Configuration tab my SSL Certificate has SSL CertificateDNS selected. So this selection should match my SecureListen line in the Apache config files?

If I make changes to the LDAP server will using the "Refresh NLDAP Server Now" button apply any changes?
If I edit the Apache conf files, do I just unload and reload each instance of Apache to apply those changes?

To PsiCop

First posting:  I don't have an SLP anything in C1. I vaguely remember when I was installing NW6.0 that, given the basic configuration of our network, it was not required, so I skipped it. I will proceed with SLPDA /a.

The Tomcat error message I believe you are referring to is as I stated above, located in apache2\logs\mod_jk.log, but now that I look, it is also in adminsrv\logs\mod_jk.log.

I do not currently have ADMSRVUP and TCADMUP loaded as I wanted to see if I could just get the Apache welcome page to come up. Can also load those now, but it doesn't look like Tomcat will load anyways for now.

Actually, with Apache, it depends on what you have in the ServeName directive and/or the VirtualHost directive.  If you have the DNS name for the server in the ServerName directive, you actually should have the IP address/port that the named server is listening on, in the Listen and SecureListen directives, but use the CertificateDNS cert on the SecureListen.  If you have the IP address of the server in ServerName, or are using something that doesn't match the name in the CertificateDNS cert, you will have problems.

It's perfectly normal to have the IP adrress/port in SecureListen with CertificateDNS, provided, as I said, the server named in either the ServerName or VirtualHost directive matches the server name in the CertificateDNS cert.

In that regard, I was slightly misleading, because I was basing my comments on my old home server...

I will post back later if I remember...

ShineOn,

I know *you* know the difference. I didn't think the postings made the difference clear enuf for the uninitiated reader, tho, so I felt it necessary to stress that.

ShineOn, so there is nothing wrong with these  lines in the Apache conf files

Listen x.x.x.20:80
SecureListen x.x.x.20:443 "SSL CertificateDNS"

ServerName MYSERVER.MYCOMPANY.com

My Public Key Certificate Subject Name is CN=main.hpmlaw.com.O=.HPM. for my SSL CertificateDNS for this server.

If this is the case, are these things configured correctly?

PsiCop, I haven't even installed iManager yet. I wanted to make sure Apache and Tomcat were working and configured properly. When I do install iManager, what version should I go with? It looked like a lot of people were having issues with 2.6 in the forums. Should I just go with 2.5?

"... I haven't even installed iManager yet."

There's the problem.  You have the administrative instance of Apache calling the administrative instance of Tomcat, but Tomcat doesn't have what's being called...

Your statement "I need to get this much to work before i proceed with installing WebAccess, iManager and iPrint." in your question didn't click until now.

ShineOn, right now, all I am loading is ap2webup and tomcat4. admsrvup and tcmadmup are not loaded. Shouldn't I at least get the "Welcome to Apache...if you are seeing this page..." screen if I go to x.x.x.20?

Don't know...  Depends on what the default virtualhost page says, I suppose.  With the administrative instance, you should get a "Welcome to NetWare 6.5" page, if it follows how the NetWare 6.0 admsrvup works.

If you go to http:\\x.x.x.20:8080 do you get the generic "tomcat" page?  (or http:\\x.x.x.20:8080\index.jsp).  Have you tried going to http://myserver.mycompany.com/nps to see if you get a generic exteNd login page?

If so, but you get a "503" for the port 80 page, then there's something wrong with that page.  

A 503 error means the web server is functioning and responding, essentially with an "I can't do that, Dave" message.  The request it was sent couldn't be serviced because something the server needs to service the request wasn't available, so it sent back a "503" to the requester.

All of these return a "page cannot be displayed"

As in an Internet Explorer message, which could be like a timeout or an otherwise "unreachable" issue?
The only thing you get a response from is the port 80 and that gives you a 503?

You don't by any chance have the stupid Windows firewall running on your PC, do you?
Or any other kind of firewall or packet filter (including FILTSRV.NLM/IPFLT.NLM) running anywhere between you and the server?

Windows Firewall is turned off nothing else is between me and the server.

I just finished insttalling iManager 2.5. I still don't think tomcat is loading. I can now get the NetWare OES welcome page when I go to https://x.x.x.20:2200. I really don't have time tonight to look further. I've already been here 12 hours and the wife is getting testy. I do know iManager isn't coming up though.

Instead of :2200, go to https://myserver.mycompany.com/nps/iManager.html

:2200 is the old 1.x iManager from NW6.0.  Starting with 2.0, it's /nps/iManager.html

Starting with 2.6, it's just /iManager.html, without the /nps.

Sorry about the delay, I was really busy yesterday.  https://myserver.mycompany.com/nps/iManager.html
doesn't work.  I was trying to follow the iManager link from the OES welcome page that loaded with https://x.x.x.20:2200. I don't think Tomcat is loading. How do I check that? Does it have an entry on the CTRL-ESC screen listing? If so, it isn't running.

The last three lines in my logger screen when I try to load Tomcat4 are

      at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:156)
Stopping service Tomcat-standalone
java: Class org.apache.catalina.startup.Bootstrap exited with status 1

I get the same message when I run tcadmup, except the 2nd line says "Stopping service NetWare Administration Tomcat"

On your console screen, enter "JAVA -SHOW" - that will show what Java services are running.  Tomcat doesn't usually have its own console screen.

Tomcat4 will show up, IIRC, as "catalina." while Tomcat 3.3 shows up as "tomcat."
Mine says "org.apache.catalina.startup.Bootstrap."  That ties back to what you've said about the lines on your logger screen.

Is there something like that in your JAVA -SHOW results?

Tomcat apparently doesn't like something from what you're saying, so maybe if you go to sys:\tomcat\4\logs and cut'n'paste the last log or 2.  Don't post any that obviously don't have errors though.  You'll see stuff like "suchandso for servlet jsp threw an exception" or something along those lines...

I have two instances of tomcat running according to JAVA -SHOW. I assume one of those is the standalone and one is the admin instance. So I guess it is loaded.

I thought I'd unload and reload them again. TC4STOP gave me a successfully exited message in the logger. TCADMDN did too. When I did AP2WEBDN about 3 minutes ago, nothing is happening. My console is frozen and my utilization is hovering between 75-80%. It looks like I will need to reboot the server later today, but I can't remember the key combo for the "emergency" console screen

OK, false alarm.

I went tothe apache screen and it had a message stating that host myserver.mydomain.com had multiple addresses and that i had to choose on explicitly <to continue, press any key>. when I did so, it finished exiting.

"host myserver.mydomain.com had multiple addresses"

I thought we fixed that in your other Question...

You mean the two DNS servers?

It looks like both instances of Tomcat are loading now. I get the line that ajp13 is listening on /0.0.0.0:9010 and ajp13 is listening on /0.0.0.0:9009.

I have an entry for Apache 2 Web Manager in my screens list, so I assume that is loading, but my regular Apache Web server won't load now. About three minutes after I run AP2WEBUP, I get the message:

MAIN/SYS:/SYSTEM/IPCONF/APACHE/APPCONF.XML Parse failed.
(Invalid Xml file format!!)

and although I have unloaded and reloaded named, the IP Address Management in NoRM still shows a DNS server on both addresses.

In Apache2/conf/httpd.conf, I changed these lines

Listen x.x.x.20:80
SecureListen MYSERVER.MYCOMPANY.com:443 "SSL CertificateDNS"
ServerName MYSERVER.MYCOMPANY.com

to this

Listen x.x.x.20:80
SecureListen  x.x.x.20:443 "SSL CertificateDNS"
ServerName  x.x.x.20

and the Apache server came up no problem. This is probably a stupid question, but I have been told before that this is OK, my ETC\hosts file contains these lines and has for years

x.x.x.20   MYSERVER.MYCOMPANY.com   MYSERVER
x.x.x.10   MYSERVER.MYCOMPANY.com   MYSERVER

Could this cause a problem? I was told since both Ip addresses were bound to the same NIC, it was correct, but it has always bugged me.
----------------------------------------------------------------------------------------------------------
My iManager works now!! I wish I knew which changes were instrumental in this. Is it safe to assume now that I have the necessary framework for installing WebAccess? Everyone has been breathing down my neck for the last four days.

We cross-posted.

The answer to your question about the HOSTS file is, "Yes."  I had briefly thought about SYS:ETC\HOSTS but didn't mention it for some reason.

Kill one of them, or change the name.  If you want to stick with just IP address access, then do the servername directive thing, but if you want URL access, pick another hostname, and make sure it'll resolve.

As far as "since both addresses are on the same NIC" thing is concerned, that may have been true with the old IP stack, because I do recall that there were strange things that would happen with secondary ipaddress, where if you sent to port 80 on x.x.x.20, the service listening on x.x.x.10:80 would get the packet, just because it was on the same physical interface.  Once upon a time, you couldn't have 2 addresses on different subnets on the same physical NIC, but now you can (not with "secondary ipaddress, but with a second BIND to the NIC.)

A lot of those multihoming issues have been fixed over time, so I wouldn't assume what worked with NW6.0 will necessarily work the same way with NW6.5/OES, so as I sort-of said, maybe at the time you were told it was OK because you were multihoming with add secondary ipaddress, I would recommend against it today.

If you're planning on having the .10 address for NCP access and the .20 address for other services, then perhaps you should pick another hostname for your .20 address so the .10 address still has the server name.  Don't know how that will affect NAMED, though.

Since it is all on the same NIC, anyway - scratch my curiosity bump and tell me why you are doing the secondary ipaddress thing...

I actually removed the x.x.x.20 adress. I wanted x.x.x.10 to be the DNS server. I just went and checked and both addresses are back.

The A record for MYSERVER points to x.x.x.10. an A record by the name of MAIL points to x.x.x.20

IN the reverse lookups, 10 points to MYSERVER.MYDOMAIN.com and 20 points to MAIL.MYDOMAIN.com

20 has always been our GW server and the default IP for our server. I added 10 to be the web server and it always just worked. I guess I got lucky when I built the 6.0 server three years ago, but this time, not so much.

Would it just be easier to scrap the x.x.x.10 and put it all on the same IP? Are there any port conflicts between apps other than secure iPrint?

Wal, iPrint has to meet the IPP RFC, which requires port 443 for secure authentication and printing, but the lates iPrint also does secure printing using TLS over port 631.  If you're using the latest iPrint client with iPrint on NW6.5/OES, it will attempt TLS over port 631 first.

However, if you must use port 443 for some other service, and you want to be able to access the ipp service using SSL authentication, you still need to go with a secondary ipaddress, but you can just use the secondary address for iPrint and let everything else go over the primary address.

There are instructions in the NetWare 6.5 iPrint documentation on setting up DNS and secondary ip addresses and stuff, which you've probably seen already.

For iManager, of course, it uses port 2200, so there's no conflict there.  NoRM should default to port 8008/8009 for unsecure/secure.  For the other Apache-based things, you can always change the secure port to something other than 443 in the SecureListen directive.

Are you planning on having everything under the sun on one server, including GWIA and GWWA?  Do you also plan to provide Internet access to the Web-based services like iPrint and such?

Is this small-business or is it OES red-box/VLA/CLA/ELA or what?  You know, you can have up to 5 servers at no extra license cost with Small Business, and as many servers as you can fit in all of your rooms and other buildings and wherever else you can think of to put a server, at no extra license cost, right?  

It's really cheap insurance to segregate your web-facing services on a separate server, and PsiCop will yell at you if you put the POA, MTA, GWWA and GWIA all on the same box.

We have OES with VLA. The server license is either unlimited or good for 1000, I can't remember. And yes, everything will run on one box (file & print, DNS/DHCP, POA, MTA, GWWA, GWIA, iFolder, QuickFinder, intranet and anything else i have forgotten). I also have two Windoze servers each running one app that "requires a dedicated server" and one low power NW6.0 server running an old DOS database application that frequently causes problems so I shunted it off on its own server. I do have the old hardware i just migrated from (1 GHz Xeon, 1 GB RAM and two 72GB drives. I was thinking that eventually I would put the web-based services on that, but I don't have any place to put it right now. I probably won't use Internet access for iPrint, but I will need to do this for iFolder and/or NetStorage.

What I really need is some documentation that explains how everything interacts and ties together and where it pulls information from. Maybe something that offers recommendations on what services ideally should be on separate hardware and why. We went from a plain vanilla 4.11 server to a 6.0 server with everything on it. It seemed like the 6.0 documentation assumed I had extensive experience with many of these "new" features introduced in 5.x.

Obviously, given the conflicting settings in how I have my DNS server set up, the settings in some of my configuration files and what appears in IP Adress Manager and TCPCON, it's a minor miracle anything works. I just don't know where to start trying to fix it without bringing the whole house of cards tumbling down. I don't even know if what I have working now will still work if I reboot the server.

If my default IP is x.x.x.20, then anything that shows as using "Default IP" or "0.0.0.0" in IP Adress Manager is using that IP right? If so, then the only services I have running on x.x.x.10 are the DNS server (the real one) and my MTA. I have no idea how that happened. I used my previous GW config files after I reinstalled and double checked them. Everything GW has always used x.x.x.20. When does the ETC\HOSTNAME file come into play? The info in that file directly conflicts with what is in my HOSTS file.

As suspected, what little I had working ceased to work after I rebooted the server. I installed WebAccess and, of course,  it doesn't work. It starts on the server, I just can't access the page.

Since nothing browser-based is working except for NoRM (and that doesn't count), I might as well start over.

My GW is set up on x.x.x.20, the default IP of the server. All of my users that have GW Remote and my spam hardware are pointing there or to the public IP NATed to it. This next part is probably wrong , but years ago when I was fumbling through my one and only DNS/DHCP set up, I set up an A record for this IP and called it mail.mydomain.com and then created an MX record for mail.mydomain.com.

I set up my DNS server on the secondary IP address, x.x.x.10 and created an  A record named myserver.mydomain.com. I then created an NS record for  myserver.mydomain.com. My ISP has another of our public IPs pointing to to myserver.mydomain.com so we can hit the main page of our intranet internally or externally (when it's working). I used a step-by-step procedure spelled out by a Joe Moore, Novell Support Connection Sysop from May 2000. All of this was working, for the most part, until I did the migration. Should I close out this question and start another at this point? Although my initial problem still exists, you guys have helped considerably.

Since the important thing is GroupWise, and it's all set for x.x.x.20, can you set it up to use x.x.x.20 for everything (including changing the NAT for myserver.mydomain.com to point to x.x.x.20) and add the x.x.x.10 secondary address for just the iPrint secure access?

I think the big issue will be the "myserver" hostname, with multiple IP addresses getting associated to that same hostname, along with that hostname also being the server name.  Things can get confusing when you use multihoming, but sometimes you have to.  Sometimes you don't.  Since all of the services are on the same server and you aren't static NATting through the NetWare server to get to another server/device on the LAN, there shouldn't be any issue having multiple hostnames assigned to the same IP.  The only problem you might encounter is what you mentioned, the iPrint secure port issue.

As such, I recommend going with a "normal" hosts file with only one IP assigned to the server name, and let DNS handle the rest, running the DNS server on the x.x.x.20 address, with as many A records as necessary to resolve the URLs to the .20 address.

The changes required shouldn't be insurmountable by any means.  

My 2cents.

Actually, the GroupWise Agents also have HTTP/HTTPS interfaces for administration/monitoring, so NoRM is not the only browser-based service beyond iManager.

As I recall, the GroupWise Agents generally default to ports like 3080 or 3180 or something around there. It's configurable.

You can instrust the individual GroupWise Agents to bind to specific IP addresses. By default, all services in NetWare bind to all available IP addresses when they start (this is true of most platforms/environments). There are switches in the Agent configuration files, and also in the ConsoleOne configuration pages, that allow you to specify the IP address(es) to which the Agents should bind in a multi-homed environment.

The issue is with secure iPrint having to use port 443...  If you want to use standard ports for your general web services you have to put iPrint on a separate IP address so it can use port 443.

Most often, in my experience, services in NetWare attach themselves to the first-bound address.  Only a few, like NCP, will listen on all addresses unless you tell it not to.  Since only one address is really being "bound" in this case, that means most services will default to the primary address of the NIC and not to the secondary.

If everything - DNS, DHCP, all of the GroupWise agents, all Apache instances, all Tomcat instances, all LDAP objects, the default server certificates, the mini HTTP server for NoRM , etc. - are all grabbing the primary IP address, and you follow the instructions for putting iPrint on a secondary IP address, it all should function fine.  The user instance of the web server should be able to listen on ports 80 and 443, NoRM on 8008/8009, iManager on 2200/2211, GW Monitor on 3080/3180 or whatever, and so on, all on the primary ip address, and anywhere there might be a conflict with Apache, you can simply change the listen ports in the conf file, and most other services including all of the internal connection ports for the various GroupWise agents, can be set to different ports as need be.

I've decided to go a differnt route. I switched my DNS server to x.x.x.20 and will be removing the secondary address, x.x.x.10, from the server once everyone is pointing to the new DNS Server. Nothing else appears to be using this IP. Although I wanted to preserve the source server for a while longer, I slicked it yesterday and am setting it up to have the x.x.x.10 address. It will run GWWA, our intranet, and any other web services that I can put on it. I'm starting with Apache, Tomcat 4, iManager 2.5, LDAP and QuickFinder. Anything else I should put on other than GWWA? Should I make this a DA or does it matter? Should I also make this a DNS server and maybe switch this to be the primary?

Also, can i have a hosts file that looks like this?

x.x.x.10      MAIN.MYDOMAIN.COM     WEB
x.x.x.20      MAIN

 MAIN is the primary server. WEB is the new server and I want MAIN.MYDOMAIN.COM to point to my new server. Our ISP is already pointing MAIN.MYDOMAIN.COM at the public IP NATed to x.x.x.10. This way my users can get to what they need using the same URL whether they are here or at home. Is this the standard way of doing things? Is there any problem with the server name not matching the first part of the URL? In the second line, can I just have the server name and no URL? Or should I put MAIL.MYDOMAIN.COM to match the A record I have in DNS fro x.x.x.20?

MAIN or MAIL?

If the new primary server is called MAIN and is on x.x.x.20, then everything for "main" or on "main" should point to x.x.x.20.  If the server called MAIN is on x.x.x.10, then you should  have everything for "main" or on "main" using x.x.x.10.

Personally, if you have an internal DNS, my opinion is that your HOSTS file shouldn't have anything that's already handled by your DNS server, whether on the server SYS:ETC/HOSTS or on the workstation C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS.

URLs can have a many-to-one relationship with IP addresses, but not a many-to-many or one-to-many.  (... unless you're using a load-balancer that would handle the routing and/or address translation transparent to the user.)

Sorry, I keep trying to stick with MYSERVER but I forget and put the server's name "MAIN" sometimes. What I 'm trying to figure out is what to fix given that I have an A record and PTR that says x.x.x.20 is MAIL.mydomain.com and my server hosts file says x.x.x.20 is MAIN.mydomain.com.  I want my users to hit our home page by typing MAIN.mydomain.com. The step-by-step I followed to set up DNS recommended I use MAIL, because that was the IP of my GW serverand I would be creating an MX record. Months later when I went to try to get GWWA, iManager, etc working, I had to put this in my hosts file to get anything to work.
 
x.x.x.20   MAIN.MYCOMPANY.com   MAIN
x.x.x.10   MAIN.MYCOMPANY.com   MAIN

If I remove this from the hosts file, what do I need to do in DNS to get this work the way i want?

So, if I leave my DNS the way it is and add an A record and PTR that sys x.x.x.20 is also MAIN.mydomain.com in adittion to MAIL.mydomain.com, that's OK?

OK.  Why?  Are you sending SMTP mail directly from non-GroupWise clients, internally, to your GWIA?

Host names and IP addresses, as I said, can have a many-to-one relationship.

If you have a WEB server listening on port 80 of your x.x.x.20 address, and you want to call it MAIN.MYCOMPANY.COM, then put an A record in your internal DNS pointing to x.x.x.20 with a hostname of MAIN in your MYCOMPANY.COM zone.

If your external DNS says you have a MAIL.MYCOMPANY.COM that is the target of your MX record, cool.  No biggie.  

You can also have your ISP add another A record called MAIN.MYCOMPANY.COM pointing to the same address as your A record for MAIL.MYCOMPANY.COM.  You can also have the default MYCOMPANY.COM record point to the same address, so WWW.MYCOMPANY.COM and MYCOMPANY.COM both resolve to the same address.

So, if the public IP that's NATted to your x.x.x.20 is 62.127.2.55, you'd have 3 A records in your public MYCOMPANY.COM zone, for hosts MAIL, MAIN and WWW with that address, an @ A record with that address, an MX record pointing to MAIL, and reverse-lookup IN-ADDR.ARPA PTRs  for that IP address pointing to MAIL, MAIN and WWW.