Groupwise Web Access Agent

You need to make sure that apache web access is working before you install. Can you go to the server ip in browser? you should get an apache page. If you load ap2webup what do you get?
If not need you'll need to fix apache first. May need to re-install (using the startx - add remove programs)
Then once you get the page, install web access and make sure that you select apache as your web server in the install.
Often apache doesn't load because of certificate issues. run PKIDIAG and check the system out.
I've also found that the support site always has good stuff for webacess http://support.novell.com so if you get an error type it in there and see what you get.
Also make sure you have the latest service packs on Groupwise and Novell.

apache will load up, the only way I got it to do that was to create the httpd conf file from scratch. The ap2webup command you referenced did not work. Apache was working before I installed web access but I'll reinstall.

Wait to re-install Apache.  Confirm some things for me please:

1) type java -show on the console and see if you see anything related to Catalina something or other.  This will show that the tomcat servlet gateway is functioning.  If you don't see it, type TOMCAT4 at the console and as soon as you press Enter, go to the Logger screen and see if you see something like "LDAP is waiting...."  If you see "Doing A Start" then Tomcat is likely working.  If you see the LDAP is waiting then

2) Run PKIDIAG at the console, login with your admin.context and password and choose #4 then press #0 to kick off the diagnose and repair.  How many problems were found and how many were fixed?  If there are no problems found/fixed then

3) Type JAVA -EXIT at the console to unload java and its related files.  Then type TCKEYGEN press enter and go the Logger screen where you should see Exporting a certificate one time and Importing certificates two or three times.  If that doesn't happen, you'll see "LDAP connection refused".

4)  If the "LDAP connection is refused".  Go to Consoleone, delete the SAS -<servername> object and each of the SSL CertificateXXX - <servername> objects and the LDAP Server - <servername> and the LDAP Group - <servername> and wait fo the obituary process to complete (probably about 5 minutes).

5) Open Windows Explorer and navigate to the SYS volume of the server to run WebAccess and get into the SYS:SYSTEM\SCHEMA directory and copy the LDAP.SCH and LDAPUPDT.SCH out to the root of the SYS: volume.

6) Type NWCONFIG at the console of the server and press enter.  Choose Directory Options and Extend Schema.  Login and then press F3 to change the focus from A:\ to SYS: and press enter.  The re-extend of the schema is how you re-create the LDAP Group and LDAP Server objects.

7) Run PKIDIAG again like in step 2 above.  It will re-create the SAS object and the SSL CertificateIP and SSL CertificateDNS.

8) In ConsoleOne, open the LDAP Server object and go the SSL/TLS page (ignore the warning about snapin version).  Add the SSL CertificateIP or DNS to the Server Certificate attribute (the second one) and click ok.

9) Run TCKEYGEN again (which will reload java) and confirm you get one Exporting... and two or three Importing...  in the logger screen.  If that works.  Go to the console and type TOMCAT4 go back to logger and look for Doing a Start.

10) Type AP2WEBUP at the console.  Apache will now and Tomcat will now be working.  Open a browser and go to the http://<serverIP> and press enter and you should get the NetWare/OES welcome.

11) Go back to the server and type STRTWEB to start WebAccess.  Confirm you see the agent screen and the Document Viewer screen.  Go back to your browser and type http://<serverIP>/gw/webacc and see if you get the login screen.  It should be there and you should be able to login unless there are problems with your WebAccess configuration inside GroupWise...if there is post back.

I've done the above at least 100 times and it works every time.

Hope this helps..

Scott Kunau

On Step 6 When I extend the schema and point it to the sys: after copying the schema files, it the screen flashes real quick and I check the logger and don't notice anything is that normal?

And on step 8 I go to the LDAPProvider object under console one but there is no SSL/TLS page.

ap2webup command does not work. I think i resolved step 6 by deleting the two files from the schema folder, and then running nwconfig.

found the ladpp server object, but there is no SSL/TLS tab under the properties of it.

Step 6 will just flash since your schema has already been extended.  The purpose is to re-create two objects in the same OU as your server object, the LDAP server and the LDAP Group objects.  You won't find the SSL/TLS in the LDAPProvider object as that is specific to WebAccess Application (the web server component of WebAccess).

Also, look in the SYS:\SYSTEM directory for the ap2webup.ncf and ap2webdn.ncf files.  Look in the SYS:\APACHE2 directory to see if you see the APACHE2.NLM.  Lastly, look in the SYS:\APACHE2\CONF directory and confirm accurate information in your httpd.conf file (IP address to listen on, etc.)

Before you installed WebAccess, did you see the Apache for NetWare as a module screen on the server...IOW, was it running and now it won't?

I'd also copy/paste the two schema files back into the sys:\system\schema directory.

Let me know.

ap2webup and ap2webdn.ncf are not in sys:\system

Found apache2.nlm in the apache2 folder, as well as apachedown.ncf.

I have an httpd.conf file with the groupwise settings loaded on it.

Apache2 is a functional module, it generates that default page if you hit the ip address. I found the ssl/tls settings tab under the consoleone on the SERVER, but not consoleone for the workstation. I only see one spot to put certificate files and its called "Server Certificate:" but i need to add both right?

Also, when I extended the schema, it recreated the two files in the schema folder.

Your ConsoleOne from the server has the snapins necessary.  Sounds like your desktop install doesn't.  Add the newly generated SSL CertificateDNS (or IP) to the Server Certificate that you've found.

Then continue on with my steps above with the TCKEYGEN and such.

Also, here is the syntax for the ap2webup.ncf

# Startup for Apache Web Server for Netware
# This is called from autoexec.ncf

# Make sure that httpstk isn't listening on 80
httpcloseport 80 /silent

load apache2 -E sys:\apache2\logs\startup.err


and for the ap2webdn.ncf:

# Shutdown for Apache Web Server for Netware

unload address space = os apache2

hmm still didnt work. Service not available 503. Is there any kind of error log I can put up to help you?

The service 503 is caused because Tomcat either hasn't finished running/loading or won't load.  There isn't any log files that I need rather just the results of step 1 above.  If you type JAVA -show, do you see the one or two entries for org.apache.catalina.startup.Bootstrap?

If not, type java -exit wait 30 seconds and type tomcat4.  Quickly go to the logger screen and watch for the words "Doing a Start".  If you don't see those, we still have a security certificate issue.  And we'll need to walk through some of the steps above together.

I see the "doing a start" when I start tomcat4. Here is what I see when I do a show.
here.JPG

Ok. the above shows that you have an occurrence of Tomcat successfully running.  Now if you do CTRL + ESC on the console, do you see a listing for Apache for NetWare 2.something?  And, can you go to a browser and at least get to the welcome screen for Open Enterprise Server?

If you can do that, next try going to WebAccess.

Thanks,

I tired the address and http://serveraddress/gw/webacc 

the second one gives me a 503 service unavailable error
java.JPG
apache.JPG

In the screen of the Apache module, do you see it listening on port 80 and 443?  I cannot tell from the screen.   Also, when you installed WebAccess, did you installed the WebAccess Application?  There should have been two checks in the install, one for the agent and one of the application.

Do you have the flexibility to re-install WebAccess?  And make sure that things get installed into the SYS:SYSTEM directory?  Also, on your server have you run the STRTWEB.NCF to start the WebAccess Agent?

I have it only listening on port 80.
Yes I installed the WebAccess application.

I ran the strtweb.ncf after you mentioned it, but from your walkthrough post it looked like we were trying to test the welcome page first, then launch the webaccess agent, and test complete functionality.

I'm not sure why the Apache is not behaving like normally.  Your Apache screen is correct.  Look in the logger screen to see in the section (you may have to page up) where Tomcat loaded, do you see anything "GroupWise WebAccess"?

Something is not re-directing your browser to the "Welcome" page.  That said, can you go to the WebAccess Login now that you've started the agent? (http://<serverIP>/gw/webacc?

If not, it may be easier to get your overlay CD (NetWare 6.5.x products), remove Apache and Tomcat, reinstall both and then re-install the WebAccess Application.

The tomcat servlet is showing the groupwise applications loading. Even with the webaccess agent on, I'm not able to access it due to a 503 error. Perhaps this will help. after the web access installation, apache would not load because it was missing an httpd.conf file, and I had to paste a generic one in manually, and configure it. After I REINSTALLED WEBACCESS A second time, it wrote the groupwise commands to the bottom of the conf file. But then it still wouldnt load, because it was referencing the java module, but had no way to load it. I had to add in a couple lines for it to load the java module as well.
tomcat.JPG

I just did a quick search on your 503 error and the ones that come up point to Java.  What NetWare SP are you using (type version on the console).  Perhaps a re-install of Java or better yet a re-install of the SP will fix the Java problem.  From what I'm seeing in your screen captures things should be working.  Sorry to keep asking for more info.

I'm still running on 6.5 support pack 6. Let me update to 7. One sec.

Did an upgrade. Apache2 won't load now. When I attempt to, it just says "Press any Key to continue".

I checked and its still using the same httpd.conf file as it was before. weiiird

Check the bottom of the httpd.conf and remark out anything with "include" that points to other .conf files such as iPrint or iFolder.  These items will be clear at the bottom.  You also mentioned adding some lines to your httpd.conf file so java something or other would load.  Check those lines, remark them and then see if Apache2 will load.  

the only include at the bottom of the conf file is the one for groupwise

Do you have a sample http.conf file from one of your groupwise systems I could look at?

Here is the bottom of my file.  There is an entry for gwcal because I've upgraded to GroupWise 8 and their is a Calendar Publishing component for Apache.


</IfModule>

<IfModule mod_auth_ldap.c>

#
#This directive specifies the file that contains all of the character set information
#that auth_ldap needs to do the charset conversions
#
    AuthLDAPCharsetConfig conf/charset.conv
</IfModule>

<IfModule mod_mime_magic.c>
#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type.  The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
    MIMEMagicFile conf/magic
</IfModule>

# Include the welcome page configuration
Include "SYS:/adminsrv/webapps/welcome/web-inf/welcome-apache.conf"

# This is to work around a bug in IE that doesn't handle the server shutting
# down keepalive requests on secure sockets
<VirtualHost _default_:443>
    BrowserMatch "MSIE" nokeepalive downgrade-1.0 force-response-1.0
</VirtualHost>
Include sys:/tomcat/4/conf/tomcatdocs-apache.conf
Include sys:/tomcat/4/conf/tomcatadmin-apache.conf
Include sys:/tomcat/4/conf/tomcatmanager-apache.conf
##### Begin Novell iPrint configuration #####
include iprint/ipp.conf
##### End Novell iPrint configuration #####
include sys:\apache2\ifolder\server\httpd_ifolder_nw.conf
# Include XTier configuration file
Include sys:/netstorage/xsrv.conf
# NetWare iManager Config
Include sys:/tomcat/4/conf/nps-Apache.conf
##### Begin Novell eGuide configuration #####
include "SYS:/tomcat/4/webapps/eGuide/WEB-INF/eGuide-apache.conf"
##### End Novell eGuide configuration #####
 
 
##### Begin Novell GroupWise WebAccess configuration #####
include "sys:apache2/conf/GWapache2.conf"
##### End Novell GroupWise WebAccess configuration #####
 
 
##### Begin Novell GroupWise Calhost configuration #####
include "sys:Apache2/conf/gwcal.conf"
##### End Novell GroupWise Calhost configuration #####

The rest of my file is straight default.

##### Begin Novell GroupWise WebAccess configuration #####
include "sys:apache2/conf/GWapache2.conf"
##### End Novell GroupWise WebAccess configuration #####


This is the only part of my httpd.conf file that I have that involves gw.

You uninstall all groupwise components (mta poa gwia etc)?

No. You don't need to un-install any of the GroupWise components.  When installing WebAccess you'll be prompted that things like the WebAccess agent object exists and to use the existing one.  Same goes for the WA application objects.  Just be sure that the Apache2 is off and that java is unloaded which will bring down Tomcat4.

I've uninstalled tomcat and apache2, but how do I readd them? I have the overlay cd but I don't see a way other than running the sp7 upgrade all over again. Also, when I originally rana the upgrade, once I finished the install, APACHE2 WEBADMIN was the process running under system console, not APACHE 2.0.59 FOR NETWARE.

How do I reinstall the two products?

Nevermind, I found it, I'm under the component selection. I want to add Imanager as well so I can add licenses to the server, but it wants to install tomcat5, is this ok? Will it conflict with my tomcat 4 setup?

reinstalled, I now get the  oes welcome screen when I load apache2.  However I check tomcat when I start it and I do not get the certificates importing and exporting anymore, so webaccess still does not work. The tckeygen command does not work anymore either.

tomcat does not have the bootstrap process working either.

Tomcat is needed for iManager 2.7 but not for GroupWise WebAccess on NetWare (Tomcat 5 will work fine on OES2-Linux with GW).  The two aren't supposed to step on each other but in case they do, remark out the loading of Tomcat5 and confirm that Tomcat4 is starting.

Also, confirm that you see a "Doing a Start" when you type both tomcat4 and tcadmup (the Tomcat Administrator...not required but can be run).  If you do, then Tomcat is loading fine.  If not, unload java (java -exit) and then do your tckeygen and make sure that you see the exporting once and either two or three importing certificates.  

If tckeygen.ncf doesn't work, copy that file from another NetWare server or use the code here and make a new one:

# This tool queries the LDAP server for a host certificate, and imports that
# to the keystore used by Tomcat.
# Note:  There are other functions that EDirectoryIntegrator performs to
# further eDirectory-enable Tomcat.  Refer to sys:/system/tcedirint.ncf, or
# execute the java command below with no arguments for a usage description.
# Other possible actions include adding JNDIRealm to server.xml, and creating
# the necessary security objects in eDirectory (as well as assigning a user to
# the roles required to access Tomcat's manager and admin applications.
# Note also that you can change the keystorealias to import certificates from
# different servers and have them not overwrite each other.

# pulls the host certificate out of eDirectory, adding it into the keystore
java -classpath sys:/adminsrv/lib/tcnwutils.jar;sys:/adminsrv/lib/ecbldap.jar;sys:/adminsrv/lib/ecbsecurity.jar;sys:/adminsrv/lib/jdom.jar;sys:/adminsrv/lib/ecb.jar com.novell.application.tomcat.util.EDirectoryIntegrator -keystoreWork=true -keystore=sys:\adminsrv\conf\.keystore -keystorealias=mykey -keystorePass=apache -servername=localhost -secureport=636

I applied the sp7 patch again and tckeygen is working. As soon as I ran tckeygen, it paired tomcat with apache. And webaccess is working! Thanks a bunch!!!!!

A+

Amazing help from zenemailguy. Couldn't have done it without him.