Novell ® GroupWise ® WebAccess Tips, Tricks and Troubleshooting Danita Zanré Senior Consultant,...

Novell® GroupWise® WebAccess Tips, Tricks and Troubleshooting

Danita ZanréSenior Consultant, [email protected]

Jim MichaelIS Manager, City of [email protected]

© March 9, 2004 Novell Inc.2

one Net: Information without boundaries…where the right people are connected with the right information at the right time to make the right decisions.

The one Net vision

Novell exteNd™

Novell Nsure™

Novell Nterprise™

Novell NgageSM

:

:

:

:

© March 9, 2004 Novell Inc.3

The one Net vision

Novell Nterprise is an innovative family of products which gives you the power to enable and manage the constant interaction of people with your business systems — regardless of who they are or where they are.

Novell Nterprise™

Novell exteNd™

Novell Nsure™

Novell Nterprise™

Novell NgageSM

:

:

:

:

© January 6, 2004 Novell Inc.4

Overview

• WebAccess: How does it work?

• Placement Issues

• Optimizing WebAccess for failover

• Troubleshooting WebAccess

• Customizing WebAccess

• Q & A

5

WebAccess Operation


WebAccess Operation

• The WebAccess Application is a collection of Java servlets that run within a servlet container – in this case, Tomcat. Tomcat is “plugged in” to another web server – in this case, Apache.

• The servlets communicate with the WebAccess Agent via TCP/IP. Agent can be local or remote.

• The WebAccess Agent (GWINTER) is a client that talks to the POAs, and returns GroupWise contents to the servlets.

• The WebAccess servlets merge the returned dynamic content with template (.htt) files, resulting in a complete HTML page.

• The page is passed back to Apache, where it – along with other static content – is returned to the browser as a web page.


WebAccess Operation: What do the objects do?

Gateway Object• Manages properties of the agent (gwinter). One object

must exist for every agent you run.

WebAccess Application Object• Simply provides a GUI for setting the various

application parameters within webacc.cfg/webpub.cfg/spellchk.cfg

• Not strictly necessary at this time for WebAccess to function. A WebAccess application will function perfectly fine without them, as long as the settings in webacc.cfg are correct.

• In some cases, it makes more sense to edit webacc.cfg manually vs. using the application objects (we'll get to that.)


WebAccess Operation: What do the objects do?

Service Provider Object• Manages properties of the GroupWise® provider.

• Like the application object, it is really just a fancy GUI that writes out parameters to webacc.cfg and places commgr.cfg in the correct location.

Object gotchas!• Be careful when adding new WebAccess applications.

By default the installer will try to put the objects in the same location others may already exist, with the same name.

• If you rely on these objects to configure your applications, you could accidentally overwrite an existing application object!


Everything you wanted to know about WebAccess placement, but were afraid to ask...

• Where should my web server sit? Inside the firewall, outside, or in a DMZ?

• Where should the gwinter (agent) sit?

• What are the ramifications of having the web server on the public/DMZ side, and my agent on the inside?

• Should I use multiple GroupWise domains?


Placement Scenario #1

• This is probably the worst configuration possible.

• The agent belongs to the primary GroupWise domain, thus it must authenticate to the file system on the MTA server -- through the firewall.

• The WebAccess application and agent can be on the same box or separated, but neither changes the fact that this is an ugly configuration.

http client

Web Access Application

Web Access Agent

(gwinter) GroupWise POA MTA1

Firewall



• In this configuration, the agent is in its own secondary GroupWise domain, thus it needs no file access to the primary domain. The MTAs communicate via TCP/IP.

• It is most effective and secure when the agent is in its own eDirectory tree, as well. Otherwise, you need to allow DS to sync through the firewall.

• However, when you do use a separate tree, management of the public server can become problematic.

http client


Web Access Agent

(gwinter)MTA2

GroupWise POA MTA1

Firewall



• This is a good configuration. Only the WebAccess application is on the public side, and it can communicate with the agent through a pinhole in the firewall.

• Management is easy as all agents and domains are on the private LAN.

• The agent can be in its own domain or belong to the primary.

http client


GroupWise POA MTA1

Firewall

Web Access Agent

(gwinter)MTA2



• In this configuration all GroupWise components are behind a firewall/reverse-proxy.

• It is a great configuration, as none of the services are exposed directly to Internet clients, and there are no management issues as all components are on the private LAN.

• It can be a potentially faster solution due to the caching of static content on the proxy box.

http client

Web Access Application GroupWis

e POA MTA1

Firewall

Web Access Agent

(gwinter)

REV

ER

SE-P

RO

XY


Optimizing WebAccess for Failover• With multiple WebAccess Agents, you can configure

WebAccess for failover

• Even if you only have a “need” for one WebAccess Agent, you can install additional agents on other servers for failover purposes

• Choose your primary agent

• Choose failover agents – keep versions in mind

• Edit webacc.cfg to add/change order of agents

• Provider.GWAP.Default.address.1=192.168.1.225:7205

• Provider.GWAP.Default.address.2=192.168.2.238:7205


Troubleshooting WebAccess

• Several processes must work together to create the final WebAccess interface.

• The key to troubleshooting WebAccess errors is learning to identify which process is causing the error.

• The four main processes are:

• Apache

• Tomcat

• WebAccess Application

• WebAccess Gateway

1

2

3

4


Troubleshooting WebAccess (cont.)

Consider the following WebAccess error...


Troubleshooting WebAccess (cont.)

What can be learned from this error?

• The 404 Page Not Found is being returned by Apache.

• Apache is trying to find a “page” called /servlet/webacc, which doesn't exist.

• This tells us that something is wrong with mod_jk.

• Either mod_jk isn't loaded, or the directives telling Apache how to communicate with Tomcat are not correct.


WebAccess error: Apache 404

• Double check the mod_jk directives in the Apache conf file.

• LoadModule jk_module modules/mod_jk.soJkWorkersFile “<tomcat>/conf/jk/workers.properties”JkLogFile “<tomcat>/conf/jk/mod_jk.log”JkLogLevel errorJkMount /servlet/* ajp13

• Be sure mod_jk is actually loading. Apache itself won't load if mod_jk throws an error loading, so this one should be obvious!

• Verify that workers.properties exists in the location JKWorkersFile is pointing to, and that it contains valid parameters.


WebAccess error: Tomcat 404


WebAccess error: Tomcat 404

• Since Tomcat is returning the 404, we can assume that mod_jk is configured correctly and that Apache handed off the request for /servlet/webacc just fine.

• Tomcat itself can't find /servlet/webacc, which points to the web.xml file as the culprit.

• Most likely the <servlet-mapping> tag is missing or incorrect.

• <servlet-mapping><servlet-name>

webacc</servlet-name><url-pattern>

/servlet/webacc/*</url-pattern>

</servlet-mapping>


WebAccess error: Compile Error


WebAccess error: Compile Error

• Here we can see that both Apache and Tomcat are configured correctly, because the webacc servlet is returning the error.

• The clue is that the servlet cannot find login.htt, which indicates that the Templates.path in webacc.cfg is incorrect, or that the templates are really not where they should be on the file system.

• Verify that Templates.path in \novell\webaccess\webacc.cfg is pointing to the correct path. It should be

<tomcat>\webapps\ROOT\WEB-INF\classes\com\novell\webaccess\templates


WebAccess error: Blank browser

• Quite confusing as there is no error at all!

• Happens after you are prompted for login, and supply valid credentials.

• Tomcat screen (or logger screen) on server shows many Java exceptions.

• Cause is that there is no commgr.cfg file in \novell\webaccess and/or \novell\webpublisher

• commgr.cfg normally gets copied to these locations by the install program, but when you “manually” install WebAccess this step is easily forgotten.

• WebAccess application needs to be restarted to see the file.


WebAccess error: Unable to Communicate


WebAccess error: Unable to Communicate

• The problem here is the WebAccess Application can't communicate with the agent.

• Be sure the agent (gwinter) process is actually running!

• Be sure the correct commgr.cfg is being used. It could be “valid” but pointing at the wrong IP address/port. This can happen when you modify the IP address or port in the agent object, then forget to re-copy the commgr.cfg back to the web server.

• Verify there is no firewall or filtering happening between the WebAccess Application and agent. The application needs to communicate with the agent over TCP 7205 (default), and the agent replies on the dynamic ports 1024-65535.


WebAccess error: Missing Graphics


WebAccess error: Missing graphics• WebAccess functions perfectly, but all of the graphics are

missing.

• Recall that Apache is handling the static content, while Tomcat is handling the dynamic content... so which process do you think is at fault?

• This implies the static content in webaccessdocs.zip was either extracted to the incorrect location, or that Apache is not really serving up documents from the location you think it is.

• Check that the DocumentRoot directive in the Apache conf file is correct, and that webaccessdocs.zip is extracted there.

• This is a common error on NetWare 6, where two copies of Apache are running against the same Tomcat 3.3 instance. If the “WebAccess Apache” is not launched via gwwebup.ncf, WebAccess will still function via the “NetWare Apache” instance, but the graphics will be missing.



• “500 Internal Server Error” tells us that Apache tried to hand off a request for /servlet/webacc to Tomcat, but there was no process listening on the other end.

• Most often, Tomcat is simply not loaded. • Use JAVA -SHOW to determine if Tomcat is running.

• Verify that Tomcat and mod_jk agree on the IP address/port.

• Tomcat sets the AJP13 address/port in server.xml

• mod_jk sets the AJP13 address/port in workers.properties


WebAccess error: Miscellaneous

• “Page Cannot be Displayed”• BrowserMatch “MSIE” nokeepalive downgrade-1.0 force-

response-1.0

• See TID #1008126

• “Error Sending Mail Message”• Need to change the cryptographic provider in the Win32

client.

• See TID #10081813

• java.lang.IllegalMonitorStateException: current thread not owner

• Occurs when starting Tomcat

• Often seen when running Tomcat on older NetWare/JVM versions

• Add envset JAVA_COMPILER=none to the Tomcat startup file.


Customizing WebAccess - Simple

• Edit the index page• The WebAccess index page is just an HTML form. Edit

it to you heart's desire

• Add 'disclaimer' to login page.• Edit webacc.cfg and set Templates.Cache.enable=false

• The login screen is a combination of login.htt and several .inc include files. Put the HTML you want displayed in a .inc file, then include this in login.htt

• Be careful. Finding the correct location can be tricky!

• Caveat: Your changes will likely be overwritten if login.htt is modified in a future update or service pack.

• Set Templates.Cache.enable=true when you're done making modifications.


Customizing WebAccess - Disclaimer


Customizing WebAccess - GW65SP1

GroupWise 6.5 Service Pack 1• Customization.Properties was introduced in

SP1.

• Simply edit the file and follow the directions within. You can change

• Right-side image (red “Novell”)

• Color scheme

• Applet colors

• Unlike modifying templates with caching disabled, the servlets need to be restarted for any changes to take effect.


A Customized Login Page...

LOGIN


Customizing WebAccessComplex Customizations

• Extreme modifications can be done to the templates, or entirely new templates can be created to make WebAccess look the way you want.

• One example is a “public calendar.”• By default, logging in to WebAccess hosting a

public calendar would be a security risk, as the credentials are passed via a URL or form.

• The solution is to use a new GroupWise Provider that logs into WebAccess via credentials stored within a file, rather than via the URL.

• Another problem is potential “URL tampering”. WebAccess cannot restrict the “actions” that the servlets perform, thus a knowledable hacker could easily deface your caledar, send mail, etc.


Customizing WebAccessComplex Customizations

• New webacc.cfg parameters to support this functionalityActions.allowed=#User.Login#Proxy.Login#Calendar.Search#

Item.Read#Actions.NoAccess.template=noaccessAction.Login=StartupAction.Login.userId=<GW user ID>Action.Login.password=<GW password>Provider.default=GWAPACCProvider.GWAPACC.class=com.novell.webaccess.providers.gwap.access.XGWAPAccessor

• This provider is available free of charge, just ask me for it!

• Learn all about how temlates work via the WebAccess Customization Guide at http://developer.novell.com

The solution is to use a new GroupWise Provider that restricts the actions the servlets can perform to a strict list.


A Public Calendar Example...


General DisclaimerThis document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.

No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

Novell ® GroupWise ® WebAccess Tips, Tricks and Troubleshooting Danita Zanré Senior Consultant,...

Documents

Transcript of Novell ® GroupWise ® WebAccess Tips, Tricks and Troubleshooting Danita Zanré Senior Consultant,...