Contents

Getting Started with Your Internet POWERsolutions Server
How to Configure TCP/IP on Your Server
Using a Web Browser for System Administration
Server Security

Thanks for choosing our products! We look forward to serving your needs in the future.

Getting Started with Your Internet POWERsolutions Server

In this POWERsolution, IBM has:

To get your proxy server up and running, you must:

1. Follow the directions for configuring TCP/IP on your server. These directions are on the following pages.
2. Examine the on-line documentation included with the server and decide how you want to configure your server. You can access this on-line documentation by pressing the Help button which appears on most of the Proxy administration server's forms.
3. Configure the Netscape Proxy server using a web browser. The steps required to do this are describe in Using a Web Browser for System Administration.

How to Configure the TCP/IP on your Server

Using a Character-Only tty Console

Using a Graphics Console

If you are using a graphics terminal as the console to use and access your Proxy server, follow these instructions:

1. Power-up your machine.
2. In the lower portion of the Help Viewer screen on the Installation Assistant Task List, click on the airplane icon next to the Configure Network Communications option. This will launch the System Management Interface Tool (SMIT).
3. In SMIT, click on the option for TCP/IP Startup.
4. Select your primary interface, usually en0 (for Ethernet) or tr0 (for Token-Ring).
5. Input your network settings for the following attributes and hit Enter (consult your LAN administrator if you don't know which network settings will be used by your server).

     HOSTNAME...........................................<localhost>
     Internet ADDRESS (dotted decimal)..................<>
     Network MASK (dotted decimal)......................<>
     Network INTERFACE..................................en0
     NAMESERVER
              Internet ADDRESS (dotted decimal).........<>
              DOMAIN Name...............................<>
     Default GATEWAY Address............................<>
     (dotted decimal or symbolic name)
     Your CABLE Type....................................N/A
     START Now..........................................yes
   
   

   Note: Your system was configured with a HOSTNAME of localhost; change the hostname to your desired name. Be sure to enter your fully qualified hostname here (e.g., serverName.domainName).

   Note: Internet ADDRESS and HOSTNAME must be defined for the server to properly connect into your network. The other parameters are optional and must only be entered if they are needed by your site. Some parameters specific to the communications adapter may also be required.

   If you see a TCP/IP error message like: Bind error to port 8080 - already in use. ignore it. Your proxy server has been configured to use this port.

6. Exit SMIT by pressing the F12 key.
7. At this point, you may choose to perform any of the other installation assistant tasks on the menu.
8. When complete, click on the airplane icon next to the Task Completed option.
9. The AIX Welcome screen will appear. Press the Options button and select Command Line Login.
10. Login as root.
11. Run the script /usr/ns-proxy-home/ns-update to update your Proxy server with your new TCP/IP configuration.
12. Type exit. The AIX Welcome screen will appear.
13. Type root in the user name field and press the OK button.

At this point your machine is running AIX, the Common Desktop Environment, TCP/IP, Proxy server and Proxy administration server.

Using a Web Browser for System Administration

One of the first things you'll want to do is change your server's administration id, administration password, and the hosts that are allowed to administer your server. To do this:

1. Access the administration server by typing the following into the Navigator's Location field:

   http://<servername>.<your_domain>:<port_number>/

   For example, http://rs6000.ibm.com:8888/

   The port number for your administration server is 8888.

   If your Netscape Navigator is not running, open a DT Terminal and type:

   netscape http://<servername>.<your_domain>:<port_number>/ &

   If for some reason your administration server is not running, the Netscape Navigator will display an error message complaining that the network connection was refused by the server. If you see this error, restart the administration server by entering the command /usr/ns-proxy-home/start-admin and try again.

   If you see the message: Error: Can't open display, then your DISPLAY environment variable is not set to the correct value.

2. The administration server will first prompt you for a username and password. Your userid is admin and your password is admin. The Netscape Server Selector appears. For more information on this screen and configuring Proxy in general, please refer to the on-line Proxy Server Administrator's Guide.
3. Select Configure Administration from the Server Selector. The Administration Configuration screen appears.
4. Select Access Control. The Administration Server Access Control form appears with the following fields:
   • Hostnames to allow. You will probably want to restrict which hosts are allowed to administrate your server, so that only hosts that you know are safe can access the server manager. That way only hosts that you know can make changes to your configuration. Any computer that isn't on the list of host names (or IP addresses, see below), is denied access to the administration server. You can use wildcard patterns to specify a group of hostnames, such as *.rs6000.ibm.com. Separate entries with commas.
   • IP addresses to allow. Any computer that isn't on this list of IP addresses (or Hostnames, see above), is denied access to the administration server. Separate entries with commas.
   • Authentication user name. You can also change the user name your server uses to verify that you are in fact the server administrator. This user name is the name you gave when you accessed the server manager for the very first time - your browser should have shown you a dialog box that said "Server Administrator", and you entered a username and a password to authenticate yourself. This name is an HTTP user name, so it is only useable within the server. Simply choosing a name and entering it here will cause the server to create the user for you.
   • Authentication Password. Allows you to change the password for the authentication user name. If you leave this field blank, the password will not be changed.
   • Authentication Password (again). You have to type in the password twice to change it.

   Type in your changes. Unfortunately, the Help button on this form does not work properly. This will be fixed in a future release.

The first time you select the link to the right of the Server Selector's on/off switch, you may see the following message: "Warning manual edits not loaded. Some configuration files have been edited by hand. Use the Apply button on the upper-right side of the screen to load the latest configuration files." If you see this message click the Apply button and load the configuration files (the files were changed by ns-update). Note that you might have to increase the width of the Netscape Navigator window to see the Apply button.

Server Security

When a web browser requests a SSL (Secure Sockets Layer) connection to a secure web server through the Netscape Proxy server, the Proxy opens a connection to the web server and then simply copies encrypted data in both directions. This does not in any way compromise the security of an SSL session. Since the Proxy server can't read the data (its encrypted), it can't verify that the protocol spoken between the client and server is SSL. This means the Proxy can't prevent other protocols from being passed through an SSL connection. Consequently, you should restrict SSL connections to only port 443 (or other well-known HTTPS ports as assigned by the Internet Assigned Numbers Authority).

As a server owner, you are responsible for maintaining the integrity of your RS/6000 and the operating environment that your products are using. There are many sources of information to help you understand the issues involved with securing your system from unwanted intruders

The resources listed below introduce many concepts related to computer system and network security. You can access these documents on the Internet, using the Netscape Navigator browser.

• Site Security Handbook, (URL: gopher://ds1.internic.net:70/0/fyi/fyi8.txt).
• Securing Internet Information Servers, Computer Security Technology Center at Lawrence Livermore National Laboratory (URL: ftp://ciac.llnl.gov/pub/ciac/ciacdocs/ciac2308.txt).