Forum OpenACS Q&A: having problems with the installing openacs4

Hello,

I am trying to get openacs running on solaris7 (ad patched aolserver
3.3.1 and oracle 8.1.7).  I do not have the BSAFE lib installed; do I
need it?  I edited the AD build script to set BSAFE to true, if I
remember correctly.  I also remember there was a document that said
how to get a copy of BSAFE from somewhere at aol and I cannot find it.
If it exists could some kind soul give me a pointer?

Below is my log file; I hope it helps.

Thanks marc

$ pwd
/opt/aolserver
$ /opt/aolserver/bin/nsd -ft /opt/aolserver/openacs4.tcl
[21/Aug/2001:20:20:37][2371.1][-main-] Notice: nsd.tcl: starting to
read config file...
[21/Aug/2001:20:20:37][2371.1][-main-] Notice:
/opt/aolserver/servers/oacs/modules/nsssl/keyfile.pem
^^^^- I put this in for debugging and the file does not exist
[21/Aug/2001:20:20:37][2371.1][-main-] Warning: nsd.tcl: nsssl not
loaded because key/cert files do not exist.
[21/Aug/2001:20:20:37][2371.1][-main-] Notice: nsd.tcl: finished
reading config file.
[21/Aug/2001:20:20:37][2371.1][-main-] Notice: nsmain:
AOLserver/3.3.1+ad13 starting
[21/Aug/2001:20:20:37][2371.1][-main-] Notice: nsmain: security info:
uid=5002, euid=5002, gid=1, egid=1
[21/Aug/2001:20:20:37][2371.1][-main-] Notice: nsmain: max files:
FD_SETSIZE = 1024, rl_cur = 1024, rl_max = 1024
[21/Aug/2001:20:20:37][2371.1][-main-] Notice: return: redirecting
'404' to 'global/file-not-found.html'
[21/Aug/2001:20:20:37][2371.1][-main-] Notice: return: redirecting
'403' to 'global/forbidden.html'
[21/Aug/2001:20:20:37][2371.1][-main-] Notice: modload: loading
'/opt/aolserver/bin/ora8.so'
[21/Aug/2001:20:20:38][2371.1][-main-] Notice: ora8 driver
LobBufferSize = 16384
[21/Aug/2001:20:20:38][2371.1][-main-] Notice: ora8 driver
PrefetchRows = 0
[21/Aug/2001:20:20:38][2371.1][-main-] Notice: ora8 driver
PrefetchMemory = 0
[21/Aug/2001:20:20:38][2371.1][-main-] Notice: Loaded ArsDigita Oracle
Driver version 2.6, built on 17:58:29/Aug 10 2001
[21/Aug/2001:20:20:38][2371.1][-main-] Notice: adp: mapped /*.adp
[21/Aug/2001:20:20:38][2371.1][-main-] Notice: modload: loading
'/opt/aolserver/bin/nssock.so'
[21/Aug/2001:20:20:38][2371.1][-main-] Notice: modload: loading
'/opt/aolserver/bin/nslog.so'
[21/Aug/2001:20:20:38][2371.1][-main-] Notice: nslog: opened
'/opt/aolserver/log/oacs.log'
[21/Aug/2001:20:20:38][2371.1][-main-] Notice: modload: loading
'/opt/aolserver/bin/nsperm.so'
[21/Aug/2001:20:20:38][2371.1][-main-] Notice: modload: loading
'/opt/aolserver/bin/nssha1.so'
[21/Aug/2001:20:20:38][2371.1][-main-] Notice: modload: loading
'/opt/aolserver/bin/nscache.so'
[21/Aug/2001:20:20:38][2371.1][-main-] Notice: nscache module version
@VER@
[21/Aug/2001:20:20:38][2371.1][-main-] Notice: modload: loading
'/opt/aolserver/bin/nsrewrite.so'
[21/Aug/2001:20:20:38][2371.1][-main-] Notice: modload: loading
'/opt/aolserver/bin/nsxml.so'
[21/Aug/2001:20:20:38][2371.1][-main-] Notice: nsxml module starting
[21/Aug/2001:20:20:38][2371.1][-main-] Notice: conf:
[ns/server/oacs]enabletclpages = 1
[21/Aug/2001:20:20:38][2371.1][-main-] Notice: tcl: enabling .tcl pages
[21/Aug/2001:20:20:38][2371.1][-main-] Notice: tcl: generating interp
init script
[21/Aug/2001:20:20:38][2371.1][-main-] Warning: keepalive:
insufficient maxkeepalive 0: keepalive disabled
[21/Aug/2001:20:20:38][2371.1][-main-] Notice: nsmain:
AOLserver/3.3.1+ad13 running
[21/Aug/2001:20:20:38][2371.1][-main-] Notice: nsmain: security info:
uid=5002, euid=5002, gid=1, egid=1
[21/Aug/2001:20:20:38][2371.5][-sched-] Notice: sched: starting
[21/Aug/2001:20:20:38][2371.1][-main-] Notice: serv: waiting for warmup
[21/Aug/2001:20:20:38][2371.1][-main-] Notice: serv: warmed up
[21/Aug/2001:20:20:38][2371.1][-main-] Notice: socks: idle
[21/Aug/2001:20:20:38][2371.1][-main-] Notice: sched: idle
[21/Aug/2001:20:20:38][2371.1][-main-] Notice: nssock: listening on
167.206.9.143:8080
[21/Aug/2001:20:20:38][2371.6][-nssock-] Notice: nssock: starting
[21/Aug/2001:20:20:38][2371.6][-nssock-] Notice: nssock: accepting
connections
[21/Aug/2001:20:20:59][2371.7][-conn0-] Error: return: failed to
redirect '404': exceeded recursion limit of 3

Posted by S. Y. on
  1. You do not need BSAFE to run OpenACS.
  2. You need BSAFE to compile nsssl.so or nsssle.so (the old SSLv2 modules)
  3. BSAFE Crypto-C is a product of RSA Security. It costs money. Lots.
  4. You can use OpenSSL, a free, open source SSL SDK instead of RSA BSAFE if you're willing to use Scott Goodwin's nsopenssl.so module.
  5. If you don't know if you need nsssl(e).so over nsopenssl.so, then you don't. Just use nsopenssl.so. Try nsopenssl 1.1c rather than the new nsopenssl 2.0.
  6. You're seeing keyfile/certfile error messages in your log file because those files don't exist.
  7. nsd will die if the nsssl(e) module doesn't load correctly. You can
    1. comment out the module,
    2. temporarily fix it by using the demo keyfile and certfile pair,
    3. permanently fix it by generating a valid keyfile and certfile pair, or
    4. compile and configure nsopenssl instead.
  8. Don't forget to double check your paths, spelling, file permissions/ownerships of the security certificates. Assuming that user id 5002 is called "nsadmin" on your machine, then you should chown nsadmin keyfile.pem certfile.pem; chmod 600 keyfile.pem certfile.pem.

I'm not sure what sort of problems you're having. You should try getting AOLserver to run without OpenACS before trying to get it to run with OpenACS: basically, turn off everything in the server modules section in your nsd.tcl file except nssock and nslog. If you can't serve up plain "Hello, world" type HTML files, you've hosed your configuration.

Once you get nsd to serve up regular HTML pages, try your OpenACS install again with debug turned on in your nsd.tcl and put your server log and your nsd.tcl configuration files somewhere on the web where people can view them.

Posted by S. Y. on
Note that there are some versions of the nsd.tcl file that will check to see if keyfile.pem and certfile.pem variables have been set, and then they will try to load the module at the very bottom of the script. There are other versions of the nsd.tcl file that simply have the nsssl(e).so module listed in the modules section and expect that you, the server administrator, have set things up properly.

I forget what happens if the module doesn't even exist, but if it does exist and the certfile and keyfile aren't readable, then nsd will die (I was just mucking around with this myself earlier today and witnessed it). I had $sslkeyfile and $sslcertfile set to the appropriate files and in the nsssl module section I had the parameters set to $sslkeyfile.pem and $sslcertfile.pem (meaning, AOLserver was unsuccessfully looking for files called keyfile.pem.pem and certfile.pem.pem). Doh!
Good luck.
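
As an added example (not code from the thread or from AOLserver), here is a POSIX shell preflight for the checks described in the two posts above: the key and certificate files exist, are readable, have mode 600 and the expected owner, and a doubled .pem.pem suffix is flagged. The function names and output labels are hypothetical; pass in the real paths and account name from your own nsd.tcl.

```shell
#!/bin/sh
# Added example (not from the thread): preflight check of the nsssl key/cert
# pair. File names and the owning account are assumptions you pass in.

# check_pem FILE OWNER: print findings, return 0 only if FILE is usable.
check_pem() {
    f=$1; want=$2; rc=0
    if [ ! -f "$f" ]; then
        echo "MISSING     $f"
        # The ".pem.pem" slip: the suffix was appended to a full file name.
        case $f in *.pem.pem)
            if [ -f "${f%.pem}" ]; then
                echo "HINT        ${f%.pem} exists; suffix doubled in nsd.tcl?"
            fi ;;
        esac
        return 1
    fi
    if [ ! -r "$f" ]; then echo "UNREADABLE  $f"; rc=1; fi
    mode=$(ls -ld "$f" | awk '{print substr($1, 1, 10)}')
    who=$(ls -ld "$f" | awk '{print $3}')
    # chmod 600 leaves no group/other bits: mode string ends in "------".
    case $mode in
        ????------) ;;
        *) echo "LOOSE_MODE  $f is $mode, expected -rw-------"; rc=1 ;;
    esac
    if [ "$who" != "$want" ]; then
        echo "WRONG_OWNER $f is owned by $who, expected $want"; rc=1
    fi
    return $rc
}

# check_pair KEYFILE CERTFILE OWNER: both files must pass.
check_pair() {
    ok=0
    check_pem "$1" "$3" || ok=1
    check_pem "$2" "$3" || ok=1
    return $ok
}

# Constructed demo: throwaway files standing in for a real module directory.
demo() {
    d=$(mktemp -d) || return 0
    me=$(id -un)
    : > "$d/keyfile.pem"; : > "$d/certfile.pem"
    chmod 644 "$d/keyfile.pem"; chmod 600 "$d/certfile.pem"
    check_pair "$d/keyfile.pem" "$d/certfile.pem" "$me" || echo "-> not ready"
    chmod 600 "$d/keyfile.pem"
    check_pair "$d/keyfile.pem" "$d/certfile.pem" "$me" && echo "-> ready"
    check_pem "$d/keyfile.pem.pem" "$me" || echo "-> not ready"
    rm -rf "$d"
}
demo
```

Run it as the account nsd runs under, so the readability test reflects what the server will actually see.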

Posted by Marc Spitzer on
One thing I have figured out is that you can get nsssle.so to load if you use the version that comes with the aolserver 3.4 binary distribution

marc

Posted by S. Y. on
Marc,

That's right. nsssl.so = 128-bit "U.S. domestic-grade" encryption. nsssle.so = 40-bit "export-grade" encryption (hence the 'e' suffix). I guess the export version of the module is being included in some binary distributions (it's been such a long time since I personally downloaded a binary distribution).

The SSL modules (nsssl.so, nsssle.so, or nsopenssl.so) are recommended for A.) administrative purposes, and possibly B.) for e-commerce. They're basically used if you want/need HTTPS.

nsssl.so and nsssle.so only support the SSLv2 protocol. Scott's nsopenssl.so module supports SSLv2, SSLv3, and TLSv1. In addition, Scott continues to work on nsopenssl, adding more support for client verification, etc. It appears that no work has been done on the AOLserver nsssl(e) module for a couple of years (e.g., not even SSLv3 nor TLSv1).

Posted by carl garland on
BTW, it looks like from your log file that one of the first pages you are trying to load is not in your docroot and you have a 404 redirect to global/file-not-found.html. It looks like that file doesn't exist and is caught in a redirect/not exist loop.  That is probably the source of the last line in your log output that is giving you the error.

Best Regards,

Posted by Marc Spitzer on
Thanks for the help.  I appear to have everything working except for an oracle issue that I will take care of tomorrow at work.  The root cause of my problems was pride, I thought I knew better than the directions.  When I followed the directions (install guide) things worked well.  oracle looks like I do not have a login configured correctly, but that is for another day.

Good night

Posted by S. Y. on
Carl's right. It looks like whatever file you're trying to access (maybe your document root is misconfigured in your nsd.tcl file), the server can't find. If the doc root is misconfigured, it's not going to find your 404 and 500 redirect pages. I strongly suggest you try serving up plain old HTML pages before chasing down OpenACS problems. If nsd can't find your 404 and 500 redirect pages, something is probably really messed up with your config file.

Your log file is pretty hard to read. Next time please wrap PRE tags around the output and post as HTML (this is a good thing to do if you post your nsd.tcl file, code fragments, etc.). If you post to an OpenACS or Classic ACS bboard as "plain text", only double carriage returns will signify a paragraph. Single carriage returns are totally ignored and sentences are strung together to form a paragraph until the next double carriage return.