IBM HTTP Server Version 6.0.2.39:


IBM HTTP Server product documentation

You can find the product documentation for IBM HTTP Server online at http://www-306.ibm.com/software/webservers/httpservers/library/.


Eligible support entitlements

The license agreement for this product refers you to this file for a list of "Eligible Support Entitlements" for this product. To the extent you have acquired an "Eligible Support Entitlement" for an earlier version of the Program, you may replace such earlier version with a copy of the Program and receive Program Services under the terms and conditions of the Eligible Support Entitlement for the Program (instead of the earlier version of the Program). The Eligible Support Entitlements for this product are:


Operating system prerequisites

Operating system prerequisites for IBM HTTP Server are the same as those for the corresponding WebSphere Application Server release. Refer to the table at http://www-306.ibm.com/software/webservers/appserv/doc/v60/prereqs/was_v602.htm. Additional operating system fixes may be appropriate in some cases.

AIX

The presence of an AIX APAR can be verified with the instfix command:

# /usr/sbin/instfix -vik IYnnnnn

xlC.rte 6.0 or higher runtime is needed when running IBM HTTP Server on AIX

On AIX, make sure that the xlC.rte 6.0 runtime library (for example: xlC.rte.6.0.0.0) is installed before installing IBM HTTP Server V6.0. This runtime library is needed to install and use SSL with IBM HTTP Server V6.0 on AIX. You can install the runtime library from the AIX V5.2 CD. However, it is not available on the AIX V5.1 CD. You can download it from the Fix Delivery Center for AIX V5 Web site.

xlC.rte 7.0.0.1 or higher is also sufficient.

HP-UX for the IA64 platform

IBM HTTP Server supports Update2 of HP-UX 11i v2, along with patch PHSS_30414. If you do not have these updates, IBM HTTP Server may fail to start and you will see the following message:

Jan 10 11:29:52 2005] [crit] (223)Operation not supported: make_sock: for address [::]:80, apr_socket_opt_set: (IPV6_V6ONLY) 
no listening sockets available, shutting down 

Solaris 10

A Solaris patch to correct problems with AF_UNIX sockets must be installed. The SPARC version of the patch is 120664-01. The x86-64 version of the patch is 120665-01.


Separate download of IBM Directory Server (IDS) client is not required

In previous versions of IBM HTTP Server, to use the mod_ibm_ldap module, a separate IDS client was needed. This requirement has been removed. A separate download of the IDS client is no longer required on any supported platforms.


Global Security Kit (GSKit) levels and FIPS

The SSLFIPSEnable directive of mod_ibm_ssl enables a special FIPS 140-2 SSL processing mode. The FIPS implementation in GSKit undergoes a certification procedure in order to achieve FIPS compliance. The FIPS implementation in certain levels of GSKit on certain platforms has not completed certification.

In order to use SSLFIPSEnable with a GSKit FIPS implementation which has not completed certification, the ICC_IGNORE_FIPS environment variable must be set in ihsroot/bin/envvars, as follows:

ICC_IGNORE_FIPS=yes
export ICC_IGNORE_FIPS

If an uncertified GSKit FIPS implementation is used and SSLFIPSEnable is specified but the ICC_IGNORE_FIPS setting has been omitted, the following error will be written to the error log:

SSL0100S: GSK could not initialize, GSK_ERROR_FIPS_NOT_SUPPORTED

Here are GSKit versions distributed with IBM HTTP Server (including interim fixes) known to have this issue:

Platform          GSKit levels
HP-UX/PA-RISC     7.0.3.20, 7.0.3.27
Solaris/x64       7.0.3.20, 7.0.3.27

Environment variable needs to be set when running with Secure Sockets Layer (SSL) on SuSE SLES 8 (United Linux 1.0)

On SuSE SLES 8.0 (United Linux 1.0), set the following environment variable before starting IBM HTTP Server V6.0 with SSL enabled; otherwise, IBM HTTP Server V6.0 will not start:

export LD_PRELOAD=/usr/lib/libstdc++-libc6.2-2.so.3


IPv6 support on Windows XP and 2003 operating systems

IBM HTTP Server V6.0.2.3 and later support IPv6 on Windows XP and 2003 operating systems. IPv6 is not supported on Windows 2000 operating systems.

Support for IPv6 on Windows operating systems is configured slightly differently from Unix platforms: the Listen directive should always include either an IPv4 address or an IPv6 address. Any existing Listen directives that are not qualified with an IP address should be updated to include one, even if Windows IPv6 networking is not configured. Use 0.0.0.0 for the default IPv4 address and [::] for the default IPv6 address. For example, add the following line to httpd.conf to listen on IPv6 port 80:

Listen [::]:80

"Listen 0.0.0.0:80" or "AfpaPort 80" should also be configured if you wish to accept connections over IPv4. Afpa is only supported for IPv4.

Windows IPv6 networking must be configured before enabling IPv6 Listens.
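As an added check for the rule above (example code written for this section, not part of the IBM HTTP Server package), the following Python audits an httpd.conf for Listen directives that lack an IP address and proposes the 0.0.0.0-qualified replacement that preserves their IPv4 behaviour; the configuration it scans is a constructed sample.

```python
import re

SAMPLE_CONF = """\
# constructed sample httpd.conf fragment, not a real configuration
Listen 80
Listen 0.0.0.0:443
Listen [::]:80
  listen 8080
#Listen 9090
Listen 192.0.2.10:8443
Listen [2001:db8::10]:8443
"""

# Listen [address:]port: IPv6 addresses are bracketed, IPv4 addresses are dotted quads.
LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)\s*$", re.IGNORECASE)
IPV6_RE = re.compile(r"^\[(?P<addr>[0-9A-Fa-f:.]+)\]:(?P<port>\d+)$")
IPV4_RE = re.compile(r"^(?P<addr>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$")


def classify_listen(arg):
    """Classify one Listen argument as 'ipv6', 'ipv4', 'unqualified' or 'invalid'."""
    m = IPV6_RE.match(arg)
    if m:
        return ("ipv6", m.group("addr"), int(m.group("port")))
    m = IPV4_RE.match(arg)
    if m:
        return ("ipv4", m.group("addr"), int(m.group("port")))
    if arg.isdigit():
        return ("unqualified", None, int(arg))
    return ("invalid", None, None)


def audit_listens(conf_text):
    """Return (unqualified, replacements): (line number, text) of each Listen
    lacking an IP address, plus the 0.0.0.0-qualified line that keeps its IPv4
    behaviour; add "Listen [::]:port" only once Windows IPv6 is configured."""
    unqualified, replacements = [], []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = LISTEN_RE.match(line)
        if not m:
            continue  # comments, blank lines and other directives
        kind, _addr, port = classify_listen(m.group(1))
        if kind == "unqualified":
            unqualified.append((lineno, line.strip()))
            replacements.append("Listen 0.0.0.0:%d" % port)
    return unqualified, replacements


if __name__ == "__main__":
    for (n, text), fix in zip(*audit_listens(SAMPLE_CONF)):
        print("line %d: %r has no IP address; use %r" % (n, text, fix))
```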


Performing silent installations

Update packages include the updateinstaller/responsefiles/install.txt file, which provides inputs for silent installations. Refer to the instructions in that file.

Full install packages include the responsefile.txt file, which provides inputs for silent installations. Refer to the instructions in that file.


Service updates

Beginning with V6.0.2.3, if the ihsdiag module mod_whatkilledus is used, ensure that the module is obtained from ihsdiag 1.4.2 or later.

Refer to the Fix list for IBM HTTP Server Version 6.0.2 document for the list of fixes in each fix pack. The fix list is no longer duplicated in this file.

IBM HTTP Server V6.0.2.39

IBM HTTP Server V6.0.2.37

IBM HTTP Server V6.0.2.35

IBM HTTP Server V6.0.2.33

IBM HTTP Server V6.0.2.31

IBM HTTP Server V6.0.2.29

IBM HTTP Server V6.0.2.27

IBM HTTP Server V6.0.2.25

IBM HTTP Server V6.0.2.23

IBM HTTP Server V6.0.2.21

IBM HTTP Server V6.0.2.19

- PK39018 Restart sidd if it crashes or exits unexpectedly
- PK38839 Allow coredumps and other serviceability data for SIGFPE
- PK34981 The IHS administrative console incorrectly reports the
  stop/start status of the IHS server
- PK35675 mod_mem_cache crashes when used with client certificate
  authentication
- PK34180 Fix incorrect 304 responses for objects which have expired
  from the cache
- PK31460 Fix handling of non-200 success status codes when
  "ProxyErrorOverride On" is configured.
- PK30837 mod_ibm_ldap problems when enabled in .htaccess files
- PK37731 no client certificate prompt when multiple SSL vhosts configured
- PK33253 SSL virtualhosts unable to perform SSLV3 handshake when
  keyfile directive has been specified with an invalid parameter

There were no service updates to IBM HTTP Server V6.0.2 between 6.0.2.15 and 6.0.2.19.

IBM HTTP Server V6.0.2.15

- PK29154 mod_rewrite defect led to vulnerability with IHS 6.x on Windows
- PK28359 mod_ibm_ssl crypto card initialization problem when
  SSLServerCert directive is used
- PK28348 mod_cgid misprocessing when ScriptLog is defined inside
  VirtualHost

IBM HTTP Server V6.0.2.13

- PK21998 SSLProtocolDisable directive can disable specific protocols
- PK24631 HTML-escape the value of the Expect header in the error
  response to a bad Expect value
- PK24686 Fix missing path information in arg0 of CGI scripts spawned
  by mod_cgid
- PK22995 Fix excessive forking in worker MPM if child process
  startup is slow.
- mod_cache: Fix inconsistent results from requests which are
  implemented as subrequests.
- PK25428 Periodic IHS admin seg faults on start/stop request from WAS
  console
- Correct a problem with ikeyman.bat on Windows 2000

IBM HTTP Server V6.0.2.11

- PK20167 correct GSKit packaging problem
- PK22485 memory leak and crash if files being served are truncated
- PK23962 ikeyman.bat on Windows broken with GSKit 7.0.3.20
- htdbm crash with -d option on HP-UX/ia64
- allow diagnostic modules to track activity in log-transaction hook

IBM HTTP Server V6.0.2.9

- PK20184 crashes related to mod_ibm_ssl and mod_ext_filter
- PK20050 status line problem with WebSphere plug-in and byterange filter
- PK17802 mod_speling crash with WebSphere request
- PK13784 GSKit upgrade to 7.0.3.20 (except for HP-UX/PA-RISC)
- PK17867 mod_ibm_ldap LDAPCodePageDir directive
- PK19060 mod_ibm_ldap doesn't retry request when server timed out
  connection
- PK18642 mod_ibm_ldap memory leak
- PK19865 ikeyman won't start on AIX due to JAVA_HOME setting
- mod_ibm_ssl now removes null ciphers from default list
- Apache.exe -V on Windows and apachectl -V on other platforms now
  displays CVE ids of applicable Apache vulnerabilities resolved in this
  level of IBM HTTP Server

IBM HTTP Server V6.0.2.7

- PK13858 Do not remove Content-Length header for a proxied HEAD
  request, allowing Windows Update to work through an IBM HTTP Server proxy.
- PK15553 multiple mod_include fixes, including a change to log a
  warning message if mod_include is only partially configured (filter
  enabled but option not enabled)
- Prevent hosts with SSLProxyEngine On from covering up failed
  initialization of primary SSL environment.
- Enable TLS protocol in the GSKit proxy environment to allow for
  connections to backends using FIPS ciphers.
- PK13453 Allow SID reuse when SSLClientAuth is optional and
  client does not provide certificate.
- PK16390 Change disk space requirements for the update to require
  only 15MB free on the filesystem used for temporary files and 30MB
  free on the filesystem where IBM HTTP Server is installed
- PK15926 Resolve conflict between mod_ibm_ldap and the use of
  ldap in /etc/nsswitch.conf for system user authentication on Linux.

There were no service updates to IBM HTTP Server V6.0.2 between 6.0.2.3 and 6.0.2.7.

IBM HTTP Server V6.0.2.3

- CAN-2005-2970 worker MPM memory leak after aborted connection
  (non-Windows platforms)
- Prevent double-free of GSKit memory during stop or restart which
  sometimes caused a coredump (non-Windows platforms)
- Prevent double-free when an error occurred reading data from sidd.
  (non-Windows platforms only)
- CAN-2005-2491 Fix integer overflow in PCRE which leads to a
  heap-based buffer overflow.
- CAN-2005-2728 Fix byte-range filter which allowed remote attackers
  to cause a denial of service (memory consumption) via an HTTP header
  with a large Range field.
- Handle strerror() returning NULL on Solaris, resolving possible
  crashes when writing to the error log.
- Handle SSL requests where FIN is received from the client on
  Keepalive connections before the response is written.
- sidd now reports specific error code and filename when its trace
  or error log can't be opened.
- Fixed swapped references to ciphers 62 and 64. This resulted in
  SSLCipher* directives operating on the wrong cipher (i.e. using 64 if
  62 had been specified).
- Fix SSL handling of Timeout values larger than 2000 seconds,
  resolving SSL handshake failures
- PK09327 IHS Admin running on 64 bit fails to propagate the files
  from websphere application server to IHS.
- PK08359 IHS 6.0 Admin service cannot start as non-root, nor can run
  multiple concurrent instances on same machine.
- PK10954 Statically linked LDAP client libraries upgraded to version
  6.0 fp1.

IBM HTTP Server V6.0.2.1

- PK07831 Resolve incompatibility between IBM HTTP Server and certain
  GSKit levels
- PK07747 Resolve incompatibility between AFPA support on Windows
  operating systems and Microsoft Security Patch MS05-019
- CAN-2005-2088 preventative measures to prevent HTTP request
  smuggling, from Apache 2.1.6 and future Apache 2.0.55
- mod_ibm_ssl: include client IP address on many messages
- mod_ibm_ssl: improve reporting of many SSL communication errors
- PK03603 worker mpm: do not take down the whole server for a transient
  thread creation failure
- PK05830 Prevent hangs of child processes when writing to piped
  loggers at the time of graceful restart
- PK05957 Support the suppress-error-charset setting, as with Apache
  1.3.x
- Set REDIRECT_REMOTE_USER for redirection of authenticated requests
- worker mpm: lower severity of mutex "error" message which can occur
  normally during restart
- display time taken to process request in mod_status
- mod_proxy: Handle client-aborted connections correctly
- mod_mime_magic on Windows: support magic files with native line
  endings
- support SHA1 passwords for mod_auth and mod_auth_dbm
- support SendBufferSize on Windows operating systems
- start piped loggers via the shell on Unix platforms, to support
  redirection
- mod_cgid: Fix buffer overflow processing ScriptSock directive
- mod_ibm_ldap: put timestamp on ldap trace records for correlation
  with other logs
- mod_ibm_ldap: return authorization error instead of internal server
  error when password has expired
- mod_ibm_ldap: add configuration control over whether or not
  referrals are chased via "LdapReferrals [On|Off]" and
  "LdapReferralHopLimit nnn"
- mod_ibm_ldap: add rebind support for improved compatibility with
  Microsoft Active Directory 2003

IBM HTTP Server V6.0.2

- Fix storage corruption problem with mod_userdir+suexec processing
- Fix memory leak in the cache handling of mod_rewrite
- Fix problem with default service name on Windows with 6.0.1.
  Service name is 6.0 for life of 6.0.x release.
- PK04429 mod_rewrite: improve performance with large RewriteMap files
- dbmmanage: Select the database format which is accepted by IBM HTTP
  Server
- Set RH variable to indicate which module handled or failed the
  request
- Fix a servlet timeout when a POST response page contains SSI tags
- fix mod_fastcgi incompatibility with WebSphere plug-in
- rename zlib symbols used by mod_deflate to avoid collision with
  third-party modules
- fix ownership of sidd socket if IBM HTTP Server started as non-root
  on HP-UX platforms
- PK00175 mod_ibm_ssl corrupts LIBPATH, breaking startup of
  third-party module
- add "/server-status?showmodule" support for displaying name of
  module where request is stuck; ihsdiag 1.4.0 also exploits this support
- PQ86346 Seg fault with IBM HTTP Server ldap/nss ldap on 390

IBM HTTP Server V6.0.1

- CAN-2003-0020 escape data before writing to error log

IBM HTTP Server V6.0.0.2

- remove 2GB log file size restriction on Linux and Unix systems
- PQ98957 fix HTTP RFC violations with handling of request bodies by
  proxy
- PQ97712 fix worker MPM problem which left stranded processes after
  shutdown
- fix mod_deflate problems handling 304 or 204 responses
- PQ97125 CAN-2004-0942 fix memory consumption dos for folded MIME
  headers
- reduce severity of message for TCP_NODELAY error