Hitachi

uCosminexus Application Server HTTP Server User Guide


G. Notes on migration from earlier versions

The following table lists points to note when migrating from an older version, and indicates whether settings need to be changed.

Table G‒1: Points to note when migrating from an older version

| No. | Item | Version before migration: V8 | Version before migration: V9 |
| --- | --- | --- | --- |
| 1 | Change of program product name | Y | - |
| 2 | The program menu is no longer provided (Windows version only) | Y | - |
| 3 | The SSLv2 protocol is not supported | Y | - |
| 4 | The SSLv3 protocol is not supported | Y | Y |
| 5 | Stricter verification of CA certificates | Y | Y |
| 6 | Change of the request log output format | Y | Y |
| 7 | Change in directives | Y | Y |
| 8 | Addition of message IDs | Y | Y |
| 9 | Change of SSL-related commands | Y | Y |
| 10 | Change in supported encryption types | Y | Y |
| 11 | The static contents cache functionality is not supported | Y | Y |
| 12 | The SSL session management functionality is not supported | Y | Y |
| 13 | The user authentication and access control functionality using the directory service are not supported | Y | Y |
| 14 | Change in status codes | Y | Y |
| 15 | The NameVirtualHost directive is not supported | Y | Y |

(Legend)
  • V8 and V9 stand for Application Server Version 8 and Version 9 (excluding this version), respectively.

  • Items for which settings need to be changed are as follows:

    Y: Settings need to be changed at migration

    -: No settings need to be changed

The following are points to note for each item. If settings need to be changed, perform the tasks from installation to startup.

  1. Change of program product name

    The name of the program product has been changed from Hitachi Web Server to Cosminexus HTTP Server. Accordingly, the names used for logs or HTTP communications have changed from Hitachi Web Server to Cosminexus HTTP Server. In the Windows version, the service name created by default has also been changed, except when the service Hitachi Web Server already exists in your environment from an installation of an earlier version.

  2. The program menu is no longer provided (Windows version only)

    The program menu of this product is no longer created in the Windows Start menu.

  3. The SSLv2 protocol is not supported

    SSLv2 can no longer be specified for the SSLProtocol directive. If you send a request from a client that supports SSLv2 only, the SSL handshake will result in an error and the connection will fail.

  4. The SSLv3 protocol is not supported

    SSLv3 can no longer be specified for the SSLProtocol directive. If you send a request from a client that supports SSLv3 only, the SSL handshake will result in an error and the connection will fail.

  5. Stricter verification of CA certificates

    Stricter rules are applied according to the contract when a CA certificate is verified during client authentication. If the CA certificate does not follow the rules, a security problem might occur, and client authentication might result in an error. Use the following check methods to ensure that your CA certificate follows the rules.

    To quickly check the CA certificate:

    1. Execute the following command to display the contents of the certificate:

    openssl.sh x509 -text -in CA-certificate-file

    2. If the text displayed by executing the command does not include CA:TRUE, client authentication might result in an error.

    - Output example (excerpt)

        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE

    To check the CA certificate in 09-00-60 or later, 09-65-60 or later, or 09-87:

    1. Execute the following command to verify the certificates:

    openssl.sh verify -CAfile CA-certificate-file client-certificate-file

    Operands

    - -CAfile CA-certificate-file

      Specify the CA certificate file. If a certificate chain is configured by issuing the intermediate CA certificate from the root CA certificate, specify these CA certificates in a single file.

    - client-certificate-file

      Specify the certificate file authenticated by the CA.

    2. If OK is not displayed by executing the command, client authentication might result in an error.

    - Output example (when cert.pem is specified for client-certificate-file)

    cert.pem: OK
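
The two checks above combined into one script, as an added example that is not part of the Hitachi manual. The x509 -text display covers only the first certificate in a file, so when root and intermediate CA certificates share one file the script splits it and looks for CA:TRUE in each; the function names and the OPENSSL_CMD override are assumptions of this example.

```shell
#!/bin/sh
# Added example: apply the page's two CA-certificate checks to a CA file.
# OPENSSL_CMD defaults to openssl.sh as used on this page; overriding it
# (for example with plain "openssl") is an assumption of this example.

# Quick check for every certificate in a PEM file. Prints OK/FAIL per
# certificate and returns 1 if any certificate lacks CA:TRUE.
check_ca_bundle() {
    bundle=$1
    ossl=${OPENSSL_CMD:-openssl.sh}
    tmp=$(mktemp -d) || return 2
    # Write each BEGIN/END CERTIFICATE block to its own file.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"
    bad=0
    found=0
    for f in "$tmp"/cert-*.pem; do
        [ -e "$f" ] || break
        found=1
        subject=$("$ossl" x509 -noout -subject -in "$f")
        if "$ossl" x509 -noout -text -in "$f" | grep -q 'CA:TRUE'; then
            echo "OK    $subject"
        else
            echo "FAIL  $subject (CA:TRUE not present)"
            bad=1
        fi
    done
    rm -rf "$tmp"
    [ "$found" -eq 1 ] || { echo "FAIL  no certificate found in $bundle"; bad=1; }
    return "$bad"
}

# Verification check: judge by the "OK" text, as the page does, rather
# than by the exit status of the verify command.
verify_client_cert() {
    ossl=${OPENSSL_CMD:-openssl.sh}
    "$ossl" verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# Stand-alone use: script CA-certificate-file [client-certificate-file]
if [ "$#" -ge 1 ]; then
    check_ca_bundle "$1" || exit 1
    if [ "$#" -ge 2 ]; then verify_client_cert "$1" "$2" || exit 1; fi
fi
```
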

  6. Change of the request log output format

    The location of the server process ID output to the request log is changed to immediately after the time. For details, see 4.2.6 Collecting the module trace, 4.2.7 Collecting request trace information, and 4.2.8 Collecting I/O filter trace information.

  7. Change in directives

    The following directives have been added in 09-80 or later:

    • HWSPrfId

    • HWSStackTrace

    • HWSWebSocketLog

    • MaxSpareThreads

    • MinSpareThreads

    • ServerLimit

    • SSLCARevocationCheck

    • SSLCARevocationFile

    • SSLEngine

    • SSLCipherSuite

    • SSLOptions

    • ThreadLimit

    The following directives have been deleted and cannot be specified in 11-00:

    • DefaultType

    • HWSContentCacheSize

    • HWSContentCacheMaxFileSize

    • LDAPBaseDN

    • LDAPNoEntryStatus

    • LDAPRequire

    • LDAPServerName

    • LDAPServerPort

    • LDAPSetEnv

    • LDAPTimeout

    • LDAPUnsetEnv

    • NameVirtualHost

    • SSLCacheServerPath

    • SSLCacheServerPort

    • SSLCacheServerRunDir

    • SSLCertificateKeyPassword

    • SSLCRLAuthoritative

    • SSLCRLDERPath

    • SSLCRLPEMPath

    • SSLDenySSL

    • SSLDisable

    • SSLECCCertificateFile

    • SSLECCCertificateKeyFile

    • SSLECCCertificateKeyPassword

    • SSLEnable

    • SSLExportCertChainDepth

    • SSLExportClientCertificates

    • SSLFakeBasicAuth

    • SSLRequireCipher

    • SSLRequiredCiphers

    • SSLSessionCacheSize

    • SSLSessionCacheSizePerChild

    • SSLSessionCacheTimeout

    In addition, the default values of the following directives have been changed in 09-80 or later. Revise the settings if necessary:

    • AllowOverride (default value: None)

    • FileETag (default value: MTime Size)

    • KeepAliveTimeout (default value: 5)

    • Options (default value: None)

    • SSLVerifyClient (default value: none)

    • SSLVerifyDepth (default value: 1)

    • ThreadsPerChild (default value: 64)

    • Timeout (default value: 60)

    • UseCanonicalName (default value: Off)

    • UserDir (default value: No default value)

    • RequestReadTimeout (default value: header=20 body=20#)

      # This applies if mod_reqtimeout.so is specified in the LoadModule directive. If it is not specified, no default value is provided.

    The specifications of the following directives have been changed. See 6. Directives and revise the settings if necessary.

    • AllowOverride

    • CoreDumpDirectory

    • CustomLog

    • HWSKeepStartServers

    • HWSProxyPassReverseCookie

    • HWSRequestLogType

    • LoadModule

    • MaxClients

    • MaxSpareServers

    • MinSpareServers

    • ProxyErrorOverride

    • ProxyPass

    • ServerName

    • SSLBanCipher

    • SSLCACertificateFile

    • SSLCACertificatePath

    • SSLCertificateFile

    • SSLCertificateKeyFile

    • SSLProtocol

    • SSLRequireSSL

    • SSLVerifyClient

    • SSLVerifyDepth

    • StartServers

    • ThreadsPerChild

  8. Addition of message IDs

    A unique ID is added to each message. For details, see the manual uCosminexus Application Server Messages.

  9. Change of SSL-related commands

    The sslccert command, sslckey command, keygen command, and certutil command have been replaced by the openssl.sh command. The sslccert command, sslckey command, sslpasswd command, keygen command, and certutil command are deleted during overwrite installation. For details on the openssl.sh command, see 5. Authentication and Encryption by Using SSL.

  10. Change in supported encryption types

    Supported encryption types have been changed. For details, see (29) SSLCipherSuite encryption-type [:encryption-type ...] in 6.2.7 Directives starting with S, and then revise the settings if necessary.

  11. The static contents cache functionality is not supported

    The static contents cache functionality is no longer supported.

  12. The SSL session management functionality is not supported

    The SSL session management functionality for the Web server is no longer supported.

  13. The user authentication and access control functionality using the directory service are not supported

    The user authentication functionality and access control functionality using the directory service are no longer supported.

  14. Change in status codes

    The Web server of HTTP Server is based on Apache HTTP Server. Because the version of Apache HTTP Server has changed to 2.4, the status codes have changed. See Appendix A. Status codes.

    If the communication with the backend server is disabled when using the reverse proxy functionality, the error status code 503 might be returned rather than 502.

    If the request line was not received and a timeout occurred, the status code 408 is output to the access log.

  15. The NameVirtualHost directive is not supported

    The NameVirtualHost directive is no longer supported. Therefore, if the same IP address is specified in multiple VirtualHost blocks, the host operates as a virtual host based on the server name. In this case, operation might be different from virtual host operation based on the IP address in older versions. Revise the settings if necessary.
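
An added example, not part of the Hitachi manual, that scans a pre-migration configuration file for the directives listed as deleted under item 7 (NameVirtualHost from item 15 included) and for SSLv2 or SSLv3 in SSLProtocol (items 3 and 4). The function names and the sample configuration are constructed for illustration.

```shell
# Added example (not Hitachi's tooling): flag settings in an older
# configuration file that the notes above say must change at migration.
# Directives this page lists as deleted in 11-00.
DELETED="DefaultType HWSContentCacheSize HWSContentCacheMaxFileSize LDAPBaseDN \
LDAPNoEntryStatus LDAPRequire LDAPServerName LDAPServerPort LDAPSetEnv LDAPTimeout \
LDAPUnsetEnv NameVirtualHost SSLCacheServerPath SSLCacheServerPort \
SSLCacheServerRunDir SSLCertificateKeyPassword SSLCRLAuthoritative SSLCRLDERPath \
SSLCRLPEMPath SSLDenySSL SSLDisable SSLECCCertificateFile SSLECCCertificateKeyFile \
SSLECCCertificateKeyPassword SSLEnable SSLExportCertChainDepth \
SSLExportClientCertificates SSLFakeBasicAuth SSLRequireCipher SSLRequiredCiphers \
SSLSessionCacheSize SSLSessionCacheSizePerChild SSLSessionCacheTimeout"

# Prints one finding per line as "line-number: message"; returns 1 if any.
scan_conf() {
    awk -v deleted="$DELETED" '
        BEGIN { n = split(tolower(deleted), d, " ")
                for (i = 1; i <= n; i++) gone[d[i]] = 1 }
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        {
            name = tolower($1)           # directive names are case-insensitive
            if (name in gone) { printf "%d: %s is deleted in 11-00\n", NR, $1; bad = 1 }
            if (name == "sslprotocol")
                for (i = 2; i <= NF; i++)
                    if (tolower($i) ~ /^sslv[23]$/) {
                        printf "%d: SSLProtocol %s is no longer supported\n", NR, $i
                        bad = 1
                    }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample of a pre-migration configuration (not a real file).
sample_conf() {
    cat <<'EOF'
NameVirtualHost 192.0.2.10:443
<VirtualHost 192.0.2.10:443>
    SSLEnable
    SSLProtocol SSLv2 SSLv3
    # SSLDisable
    sslsessioncachetimeout 300
</VirtualHost>
EOF
}

# Stand-alone use: script configuration-file
if [ "$#" -ge 1 ]; then scan_conf "$1"; fi
```

A finding only marks a line to revise; directives whose default values or specifications changed still need the manual review described under item 7.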