Skip to main content
Version: 3.14.x.x LTS

Installation and Deployment

Overview

This chapter describes the steps that have to be executed when installing nevisProxy. The package is operating-system-specific and uses the package mechanism of the target OS. It may also be provided in various flavors (i.e. with customer-specific modifications).

Prerequisites

The following requirements need to be fulfilled to install nevisProxy:

  • Linux (RHEL 5/6 / Suse 10/11) operating system on a host with ~60MB of free space in the installation directory (see destdir below) and ~20MB of free space in the spool directory (see spooldir below).
  • nevisOrb 1.3.x or higher as mentioned in the Release Notes for the 32-bit version of nevisProxy.

If you want to use all the features that nevisProxy provides, it is necessary to install the MariaDB libaries mariadb-libs on machines running Red Hat Enterprise Linux. On machines that run the SUSE Linux, you have to install the MySQL libraries mysql-libs.

  • Use the following command to install the MariaDB libaries:
yum install mariadb-libs
  • And this command to install the MySQL libraries:
yum install mysql-libs

Installation

Two RPM packages

nevisProxy comes with two RPM packages: nevisproxy-<version>-1.el5.x86_64.rpm and nevisproxy-<version>-1.el7.x86_64.rpm.

  • nevisproxy-<version>-1.el5.x86_64.rpmThis package runs on the following platforms:
  • nevisproxy-<version>-1.el7.x86_64.rpmThis package runs on the following platforms:

Both packages have the same code base, except for:

  • The ModSecurity library The nevisproxy-<version>-1.el5.x86_64.rpm package uses version 2.9.2 of the ModSecurity library, whereas the nevisproxy-<version>-1.el7.x86_64.rpm package uses version 3.0.2.
  • Apache httpd The nevisproxy-<version>-1.el7.x86_64.rpm package only supports Apache httpd/2.4. The nevisproxy-<version>-1.el5.x86_64.rpm package supports both Apache httpd/2.2 and httpd/2.4, but we strongly recommend moving to Apache httpd/2.4 ").

We strongly recommend that you install the package nevisproxy-<version>-1.el7.x86_64.rpm whenever possible.

If you encounter problems with the package nevisproxy-<version>-1.el7.x86_64.rpm, you can switch back to the package nevisproxy-<version>-1.el5.x86_64.rpm. Inform the Nevis support about the problem(s) you have encountered, so that we can fix it.

In the near future, only the package nevisproxy-<version>-1.el7.x86_64.rpm will be built and delivered.

Installation instructions

Proceed as follows to install the package and start the server:

  • Install the package (Linux):
# rpm -i nevisproxy<version>-1.<flavour>.<architecture>.rpm

If no configuration package is provided for nevisProxy, proceed as described in the chapter Preparing the initial installation .

Deprecated

*As of the beginning of 2018, Solaris is not supported anymore. Use another platform instead.** Unpack and install the package (Solaris):

# gunzip nevisproxy-<version and architecture>.tar.gz
# gtar xf nevisproxy-<version and architecture>.tar
# pkgadd -d <pkg_dir> nevisproxy

Charset settings

The default charset of nevisProxy is ISO-8859-1, but we propose setting the charset of all Nevis components (nevisAuth, nevisLogRend …) including nevisProxy to UTF-8. Set

Linux

user.locale=en_US.utf8

in the bc.properties for nevisProxy.

Solaris

Deprecated

As of the beginning of 2018, Solaris is not supported anymore. Use another platform instead.

user.locale= en_US.UTF-8

in the bc.properties for nevisProxy.

Software upgrade

Proceed as follows to upgrade to a new software version without changing the configuration:

  • Deinstall the old package.
  • Install the new package.

Deinstallation

Proceed as follows to deinstall the nevisProxy package:

  • Deinstall the package (Linux):
# rpm -e nevisproxy

Deprecated

*As of the beginning of 2018, Solaris is not supported anymore. Use another platform instead.** Deinstall the package (Solaris):

# pkgrm nevisProxy

Troubleshooting

OpenSSL compatibility

Because nevisProxy usually uses the most recent OpenSSL version, it is possible that some backends will not be accessible anymore due to a stricter security policy. For example, because a cipher algorithm has been disabled or some key size has been restricted.

If a backend cannot be reached anymore, check the possible cause of it in navajo.log. Usually an SSL/TLS error should be logged. For example:

2016 02 08 20:46:14.011 isi3web OpenSSLHan 18203.140737049229056.471b-14549607721132811-152c26b8412 3-ERROR : OpenSSL-failure: 140737049229056:error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:3448:0x0a

In this case, the dh-key (Diffie-Hellman) provided by the backend is too small. You can now either update your backend or remove the DH-algorithm from the SSLCypherSuites of the HttpsConnectorServlet (e.g., "!aNULL:!aDSS:!MD5:!kEDH+AES:RSA+AES:!kEDH+3DES:RSA+3DES").

In any case, it is better to keep the backends up to date. If you run a java-based backend, you can set the following java-property:

  • javax.net.debug=ssl,handshake

This will provide more information on the backend on why it refuses the connection. Common cases are:

  • Starting from java8, SSLv3 and MD5 are not supported anymore. In this case you should update your certificates.
  • Starting from java8, the Diffie-Hellman key must be at least 1024 bytes.