Installation and Deployment
This chapter describes the steps that have to be executed when installing nevisProxy. The package is operating-system-specific and uses the package mechanism of the target OS. It may also be provided in various flavours (i.e. with customer-specific modifications).
The following requirements need to be fulfilled to install nevisProxy:
- Linux (RHEL 5/6 / Suse 10/11) operating system on a host with ~60MB of free space in the installation directory (see destdir below) and ~20MB of free space in the spool directory (see spooldir below).
- nevisOrb 1.3.x or higher as mentioned in the Release Notes for the 32-bit version of nevisProxy.
If you want to use all the features that nevisProxy provides, it is necessary to install the MariaDB libaries mariadb-libs on machines running Red Hat Enterprise Linux. On machines that run the SUSE Linux, you have to install the MySQL libraries mysql-libs.
- Use the following command to install the MariaDB libaries:
yum install mariadb-libs
- And this command to install the MySQL libraries:
yum install mysql-libs
Two RPM packages
nevisProxy comes with two RPM packages: nevisproxy-
<version>-1.el5.x86_64.rpm and nevisproxy-
<version>-1.el5.x86_64.rpmThis package runs on the following platforms:
<version>-1.el7.x86_64.rpmThis package runs on the following platforms:
Both packages have the same code base, except for:
- The ModSecurity library
<version>-1.el5.x86_64.rpm package uses version 2.9.2 of the ModSecurity library, whereas the nevisproxy-
<version>-1.el7.x86_64.rpm package uses version 3.0.2.
- Apache httpd
<version>-1.el7.x86_64.rpm package only supports Apache httpd/2.4. The nevisproxy-
<version>-1.el5.x86_64.rpm package supports both Apache httpd/2.2 and httpd/2.4, but we strongly recommend moving to Apache httpd/2.4 ").
We strongly recommend that you install the package nevisproxy-
<version>-1.el7.x86_64.rpm whenever possible.
If you encounter problems with the package nevisproxy-
<version>-1.el7.x86_64.rpm, you can switch back to the package nevisproxy-
Inform the NEVIS support about the problem(s) you have encountered, so that we can fix it.
In the near future, only the package nevisproxy-
<version>-1.el7.x86_64.rpm will be built and delivered.
Proceed as follows to install the package and start the server:
- Install the package (Linux):
# rpm -i nevisproxy<version>-1.<flavour>.<architecture>.rpm
If no configuration package is provided for nevisProxy, proceed as described in the chapter Preparing the initial installation .
*As of the beginning of 2018, Solaris is not supported anymore. Use another platform instead.** Unpack and install the package (Solaris):
# gunzip nevisproxy-<version and architecture>.tar.gz
# gtar xf nevisproxy-<version and architecture>.tar
# pkgadd -d <pkg_dir> nevisproxy
The default charset of nevisProxy is ISO-8859-1, but we propose setting the charset of all NEVIS components (nevisAuth, nevisLogRend …) including nevisProxy to UTF-8. Set
in the bc.properties for nevisProxy.
As of the beginning of 2018, Solaris is not supported anymore. Use another platform instead.
in the bc.properties for nevisProxy.
Proceed as follows to upgrade to a new software version without changing the configuration:
- Deinstall the old package.
- Install the new package.
Proceed as follows to deinstall the nevisProxy package:
- Deinstall the package (Linux):
# rpm -e nevisproxy
*As of the beginning of 2018, Solaris is not supported anymore. Use another platform instead.** Deinstall the package (Solaris):
# pkgrm nevisProxy
Because nevisProxy usually uses the most recent OpenSSL version, it is possible that some backends will not be accessible anymore due to a stricter security policy. For example, because a cipher algorithm has been disabled or some key size has been restricted.
If a backend cannot be reached anymore, check the possible cause of it in navajo.log. Usually an SSL/TLS error should be logged. For example:
2016 02 08 20:46:14.011 isi3web OpenSSLHan 18203.140737049229056.471b-14549607721132811-152c26b8412 3-ERROR : OpenSSL-failure: 140737049229056:error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:3448:0x0a
In this case, the dh-key (Diffie-Hellman) provided by the backend is too small. You can now either update your backend or remove the DH-algorithm from the SSLCypherSuites of the HttpsConnectorServlet (e.g., "!aNULL:!aDSS:!MD5:!kEDH+AES:RSA+AES:!kEDH+3DES:RSA+3DES").
In any case, it is better to keep the backends up to date. If you run a java-based backend, you can set the following java-property:
This will provide more information on the backend on why it refuses the connection. Common cases are:
- Starting from java8, SSLv3 and MD5 are not supported anymore. In this case you should update your certificates.
- Starting from java8, the Diffie-Hellman key must be at least 1024 bytes.