VSI-AXPVMS-CSWS-V0204-3O-1 RELNOTES.PDF

This document outlines the Release Notes for Secure Web Server (CSWS) for OpenVMS Version 2.4-30, released in May 2018. This version is based on Apache HTTP Server 2.4-12 and OpenSSL 1.0.2n.

Key Features and Enhancements:

• Significant Update: A major refresh from previous versions, offering numerous new features and enhancements.
• Improved Security: Supports higher encryption levels due to the updated OpenSSL.
• Performance & Configuration: Reduced memory utilization and more flexible configuration options.
• New Modules: Includes various new loadable modules for session management, request filtering, and rate limiting.
• Custom Module Support: Improved support for developing custom loadable modules, making it easier to include necessary header files via APACHE$LIBRARY.TLB.
• Log Publishing Utility: Introduces log2rabbitmq.exe to publish web server log messages to a RabbitMQ broker.

Important Changes and Upgrade Considerations:

• Configuration File Incompatibility: Existing httpd.conf and ssl.conf files from previous versions are largely incompatible and require manual review and re-customization for 2.4-30.
• Directive Changes: The AcceptMutex directive has been replaced by a single Mutex directive, defaulting to the OpenVMS Distributed Lock Manager for coordination.
• Authentication/Authorization Model: The authentication and authorization model for mod_authnz_openvms has changed, requiring explicit provider specification (AuthBasicProvider OpenVMS) and uppercase usernames for Require user directives.
• Deprecated Logical Names: Several logical names (e.g., APACHE$BG_PIPE_BUFFER_SIZE) are deprecated and will be removed in future releases.
• Custom Modules Rebuild Required: All custom-written dynamically loaded modules must be rebuilt for Version 2.4, using specific compilation (/POINTER_SIZE=32 /DEFINE=(_USE_STD_STAT) /NAMES=(AS_IS,SHORTENED)) and linking (CASE_SENSITIVE=YES) flags.
• Incompatible Optional Kits: Version 2.4-30 is incompatible with older optional kits like CSWSPERL V2.1 or earlier, CSWSPHP V5.2-17A or earlier, and CSWS_JAVA.

Installation Process:

• ODS-5 Requirement: The SWS Version 2.4-30 kit must be installed on an ODS-5 target volume.
• Upgrade Steps: For upgrades, users must shut down the existing CSWS, back up site-specific files, uninstall the previous version (ensuring all documentation is removed), and rename old configuration files before installing.
• Post-Installation Configuration: The server is configured via SYS$MANAGER:APACHE$CONFIG.COM or an interactive menu (APACHE$MENU.COM), including setting up the APACHE$WWW user and enabling SSL (which requires generating a certificate and uncommenting an Include directive).

Bug Fixes (Cumulative): Numerous bugs have been addressed, including issues with serving web pages from user-specific directories, large file transfers, IPv6 usage, OpenSSL version mismatches, CGI script execution, DAV functionality, file versioning, proxy module linking, WebDAV binary file attributes, inconsistencies in DBM database usage, and ensuring core web server locking functions utilize the OpenVMS distributed lock manager.

Known Issues:

• CSWS will fail to start correctly if the audit server is not running.