VSI-I64VMS-CSWS-V0204-38A-1-RELNOTES.PDF

This document provides release notes for Secure Web Server for OpenVMS (CSWS) Version 2.4-38A, based on Apache HTTP Server Version 2.4.38, released in May 2019.

Key Highlights:

• Significant Update: This is a major release with many new features and enhancements from Apache 2.4.38, including reduced memory utilization, more flexible configuration, and new loadable modules for session management, request filtering, and rate limiting.
• Enhanced Security: It integrates MOD_SSL and OpenSSL 1.0.2r, offering higher levels of encryption and improved security.
• Improved Custom Module Development: Offers better support for developing custom loadable modules.

Major Changes and Upgrade Considerations:

• Configuration File Changes: Upgrades require changes to httpd.conf. Some dynamically loadable modules are no longer available or loaded by default and must be explicitly uncommented.
• Mutex Directive: The AcceptMutex and related directives are replaced by a single Mutex directive. The OpenVMS Distributed Lock Manager (DLM) is now always used by default for network sockets and shared resources, meaning vmsdlm cannot be explicitly specified for Mutex.
• OpenVMS Authentication: The SYSUAF-based authentication module has changed, requiring explicit registration of authentication providers (e.g., AuthBasicProvider OpenVMS) and loading specific modules (mod_authn_core.exe, mod_authz_core.exe, mod_auth_basic.exe, mod_authnz_openvms.exe). Older directives like AuthOpenVMSUser and AuthOpenVMSGroup have been removed. Usernames for Require user are now case-insensitive.
• Logging: A new log2rabbitmq.exe utility is provided to publish web server log messages to a RabbitMQ broker.
• Deprecated Logical Names: Several APACHE$ prefixed logical names (e.g., APACHE$BG_PIPE_BUFFER_SIZE, APACHE$MB_PIPE_BUFFER_SIZE, APACHE$SSL_DBM_TYPE) are deprecated or ignored; new APR$ prefixed names should be used.
• Custom Modules: All custom-written dynamically loaded modules must be rebuilt for Version 2.4, requiring specific compiler switches and linker options.
• ScoreBoardFile Ignored: The ScoreBoardFile directive is ignored as CSWS now uses a shared memory scoreboard.
• Silent Startup Failures: Configuration errors can cause silent startup failures; temporary disabling of shared process logging can aid diagnosis.
• ServerName: Explicitly setting the ServerName directive and port in httpd.conf is strongly recommended.

Installation/Upgrade Procedure:

• ODS-5 Requirement: CSWS 2.4 must be installed on an ODS-5 enabled disk.
• Crucial Upgrade Steps: If upgrading from a previous version, users must shut down the old CSWS, back up site-specific files, uninstall the previous version (answering "YES" to delete Htdocs & Icons directories), rename existing customized configuration files, and then install CSWS 2.4. Existing customizations must be manually reapplied to the new configuration files.

Bug Fixes:

• Addressed issues with worker process startup, serving web pages from user directories, large file transfers, IPv6 configuration, SSL version mismatches, long-running CGI scripts, WebDAV functionality (Expat XML, binary file attributes, DBM locking), proxy module linking, and case-sensitive username checks.

Known Issues:

• CSWS may fail to start if the audit server is not running.
• CSWS may fail to start correctly or listen on a port if the Listen directive is not explicitly specified in httpd.conf.