Part 4. Appendixes

Appendix A. Command reference

This chapter describes how to use the server's commands.

certutil command

For a secure server, use the certutil command to process certificate requests for the clients and servers for whom you're acting as a Certificate Authority (CA). The output of the certutil command is a client or server certificate that has been signed with your private CA key.

Note: How to become your own CA and how to process certificate requests as a CA is described in Chapter 11. "Acting as a certification authority for a private Web network". You should follow the step-by-step instructions in that chapter unless you are familiar with the procedure.

Syntax

certutil [-p validity-period] [-k ca-key-ring]
< cert-req-file > cert-file-name

Note: The certutil command should be on one line. It is shown on more than one line because of formatting.

The < and > symbols, redirect the standard input and standard output.

Flags

-p validity-period

Validity period in days of the certificate to be issued. Acceptable values are from 1 to 9999. If you omit this flag, the default validity period is 365 days.

-k ca-key-ring

Specifies the fully qualified path and file name of the key ring file containing your private CA key. This is the name you specified as the CA Key ring on the Create Key and Request Certificate form, if you did not accept the default key ring file, keyfile.kyr. If you omit this flag, the default keyfile.kyr is assumed.

cert-req-file

Specifies the fully qualified path and file name of the file that contains the client or server certificate you are processing.

For clients or servers who mail their certificate request to you through e-mail, it is the file into which you received the certificate request with your e-mail program.

For a certificate request on the same server, it is the file you specified for Save certificate request to file on the Create Key and Request Certificate form when you were requesting the server certificate.

cert-file-name

Specifies the unique fully qualified path and file name of the output file where you want to put the certificate created by this command.

Example

To create a certificate that is valid for two years:

certutil -p 730 -k D:/WWW/BIN/cakeyfil.kyr < D:/WWW/BIN/CertReq.txt
  > D:/WWW/BIN/Cert.txt

Note: The certutil command must be on one line. It is shown here on more than one line because of formatting restrictions.

After you enter the command, you are prompted for the key ring password. This is the password for the key ring that holds the CA key.

If the certutil command cannot create the signed certificate, it returns an error message.

cgiparse command

Use the cgiparse command to parse the QUERY_STRING environment variable for CGI scripts. If the QUERY_STRING environment variable is not set, the command reads CONTENT_LENGTH characters from its standard input. All returned output is written to its standard output.

This corresponds to the GET and POST methods from HTML forms. QUERY_STRING and CONTENT_LENGTH are environment variables. For a GET request, QUERY_STRING holds the form data. For a POST request, CONTENT_LENGTH is set and the form data is sent on standard input.

Syntax

   cgiparse -Flag [Modifier]

Flags

Flags have one-character equivalents: -k -f -v -r -i -s -p -c -q -P

-keywords

Parses QUERY_STRING for keywords. Keywords are decoded and written to standard output, one per line.

-form

Parses input as form request. Outputs one or more SET statements that set environment variables beginning with FORM_ followed by a field name. Field values are the contents of the variables.

-value field-name

Parses input as form request. Prints only the value of field-name.

-read

Reads CONTENT_LENGTH characters from standard input and writes them to standard output.

-init

If QUERY_STRING is not set, reads the value of standard input and returns a SET statement that sets QUERY_STRING to this value. This can be used with both the GET and POST methods. A typical use is:

'cgiparse -init > tempfile'
'CALL tempfile'

This will set the QUERY_STRING environment variable, regardless of whether the GET or POST method was used.

The cgiparse command may be called multiple times in the same script when the GET method is used, but it should only be called once if the POST method is used. With the POST method, after standard input is read, the next cgiparse would find standard input empty and would hang.

-sep separator

Specifies the string used to separate multiple values. If you are using the -value flag, the default separator is newline. If you are using the -form flag, the default separator is a comma (,).

-prefix prefix

Used with -POST and -form, specifies the prefix to use when creating environment variable names. The default is "FORM_".

-count

Used with -keywords, -form, and -value, returns a count of items related to these flags.

-keywords

Returns the number of keywords

-form

Returns the number of unique fields (multiple values are counted as one)

-value field-name

Returns the number of values for field-name (if there is not a field named field-name, output is 0).

-number

Used with -keywords, -form, and -value, returns the specified occurrence related to these flags.

-keywords

Returns the n'th keyword. (For example -2 -keywords outputs the second keyword.)

-form

Returns all the values of the n'th field. (For example -2 -form outputs all the values of the second field.)

-value field-name

Returns the n'th of the multiple values of field field-name. (For example -2 -value -whatsit outputs the second value of the whatsit field).

-quiet

Suppresses all error messages. (Non-zero exit status still indicates error.)

-POST

Information from stdin is directly decoded and parsed into shell variables, QUERY_STRING is not used. -POST is equivalent to consecutive use of the -init and -form options.

Exit statuses

0

Success

1

Illegal command line

2

Environment variables not set correctly

3

Failed to get requested information (for example, there is no such field or QUERY_STRING contains keywords when form field values are requested).

Note: When you receive one of these error codes, you may receive additional informational messages, too. The message varies depending on the command issued.

cgiutils command

Use the cgiutils command in no-parse header programs to produce a full HTTP 1.0 response.

Note: If you want to supply your own no-parse header (nph) programs specifically to return your own return values, the name of the program must begin with nph-. This prevents the server header from overriding your return value with the standard server return value.

Syntax

   cgiutils -Flag [Modifier]

If Modifier contains blanks, enclose it in quotes.

Flags

-version

Returns version information.

-nodate

Does not return the Date: header.

-noel

Does not return a blank line after headers. This is useful if you want other MIME headers after the initial header lines.

-status nnn

Returns full HTTP response with status code nnn, instead of only a set of HTTP headers. Do not use this flag if you only want the Expires: header.

-reason explanation

Specifies the reason line for the HTTP response. You can only use this flag with the -status nnn flag. If the explanation text contains more than one word, you must enclose it in quotes.

-ct [type/subtype]

Specifies MIME Content-Type header. This example specifies a MIME content type of text/html:

   cgiutils -ct text/html

If you omit the type/subtype, the MIME content type is set to the default text/plain. This example sets the MIME content type to text/plain.

   cgiutils -ct

-ce encoding

Specifies MIME Content-Encoding header. For example:

   cgiutils -ce  x-compress

-cl language-code

Specifies MIME Content-Language header. For example:

   cgiutils -cl en_UK

-length nnn

Specifies MIME Content-Length header.

-expires Time-Spec

Specifies MIME Expires header. This flag specifies the time to live (the expiration date of a document) in any combination of years, months, weeks, days, hours, minutes, and seconds. These values and keywords specify the length of time a document is considered valid. You must enclose them in quotes. For example:

   cgiutils -expires "2 days 12 hours"

The cgiutils command adds the time you specify to the current Greenwich Mean Time to determine the expiration date. The expiration date is put in the Expires: header in the HTTP format.

-expires now

Produces an Expires: header that matches the Date: header.

-uri URI

Specifies the Universal Resource Identifier (URI) for the returned document. URI can be considered to be the same as URL.

-extra xxx: yyy

Specifies an extra header that cannot otherwise be specified for cgiutils.

Examples

• This example calculates the expiration date for the Expires: header.

     cgiutils -expires "1 year 3 months 2 weeks 4 days 12 hours 30 mins"
  

• The following example specifies a status code and reason, and sets the Expire: header equal to the Date: header.

     cgiutils -status 200 -reason "Virtual doc follows" -expires now
  

  This might produce headers similar to these:

     HTTP/1.0 200 Virtual doc follows
     MIME-Version: 1.0
     Server: IBM-ICS
     Date: Tuesday, 05-Jan-96 03:43:46 GMT
     Expires: Tuesday, 05-Jan-96 03:43:46 GMT
  

  The cgiutils command automatically produces the Server: header because it is available in the CGI environment. The Date: field is also automatically generated unless the -nodate flag is specified.

  This would include a blank line after the output to mark the end of the MIME header section. If you want to follow this with some more headers yourself, use the -noel (NO-Empty-Line) flag as shown in the next example.

• If you do not want the blank line after the header line, use the -noel flag:

     cgiutils -noel -expires "2 days" -nodate
  

     HTTP/1.0 200 Virtual doc follows
     MIME-Version: 1.0
     Server: IBM-ICS
     Expires: Tuesday, 07-Jan-96 03:43:46 GMT
  

htadm command

Note: When you use htadm to add a user, change a password, or verify a password, you must enter the password on the command line. Because htadm destroys the password from the command line as soon as possible, it is highly unlikely that you can see a user's password by looking at the process listing on the machine (with the pstat command, for example).

Syntax

   htadm -Flag  [Modifier]

Flags

-adduser password-file user-name [password [real-name]]

Adds a user and password into the password file. If you enter the command with only password-file, you are prompted for the other parameters.

password-file

The path and name of the password file to which you want to add the user.

user-name

The name of the user you want to add.

Use only alphabetic and numeric characters for the user name; do not use special characters.

The command fails if there is already a user of the same name in the password file.

password

The password you want to define for the user name.

Passwords can be up to 32 characters long. Use only alphabetic and numeric characters for the password; do not use special characters.

Note: Some browsers are unable to read and send passwords longer than eight characters. Because of this limitation, if you define a password longer than eight characters, the server recognizes either the complete password or just the first eight characters of the password as valid.

real-name

A comment or name you want to use to identify the user name you are adding. Whatever you enter will be written into the password file.

-deluser password-file [user-name]

Deletes a user from the password file. If you enter the command with only password-file, you are prompted for the user-name parameter.

password-file

The path and name of the password file from which you want to delete a user.

user-name

The name of the user you want to delete. The command fails if the user name you specify does not exist in the password file.

-passwd password-file [user-name [password]]

Changes the password for a user name already defined in the password file. If you enter the command with only password-file, you are prompted for the other parameters.

password-file

The path and name of the password file that contains the user name whose password you want to change.

user-name

The user name whose password you want to change. The command fails if the user name you specify does not exist in the password file.

password

The new password you want to define for the user name.

Passwords can be up to 32 characters long. Use only alphabetic and numeric characters for the password; do not use special characters.

Note: Some browsers are unable to read and send passwords longer than eight characters. Because of this limitation, if you define a password longer than eight characters, the server recognizes either the complete password or just the first eight characters of the password as valid.

-check password-file [user-name [password]]

Verifies the password for a user name already defined in the password file and lets you know if it is correct or not. If you enter the command with only password-file you are prompted for the other parameters.

password-file

The path and name of the password file that contains the user name whose password you want to verify.

user-name

The user name whose password you want to verify. The command fails if the user name you specify does not exist in the password file.

password

The password that you want to verify. If the password you enter is the one defined for the user name, the command writes Correct to standard output and completes with a 0 return code. If the password you enter is not the one defined for the user name, the command writes Incorrect to standard output.

-create password-file

Create an empty password file.

password-file

The path and name of the password file that you want to create.

Examples

• To add a user to a password file:

     htadm -adduser d:\WINNT35\heroes.pwd clark superman "Clark Kent"
  

• To delete a user from a password file:

     htadm -deluser d:\tcpip\etc\heroes.pwd clark
  

htimage command

Use the htimage command to process clickable image maps. It allows defined regions within an image map to be associated with specific URLs. When users click on a defined region, the htimage command executes a CGI script that displays the URL associated with the region. When the server returns the URL associated with the region, it issues a 302 return code (Moved Temporarily) and a location header containing the URL.

Note:

The URL specified in the location header must be fully qualified, or absolute. Include the protocol, host, and request path in the URL. For example:

   http://hostname/filename.html

The Internet Connection Secure Server assumes, if the URL in the map file is not absolute, that the URL is local, and serves it directly. While this saves some network overhead, the browser thinks the original request was satisfied and continues to use the original request as the base for future requests.

When the URL is not fully qualified and the server finds the file locally, the Internet Connection Secure Server issues a Content-Location header which some browsers use to make future requests.

Many browsers understand the HTML tag, <BASE HREF= >, which can be used to specify the base URL, (for example, http://hostnamebase URL). When this tag is used, URLs that are not fully qualified are evaluated relative to this base URL and are correctly found.

The command is used in conjunction with a map file. Map files are text files that define regions within a graphics file by their x,y coordinates and map them to the various URLs. For additional information on using htimage and creating map files and images, see the Web design information on the Internet Connection Family Web site (http://www.ics.raleigh.ibm.com). The Web design information is accessible from the Front Page of your server.

Note: Currently the universal image file accepted by all browsers and servers is the GIF format. GIF is an 8-bit 256 color image file.

You cannot use htimage from the command line. You include it as part of an anchor tag within an HTML document, and it is called when the server processes that document.

The htimage command is located in the CGI Bin scripts directory you specified at installation. The installation default is C:\WWW\CGI-BIN.

Syntax

Since htimage can only be called from an anchor tag within an HTML document, the syntax is shown as HTML markup.

   <A HREF="/CGI-BIN/htimage/mapfile.txt">
   <IMG SRC="/ICONS/image.gif" ISMAP></A>

<A HREF="/CGI-BIN/htimage/mapfile.txt">

The HREF attribute of the anchor (A) tag specifies the URL of the htimage command followed by the URL of the map file.

This syntax description assumes that the default configuration file is being used. The default configuration file contains an Exec directive that maps requests beginning with /CGI-BIN/ to the directory that contains the htimage command.

The server uses everything following /htimage/ as the URL of the map file. If the server is using the default configuration and the URL contains only a file name, the server would look for the file in the document root directory.

<IMG SRC="/ICONS/image.gif" ISMAP></A>

The SRC attribute of the image (IMG) tag specifies the URL of the file that contains the graphic you want to use as an image map.

The ISMAP attribute indicates that the graphic is an image map.

Examples

Following is a description of the map files that must be used with the htimage command. A map file is a text file. Each line of the file is in the following format:

   region-identifier [region-definition]  URL

region-identifier

A keyword that identifies the type of region being defined. Valid values are:

• rectangle
• circle
• polygon
• default

region-definition

A set of numbers that defines a particular region of the graphic. The format of the region definition is different for each type of region.

Coordinates within parentheses identify a point relative to the top left corner of the image. The first number is the number of pixels to the right of the top left corner. The second number is the number of pixels down from the top left corner. There are several shareware programs available that can help you easily identify the coordinates of particular points within a graphic file.

default   URL
rectangle (x1,y1) (x2,xy) URL
circle    (x,y)   r       URL
polygon   (x1,y1) (x2,y2) (x3,y3) URL

• The default keyword does not define a region. The keyword is followed by a URL to link to when the client clicks on a portion of the image map that is not covered by any of the other region definitions.

• For rectangle, the first point is the upper left corner of the rectangle. The second point is the lower right corner. In other words, define any two diagonally opposite corners having coordinates (x1,y1) and (x2,y2).

• For circle, the point is the center of the circle. The single number following the point is the radius of the circle as measured in pixels.

• For polygon, up to 100 points can be defined. The shape is formed by connecting the points in the order they are given. The last point is connected to the first.

For example, you might use the following HTML in a document:

   <A HREF="/cgi-bin/htimage/mapit.txt">
   <IMG SRC="/icons/mapimage.gif" ISMAP></A>

The above example calls the htimage command with a map file named mapit.txt. The mapit.txt file would define regions of the mapimage.gif graphic file. Because no path is specified for mapit.txt, the server would look for it on the document root directory. Following is an example of what mapit.txt might look like.

   default                                   http://brimstone/cgi-bin/go_home
   rectangle (50, 100) (200,200)             http://brimstone/cgi-bin/go_to_it
   circle    (100,300) 50                    http://brimstone/pub/example.html
   polygon   (450,350) (450,500) (150, 500)  http://brimstone/pub/triangle.html

One example of a shareware program for determining the x,y coordinates is mapedit. You can obtain mapedit from the following URL:

http://sunsite.unc.edu/~boutell/mapedit/mapedit.html

Please note that output from mapedit is in NCSA format. It is different from the CERN examples shown.

The same examples in NCSA format require anchor tags within an HTML document as follows:

   <a href="/cgi-bin/imagemap/mapit.txt">
   <img src="/icons/mapimage.gif" ISMAP></a>

The map file will be an EBCDIC text file with the following format:

   default   http://brimstone/cgi-bin/go_home
   rect      http://brimstone/cgi-bin/go_to_it       50, 100  200,200
   circle    http://brimstone/pub/example.html       100,300  100,350
   poly      http://brimstone/pub/triangle.html      450,350  450,500  150, 500

URL

The fully qualified or absolute URL, including the protocol, hostname and filename, is required. If the URL in the map file is not absolute, the Internet Connection Secure Server assumes that the URL is local and serves it directly.

whttpg command

Use the whttpg command to start the server. The default setting is to export the /Public directory tree.

You can set all these flags (except -r and -noservice) using the directives in the server configuration file.

You can set the directory-browsing flags with the DirAccess configuration directive.

It is common practice to create a file named README containing instructions or notices to be read by anyone new to the directory. By default, whttpg will imbed any README file in the hypertext version of a directory. The README file instructions can also be set with the DirReadme configuration directive.

Syntax

   whttpg [-Flag [-Flag [-Flag..]]] -noservice

-B bounce

The server normally does not bind to its listen ports with the SO_REUSEADDR socket option. This helps to prevent running multiple instances of the server with the same Pid, log, and proxy cache files. When a server is shutdown or terminates abnormally, there may be sockets remaining in TIMED_WAIT state in the TCP/IP stack. The Internet Connection Secure Server retries the bind to its listen ports for up to two minutes to allow previously used sockets to close.

If you know that the prior instance of the server has terminated, you can use the -B flag to set SO_REUSEADDR on to the servers listen ports before binding to them. This avoids the TIMED_WAIT delay. This flag is expecially useful if you have automation software that recognizes Internet Connection Secure Server termination and needs to start a replacement server as quickly as possible.

-db

Same as the -dt flag but puts the README at the bottom, after the listing. You can combine -db with the -dy and -dt options (for example, -dyb, -dtb).

-dn

Disables directory browsing. The server responds with an error message to requests for a directory listing.

-dr

Disables the README inclusion feature.

-ds

Enables selective directory browsing. Directory browsing is allowed only for directories containing a file named .www_browsable.

-dt

For any browsable directory that contains a README file, includes the text of the README file at the top of the document before the listing. This is the default setting. You can combine -dt with the -db and -dy options (for example, -dtb, -dty).

-dy

Enables directory browsing. By default, directories can be returned as hypertext documents. This is the default setting. You can combine -dy with the -db and -dt options (for example, -dyb, -dty).

-gc_only

Only does garbage collection and then exits. This flag is used only for caching proxy servers.

-l log-file

Specifies the file to use to log requests.

-noservice

For Windows NT, runs your server in a window instead of as an NT service. This parameter is required if you are using whttpg from a command line.

-nobg

Runs the server as a background process. Do not run the server as a background process.

-nosec

Specifies the flag to use to force a base server. Security loads are bypassed.

-nosnmp

Turns SNMP support off.

-p port-number

Listens on this port number. The default port number is 80. This flag overrides the Port directive specified in the configuration file.

-r configuration-file

Specifies the file to use as the configuration file. You must use this flag if you want to start the server with a configuration file other than the default configuration file.

Note: If you specify the -r option and either the normalmode or sslmode option, you must specify normalmode or sslmode before -r.

-snmp

Turns SNMP support on.

-sslmode [on|off]

For a secure server, turns on the SSL protocol.

-sslport [port]

For a secure server, sets the port used for the SSL protocol.

-version

Returns the version number of httpd and libwww (the WWW Common Library).

SIGTERM

This causes httpd to stop and exit when complete. You can use SIGKILL or CANCEL to immediately terminate.

SIGHUP

Restart a running httpd. This causes httpd to stop accepting new requests, complete current requests, and, if there are no errors, reload the configuration file and resume processing. If there are errors, you must fix the configuration file.

Examples

• To start the server on port 80, using the d:\tcpip\httpd.config configuration file instead of the default configuration file:

     whttpg -r d:\tcpip\httpd.config  -p 80
  

  If the Port directive is given in the configuration file, the -p flag is not required. The -p flag can be used to override the value set in the configuration file.