Installing ICAP and Jive ICAP Demo Wed Jun 28 16:43:07 PDT 2000 Donald W. Gillies 1-408--822-3750 Steps ===================== 1. Installing 5.0 (brutus) on netcache 2. Make sure that NetCache is working 3. Set up the NetCache registry for ICAP 4. Install icap server and linux jive filters 5. Questions or comments 1. Installing 5.0 (brutus) on netcache Ideally, start with a system that has an empty cache. Otherwise, you will sometimes see stale non-ICAP content from your cache, rather than the actual content from the Jive filters and ICAP. With either Netscape or IE, you can reload a web page by doing either Shift-Reload, Ctrl-Reload, or Ctrl-Shift-Reload. This will eradicate stale content. Once your cache is powered on and empty (if possible), then ftp to network appliance: ftp ftp.netapp.com login as anonymous with your email address, then : ftp> binary 200 Type okay. ftp> cd netcache ftp> cd download ftp> cd 5.0 ftp> cd x86 ftp> cd icap ftp> ls alphatest_0XXX00_iserver_demo.tar alphatest_0XXX00_zip_image_pc.zip ftp> mget alphatest_0XX* mget alphatest_0XXX00_iserver_linux.tar? y mget alphatest_0XXX00_zip_image_pc.zip? y This is an image that can be uploaded into any C1100 cache. Let's assume your cache is at 172.30.50.244. Fill out the following form to configure your cache. These items need to be configured, and can be reconfigured any time with the "setup" command by telnetting to the cache, or connecting to the serial console. IP for ea0: ____________ e.g. "172.30.50.244" subnet mask: ____________ e.g. "255.255.255.0" hostname: ____________ e.g. "mycache" dns domain: ____________ e.g. "mycompany.com" nameserver: ____________ e.g. "172.30.49.28" gateway: ____________ e.g. "172.30.50.1" (1st 3 bytes == IP) autosupport: ____n_______ ICAP IP: ____________ e.g. "172.30.42.12" Once you have configured your cache, connect to your cache using the raw IP address, e.g. : http://172.30.50.244:3132/cgi/install # If running 5.0 (brutus) http://172.30.50.244:3132/cache_manager # If running 4.x (julius) log into your cache using the default user name and password (if you haven't changed it yet) : username: admin password: NetCache With a 4.x cache ( julius ), you should see the "NetCache Manager" page. Select "Maintain NetCache" and then "Install NetCache Software". Then, you should delete any old software files (these are .zip files, deleting them will not affect the netcache software that is running, even after a reboot). With a 5.0 cache ( brutus ), you should immediately get a page for installing new software (no existing .zip files will be shown). Enter the name of your binary file for upload in the upload box and hit confirm ( alphatest_0XXX00_zip_image_pc.zip ). The binary should be on the same computer as your browser (i.e. do everything from one UNIX/Linux box). Once the binary has been uploaded, make sure to COMMIT the software. Click "Commit" in the HTML box. Then, telnet to your cache : telnet 172.30.50.244 and reboot your cache. 172.30.50.244> reboot 2. Make sure that NetCache is working configure your browser to proxy data to netcache: Netscape : Edit / Preferences / Advanced / Proxies / Manual Proxy Configuration / View / HTTP address: yourNetCache.company.com port: 3128 Explorer: View / Internet Options / Connection / Proxy server / address: yourNetCache.company.com port: 3128 telnet to netcache console (telnet yourNetCache.company.com) and type "uptime". Then fetch a url with your browser, and then type "uptime" again and make sure the # url's fetched is increasing. This verifies that NetCache is working without ICAP. 3. Set up the NetCache registry for ICAP Here is a set of sample NetCache command-line (registry) settings that are sufficient to enable ICAP on our test station, "orbit.sim.netapp.com" (172.30.42.12). This ICAP server is behind the firewall at Network Appliance; it cannot be used from you cache; you will need to create your own ICAP server (below). We use a default 'port' of 2345; the 'resource' is ignored, except for the 'preview' field, which indicates the size of ICAP preview transactions. The domain limit is a maximum limit on the number of TCP connections (ICAP transactions) that can be executing at a single time. This is set as 'domain.limit'; the latter should not be changed once the server begins operation because it indicates the actual number of ICAP server connections that are transferring data at any given time. set config.icap.server.url.host 172.30.42.12 # YOUR ICAP Server !! set config.icap.server.url.port 2345 set config.icap.server.url.resource /respmod?preview=1000 set config.icap.server.url.type respmod set config.icap.domain.limit 20 set config.icap.enabled on In the future, when you want to disable ICAP for a moment, simply "set config.icap.enabled off" to stop data from being proxied through the ICAP server. Display these config items to make sure that all values have been set properly: show config.icap.* Once all these items are set you should get this error message WHENEVER you try to browse with your cache : 500 Server Error The following error occurred: Cannot connect to ICAP server Could not open error file This is a _good_ thing; it means your cache is trying to connect to the ICAP server, in the next section we will create the ICAP server on a solaris box and these error messages will disappear. 4. Install icap server and jive filter program extract the 3 programs from the tar file > cd icap_directory > tar -xf alphatest_0XXX00_iserver.tar This extracts the jive source code (modified by netapp), including solaris binaries. If you are on a solaris machine, you will want to delete the solaris binaries and rebuild. > ls -l -rw-r--r-- 1 gillies 650 Jun 28 16:40 Makefile -rw-r--r-- 1 gillies 978 Feb 3 1997 POSTER -rw-r--r-- 1 gillies 650 Feb 3 1997 README -rwxr-xr-x 1 gillies 9340 Jun 28 16:39 html -rw-r--r-- 1 gillies 234 Jun 28 16:30 html.c -rw-r--r-- 1 gillies 3484 Jun 28 16:39 html.o -rw-r--r-- 1 gillies 6621 Jun 28 17:01 icap_install.txt -rw-r--r-- 1 gillies 25326 Jun 24 02:04 icap_internals.txt -rw-r--r-- 1 gillies 1309 Jun 28 16:55 icap_jive.txt -rwxr-xr-x 1 gillies 14123 Jun 28 16:35 iserver -rwxr-xr-x 1 gillies 56208 Jun 28 16:39 jive -rw-r--r-- 1 gillies 795 Feb 3 1997 jive.1 -rw-r--r-- 1 gillies 88273 Jun 27 00:19 jive.c -rw-r--r-- 1 gillies 8322 Jun 27 00:19 jive.l -rw-r--r-- 1 gillies 455 Feb 3 1997 jive.lsm -rw-r--r-- 1 gillies 61788 Jun 28 16:39 jive.o -rw-r--r-- 1 gillies 238 Feb 3 1997 main.c -rw-r--r-- 1 gillies 3112 Jun 28 16:39 main.o The binaries are compiled for Solaris. Type "make clean" and then "make" to compile and build the "jive" and "html" binaries. On a PC, you would need the "flex" program to translate jive.l into a "C" program, and a perl interpreter, and a C compiler for your environment. Type "which perl" to determine the location of your perl interpeter. Edit the "iserver" script and change the first line to point to your perl interpreter. Now, run the icap server (iserver) in your local directory: You might find this line in the iserver program : #!/usr/local/bin/perl5.002 # You might end up changing it to something like this : #!/usr/local/bin/perl5 # Now, you can start the ICAP server by typing "iserver" to the solaris box. > iserver ICAP content modifying server (port: 2345, percent 100) [./iserver 23887: listening on port 2345 at Mon Oct 9 16:31:57 2000] [./iserver 23887: server started on port 2345 at Mon Oct 9 16:31:57 2000] [./iserver 23887: waiting ( 0 ) for conn at Mon Oct 9 16:31:57 2000] The iserver expects to be run with a search path that finds commands in the current directory. It expects to run in user mode. If you run it as root, edit "iserver" to specify the search $PATH variable (i.e. $PATH="/tmp/" or whatnot). When you run iserver, you are an icap-200 CONTENT MODIFYING SERVER. all content will be filtered on the icap server, and text and text/html content will be translated to "jive". Whenever the icap server is idle, you may kill it (^C) and change modes TO NOT MODIFY CONTENT : > iserver 204 ICAP content echoing server (port: 2345, percent 100) [./iserver 24023: listening on port 2345 at Mon Oct 9 16:33:21 2000] [./iserver 24023: server started on port 2345 at Mon Oct 9 16:33:21 2000] [./iserver 24023: waiting ( 0 ) for conn at Mon Oct 9 16:33:21 2000] In this mode, the iserver will always respond "204 not modified". This allows you to perform ICAP transactions, but to avoid translating content into jive. If ICAP is configured properly on the netcache, you will see a message like the one below when the cache probes the ICAP server: connect from gillies1.sim.netapp.com [ 10.120.5.103 ] port 1029 at Wed Jun 7 22:34:52 2000] Try using "telnet" to make sure the ICAP server is working (telnet yourIcapUnixHost.company.com 234, then type POST GET HTTP/1.1 end of message body You should see the iserver parser running ( Server-rhdr means its reading the ICAP "request" header, Server-chdr means its reading the "client" request header, Server-ohdr means its reading the "origin" server header, RXXX, CXXX, and OXXX mean that an end-of-header has been found.) 5. Debugging with NetCache To see what happened to a failed or successful ICAP transaction: nclog -ta -100 http # print 100 lines of http log To see how many URL's your cache has served: uptime # show system uptime To see what your cache is doing (is it still working on ICAP transactions, or is there no activity sysstat 2 # print activity every 2 seconds # hit crtl-c to cancel. Other useful commands, like BSD unix: ping netstat traceroute In addition, it is possible to take network packet traces from the netcache. Type pktt start all # begins tracing pktt dump all # dumps current trace to file, resets tracing pktt stop all # terminates tracing Once the trace has been taken, the file name may be viewed with the GUI Under Utilities / Network / Packet Trace. These traces can also be ftp'd to a different host from this page. This is a standard network packet trace, in tcpdump format, and can be viewed with publically available trace analyzers, such as ethereal or any other tcpdump-compatible analyzers. See www.ethereal.com for more details. 6. Limitations ------------- if you have problems ----------- If a web page doesn't download, kill the browser and try a different page. If everything stops working, kill the ICAP (^C) server and restart the icap server. Some pages may have problems. In some cases, this is because the jive filter has modified some java code. The html filter and jive both use simple heuristics to skip over HTML TAGS, however, comparisons ('<' and '>') in java are likely to confuse the jive filters. If you find other problems, please contact one of the people listed below : Mike Resong Network Appliance Building 3-3-??? 495 East Java Drive Sunnyvale, CA 94089 408-822-6446 (ofc) miker@netapp.com Donald W. Gillies Network Appliance Building 3-3-165 495 East Java Drive Sunnyvale, CA 94089 408-822-3750 (ofc) gillies@netapp.com