17.992 bytes

Service Hints & Tips

Document ID: MIGR-47SVUQ

Network Station - AS/400: Release 3 Browser Notes (NC Navigator) - II11283

Applicable to: World-Wide

AS/400 - Release 3 Browser Notes (NC Navigator) - II11283

This document includes information about the IBM Network Station and IBM Network Station Manager AS/400 product. This document relates to AS/400 systems running R370, R410, R420 and subsequent version and release levels, as needed. Since this document will be updated on a regular basis, it is recommended that you refer to it on a regular basis.

Release 3 Browsers

The new Release 3 of NSM (Network Station Manager, product 5648C05) is discussed in document: II10405 - AS/400: Network Station Release 3 Reference. In NSM Release 3, there are two possible Browsers: (1) the NC Navigator 40-bit (subcomponent 5648C05BR), and (2) the NC Navigator 128-bit Browser (product 5648C20). The 40-bit NC Navigator subcomponent is included in the base NSM product (5648C05). But the 128-bit NC Navigator product is a separate installable product (5648C20). Document (insert) contains information about NSM 2.0 and NSM 2.5 relative to IBM and NC Navigator Browsers, while this document (13715844) will discuss the new Release 3 (40-bit and 128-bit NC Navigator) Browsers.

NC Navigator Install Instructions

Following are installation steps for install/setup of the 128-bit NC Navigator product 5648C20.

Note: These steps do not apply to the 40-bit NC Navigator Browser because the 40-bit NC Navigator Browser (5648C05BR) is automatically included in the base NSM product 5648C05.

Install 128-Bit NC Navigator:


5648B08 IBM 40-bit Browser5648B18 NC Navigator 40-bit Browser (Rel 2.x)5648B10 IBM 128-bit Browser5648B20 NC Navigator 128-bit Browser (Rel 2.x)
For each product found on your system use the following command:

DLTLICPGM LICPGM(xxxxxxx)

Replace the xxxxxxx with the Product ID from above.

Note: The associated PTFs will also be removed.


RSTLICPGM LICPGM(5648C20) DEV(OPT01)


Note: Without the change in the environment variable, the Network Stations will default to the 40-bit NC Navigator Browser.

a) Sign on to Network Station Manager for this system.
b) Expand the "Startup" category under Setup Tasks.
c) Select the "Environment Variables" task.
d) Select the desired level of defaults to work with System, Group or User and press the Next button.
e) Type in NAV_128SSL in the Environment Variable box, and TRUE in the Value box, then press Finish.

Note: To deactivate the 128-bit Browser, go back and change the Value to FALSE or blank. This will re-activate the 40-bit version.
New as of 09/04/98, the first PTFs for Network Station Manager Release 3 are available. Refer to document 13493634 for more information. To link to 13493634 immediately, click here . As part of these new PTFs, changes have been made with regards to the Java functionality within the browser.

Here are some Q&As to explain these changes:

Question:
What changes are made with regards to the functionality of Java applets within the NC Navigator browser in the first PTF for Rel 3.0 NSM product?

Answer:
The first PTFs for the NC Navigator browser in Rel 3.0 (SF51019 - 40-bit) and (128-bit not available yet, see APAR SA74058) will result on an upgraded ClassLoader and Security Manager that supports up to JVM 1.1.6 functions in Java applets executed within the browser context. The browser that was shipped as part of the NSM Rel 3.0 GA in June '98 included a ClassLoader and Security Manager that worked mostly with JVM 1.0.2 function and only some of JVM 1.1.x function. Besides the upgrade to the ClassLoader and Security Manager, there has also been a new mechanism put into place that will allow system administrators or users to set Java properties within Network Station Manager application for the AppletViewer that will allow them to control the security policy that gets enforced by the browser's security manager for applet execution within the browser context.

Question:
What is the rationale in making this change in the browser in this first PTF?

Answer:
The NC Navigator browser on the IBM Network Station shares the external JVM that is provided on the Network Station. It does not use an built-in JVM like most browsers on other platforms like PCs, Work Stations, and so on. The JVM that is provided in NSM Rel 3.0 of IBM Network Station is JVM 1.1.4. The browser uses the JVM to be able to run applets within its context. Most commercially written applets worked fine with the browser that was released as part of the GA package but there is certain new function that is specific to JVM 1.1.x that was not being handled correctly by the ClassLoader present in the browser shipped in the GA package of NSM Rel 3.0. In order to provide some of this valuable function required by customers and based on certain expectations of Java given that the JVM is at level 1.1.4, it became necessary to upgrade the ClassLoader and the corresponding Security Manager in NC Navigator's code to handle some of this new function. By providing the upgrade we are able to achieve consistency in the functioning of Java applets using JVM 1.1.x function while executing in the context of the browser.

Question:
Identify the function that is typically available in a JVM at level 1.x which will now be available for use by applets running in the browser after running in the browser after the ClassLoader and Security Manager upgrade.

Answer:
Functionality that will now be supported in the browser as part of this upgrade includes the following:

  1. Use of JAR files (Java zip/tar files) - The applet tag can now specify single or multiple JAR files be used in the applet code.
  2. Support for Reflection APIs (for viewing class and instance information).
  3. Use of Resource Bundles (for NLS translations).
  4. With the use of the new mechanism to control the security policy enforced by the browser's security manager within the browser's appletviewer context it is possible now to bypass certain security checks and enable certain trusted signed applets to run in the browser, which otherwise would have failed with security exceptions. The administrator /user is now able to set Java appletviewer properties from within Network Station Manager to enable or disable a set of specific security checks by the Browser's Security Manager. See question number 5 for ncNavSec syntax and properties.


Question:
What is the customer likely to see after this upgrade?

Answer:
Because of the more restrictive nature of the Security Manager, certain applets that ran previously in the browser shipped with the GA package, may fail now with Security Exceptions. The Security Exceptions will normally be logged in the Network Station console. The most likely candidates to fail are those applets:

  1. Manipulating AWT threads (property: Access).
  2. Trying to access (read from/write to) the local file system (properties: Read, Write).
  3. Trying to connect via sockets to a network host other than the host from which the applet itself was downloaded (properties: Accept, Connect, Listen).
  4. Trying to access (copy to/paste from) the system clipboard (property: SystemClipboard).
  5. Trying to initiate a print job request (property: PrintJobAccess).
  6. Trying to access system properties (properties: SecurityAccess, Property, Properties).
  7. Trying to launch other programs on the client (properties: Exec, Exit).


Question:
How does one set Java appletviewer properties to enable or disable specific security checks?

Answer:

NC Navigator 3.04 ncNavSec: Syntax and Properties

Where to enter property settings:
Network Station Manager->Internet->AppletViewer->Properties

Syntax:
ncNavSec.<property>=<boolean>

Properties:
where <property> can be one of:
Accept
Access
Connect
Exec
Exit
Listen
Member
Package
PrintJobAccess
Properties
Property
Read
SecurityAccess
SystemClipboard
Write
All (comprises all listed properties) where <boolean> can be one of:

  1. TRUE (must be all caps)
  2. FALSE (must be all caps)


Definitions:
The default setting is ncNavSec.All=FALSE, which means that applets are not allowed to bypass security checks for any of the listed security properties.
A boolean value of TRUE for any property means that applets will bypass the security check for the defined security property.

Examples:


Notes:
If the All property is set, along with individual properties, the All property setting will override any individual property setting. That is, all individual property settings will be ignored. Enter each individual property on a separate line, that is, enter a carriage-return after each setting. To have changes take effect, reboot your network station after changing properties in NSM.

Question:
Why did we choose the ncNavSec properties mechanism?

Answer:
The interface of the NC Navigator 3.04 browser does not have the capability to handle signed applets, which could allow trusted applets to execute locally and perform certain restricted operations. This support is available only in newer browsers, such as in Netscape Navigator 4.0x and IE 4.0x. In order for the NC Navigator 3.04 browser to emulate such capability, we have incorporated this mechanism to allow the user some control over the enforcement of the security policy by the browser security manager.

Question:
What the user must understand about disabling security checks in order to run certain applets.

Answer:
ncNavSec properties should be used discriminatory, with the understanding that setting a certain property to true allows all applets to bypass the security check for the set property. These properties should only be set if the System Administrator deems that the applets being run belong to a trusted codebase.

Question:
Are there any known types of applets that might still fail with Security Exceptions even after setting ncNavSec.All=TRUE to bypass all security checks?

Answer:
Currently we know of one case -- if the applet is using ObjectInputStream or ObjectOutputStream (object serialization), it will not work. This is not allowed even in Netscape Navigator 4.0x.

Note: Since NC Navigator 3.04 browser enforces the Netscape Security model, applets that normally tend to run in a native appletviewer environment might still fail within the browser context. The Class Loader and Security Manager upgrade ensures enforcement of the Netscape Security model when interfacing with JVM 1.1.4 on the IBM Network Station.

Note: DLTLICPGM for 5648C20 (128-bit browser) does not delete the file nav128.bak from the directory /QIBM/ProdData/NetworkStation/mods/.

When the user then applies the 128-bit browser PTF, the original nav128.nws file in the /QIBM/ProdData/NetworkStation/mods/ directory is renamed to nav128.bak, and the new nav128.nws file is from the PTF (for example, now the directory contains both of the files nav128.nws and nav128.bak). After the user then does a DLTLICPGM for the 128-bit browser (Product 5648C20), both files nav128.nws and nav128.bak should be deleted, but this is not the case -- the nav128.nws file is deleted but the nav128.bak file remains.

This does not result in any functional problems with the 128-bit browser. The only concern is that the nav128.bak file is not deleted. The user must manually delete the nav128.bak file from the directory /QIBM/ProdData/NetworkStation/mods/ after doing a DLTLICPGM of the 128-bit browser (Product 5648C20).


Search Keywords

Document Category

General Information, Installation Guides, System Administration Tools, User Guides

Date Created

12-05-99

Last Updated

11-05-99

Revision Date

12-11-99

Brand

IBM Network Station, Network Computers

Product Family

Network Station, AS/400 - Network Station, NT Server - Network Station, OS/2 Warp Server - Network Station, RS/6000 - Network Station, S/390 OS/390 - Network Station, S/390 VM/ESA - Network Station

Machine Type

8361, 8362

Model

All

TypeModel

Retain Tip (if applicable)

Reverse Doclinks
and Admin Purposes