(--------------------------------------------------------------------) (Server Administration\cr_server_admin)

The online Server Administration facility provides a rich collection of functionality, including server control, reports and configuration. Some of these are intended as general administration tools while other provide more detailed information intended for server debugging and development purposes. (....................................................................) (HTML=

[graphic]  Server Administration Graphic
) (....................................................................) (HTML/OFF)

(online graphic) (HTML/ON)

The value of the WATCH facility (cr_watch) as a general configuration and problem-solving tool cannot be overstated.

All server configuration files, with the exception of the authentication databases, are plain text and may be modified with any prefered editor. However the majority of these can also be administered online through a browser. In addition the (update) facility allows some administration of file system portions of the Web. See (cr_web_update).

Access to many portions of the package is constrained by file protections and directory listing access files. See (hd_auth_sysuaf_profile_site) for a method for circumventing these restrictions. (....................................................................) (Access Before Configuration\hd_admin_no_config)

It is often a significant advantage for the inexperienced administrator on a new and largely unconfigured installation to be able to gain access to the facilities offered by Server Administration, particularly the WATCH facility ((cr_watch)). This can be done quite simply by using the authentication skeleton-key ((hd_auth_skeleton_key)). This allows the site administrator to register a username and password from the command-line that can be used to gain access to the server. In addition, the server ensures that requesting an otherwise non-authorized Server Administration facility generates a challenge which invokes a username/password dialog at the browser allowing the user to enter the previously registered username and password and gain access. (Method\hd_admin_no_config_method) (UNNUMBERED) Register the skeleton-key username and password. $ HTTPD == "$WASD_EXE:HTTPD_SSL.EXE" $! HTTPD == "$WASD_EXE:HTTPD.EXE" $ HTTPD /DO=AUTH=SKELKEY=(_username:password)

Note that the username must begin with an underscore, be at least 6 characters, is delimited by a colon, and that the password must be at least 8 characters. By default this username and password remains valid for 60 minutes. (Choose strings that are less-than-obvious!\BOLD) Access the server via a browser and use the server Server Administration facility. (HTML=

  http://the.host.name:port/httpd/-/admin/
) (HTML/OFF) http://the.host.name:port/httpd/-/admin/ (HTML/ON) After use the skeleton-key may be explicitly cancelled if desired. $ HTTPD /DO=AUTH=SKELKEY=0 (....................................................................) (Access Configuration\hd_admin_access_config)

Once established the site should make the Server Administration facility a configured facility of the site. The value of its facilities cannot be overstated.

It is also recommended that for production sites the path to these reports be controlled via authentication and authorization, using both host and username restrictions, similar to the following: [WHATEVER-REALM] /httpd/-/admin/* host.ip.addr,~WebMaster,~WhoEverElse,r+w

If a full authorization environment is not required but administration via browser is still desired restrict access to browsers executing on the server system itself, using an appropriate SYSUAF-authenticated username. Provision of a VMS account for server administration only is quite feasable, see (hd_auth_web_only). [VMS] /httpd/-/admin/* #localhost,~(username),r+w

If SSL is in use ((cr_ssl)) then username/password privacy is inherently secured via the encrypted communications. To restrict server administration functions to this secure environment add the following to the WASD_CONFIG_MAP configuration file: /httpd/-/admin/* "403 Access denied." ![sc:https]

When using the (revise) capability of the Server Administration facility it is necessary to comply with all the requirements for Web update of files. This is discussed in general terms in (cr_web_update). Revision of server configuration files requires path permissions allowing write access for the username(s) doing the administration, as well as the required ACL on the target directory (in the following example WASD_ROOT:[LOCAL]). [VMS] /httpd/-/admin/* #localhost,~(username),r+w /wasd_root/local/* #localhost,~(username),r+w

It is possible to allow general access to the Server Administration facility and reports while restricting the ability to initiate server actions such as a restart! Using the WORLD realm against the path is necessary, for the obvious security reason, the server administration module will not allow itself to be used without an authenticated username, provided as a pseudo-authenticated (WORLD). [VMS] /httpd/-/admin/control/* #localhost,~(username),r+w [WORLD] /httpd/-/admin/* r

When GZIP compression is configured for the server (see ([-.CONFIG]DOC_config.sdml) document, (GZIP Encoding) section) it is not by default applied to Server Admin reports or other pages. It can be applied, selectively if desired, using mapping rules. For instance, to apply it to all requests not from the local intranet a rule similar to the following can be added before the Server Admin path mapping itself. if (!remote-addr:192.168.0.0/8) set /httpd/-/admin/* response=GZIP=all pass /httpd/-/admin/* /httpd/-/admin/*

GZIP content-encoding can never be applied to WATCH reports. (....................................................................) (Server Instances\hd_server_reports_instances)

With a single instance (see (hd_server_instances)) access to Server Administration reports, etc. is always serviced by the one server process. If multiple instances are configured then in common with all requests administration requests will be serviced by any one of the associated processes depending on the momentary state of the round-robin distribution.

There are many circumstances where it is preferable to access only the one server. This can be accomplished for two differing objectives. (NUMBERED) To facilitate access to a specific instance's Server Administration page, including instance-specific reports etc. This is provided through the use of an (administration service) port (see (HREF=[-.config]config.sdml!../config/#hd_service_admin) ([-.CONFIG]DOC_config.sdml)) available from the Server Administration page. The Server Administration page ((hd_server_action_control)) and the command-line ((hd_admin_do_instance)) provides the capability to explicitly set the number of instances supported, overriding any configuration directive. After explicitly setting this, using either means, the server must be restarted. The explicit startup setting remains in effect until it is changed to (max) allowing the WASD_CONFIG_GLOBAL configuration directive [InstanceMax] to once again determine the number of instances required.

The latter approach is particularly useful when performing detailed WATCH activities ((cr_watch)).

When multiple per-node instances are executing the Server Administration pages and reports all include an indication of which process serviced the request. When accessing no instance in particular the process name is presented in parentheses after the page title HTTPd www.example.com:80 Server Administration (HTTPd:80) When a particular instance's administration service port is being used the process name is separated from the page title by a hyphen HTTPd www.example.com:80 Server Administration - HTTPd:80

Multi-instance status (see (hd_instance_status)) snapshots are available via HTTPDMON, the Server Admin main page and can be reported from the command line using $ HTTPD /DO=STATUS (....................................................................) (HTTPd Server Reports\hd_server_reports)

The server provides a number of internally generated reports. Some of these are of general interest. Others are more for evaluating WASD behaviour and performance for development purposes. Appropriate reports have a refresh selector allowing the report to be updated at the selected period. The following list is in the approximate order in which they occur top-to-bottom, left-to-right in the menu layout.

It is possible to use this facility standalone, without configuring authorisation ((hd_admin_no_config)). (UNNUMBERED) (Statistics - \BOLD) Server process up-time, CPU-time and other resources consumed, number of connections processed, number of requests of each HTTP method, type of processing involved (HTTPd module used), number of bytes processed, etc. (Log - \BOLD) Display the server process (SYS$OUTPUT) log. (Configuration - \BOLD) A tabular summary of the server's current configuration. This is a convenient method for viewing the information from the WASD_CONFIG_GLOBAL file. (Services - \BOLD) A tabular report listing the current services (virtual servers) and the service-specific parameters. (Messages - \BOLD) A tabular report of the server's current message database, multiple languages shown if configured that way. (Mapping - \BOLD) All loaded mapping rules and any cached USER rule paths. A selector allows rules applying only to one particular virtual server to be displayed. (Path Authorization - \BOLD) If authorization is in use ((cr_authorization)) this report lists the paths with associated authorization and access control. (User Authentication - \BOLD) List any users that have been authorized since the server was last started, the realm authorized from, the group it applies to (if any), and what the user's capabilities are (allowed HTTP methods). A time-stamp and counters provide additional information. (Secure Sockets - \BOLD) The SSL report lists counts of the number of SSL transactions initiated and completed, along with session cache statistics for the currently connected SSL service. It also lists the ciphers available and current session information. Other reports allow the Certificate Authority (CA) database to be view and edited, if available due to X.509 authentication being enabled. (AlnFlt - \BOLD) On Alpha and Itanium, memory access alignment faults are constantly monitored. This displays the accumulated statistics since the most recent startup. Should always be zero! (Cache - \BOLD) Allows monitoring of cache behaviour and performance, as well as the files currently in the cache (see (HREF=[-.config]config.sdml!../config/#cr_cache)([-.CONFIG]DOC_config.sdml)). (Cluster - \BOLD) For clustered systems generates a report similar to the (System Report) but with a cluster emphasis. (DCL Scripting - \BOLD) Provides some DCL, CGI and CGIplus scripting information.

DCL module statistics (same information as displayed in the server statistics report). These are cumulative for the entire life of the system (unless zeroed).

Process information shows how many actual processes exist at the time of the report, as indicated by the PID and bolded, non-zero liftime (in minutes). The (soft-limit) specifies how many CGIplus scripts are allowed to continue existing before the least used is deleted and the (hard-limit) show how many processes may actually exist at any one time (the margin allows for process deletion latency). A count of how many times the CGIplus processes have been explicitly purged (button available on this report page). The (life-time) of zombie processes (in minutes, zero implying use of zombies is disabled) and the number that have been purged due to expiry. CGIplus process life-time (in minutes, zero implying indefinite), the number purged due to life-time expiry and the number of CGIplus processes that the server has actually purged (deleted) to maintain the soft-limit margin specified above.

Each of the allocated process data structures is listed. There may be zero up to hard-limit items listed here depending on demand for DCL activities and the life of the server. Items with a PID shown indicate an actual process existing. This can be a zombie process or a CGIplus process. If no process is indicated then the other information represents the state the last time the item's associated process completed. Information includes the script (URL-style path) or DCL command, total count of times the item has been used and the last time it was. The zombie count indicates the number of time the same process finished a request and entered the (zombie) state. The CGIplus column indicates it is/was a CGIplus script and shows the total number of times that particular script has been/was used. If the process is currently in use the client information show the client host name.

If any processes are associated with any data structure a (purge) button is provided that forces all processes to be deleted. This can be useful if a new script image is compiled and it is required all scripts now use this. If a script is currently processing a request the process deletion occurs when that processing is complete. The purge button (does not force\BOLD) a process to delete, so a second button (forces\BOLD) all processes to delete immediately. This can be used to forceably clear errant scripts, etc., but be warned script processing is indiscrimately stopped! (DECnet Scripting - \BOLD) DECnet module information shows totals for DECnet scripting usage and the DECnet connection list.

This list will grow, up to the specified configuration maximum, as conconurrent scripting demand occurs. Maintained connections are indicated by the bolded, non-zero lifetime (in minutes). When this reaches zero the task is disconnected. The current/last task for that connection is indicated, along with the number of times the connection was reused and a total number of uses for that list item.

(Purge) and (force) buttons allow current links to be broken after request completion or forcibly disconnected. (HTTP - \BOLD) Reports HTTP/2 and HTTP/1.(n) statistics together as well as providing a list of current HTTP/2 connections with some per-connection data. See (cr_http2) for details. (Lock - \BOLD) Lists the names and status of all lock resources used to manage single and multiple instances across single systems or a cluster. This report is more relevant for evaluating and debugging WASD behaviour. (Match - \BOLD) To assist with the refinement of string matching patterns (see (HREF=[-.config]config.sdml!../config/#cr_string_matching)([-.CONFIG]DOC_config.sdml)). this report allows the input of target and match strings and allows direct access to the server's wildcard and regular expression matching routines. Successful matches show the matching elements and a substitution field allows resultant strings to be assessed. (Memory - \BOLD) Provides a report and does an integrity check on each of the Virtual Memory (VM) zones employed by the WASD HTTPd. (Process - \BOLD) Lists all processes on the current system owned by the server account. From this list a process can be selected to have a (SHOW PROCESS /ALL) performed on it, displayed on a report page. (Proxy - \BOLD) If proxy serving is enabled a report providing statistics on the various HTTP methods used, network and cache traffic, cache reads and writes, requests not cachable, and host name lookup are provided. This may used to help guage the effectiveness of the cache. (Request - \BOLD) Lists in-progress requests (always shows at least your own connection accessing this report :-) Additional buttons after the report allow selection of a report that in addition displays current persistent network connections, requests currently under throttle control, and if enabled a list (history) of the most recent requests (enabled by the configuration parameter [RequestHistory]). Current requests may be selected for (one-shot) WATCH-processing reports from this page ((cr_watch)).

Two other diagnostic tools are available from the same link. The first, (WATCH-peek Report), providing a snapshot of the contents selected internal fields and data structures of the request. This is primarily intended as a problem investiagtion and development tool, and will be of limited value without an understanding of server internals. The second accesses the (peek) internals plus a one-shot WATCH-processing report.

For servers handling a great quantity of concurrent traffic this can generate a very large report. The (Supervisor) report can also provide a profile of the servers current load. (Supervisor - \BOLD) Provides a simple table displaying each timer list and any associated request count. Shows how many requests are set be scanned and evaluated for continued processing every so-many seconds. For very busy servers this is another method for gaining an idea of the traffic profile (this is perhaps more meaningful for those with an understanding of WASD internals). (System - \BOLD) Shows the system, all users, memory and CPU status as a single report. (Throttle - \BOLD) This report provides a list of paths with throttle rules mapped against them. It provides the throttle values along with current and history activity counters. (WATCH - \BOLD) This report provides an online, real-time, in-browser-window view of request processing on the (running server\BOLD). See (cr_watch) for details. (WebDAV - \BOLD) Provides configuration and statistics. (WebSocket - \BOLD) Lists in-progress WebSocket requests with connection statistics and the scripting process associated with. (Activity - \BOLD) Provide a graphical (snapshot) of server activity of a given period.

The statistics are stored in a permanent global section and so carry-over between server restarts. Where multiple instances are executing the data represents an accumulation of all instances' processing. It is enabled by the configuration parameter [ActivityDays]. The Server Administration facility provides several, represented as a period of hours before the present time. Number of requests and bytes sent to the client are represented by a histogram with respective means for each by a line graph. A bar across the column of the request histogram indicates the peak number of concurrent requests during the period. A (greyed) area indicates no data available for that time (i.e. before the latest server startup, or in the future).

Server startup and shutdown events are indicated by solid, vertical lines the full height of the graph (see example for a restart event). (SIMPLE) startup - green shutdown - black restart - grey error exit - red

Activity data is accumulated on a per-minute basis. This is the maximum granularity of any report. When reports are selected that can display less than this one minute granularity (i.e. with periods greater than four hours) the value shown is the (peak\BOLD) of the number of minutes sampled for display. This better represents the load on the server than would a mean of those samples.

The graph is an image map, various regions of which allow the selection of other reports with different periods or durations. This allows previous periods to be examined at various levels of detail using the graph for navigation. Various sections may have no mapping as appropriate to the current report.

For multiple hour reports the upper and lower sections have distinct functions. The middle 50% of the upper section allows the same end time (most commonly the current hour) to be examined over twice the current period, in this case it would be over eight hours. The left 25% allows the previous fours hours to be viewed (if such data exists), and for non-current reports the right 25% allows the next four hours to be viewed. The lower half can be divided into sections representing hours or days depending on the period of the current report. This allows that period to be viewed in greater detail. For single hour reports this section, of course, is not mapped.

Remember that the URL of the mapped section will be displayed in the status bar of the browser. As the URL contains time components it is not a difficult task to decipher the URL displayed to see the exact time and period being selected. (....................................................................) (HTML=

[graphic]  Server Activity Graphic
) (HTML/OFF)

(online graphic) (HTML/ON) (....................................................................) (HTTPd Server Revise\hd_server_revise)

The server provides a comprehensive configuration revision facility. (UNNUMBERED) (Configuration - \BOLD) A form-driven interface allows the current configuration of the server to be altered online. This configuration may then be saved to the on-disk file and then the server could be restarted using the new parameters. The source of the current configuration can be either the server itself (from its volatile, in-memory parameters) or from the on-disk configuration file. In addition it is possible to directly edit and update the on-disk file. (Services - \BOLD) A form-driven interface allows service (virtual server) configuration. It is also possible to directly edit and update the on-disk file. The server must be restarted for service changes to take effect. (Messages - \BOLD) A form-driven interface allows the the server messages to be modified. It is also possible to directly edit and update the on-disk file. The server can then be restarted to use the modified database ((hd_server_action)). (Mapping - \BOLD) No form-driven interface is currently available for changing the mapping rules. However it is possible to directly edit and update the on-disk file. The mapping rules could then be reloaded, changing the current server rules ((hd_server_action)). (Path Authorization - \BOLD) No form-driven interface is currently available for changing the path authorization configuration. However it is possible to directly edit and update the on-disk file. The path authorization directives could the be reloaded, changing the current server authorization ((hd_server_action)). (User Authentication - \BOLD) User authentication comprises a number of dialogues that allow the WASD-specific (HTA) authentication databases to be administered. These include:

(SIMPLE) creating databases deleting databases accessing databases for administering usernames listing usernames within databases adding usernames deleting usernames modifying username permissions and other data reseting in-server (cached) authentication information

Chapter (cr_authorization) covers authentication detail. (Site Log - \BOLD) This accesses a plain-text file that could be used to record server or other significant site configuration changes if desired. Two methods of access are provided. (NUMBERED) Site-Log - open the file for editing, placing a date/time/author timestamp at the top Edit - open the file editing

The file name and/or location may be specified using the logical name WASD_SITELOG. (Enabling Server Access\hd_server_access)

Many of the server activites listed above require server account write access to the directory in which the configuration files are stored. Where an autononmous scripting account is in use this poses minimal threat to server configuration integrity. (NUMBERED) Specifically map the /wasd_root/local/ path and mark it as access always requiring authorization (ensure this is one on the first mappings in the file and certainly before any other /wasd_root/ ones). # WASD_CONFIG_MAP pass /wasd_root/local/* auth=all Add appropriate authorization rules (example from (HREF=[-.config]config.sdml!../config/#cr_auth_config)([-.CONFIG]DOC_config.sdml)). # WASD_CONFIG_AUTH ["Web Admin"=WASD_WEBADMIN=id] /httpd/-/admin/* r+w /wasd_root/local/* r+w Update access to the directory can be applied using the SECHAN utility ((hd_sechan)). $ SECHAN /WRITE WASD_ROOT:[000000]LOCAL.DIR $ SECHAN /WRITE WASD_ROOT:[LOCAL] Load the new mapping and authorization rules. $ HTTPD /DO=MAP $ HTTPD /DO=AUTH=LOAD (Alternative Using /PROFILE\hd_server_access_profile)

If a site is using SYSUAF authentication and security profiles enabled using the /PROFILE startup qualifier ((hd_auth_security_profile)) then a more restrictive set up is possible, retaining the default no-access to the [LOCAL] directory. This relies on the administering account(s) having read and write access to the [LOCAL] directory. It is then not necessary to grant that to the server account. It is possible to limit the application of VMS user profiles. This is an example. # WASD_CONFIG_MAP set /wasd_root/local/* profile auth=all set * noprofile

To use this approach perform steps 1, 2 and 4 from above, substituting the following for step 3. $ SECHAN /PACKAGE WASD_ROOT:[000000]LOCAL.DIR $ SECHAN /PACKAGE WASD_ROOT:[LOCAL] $ SECHAN /CONTROL WASD_ROOT:[000000]LOCAL.DIR (....................................................................) (HTTPd Server Action\hd_server_action)

The server allows certain run-time actions to be initiated. Many of these functions can also be initiated from the command line, see (hd_admin_do_cli).

When multiple servers are executing on a single node or within a cluster a JavaScript-driven checkbox appears in the bottom left of the administration menu. (Checking that box applies any subsequently selected action to all servers!\BOLD) (Control Section\hd_server_action_control) (UNNUMBERED) (Server Restart/restartNOW/restartQuiet/Exit/exitNOW - \BOLD) The difference between restart/exit and restartNOW/exitNOW is the former waits for any current requests to be completed, while the latter does it immediately regardless of any current connections. The restartQuiet variant continues processing until demand drops to zero for more than one second at which point it commences restart. If the browser has JavaScript enabled a cautionary alert requesting confirmation is generated (otherwise there is no confirmation). (Logging On/Off/Flush - \BOLD) The WASD_CONFIG_LOG logical must be configured to allow access logging to be enabled and disabled from this menu. (Caching On/Off/Purge - \BOLD) Caching may be enabled and disabled in an ad hoc fashion using these controls. When being disabled after being enabled all previous data is retained. If subsequently reenabled that data is then again available for use. This allows convenient assessment of the subject or even object benefits on the cahing. If purged all entries in the cache are removed. (Instance Startup - \BOLD) An instance value may be set that overrides the configuration directive [InstanceMax] at next startup. This may be used to change the number of server processes on an ad hoc basis. Reset to (max) to return to configuration control. Note that this can be applied to the current node only or to all servers within a cluster, and that a subsequent restart is required. ((/DO=) Button and Field - \BOLD) Provides a on-line facility parallel to that provided by the command-line /DO qualifier ((hd_admin_do_cli)). Any directive available via the command-line can be entered using this interface and applied on a per-node or per-cluster basis. (Configuration (Action) Section\hd_server_action_config) (UNNUMBERED) (Statistics Zeroed - \BOLD) All counters are zeroed (except the (number-of-times-zeroed) counter!) (Mapping Rules Reload - \BOLD) Reloads the path mapping rules from the on-disk file into the running server, clears the user SYSUAF mapping cache.

(Caution! \BOLD) If changing CGIplus script mapping it is advised to restart the server rather than reload. Some conflict is possible when using new rules while existing CGIplus scripts are executing. (Path Authorization Reload - \BOLD) Reloads the path authorization directives from the on-disk file into the running server. (User Authentication Cache Purge - \BOLD) For efficiency reasons authenticated user information is cached for a limited period within the running server. All this cached information may be completely purged using this action, forcing subsequent requests to be reauthenticated from the on-disk database. (--------------------------------------------------------------------) (HTTPd Command Line\hd_admin_do_cli)

A foreign command for the HTTPD control functionality will need to be assigned in the adminstration users' LOGIN.COM, for example: $ HTTPD == "$WASD_EXE:HTTPD" or (perhaps more likely) $ HTTPD == "$WASD_EXE:HTTPD_SSL"

Some control of the executing server is available from the DCL command line on the system on which it is executing. This functionality, (via the /DO= qualifier\BOLD), is available to the privileged user.

These directives are communicated from the command-line (and Server Administration page analogue - (hd_server_action_control)) to the per-node or per-cluster servers using the Distributed Lock Manager. On pre-VMS V8.2 the command buffer is limited to 15 bytes. From VMS V8.2 the buffer space available is 63 bytes. In a cluster all systems must support the larger buffer before WASD enables it. The smaller buffer space limits some of the directives that take free-form parameters (e.g. /DO=DCL=PURGE=USER=DANIEL). (Multi-Server/Cluster-Wide\hd_server_multiple)

If multiple servers are executing on a host or cluster it is possible to control all of them by adding the /CLUSTER or /ALL qualifiers. Of course, these commands are available from batch jobs as well as interactively. In a clustered WASD environment the same functionality is available via checkboxes from the online Server Administration facility. (Need it to be jogged?\hd_server_do_help)

Can't quite remember what it can (and by implication can't) do? $ HTTPD /DO=HELP (Server Log Annotation\hd_admin_do_note)

Significant server events (e.g. restart, exit, mapping rule change) can often benefit (post-mortem :-) from an annotation in the server process log, especially in a production environment. The command-line /NOTE="()" can be used to insert the supplied string as an ad hoc annotation, or in conjunction with a /DO=".." CLI command. $ HTTPD /NOTE="just a note test!" $ HTTPD /DO=RESTART /NOTE="adding services ""download."" and ""mail."""

The server process log annotation appear as follows. %HTTPD-I-NOTE, 10-DEC-2017 22:32:30, just a note test! %HTTPD-I-NOTE, 10-DEC-2017 22:33:05, adding services "download." and "mail."

Note may also be inserted from the Server Admin main page by using the [/DO=] button and field and prefixing the string with /NOTE= (string delimitting quotation marks are not required). Using the Server Admin page annotation and commands cannot be combined. (Accounting\hd_admin_do_accounting)

Server counters may be zeroed. These counters are those visible from the (statistics) Server Admininstration item and when using the HTTPDMON utility. $ HTTPD /DO=ZERO

The HTTPDMON utility displays a status line during startup or server exit on error. For example: KLAATU:: 1 HTTPDMON v2.6.0 AXP Friday, 21-SEP-2018 21:40:54 Process: WASD:80 PID: 00001F9B User: HTTP$SERVER Version: 11.3.0 Up: 6 18:21:20.96 CPU: 0 00:07:25.54 Startup: 55 Exit: %X00000001 (8< snip 8<) Rx: 1,365,809 (0 err) Tx: 26,965,420 (0 err) (477kB/s) STATUS: %HTTPD-I-STARTUP, 21-SEP-2018 21:40:52, WASD:80

On occasion this can status message become constantly displayed (e.g. command-line misoperation) with $ HTTPD /DO=ZERO=STATUS restoring normal request information. (Alignment Faults\hd_admin_do_align)

On Alpha and Itanium platforms alignment faults can be a significant performance issue and considerable effort has been invested in completely eliminating them. This was done using a internal reporting tool (primarily intended for the WASD developer) available from the Server Admin interface. Defining the logical name WASD_ALIGN_MAP to be a linker map of the build provides additional information. $ HTTPD /DO=ALIGN=START $ HTTPD /DO=ALIGN=STOP $ HTTPD /DO=ALIGN=ZERO $ HTTPD /DO=ALIGN=FAULT=1 (Authentication\hd_admin_do_auth)

See (cr_authorization).

The authorization rule file (HTTP$AUTH) may be reloaded using either of these variants. $ HTTPD /DO=AUTH $ HTTPD /DO=AUTH=LOAD

The authentication cache may be purged, resulting in re-authentication for all subsequent authorization-controlled accesses. This may be useful when disabling authorization or if a user has been locked-out due to too many invalid password attempts ((hd_auth_cache)). $ HTTPD /DO=AUTH=PURGE

A (skeleton-key) username and password may be entered, amongst things allowing access to the Server Administration facility ((cr_server_admin)). $ HTTPD (/DO=AUTH=SKELKEY=_:[:]) (Cache\hd_admin_do_cache)

Server cache control may also be exercised from the Server Administration page ((cr_server_admin)). The file cache (see ([-.CONFIG]DOC_config.sdml) document, (Cache Configuration) section) may be enabled, disabled and have the contents purged (declared invalid and reloaded) using $ HTTPD /DO=CACHE=ON $ HTTPD /DO=CACHE=OFF $ HTTPD /DO=CACHE=PURGE (Configuration Check\hd_admin_do_check)

Changes to configuration files can be validated at the command-line before reload or restart. This detects and reports any syntactical and fatal configuration errors but of course cannot check the (intent) of the rules. $ HTTPD /DO=AUTH=CHECK $ HTTPD /DO=CONFIG=CHECK $ HTTPD /DO=GLOBAL=CHECK $ HTTPD /DO=MAP=CHECK $ HTTPD /DO=MSG=CHECK $ HTTPD /DO=SERVICE=CHECK

The (config) check sequentially processes each of the (authorization), (global), (mapping), (message) and (service) configuration files.

If additional server startup qualifiers are required to enable specific configuration features then these must also be provided when checking. For example: $ HTTPD /DO=AUTH=CHECK /SYSUAF /PROFILE (DCL/Scripting Processes\hd_admin_do_dcl)

These commands can be useful for flushing any currently executing CGIplus applications from the server, enabling a new version to be loaded with the next access. See (Scripting Environment) document.

All scripting processes, busy with a request or not, can be deleted (this may cause the client to lose data). $ HTTPD /DO=DCL=DELETE

A gentler alternative is to delete idle processes and mark busy ones for deletion when completed processing. $ HTTPD /DO=DCL=PURGE

For VMS V8.2 and later, a more selective DELETE and PURGE is possible. A user name, script name, or script file name can be supplied and only matching tasks have the specified action peformed. $ HTTPD /DO=DCL=PURGE=USER=(username) $ HTTPD /DO=DCL=PURGE=SCRIPT=(script-path) $ HTTPD /DO=DCL=PURGE=FILE=(script-file-name) (DECnet Scripting Connections\hd_admin_do_decnet)

All DECnet connections, busy with a request or not, can be disconnected (this may cause the client to lose data). $ HTTPD /DO=DECNET=DISCONNECT

Purging is a better alternative, disconnecting idle tasks and marking busy ones for disconnection when complete. $ HTTPD /DO=DECNET=PURGE (Hhelppp!\hd_server_do_help2) $ HTTPD /DO=HELP o ALIGN= START, STOP, ZERO with ([,,]) o AUTH reload authorization file o AUTH=CHECK elementary check of authorization file o ZERO zero all accounting o ZERO=NOTICED zero the ('errors noticed') accounting o ZERO=PROXY zero proxy accounting $ (HTTP/2 Connection\hd_admin_do_http2)

Disconnect idle HTTP/2 connections. $ HTTPD /DO=HTTP2=PURGE

All HTTP/2 connections can be disconnected (this may cause clients to lose data), or a specific connection number. $ HTTPD /DO=HTTP2=PURGE=ALL $ HTTPD /DO=HTTP2=PURGE=(number) (Instances\hd_admin_do_instance)

The number of server instances (see (hd_server_instances)) may be set from the command line. This overrides any configuration file directive and applies at the next startup. Any configuration directive value may be used from the command line. $ HTTPD /DO=INSTANCE=MAX $ HTTPD /DO=INSTANCE=CPU $ HTTPD /DO=INSTANCE=(integer)

(Note that the server must be restarted for this to take effect\BOLD), that this can be applied to the current node only or to all servers within a cluster, and that it remains in effect until explicitly changed to (MAX) allowing the WASD_CONFIG_GLOBAL configuration directive [InstanceMax] to once again determine the number of instances required. The same functionality is available from the Server Administration page ((hd_server_action)).

There are also directives to assist with WATCH activities ((hd_watch_instances)). $ HTTPD /DO=INSTANCE=PASSIVE $ HTTPD /DO=INSTANCE=ACTIVE (Instance Status\hd_admin_do_status)

Multi-instance (see (hd_server_instances)) status (see (hd_instance_status)) can be reported from the command line using $ HTTPD /DO=STATUS

In addition, stale entries in the status table may be purged using $ HTTPD /DO=STATUS=PURGE and the table completely emptied then repopulated over the next minute using $ HTTPD /DO=STATUS=RESET (Logging\hd_admin_do_logging)

Server logging control may also be exercised from the server administration menu ((cr_server_admin)).

Open the access log file(s). $ HTTPD /DO=LOG=OPEN

Close the access log file(s). $ HTTPD /DO=LOG=CLOSE

Close then reopen the access log file(s). $ HTTPD /DO=LOG=REOPEN

Unwritten log records may be flushed to the file(s). $ HTTPD /DO=LOG=FLUSH (Mapping\hd_admin_do_map)

See (HREF=[-.config]config.sdml!../config/#cr_mapping_rule)([-.CONFIG]DOC_config.sdml).

The mapping rule file (WASD_CONFIG_MAP) may be reloaded using either of these variants. $ HTTPD /DO=MAP $ HTTPD /DO=MAP=LOAD (Network Connection\hd_admin_do_network)

Disconnect idle (persistent) connections. $ HTTPD /DO=NET=PURGE

All network connections can be disconnected (this may cause clients to lose data), a specific connection number and those matching the specified URI. $ HTTPD /DO=NET=PURGE=ALL $ HTTPD /DO=NET=PURGE=(number) $ HTTPD /DO=NET=PURGE=URI=(pattern)

Additionally, network connection acceptance can be suspended (leaving in-progress requests to complete), suspended and in-progress disconnected, and resumed. $ HTTPD /DO=NET=SUSPEND $ HTTPD /DO=NET=SUSPEND=NOW $ HTTPD /DO=NET=RESUME (Shutdown and Restart\hd_admin_do_shutdown)

Server shutdown may also be exercised from the Server Administration page ((cr_server_admin)).

The server may be shut down, without loss of existing client requests. Connection acceptance is stopped and any existing requests continue to be processed until conclusion. $ HTTPD /DO=EXIT

The server may be immediately and unconditionally shut down. $ HTTPD /DO=EXIT=NOW

The server may be restarted, without loss of existing client requests. Connection acceptance is stopped and any existing requests continue to be processed until conclusion. This effectively causes the server to exit normally and the DCL (wrapper) procedure to restart it. $ HTTPD /DO=RESTART

The (now) variant restarts the server immediately regardless of existing connections. $ HTTPD /DO=RESTART=NOW

The when-(quiet) variant restarts the server whenever request processing drops to zero for more than one second. It allows (perhaps non-urgent) changes to be put into effect through restart when everything has gone (quiet) and no demands are being placed on the server. $ HTTPD /DO=RESTART=QUIET

Significant server events such as these are prime candidates for server log annotation! $ HTTPD /DO=RESTART=NOW /NOTE="Restarting the server just so I can note it :-)" (Secure Sockets Layer\hd_admin_do_ssl)

If the optional SSL component is installed and configured these directives become effective.

If X.509 authentication is enabled the Certificate Authority (CA) verification list can be reloaded. $ HTTPD /DO=SSL=CA=LOAD

Server certificates, after being updated, may be reloaded into the running services (i.e. without restart). This is a synonym for /DO=SERVICE=LOAD. $ HTTPD /DO=SSL=CERT=LOAD

If a private key password is not included with the encode key it is requested by the server during startup. The following example shows the directive and the resulting prompt. When entered the password is not echoed. $ HTTPD /DO=SSL=KEY=PASSWORD Enter private key password []:

Service SSL parameters may be (re)loaded from the configuration file and modified on the running server (i.e. without restart), for all existing services or just a single, specified service. $ HTTPD /DO=SSL=SERVICE=LOAD $ HTTPD /DO=SSL=SERVICE=LOAD=(host:port) (Throttle\hd_admin_do_throttle)

Unconditionally release all queued requests for immediate processing. $ HTTPD /DO=THROTTLE=RELEASE

Unconditionally terminate all requests queued waiting for processing. Clients receive a 503 (server too busy) response. $ HTTPD /DO=THROTTLE=TERMINATE

For VMS V8.2 and later, a more selective RELEASE and TERMINATE is possible. A user name or script name can be supplied and only matching requests have the specified action peformed. $ HTTPD /DO=THROTTLE=TERMINATE=REMOTE=(pattern) $ HTTPD /DO=THROTTLE=TERMINATE=SCRIPT=(pattern) (WebSocket\hd_admin_do_websocket)

Unconditionally disconnects all WebSocket applications. $ HTTPD /DO=WEBSOCKET=DISCONNECT

For VMS V8.2 and later, more selective disconnects are possible. Disconnects WebSocket applications with connection number, with matching script names, and with matching scripting account usernames, respectively. $ HTTPD /DO=WEBSOCKET=DISCONNECT=(number) $ HTTPD /DO=WEBSOCKET=DISCONNECT=SCRIPT=(pattern) $ HTTPD /DO=WEBSOCKET=DISCONNECT=USER=(pattern) (--------------------------------------------------------------------) (WATCH Facility\cr_watch)

The WATCH facility is a powerful adjunct in server administration. From the Server Administration facility ((cr_server_admin)) it provides an (online, real-time, in-browser-window view of request processing in the running server\BOLD). The ability to observe live request processing on an ad hoc basis, without changing server configuration or shutting-down/restarting the server process, makes this facility a great configuration and problem resolution tool. It allows (amongst other uses) (SIMPLE) assessment of mapping rules assessment of authorization rules investigation of request processing problems observation of script interaction general observation of server behaviour

A single client per server process can access the WATCH facility at any one time. It can be used in one of two modes. (UNNUMBERED) As a (one-shot), one-off WATCH of a particular request. This is available from the (Request Report) page of the Server Administration facility. In this case the single indicated request is tagged to be WATCHed in all categories (see below) for the duration of the request (or until the client stops WATCHing). As described in the following chapter the server and all new requests being processed are candidates for being WATCHed. Categories are selected before initiating the WATCH and the report can be generated for a user-specified number of seconds or aborted at any time using the browser's (stop) button.

Options immediately below the duration selector allows the WATCH output to concurrently be included in the server process log. This allows a permanent record (at least as permanent as server logs) to be simply produced. (Server Instances\hd_watch_instances)

With a single instance (see (hd_server_instances)) access to WATCH is always through the one server process. If multiple instances are configured WATCH requests, in common with all others, will be serviced by any one of the associated processes depending on the momentary state of the round-robin distribution.

This is often an issue for request WATCHing. The simplest scenario involves two instances. When the WATCH report is activated it will be serviced by the first process, when the request wishing to be WATCHed is accessed it (in the absence of any other server activity) will be serviced by the other process and will not be reported by WATCH on the first.

The solution is to suspend the round-robin request processing for the period of the WATCH activity. This does not shut any instance down but instead makes all but the supervisor instance quiescent. (Technically, it dequeues all the listening I/Os from non-supervisor instance server sockets, making the TCP/IP network driver send all connection requests to the one instance left with listening I/Os.) It is just a matter of making the non-supervisor instances active again when the WATCH activity is concluded.

This may be done from the command-line using $ HTTPD /DO=INSTANCE=PASSIVE $ HTTPD /DO=INSTANCE=ACTIVE or using the Server Administration facility ((cr_server_admin)) where there are [Active] and [Passive] buttons available when multiple instances are in use. Neither transition disrupts any requests being established or in-progress. (Event Categories\hd_watch_categories)

An (event) is considered any significant point for which the server code has a reporting call provided. These have been selected to provide maximum information with minimum clutter and impact on server performance. Obvious examples are connection acceptance and closure, request path resolution, error report generation, network reads and writes, etc. Events are collected together into groupings to allow clearly defined areas of interest to be selected for reporting. (....................................................................) (HTML=

[graphic]  WATCH Selection Graphic
) (HTML/OFF)

(online graphic) (HTML/ON) (....................................................................)

The report menu provides for the inclusion of any combination of the following categories. (Request\hd_watch_request) (UNNUMBERED) (Processing - \BOLD) Each major step in a request's progress. For example, path resolution and final response status. (Header - \BOLD) Provides the HTTP request header as a section of blank-line terminated text. (Body - \BOLD) The content (if a POST or PUT method) of the request. This is provided as a hexadecimal dump on the left and with printable characters rendered on the right, 32 bytes per line. (Response\hd_watch_response) (UNNUMBERED) (Processing - \BOLD) Each major step in generating a response to the request. These generally reflect calls to a major server module such as file CACHE, FILE access, INDEX-OF, SSI processing, etc. One or more of these events may occur for each request. For instance a directory listing will show an INDEX-OF call and then usually a FILE call as any read-me file is accessed. (Header - \BOLD) The blank-line terminated HTTP header to the response. Only server-generated headers are included. Scripts that provide a full HTTP stream do not have the header explicitly reported. The response body category must be enabled to observe these (indicated by a STREAM notation). (Body - \BOLD) The content of the response. This is provided as a hexadecimal dump on the left and with printable characters rendered on the right, 32 bytes per line. Some requests also generate very large responses which will clutter output. Generally this category would be used when investigating specific request response body problems. (General\hd_watch_general) (UNNUMBERED) (Connection - \BOLD) Each TCP/IP connection acceptance and closure. The connect shows which service the request is using (scheme, host name and port). (Path Mapping - \BOLD) This, along with the authorization report, provides one of the most useful aspects of the WATCH facility. It comprises an event line indicating the path to be mapped (it can also show a VMS file specification if a (reverse-mapping) has been requested). Then as each rule is processed a summary showing current path, match (Y)/(N) for each path template and any conditional, then the result and conditional. Finally an event entry shows the resulting path, VMS file specification, any script name and specification resolved. The path mapping category allows the administrator to directly assess mapping rule processing with live or generated traffic. (Authorization - \BOLD) When authorization is deployed this category shows the rules examined to determine if a path is controlled, any authentication events in assessing username and password, and the consequent group, user and request capabilities (read and/or write) for that path. No password information is displayed. (Error - \BOLD) The essential elements of a request error report are displayed. This may include a VMS status value and associated system message. (CGI - \BOLD) This category displays the generated CGI variable names and values as used by various forms of scripting and by SSI documents, as well as the processing of the response header returned by scripts. (DCL - \BOLD) Debugging scripts can sometimes present particular difficulties. This category may help. It reports on all input/output streams with the process (SYS$INPUT, SYS$OUTPUT, SYS$COMMAND, CGIPLUSIN). (DECnet - \BOLD) For the same reason as above this category reports all DECnet scripting input/output of the DECnet link. In particular, it allows the observation of the OSU scripting protocol. (WebDAV - \BOLD) Provides WebDAV specific processing points including request and meta-data XML associated with resources. (Network\hd_watch_network) (UNNUMBERED) (Activity - \BOLD) For each raw network read and write the VMS status code and size of the I/O is recorded. (Data - \BOLD) For each raw network read or write the contents are provided as a hexadecimal dump on the left and with printable characters rendered on the right, 32 bytes per line. (HTTP/2 - \BOLD) Provides a detailed overview of the underlying HTTP/2 framing and connection management exchanges between client and server. See (hd_http2_watch) for further detail. (Other\hd_watch_other) (UNNUMBERED) (Logging - \BOLD) Access logging events include log open, close and flush, as well as request entries. (Match - \BOLD) Shows a significant level of detail during string matching activities. May be useful during mapping, authorization and conditional processing. (Script - \BOLD) Sets CGI variable WATCH_SCRIPT allowing a script to explicitly detect this so as to output specific debugging or other information when being WATCHed. (SSL - \BOLD) If the Secure Sockets Layer image is in use this category provides a indication of high-level activity. (Internal - \BOLD) Includes information on other significant internal server processing. Examples are dictionary entries at various stages of request processing, and the high-level timing and timeout events occuring within that processing and the server in general. (Proxy\hd_watch_proxy) (UNNUMBERED) (Processing - \BOLD) Each major step during the serving of a proxied request. (Request Header - \BOLD) The proxy server rebuilds the request originally received from the client. This category shows that rebuilt request, the one that is sent to the remote server. (Request Body - \BOLD) In the case of HTTP POST or PUT methods any request body is displayed. This is provided as a hexadecimal dump on the left and with printable characters rendered on the right, 32 bytes per line. (Response Header - \BOLD) The blank-line terminated HTTP header to the response from the remote, proxied server. (Response Body - \BOLD) The content of the response sent from the remote server. This is provided as a hexadecimal dump on the left and with printable characters rendered on the right, 32 bytes per line. (Cache - \BOLD) When proxy caching is enabled this category provides information on cache reading (serving a request from cache) and cache loading (writing a cache file using the response from a remote server). It will provide a reason for any request or response it does not cache, as well as report errors during file processing. (Cache Maintenance - \BOLD) This category is not related to request processing. It allows routine and reactive cache purging activities to be watched. (Code Modules\hd_watch_codemodules)

If the server has been compiled using the WATCH_MOD=1 macro a set of module WATCHing statements is included. These provide far more detailed processing information than available with the generic WATCH, are intended primarily for debugging the server during development and testing. This is considered a specialized tool, with the quantity and level of detail produced most likely proving counter-productive in addressing general site configuration issues. The module items are shown below the usual WATCH items. (Request Filtering\hd_watch_filter)

By default all requests to all services are WATCHed. Fine control may be exercised over exactly which requests are reported, allowing only a selected portion of all requests being processed to be concentrated on, even on a live and busy server. This is done by (filtering) requests according the following criteria. (UNNUMBERED) (Protocol - \BOLD) The HTTP protocol being used to transport the request. Multiple protocols may be selected and concurrently filtered against. (Client - \BOLD) The originating host name or address. Unless server DNS host name resolution is enabled this must be expressed in dotted-decimal notation. (Service - \BOLD) The service connected to. This includes the (scheme) of the service (i.e. (http:), (https:)), the host name (real or virtual), and the port. The host name is the (official) name of the service as reported during server startup. As the port number is a essential part of the service specification it must always be explicitly supplied or wildcarded. (Request - \BOLD) This filter operates on the entire HTTP request header. All fields supplied with the request are available to be filtered against. As this is a large, multi-line dataset filters can become quite complex and regular expression (see ([-.CONFIG]DOC_CONFIG.SDML) document, (String Matching) section) matching may be useful (see examples below). (Path/Track - \BOLD) Either, the request path, or a specific track identifier string. A path may be specified with a leading (/) for local paths or if WATCHing proxy requests with a full, or part of a full, URL. To WATCH requests associated with a particular access track (see ([-.CONFIG]DOC_CONFIG.SDML) document, (Access Tracking) section) enter the track's unique identifier string preceded by a dollar symbol (e.g. ($ORoKJAOef8sAAAkuACc)). (Realm User - \BOLD) This filters against request authentication information. As authorization occurs relatively late in request processing some data reported earlier by WATCH will not be available. (HTTP Status - \BOLD) This allows a class of response status (1 (informational), 2 (success), 3 (redirection), 4 (client error) and 5 (server error)) or a specific response status (e.g. 200 (success), 404 (not found), 503 (service unavailable), etc.) to be filtered into the WATCH report. As this happens very late in request processing the number of reported events are limited but may provide some insight into particular processing problems.

In addition there are ((in) and (out) selectors\BOLD) against each of the filters which include or exclude the particular request based on it matching the filter.

These filters are controlled using fully-specified, wildcarded strings or using regular expression patterns (see ([-.CONFIG]DOC_CONFIG.SDML) document, (Request Processing Configuration) section). In common with all WASD processing, filter matching is case-insensitive. Of course, due to the point of application of a particular filter during request processing, some information may or may not be displayed. When a request is into or out of the report because of a matching filter a FILTER informational item is reported. (Examples\hd_watch_filter_examples) (NUMBERED) This first example shows various strings and patterns that could be applied to the client filter. alpha.example.com *.example.com 131.185.250.202 131.185.250.* (^)10.68.250.*|10.68.251.* This example various filters applied to the service (virtual server). beta.example.com:8000 beta.example.com:* http://* https:* *:80 The request filter contains the entire HTTP request header. This includes multiple, newline-delimited fields. Filtering can be simple or quite complex. These examples filter all POST requests (either in or out of the report depending on the respective selector), and all POSTs to the specified script respectively. POST * POST /cgi-bin/example*

These are the equivalent regular expressions but also will stop comparing at the end of the initial request line. The second, in this case, will also only filter against HTTP/1.1 version requests (note the final period matching the () of the () carriage control). (^^)POST .*$ (^^)POST */cgi-bin/example *HTTP/1\.1.$

This example uses a regular expression to constrain the match to a single header field (line, or newline-delimited string), matching all requests where the user agent reports using the (Gecko) browser component (Mozilla, Firefox, etc.) (^^)User-agent:.*Gecko.*$ The path and track filter. The path contains a proxied origin server request and so can be used to filter proxy requests to specific sites. /wasd_root/src/* /cgi-bin/* /web/*/cyrillic/* $ORoKJAOef8sAAAkuACc http://proxied.host.name/* The authentication filters, realm and user, can be used to select requests for a particular authenticated user, all authenticated requests or all non-authenticated requests, amongst other application. The realm field allows the authenticated user to be further narrowed as necessary. All of the following examples show only the user field with the default (in) selector set.

Authenticated requests for user DANIEL. DANIEL

All authenticated requests. %* (Report Format\hd_watch_format)

The following example illustrates the format of the WATCH report. It begins with multi-line heading. The first two record the date, time and official server name, with underline. The third provides the WASD server version. The fourth provides some TCP/IP agent information. Lines following can show OpenSSL version (if deployed), system information, server startup command-line, and then current server process quotas. The last three lines of the header provide a list of the categories being recorded, the filters in use, and the last, column headings described as follows: (SIMPLE) (time\BOLD) the event was recorded the (module\BOLD) name of the originating source code the (line\BOLD) in the code module a unique (item\BOLD) number for each thread being WATCHed event (category\BOLD) name free-form, but generally interpretable (event\BOLD) data (....................................................................) (HTML=

[graphic]  WATCH Report Graphic
) (HTML/OFF)

(online graphic) (HTML/ON) (....................................................................)

Note that some items also include a block of data. The request header category does this, providing the blank-line terminated text comprising the HTTP header. Rule mapping also provides a block of information representing each rule as it is interpreted. Generally WATCH-generated information can be distinguished from other data by the uniform format and delimiting vertical bars. Initiative and imagination is sometimes required to interpret the free-form data but a basic understanding of HTTP serving and a little consideration is generally all that is required to deduce the essentials of any report. (HTML=

HTTPd-WASD/11.0.0 OpenVMS/AXP SSL (24-FEB-2016 12:02:29.57)
HP TCPIP$IPC_SHR V5.7-ECO1 (21-MAY-2010 14:44:46.64)
OpenSSL 1.0.2f  28 Jan 2016 (30-JAN-2016 09:50:05.33) [WASD_ROOT.SRC.OPENSSL-1_0_2F.INCLUDE.OPENSSL]*.H WASD [ALPHA.EXE.SSL]SSL_LIBSSL32.OLB
$ CC (V8.3/70390009) /DECC /STAND=RELAXED_ANSI /PREFIX=ALL /OPTIMIZE /NODEBUG /WARNING=(NOINFORM,DISABLE=(PREOPTW)) /FLOAT=IEEE /IEEE=DENORM /DEFINE=(WASD_VMS_V7,SESOLA,WATCH_CAT=1,WATCH_MOD=0,WASD_ACME=1)
Digital Personal WorkStation  with 1 CPU and 1536MB running VMS V8.3 (ODS-5 enabled, VMS NAML, VMS FIB, ZLIB disabled, REGEX enabled, lksb$b_valblk[64])
$ HTTPD /PRIORITY=4 /SYSUAF=(ID,SSL)/PERSONA=RELAXED/PROFILE
AST:1983/2000 BIO:1986/2000 BYT:49966656/49999424 DIO:5000/5000 ENQ:453/500 FIL:294/300 PGFL:451216/500000 PRC:0/100 TQ:97/100
DCL Scripting: detached, as HTTP$NOBODY, PERSONA enabled
Process: WASD:80 OTHER $1$DKA0:[wasd_root.][STARTUP]STARTUP_SERVER.COM;44
$1$DKA0:[wasd_root.][LOG_SERVER]KLAATU_20160224171154.LOG;1
Instances: KLAATU::WASD:80
Watching: connect, request, req-header, response, res-header, error (603) via HTTP/2
Filter: NONE
|Time_______|Module__|Line|Item|Category__|Event...|
|01:57:59.30 WATCH    1713 0001 CONNECT    HTTP/2 with 192.168.1.2,58855 on https://wasd.*****.***,443 (0.0.0.0)|
|++++++++++++++++++++++++++++++++++++++++++
|01:57:59.30 HTTP2REQ 0235 0001 REQ-HEADER HEADER 463 bytes|
GET /httpd/-/admin/ HTTP/1.1
cache-control: max-age=0
authorization: Basic ************************
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36
dnt: 1
accept-encoding: gzip, deflate, sdch
accept-language: en-US,en;q=0.8
host: wasd.*****.***:443

|01:57:59.32 REQUEST  2980 0001 REQ-HEADER DATA|
ENTRY 001 [012] $ {12}request_line={28}GET /httpd/-/admin/ HTTP/1.1
ENTRY 002 [024] > {13}cache-control={9}max-age=0
ENTRY 003 [031] > {13}authorization={30}Basic ************************
ENTRY 004 [014] > {6}accept={74}text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
ENTRY 005 [010] > {25}upgrade-insecure-requests={1}1
ENTRY 006 [001] > {10}user-agent={121}Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36
ENTRY 007 [004] > {3}dnt={1}1
ENTRY 008 [018] > {15}accept-encoding={19}gzip, deflate, sdch
ENTRY 009 [007] > {15}accept-language={14}en-US,en;q=0.8
ENTRY 010 .024. > {4}host={22}wasd.*****.***:443
|01:57:59.35 SERVICE  1721 0001 CONNECT    VIRTUAL wasd.*****.***:443|
|01:57:59.35 REQUEST  3640 0001 REQUEST    GET /httpd/-/admin/|
|01:57:59.38 ADMIN    0250 0001 RESPONSE   ADMIN /httpd/-/admin/|
|01:57:59.39 NET      2308 0001 RES-HEADER DATA|
ENTRY 001 .018. $ {15}response_status={3}200
ENTRY 002 [028] < {12}x-user-agent={121}Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36
ENTRY 003 .011. < {6}server={34}HTTPd-WASD/11.0.0 OpenVMS/AXP SSL
ENTRY 004 [002] < {4}date={29}Wed, 24 Feb 2016 15:27:59 GMT
ENTRY 005 .005. < {13}accept-ranges={5}bytes
ENTRY 006 [008] < {15}accept-encoding={13}gzip, deflate
ENTRY 007 [020] < {25}strict-transport-security={16}max-age=16416000
ENTRY 008 .004. < {7}expires={29}Fri, 13 Jan 1978 14:00:00 GMT
ENTRY 009 [030] < {13}cache-control={18}no-cache, no-store
ENTRY 010 .028. < {6}pragma={8}no-cache
ENTRY 011 .030. < {12}content-type={29}text/html; charset=ISO-8859-1
ENTRY 012 [006] < {14}content-length={5}15719
|01:57:59.40 HTTP2REQ 0713 0001 RES-HEADER HEADER 497 bytes|
HTTP/1.1 200 OK
x-user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36
server: HTTPd-WASD/11.0.0 OpenVMS/AXP SSL
date: Wed, 24 Feb 2016 15:27:59 GMT
accept-ranges: bytes
accept-encoding: gzip, deflate
strict-transport-security: max-age=16416000
expires: Fri, 13 Jan 1978 14:00:00 GMT
cache-control: no-cache, no-store
pragma: no-cache
content-type: text/html; charset=ISO-8859-1
content-length: 15719

|01:57:59.41 REQUEST  1143 0001 REQUEST    STATUS 200 (OK) rx:29 tx:15809 bytes 0.109368 seconds 144,813 B/s|
|------------------------------------------
|01:58:50.58 end|
) (HTML/OFF) (Report manually wrapped for completeness.) HTTPd-WASD/11.0.0 OpenVMS/AXP SSL (24-FEB-2016 12:02:29.57) HP TCPIP$IPC_SHR V5.7-ECO1 (21-MAY-2010 14:44:46.64) OpenSSL 1.0.2f 28 Jan 2016 (30-JAN-2016 09:50:05.33) [WASD_ROOT.SRC.OPENSSL-\ 1_0_2F.INCLUDE.OPENSSL]*.H WASD [ALPHA.EXE.SSL]SSL_LIBSSL32.OLB $ CC (V8.3/70390009) /DECC /STAND=RELAXED_ANSI /PREFIX=ALL /OPTIMIZE /NODEBUG \ /WARNING=(NOINFORM,DISABLE=(PREOPTW)) /FLOAT=IEEE /IEEE=DENORM /DEFINE=(WASD_VMS_V7,SESOLA,WATCH_CAT=1,WATCH_MOD=0,WASD_ACME=1) Digital Personal WorkStation with 1 CPU and 1536MB running VMS V8.3 (ODS-5 \ enabled, VMS NAML, VMS FIB, ZLIB disabled, REGEX enabled, lksb$b_valblk[64]) $ HTTPD /PRIORITY=4 /SYSUAF=(ID,SSL)/PERSONA=RELAXED/PROFILE AST:1983/2000 BIO:1986/2000 BYT:49966656/49999424 DIO:5000/5000 ENQ:453/500 \ FIL:294/300 PGFL:451216/500000 PRC:0/100 TQ:97/100 DCL Scripting: detached, as HTTP$NOBODY, PERSONA enabled Process: WASD:80 OTHER $1$DKA0:[wasd_root.][STARTUP]STARTUP_SERVER.COM;44 $1$DKA0:[wasd_root.][LOG_SERVER]KLAATU_20160224171154.LOG;1 Instances: KLAATU::WASD:80 Watching: connect, request, req-header, response, res-header, error (603) via HTTP/2 Filter: NONE |Time_______|Module__|Line|Item|Category__|Event...| |01:57:59.30 WATCH 1713 0001 CONNECT HTTP/2 with 192.168.1.2,58855 on \ https://wasd.*****.***,443 (0.0.0.0)| |++++++++++++++++++++++++++++++++++++++++++ |01:57:59.30 HTTP2REQ 0235 0001 REQ-HEADER HEADER 463 bytes| GET /httpd/-/admin/ HTTP/1.1 cache-control: max-age=0 authorization: Basic ************************ accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 upgrade-insecure-requests: 1 user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 \ (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36 dnt: 1 accept-encoding: gzip, deflate, sdch accept-language: en-US,en;q=0.8 host: wasd.*****.***:443 |01:57:59.32 REQUEST 2980 0001 REQ-HEADER DATA| ENTRY 001 [012] $ {12}request_line={28}GET /httpd/-/admin/ HTTP/1.1 ENTRY 002 [024] > {13}cache-control={9}max-age=0 ENTRY 003 [031] > {13}authorization={30}Basic ************************ ENTRY 004 [014] > {6}accept={74}text/html,application/xhtml+xml,\ application/xml;q=0.9,image/webp,*/*;q=0.8 ENTRY 005 [010] > {25}upgrade-insecure-requests={1}1 ENTRY 006 [001] > {10}user-agent={121}Mozilla/5.0 (Macintosh; Intel Mac OS X \ 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36 ENTRY 007 [004] > {3}dnt={1}1 ENTRY 008 [018] > {15}accept-encoding={19}gzip, deflate, sdch ENTRY 009 [007] > {15}accept-language={14}en-US,en;q=0.8 ENTRY 010 .024. > {4}host={22}wasd.*****.***:443 |01:57:59.35 SERVICE 1721 0001 CONNECT VIRTUAL wasd.*****.***:443| |01:57:59.35 REQUEST 3640 0001 REQUEST GET /httpd/-/admin/| |01:57:59.38 ADMIN 0250 0001 RESPONSE ADMIN /httpd/-/admin/| |01:57:59.39 NET 2308 0001 RES-HEADER DATA| ENTRY 001 .018. $ {15}response_status={3}200 ENTRY 002 [028] < {12}x-user-agent={121}Mozilla/5.0 (Macintosh; Intel Mac OS X \ 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36 ENTRY 003 .011. < {6}server={34}HTTPd-WASD/11.0.0 OpenVMS/AXP SSL ENTRY 004 [002] < {4}date={29}Wed, 24 Feb 2016 15:27:59 GMT ENTRY 005 .005. < {13}accept-ranges={5}bytes ENTRY 006 [008] < {15}accept-encoding={13}gzip, deflate ENTRY 007 [020] < {25}strict-transport-security={16}max-age=16416000 ENTRY 008 .004. < {7}expires={29}Fri, 13 Jan 1978 14:00:00 GMT ENTRY 009 [030] < {13}cache-control={18}no-cache, no-store ENTRY 010 .028. < {6}pragma={8}no-cache ENTRY 011 .030. < {12}content-type={29}text/html; charset=ISO-8859-1 ENTRY 012 [006] < {14}content-length={5}15719 |01:57:59.40 HTTP2REQ 0713 0001 RES-HEADER HEADER 497 bytes| HTTP/1.1 200 OK x-user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.\ 36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36 server: HTTPd-WASD/11.0.0 OpenVMS/AXP SSL date: Wed, 24 Feb 2016 15:27:59 GMT accept-ranges: bytes accept-encoding: gzip, deflate strict-transport-security: max-age=16416000 expires: Fri, 13 Jan 1978 14:00:00 GMT cache-control: no-cache, no-store pragma: no-cache content-type: text/html; charset=ISO-8859-1 content-length: 15719 |01:57:59.41 REQUEST 1143 0001 REQUEST STATUS 200 (OK) rx:29 tx:15809 \ bytes 0.109368 seconds 144,813 B/s| |------------------------------------------ |01:58:50.58 end| (HTML/ON) (Usage Suggestions\hd_watch_suggestions)

The following provides a brief explanation on the way WATCH operates and any usage implications.

A single client may be connected to the WATCH facility at any given time. When connecting the client is sent an HTTP response header and the WATCH report heading lines. The request then remains connected until the WATCH duration expires or the client overtly aborts the connection. During this period the browser behaves as if receiving a sometimes very slow, sometimes stalled, plain-text document. As the server processes WATCHable events the text generated is sent to the WATCH-connected client.

If the connection is aborted by the user some browsers will consider document retrieval to be incomplete and attempt to reconnect to the service if an attempt is made to print or save the resulting document. As the printing of WATCH information is often quite valuable during problem resolution this behaviour can result in loss of information and generally be quite annoying. Appropriate use of the duration selector when requesting a report can work around this, as at expiry the (server) disconnects, browsers generally interpreting this as legitimate end-of-document (when no content-length has been specified).

During report processing some browsers may not immediately update the on-screen information to reflect received data without some application activity. If scroll-bars are present on the document window manipulating either the horizonal or vertical slider will often accomplish this. Failing that minimizing then restoring the application will usually result in the most recent information being visible.

Browser (reload/refresh) may be used to restart the report. A browser will quite commonly attempt to remain at the current position in the document, which with a WATCH report's sustained but largely indeterminate data stream may take some time to reach. It is suggested the user ensure that any vertical scroll-bar is at the beginning of the current report, then refresh the report.

Selecting a large number of categories, those that generate copious output for a single event (e.g. response body) or collecting for extended periods can all result in the receipt of massive reports. Some browsers do not cope well with documents megabytes in size. WATCH reports are written using non-blocking I/O into an internal buffer. This buffer is written when filled, or flushed on a one second timer. Slight latency may be experienced with sporadic WATCH report items.

(When supplying WATCH output as part of a problem report\BOLD) please ZIP the file and include it an an e-mail attachment. Mailers often mangle the report format making it difficult to interpret. (Command-Line Use\hd_watch_cli)

Although intended primarily as a tool for online use WATCH can be deployed at server startup with a command-line qualifier and provide report output to the server process log. This is slightly more cumbersome than the Web interface but may still be useful in some circumstances. Full control over event categories and filters is possible. (UNNUMBERED) (/NOWATCH\BOLD) Disables the use of the online WATCH facility. (/WATCH=\BOLD) Enables the server WATCH facility, dumping to standard output (and the server process log if detached). When in effect the online facility is unavailable. The string supplied to the qualifier may comprise four comma-separated components. Only the first is manadatory. Stated order is essential. It will probably be necessary to enclose the complete string in quotation marks. (UNNUMBERED) (LIST - \BOLD) The LIST keyword provides a list of all the categories (items) available for WATCHing. (NOSTARTUP - \BOLD) This keyword suppresses WATCH output until the server is ready to process requests. It must be the leading keyword. ((items) - \BOLD) A parenthesized, comma-separated list of category keywords. Available keywords can be displayed using the LIST facility. ((filters) - \BOLD) A client, service and path filters can be provided following the specification of required items. They must be provided in the order listed above. Leading filters that are not required must be provided as single, asterisk wildcards. WATCH parameter with filters containing forward-slashes will require quoting.

The following examples illustrate the command-line WATCH specification. /NOWATCH /WATCH=NOSTARTUP,ITEMS=(REQUEST,RESPONSE,MAPPING) /WATCH="ITEMS=(REQUEST,RESPONSE,ERROR),*,*,/cgi-bin/*" /WATCH=LIST (--------------------------------------------------------------------)