| Wiki Markup |
|---|
Note: Next revision cycle, start building everything into $HOME/\[app\]-\[version#\] and creating a symlink to $HOME/\[app\] so that there is no question about what the current, in use, directory is. Note: When downloading software to install in these instructions, always download the source code, and avoid binary installers. Binary installers tend to make inaccurate assumptions about what libraries you have installed on your system, as well as other problems. 1. download openssl 0.9.8a source from [http://www.openssl.org/source/]. follow the instruction in the INSTALL document, compile and install the binaries. the default location is /usr/local/ssl. If you want to change it, run config like this: cd /opt tar \-xzvf /root/openssl-0.9.8a.tar.gz cd openssl-0.9.8a ./config \--prefix=/usr/local/ssl \--openssldir=/usr/local/ssl make make install 2. set up certificates: 2a: get the mitca at [http://ca.mit.edu/mitClient.crt] and save it as /usr/local/ssl/certs/mitClient.crt 2b: convert mitCA.crt to pem format: openssl x509 \-in /usr/local/ssl/certs/mitClient.crt \-inform DER \-outform \ PEM \-out /usr/local/ssl/certs/mitCA.pem 2c: Generate rsa key This simply generates some random stuff: ps > /tmp/foo ps \-elf >> /tmp/foo cd /usr/local/ssl/bin ./openssl genrsa \-rand /tmp/foo 1024 >/usr/local/ssl/private/`hostname`-key.pem 2d: Generate request for a certificate \--------------------------------\- cd /usr/local/ssl/bin ./openssl req \-key /usr/local/ssl/private/`hostname`-key.pem \-new \ >../certs/`hostname`-req.pem send the file /usr/local/ssl/certs/`hostname`-req.pem to mitcert@mit.edu, Please be aware, the organization (O) is: Massachusetts Institute of Technology and the common name (CN) is the name of the server or service, including the domain name (.mit.edu). Also, some servers, such as Thalia servers, can represent an entire subdomain. These servers will need certificates issued with a wildcard in the domain name, such as \*.isda-thalia-1.mit.edu. Remember, if the server is a Thalia server, if will need a wildcard certificate and DNS record for \*.\[hostname\], and if it is doing any type of authentication, it will need a joint client/server certificate to be able to connect to the Shibboleth server (and have end users connect to it as well). 2db. To generate a self signed temporary certificate, add the x509 and nodes options to the openssl command line. cd /usr/local/ssl/bin ./openssl req \-key /usr/local/ssl/private/`hostname`-key.pem \-new \ \-x509 \-nodes >../certs/`hostname`-temp.cert 2e:When you receive a certificate from MIT Certificates, save it as /usr/local/ssl/certs/`hostname`-cert.pem 2f: to look at a request: openssl req \-in ./req.pem \-text to look at the private key: openssl rsa \-in /usr/local/ssl/private/`hostname`-key.pem \-text to look at the server certificate: openssl x509 \-in /usr/localx/ssl/certs/`hostname`-cert.pem \-text 3 set up apache-ssl 3a: download Apache 2.2.4 from apache archive site at [http://archive.apache.org/dist/httpd/] 3b: Unpack apache 2.2.4 (tar \-xzvf) and do "cd httpd-2.2.4" cd /opt tar \-xzvf /root/httpd-2.2.4.tar.gz cd httpd-2.2.4 3c. compile apache following the instruction in the INSTALL file. To enable the SSL, do the following: ./configure \--prefix=/home/apache \--enable-ssl \ \--with-ssl=/usr/local/ssl \ \--enable-modules="most mod_rewrite" make make install 4. set up mod-jk 4a. download mod-jk 1.2.21 source (previous versions have a security hole that could allow a remote attacker to execute arbitary code) from [http://tomcat.apache.org/connectors-doc/]. cd /opt tar \-xzvf /root/tomcat-connectors-1.2.21-src.tar.gz cd tomcat-connectors-1.2.21-src 4b. build and install binaries according to BUILD.txt. apxs is at /home/apache/bin/apxs. mod_jk.so will be put at /home/apache/modules cd native ./configure \--with-apxs=/home/apache/bin/apxs \--enable-ssl make make install 5. install jdk 1.6 which is required by tomcat 5.5.25 5a. download jdk 1.6 binary at [http://java.sun.com/javase/downloads/index.jsp] 5b. You may need to set the binary file to be executable: chmod u+x,u-w jdk-6-linux-i586.bin 5c. execute the binary installer as root. If it produces a rpm file, use rpm \-ivh to install it. If you downloaded the straight binary installer, move to a directory with installed software, such as /usr/local. Also, you will need to page through a licensing agreement and type yes to accept it. cd /usr/local /root/jdk-6-linux-i586.bin or ./jdk-6-linux-i586-rpm.bin rpm \-ivh jdk-6-linux-i586 5d. create a file in /etc/profile.d named java_home.sh. It should contain a line exporting a variable pointing to the Java home directory. Then make this file world executable.: cat > /etc/profile.d/java_home.sh export JAVA_HOME=/usr/local/jdk1.6.0 \^C chmod a+xr,a-w /etc/profile.d/java_home.sh 6. install the SASH Server NOTE: These instructions are written assuming version 2.0.3 of the SASH Server, but this version has been deprecated. We are waiting on version 2.0.4 to become officially supported. 6a. download sash-server-2.0.3-1.noarch.tar.gz from: [https://portal.sourcelabs.com/?module=download]You will need to register and login to the web site to be able to download the SASH Server. Also, copy the modify-instance-file.sh and mit-worker-consolidater.sh out of the ISDA repository and onto the machine. 6b. unzip and untar (gunzip , tar \-xvf) into your working directory, such as /home cd /home tar \-xzvf /root/sash-server-2.0.3-1.noarch.tar.gz cd sash-server-2.0.3-1 6c. Copy the modify instance file and the MIT worker consolidator file into the SASH server bin directoryEdit /etc/profile.d/sash_home.sh to export a home variable, and set it world executable. cpcat > /etc/root/modify-instance-file.sh $SASHSRV_HOME/binprofile.d/sash_home.sh cpexport SASHSRV_HOME=/roothome/mitsash-workerserver-consolidater.sh $SASHSRV_HOME/bin2.0.3-1 \^c chmod ug+rx,a-w $SASHSRV_HOME/bin/modify-instance-file.sh $SASHSRV_HOME/bin/mit-worker-consolidater.sh 7. If this server is going to authenticate users to a Shibboleth server (does WebSSO authentication), then download and install the software needed for ,a+rx /etc/profile.d/sash_home.sh source /etc/profile.d/sash_home.sh 6d. Copy the modify instance file and the MIT worker consolidator file into the SASH server bin directory. Shibboleth from [http://shibboleth.internet2.edu/downloads/:] 7a. [http://shibboleth.internet2.edu/downloads/log4cpp-0.3.5rc1.tar.gz]  cp /root/modify-instance-file.sh $SASHSRV_HOME/bin [http://shibboleth.internet2.edu/downloads/opensaml-1.1.tar.gz] cp /root/mit-worker-consolidater.sh $SASHSRV_HOME/bin [http://shibboleth.internet2.edu/downloads/shibboleth-sp-1.3.tar.gz]   chmod ug+rx,a-w $SASHSRV_HOME/bin/modify-instance-file.sh $SASHSRV_HOME/bin/mit-worker-consolidater.sh 7. Do the configuration: 7a. SASH Server part: cd into the tomcat home directory [http://shibboleth.internet2.edu/downloads/xerces-c-src_2_6_1.tar.gz] cd $SASHSRV_HOME/conf/template [http://xml.apache.org/security/dist/c-library/xml-security-c-1.3.1.tar.gz] 7aa. enter the conf directory and create a jk directory [http://curl.haxx.se/download/curl-7.16.2.tar.gz] 7b. Set up cURL: cd conf cd /opt mkdir jk tar \-xzvf /root/curl-7.16.2.tar.gz cd curl-7.16.2/jk 7ab./configure \--disable-static \--without-ca-bundle \--enable-thread \ copy the workers.properties file from /opt/tomcat-connectors-1.2.21-src/conf and put it in conf/jk \--prefix=/home/shibboleth-sp cp /opt/tomcat-connectors-1.2.21-src/conf/workers.properties \ make make install $SASHSRV_HOME/conf/template/conf/jk 7b7ac. Setmake certain upthe log4Cppfollowing (adirectives loggerin simialrworkers.properties toare log4j)set: cd /opt workers.tomcat_home=%%CATALINA_BASE%% workers.java_home=/usr/local/jdk1.6.0 tar \-xzvf /root/log4cpp-0.3.5rc1.tar.gzps=/ worker.list=ajp13 cd log4cpp-0.3.5rc1 worker.ajp13.port=%%AJP_PORT%% worker.ajp13.host=localhost ./configure \--disable-static \--disable-doxygen \ worker.ajp13.type=ajp13 worker.ajp13.lbfactor=1 \--prefix=/home/shibboleth-sp worker.loadbalancer.type=lb make make install 7c. Set up XercesC: cd /opt worker.loadbalancer.balanced_workers= ajp13 tar \-xzvf /root/xerces-c-src_2_6_1.tar.gz cd xerces-c-src_2_6_1 cat > /etc/profile.d/xerces_home.sh export XERCESCROOT=/opt/xerces-c-src_2_6_1 \^C chmod a+x,a-w /etc/profile.d/xerces_home.sh comment out the ajp12 lines in workers.properties. . /etc/profile.d/xerces_home.sh cd $XERCESCROOT/src/xercesc autoconf ./runConfigure \-p linux \-c gcc \-x g+\+ \-r pthread \-b 32 \-P /home/shibboleth-sp make make install 7d. Set up XmlSecurityC7ad. edit conf/server.xml and add the following: cd /opt after <Server port="%%SHUTDOWN_PORT%%" shutdown="SHUTDOWN"> tar \-xzvf /root/xml-security-c-1.3.1.tar.gz add cd xml-security-c-1.3.1 <Listener className="org.apache.jk.config.ApacheConfig" ./configure \--prefix=/home/shibboleth-sp \--without-xalan modJk="/home/apache/modules/mod_jk.so" jkDebug="info" makeworkersConfig="%%CATALINA_BASE%%/conf/jk/workers.properties" make installjkLog="%%CATALINA_BASE%%/logs/mod_jk.log"/> 7e. Set up OpenSAML: after cd /opt<Engine name="Catalina" defaultHost="localhost"> tar \-xvzf /root/opensaml-1.1.tar.gzadd cd cd opensaml-1.1 <Listener className="org.apache.jk.config.ApacheConfig" append="true" /> ./configure \--with-curl=/home/shibboleth-sp \ 7ae. If this is going to be a Web Services servers, disable direct \--with-log4cpp=/home/shibboleth-sp \--prefix=/home/shibboleth-sp \-C connections to the SASH Server and force communications to go through apache, make make install by commenting out the http port 7f.connector Setblock upin Shibbolethserver.xml: <\!-\- cd /opt<Connector port="%%HTTP_PORT%%" tar \-xzvf /root/shibboleth-sp-1.3.tar.gz cd shibboleth-1.3 ./configure \--with-saml=/home/shibboleth-sp \ maxHttpHeaderSize="8192" \--with-log4cpp=/home/shibboleth-sp \--enable-apache-22 \ \--with-apxs22=/home/apache/bin/apxs \--prefix=/home/shibboleth-sp \-C \maxThreads="150" minSpareThreads="25" maxSpareThreads="75" \--with-apr1=/home/apache/bin/apr-1-config make make install 7g. Additional information about shibboleth at MIT is available at: enableLookups="false" redirectPort="8443" acceptCount="100" [https://wikis.mit.edu/confluence/display/ZEST/Building+Shibboleth+SP+on+Linux] 8. Do the configuration: 8a. SASH Server part: cd into the tomcat home directory cd /home/sash-server-2.0.3-1/conf/template 8aa. enter the conf directory and create a jk directory connectionTimeout="20000" disableUploadTimeout="true" /> \--> cd conf If this is going to be a Thalia server, skip this step. 7af. Uncomment the AJP block in server.xml. <\!-\- An AJP Connector - uncomment if needed --> mkdir jk<Connector port="%%AJP_PORT%%" cd jk 8ab. copy the workers.properties file from protocol="AJP/1.3" /> /opt/tomcat-connectors-1.2.21-src/conf and put it in conf/jk 7ag. edit tomcat_users.xml, and add the following user definition just above cpthe /opt'</tomcat-connectors-1.2.21-src/conf/workers.properties \users>' line: <role rolename="manager"/> /home/sash-server-2.0.3-1/conf/template/conf/jk 8ac. make certain the following directives in workers.properties are set: workers.tomcat_home=%%CATALINA_BASE%% workers.java_home=/usr/local/jdk1.6.0 ps=/ worker.list=ajp13 worker.ajp13.port=%%AJP_PORT%% worker.ajp13.host=localhost worker.ajp13.type=ajp13 worker.ajp13.lbfactor=1 & worker.loadbalancer.type=lb <user username="tomcat" password="zest2006" roles="tomcat,manager"/> worker.loadbalancer.balanced_workers= ajp13 be certain to change the password to be the password for the team the server is providing services to. A server for the Zest group (Web Services machines are usually for the Zest group) would be comment out 'zest2006', and for the ajp12Thalia lines in workers.propertiesgroup, 'thalia2006'. 7ah. Add the sashsrv user. useradd \-d $SASHSRV_HOME \-M \-r sashsrv chown \-R sashsrv:sashsrv $SASHSRV_HOME 8ad7ai. edit conf/server.xml and add the following: Add the JAVA_HOME location to $SASHSRV_HOME/conf/sashsrv.conf. Also after <Server port="%%SHUTDOWN_PORT%%" shutdown="SHUTDOWN"> change the ACTIVE_PROBE_PLAN and LD_LIBRARY_PATH to have add $SASH_HOME in their paths. The conf file is read by the startup <Listener className="org.apache.jk.config.ApacheConfig" modJk="/home/apache/modules/mod_jk.so" jkDebug="info" & workersConfig="%%CATALINA_BASE%%/conf/jk/workers.properties" jkLog="%%CATALINA_BASE%%/logs/mod_jk.log"/> script, so putting the variables in will not work. They must be after <Engine name="Catalina" defaultHost="localhost"> addfully qualified. 7aj. <Listener className="org.apache.jk.config.ApacheConfig" append="true" /> 8ae. If this is going to be a Web Services servers, disable direct To progate the changes made to the config, delete the default connections to the SASH Serverserver container, and forcecreate communicationsa to go through apache,new one. by commenting out the http port connector block in server.xml: <\!-\- cd $SASHSRV_HOME/servers <Connector port="%%HTTP_PORT%%" & rm \-rf default maxHttpHeaderSize="8192" cd $SASHSRV_HOME/bin maxThreads="150" minSpareThreads="25" maxSpareThreads="75"./mkInstance \-N default cd $SASHSRV_HOME/servers/default enableLookups="false" redirectPort="8443" acceptCount="100" $SASHSRV_HOME/bin/modify-instance-file.sh /conf/jk/workers.properties $SASHSRV_HOME 7ak. connectionTimeout="20000" disableUploadTimeout="true" /> \--> Run the java_home.sh script and start the SASH Server If this is going to be a Thalia server, skip this step. source /etc/profile.d/java_home.sh 8af. Uncomment the AJP block in server.xml. <\!-\- An AJP Connector - uncomment if needed \--> <Connector port="%%AJP_PORT%%"$SASHSRV_HOME/bin/sashctl all start 7am. Tomcat creates a mod_jk.conf file in ./core/conf/auto/ directory protocol="AJP/1.3" /> 8ag. edit tomcat_users.xml, and add the following user definition just the first time is runs. Correct it to point to where mod_jk.so above the '</tomcat-users>' line:resides. <role rolename="manager"/>& change LoadModule jk_module "/usr/local/apache/libexec/mod_jk.so" to LoadModule jk_module "/home/apache/modules/mod_jk.so" 7b. apache side: edit /home/apache/conf/httpd.conf edit the following directives: ServerRoot "/home/apache" # change to apache home directory User apache <user username="tomcat" password="zest2006" roles="tomcat,manager"/> # change from daemon Group apache be certain to# change the password to be the password for the teamfrom daemon Include conf/extra/httpd-vhosts.conf # Uncomment the server is providing services to. A server for the Zest group Include conf/extra/httpd-ssl.conf # Uncomment (Web Services machines are usually for the Zest group) would be 7c. add to /home/apache/conf/httpd.conf, and the bottom of the other includes: 'zest2006', and for the Thalia group, 'thalia2006'.# SASH Server/mod_jk includes 8ah. Add the sashsrv user. useradd \-d /home/sash-server-2.0.3-1 \-M \-r sashsrv Include /home/sash-server-2.0.4-BETA/core/conf/auto/mod_jk.conf 7d. edit /home/apache/conf/extra/httpd-vhosts.conf to have ONLY one of the chownfollowing \-RVirtualHost sashsrv:sashsrv /home/sash-server-2.0.3-1/ 8ai. Add a sash home script. cat > /etc/profile.d/sash_home.sh export SASHSRV_HOME=/home/sash-server-2.0.3-1 \^C chmod a+rx,a-w /etc/profile.d/sash_home.sh source /etc/profile.d/sash_home.sh 8aj. Add the JAVA_HOME location to $SASHSRV_HOME/conf/sashsrv.conf. Also change the ACTIVE_PROBE_PLAN and LD_LIBRARY_PATH to have $SASH_HOME in their paths. The conf file is read by the startup script, so putting the variables in will not work. They must be fully qualified. 8ak. To progate the changes made to the config, delete the default server container, and create a new one. cd $SASHSRV_HOME/servers rm \-rf default cd $SASHSRV_HOME/bin ./mkInstance \-N default cd $SASHSERV_HOME/servers/default $SASHSRV_HOME/bin/modify-instance-file.sh /conf/jk/workers.properties 8al. Run the java_home.sh script and start the SASH Server source /etc/profile.d/java_home.sh /home/sash-server-2.0.3-1/bin/sashctl all start 8am. Tomcat creates a mod_jk.conf file in ./core/conf/auto/ directory the first time is runs. Correct it to point to where mod_jk.so resides. change LoadModule jk_module "/usr/local/apache/libexec/mod_jk.so" to LoadModule jk_module "/home/apache/modules/mod_jk.so" 8b. apache side: edit /home/apache/conf/httpd.conf edit the following directives: ServerRoot "/home/apache" # change to apache home directory User apache # change from daemon Group apache # change from daemon Include conf/extra/httpd-vhosts.conf # Uncomment Include conf/extra/httpd-ssl.conf # Uncomment 8c. add to /home/apache/conf/httpd.conf, near the end of the file: <IfModule \!mod_rewrite.c> LoadModule rewrite_module modules/mod_rewrite.so </IfModule> <IfModule \!mod_jk.c> LoadModule jk_module "/home/apache/modules/mod_jk.so" </IfModule> JkWorkersFile "/home/sash-server-2.0.3-1/servers/default/conf/jk/workers.properties" JkLogFile "/home/sash-server-2.0.3-1/servers/default/logs/mod_jk.log" JkLogLevel info 8d. edit /home/apache/conf/extra/httpd-vhosts.conf to have ONLY one of the following VirtualHost blocks: 8d1. Thalia: NameVirtualHost \*:80 <VirtualHost \*:80> ServerName \*.isda-thalia2.mit.edu RewriteEngine On RewriteCond % {HTTP_HOST} \!^isda-thalia2\.mit\.edu \[NC\] RewriteCond %{HTTP_HOST} \!^test\.isda-thalia2\.mit\.edu \[NC\] RewriteCond % {HTTP_HOST} \!^demo\.isda-thalia2\.mit\.edu \[NC\] RewriteCond %{HTTP_HOST} \!^hst\.isda-thalia2\.mit\.edu \[NC\]blocks: 7d1. Thalia: RewriteCond % {HTTP_HOST} NameVirtualHost \*:80 \!^ap\.isda-thalia2\.mit\.edu \[NC\] <VirtualHost \*:80> RewriteRuleServerName \^/(.*)*.isda-thalia2.mit.edu RewriteEngine On [http://isda-thalia2.mit.edu/$1] \[L,R\] \\ </VirtualHost> 8d2. Web Services: <VirtualHost \*:80> RedirectPermanent / [https://isda-ws2.mit.edu/] </VirtualHost> 8e. edit /home/apache/conf/extra/httpd-ssl.conf and alter the following directives: DocumentRoot "/home/sash-server-2.0.3-1/servers/default/webapps" RewriteCond % {HTTP_HOST} \!^isda-thalia2\.mit\.edu \[NC\] RewriteCond %{HTTP_HOST} \!^test\.isda-thalia2\.mit\.edu \[NC\] # points to directory with tomcat webappsRewriteCond % {HTTP_HOST} \!^demo\.isda-thalia2\.mit\.edu \[NC\] RewriteCond %{HTTP_HOST} \!^hst\.isda-thalia2\.mit\.edu \[NC\] ServerName gybe.mit.edu:443 RewriteCond % {HTTP_HOST} \!^ap\.isda-thalia2\.mit\.edu \[NC\] # the servername of the server RewriteRule \^/(.*) ServerAdmin dracus@mit.edu,dongq@mit.edu,dtanner@mit.edu [http://isda-thalia2.mit.edu/$1] \[L,R\] \\ </VirtualHost> 7d2. Web Services - edit for correct server name: # the admins of this server<VirtualHost \*:80> ErrorLog /home/apache/logs/error_log RedirectPermanent / [https://isda-ws2.mit.edu/] </VirtualHost> 7e. edit /home/apache/conf/extra/httpd-ssl.conf and alter the following # error log filedirectives: TransferLogDocumentRoot "/home/apache/logs/access_logsash-server-2.0.4-BETA/servers/" # access log file points to directory with tomcat servers SSLCertificateFile /usr/local/ssl/certs/ServerName gybe.mit.edu.pem:443 # public the servername of the server certificate SSLCertificateKeyFile /usr/local/ssl/private/https-key.pemServerAdmin dracus@mit.edu,dongq@mit.edu,dtanner@mit.edu # private the admins of this server certificate SSLCACertificatePathErrorLog /usrhome/localapache/ssllogs/certserror_log # error #certificatelog pathfile SSLCACertificateFileTransferLog /usrhome/localapache/ssl/certs/mitCA.pemlogs/access_log # certificateaccess authoritylog keyfile nbsp; SSLCertificateFile /usr/local/ssl/certs/gybe.mit.edu.pem SSLVerifyClient require SSLVerifyDepth 10 8f. add the following after the '<Directory "/home/apache/cgi-bin">' # blockpublic in /home/apache/conf/extras/httpd-ssl.conf server certificate SSLOptions \+StdEnvVars \+ExportCertData 8g. add the following at the end of SSLCertificateKeyFile /homeusr/apachelocal/confssl/extraprivate/httpdhttps-sslkey.conf:pem JKMount / ajp13 # JKMountprivate /\* ajp13 server certificate JkMount /manager ajp13 JkMountSSLCACertificatePath /usr/local/manager/\* ajp13 ssl/certs JkMount /uaws ajp13 JkMount /uaws/\* ajp13 JkMount /webdav ajp13 JkMount /webdav/\* ajp13 #certificate path JkMount /geows ajp13 JkMountSSLCACertificateFile /geows/\* ajp13 usr/local/ssl/certs/mitCA.pem JkMount /servlets-examples ajp13 JkMount /servlets-examples/\* ajp13 JkMount /tomcat-docs ajp13 JkMount /tomcat-docs/\* ajp13 # JkMount /host-manager ajp13certificate authority key JkMount /host-manager/\* ajp13 JkMount /jsp-examples ajp13 SSLVerifyClient require JkMount /jsp-examples/\* ajp13 SSLVerifyDepth JkMount /balancer ajp13 10 7f. add the following after the '<Directory "/home/apache/cgi-bin">' JkMount /balancer/\* ajp13 block JkMount /mitidws ajp13in /home/apache/conf/extras/httpd-ssl.conf JkMountSSLOptions /mitidws/\* ajp13+StdEnvVars \+ExportCertData 98. to pass environment variables from apache to tomcat, add the following to the end of httpd.conf (note, the name for those environment variables might change between different apache versions. Apache comes with a cgi script in cgi-bin/printenv. Run this script in your https enabled browser to verify that these variables still holds). JkEnvVar SSL_CLIENT_DN nodefault JkEnvVar SSL_CLIENT_S_DN_CN nodefault JkEnvVar SSL_CLIENT_S_DN_Email nodefault JkEnvVar SSL_CLIENT_S_DN nodefault JkEnvVar HTTP_ACCEPT_LANGUAGE nodefault JkEnvVar SSL_CLIENT_CERT none 9. copy the following files to the noted locations. They should be bundled with this document: in the ISDA software repository. 9a. MitIdService.jar moves to: $SASHSRV_HOME/core/shared/lib cp /home/sash-server-2.0.3-1root/MitIdService.jar $SASHSRV_HOME/core/shared/lib 9b. rolesApplicationContext.xml moves to: $SASHSRV_HOME/core/shared/classes cp /home/sash-server-2.0.3-1root/rolesApplicationContext.xml $SASHSRV_HOME/core/shared/classes/ 9c. rootauth moves to /root 1110. install the web init script into /etc/init.d, and place starter links into the /etc/rc.d/ runlevel directories. It should be bundled with this document. 11a10a. edit the variables in the top section of the web file to use the directories and binaries correct for this system 11b10b. be certain to check if apache is using a httpdctl or apachectl starter program, usually contained in /home/apache/bin, and set the apachectl variable accordingly 11c10c. set web to be executable chmod a+rx,a-w /etc/init.d/web 11d 10d. link startweb and stopweb to the web program, from wherever it is located, and link start scripts in /etc/init.d: ln \-s /etc/init.d/web /root/startweb ln \-s /etc/init.d/web /root/stopweb ln \-s /etc/init.d/web /etc/rc.d/rc1.d/K15web ln \-s /etc/init.d/web /etc/rc.d/rc2.d/K15web ln \-s /etc/init.d/web /etc/rc.d/rc3.d/K15web ln \-s /etc/init.d/web /etc/rc.d/rc4.d/K15web ln \-s /etc/init.d/web /etc/rc.d/rc5.d/K15web ln \-s /etc/init.d/web /etc/rc.d/rc6.d/K15web ln \-s /etc/init.d/web /etc/rc.d/rc2.d/S15web ln \-s /etc/init.d/web /etc/rc.d/rc3.d/S15web ln \-s /etc/init.d/web /etc/rc.d/rc4.d/S15web ln \-s /etc/init.d/web /etc/rc.d/rc5.d/S15web 11e10e. Copy the SASH Server init file into /etc/init.d cp $SASHSRV_HOME/bin/sash-server.init /etc/init.d/sash-server chmod a+rx,a-w /etc/init.d/sash-server 11f10f. Link the SASH Server init file to runlevels. ln \-s /etc/init.d/sash-server /etc/rc.d/rc1.d/K16web ln \-s /etc/init.d/sash-server /etc/rc.d/rc2.d/K16web ln \-s /etc/init.d/sash-server /etc/rc.d/rc3.d/K16web ln \-s /etc/init.d/sash-server /etc/rc.d/rc4.d/K16web ln \-s /etc/init.d/sash-server /etc/rc.d/rc5.d/K16web ln \-s /etc/init.d/sash-server /etc/rc.d/rc6.d/K16web ln \-s /etc/init.d/sash-server /etc/rc.d/rc2.d/S16web ln \-s /etc/init.d/sash-server /etc/rc.d/rc3.d/S16web ln \-s /etc/init.d/sash-server /etc/rc.d/rc4.d/S16web ln \-s /etc/init.d/sash-server /etc/rc.d/rc5.d/S16web 11g10g. Edit /etc/init.d/sash-server and correct the value of SASHSRV_HOME. 1211. Add line to /var/spool/cron/root to cause rootauth to run every 15 min, and freshen the Kerberos tickets. cat >> /var/spool/cron/root 0,15,30,45 * * * * /root/rootauth \^C 1312. update paths in /etc/profile, by adding the following line in the path manipulation code block (you can find it by searching for /usr/local/sbin) pathmunge /usr/local/bin pathmunge /usr/kerberos/bin 1413. If this is an upgrade on a server that had previously had a tomcat on it, there are additional steps to move necessay files and code to the new directories. 14a13a. copy the webapps from the old deploy of tomcat to the new one. Be certain to restart the server if it was running previously. cd /home/apache-tomcat-5.5.20 cp \-a geows\* mapws\* mitidws\* uaws\* testcert\* TestRemoteAlfresco\* \ /home/apache-tomcat-5.5.23/webapps/ to see the applications deployed on a server that are not part of the default tomcat install, get a listing of the directory: ls \-1 \--hide=balancer \--hide ROOT \--hide=jsp-examples \ \--hide=servlets-examples \--hide=tomcat-docs \--hide=webdav 14b13b. Move the /home/https/weblib directory into /home mv /home/https/weblib/ /home/weblib ln \-s /home/weblib /home/https/weblib Alternatively, if there is not /home/https/weblib, create a /home/weblib directory mkdir /home/weblib 14c13c. Edit /etc/init.d/web to have the following global variable: export LD_LIBRARY_PATH=/usr/lib:/home/weblib 14d13d. Restart web services and tomcat /etc/init.d/web restart 1514. Install an AFS client, or check that a client is installed. 15a14a. Check if an AFS client is installed by looking at the root directory. If a client is installed, the afs directory will be near the top. ls \-l / 15b14b. If an AFS client is not installed, download these packages from the MIT Athena or Thalia software lockers: mit-openafs-setup-1.2-3.noarch.rpm mit-krb-config-1.0-3.noarch.rpm mit-openafs-package.patch 15c Unless the server is a virtual server. If this is the case, email server ops to have the virtualized AFS kernel module installed. 14c. Use rpm to install these packages, installing the Kerberos configuration package first. rpm \-ivh mit-krb-config-1.0-3.noarch.rpm rpm \-ivh mit-openafs-setup-1.2-3.noarch.rpm Please note: There are no paths in these commands. Store them in a conveinent install directory, and cd to it first. 15d14d. Go to the OpenAFS client binary directory and execute the setup script. It will ask if you want the AFS client to be started at boot time. Type yes. cd /opt/mit-openafs-setup/bin ./setup If system is a SMP (multiprocessor) machine, apply the SMP patch before compiling. cd /opt/mit-openafs-setup/bin patch < /root/mit-openafs-package.patch ./setup 1615. Install version of moira that uses Kerberos 5 16a15a. upload moira-rhel4-clients.tar.gz onto the server, and untar to /usr/local cd /usr/local tar \-xzvf /root/moira-rhel4-clients.tar.gz 1716. To start and stop tomcat and apache, use the initialization scripts in /etc/init.d. Be certain to leave them running when you are finished. starting /etc/init.d/web start stopping /etc/init.d/web stop |
Page History
Overview
Content Tools
Activity