...
2f: to look at a request:
Code Block:
    openssl req -in ./req.pem -text
to look at the private key:
Code Block:
    openssl rsa -in /usr/local/ssl/private/`hostname`-key.pem -text
to look at the server certificate:
Code Block:
    openssl x509 -in /usr/local/ssl/certs/`hostname`-cert.pem -text
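The three openssl commands above print the objects one at a time; what a practitioner wants to know before installing them is that the key, the request and the issued certificate actually belong together and that the certificate is not about to expire. The script below is an added example, not from the original page: it compares the RSA modulus of all three files and runs an expiry check. The key/request/certificate trio built by make_demo_pair is constructed in a temporary directory so the script runs offline; real paths such as /usr/local/ssl/private/`hostname`-key.pem are passed as arguments instead.

```shell
#!/bin/sh
# Added example (not from the original page): check that a private key, a
# CSR and a certificate share one RSA modulus, and that the certificate is
# still valid for a given number of seconds. The demo pair is constructed.

# md5 of the RSA modulus; $1 is the openssl subcommand (rsa, req or x509),
# $2 the PEM file. Fails (non-zero) when openssl cannot read the file.
modulus_fp() {
    m=$(openssl "$1" -in "$2" -noout -modulus 2>/dev/null) || return 1
    printf '%s' "$m" | openssl md5 | awk '{print $NF}'
}

# Return 0 when key ($1), request ($2) and certificate ($3) share a modulus.
check_pair() {
    k=$(modulus_fp rsa "$1") || return 1
    r=$(modulus_fp req "$2") || return 1
    c=$(modulus_fp x509 "$3") || return 1
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Return 0 when certificate $1 will still be valid $2 seconds from now.
check_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Build a constructed key/CSR/self-signed cert (30 days) plus one unrelated
# key in a temporary directory, and print that directory.
make_demo_pair() {
    d=$(mktemp -d)
    openssl genrsa -out "$d/key.pem" 2048 2>/dev/null
    openssl req -new -key "$d/key.pem" -subj "/CN=demo.example" \
        -out "$d/req.pem" 2>/dev/null
    openssl x509 -req -in "$d/req.pem" -signkey "$d/key.pem" -days 30 \
        -out "$d/cert.pem" 2>/dev/null
    openssl genrsa -out "$d/other-key.pem" 2048 2>/dev/null
    echo "$d"
}

# Usage: sh check-pair.sh KEY.pem REQ.pem CERT.pem
if [ $# -eq 3 ]; then
    check_pair "$1" "$2" "$3" && echo "key, request and certificate match"
    check_not_expiring "$3" $((30*86400)) && echo "certificate valid for at least 30 days"
fi
```

Run it as `sh check-pair.sh /usr/local/ssl/private/$(hostname)-key.pem ./req.pem /usr/local/ssl/certs/$(hostname)-cert.pem`; a silent run means one of the checks failed, which is the point at which to stop and re-issue the request rather than install a mismatched pair.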
3. Set up the local directory structure and users.
...
Code Block:
    groupadd www
    useradd -g www -d /home/www -m -r -s /bin/bash www
3aa. Set up the www user directory structure and copy the config files into place.
Code Block:
    mkdir /home/www/weblib
    mkdir /home/www/etc
    cp -a /root/weblib /home/www/weblib
    scp -r root@trogdor.mit.edu:${REPOS_HOME}/System-configs/www-user/etc /home/www/etc
    cp /root/map-dev-ws1-new-keytab /home/www/etc/krb/daemon.map-dev-ws1.krb5.keytab
    chown -R www:www /home/www/etc
    chmod a-w,o-rx,u+r /home/www/etc/krb/daemon.map-dev-ws1.krb5.keytab
...
Code Block:
    scp -r root@trogdor.mit.edu:${REPOS_HOME}/System-configs/www-userweblib /home/www/weblib/
3b. If needed (if this system is going to hold an Alfresco instance, or something similar), set up the repository user.
Code Block:
    groupadd repos
    useradd -g repos -d /home/www -m -r -s /bin/bash repos
3c. If needed, set up the database user.
Code Block:
    groupadd dbusr
    useradd -g dbusr -d /home/www -m -r -s /bin/bash dbusr
4. Set up apache-ssl
4a: Download Apache 2.2.4 from the Apache archive site at
http://archive.apache.org/dist/httpd/
4b: Unpack Apache 2.2.4 (tar -xzvf) and cd into httpd-2.2.4:
Code Block:
    cd /opt
    tar -xzvf /root/httpd-2.2.4.tar.gz
    cd httpd-2.2.4
4c. Compile Apache following the instructions in the INSTALL file.
To enable SSL, do the following:
Code Block:
    ./configure --prefix=/home/www/apache-2.2.4 --enable-ssl \
        --with-ssl=/usr/local/ssl \
        --enable-modules="most mod_rewrite"
    make
    make install
    ln -s /home/www/apache-2.2.4 /home/www/apache
...
5a. Download the mod_jk 1.2.21 source (previous versions have a security hole
that could allow a remote attacker to execute arbitrary code) from
http://tomcat.apache.org/connectors-doc/.
Code Block:
    cd /opt
    tar -xzvf /root/tomcat-connectors-1.2.21-src.tar.gz
    cd tomcat-connectors-1.2.21-src
...
Code Block:
    # the self-extracting installer unpacks the rpm, which is then installed
    ./jdk-6-linux-i586-rpm.bin
    rpm -ivh jdk-6-linux-i586.rpm
6d. Create a file in /etc/profile.d named java_home.sh. It should contain
a line exporting a variable pointing to the Java home directory. Then
make this file world executable.
...
Code Block:
    cd /home/www
    tar -xzvf /root/sash-server-2.0.4-BETA.tar.gz
    ln -s sash-server-2.0.4-BETA sash-server
    cd sash-server-2.0.4-BETA
...
Code Block:
    cd ${SASHSRV_HOME}/core/server/webapps/manager/WEB-INF/lib
    unzip -j /root/sash-2.0-flattened-jars.zip sash-2.0-flattened-jars/commons-io-1.3.1-1.jar
...
7ai. Update the www user.
Code Block:
    chown -R www:www /home/www
Then edit $SASHSRV_HOME/bin/setvars, $SASHSRV_HOME/bin/sash-server.init and $SASHSRV_HOME/bin/sash-server-CS2.init, and change SASHSRV_USER.
...
Code Block:
    cd $SASHSRV_HOME/servers
    rm -rf default
    cd $SASHSRV_HOME/bin
    ./mkInstance -N default
    cd $SASHSRV_HOME/servers/default
...
Code Block:
    LoadModule jk_module "/home/www/apache/modules/mod_jk.so"
7b. Apache side: edit /home/www/apache/conf/httpd.conf and set the following directives:
...
Code Block:
    # points to directory with tomcat servers
    DocumentRoot "/home/www/sash-server-2.2.4-BETA/servers/"
    # the servername of the server
    ServerName gybe.mit.edu:443
    # the admins of this server
    ServerAdmin dracus@mit.edu,dongq@mit.edu,dtanner@mit.edu
    # error log file
    ErrorLog /home/www/apache/logs/error_log
    # access log file
    TransferLog /home/www/apache/logs/access_log
    # public server certificate
    SSLCertificateFile /usr/local/ssl/certs/gybe.mit.edu.pem
    # private server key
    SSLCertificateKeyFile /usr/local/ssl/private/https-key.pem
    # directory of CA certificates used to verify client certificates
    SSLCACertificatePath /usr/local/ssl/certs
    # certificate authority certificate used to verify client certificates
    SSLCACertificateFile /usr/local/ssl/certs/mitCA.pem
    # every client must present a certificate chaining to the CA above
    SSLVerifyClient require
    SSLVerifyDepth 10
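Because the directives above are what turns client certificate verification on, a mistyped value (SSLVerifyClient left at optional, a key file that the server cannot read, or a key readable by every local account) only shows up at restart or, worse, not at all. The script below is an added example, not from the original page: it extracts the SSL directives from an httpd.conf and fails when verification is not enforced, the depth is not a number, a referenced file is missing, or the private key is readable beyond its owner. write_demo_conf builds a constructed config with placeholder paths in a temporary directory for the demo; the mode check assumes GNU stat -c, as on RHEL.

```shell
#!/bin/sh
# Added example (not from the original page): lint the SSL directives of an
# httpd.conf before restarting Apache. Demo config and paths are constructed.

# Print the value of directive $2 from config $1: last occurrence wins,
# commented-out lines are skipped, surrounding quotes are stripped.
directive() {
    awk -v name="$2" '$1 == name { v = $2 } END { gsub(/"/, "", v); print v }' "$1"
}

# Return 0 when every check passes, 1 otherwise; each failure goes to stderr.
audit_ssl_conf() {
    conf="$1"; status=0
    vc=$(directive "$conf" SSLVerifyClient)
    if [ "$vc" != "require" ]; then
        echo "SSLVerifyClient is '${vc:-unset}', expected 'require'" >&2; status=1
    fi
    depth=$(directive "$conf" SSLVerifyDepth)
    case "$depth" in
        ''|*[!0-9]*) echo "SSLVerifyDepth is '${depth:-unset}', expected a number" >&2; status=1 ;;
    esac
    for name in SSLCertificateFile SSLCertificateKeyFile SSLCACertificateFile; do
        f=$(directive "$conf" "$name")
        if [ ! -r "$f" ]; then
            echo "$name: '${f:-unset}' is missing or unreadable" >&2; status=1
        fi
    done
    key=$(directive "$conf" SSLCertificateKeyFile)
    if [ -f "$key" ]; then
        mode=$(stat -c %a "$key")          # GNU stat assumed
        case "$mode" in
            ?00) ;;                         # owner-only: 400, 600 or 700
            *) echo "SSLCertificateKeyFile: mode $mode is readable beyond the owner" >&2; status=1 ;;
        esac
    fi
    return $status
}

# Write a constructed config into a temporary directory and print that
# directory; $1 = SSLVerifyClient value, $2 = mode to give the key file.
write_demo_conf() {
    d=$(mktemp -d)
    : > "$d/server-cert.pem"
    : > "$d/server-key.pem"
    : > "$d/ca.pem"
    chmod "$2" "$d/server-key.pem"
    cat > "$d/httpd.conf" <<EOF
# constructed fragment with placeholder paths
ServerName www.example.test:443
SSLCertificateFile "$d/server-cert.pem"
SSLCertificateKeyFile "$d/server-key.pem"
SSLCACertificatePath "$d"
SSLCACertificateFile "$d/ca.pem"
SSLVerifyClient $1
SSLVerifyDepth 10
EOF
    echo "$d"
}

# Usage: sh audit-ssl.sh /home/www/apache/conf/httpd.conf
if [ $# -eq 1 ]; then
    audit_ssl_conf "$1" && echo "$1: SSL directives look sane"
fi
```

Run it against the real file as root (the key under /usr/local/ssl/private should not be readable by anyone else, so the readability test only means something when run as the user Apache starts as); a non-zero exit with the reasons on stderr is the cue to fix the config before step 13e restarts the service.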
7f. Add the following after the '<Directory "/home/www/apache/cgi-bin">'
block in /home/www/apache/conf/extra/httpd-ssl.conf
...
Code Block:
    cp /root/libMitIdNativeClient.so /home/www/weblib
13e. Restart web services and Tomcat.
...
14a. Send email to accounts@mit.edu and ask for a Kerberos principal in the format daemon.[hostname].krb5.keytab. When you receive it, install it in /home/www/etc/krb as daemon.[hostname].krb5.keytab.
14b. Send email to Mark Silis or Jim Repa and request that the Kerberos principal above (daemon/[hostname].mit.edu@ATHENA.MIT.EDU) be added to the access control list for the databases on Illinois that the web service will be using (often mitid or roles).
...
15c. Use rpm to install these packages, installing the Kerberos
configuration package first.
Code Block:
    rpm -ivh mit-krb-config-1.0-3.noarch.rpm
    rpm -ivh mit-openafs-setup-1.2-3.noarch.rpm
...
Code Block:
    cd /usr/local
    tar -xzvf /root/moira-rhel4-clients.tar.gz
...