...

  2f.  To look at a certificate signing request:

Code Block
openssl req -in ./req.pem -text

       to look at the private key:

Code Block
openssl rsa -in /usr/local/ssl/private/`hostname`-key.pem -text

       to look at the server certificate:

Code Block
openssl x509 -in /usr/local/ssl/certs/`hostname`-cert.pem -text

3.  Set up the local directory structure and users.

...

Code Block
groupadd www
useradd -g www -d /home/www -m -r -s /bin/bash www

     3aa.  Set up the www user directory structure and copy the config files into place.

Code Block
mkdir /home/www/weblib
mkdir /home/www/etc
cp -a /root/weblib /home/www/weblib
scp -r root@trogdor.mit.edu:${REPOS_HOME}/System-configs/www-user/etc /home/www/etc
cp /root/map-dev-ws1-new-keytab /home/www/etc/krb/daemon.map-dev-ws1.krb5.keytab
chown -R www:www /home/www/etc
chmod a-w,o-rx,u+r /home/www/etc/krb/daemon.map-dev-ws1.krb5.keytab

...

Code Block
# scp's recursive flag is -r (lower case)
scp -r root@trogdor.mit.edu:${REPOS_HOME}/System-configs/www-userweblib /home/www/weblib/

  3b.  If needed (if this system is going to hold an Alfresco instance, or something similar), set up the repository user.

Code Block
groupadd repos
# the repos user goes into the repos group created on the line above
useradd -g repos -d /home/www -m -r -s /bin/bash repos

  3c.  If needed, set up the database user.

Code Block
groupadd dbusr
# the group name must match the one passed to useradd -g
useradd -g dbusr -d /home/www -m -r -s /bin/bash dbusr

4.  Set up apache-ssl
  4a: download Apache 2.2.4 from apache archive site at
      http://archive.apache.org/dist/httpd/

  4b: Unpack apache 2.2.4 (tar -xzvf) and do "cd httpd-2.2.4"

Code Block
cd /opt
tar -xzvf /root/httpd-2.2.4.tar.gz
cd httpd-2.2.4

  4c. Compile apache following the instructions in the INSTALL file.
      To enable SSL, do the following:

Code Block
./configure --prefix=/home/www/apache-2.2.4 --enable-ssl \
  --with-ssl=/usr/local/ssl \
  --enable-modules="most mod_rewrite"
make
make install
ln -s /home/www/apache-2.2.4 /home/www/apache

...

  5a. Download the mod-jk 1.2.21 source (previous versions have a security hole
      that could allow a remote attacker to execute arbitrary code) from
      http://tomcat.apache.org/connectors-doc/.

Code Block
cd /opt
tar -xzvf /root/tomcat-connectors-1.2.21-src.tar.gz
cd tomcat-connectors-1.2.21-src

...

Code Block
./jdk-6-linux-i586-rpm.bin
# the self-extracting installer leaves the package behind as jdk-6-linux-i586.rpm
rpm -ivh jdk-6-linux-i586.rpm

   6d. Create a file in /etc/profile.d named java_home.sh.  It should contain
        a line exporting a variable pointing to the Java home directory.  Then
        make this file world executable:

...

Code Block
cd /home/www
tar -xzvf /root/sash-server-2.0.4-BETA.tar.gz
ln -s sash-server-2.0.4-BETA sash-server
cd sash-server-2.0.4-BETA

...

Code Block
cd ${SASHSRV_HOME}/core/server/webapps/manager/WEB-INF/lib
unzip -j /root/sash-2.0-flattened-jars.zip sash-2.0-flattened-jars/commons-io-1.3.1-1.jar

...

    7ai.  Update the www user.

Code Block
chown -R www:www /home/www

            Then edit $SASHSRV_HOME/bin/setvars, $SASHSRV_HOME/bin/sash-server.init, and
            $SASHSRV_HOME/bin/sash-server-CS2.init, and change SASHSRV_USER.

...

Code Block
cd $SASHSRV_HOME/servers
rm -rf default
cd $SASHSRV_HOME/bin
./mkInstance -N default
cd $SASHSRV_HOME/servers/default

...

Code Block
LoadModule jk_module "/home/www/apache/modules/mod_jk.so"

  7b. Apache side: edit /home/www/apache/conf/httpd.conf
      and set the following directives:

...

Code Block
# points to the directory holding the tomcat servers
DocumentRoot "/home/www/sash-server-2.0.4-BETA/servers/"
# the servername of the server
ServerName gybe.mit.edu:443
# the admins of this server
ServerAdmin dracus@mit.edu,dongq@mit.edu,dtanner@mit.edu
# error log file
ErrorLog /home/www/apache/logs/error_log
# access log file
TransferLog /home/www/apache/logs/access_log
# public server certificate
SSLCertificateFile /usr/local/ssl/certs/gybe.mit.edu.pem
# private server key
SSLCertificateKeyFile /usr/local/ssl/private/https-key.pem
# directory of CA certificates
SSLCACertificatePath /usr/local/ssl/certs
# certificate of the authority that signs the client certificates
SSLCACertificateFile /usr/local/ssl/certs/mitCA.pem

# every client must present a certificate that chains to the CA above
SSLVerifyClient require
SSLVerifyDepth  10
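A checker for the step 7b directives, added here as an example and not part of the original page or of the sash-server project: a POSIX sh script that reads an httpd.conf, confirms that the three certificate files it names exist, that SSLVerifyClient is still "require" (any other value lets a client connect without a certificate that chains to SSLCACertificateFile), and, when the openssl CLI is installed, that the certificate and the private key are the same RSA pair. The function names, the use of awk for parsing, and the assumption of an RSA key are mine; directive values containing spaces are not handled.

```shell
#!/bin/sh
# Added example (not from the original guide): validate the SSL directives
# from step 7b before restarting Apache.

# conf_value DIRECTIVE CONF: print the last value of DIRECTIVE, quotes removed.
# Commented-out lines never match because their first field starts with '#'.
conf_value() {
    awk -v k="$1" '$1 == k { v = $2 } END { gsub(/"/, "", v); print v }' "$2"
}

# ssl_pair_matches CERT KEY: 0 if both carry the same RSA modulus,
# 1 if they differ, 2 if either file could not be parsed by openssl.
# stdin is /dev/null so an encrypted key fails instead of prompting.
ssl_pair_matches() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null </dev/null) || return 2
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null </dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# check_ssl_conf CONF: print one line per finding; return 0 only if all pass.
check_ssl_conf() {
    conf=$1 rc=0
    for d in SSLCertificateFile SSLCertificateKeyFile SSLCACertificateFile; do
        path=$(conf_value "$d" "$conf")
        if [ -z "$path" ]; then
            echo "FAIL: $d is not set"; rc=1
        elif [ ! -r "$path" ]; then
            echo "FAIL: $d points at $path, which is missing or unreadable"; rc=1
        fi
    done
    verify=$(conf_value SSLVerifyClient "$conf")
    if [ "$verify" != "require" ]; then
        echo "FAIL: SSLVerifyClient is '${verify:-unset}', expected 'require'"; rc=1
    fi
    depth=$(conf_value SSLVerifyDepth "$conf")
    if [ -z "$depth" ]; then
        echo "WARN: SSLVerifyDepth not set; Apache defaults to 1"
    fi
    # Optional: confirm the certificate and key belong together.
    if [ "$rc" -eq 0 ] && command -v openssl >/dev/null 2>&1; then
        cert=$(conf_value SSLCertificateFile "$conf")
        key=$(conf_value SSLCertificateKeyFile "$conf")
        st=0
        ssl_pair_matches "$cert" "$key" || st=$?
        case $st in
            0) echo "OK: certificate and key match" ;;
            1) echo "FAIL: SSLCertificateKeyFile does not match SSLCertificateFile"; rc=1 ;;
            *) echo "WARN: could not parse certificate or key with openssl" ;;
        esac
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $conf"
    fi
    return "$rc"
}

# Command-line use: check_ssl_conf.sh /home/www/apache/conf/httpd.conf
if [ $# -ge 1 ]; then
    check_ssl_conf "$1"
fi
```

Run it against the live httpd.conf after every edit to the directives above; a non-zero exit means Apache either will not start or will start without mandatory client certificates.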

   7f. add the following after the '<Directory "/home/www/apache/cgi-bin">'
       block in /home/www/apache/conf/extras/httpd-ssl.conf

...

Code Block
cp /root/libMitIdNativeClient.so /home/www/weblib

  13e.  Restart web services and tomcat

...

  14a.  Send email to accounts@mit.edu and ask for a kerberos principal in the format of daemon.[hostname].krb5.keytab.  When you receive it, install it in /home/www/etc/krb
        as daemon.[hostname].krb5.keytab.

  14b.  Send email to Mark Silis or Jim Repa and request that the kerberos principal above (daemon/[hostname].mit.edu@ATHENA.MIT.EDU) be added to the access control
        list for the databases on Illinois that the web service will be using (often mitid or roles).
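A check for the keytab installed in steps 3aa and 14a, added here as an example and not part of the original page: a POSIX sh function that verifies a keytab (or any other secret file) carries the ownership and mode the guide sets with "chown www:www" and "chmod a-w,o-rx,u+r", which turns a default 0644 file into 0440. It assumes GNU coreutils (stat -c); the expected owner and group are parameters so the same check runs on a test box that has no www account. The function name is mine.

```shell
#!/bin/sh
# Added example (not from the original guide): confirm a secret file has the
# owner and mode steps 3aa and 14a expect.
#
# usage: check_secret_file FILE OWNER GROUP
# Prints one line per finding and returns 0 only when every check passes.
check_secret_file() {
    file=$1 want_owner=$2 want_group=$3
    rc=0
    if [ ! -f "$file" ]; then
        echo "FAIL: $file is missing or not a regular file"
        return 1
    fi
    # octal mode (no leading zero), owner name, group name
    set -- $(stat -c '%a %U %G' "$file")
    mode=$1 owner=$2 group=$3
    # split the mode into user / group / other digits
    u=$((mode / 100 % 10)) g=$((mode / 10 % 10)) o=$((mode % 10))
    if [ "$o" -ne 0 ]; then
        echo "FAIL: $file is accessible to others (mode $mode); expected o-rx"; rc=1
    fi
    if [ $((u & 2)) -ne 0 ] || [ $((g & 2)) -ne 0 ]; then
        echo "FAIL: $file is writable (mode $mode); expected a-w"; rc=1
    fi
    if [ $((u & 4)) -eq 0 ]; then
        echo "FAIL: $file is not readable by its owner (mode $mode)"; rc=1
    fi
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "FAIL: $file is owned by $owner:$group; expected $want_owner:$want_group"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $file mode $mode owner $owner:$group"
    fi
    return "$rc"
}

# Command-line use: check_secret_file.sh FILE [OWNER] [GROUP];
# owner and group default to www, as in the guide.
if [ $# -ge 1 ]; then
    check_secret_file "$1" "${2:-www}" "${3:-www}"
fi
```

Run it as `check_secret_file.sh /home/www/etc/krb/daemon.[hostname].krb5.keytab` once the keytab from 14a is in place; a keytab that is readable by other accounts lets any local user obtain the daemon's Kerberos credentials, so the check should be part of the post-install verification.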

...

  15c. Use rpm to install these packages, installing the Kerberos
       configuration package first.

Code Block
rpm -ivh mit-krb-config-1.0-3.noarch.rpm
rpm -ivh mit-openafs-setup-1.2-3.noarch.rpm

...

Code Block
cd /usr/local
tar -xzvf /root/moira-rhel4-clients.tar.gz

...