...
- Request Server Ops setup the standard system user configuration on this system. This will include groups and system users for logs, www, and db.
- Download the following software from the ISDA software repository onto the system being configured:
Code Block httpd-2.2.4.tar.gz php-5.2.3.tar.gz MySQL/MySQL-*community-5.0.45-0.rhel4.i386.rpm MySQL/my.cnf mod_authz_mitgroup/mod_authz_mitgroup_rhel4.c
- If this is a 32 bit RHEL 5 system, download these additional RPMs.
Code Block scp root@trogdor:/mnt/iso-2/Server/php-* root@trogdor:/mnt/iso-3/Server/php-* /root scp root@trogdor:/mnt/iso-1/Server/curl-7.15.5-2.el5.i386.rpm \ root@trogdor:/mnt/iso-2/Server/gmp-4.1.4-10.el5.i386.rpm \ root@trogdor:/mnt/iso-1/Server/libidn-0.6.5-1.1.i386.rpm \ root@trogdor:/mnt/iso-1/Server/pcre-6.6-1.1.i386.rpm /root
- If this is a 64 bit RHEL system, download these additional RPMs.
Code Block
- If this is a 32 bit RHEL 5 system, download these additional RPMs.
- Remove previous version of MySQL and install current version
Code Block rpm -ev cyrus-sasl-sql-2.1.19-5.EL4.i386 rpm -ev dovecot-0.99.11-4.EL4.i386 rpm -ev mysql-4.1.20-1.RHEL4.1.i386 rpm -ev mysqlclient10-3.23.58-4.RHEL4.1.i386 rpm -ivh MySQL-client-community-5.0.45-0.rhel4.i386.rpm rpm -ivh MySQL-test-community-5.0.45-0.rhel4.i386.rpm rpm -ivh MySQL-devel-community-5.0.45-0.rhel4.i386.rpm rpm -ivh MySQL-server-community-5.0.45-0.rhel4.i386.rpm
- Stop the MySQL server and reconfigure my.cnf. The MySQL server startups as part of the rpm install process.
Code Block /etc/init.d/mysql stop mv /var/lib/mysql /home/db chown -R db:db /home/db cd /etc/ cp /root/my.cnf . /etc/init.d/mysql start
- Be certain to use the my.cnf file from the ISDA software repository, as it sets the database user to be 'db' (and not the default 'mysql'), and put the home and data directories into /home/db.
- Install OpenSSL and setup certificates.
Code Block mkdir /home/www/tmp cd /home/www/tmp tar -xzvf /root/openssl-0.9.8a.tar.gz cd openssl-0.9.8a ./config --prefix=/home/www/ssl --openssldir=/home/www/ssl make make install
- Setup certificates
- get the mitca at http://ca.mit.edu/mitClient.crt and save it as /usr/local/ssl/certs/mitClient.crt
- convert mitCA.crt to pem format:
Code Block openssl x509 -in /home/www/ssl/certs/mitClient.crt -inform DER -outform PEM -out /home/www/ssl/certs/mitCA.pem
- Generate rsa key. This simply generates some random stuff:
Code Block ps > /tmp/foo ps -elf >> /tmp/foo cd /home/www/ssl/bin ./openssl genrsa -rand /tmp/foo 1024 >/home/www/ssl/private/`hostname`-key.pem
- Generate request for a certificatecd /home/www/ssl/bin
send the file /usr/local/ssl/certs/`hostname`-req.pem to mitcert@mit.edu,Code Block ./openssl req -key /home/www/ssl/private/`hostname`-key.pem -new \ >../certs/`hostname`-req.pem
- Please be aware, the organization (O) is Massachusetts Institute of Technology and the common name (CN) is the name of the server or service, including the domain name (.mit.edu). Also, some servers, such as Thalia servers, can represent an entire subdomain. These servers will need certificates issued with a wildcard in the domain name, such as *.isda-thalia-1.mit.edu.
Wiki Markup Remember, if the server is a Thalia server, if will need a wildcard certificate and DNS record for \*.\[hostname\], and if it is doing any type of authentication, it will need a joint client/server certificate to be able to connect to the Shibboleth server (and have end users connect to it as well).
- To generate a self signed temporary certificate, add the x509 and nodes options to the openssl command line.
Code Block cd /home/www/ssl/bin ./openssl req \-key /home/www/ssl/private/`hostname`-key.pem \-new \ \-x509 \-nodes >../certs/`hostname`-temp.cert
- When you receive a certificate from MIT Certificates, save it as /home/www/ssl/certs/`hostname`-cert.pem
- to look at a request:
Code Block openssl req \-in ./req.pem \-text
- to look at the private key:
Code Block openssl rsa \-in /home/www/ssl/private/`hostname`-key.pem \-text
- to look at the server certificate:
Code Block openssl x509 \-in /home/www/ssl/certs/`hostname`-cert.pem \-text
- to look at a request:
- Install Apache
Code Block cd /home/www/tmp tar -xzvf /root/httpd-2.2.4.tar.gz cd httpd-2.2.4 ./configure --prefix=/home/www/apache-2.2.4 --enable-ssl \ --with-ssl=/home/www/ssl \ --enable-modules="most mod_rewrite" --enable-so make make install ln -s /home/www/apache-2.2.4 /home/www/apache
- Set up PHP
- If this is a RHEL 4 32 bit system, build it for source to get ver 5.
Code Block cd /home/www/tmp tar -xzvf /root/php-5.2.3.tar.gz cd php-5.2.3 ./configure --with-mysql --with-kerberos=/usr/kerberos --prefix=/home/www/php-5.2.0 --with-apxs2=/home/www/apache-2.2.4/bin/apxs \ --enable-fastcgi --enable-magic-quotes --with-openssl --with-mysql-sock=/home/db/mysql/mysql.sock --with-mysqli --enable-sockets --enable-soap \ --with-openssl-dir=/home/www/ssl --with-pear=/usr/share/pear make make install ln -s php-5.2.0 php
- If this is a RHEL 5 64 bit system, install from RPMs build with 64 bit libraries
Code Block rpmcd /home/www/tmp tar -ivh libidn-0.6.5-1.1.i386.rpm rpm -ivh curl-7.15.5-2.el5.i386.rpm rpm -ivh gmp-4.1.4-10.el5.i386.rpm xzvf /root/php-5.2.3.tar.gz cd php-5.2.3 ./configure --with-mysql --with-kerberos=/usr/kerberos --prefix=/home/www/php-5.2.0 \ --with-apxs2=/home/www/apache-2.2.4/bin/apxs --with-libxml2-dir=/usr/lib64 \ --enable-fastcgi --enable-magic-quotes --with-openssl --with-mysql-sock=/home/db/mysql/mysql.sock \ --with-mysqli --enable-sockets --enable-soap \ --with-openssl-dir=/home/www/ssl make make install ln -s php-5.2.0 php
- If this is a RHEL 4 32 bit system, build it for source to get ver 5.
- Configure Apache