...
- Request Server Ops setup the standard system user configuration on this system. This will include groups and system users for logs, www, and db.
- Download the following software from the ISDA software repository onto the system being configured:
Code Block httpd-2.2.4.tar.gz php-5.2.3.tar.gz MySQL/MySQL-*community-5.0.45-0.rhel4.i386.rpm MySQL/my.cnf mod_authz_mitgroup/mod_authz_mitgroup_rhel4.c
- If this is a 32 bit RHEL 5 system, download use the native Apache and PHP installs. Link the config directories into place. Download these additional RPMs.
If this is a 64 bit RHEL system, download these additional RPMs.Code Block mkdir /home/www/apache-2.2.3 ls -s /home/www/apache-2.2.3 /home/www/apache scp -r root@trogdor:/mntopt/isosoftware-repository-2tmp/ServerApache/php-*config-files/conf \ root@trogdor:/mntopt/isosoftware-repository-3tmp/ServerApache/phpconfig-* /root scpfiles/logs \ root@trogdor:/mntopt/isosoftware-repository-1tmp/ServerApache/curl-7.15.5-2.el5.i386.rpmconfig-files/htdocs \ root@trogdor:/mntopt/isosoftware-repository-2tmp/ServerApache/gmp-4.1.4-10.el5.i386.rpmconfig-files/icons \ root@trogdor:/mntopt/isosoftware-repository-1tmp/ServerApache/libidn-0.6.5-1.1.i386.rpmconfig-files/man* \ root@trogdor:/mnt/iso-1/Server/pcre-6.6-1.1.i386.rpm /root
Code Block /home/www/apache chown -R www:www /home/www ln -s /etc/httpd /home/www/apache ln -s /usr/lib64/httpd/modules /home/www/apache/modules
- If this is a 32 bit RHEL 5 system, download use the native Apache and PHP installs. Link the config directories into place. Download these additional RPMs.
- If the current version of MySQL is below 5.0, remove it and install a more current version.
Remove previous version of MySQL and install current versionCode Block /etc/init.d/mysql stop
Code Block rpm -ev cyrus-sasl-sql-2.1.19-5.EL4.i386 rpm -ev dovecot-0.99.11-4.EL4.i386 rpm -ev mysql-4.1.20-1.RHEL4.1.i386 rpm -ev mysqlclient10-3.23.58-4.RHEL4.1.i386 rpm -ivh MySQL-client-community-5.0.45-0.rhel4.i386.rpm rpm -ivh MySQL-test-community-5.0.45-0.rhel4.i386.rpm rpm -ivh MySQL-devel-community-5.0.45-0.rhel4.i386.rpm rpm -ivh MySQL-server-community-5.0.45-0.rhel4.i386.rpm
- Stop the MySQL server and reconfigure my.cnf. The MySQL server startups as part of the rpm install process.
Code Block /etc/init.d/mysql stop mv /var/lib/mysql /home/db chown -R db:db /home/db cd /etc/ cp /root/my.cnf . /etc/init.d/mysql start
- Be certain to use the my.cnf file from the ISDA software repository, as it sets the database user to be 'db' (and not the default 'mysql'), and put the home and data directories into /home/db.
- Install OpenSSL and setup certificates.
Code Block mkdir /home/www/tmp cd /home/www/tmp tar -xzvf /root/openssl-0.9.8a.tar.gz cd openssl-0.9.8a ./config --prefix=/home/www/ssl --openssldir=/home/www/ssl make make install
- Setup certificates
- get the mitca at http://ca.mit.edu/mitClient.crt and save it as /usr/local/ssl/certs/mitClient.crt
- convert mitCA.crt to pem format:
Code Block openssl x509 -in /home/www/ssl/certs/mitClient.crt -inform DER -outform PEM -out /home/www/ssl/certs/mitCA.pem
- Generate rsa key. This simply generates some random stuff:
Code Block ps > /tmp/foo ps -elf >> /tmp/foo cd /home/www/ssl/bin ./openssl genrsa -rand /tmp/foo 1024 >/home/www/ssl/private/`hostname`-key.pem
- Generate request for a certificatecd /home/www/ssl/bin
send the file /usr/local/ssl/certs/`hostname`-req.pem to mitcert@mit.edu,Code Block ./openssl req -key /home/www/ssl/private/`hostname`-key.pem -new \ >../certs/`hostname`-req.pem
- Please be aware, the organization (O) is Massachusetts Institute of Technology and the common name (CN) is the name of the server or service, including the domain name (.mit.edu). Also, some servers, such as Thalia servers, can represent an entire subdomain. These servers will need certificates issued with a wildcard in the domain name, such as *.isda-thalia-1.mit.edu.
Wiki Markup Remember, if the server is a Thalia server, if will need a wildcard certificate and DNS record for \*.\[hostname\], and if it is doing any type of authentication, it will need a joint client/server certificate to be able to connect to the Shibboleth server (and have end users connect to it as well).
- To generate a self signed temporary certificate, add the x509 and nodes options to the openssl command line.
Code Block cd /home/www/ssl/bin ./openssl req \-key /home/www/ssl/private/`hostname`-key.pem \-new \ \-x509 \-nodes >../certs/`hostname`-temp.cert
- When you receive a certificate from MIT Certificates, save it as /home/www/ssl/certs/`hostname`-cert.pem
- to look at a request:
Code Block openssl req \-in ./req.pem \-text
- to look at the private key:
Code Block openssl rsa \-in /home/www/ssl/private/`hostname`-key.pem \-text
- to look at the server certificate:
Code Block openssl x509 \-in /home/www/ssl/certs/`hostname`-cert.pem \-text
- to look at a request:
- Install Apache. If you are using RHEL 5, skip this step.
Code Block cd /home/www/tmp tar -xzvf /root/httpd-2.2.4.tar.gz cd httpd-2.2.4 ./configure --prefix=/home/www/apache-2.2.4 --enable-ssl \ --with-ssl=/home/www/ssl \ --enable-modules="most mod_rewrite" --enable-so make make install ln -s /home/www/apache-2.2.4 /home/www/apache
- Set up PHPIf this is a 32 bit system, build it for source to get ver 5. If you are using RHEL 5, skip this step.
Code Block cd /home/www/tmp tar -xzvf /root/php-5.2.3.tar.gz cd php-5.2.3 ./configure --with-mysql --with-kerberos=/usr/kerberos --prefix=/home/www/php-5.2.0 --with-apxs2=/home/www/apache-2.2.4/bin/apxs \ --enable-fastcgi --enable-magic-quotes --with-openssl --with-mysql-sock=/home/db/mysql/mysql.sock --with-mysqli --enable-sockets --enable-soap \ --with-openssl-dir=/home/www/ssl --with-pear=/usr/share/pear make make install ln -s php-5.2.0 php
- Configure Apache
- edit /home/www/apache/conf/httpd.conf If this is a 64 bit system, build with 64 bit libraries
- edit the following directives:
Code Block
ServerRoot "/home/www/
apache" # change to apache home directory User www # change from daemon Group www # change from daemon Include conf/extra/httpd-vhosts.conf # Uncomment Include conf/extra/httpd-ssl.conf # Uncomment
- add to /home/www/apache/conf/httpd.conf, and the bottom of the other includes:
Code Block # PHP module includes LoadModule php5_module modules/libphp5.so AddHandler php5-script .php AddType text/html .php DirectoryIndex index.php #AddType application/x-httpd-php-source .phps
- edit /home/www/apache/conf/extra/httpd-vhosts.conf to have ONLY one of the following VirtualHost blocks:
Code Block <VirtualHost *:80> RewriteEngine On RewriteRule \^/(.*) [https://finniganfen.mit.edu/$1] [L,R] </VirtualHost>
- To prevent some web pages from being redirected to https, add an escape clause between "RewriteEngine On" and the RewriteRule:
Code Block RewriteCond %{REQUEST_URI} !/WarehouseService
- To prevent some web pages from being redirected to https, add an escape clause between "RewriteEngine On" and the RewriteRule:
- edit /home/www/apache/conf/extra/httpd-ssl.conf and alter the following directives:
Code Block # points to directory for static html files DocumentRoot "/home/www/apache/htdocs" # the servername of the server ServerName gybe.mit.edu:443 # the admins of this server ServerAdmin map-support@mit.edu # error log file ErrorLog /home/www/apache/logs/error_log # access log file TransferLog /home/www/apache/logs/access_log # public server certificate SSLCertificateFile /usr/local/ssl/certs/gybe.mit.edu.pem # private server certificate SSLCertificateKeyFile /usr/local/ssl/private/https-key.pem #certificate path SSLCACertificatePath /usr/local/ssl/certs # certificate authority key SSLCACertificateFile /usr/local/ssl/certs/mitCA.pem SSLVerifyClient require SSLVerifyDepth 10
- add the following after the '<Directory "/home/www/apache/cgi-bin">' block in /home/www/apache/conf/extras/httpd-ssl.conf
Code Block SSLOptions +StdEnvVars +ExportCertData
- edit /home/www/apache/conf/httpd.conf If this is a 64 bit system, build with 64 bit libraries