Note:  These directions are not complete, and may contain errors.  If you encounter an omission or error, please correct this document.

...


# Request that Server Ops set up the standard system user configuration on this system.  This includes the groups and system users for logs, www, and db.

...


# Download the following software from the ISDA software repository onto the system being configured:

...


{code

...

}
httpd-2.2.4.tar.gz php-5.2.3.tar.gz
MySQL/MySQL-*community-5.0.45-0.rhel4.i386.rpm
MySQL/my.cnf
mod_authz_mitgroup/mod_authz_mitgroup_rhel4.c
apache_home.sh
web

...


{code}
#* If this is a RHEL 5 system, use the native Apache and PHP installs.  Link the config directories into place.  Download these additional RPMs.
{code}
# Versioned home for the config tree of the RHEL 5-native httpd
# (2.2.3 is presumably the RHEL 5 package version — confirm with rpm -q httpd);
# /home/www/apache is linked to this directory in the next step.
mkdir /home/www/apache-2.2.3

...

# Link the live Apache name to the versioned directory, stage the Apache
# config tree from the ISDA software repository into it, then hand the
# whole /home/www tree to the www service account.
# NOTE(review): everything is fetched as root over ssh from trogdor; the
# repository host is trusted implicitly here.
repo_cfg=root@trogdor:/opt/software-repository-tmp/Apache/config-files
ln -s /home/www/apache-2.2.3 /home/www/apache
cfg_dirs=(
  "${repo_cfg}/conf"
  "${repo_cfg}/logs"
  "${repo_cfg}/htdocs"
  "${repo_cfg}/icons"
  "${repo_cfg}/man*"
)
scp -r "${cfg_dirs[@]}" /home/www/apache
chown -R www:www /home/www

...

mv /etc/httpd /

...

etc/httpd.bak
# RHEL 5 keeps the distribution httpd; only its config location is relocated.
# Point the stock /etc/httpd path at the staged tree, and give the staged
# tree access to the distribution-supplied modules directory.
ln -s /home/www/apache /etc/httpd
ln -s /usr/lib64/httpd/modules /home/www/apache/modules

...


{code}
# If the current version of MySQL is below 5.0, or if MySQL is not installed, update it to a recent version.
## Download the needed packages for RHEL 4 or 5.
##*  RHEL 5
{code}
# Fetch the MySQL 5.0.45 RHEL 5 packages (plus perl-DBI and the repository
# my.cnf) into a scratch directory under /home/db.
mkdir /home/db/tmp
cd /home/db/tmp
mysql_repo=root@trogdor:/opt/software-repository-tmp/MySQL
rhel5_pkgs=(
  "${mysql_repo}/MySQL-client-community-5.0.45-0.rhel5.i386.rpm"
  "${mysql_repo}/MySQL-server-community-5.0.45-0.rhel5.i386.rpm"
  "${mysql_repo}/MySQL-shared-community-5.0.45-0.rhel5.i386.rpm"
  "${mysql_repo}/MySQL-shared-compat-5.0.45-0.rhel5.i386.rpm"
  "${mysql_repo}/MySQL-test-community-5.0.45-0.rhel5.i386.rpm"
  "${mysql_repo}/perl-DBI-1.52-1.fc6.i386.rpm"
  "${mysql_repo}/my.cnf"
)
# NOTE(review): these RPMs are later installed as root with no signature
# check; verify them (rpm -K) against the repository's key before installing.
scp "${rhel5_pkgs[@]}" /home/db/tmp
{code}
##*  RHEL 4
{code}
# Fetch the MySQL 5.0.45 RHEL 4 packages (plus perl-DBI and the repository
# my.cnf) into a scratch directory under /home/db.
mkdir /home/db/tmp
cd /home/db/tmp
mysql_repo=root@trogdor:/opt/software-repository-tmp/MySQL
rhel4_pkgs=(
  "${mysql_repo}/MySQL-client-community-5.0.45-0.rhel4.i386.rpm"
  "${mysql_repo}/MySQL-server-community-5.0.45-0.rhel4.i386.rpm"
  "${mysql_repo}/MySQL-shared-community-5.0.45-0.rhel4.i386.rpm"
  "${mysql_repo}/MySQL-shared-compat-5.0.45-0.rhel4.i386.rpm"
  "${mysql_repo}/MySQL-test-community-5.0.45-0.rhel4.i386.rpm"
  "${mysql_repo}/perl-DBI-1.52-1.fc6.i386.rpm"
  "${mysql_repo}/my.cnf"
)
# NOTE(review): these RPMs are later installed as root with no signature
# check; verify them (rpm -K) against the repository's key before installing.
scp "${rhel4_pkgs[@]}" /home/db/tmp
{code}
##  Stop the MySQL server if it is running, remove the old version, and install the new one.
##*  RHEL 4
{code}
# Upgrade MySQL in place on RHEL 4: stop the old server, remove the
# RHEL-shipped 4.1 packages and their dependents, then install the 5.0.45
# community RPMs from the scratch directory (cwd is /home/db/tmp from the
# download step).
/etc/init.d/mysql stop
# NOTE(review): dovecot and cyrus-sasl-sql are removed as well — presumably
# because they link against the old mysql client library; confirm this host
# does not rely on them before running.
old_pkgs=(
  cyrus-sasl-sql-2.1.19-5.EL4.i386
  dovecot-0.99.11-4.EL4.i386
  mysql-4.1.20-1.RHEL4.1.i386
  mysqlclient10-3.23.58-4.RHEL4.1.i386
)
for pkg in "${old_pkgs[@]}"; do
  rpm -ev "$pkg"
done
# NOTE(review): MySQL-devel is not in the download list above, and the
# downloaded MySQL-shared* packages are not installed here — check which set
# is intended.
new_pkgs=(
  MySQL-client-community-5.0.45-0.rhel4.i386.rpm
  MySQL-test-community-5.0.45-0.rhel4.i386.rpm
  MySQL-devel-community-5.0.45-0.rhel4.i386.rpm
  MySQL-server-community-5.0.45-0.rhel4.i386.rpm
)
for pkg in "${new_pkgs[@]}"; do
  rpm -ivh "$pkg"
done
{code}
##*  RHEL 5
{code}
/etc/init.d/mysql stop
rpm -ev cyrus-sasl-sql-2.1.19-5.EL4.i386
rpm -ev dovecot-0.99.11-4.EL4.i386
rpm -ev mysql-4.1.20-1.RHEL4.1.i386
rpm -ev mysqlclient10-3.23

...

.58-4.RHEL4.1.i386
rpm -ivh perl-DBI-1.52-1.fc6.i386.rpm
rpm -ivh MySQL-client-community-5.0.45-0.

...

rhel5.i386.rpm
rpm -ivh MySQL-test-community-5.0.45-0.

...

rhel5.i386.rpm
rpm -ivh MySQL-devel-community-5.0.45-0.

...

rhel5.i386.rpm
rpm -ivh MySQL-server-community-5.0.45-0.

...

rhel5.i386.rpm

...


{code}
# Stop the MySQL server and reconfigure my.cnf.  The MySQL server starts up as part of the rpm install process.

...


{code

...

}
# Relocate the data directory to /home/db and switch to the repository my.cnf.
# The RPM install leaves mysqld running, so stop it before moving files.
/etc/init.d/mysql stop
mv /var/lib/mysql /home/db
# Hand the whole tree to the 'db' service user that the repository my.cnf
# runs the server as.
chown -R db:db /home/db
cd /etc/
# NOTE(review): the download step above copied my.cnf to /home/db/tmp, not
# /root — confirm which copy is meant here.
cp /root/my.cnf .
/etc/init.d/mysql start

...


{code}
#* Be certain to use the my.cnf file from the ISDA software repository, as it sets the database user to be 'db' (and not the default 'mysql'), and puts the home and data directories into /home/db.

...


# Install OpenSSL and setup certificates.

...


#* If the version of OpenSSL is greater than 0.9.8, skip the install step.

...


{code

...

}
openssl

...

 version
{code}
#* Install OpenSSL, if needed.

...


{code

...

}
# Build OpenSSL 0.9.8a from the repository tarball into a private prefix
# under /home/www/ssl (binaries and the openssldir both live there).
src_tarball=/root/openssl-0.9.8a.tar.gz
ssl_prefix=/home/www/ssl
mkdir /home/www/tmp
cd /home/www/tmp
# NOTE(review): nothing here checks the tarball against a published
# digest/signature before it is built and installed as root — verify it first.
tar -xzvf "$src_tarball"
cd openssl-0.9.8a
./config --prefix="$ssl_prefix" --openssldir="$ssl_prefix"
make
make install

...


{code}
# Set up certificates
## get the mitca at [http://ca.mit.edu/mitClient.crt] and save it as /usr/local/ssl/certs/mitClient.crt

...


## convert mitCA.crt to pem format:

...


{code

...

}
# Convert the MIT CA certificate from DER to PEM; the PEM copy is what the
# SSLCACertificateFile directive in httpd-ssl.conf refers to later.
# NOTE(review): the download step above saves the DER file under
# /usr/local/ssl/certs, not /home/www/ssl/certs — confirm the input path.
openssl x509 -in /home/www/ssl/certs/mitClient.crt -inform DER -outform PEM -out /home/www/ssl/certs/mitCA.pem

...


{code}
## Generate the RSA private key.  The ps output written to /tmp/foo is only used as seed material for the random number generator:

...


{code

...

}
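# Generate the server's RSA private key into ssl/private.
# Seed material: the original dumped `ps` output into the fixed path
# /tmp/foo.  A fixed name in the world-writable /tmp can be pre-created
# (or symlinked) by any local user, so a mktemp file is used instead and
# removed afterwards.  The key is written under umask 077 so the file is
# never group/world readable, even briefly; everything in ssl/private is
# secret material.
seed=$(mktemp) || exit 1
ps > "$seed"
ps -elf >> "$seed"
# 1024 was the original size; 1024-bit RSA is below current minimums,
# so 2048 is used here.
key_bits=2048
(umask 077 && openssl genrsa -rand "$seed" "$key_bits" >"/home/www/ssl/private/$(hostname)-key.pem")
rm -f -- "$seed"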

...


{code}
## Generate a request for a certificate.  First cd to /home/www/ssl/bin, then run:

...


{code

...

}
# Build a certificate signing request from the existing private key.
# Only the public half goes into the request; the request file (never the
# -key.pem file) is what gets sent to MIT Certificates.
host=$(hostname)
openssl req -new \
   -key "/home/www/ssl/private/${host}-key.pem" \
   >"/home/www/ssl/certs/${host}-req.pem"
{code}

...

send the file /usr/local/ssl/certs/`hostname`-req.pem to mitcert@mit.edu,

...


##* Please be aware, the organization (O) is _Massachusetts Institute of Technology_ and the common name (CN) is the name of the server or service, including the domain name (.mit.edu).

...

  Also, some servers, such as Thalia servers, can represent an entire subdomain.

...

  These servers will need certificates issued with a wildcard in the domain name, such as \*.isda-thalia-1.mit.edu.

...


##* Remember, if the server is a Thalia server, it will need a wildcard certificate and DNS record for \*.\[hostname\], and if it is doing any type of authentication, it will need a joint client/server certificate to be able to connect to the Shibboleth server (and have end users connect to it as well).

...


## To generate a self signed temporary certificate, add the x509 and nodes options to the openssl command line.

...


{code

...

}
# Issue a throw-away self-signed certificate from the same key so Apache can
# be brought up before the MIT-signed certificate arrives.  The original's
# wiki-escaped "\-" options are plain "-" options to bash; -nodes keeps any
# generated key unencrypted.
cd /home/www/ssl/bin
host=$(hostname)
openssl req -new -x509 -nodes \
  -key "/home/www/ssl/private/${host}-key.pem" \
  >"/home/www/ssl/certs/${host}-temp.cert"

...


{code}
## When you receive a certificate from MIT Certificates, save it as /home/www/ssl/certs/`hostname`-cert.pem

...


##* to look at a request:

...


{code

...

}
# Dump a signing request in readable form (the wiki-escaped \- are plain -
# options in bash).  ./req.pem is relative: run this from the directory
# holding the request, or give the full path under ssl/certs.
openssl req \-in ./req.pem \-text

...


{code}
##* to look at the private key:
{code}
# Prints the RSA private key parameters in clear text.  Run this only on a
# trusted console; the output is secret material and must not end up in
# shared terminals, pastes or log files.
openssl rsa \-in /home/www/ssl/private/`hostname`-key.pem \-text

...


{code}
##* to look at the server certificate:
{code}
# Dump the issued server certificate in readable form — useful for checking
# the CN / wildcard and validity dates before wiring it into httpd-ssl.conf.
openssl x509 \-in /home/www/ssl/certs/`hostname`-cert.pem \-text

...


{code}
# Install Apache.  If you are using RHEL 5, skip this step.

...


{code

...

}
# Build Apache 2.2.4 against the OpenSSL prefix built above and install it
# under a versioned prefix; /home/www/apache is the symlink to the live
# version.
apache_ver=2.2.4
apache_prefix=/home/www/apache-${apache_ver}
cd /home/www/tmp
tar -xzvf "/root/httpd-${apache_ver}.tar.gz"
cd "httpd-${apache_ver}"
./configure --prefix="$apache_prefix" --enable-ssl \
   --with-ssl=/home/www/ssl \
   --enable-modules="most mod_rewrite"  --enable-so
make
make install
ln -s "$apache_prefix" /home/www/apache

...


{code}
# Set up PHP.  If you are using RHEL 5, skip this step.

...


{code

...

}
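# Build PHP 5.2.3 against the Apache built above, the relocated MySQL
# socket, the system Kerberos and the private OpenSSL.
cd /home/www/tmp
tar -xzvf /root/php-5.2.3.tar.gz
cd php-5.2.3
# NOTE(review): the tarball is 5.2.3 but --prefix says php-5.2.0 — looks like
# a stale copy; confirm the intended directory name before building.
# NOTE(review): --enable-magic-quotes turns on a legacy input-mangling feature
# that later PHP releases dropped; confirm the applications still need it.
./configure --with-mysql --with-kerberos=/usr/kerberos --prefix=/home/www/php-5.2.0 --with-apxs2=/home/www/apache-2.2.4/bin/apxs \
    --enable-fastcgi --enable-magic-quotes --with-openssl --with-mysql-sock=/home/db/mysql/mysql.sock --with-mysqli --enable-sockets --enable-soap \
    --with-openssl-dir=/home/www/ssl --with-pear=/usr/share/pear
make
make install
# The original ran `ln -s php-5.2.0 php` from inside the build tree, which
# creates the link in /home/www/tmp/php-5.2.3 rather than in /home/www.
# Use absolute paths, matching the Apache step.
ln -s /home/www/php-5.2.0 /home/www/php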

...


{code}
# Configure Apache
## edit /home/www/apache/conf/httpd.conf

...


##* edit the following directives:

...


{code

...

}
# httpd.conf directives to change.  Running as the unprivileged www user
# and group (not daemon) keeps the server's file access limited to the
# www-owned tree chown'd earlier; the two Include lines pull in the vhost
# and SSL configs edited in the following steps.
ServerRoot "/home/www/apache"          # change to apache home directory
User www                               # change from daemon
Group www                              # change from daemon
Include conf/extra/httpd-vhosts.conf   # Uncomment
Include conf/extra/httpd-ssl.conf      # Uncomment

...


{code}
##* add to /home/www/apache/conf/httpd.conf, and the bottom of the other includes:

...


{code

...

}
# PHP module includes
# Hand .php files to the PHP 5 module built above (libphp5.so is installed
# into the apache modules directory by the PHP build).

LoadModule php5_module modules/libphp5.so
AddHandler php5-script .php
AddType text/html .php
DirectoryIndex index.php
# Left disabled on purpose: the .phps handler would serve highlighted PHP
# source to clients.
#AddType application/x-httpd-php-source .phps

...


{code}
## edit /home/www/apache/conf/extra/httpd-vhosts.conf to have ONLY one of the following VirtualHost blocks:

...


{code

...

}
# Plain-HTTP vhost whose only job is to bounce every request to HTTPS.
<VirtualHost *:80>
     RewriteEngine On

     # NOTE(review): the target host is hard-coded to finniganfen.mit.edu;
     # change it to this server's name (or %{SERVER_NAME}) or every visitor
     # is sent to that other host.  [R] without a code is a 302 redirect.
     RewriteRule ^/(.*)         https://finniganfen.mit.edu/$1 [L,R]

</VirtualHost>

...


{code}
##* To prevent some web pages from being redirected to https, add an escape clause between "RewriteEngine On" and the RewriteRule:
{code}
# Skip the HTTPS redirect for this path: the leading ! negates the match, so
# the RewriteRule that follows fires for everything except /WarehouseService.
# The pattern is unanchored, so it also exempts any URI that merely contains
# /WarehouseService (e.g. /foo/WarehouseService); anchor it with ^ if that is
# not intended.
RewriteCond %{REQUEST_URI}       !/WarehouseService

...


{code}
## edit /home/www/apache/conf/extra/httpd-ssl.conf and alter the following directives:

...


{code

...

}
# points to directory for static html files
DocumentRoot "/home/www/apache/htdocs"
# the servername of the server
# NOTE(review): gybe.mit.edu and map-support@mit.edu below are one particular
# server's values — replace them with this host's.
ServerName gybe.mit.edu:443
# the admins of this server
ServerAdmin map-support@mit.edu
# error log file
ErrorLog /home/www/apache/logs/error_log
# access log file
TransferLog /home/www/apache/logs/access_log
# public server certificate
# NOTE(review): the certificate steps above write under /home/www/ssl, while
# the four paths below use /usr/local/ssl — confirm which tree Apache reads.
SSLCertificateFile /usr/local/ssl/certs/gybe.mit.edu.pem
# private server certificate (the key file; must stay readable by root only)
SSLCertificateKeyFile /usr/local/ssl/private/https-key.pem
#certificate path
SSLCACertificatePath /usr/local/ssl/certs
# certificate authority key
SSLCACertificateFile /usr/local/ssl/certs/mitCA.pem

# Every client must present a certificate chaining to the CA above; with
# "require", a browser without an MIT personal certificate cannot connect.
SSLVerifyClient require
SSLVerifyDepth

...

 10
{code}
##* Set the allow/deny line of the "<Directory />" section from "Deny from all" to "Allow from all" while you are testing the SSL configuration.

...


## add the following after the '<Directory "/home/www/apache/cgi-bin">' block in /home/www/apache/conf/extras/httpd-ssl.conf

...


{code

...

}
# +StdEnvVars exports the usual SSL_* variables to CGI/PHP; +ExportCertData
# additionally exports the client and server certificates themselves
# (SSL_CLIENT_CERT / SSL_SERVER_CERT), presumably what the applications use
# to identify the certificate holder — confirm against the app code.
SSLOptions +StdEnvVars +ExportCertData

...


{code}
# Setup the home and init scripts, and link them into runlevels
{code}
# Install the login-time environment script and make it executable but
# read-only for everyone (a+rx,a-w); every interactive shell sources
# /etc/profile.d/*, so nobody but root should be able to alter it.
cp /root/apache_home.sh /etc/profile.d/
chmod a+rx,a-w /etc/profile.d/apache_home.sh

...


{code}
## edit the variables in the top section of the web file to use the directories and binaries that are correct for this system
## be certain to check whether apache uses an httpdctl or apachectl starter program (usually found in /home/www/apache/bin), and set the apachectl variable accordingly

...


## set web to be executable

...


{code

...

}
# Make the init script executable and read-only for everyone (root can still
# edit it); it runs as root at boot, so it must not be writable by others.
chmod a+rx,a-w /etc/init.d/web

...


{code}
## link startweb and stopweb to the web program, from wherever it is located, and link start scripts in /etc/init.d:

...


{code

...

}
# Convenience links for root plus the SysV run-level links: the web service
# gets a kill link (K15) in every run level and a start link (S15) in the
# multi-user levels 2-5.
# NOTE(review): levels 2-5 end up with both a K15 and an S15 link, which is
# unusual for SysV; presumably the web script copes — confirm with chkconfig.
web_init=/etc/init.d/web
ln -s "$web_init" /root/startweb
ln -s "$web_init" /root/stopweb
for level in 1 2 3 4 5 6; do
  ln -s "$web_init" "/etc/rc.d/rc${level}.d/K15web"
done
for level in 2 3 4 5; do
  ln -s "$web_init" "/etc/rc.d/rc${level}.d/S15web"
done

...


{code}
# update paths in /etc/profile, by adding the following line in the path manipulation code block (you can find it by searching for /usr/local/sbin)

...


{code

...

}
# Lines to add to the PATH-building block of /etc/profile (next to its
# existing /usr/local/sbin entry); pathmunge is /etc/profile's own helper
# that appends a directory to PATH if it is not already present.
pathmunge /usr/local/bin
        pathmunge /usr/kerberos/bin

...


{code}
# To start and stop tomcat and apache, use the initialization scripts in /etc/init.d.  Be certain to leave them running when you are finished.

...


#* starting
{code}
# Start Apache through the init script — the same entry point the run-level
# links use.  Leave it running when you are finished.
/etc/init.d/web start

...


{code}
#* stopping
{code}
# Stop Apache through the init script.
/etc/init.d/web stop
{code}