Note: These directions are not complete, and may contain errors. If you encounter an omission or error, please correct this document.

- Request Server Ops set up the standard system user configuration on this system. This will include groups and system users for logs, www, and db.
- Download the following software from the ISDA software repository onto the system being configured:

```
httpd-2.2.4.tar.gz
php-5.2.3.tar.gz
MySQL/MySQL-*community-5.0.45-0.rhel4.i386.rpm
MySQL/my.cnf
mod_authz_mitgroup/mod_authz_mitgroup_rhel4.c
apache_home.sh
web
```

- If this is a RHEL 5 system, use the native Apache and PHP installs. Link the config directories into place. Download these additional RPMs.

```
mkdir /home/www/apache-2.2.3
ln -s /home/www/apache-2.2.3 /home/www/apache
scp -r root@trogdor:/opt/software-repository-tmp/Apache/config-files/conf \
    root@trogdor:/opt/software-repository-tmp/Apache/config-files/logs \
    root@trogdor:/opt/software-repository-tmp/Apache/config-files/htdocs \
    root@trogdor:/opt/software-repository-tmp/Apache/config-files/icons \
    root@trogdor:/opt/software-repository-tmp/Apache/config-files/man* \
    /home/www/apache
chown -R www:www /home/www
mv /etc/httpd /etc/httpd.bak
ln -s /home/www/apache /etc/httpd
ln -s /usr/lib64/httpd/modules /home/www/apache/modules
```

- If the current version of MySQL is below 5.0, or if MySQL is not installed, update it to a recent version. Download the needed packages for RHEL 4 or 5.
  - RHEL 5

```
mkdir /home/db/tmp
cd /home/db/tmp
scp root@trogdor:/opt/software-repository-tmp/MySQL/MySQL-client-community-5.0.45-0.rhel5.i386.rpm \
    root@trogdor:/opt/software-repository-tmp/MySQL/MySQL-server-community-5.0.45-0.rhel5.i386.rpm \
    root@trogdor:/opt/software-repository-tmp/MySQL/MySQL-shared-community-5.0.45-0.rhel5.i386.rpm \
    root@trogdor:/opt/software-repository-tmp/MySQL/MySQL-shared-compat-5.0.45-0.rhel5.i386.rpm \
    root@trogdor:/opt/software-repository-tmp/MySQL/MySQL-test-community-5.0.45-0.rhel5.i386.rpm \
    root@trogdor:/opt/software-repository-tmp/MySQL/perl-DBI-1.52-1.fc6.i386.rpm \
    root@trogdor:/opt/software-repository-tmp/MySQL/my.cnf \
    /home/db/tmp
```

  - RHEL 4

```
mkdir /home/db/tmp
cd /home/db/tmp
scp root@trogdor:/opt/software-repository-tmp/MySQL/MySQL-client-community-5.0.45-0.rhel4.i386.rpm \
    root@trogdor:/opt/software-repository-tmp/MySQL/MySQL-server-community-5.0.45-0.rhel4.i386.rpm \
    root@trogdor:/opt/software-repository-tmp/MySQL/MySQL-shared-community-5.0.45-0.rhel4.i386.rpm \
    root@trogdor:/opt/software-repository-tmp/MySQL/MySQL-shared-compat-5.0.45-0.rhel4.i386.rpm \
    root@trogdor:/opt/software-repository-tmp/MySQL/MySQL-test-community-5.0.45-0.rhel4.i386.rpm \
    root@trogdor:/opt/software-repository-tmp/MySQL/perl-DBI-1.52-1.fc6.i386.rpm \
    root@trogdor:/opt/software-repository-tmp/MySQL/my.cnf \
    /home/db/tmp
```

- Stop the MySQL server if it is running, remove the old version, and install the new one.
  - RHEL 4

```
/etc/init.d/mysql stop
rpm -ev cyrus-sasl-sql-2.1.19-5.EL4.i386
rpm -ev dovecot-0.99.11-4.EL4.i386
rpm -ev mysql-4.1.20-1.RHEL4.1.i386
rpm -ev mysqlclient10-3.23.58-4.RHEL4.1.i386
rpm -ivh MySQL-client-community-5.0.45-0.rhel4.i386.rpm
rpm -ivh MySQL-test-community-5.0.45-0.rhel4.i386.rpm
rpm -ivh MySQL-devel-community-5.0.45-0.rhel4.i386.rpm
rpm -ivh MySQL-server-community-5.0.45-0.rhel4.i386.rpm
```

  - RHEL 5

```
/etc/init.d/mysql stop
rpm -ev cyrus-sasl-sql-2.1.19-5.EL4.i386
rpm -ev dovecot-0.99.11-4.EL4.i386
rpm -ev mysql-4.1.20-1.RHEL4.1.i386
rpm -ev mysqlclient10-3.23.58-4.RHEL4.1.i386
rpm -ivh perl-DBI-1.52-1.fc6.i386.rpm
rpm -ivh MySQL-client-community-5.0.45-0.rhel5.i386.rpm
rpm -ivh MySQL-test-community-5.0.45-0.rhel5.i386.rpm
rpm -ivh MySQL-devel-community-5.0.45-0.rhel5.i386.rpm
rpm -ivh MySQL-server-community-5.0.45-0.rhel5.i386.rpm
```

- Stop the MySQL server and reconfigure my.cnf. The MySQL server starts up as part of the rpm install process.

```
/etc/init.d/mysql stop
mv /var/lib/mysql /home/db
chown -R db:db /home/db
cd /etc/
cp /root/my.cnf .
/etc/init.d/mysql start
```

- Be certain to use the my.cnf file from the ISDA software repository, as it sets the database user to be 'db' (and not the default 'mysql'), and puts the home and data directories into /home/db.
- Install OpenSSL and set up certificates. If the version of OpenSSL is greater than 0.9.8, skip the install step.

```
openssl version
```

  - Install OpenSSL, if needed.

```
mkdir /home/www/tmp
cd /home/www/tmp
tar -xzvf /root/openssl-0.9.8a.tar.gz
cd openssl-0.9.8a
./config --prefix=/home/www/ssl --openssldir=/home/www/ssl
make
make install
```

- Set up certificates
  - Get the MIT CA at http://ca.mit.edu/mitClient.crt and save it as /usr/local/ssl/certs/mitClient.crt
  - Convert mitCA.crt to PEM format:

```
openssl x509 -in /home/www/ssl/certs/mitClient.crt -inform DER -outform PEM -out /home/www/ssl/certs/mitCA.pem
```

  - Generate the RSA key. This simply generates some random stuff to seed the generator:

```
ps > /tmp/foo
ps -elf >> /tmp/foo
openssl genrsa -rand /tmp/foo 1024 >/home/www/ssl/private/`hostname`-key.pem
```

  - Generate a request for a certificate:

```
cd /home/www/ssl/bin
openssl req -key /home/www/ssl/private/`hostname`-key.pem -new \
    >/home/www/ssl/certs/`hostname`-req.pem
```

  - Send the file /usr/local/ssl/certs/`hostname`-req.pem to mitcert@mit.edu. Please be aware, the organization (O) is Massachusetts Institute of Technology and the common name (CN) is the name of the server or service, including the domain name (.mit.edu). Also, some servers, such as Thalia servers, can represent an entire subdomain. These servers will need certificates issued with a wildcard in the domain name, such as *.isda-thalia-1.mit.edu.

Remember, if the server is a Thalia server, it will need a wildcard certificate and DNS record for *.[hostname], and if it is doing any type of authentication, it will need a joint client/server certificate to be able to connect to the Shibboleth server (and have end users connect to it as well).
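The O and CN rules above are easy to get wrong and a rejected request costs a round trip with mitcert@mit.edu, so here is an added pre-submission check (example shell code of my own, not from the ISDA page). It assumes the one-line subject printed by `openssl req -noout -subject` (both the OpenSSL 0.9.8 slash form and the newer comma form), and the `--wildcard` flag and the helper names are my own convention for marking a Thalia-style server that needs a `*.host` name.

```shell
#!/bin/sh
# Added example, not part of the ISDA page: sanity-check a certificate request's
# subject against the rules above (O must be MIT, CN must be a host under .mit.edu,
# wildcard CNs only for Thalia-style servers) before mailing it to mitcert@mit.edu.
# Assumed input: the one-line output of "openssl req -noout -subject", either the
# OpenSSL 0.9.8 form "subject=/C=US/O=.../CN=host" or the newer "C = US, O = ..." form.

REQUIRED_O="Massachusetts Institute of Technology"

# subject_field SUBJECT KEY: print the value of KEY (O, CN, ...) or nothing.
subject_field() {
    printf '%s\n' "$1" | awk -v key="$2" '
        { sub(/^subject= */, ""); sub(/^\//, "")
          n = split($0, parts, /\/|, /)
          for (i = 1; i <= n; i++) {
              eq = index(parts[i], "=")
              if (eq == 0) continue
              k = substr(parts[i], 1, eq - 1); v = substr(parts[i], eq + 1)
              gsub(/^ +| +$/, "", k); gsub(/^ +| +$/, "", v)
              if (k == key) { print v; exit }
          }
        }'
}

# check_csr_subject SUBJECT [--wildcard]: return 0 if the subject is acceptable.
# Pass --wildcard for a Thalia server, whose CN must be *.<hostname>.
check_csr_subject() {
    o=$(subject_field "$1" O)
    cn=$(subject_field "$1" CN)
    [ "$o" = "$REQUIRED_O" ] || { echo "bad O: '$o'" >&2; return 1; }
    case "$cn" in
        *.mit.edu) ;;
        *) echo "CN '$cn' is not under .mit.edu" >&2; return 1 ;;
    esac
    case "$cn" in
        \*.*) [ "$2" = "--wildcard" ] ||
                  { echo "wildcard CN '$cn' only for Thalia servers" >&2; return 1; } ;;
        *\**) echo "CN '$cn': wildcard must be the leftmost label" >&2; return 1 ;;
        *)    [ "$2" != "--wildcard" ] ||
                  { echo "Thalia server needs a *.host CN, got '$cn'" >&2; return 1; } ;;
    esac
}

# check_csr_file REQ.pem [--wildcard]: the same check on a real request file.
check_csr_file() {
    check_csr_subject "$(openssl req -noout -subject -in "$1")" "$2"
}

# Typical use on the server being configured:
#   check_csr_file /home/www/ssl/certs/`hostname`-req.pem
```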
  - To generate a self-signed temporary certificate, add the x509 and nodes options to the openssl command line.

```
cd /home/www/ssl/bin
openssl req -key /home/www/ssl/private/`hostname`-key.pem -new \
    -x509 -nodes >/home/www/ssl/certs/`hostname`-temp.cert
```

  - When you receive a certificate from MIT Certificates, save it as /home/www/ssl/certs/`hostname`-cert.pem
  - To look at a request:

```
openssl req -in ./req.pem -text
```

  - To look at the private key:

```
openssl rsa -in /home/www/ssl/private/`hostname`-key.pem -text
```

  - To look at the server certificate:

```
openssl x509 -in /home/www/ssl/certs/`hostname`-cert.pem -text
```

- Install Apache. If you are using RHEL 5, skip this step.

```
cd /home/www/tmp
tar -xzvf /root/httpd-2.2.4.tar.gz
cd httpd-2.2.4
./configure --prefix=/home/www/apache-2.2.4 --enable-ssl \
    --with-ssl=/home/www/ssl \
    --enable-modules="most mod_rewrite" --enable-so
make
make install
ln -s /home/www/apache-2.2.4 /home/www/apache
```

- Set up PHP. If you are using RHEL 5, skip this step.

```
cd /home/www/tmp
tar -xzvf /root/php-5.2.3.tar.gz
cd php-5.2.3
./configure --with-mysql --with-kerberos=/usr/kerberos --prefix=/home/www/php-5.2.0 --with-apxs2=/home/www/apache-2.2.4/bin/apxs \
    --enable-fastcgi --enable-magic-quotes --with-openssl --with-mysql-sock=/home/db/mysql/mysql.sock --with-mysqli --enable-sockets --enable-soap \
    --with-openssl-dir=/home/www/ssl --with-pear=/usr/share/pear
make
make install
ln -s php-5.2.0 php
```

- Configure Apache
  - Edit /home/www/apache/conf/httpd.conf and change the following directives (Apache does not allow trailing comments on a directive line, so the notes here are on their own lines):

```
# change to the apache home directory
ServerRoot "/home/www/apache"
# change from daemon
User www
# change from daemon
Group www
# uncomment
Include conf/extra/httpd-vhosts.conf
# uncomment
Include conf/extra/httpd-ssl.conf
```

  - Add to /home/www/apache/conf/httpd.conf, at the bottom of the other includes:

```
# PHP module includes
LoadModule php5_module modules/libphp5.so
AddHandler php5-script .php
AddType text/html .php
DirectoryIndex index.php
#AddType application/x-httpd-php-source .phps
```

  - Edit /home/www/apache/conf/extra/httpd-vhosts.conf to have ONLY one of the following VirtualHost blocks:

```
<VirtualHost *:80>
    RewriteEngine On
    RewriteRule ^/(.*) https://finniganfen.mit.edu/$1 [L,R]
</VirtualHost>
```

  - To prevent some web pages from being redirected to https, add an escape clause between "RewriteEngine On" and the RewriteRule:

```
RewriteCond %{REQUEST_URI} !/WarehouseService
```

  - Edit /home/www/apache/conf/extra/httpd-ssl.conf and alter the following directives:

```
# points to the directory for static html files
DocumentRoot "/home/www/apache/htdocs"
# the servername of the server
ServerName gybe.mit.edu:443
# the admins of this server
ServerAdmin map-support@mit.edu
# error log file
ErrorLog /home/www/apache/logs/error_log
# access log file
TransferLog /home/www/apache/logs/access_log
# public server certificate
SSLCertificateFile /usr/local/ssl/certs/gybe.mit.edu.pem
# private server key
SSLCertificateKeyFile /usr/local/ssl/private/https-key.pem
# certificate path
SSLCACertificatePath /usr/local/ssl/certs
# certificate authority certificate
SSLCACertificateFile /usr/local/ssl/certs/mitCA.pem
SSLVerifyClient require
SSLVerifyDepth 10
```

  - Set the allow and deny line for the "<Directory />" section from "Deny from all" to "Allow from all" if you are testing the SSL configuration.
  - Add the following after the '<Directory "/home/www/apache/cgi-bin">' block in /home/www/apache/conf/extras/httpd-ssl.conf:

```
SSLOptions +StdEnvVars +ExportCertData
```

- Set up the home and init scripts, and link them into runlevels

```
cp /root/apache_home.sh /etc/profile.d/
chmod a+rx,a-w /etc/profile.d/apache_home.sh
```

  - Edit the variables in the top section of the web file to use the directories and binaries correct for this system.
  - Be certain to check whether apache is using a httpdctl or apachectl starter program, usually contained in /home/www/apache/bin, and set the apachectl variable accordingly.
  - Set web to be executable:

```
chmod a+rx,a-w /etc/init.d/web
```

  - Link startweb and stopweb to the web program, from wherever it is located, and link the start scripts in /etc/init.d:

```
ln -s /etc/init.d/web /root/startweb
ln -s /etc/init.d/web /root/stopweb
ln -s /etc/init.d/web /etc/rc.d/rc1.d/K15web
ln -s /etc/init.d/web /etc/rc.d/rc2.d/K15web
ln -s /etc/init.d/web /etc/rc.d/rc3.d/K15web
ln -s /etc/init.d/web /etc/rc.d/rc4.d/K15web
ln -s /etc/init.d/web /etc/rc.d/rc5.d/K15web
ln -s /etc/init.d/web /etc/rc.d/rc6.d/K15web
ln -s /etc/init.d/web /etc/rc.d/rc2.d/S15web
ln -s /etc/init.d/web /etc/rc.d/rc3.d/S15web
ln -s /etc/init.d/web /etc/rc.d/rc4.d/S15web
ln -s /etc/init.d/web /etc/rc.d/rc5.d/S15web
```

  - Update paths in /etc/profile by adding the following lines in the path manipulation code block (you can find it by searching for /usr/local/sbin):

```
pathmunge /usr/local/bin
pathmunge /usr/kerberos/bin
```

- To start and stop tomcat and apache, use the initialization scripts in /etc/init.d. Be certain to leave them running when you are finished.
  - starting

```
/etc/init.d/web start
```

  - stopping

```
/etc/init.d/web stop
```