Page History

...

Note:

...

These

...

directions

...

are

...

not

...

complete,

...

and

...

may

...

contain

...

errors.

...

If

...

you

...

encounter

...

an

...

omission

...

or

...

error,

...

please

...

correct

...

this

...

document.

...

1. Request

...

1. Server

...

1. Ops

...

1. setup

...

1. the

...

1. standard

...

1. system

...

1. user

...

1. configuration

...

1. on

...

1. this

...

1. system.

...

1. This

...

1. will

...

1. include

...

1. groups

...

1. and

...

1. system

...

1. users

...

1. for

...

1. logs,

...

1. www,

...

1. and

...

1. db.

...

2. Download

...

1. the

...

1. following

...

1. software

...

1. from

...

1. the

...

1. ISDA

...

1. software

...

1. repository

...

1. onto

...

1. the

...

1. system

...

1. being

...

1. configured:

...

1. Code Block

...

1. httpd-2.2.4.tar.gz php-5.2.3.tar.gz MySQL/MySQL-*community-5.0.45-0.rhel4.i386.rpm MySQL/my.cnf mod_authz_mitgroup/mod_authz_mitgroup_rhel4.c apache_home.sh web

...

1. • If this is a RHEL 5 system, use the native Apache and PHP installs. Link the config directories into place. Download these additional RPMs.

     Code Block

     mkdir /home/www/apache-2.2.3 ln -s /home/www/apache-2.2.3 /home/www/apache scp -r root@trogdor:/opt/software-repository-tmp/Apache/config-files/conf \ root@trogdor:/opt/software-repository-tmp/Apache/config-files/logs \ root@trogdor:/opt/software-repository-tmp/Apache/config-files/htdocs \ root@trogdor:/opt/software-repository-tmp/Apache/config-files/icons \ root@trogdor:/opt/software-repository-tmp/Apache/config-files/man* \ /home/www/apache chown -R www:www /home/www mv /etc/httpd /etc/httpd.bak ln -s /home/www/apache /etc/httpd ln -s /usr/lib64/httpd/modules /home/www/apache/modules

...

2. If the current version of MySQL is below 5.0,

...

1. or

...

1. if

...

1. MySQL

...

1. is

...

1. not

...

1. installed,

...

1. update

...

1. it

...

1. to

...

1. a

...

1. recent

...

1. version.

...

1. 1. Download

...

1. 1. the

...

1. 1. needed

...

1. 1. packages

...

1. 1. for

...

1. 1. RHEL

...

1. 1. 4

...

1. 1. or

...

1. 1. 5.

...

1. 1. • RHEL

...

1. 1. • 5

...

1. 1. • Code Block

...

1. 1. • mkdir /home/db/tmp cd /home/db/tmp scp root@trogdor:/opt/software-repository-tmp/MySQL/MySQL-client-community-5.0.45-0.rhel5.i386.rpm \ root@trogdor:/opt/software-repository-tmp/MySQL/MySQL-server-community-5.0.45-0.rhel5.i386.rpm \ root@trogdor:/opt/software-repository-tmp/MySQL/MySQL-shared-community-5.0.45-0.rhel5.i386.rpm \ root@trogdor:/opt/software-repository-tmp/MySQL/MySQL-shared-compat-5.0.45-0.rhel5.i386.rpm \ root@trogdor:/opt/software-repository-tmp/MySQL/MySQL-test-community-5.0.45-0.rhel5.i386.rpm \ root@trogdor:/opt/software-repository-tmp/MySQL/perl-DBI-1.52-1.fc6.i386.rpm \ root@trogdor:/opt/software-repository-tmp/MySQL/my.cnf \ /home/db/tmp

...

1. 1. • RHEL 4

        Code Block

        mkdir /home/db/tmp cd /home/db/tmp scp root@trogdor:/opt/software-repository-tmp/MySQL/MySQL-client-community-5.0.45-0.rhel4.i386.rpm \ root@trogdor:/opt/software-repository-tmp/MySQL/MySQL-server-community-5.0.45-0.rhel4.i386.rpm \ root@trogdor:/opt/software-repository-tmp/MySQL/MySQL-shared-community-5.0.45-0.rhel4.i386.rpm \ root@trogdor:/opt/software-repository-tmp/MySQL/MySQL-shared-compat-5.0.45-0.rhel4.i386.rpm \ root@trogdor:/opt/software-repository-tmp/MySQL/MySQL-test-community-5.0.45-0.rhel4.i386.rpm \ root@trogdor:/opt/software-repository-tmp/MySQL/perl-DBI-1.52-1.fc6.i386.rpm \ root@trogdor:/opt/software-repository-tmp/MySQL/my.cnf \ /home/db/tmp

...

1. 2. Stop the MySQL server if it is running, remove the old version, and install the new one.
      • RHEL 4

        Code Block

        /etc/init.d/mysql stop rpm \-ev cyrus-sasl-sql-2.1.19-5.EL4.i386 rpm \-ev dovecot-0.99.11-4.EL4.i386 rpm \-ev mysql-4.1.20-1.RHEL4.1.i386 rpm \-ev mysqlclient10-3.23.58-4.RHEL4.1.i386 rpm \-ivh MySQL-client-community-5.0.45-0.rhel4.i386.rpm rpm \-ivh MySQL-test-community-5.0.45-0.rhel4.i386.rpm rpm \-ivh MySQL-devel-community-5.0.45-0.rhel4.i386.rpm rpm \-ivh MySQL-server-community-5.0.45-0.rhel4.i386.

...

1. 1. • rpm

      • RHEL 5

        Code Block

        /etc/init.d/mysql stop rpm \-ev cyrus-sasl-sql-2.1.19-5.EL4.i386 rpm \-ev dovecot-0.99.11-4.EL4.i386 rpm \-ev mysql-4.1.20-1.RHEL4.1.i386 rpm \-ev mysqlclient10-3.23.58-4.RHEL4.1.i386 rpm \-ivh perl-DBI-1.52-1.fc6.i386.rpm rpm \-ivh MySQL-client-community-5.0.45-0.rhel5.i386.rpm rpm \-ivh MySQL-test-community-5.0.45-0.rhel5.i386.rpm rpm \-ivh MySQL-devel-community-5.0.45-0.rhel5.i386.rpm rpm \-ivh MySQL-server-community-5.0.45-0.rhel5.i386.rpm

...

2. Stop the MySQL server and reconfigure my.cnf.

...

1. The

...

1. MySQL

...

1. server

...

1. startups

...

1. as

...

1. part

...

1. of

...

1. the

...

1. rpm

...

1. install

...

1. process.

...

1. Code Block

...

1. /etc/init.d/mysql stop mv /var/lib/mysql /home/db chown \-R db:db /home/db cd /etc/ cp /root/my.cnf . /etc/init.d/mysql start

...

1. • Be certain to use the my.cnf

...

1. • file

...

1. • from

...

1. • the

...

1. • ISDA

...

1. • software

...

1. • repository,

...

1. • as

...

1. • it

...

1. • sets

...

1. • the

...

1. • database

...

1. • user

...

1. • to

...

1. • be

...

1. • 'db'

...

1. • (and

...

1. • not

...

1. • the

...

1. • default

...

1. • 'mysql'),

...

1. • and

...

1. • put

...

1. • the

...

1. • home

...

1. • and

...

1. • data

...

1. • directories

...

1. • into

...

1. • /home/db.

...

2. Install

...

1. OpenSSL

...

1. and

...

1. setup

...

1. certificates.

...

1. • If

...

1. • the

...

1. • version

...

1. • of

...

1. • OpenSSL

...

1. • is

...

1. • greater

...

1. • the

...

1. • 0.9.8,

...

1. • skip

...

1. • the

...

1. • install

...

1. • step.

...

1. • Code Block

...

1. • openssl

...

1. • version

   • Install OpenSSL,

...

1. • if

...

1. • needed.

...

1. • Code Block

...

1. • mkdir /home/www/tmp cd /home/www/tmp tar \-xzvf /root/openssl-0.9.8a.tar.gz cd openssl-0.9.8a ./config \--prefix=/home/www/ssl \--openssldir=/home/www/ssl make make install

...

2. Setup certificates
   1. get the mitca at http://ca.mit.edu/mitClient.crt

...

1. 1. and

...

1. 1. save

...

1. 1. it

...

1. 1. as

...

1. 1. /usr/local/ssl/certs/mitClient.crt

...

1. 2. convert

...

1. 1. mitCA.crt

...

1. 1. to

...

1. 1. pem

...

1. 1. format:

...

1. 1. Code Block

...

1. 1. openssl x509 \-in /home/www/ssl/certs/mitClient.crt \-inform DER \-outform PEM \-out /home/www/ssl/certs/mitCA.pem

...

1. 2. Generate rsa key.

...

1. 1. This

...

1. 1. simply

...

1. 1. generates

...

1. 1. some

...

1. 1. random

...

1. 1. stuff:

...

1. 1. Code Block

...

1. 1. ps > /tmp/foo ps \-elf >> /tmp/foo openssl genrsa \-rand /tmp/foo 1024 >/home/www/ssl/private/`hostname`-key.pem

...

1. 2. Generate request for a certificatecd /home/www/ssl/bin

...

1. 1. Code Block

...

1. 1. openssl req \-key /home/www/ssl/private/`hostname`-key.pem \-new \

...

1. 1. >/home/www/ssl/certs/`hostname`-req.pem

...

1. 1. send

...

1. 1. the

...

1. 1. file

...

1. 1. /usr/local/ssl/certs/`hostname`-req.pem

...

1. 1. to

...

1. 1. mitcert@mit.edu,

...

1. 1. • Please

...

1. 1. • be

...

1. 1. • aware,

...

1. 1. • the

...

1. 1. • organization

...

1. 1. • (O)

...

1. 1. • is

...

1. 1. • Massachusetts

...

1. 1. • Institute

...

1. 1. • of

...

1. 1. • Technology

...

1. 1. • and

...

1. 1. • the

...

1. 1. • common

...

1. 1. • name

...

1. 1. • (CN)

...

1. 1. • is

...

1. 1. • the

...

1. 1. • name

...

1. 1. • of

...

1. 1. • the

...

1. 1. • server

...

1. 1. • or

...

1. 1. • service,

...

1. 1. • including

...

1. 1. • the

...

1. 1. • domain

...

1. 1. • name

...

1. 1. • (.mit.edu).

...

1. 1. •   Also,

...

1. 1. • some

...

1. 1. • servers,

...

1. 1. • such

...

1. 1. • as

...

1. 1. • Thalia

...

1. 1. • servers,

...

1. 1. • can

...

1. 1. • represent

...

1. 1. • an

...

1. 1. • entire

...

1. 1. • subdomain.

...

1. 1. •   These

...

1. 1. • servers

...

1. 1. • will

...

1. 1. • need

...

1. 1. • certificates

...

1. 1. • issued

...

1. 1. • with

...

1. 1. • a

...

1. 1. • wildcard

...

1. 1. • in

...

1. 1. • the

...

1. 1. • domain

...

1. 1. • name,

...

1. 1. • such

...

1. 1. • as

...

1. 1. • *.isda-thalia-1.mit.edu.

...

1. 1. • Wiki Markup
        Remember, if the server is a Thalia server, if will need a wildcard certificate and DNS record for \*.\[hostname\], and if it is doing any type of authentication, it will need a joint client/server certificate to be able to connect to the Shibboleth server (and have end users connect to it as well).

...

1. 2. To

...

1. 1. generate

...

1. 1. a

...

1. 1. self

...

1. 1. signed

...

1. 1. temporary

...

1. 1. certificate,

...

1. 1. add

...

1. 1. the

...

1. 1. x509

...

1. 1. and

...

1. 1. nodes

...

1. 1. options

...

1. 1. to

...

1. 1. the

...

1. 1. openssl

...

1. 1. command

...

1. 1. line.

...

1. 1. Code Block

...

1. 1. cd /home/www/ssl/bin openssl req \-key /home/www/ssl/private/`hostname`-key.pem \-new \ \-x509 \-nodes >/home/www/ssl/certs/`hostname`-temp.cert

...

1. 2. When you receive a certificate from MIT Certificates, save it as /home/www/ssl/certs/`hostname`-cert.pem

...

1. 1. • to

...

1. 1. • look

...

1. 1. • at

...

1. 1. • a

...

1. 1. • request:

...

1. 1. • Code Block

...

1. 1. • openssl req \-in ./req.pem \-text

...

1. 1. • to look at the private key:

        Code Block
        openssl rsa \-in /home/www/ssl/private/`hostname`-key.pem \-text

...

1. 1. • to look at the server certificate:

        Code Block
        openssl x509 \-in /home/www/ssl/certs/`hostname`-cert.pem \-text

...

2. Install Apache.

...

1. If

...

1. you

...

1. are

...

1. using

...

1. RHEL

...

1. 5,

...

1. skip

...

1. this

...

1. step.

...

1. Code Block

...

1. cd /home/www/tmp tar \-xzvf /root/httpd-2.2.4.tar.gz cd httpd-2.2.4 ./configure \--prefix=/home/www/apache-2.2.4 \--enable-ssl \

...

1. \--with-ssl=/home/www/ssl \

...

1. \--enable-modules="most mod_rewrite" \--enable-so make make install ln \-s /home/www/apache-2.2.4 /home/www/apache

...

2. Set up PHP.

...

1. If

...

1. you

...

1. are

...

1. using

...

1. RHEL

...

1. 5,

...

1. skip

...

1. this

...

1. step.

...

1. Code Block

...

1. cd /home/www/tmp tar \-xzvf /root/php-5.2.3.tar.gz cd php-5.2.3 ./configure \--with-mysql \--with-kerberos=/usr/kerberos \--prefix=/home/www/php-5.2.0 \--with-apxs2=/home/www/apache-2.2.4/bin/apxs \

...

1. \--enable-fastcgi \--enable-magic-quotes \--with-openssl \--with-mysql-sock=/home/db/mysql/mysql.sock \--with-mysqli \--enable-sockets \--enable-soap \

...

1. \--with-openssl-dir=/home/www/ssl \--with-pear=/usr/share/pear make make install ln \-s php-5.2.0 php

...

2. Configure Apache
   1. edit /home/www/apache/conf/httpd.conf

...

1. 1. • edit

...

1. 1. • the

...

1. 1. • following

...

1. 1. • directives:

...

1. 1. • Code Block

...

1. 1. • ServerRoot "/home/www/apache" # change to apache home directory User www # change from daemon Group www # change from daemon Include conf/extra/httpd-vhosts.conf # Uncomment Include conf/extra/httpd-ssl.conf # Uncomment

...

1. 1. • add to /home/www/apache/conf/httpd.conf,

...

1. 1. • and

...

1. 1. • the

...

1. 1. • bottom

...

1. 1. • of

...

1. 1. • the

...

1. 1. • other

...

1. 1. • includes:

...

1. 1. • Code Block

...

1. 1. • # PHP module includes LoadModule php5_module modules/libphp5.so AddHandler php5-script .php AddType text/html .php DirectoryIndex index.php \#AddType application/x-httpd-php-source .phps

...

1. 2. edit /home/www/apache/conf/extra/httpd-vhosts.conf

...

1. 1. to

...

1. 1. have

...

1. 1. ONLY

...

1. 1. one

...

1. 1. of

...

1. 1. the

...

1. 1. following

...

1. 1. VirtualHost

...

1. 1. blocks:

...

1. 1. Code Block

...

1. 1. <VirtualHost \*:80>

...

1. 1. RewriteEngine On

...

1. 1. RewriteRule \^/(.*)

...

1. 1. [https://finniganfen.mit.edu/$1] [L,R] </VirtualHost>

...

1. 1. • To prevent some web pages from being redirected to https, add an escape clause between "RewriteEngine On" and the RewriteRule:

        Code Block
        RewriteCond % {REQUEST_URI}

...

1. 1. • \!/WarehouseService

...

1. 2. edit /home/www/apache/conf/extra/httpd-ssl.conf

...

1. 1. and

...

1. 1. alter

...

1. 1. the

...

1. 1. following

...

1. 1. directives:

...

1. 1. Code Block

...

1. 1. # points to directory for static html files DocumentRoot "/home/www/apache/htdocs" # the servername of the server ServerName gybe.mit.edu:443 # the admins of this server ServerAdmin map-support@mit.edu # error log file ErrorLog /home/www/apache/logs/error_log # access log file TransferLog /home/www/apache/logs/access_log # public server certificate SSLCertificateFile /usr/local/ssl/certs/gybe.mit.edu.pem # private server certificate SSLCertificateKeyFile /usr/local/ssl/private/https-key.pem \#certificate path SSLCACertificatePath /usr/local/ssl/certs # certificate authority key SSLCACertificateFile /usr/local/ssl/certs/mitCA.pem SSLVerifyClient require SSLVerifyDepth 10

...

1. 1. • Set the allow and deny line for "<Directory />"

...

1. 1. • section

...

1. 1. • from

...

1. 1. • "Deny

...

1. 1. • from

...

1. 1. • all"

...

1. 1. • to

...

1. 1. • "Allow

...

1. 1. • from

...

1. 1. • all"

...

1. 1. • if

...

1. 1. • you

...

1. 1. • are

...

1. 1. • testing

...

1. 1. • the

...

1. 1. • SSL

...

1. 1. • configuration.

...

1. 2. add

...

1. 1. the

...

1. 1. following

...

1. 1. after

...

1. 1. the

...

1. 1. '<Directory

...

1. 1. "/home/www/apache/cgi-bin">'

...

1. 1. block

...

1. 1. in

...

1. 1. /home/www/apache/conf/extras/httpd-ssl.conf

...

1. 1. Code Block

...

1. 1. SSLOptions \+StdEnvVars \+ExportCertData

...

2. Setup the home and init scripts, and link them into runlevels

   Code Block
   cp /root/apache_home.sh /etc/profile.d/ chmod a+rx,a-w /etc/profile.d/apache_home.sh

...

1. 1. edit the variables in the top section of the web file to use the directories and binaries correct for this system
   2. be certain to check if apache is using a httpdctl or apachectl starter program, usually contained in /home/www/apache/bin,

...

1. 1. and

...

1. 1. set

...

1. 1. the

...

1. 1. apachectl

...

1. 1. variable

...

1. 1. accordingly

...

1. 2. set

...

1. 1. web

...

1. 1. to

...

1. 1. be

...

1. 1. executable

...

1. 1. Code Block

...

1. 1. chmod a+rx,a-w /etc/init.d/web

...

1. 2. link startweb and stopweb to the web program, from wherever it is located, and link start scripts in /etc/init.d:

...

1. 1. Code Block

...

1. 1. ln \-s /etc/init.d/web /root/startweb ln \-s /etc/init.d/web /root/stopweb ln \-s /etc/init.d/web /etc/rc.d/rc1.d/K15web ln \-s /etc/init.d/web /etc/rc.d/rc2.d/K15web ln \-s /etc/init.d/web /etc/rc.d/rc3.d/K15web ln \-s /etc/init.d/web /etc/rc.d/rc4.d/K15web ln \-s /etc/init.d/web /etc/rc.d/rc5.d/K15web ln \-s /etc/init.d/web /etc/rc.d/rc6.d/K15web ln \-s /etc/init.d/web /etc/rc.d/rc2.d/S15web ln \-s /etc/init.d/web /etc/rc.d/rc3.d/S15web ln \-s /etc/init.d/web /etc/rc.d/rc4.d/S15web ln \-s /etc/init.d/web /etc/rc.d/rc5.d/S15web

...

2. update paths in /etc/profile,

...

1. by

...

1. adding

...

1. the

...

1. following

...

1. line

...

1. in

...

1. the

...

1. path

...

1. manipulation

...

1. code

...

1. block

...

1. (you

...

1. can

...

1. find

...

1. it

...

1. by

...

1. searching

...

1. for

...

1. /usr/local/sbin)

...

1. Code Block

...

1. pathmunge /usr/local/bin

...

1. pathmunge /usr/kerberos/bin

...

2. To start and stop tomcat and apache, use the initialization scripts in /etc/init.d.

...

1. Be

...

1. certain

...

1. to

...

1. leave

...

1. them

...

1. running

...

1. when

...

1. you

...

1. are

...

1. finished.

...

1. • starting

     Code Block
     /etc/init.d/web start

...

1. • stopping

     Code Block
     /etc/init.d/web stop