Versions Compared

Old Version 26

changes.mady.by.user J. Hunter Heinlen

Saved on

compared with

New Version Current

changes.mady.by.user J. Hunter Heinlen

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migration of unmigrated content due to installation of a new plugin

Wiki MarkupNote:    Next revision cycle, start building everything into
$HOME/\[app\]-\[version#\] and creating a symlink to $HOME/\[app\] so that there is
no question about what the current, in use, directory is.

Note: When downloading software to install in these instructions, always
download the source code, and avoid binary installers.  Binary installers tend
to make inaccurate assumptions about what libraries you have installed on your
system, as well as other problems.

1. download openssl 0.9.8a source from http://www.openssl.org/source/. follow
   the instruction in the INSTALL document, compile and install the
   binaries. the default location is /usr/local/ssl. If you want to change it,
   run config like this:

Code Block

cd /opt
tar -xzvf /root/openssl-0.9.8a.tar.gz
cd openssl-0.9.8a
./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl
make
make install

2. set up certificates:

  2a:  get the mitca at http://ca.mit.edu/mitClient.crt and save it as /usr/local/ssl/certs/mitClient.crt

  2b:  convert mitCA.crt to pem format:

Code Block

openssl x509 -in /usr/local/ssl/certs/mitClient.crt -inform DER -outform \
    PEM -out /usr/local/ssl/certs/mitCA.pem

  2c: Generate rsa key

      This simply generates some random stuff:

Code Block

ps > /tmp/foo
ps -elf >> /tmp/foo
cd /usr/local/ssl/bin
./openssl genrsa -rand /tmp/foo 1024 >/usr/local/ssl/private/`hostname`-key.pem

  2d: Generate request for a certificate

Code Block

cd /usr/local/ssl/bin
./openssl req -key /usr/local/ssl/private/`hostname`-key.pem -new \
   >../certs/`hostname`-req.pem

   send the file /usr/local/ssl/certs/`hostname`-req.pem to mitcert@mit.edu,

      Please be aware, the organization (O) is:
      Massachusetts Institute of Technology
      and the common name (CN) is the name of the server or
      service, including the domain name (.mit.edu).  Also, some servers, such
      as Thalia servers, can represent an entire subdomain.  These servers
      will need certificates issued with a wildcard in the domain name, such
      as *.isda-thalia-1.mit.edu.  

Wiki Markup
   Remember, if the server is a Thalia server, if will need a wildcard
   certificate and DNS record for \*.\[hostname\], and if it is doing any type of
   authentication, it will need a joint client/server certificate to be able
   to connect to the Shibboleth server (and have end users connect to it as
   well).

   2db. To generate a self signed temporary certificate, add the x509 and
        nodes options to the openssl command line.

Code Block

cd /usr/local/ssl/bin
./openssl req -key /usr/local/ssl/private/`hostname`-key.pem -new \
     -x509 -nodes >../certs/`hostname`-temp.cert

  2e:When you receive a certificate from MIT Certificates, save it as
      /usr/local/ssl/certs/`hostname`-cert.pem

  2f:  to look at a request:

Code Block

openssl req -in ./req.pem -text

       to look at the private key:

Code Block

openssl rsa -in /usr/local/ssl/private/`hostname`-key.pem -text

       to look at the server certificate:

Code Block

openssl x509 -in /usr/localx/ssl/certs/`hostname`-cert.pem -text

3.  Setup local directory structure and users.

  3a.  Setup the www user.

Code Block

groupadd www
useradd -g www -d /home/www -m -r -s /bin/bash www

     3aa.  Set the www user directory structure and copy the config files into place.

Code Block

mkdir /home/www/weblib
mkdir /home/www/etc
cp -a /root/weblib /home/www/weblib
scp -r root@trogdor.mit.edu:${REPOS_HOME}/System-configs/www-user/etc /home/www/etc
cp /root/map-dev-ws1-new-keytab /home/www/etc/krb/daemon.map-dev-ws1.krb5.keytab
chown -R www:www /home/www/etc
chmod a-w,o-rx,u+r /home/www/etc/krb/daemon.map-dev-ws1.krb5.keytab

     3ab. Make certain that the library files are put into their correct locations.

Code Block

scp -R  root@trogdor.mit.edu:${REPOS_HOME}/System-configs/www-userweblib /home/www/weblib/

  3b.  If needed (if this system is going to hold an Alfresco instance, or something similar), setup the repository user.

Code Block

groupadd repos
useradd -g dbusr -d /home/www -m -r -s /bin/bash repos

  3c.  If needed, setup the database user.

Code Block

groupadd dbuser
useradd -g dbusr -d /home/www -m -r -s /bin/bash dbusr

4 set up apache-ssl
  4a: download Apache 2.2.4 from apache archive site at
      http://archive.apache.org/dist/httpd/

  4b: Unpack apache 2.2.4 (tar -xzvf) and do "cd httpd-2.2.4"

Code Block

cd /opt
tar -xzvf /root/httpd-2.2.4.tar.gz
cd httpd-2.2.4

  4c. compile apache following the instruction in the INSTALL file.
      To enable the SSL, do the following:

Code Block

./configure --prefix=/home/www/apache-2.2.4 --enable-ssl \
  --with-ssl=/usr/local/ssl \
  --enable-modules="most mod_rewrite"
make
make install
ln -s /home/www/apache-2.2.4 /home/www/apache

5. set up mod-jk

  5a. download mod-jk 1.2.21 source (previous versions have a security hole
      that could allow a remote attacker to execute arbitary code) from
      http://tomcat.apache.org/connectors-doc/.

Code Block

cd /opt
tar -xzvf /root/tomcat-connectors-1.2.21-src.tar.gz
cd tomcat-connectors-1.2.21-src

  5b. build and install binaries according to BUILD.txt. apxs is at
      /home/www/apache/bin/apxs. mod_jk.so will be put at /home/www/apache/modules

Code Block

cd native
./configure --with-apxs=/home/www/apache/bin/apxs --enable-ssl
make
make install

6. install jdk 1.6 which is required by tomcat 5.5.25

   6a. download jdk 1.6 binary at
    http://java.sun.com/javase/downloads/index.jsp

   6b. You may need to set the binary file to be executable:

Code Block

chmod u+x,u-w jdk-6-linux-i586.bin

   6c. execute the binary installer as root.  If it produces a rpm file,
       use rpm -ivh to install it.  If you downloaded the straight binary
       installer, move to a directory with installed software, such as
       /usr/local.  Also, you will need to page through a licensing agreement
       and type yes to accept it.

Code Block

cd /usr/local
/root/jdk-6-linux-i586.bin

       or

Code Block

./jdk-6-linux-i586-rpm.bin
rpm -ivh jdk-6-linux-i586

   6d. create a file in /etc/profile.d named java_home.sh.  It should contain
        a line exporting a variable pointing to the Java home directory.  Then
        make this file world executable.:

Code Block

cat > /etc/profile.d/java_home.sh
export JAVA_HOME=/usr/local/jdk1.6.0
^C
chmod a+xr,a-w /etc/profile.d/java_home.sh

7. install the SASH Server   NOTE:  These instructions are written assuming version 2.0.4-BETA of the SASH Server, but this version is not officially supported.  We are waiting on version 2.0.4 to become officially supported.

   7a. download sash-server-2.0.4-BETA.tar.gz from: https://portal.sourcelabs.com/?module=downloadYou will need to register and login to the web site to be able to
         download the SASH Server.  Also, copy the sashsrv.conf mkInstance, modify-instance-file.sh and mit-worker-consolidater.sh out of the ISDA repository and onto the
         machine.

   7b. unzip and untar (gunzip , tar -xvf) into your working
       directory, such as /home

Code Block

cd /home/www
tar -xzvf /root/sash-server-2.0.4-BETA.tar.gz
ln -s sash-server-2.0.4-BETA sash-server
cd sash-server-2.0.4-BETA

...

Note: Java/JMX depends upon RPC/Portmap to manage its connections. This means that iptable firewalls need to take this into account. Port 8900-8999 should be set to only allow connections from localhost, and all high numbered ports should only accept connections from the local classful network (18.0.0.0/8 in the case of MIT).

  1. Setup local directory structure and users.
    1. Setup the www user.
      Code Block
      
groupadd www
useradd -g www -d /home/www -m -r -s /bin/bash www
    2. Add the logs user.
      Code Block
      
groupadd logs
useradd -g logs -d /home/logs -m -r -s /bin/bash logs
      • Set the www user directory structure and copy the config files into place.
        Code Block
        
mkdir /home/www/weblib
mkdir /home/www/etc
mkdir /home/www/etc/krb
cp -a /home/root/weblib /home/www/weblib
scp -r root@trogdor.mit.edu:${REPOS_HOME}/System-configs/www-user/etc /home/www/etc
cp /root/map-dev-ws1-new-keytab /home/www/etc/krb/daemon.map-dev-ws1.krb5.keytab
chown -R www:www /home/www/etc
chmod a-w,o-rx,u+r /home/www/etc/krb/daemon.map-dev-ws1.krb5.keytab
      • Make certain that the library files are put into their correct locations.
        Code Block
        
scp -r root@trogdor.mit.edu:${REPOS_HOME}/System-configs/www-user/weblib /home/www/weblib/
    3. If needed (if this system is going to hold an Alfresco instance, or something similar), setup the repository user.
      Code Block
      
groupadd repos
useradd -g repos -d /home/repos -m -r -s /bin/bash repos
    4. If needed, setup the database user.
      Code Block
      
groupadd db
useradd -g db -d /home/db -m -r -s /bin/bash db
      • The logs user is intended to allow developers access to log and configuration files without granting root access. Change the group ownership of any file that developers will need non-root access to to be owned by the logs user, and chmod those files to be group readable.
  2. Then, check the version of openssl already installed with the OS.
    Code Block
    
openssl version
    1. If the version is lower then 0.9.8a, or if it is not installed, download openssl 0.9.8a source from http://www.openssl.org/source/. follow the instruction in the INSTALL document, compile and install the binaries. the default location is /usr/local/ssl, but we need to use /home/www/ssl. If you want to change it, run config like this:
      Code Block
      
cd /home/www/tmp
tar -xzvf /home/www/tmp/openssl-0.9.8a.tar.gz
cd openssl-0.9.8a
./config --prefix=/home/www/ssl --openssldir=/home/www/ssl
make
make install
  3. Set up certificates. If using the local version of SSL, put them into /tmp/ssl, and copy them to the Apache conf directory during the config:
    1. Create the SSL directories.
      Code Block
      
mkdir /home/www/ssl
mkdir /home/www/ssl/certs
mkdir /home/www/ssl/private
chown -R www:www /home/www/ssl
    2. get the mitca at http://ca.mit.edu/mitClient.crt and save it as /home/www/ssl/certs/mitClient.crt
    3. convert mitCA.crt to pem format:
      Code Block
      
openssl x509 -in /home/www/ssl/certs/mitClient.crt -inform DER -outform \
    PEM -out /home/www/ssl/certs/mitCA.pem
    4. Generate rsa key
      • This simply generates some random stuff:
        Code Block
        
ps > /tmp/foo
ps -elf >> /tmp/foo
cd /home/www/ssl
openssl genrsa -rand /tmp/foo 1024 >/home/www/ssl/private/`hostname`-key.pem
    5. Generate request for a certificate
      Code Block
      
cd /home/www/ssl/
openssl req -key /home/www/ssl/private/`hostname`-key.pem -new \
   >/home/www/ssl/certs/`hostname`-req.pem
      ##*send the file /home/www/ssl/certs/`hostname`-req.pem to mitcert@mit.edu,
      Code Block
      
Please be aware, the organization (O) is:
Massachusetts Institute of Technology
and the common name (CN) is the name of the server or
service, including the domain name (.mit.edu).  Also, some servers, such
as Thalia servers, can represent an entire subdomain.  These servers
will need certificates issued with a wildcard in the domain name, such
as \*.isda-thalia-1.mit.edu.

Remember, if the server is a Thalia server, it will need a wildcard
certificate and DNS record for *.`hostname`, and if it is doing any type of
authentication, it will need a joint client/server certificate to be able
to connect to the Shibboleth server (and have end users connect to it as
well).
    6. To generate a self signed temporary certificate, add the x509 and nodes options to the openssl command line.
      Code Block
      
cd /home/www/ssl
openssl req -key /home/www/ssl/private/`hostname`-key.pem -new \
     -x509 -nodes >/home/www/ssl/certs/`hostname`-temp-cert.pem
    7. When you receive a certificate from MIT Certificates, save it as /home/www/ssl/certs/`hostname`-cert.pem
    8. Commands to view cert information:
      • to look at a request:
        Code Block
        
openssl req -in /home/www/ssl/certs/`hostname`-req.pem -text
      • to look at the private key:
        Code Block
        
openssl rsa -in /home/www/ssl/private/`hostname`-key.pem -text
      • to look at the server certificate:
        Code Block
        
openssl x509 -in /home/www/ssl/certs/`hostname`-cert.pem -text
  4. set up apache-ssl
    1. download Apache 2.2.4 from apache archive site at http://archive.apache.org/dist/httpd/
    2. Unpack apache 2.2.4 (tar -xzvf) and do "cd httpd-2.2.4"
      Code Block
      
cd /home/www/tmp
tar -xzvf /home/www/tmp/httpd-2.2.4.tar.gz
cd httpd-2.2.4
    3. compile apache following the instruction in the INSTALL file. To enable the SSL, do the following:
      Code Block
      
./configure --prefix=/home/www/apache-2.2.4 --enable-ssl \
  --enable-modules="most mod_rewrite"
make
make install
ln -s /home/www/apache-2.2.4 /home/www/apache
  5. set up mod-jk
    1. download mod-jk 1.2.21 source (previous versions have a security hole that could allow a remote attacker to execute arbitary code) from http://tomcat.apache.org/connectors-doc/.
      Code Block
      
cd /home/www/tmp
tar -xzvf /home/www/tmp/tomcat-connectors-1.2.21-src.tar.gz
cd tomcat-connectors-1.2.21-src
    2. build and install binaries according to BUILD.txt. apxs is at /home/www/apache/bin/apxs. mod_jk.so will be put at /home/www/apache/modules
      Code Block
      
cd native
./configure --with-apxs=/home/www/apache/bin/apxs --enable-ssl
make
make install
  6. install jdk 1.6 which is required by tomcat 5.5.25
    1. download jdk 1.6 binary at http://java.sun.com/javase/downloads/index.jsp
    2. You may need to set the binary file to be executable:
      Code Block
      
chmod u+x,u-w jdk-6-linux-i586.bin
    3. execute the binary installer as root. If it produces a rpm file, use rpm -ivh to install it. If you downloaded the straight binary installer, move to a directory with installed software, such as /usr/local. Also, you will need to page through a licensing agreement and type yes to accept it.
      Code Block
      
cd /usr/local
/home/root/jdk-6-linux-i586.bin
      • or
        Code Block
        
./jdk-6-linux-i586-rpm.bin
rpm -ivh jdk-6-linux-i586
    4. create a file in /etc/profile.d named java_home.sh.  It should contain a line exporting a variable pointing to the Java home directory. Then make this file world executable.:
      Code Block
      
cat > /etc/profile.d/

...

    1. java_home.sh
export

...

    1. JAVA_HOME=/

...

    1. usr/local/

...

    1. jdk1.6.0

...

    1. 
^C
chmod a+xr,a-w

...

    1.  /etc/profile.d/

...

    1. java_home.sh

   7d.  Copy the modify instance file and the MIT worker consolidator file into the SASH server bin directory.

Code Block

cp /root/mkInstance $SASHSRV_HOME/bin
cp /root/modify-instance-file.sh $SASHSRV_HOME/bin
cp /root/mit-worker-consolidater.sh $SASHSRV_HOME/bin
chmod ug+rx,a-w $SASHSRV_HOME/bin/modify-instance-file.sh $SASHSRV_HOME/bin/mit-worker-consolidater.sh $SASHSRV_HOME/bin/mkInstance

  7e.  Copy the sash-2.0-flattened-jars.zip file onto the server and update the commons-io jar file. 

Code Block

cd ${SASHSRV_HOME}/core/server/webapps/manager/WEB-INF/lib
unzip -j /root/sash-2.0-flattened-jars.zip  sash-2.0-flattened-jars/commons-io-1.3.1-1.jar

7. Do the configuration:

  7a. SASH Server part: cd into the tomcat home directory

Code Block

cd $SASHSRV_HOME/conf/template

    7aa. enter the conf directory and create a jk directory

Code Block

cd conf
mkdir jk
cd jk

    7ab. copy the workers.properties file from /opt/tomcat-connectors-1.2.21-src/conf and put it in conf/jk.  Also copy the sashsrv.conf template into the template conf directory.

...

    7ac. make certain the following directives in workers.properties are set:

Code Block

workers.tomcat_home=%%CATALINA_BASE%%
workers.java_home=/usr/local/jdk1.6.0
ps=/
worker.list=ajp13
worker.ajp13.port=%%AJP_PORT%%
worker.ajp13.host=localhost
worker.ajp13.type=ajp13
worker.ajp13.lbfactor=1
worker.loadbalancer.type=lb
worker.loadbalancer.balanced_workers= ajp13

        comment out the ajp12 lines in workers.properties.
                                   
     7ad. edit conf/server.xml and add the following:

     after <Server port="%%SHUTDOWN_PORT%%" shutdown="SHUTDOWN">   add

Code Block

<Listener className="org.apache.jk.config.ApacheConfig"
      modJk="/home/www/apache/modules/mod_jk.so" jkDebug="info"
      workersConfig="%%CATALINA_BASE%%/conf/jk/workers.properties"
      jkLog="%%CATALINA_BASE%%/logs/mod_jk.log"/>

      after  <Engine name="Catalina" defaultHost="localhost">
      add

Code Block

<Listener className="org.apache.jk.config.ApacheConfig" append="true" />

     7ae. If this is going to be a Web Services servers, disable direct
          connections to the SASH Server and force communications to go through apache,
          by commenting out the http port  connector block in server.xml:

Code Block

<!--
    <Connector port="%%HTTP_PORT%%"
        maxHttpHeaderSize="8192"
        maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
        enableLookups="false" redirectPort="8443" acceptCount="100"
        connectionTimeout="20000" disableUploadTimeout="true" />
-->

          If this is going to be a Thalia server, skip this step.

     7af. Uncomment the AJP block in server.xml.

Code Block

<!-- An AJP Connector - uncomment if needed -->
    <Connector port="%%AJP_PORT%%"
        protocol="AJP/1.3" />

     7ag. edit tomcat_users.xml, and add the following user definition just
          above the '</tomcat-users>' line:

Code Block

<role rolename="manager"/>
       <user username="tomcat" password="*****" roles="tomcat,manager"/>

          be certain to change the password to be the password for the team the server is providing services to.  Check with your groups manager to see what the password
          standards for your group are.  Do not cut and paste this password into place, do not use "*****" as a password, etc.

     7ah.  Edit the sashsrv.conf file and add the base port information for JMX.  Add it near the bottom, between the AJP base port and the max port range.

Code Block

cd $SASHSRV_HOME/conf
vi sashsrv.conf

# The base port for the JMX handlers - MIT addition
#
JMX_BASE=9000

     7ah.  Add the JAVA_HOME location to $SASHSRV_HOME/conf/sashsrv.conf.  Also
            change the ACTIVE_PROBE_PLAN and LD_LIBRARY_PATH to have
            $SASH_HOME in their paths.  The conf file is read by the startup
            script, so putting the variables in will not work.  They must be
            fully qualified.  Also add recursion to LD_LIBRARY_PATH.

Code Block

LD_LIBRARY_PATH=/home/www/sash-server-2.0.4-BETA/lib:${LD_LIBRARY_PATH}

...

  1. install the SASH Server. NOTE: These instructions are written assuming version 2.0.4-BETA of the SASH Server, but this version is not officially supported. We are waiting on version 2.0.4 to become officially supported.
    1. If this is a server ops installed and managed RHEL 4 VM, request that they install the 32 bit NPTL threading libraries, and reboot the VM. If this is a RHEL 5 VM, check the the threading libraries are 32 bit compatible. If this is a physical server, this step can be skipped.
    2. download sash-server-2.0.4-BETA.tar.gz from: https://portal.sourcelabs.com/?module=download You will need to register and login to the web site to be able to download the SASH Server. Also, copy the sashsrv.conf mkInstance, modify-instance-file.sh, monitor.war and mit-worker-consolidater.sh out of the ISDA repository on Trogdor and onto the machine.
      Code Block
      
scp -r root@trogdor:/opt/software-repository-tmp/SASH_Server/mit-worker-consolidater.sh  \
  root@trogdor:/opt/software-repository-tmp/SASH_Server/mkInstance \
  root@trogdor:/opt/software-repository-tmp/SASH_Server/monitor.war \
  root@trogdor:/opt/software-repository-tmp/SASH_Server/sash-2.0-flattened-jars.zip \
  root@trogdor:/opt/software-repository-tmp/SASH_Server/sashctl \
  root@trogdor:/opt/software-repository-tmp/SASH_Server/sash_home.sh \
  root@trogdor:/opt/software-repository-tmp/SASH_Server/sash-server-2.0.4-BETA

...

    1. .tar.gz \
  root@trogdor:/opt/software-repository-tmp/SASH_Server/sashsrv.conf \
  root@trogdor:/opt/software-repository-tmp/SASH_Server/server.xml \
  root@trogdor:/opt/software-repository-tmp/SASH_Server/template \
  root@trogdor:/opt/software-repository-tmp/SASH_Server/web \
  root@trogdor:/opt/software-repository-tmp/SASH_Server/consolidator.conf  \
  root@trogdor:/opt/software-repository-tmp/common-init/apache_home.sh  \
  /home/root
    2. unzip and untar (gunzip , tar -xvf) into your working directory, such as /home
      Code Block
      
cd /home/www
tar -xzvf /home/root/sash-server-2.0.4-BETA.tar.gz
ln -s sash-server-2.0.4-BETA sash-server
cd sash-server-2.0.4-BETA
    3. Copy sash_home.sh and apache_home.sh into /etc/profile.d.
      Code Block
      
cp /home/root/sash_home.sh /home/root/apache_home.sh /etc/profile.d
chmod a+rx /etc/profile.d/sash_home.sh /etc/profile.d/apache_home.sh
source /etc/profile.d/sash_home.sh
source /etc/profile.d/apache_home.sh
    4. Copy the custom sashctl file and the MIT worker consolidator file into the SASH server bin directory.
      Code Block
      
cp -a --reply=yes /home/root/template/* $SASHSRV_HOME/conf/template
cp --reply=yes /home/root/mkInstance $SASHSRV_HOME/bin
cp --reply=yes /home/root/sashctl $SASHSRV_HOME/bin
cp --reply=yes /home/root/mit-worker-consolidater.sh $SASHSRV_HOME/bin
cp --reply=yes /home/root/monitor.war $SASHSRV_HOME/conf/template/webapps
cp --reply=yes /home/root/consolidator.conf /home/root/sashsrv.conf $SASHSRV_HOME/conf
chmod ug+rx,a-w $SASHSRV_HOME/bin/mit-worker-consolidater.sh $SASHSRV_HOME/bin/mkInstance
    5. Copy the sash-2.0-flattened-jars.zip file onto the server and update the commons-io jar file.
      Code Block
      
cd ${SASHSRV_HOME}/core/server/webapps/manager/WEB-INF/lib
unzip -j /home/root/sash-2.0-flattened-jars.zip  sash-2.0-flattened-jars/commons-io-1.3.1-1.jar
  2. Do the configuration:
    1. SASH Server part: cd into the tomcat home directory
      Code Block
      
cd $SASHSRV_HOME/conf/template
      1. enter the conf directory and create a jk directory
        Code Block
        
cd conf
mkdir jk
cd jk
      2. copy the sashsrv.conf template into the template conf directory.
        Code Block
        
cp /home/root/template/conf/sashsrv.conf /home/www/sash-server-2.0.4-BETA/conf/template/conf
      3. If this need HTTP connections to the Tomcat connectors, enable direct connections to the SASH Server, by removing the '<!-' and '->' from around the http port connector block in server.xml. Also works for https:
        Code Block
        
<Connector port="%%HTTP_PORT%%"
        maxHttpHeaderSize="8192"
        maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
        enableLookups="false" redirectPort="8443" acceptCount="100"
        connectionTimeout="20000" disableUploadTimeout="true" />
      4. edit tomcat_users.xml, and add the following user definition just above the '</tomcat-users>' line:
        Code Block
        
<role rolename="manager"/>
       <user username="tomcat" password="*****" roles="tomcat,manager"/>
        • be certain to change the password to be the password for the team the server is providing services to. Check with your groups manager to see what the password standards for your group are. Do not cut and paste this password into place, do not use "*****" as a password, etc.
      1. Update the www user.
        Code Block
        
chown -R www:www /home/www

...

        • And edit $SASHSRV_HOME/bin/setvars,

...

        • $SASHSRV_HOME/bin/sash-server.init, and $SASHSRV_HOME/bin/sash-server-CS2.init, and change

...

        • the SASHSRV_USER.
          Code Block

...

     7aj.  To progate the changes made to the config, delete the default
           server container, and create a new one.

...

        • cd $SASHSRV_HOME/bin
sed -i s:SASHSRV_USER=\"sashsrv\":SASHSRV_USER=\"www\":g $SASHSRV_HOME/bin/setvars

...

        • sed -

...

        • i s:SASHSRV_USER=\"sashsrv\":SASHSRV_USER=\"www\":g $SASHSRV_HOME/

...

              Also create any other server containers that may be needed.  Some of the common ones are mitid, roles, moira, sis, and misc.

     7ak.  Set up the
 

     7al.  Run the java_home.sh script and start the SASH Server

Code Block

source /etc/profile.d/java_home.sh
$SASHSRV_HOME/bin/sashctl all start

     7am.  Tomcat creates a mod_jk.conf file in ./core/conf/auto/ directory
           the first time is runs.  Correct it to point to where mod_jk.so
           resides.

       change

Code Block

LoadModule jk_module "/usr/local/apache/libexec/mod_jk.so"

       to

Code Block

LoadModule jk_module "/home/www/apache/modules/mod_jk.so"

  7b. apache side: edit /home/www/apache/conf/httpd.conf
   edit the following directives:

...

        • bin/sash-server.init
sed -i s:SASHSRV_USER=\"sashsrv\":SASHSRV_USER=\"www\":g $SASHSRV_HOME/bin/sash-server-CS2.init
      2. To progate the changes made to the config, delete the default server container, and create a new one.
        Code Block
        
cd $SASHSRV_HOME/servers
rm -rf default
cd $SASHSRV_HOME/bin
./mkInstance -N default
cd $SASHSRV_HOME/servers/default
        • Also create any other server containers that may be needed. Some of the common ones are mitid, roles, moira, sis, and misc.
      3. Set up the additional directories and files needed for JMX and the standard ISDA/MAP configuration scripts.
        Code Block
        
cd /home/www
mkdir /home/www/etc
mkdir /home/www/etc/containers
mkdir /home/www/etc/krb
mkdir /home/www/etc/jmx
touch /home/www/etc/jmx/jmxremote.password
chmod a-wx,u+r,go-r /home/www/etc/jmx/jmxremote.password
chown -R www:www /home/www
      4. Run the java_home.sh script and start the SASH Server
        Code Block
        
source /etc/profile.d/java_home.sh
$SASHSRV_HOME/bin/sashctl all start
      5. Tomcat creates a mod_jk.conf file in ./core/conf/auto/ directory the first time is runs. Correct it to point to where mod_jk.so resides.
        • change
          Code Block
          
LoadModule jk_module "/home/www/apache/libexec/mod_jk.so"
        • to
          Code Block
          
LoadModule jk_module "/home/www/apache/modules/mod_jk.so"
    2. Apache side:
      1. edit /home/www/apache/conf/httpd.conf
        • edit the following directives:
          Code Block
          
ServerRoot "/home/www/apache"          # change to apache home directory
User www

...

        •

...

        •                 # change from daemon
Group www                              # change from daemon
ServerAdmin map-support@mit.edu        # change to our group email address
Include conf/extra/httpd-vhosts.conf   # Uncomment
Include conf/extra/httpd-ssl.conf      # Uncomment

...

        • add to /home/www/apache/conf/httpd.conf, and the bottom of the other includes:
          Code Block
          
# SASH Server/mod_jk includes
Include /home/www/sash-server-2.0.4-BETA/core/conf/auto/mod_jk.conf

<IfModule \!mod_rewrite.c>
    LoadModule rewrite_module "/home/www/apache/modules/mod_rewrite.so"
</IfModule>

...

      1. edit /home/www/apache/conf/extra/httpd-vhosts.conf to have ONLY one of the

...

      1. following VirtualHost blocks:

    ...

          • Thalia:

    ...

          • Code Block
            
NameVirtualHost

    ...

          • *:80

<VirtualHost

    ...

          • *:80>
     ServerName

    ...

         7d2. Web Services - edit for correct server name:  <code><pre>

    Code Block
    
<VirtualHost \*:80>
     RewriteEngine On

     RewriteRule \^/(.*)         [https://finniganfen.mit.edu/$1] [L,R]

</VirtualHost>

        7d3.  To prevent some web applications (such as WarehouseServices) from being redirected to https, add an escape clause between "RewriteEngine On" and the
            RewriteRule: 

    Code Block
    
RewriteCond %{REQUEST_URI}       !/WarehouseService

    7e. edit /home/www/apache/conf/extra/httpd-ssl.conf and alter the following
           directives:

    Code Block
    
# points to directory with tomcat servers
DocumentRoot "/home/www/sash-server-2.0.4-BETA/servers/"
# the servername of the server
ServerName gybe.mit.edu:443
# the admins of this server
ServerAdmin dracus@mit.edu,dongq@mit.edu,dtanner@mit.edu
# error log file
ErrorLog /home/www/apache/logs/error_log
# access log file
TransferLog /home/www/apache/logs/access_log
# public server certificate
SSLCertificateFile /usr/local/ssl/certs/gybe.mit.edu.pem
# private server certificate
SSLCertificateKeyFile /usr/local/ssl/private/https-key.pem
#certificate path
SSLCACertificatePath /usr/local/ssl/certs
# certificate authority key
SSLCACertificateFile /usr/local/ssl/certs/mitCA.pem

SSLVerifyClient require
SSLVerifyDepth 10

       7f. add the following after the '<Directory "/home/www/apache/cgi-bin">'
           block in /home/www/apache/conf/extras/httpd-ssl.conf

    Code Block
    
SSLOptions +StdEnvVars +ExportCertData

    8. to pass environment variables from apache to tomcat, add the following to
       the end of httpd.conf (note, the name for those environment variables might
       change between different apache versions. Apache comes with a cgi script in
       cgi-bin/printenv. Run this script in your https enabled browser to verify
       that these variables still holds).

    Code Block
    
JkEnvVar SSL_CLIENT_DN nodefault
JkEnvVar SSL_CLIENT_S_DN_CN nodefault
JkEnvVar SSL_CLIENT_S_DN_Email nodefault
JkEnvVar SSL_CLIENT_S_DN nodefault
JkEnvVar HTTP_ACCEPT_LANGUAGE nodefault
JkEnvVar SSL_CLIENT_CERT none

    9.  copy the following files to the noted locations.  They should be in the ISDA software repository.

         9a. MitIdService.jar   moves to $SASHSRV_HOME/core/shared/lib

    Code Block
    
cp /root/MitIdService.jar $SASHSRV_HOME/core/shared/lib

         9b. rolesApplicationContext.xml   moves to $SASHSRV_HOME/core/shared/classes

    Code Block
    
cp /root/rolesApplicationContext.xml $SASHSRV_HOME/core/shared/classes/

         9c. rootauth moves to /root

    10. install the web init script into /etc/init.d, and place starter links into
        the /etc/rc.d/ runlevel directories.  It should be bundled with this
        document.

      10a.  edit the variables in the top section of the web file to use the
            directories and binaries correct for this system

       10b.  be certain to check if apache is using a httpdctl or apachectl starter
            program, usually contained in /home/www/apache/bin, and set the apachectl
            variable accordingly

        10c.  set web to be executable

    Code Block
    
chmod a+rx,a-w /etc/init.d/web

         10d.  link startweb and stopweb to the web program, from wherever it is
            located, and link start scripts in /etc/init.d:

    Code Block
    
ln -s /etc/init.d/web /root/startweb
ln -s /etc/init.d/web /root/stopweb
ln -s /etc/init.d/web /etc/rc.d/rc1.d/K15web
ln -s /etc/init.d/web /etc/rc.d/rc2.d/K15web
ln -s /etc/init.d/web /etc/rc.d/rc3.d/K15web
ln -s /etc/init.d/web /etc/rc.d/rc4.d/K15web
ln -s /etc/init.d/web /etc/rc.d/rc5.d/K15web
ln -s /etc/init.d/web /etc/rc.d/rc6.d/K15web
ln -s /etc/init.d/web /etc/rc.d/rc2.d/S15web
ln -s /etc/init.d/web /etc/rc.d/rc3.d/S15web
ln -s /etc/init.d/web /etc/rc.d/rc4.d/S15web
ln -s /etc/init.d/web /etc/rc.d/rc5.d/S15web

        10e.  Copy the SASH Server init file into /etc/init.d

    Code Block
    
cp $SASHSRV_HOME/bin/sash-server.init /etc/init.d/sash-server
chmod a+rx,a-w /etc/init.d/sash-server

        10f.  Link the SASH Server init file to runlevels.

    ...

          • *.isda-thalia2.mit.edu

     RewriteEngine On

     RewriteCond %{HTTP_HOST}    !^isda-thalia2\.mit\.edu [NC]
     RewriteCond %{HTTP_HOST}    !^test\.isda-thalia2\.mit\.edu [NC]
     RewriteCond %{HTTP_HOST}    !^demo\.isda-thalia2\.mit\.edu [NC]
     RewriteCond %{HTTP_HOST}    !^hst\.isda-thalia2\.mit\.edu [NC]
     RewriteCond %{HTTP_HOST}    !^ap\.isda-thalia2\.mit\.edu [NC]

    ...

          •      RewriteRule ^/(.*)         http://isda-thalia2.mit.edu/$1 [L,R]
</VirtualHost>
          • Web Services - edit for correct server name:
            Code Block
            
<VirtualHost *:80>
     RewriteEngine On

     RewriteRule ^/(.*)         https://finniganfen.mit.edu/$1 [L,R]

</VirtualHost>
          • To prevent some web applications (such as WarehouseServices) from being redirected to https, add an escape clause between "RewriteEngine On" and the RewriteRule:
            Code Block
            
RewriteCond %{REQUEST_URI}       !/WarehouseService
        2. edit /home/www/apache/conf/extra/httpd-ssl.conf and alter the following directives:
          Code Block
          
# points to directory for static html files
DocumentRoot "/home/www/apache/htdocs"
# the servername of the server
ServerName gybe.mit.edu:443
# the admins of this server
ServerAdmin map-support@mit.edu
# error log file
ErrorLog /home/www/apache/logs/error_log
# access log file
TransferLog /home/www/apache/logs/access_log
# public server certificate
SSLCertificateFile /home/www/ssl/certs/gybe.mit.edu.pem
# private server certificate
SSLCertificateKeyFile /home/www/ssl/private/https-key.pem
#certificate path
SSLCACertificatePath /home/www/ssl/certs
# certificate authority key
SSLCACertificateFile /home/www/ssl/certs/mitCA.pem

SSLVerifyClient require
SSLVerifyDepth 10
        3. add the following after the '<Directory "/home/www/apache/cgi-bin">' block in /home/www/apache/conf/extras/httpd-ssl.conf
          Code Block
          
SSLOptions +StdEnvVars +ExportCertData
    2. copy the following files to the noted locations. They should be in the ISDA software repository.
      1. MitIdService.jar moves to $SASHSRV_HOME/core/shared/lib
        Code Block
        
cp /home/root/MitIdService.jar $SASHSRV_HOME/core/shared/lib
      2. rolesApplicationContext.xml moves to $SASHSRV_HOME/core/shared/classes
        Code Block
        
cp /home/root/rolesApplicationContext.xml $SASHSRV_HOME/core/shared/classes/
    3. install the web init script into /etc/init.d, and place starter links into the /etc/rc.d/ runlevel directories. It is in the Software Repository on Trogdor.
      1. edit the variables in the top section of the web file to use the directories and binaries correct for this system
      2. be certain to check if apache is using a httpdctl or apachectl starter program, usually contained in /home/www/apache/bin, and set the apachectl variable accordingly
      3. set web to be executable
        Code Block
        
chmod a+rx,a-w /etc/init.d/web
      4. link startweb and stopweb to the web program, from wherever it is located, and link start scripts in /etc/init.d:
        Code Block
      1. 
ln -s /etc/init.d/

    ...

      1. web

    ...

      1. /root/startweb
ln -s /etc/init.d/

    ...

      1. web /

    ...

      1. root/stopweb
ln -s /etc/init.d/

    ...

        10g.  Edit /etc/init.d/sash-server and correct the value of SASHSRV_HOME.

    11. Add line to /var/spool/cron/root to cause rootauth to run every 15 min, and
        freshen the Kerberos tickets.

    Code Block
    
cat >> /var/spool/cron/root
0,15,30,45 * * * * /root/rootauth
^C

    12. update paths in /etc/profile, by adding the following line in the path
        manipulation code block (you can find it by searching for /usr/local/sbin)

    Code Block
    
pathmunge /usr/local/bin
      pathmunge /usr/kerberos/bin

    13. If this is an upgrade on a server that had previously had a tomcat on it,
        there are additional steps to move necessay files and code to the new
        directories.

      13a.  copy the webapps from the old deploy of tomcat to the new one.  Be certain
            to restart the server if it was running previously.

    Code Block
    
cd /home/www/sash-server-2.0.4-BETA/servers/$SERVER/webapps

cp -a geows\* mapws\* mitidws\* uaws\* testcert\* TestRemoteAlfresco\* \
     /home/www/sash-server-2.0.4-BETA/servers/$SERVER/webapps

        to see the applications deployed in a container that are not part of the
        default tomcat install, get a listing of the directory:

    Code Block
    
ls -1 --hide=balancer --hide ROOT --hide=jsp-examples \
    --hide=servlets-examples --hide=tomcat-docs --hide=webdav

      13b.  Move the /home/https/weblib directory into /home/www

    Code Block
    
mv /home/https/weblib/ /home/www/weblib
ln -s /home/www/weblib /home/https/weblib

            Alternatively, if there is not /home/https/weblib, create a
            /home/www/weblib directory

    Code Block
    
mkdir /home/www/weblib

      13c.  Edit /etc/init.d/web to have the following global variable:

    Code Block
    
export LD_LIBRARY_PATH=/usr/lib:/home/www/weblib

    ...

      1. web /etc/rc.d/

    ...

      1. rc1.d/K15web
ln -s /etc/init.d/web /etc/rc.d/rc2.d/K15web
ln -s /etc/init.d/web /etc/rc.d/rc3.d/K15web
ln -s /etc/init.d/web /etc/rc.d/rc4.d/K15web
ln -s /etc/init.d/web /etc/rc.d/rc5.d/K15web
ln -s /etc/init.d/web /etc/rc.d/rc6.d/K15web
ln -s /etc/init.d/web /etc/rc.d/rc2.d/S15web
ln -s /etc/init.d/web /etc/rc.d/rc3.d/S15web
ln -s /etc/init.d/web /etc/rc.d/rc4.d/S15web
ln -s /etc/init.d/web /etc/rc.d/rc5.d/S15web
    2. update paths in /etc/profile, by adding the following line in the path manipulation code block (you can find it by searching for /usr/local/sbin)
      Code Block
      
pathmunge /usr/local/bin
        pathmunge /usr/kerberos/bin
    3. If this is an upgrade on a server that had previously had a tomcat on it, there are additional steps to move necessay files and code to the new directories.
      1. copy the webapps from the old deploy of tomcat to the new one. Be certain to restart the server if it was running previously.
        Code Block
        
cd /home/www/sash-server-2.0.4-BETA/servers/$SERVER/webapps
cp -a geows\* mapws\* mitidws\* uaws\* testcert\* TestRemoteAlfresco\* \
     /home/www/sash-server-2.0.4-BETA/servers/$SERVER/webapps
        • to see the applications deployed in a container that are not part of the default tomcat install, get a listing of the directory:
          Code Block
          
ls -1 --hide=balancer --hide ROOT --hide=jsp-examples \
    --hide=servlets-examples --hide=tomcat-docs --hide=webdav
      1. Copy the libMitIdNativeClient.so into /home/www/weblib
        Code Block
        
cp /root/libMitIdNativeClient.so /home/www/weblib

    ...

      1. Restart web services and tomcat
        Code Block
        
/etc/init.d/web

    ...

    14.  Set up kerberos daemon principle and service ACLs for the system.

    ...

      1.  restart
    2. Set up kerberos daemon principle and service ACLs for the system.
      1. Send email to accounts@mit.edu and ask for a kerberos principle in the format of daemon.[hostname].krb5.keytab.

    ...

      1. When

    ...

      1. you

    ...

      1. receive

    ...

      1. it,

    ...

      1. install

    ...

      1. it

    ...

      1. in

    ...

      1. /home/www/etc/krb

    ...

      1. as

    ...

      1. daemon.

    ...

      1. [hostname

    ...

      1. ].krb5.keytab.

    ...

      1. Send

    ...

      1. email

    ...

      1. to

    ...

      1. Mark Silis  or Jim Repa and request that the kerberos principle above (daemon/

    ...

      1. [hostname

    ...

      1. ].mit.edu@ATHENA.MIT.

    ...

      1. EDU) be added to the access control list for the databases on Illinois that the web service will be using (often mitid or roles).
    1. If this is a Web Services system, install an AFS client, or check that a client is installed.  Thalia systems do not need this.

        ...

          1. Check if an AFS client is installed by looking at the root directory.

        ...

          1. If a client is installed, the afs directory will be near the top.
            Code Block
            
ls -l /

        ...

          1. If an AFS client is not installed, download these packages from the MIT

        ...

          1. Athena or Thalia software lockers:
            Code Block
            
mit-openafs-setup-1.2-3.noarch.rpm
mit-krb-config-1.0-3.noarch.rpm
mit-openafs-package.patch

        ...

            • Unless the server is a virtual server.

        ...

            • If this is the case, email server ops to have the virtualized AFS kernel module installed.

        ...

          1. Use rpm to install these packages, installing the Kerberos

        ...

          1. configuration package first.
            Code Block
            
rpm -ivh mit-krb-config-1.0-3.noarch.rpm
rpm -ivh mit-openafs-setup-1.2-3.noarch.rpm

        ...

            • Please note: There are no paths in these commands.

        ...

            • Store them in a

        ...

            • conveinent install directory, and cd to it first.

        ...

          1. Go to the OpenAFS client binary directory and execute the setup

        ...

          1. script.

        ...

          1. It will ask if you want the AFS client to be started at boot

        ...

          1. time.

        ...

          1. Type yes.
            Code Block
            
cd /opt/mit-openafs-setup/bin
./setup

        ...

            • If system is a SMP (multiprocessor) machine, apply the SMP patch before compiling.
              Code Block
              
cd /opt/mit-openafs-setup/bin
patch < /root/mit-openafs-package.patch
./setup

        ...

        1. If this is a Web Services system, install version of moira that uses Kerberos 5.  Thalia systems do not need this.

            ...

              1. upload moira-rhel4-clients.tar.gz onto the server, and untar to

            ...

              1. /usr/local
                Code Block
                
cd /usr/local
tar -xzvf /root/moira-rhel4-clients.tar.gz

            ...

            1. To start and stop tomcat and apache, use the initialization scripts in

            ...

            1. /etc/init.d.

            ...

            1. Be certain to leave them running when you are finished.

              ...

                • starting
                  Code Block
                  
/etc/init.d/web start

              ...

                • stopping
                  Code Block
                  
/etc/init.d/web stop