Note: Next revision cycle, start building everything into $HOME/[app]-[version#] and creating a symlink to $HOME/[app], so that there is no question about what the current, in-use directory is.

Note: When downloading software to install in these instructions, always download the source code and avoid binary installers. Binary installers tend to make inaccurate assumptions about what libraries you have installed on your system, among other problems. Verify every download against the project's published signature or checksum before unpacking it. The versions pinned below (OpenSSL 0.9.8a, Apache 2.2.4, mod_jk 1.2.21, JDK 1.6, Tomcat 5.5.25) are the ones this page was written against; all of them are long out of support, so use the current supported release of each unless you have a specific reason not to.

Note: Java/JMX remote management depends on RMI, which behaves like RPC/portmap: the registry listens on a fixed port, but the actual connection is made on a high-numbered port that the JVM picks at runtime. This means that iptables firewalls need to take this into account. Ports 8900-8999 should be set to only allow connections from localhost, and all high-numbered ports should only accept connections from the local classful network (18.0.0.0/8 in the case of MIT). On JDKs newer than the 1.6 release used here, the RMI port can be pinned with -Dcom.sun.management.jmxremote.rmi.port=<port> (JDK 7u4 and later), which removes the need to open the high-numbered range at all.

  1. Setup local directory structure and users.
    1. Setup the www user.
      Code Block
      
      groupadd www
      useradd -g www -d /home/www -m -r -s /bin/bash www
      
    1. Add the logs user.
      Code Block
      
      groupadd logs
      useradd -g logs -d /home/logs -m -r -s /bin/bash logs
      

      • Set the www user directory structure and copy the config files into place. Copy the contents of the source directories (not the directories themselves) so nothing ends up nested one level too deep, and leave the keytab readable by the www user only.
        Code Block
        
        mkdir /home/www/weblib
        mkdir /home/www/etc
        mkdir /home/www/etc/krb
        cp -a /home/root/weblib/. /home/www/weblib/
        scp -r "root@trogdor.mit.edu:${REPOS_HOME}/System-configs/www-user/etc/*" /home/www/etc/
        cp /root/map-dev-ws1-new-keytab /home/www/etc/krb/daemon.map-dev-ws1.krb5.keytab
        chown -R www:www /home/www/etc
        chmod u=r,go= /home/www/etc/krb/daemon.map-dev-ws1.krb5.keytab
        
      • Make certain that the library files are put into their correct locations.
        Code Block
        
        scp -r "root@trogdor.mit.edu:${REPOS_HOME}/System-configs/www-user/weblib/*" /home/www/weblib/
        

    1. If needed (if this system is going to hold an Alfresco instance, or something similar), setup the repository user.
      Code Block
      
      groupadd repos
      useradd -g repos -d /home/repos -m -r -s /bin/bash repos
      
    1. If needed, setup the database user.
      Code Block
      
      groupadd db
      useradd -g db -d /home/db -m -r -s /bin/bash db
      

      • The logs user is intended to allow developers access to log and configuration files without granting root access. Change the group ownership of any file that developers will need non-root access to so that it belongs to the logs group, and chmod those files to be group readable.
  1. Then, check the version of openssl already installed with the OS.
    Code Block
    
    openssl version
    
    1. If the version is lower than 0.9.8a, or if it is not installed, download the openssl 0.9.8a source from http://www.openssl.org/source/ and follow the instructions in the INSTALL document to compile and install the binaries. The default location is /usr/local/ssl, but we need to use /home/www/ssl. To change it, run config like this:
      Code Block
      
      cd /home/www/tmp
      tar -xzvf /home/www/tmp/openssl-0.9.8a.tar.gz
      cd openssl-0.9.8a
      ./config --prefix=/home/www/ssl --openssldir=/home/www/ssl
      make
      make install
      
  1. Set up certificates. If using the local version of SSL, put them into /tmp/ssl, and copy them to the Apache conf directory during the config:
    1. Create the SSL directories. The private directory should be readable by the www user only.
      Code Block
      
      mkdir /home/www/ssl
      mkdir /home/www/ssl/certs
      mkdir /home/www/ssl/private
      chown -R www:www /home/www/ssl
      
    1. Get the MIT CA certificate from http://ca.mit.edu/mitClient.crt and save it as /home/www/ssl/certs/mitClient.crt.
    1. Convert mitClient.crt from DER to PEM format:
      Code Block
      
      openssl x509 -in /home/www/ssl/certs/mitClient.crt -inform DER -outform \
          PEM -out /home/www/ssl/certs/mitCA.pem
      
    1. Generate the RSA key.
      • The ps output only adds some extra entropy to the seed; current OpenSSL releases seed from the kernel and do not need it. The 1024-bit size was the norm when this page was written, but CAs no longer issue certificates for keys shorter than 2048 bits, so use 2048 on a new install:
        Code Block
        
        ps > /tmp/foo
        ps -elf >> /tmp/foo
        cd /home/www/ssl
        openssl genrsa -rand /tmp/foo 1024 >/home/www/ssl/private/`hostname`-key.pem
        
    1. Generate the request for a certificate.
      Code Block
      
      cd /home/www/ssl/
      openssl req -key /home/www/ssl/private/`hostname`-key.pem -new \
         >/home/www/ssl/certs/`hostname`-req.pem
      
    1. Send the file /home/www/ssl/certs/`hostname`-req.pem to mitcert@mit.edu.
      Code Block
      
      Please be aware, the organization (O) is:
      Massachusetts Institute of Technology
      and the common name (CN) is the name of the server or
      service, including the domain name (.mit.edu).  Also, some servers, such
      as Thalia servers, can represent an entire subdomain.  These servers
      will need certificates issued with a wildcard in the domain name, such
      as *.isda-thalia-1.mit.edu.
      
      Remember, if the server is a Thalia server, it will need a wildcard
      certificate and DNS record for *.`hostname`, and if it is doing any type of
      authentication, it will need a joint client/server certificate to be able
      to connect to the Shibboleth server (and have end users connect to it as
      well).
      
    1. To generate a self-signed temporary certificate, add the -x509 and -nodes options to the openssl command line.
      Code Block
      
      cd /home/www/ssl
      openssl req -key /home/www/ssl/private/`hostname`-key.pem -new \
           -x509 -nodes >/home/www/ssl/certs/`hostname`-temp-cert.pem
      
    1. When you receive a certificate from MIT Certificates, save it as /home/www/ssl/certs/`hostname`-cert.pem.
    1. Commands to view cert information:
      • to look at a request:
        Code Block
        
        openssl req -in /home/www/ssl/certs/`hostname`-req.pem -text
        
      • to look at the private key:
        Code Block
        
        openssl rsa -in /home/www/ssl/private/`hostname`-key.pem -text
        
      • to look at the server certificate:
        Code Block
        
        openssl x509 -in /home/www/ssl/certs/`hostname`-cert.pem -text
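
    Example (added here; not part of the original page): the key, request and temporary self-signed certificate steps above as shell functions, followed by the check a practitioner wants before wiring the files into Apache: that the certificate really contains the public key of the private key it is going to be paired with. It assumes OpenSSL is on PATH, SSL_DIR defaults to /home/www/ssl, the subject follows the MIT Certificates note (O and CN), and the key is 2048 bits rather than the 1024 bits used when this page was written.

```shell
#!/bin/sh
# Added example, not from the original page.  Assumed defaults:
SSL_DIR="${SSL_DIR:-/home/www/ssl}"     # layout from the steps above
HOST="${HOST:-$(hostname)}"             # CN and file-name stem
ORG="Massachusetts Institute of Technology"

# Private key (arg: hostname).  Current OpenSSL seeds from the kernel, so no
# -rand file is needed; the umask keeps the key unreadable by group/other.
make_key() (
    umask 077
    openssl genrsa -out "$SSL_DIR/private/$1-key.pem" 2048 2>/dev/null
)

# Certificate request with the O and CN the CA expects (arg: hostname).
# Current browsers also require a subjectAltName; the CA normally adds it
# from the CN, or pass -addext on OpenSSL 1.1.1 and later.
make_csr() {
    openssl req -new -key "$SSL_DIR/private/$1-key.pem" \
        -subj "/O=$ORG/CN=$1" \
        -out "$SSL_DIR/certs/$1-req.pem" 2>/dev/null
}

# Temporary self-signed certificate (the -x509 -nodes variant above), valid
# only long enough to bring the server up while the real one is issued.
make_selfsigned() {
    openssl req -new -x509 -nodes -days 30 \
        -key "$SSL_DIR/private/$1-key.pem" \
        -subj "/O=$ORG/CN=$1" \
        -out "$SSL_DIR/certs/$1-temp-cert.pem" 2>/dev/null
}

# Returns 0 when the public key inside the certificate equals the public key
# derived from the private key (args: keyfile certfile).  A mismatch here is
# the usual cause of Apache refusing to start with "key values mismatch".
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print the CN of a certificate so it can be compared with the hostname
# (works with both the old "/O=..,/CN=x" and the new "O = .., CN = x" layouts).
cert_cn() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/.*CN *= *//'
}
```

    Run key_matches_cert against the real certificate when it arrives from MIT Certificates as well, not only against the temporary one; the CA-issued file is the one that must match the key Apache loads.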
        

  1. Set up apache-ssl.
    1. Download Apache 2.2.4 from the Apache archive site at http://archive.apache.org/dist/httpd/
    1. Unpack Apache 2.2.4 (tar -xzvf) and cd into httpd-2.2.4:
      Code Block
      
      cd /home/www/tmp
      tar -xzvf /home/www/tmp/httpd-2.2.4.tar.gz
      cd httpd-2.2.4
      
    1. Compile Apache following the instructions in the INSTALL file. To enable SSL, do the following:
      Code Block
      
      ./configure --prefix=/home/www/apache-2.2.4 --enable-ssl \
        --enable-modules="most mod_rewrite"
      make
      make install
      ln -s /home/www/apache-2.2.4 /home/www/apache
      

  1. Set up mod_jk.
    1. Download the mod_jk 1.2.21 source (previous versions have a security hole that could allow a remote attacker to execute arbitrary code) from http://tomcat.apache.org/connectors-doc/.
      Code Block
      
      cd /home/www/tmp
      tar -xzvf /home/www/tmp/tomcat-connectors-1.2.21-src.tar.gz
      cd tomcat-connectors-1.2.21-src
      
    1. Build and install the binaries according to BUILD.txt. apxs is at /home/www/apache/bin/apxs. mod_jk.so will be put at /home/www/apache/modules.
      Code Block
      
      cd native
      ./configure --with-apxs=/home/www/apache/bin/apxs --enable-ssl
      make
      make install
      

  1. Install JDK 1.6, which is required by Tomcat 5.5.25.
    1. Download the JDK 1.6 binary at http://java.sun.com/javase/downloads/index.jsp. You may need to set the binary file to be executable:
      Code Block
      
      chmod u+x,u-w jdk-6-linux-i586.bin
      
    1. Execute the binary installer as root. If it produces an rpm file, use rpm -ivh to install it. If you downloaded the straight binary installer, move to a directory with installed software, such as /usr/local. Also, you will need to page through a licensing agreement and type yes to accept it.
      Code Block
      
      cd /usr/local
      /home/root/jdk-6-linux-i586.bin
      
      • or
        Code Block
        
        ./jdk-6-linux-i586-rpm.bin
        rpm -ivh jdk-6-linux-i586.rpm
        
    1. Create a file in /etc/profile.d named java_home.sh. It should contain a line exporting a variable pointing to the Java home directory. Then make this file world readable and executable. Use a here-document terminated by EOF (or end the input with ^D); interrupting cat with ^C can leave the file empty:
      Code Block
      
      cat > /etc/profile.d/java_home.sh <<'EOF'
      export JAVA_HOME=/usr/local/jdk1.6.0
      EOF
      chmod a+xr,a-w /etc/profile.d/java_home.sh
      

  1. Install the SASH Server. NOTE: These instructions are written assuming version 2.0.4-BETA of the SASH Server, but this version is not officially supported. We are waiting on version 2.0.4 to become officially supported.
    1. If this is a server ops installed and managed RHEL 4 VM, request that they install the 32 bit NPTL threading libraries, and reboot the VM. If this is a RHEL 5 VM, check that the threading libraries are 32 bit compatible. If this is a physical server, this step can be skipped.
    1. Download sash-server-2.0.4-BETA.tar.gz from https://portal.sourcelabs.com/?module=download . You will need to register and login to the web site to be able to download the SASH Server. Also, copy sashsrv.conf, mkInstance, modify-instance-file.sh, monitor.war and mit-worker-consolidater.sh out of the ISDA repository on Trogdor and onto the machine.
      Code Block
      
      scp -r root@trogdor:/opt/software-repository-tmp/SASH_Server/mit-worker-consolidater.sh  \
        root@trogdor:/opt/software-repository-tmp/SASH_Server/mkInstance \
        root@trogdor:/opt/software-repository-tmp/SASH_Server/monitor.war \
        root@trogdor:/opt/software-repository-tmp/SASH_Server/sash-2.0-flattened-jars.zip \
        root@trogdor:/opt/software-repository-tmp/SASH_Server/sashctl \
        root@trogdor:/opt/software-repository-tmp/SASH_Server/sash_home.sh \
        root@trogdor:/opt/software-repository-tmp/SASH_Server/sash-server-2.0.4-BETA.tar.gz \
        root@trogdor:/opt/software-repository-tmp/SASH_Server/sashsrv.conf \
        root@trogdor:/opt/software-repository-tmp/SASH_Server/server.xml \
        root@trogdor:/opt/software-repository-tmp/SASH_Server/template \
        root@trogdor:/opt/software-repository-tmp/SASH_Server/web \
        root@trogdor:/opt/software-repository-tmp/SASH_Server/consolidator.conf  \
        root@trogdor:/opt/software-repository-tmp/common-init/apache_home.sh  \
        /home/root
      
    1. Unzip and untar (gunzip, tar -xvf) into your working directory, such as /home/www.
      Code Block
      
      cd /home/www
      tar -xzvf /home/root/sash-server-2.0.4-BETA.tar.gz
      ln -s sash-server-2.0.4-BETA sash-server
      cd sash-server-2.0.4-BETA
      
    1. Copy sash_home.sh and apache_home.sh into /etc/profile.d.
      Code Block
      
      cp /home/root/sash_home.sh /home/root/apache_home.sh /etc/profile.d
      chmod a+rx /etc/profile.d/sash_home.sh /etc/profile.d/apache_home.sh
      source /etc/profile.d/sash_home.sh
      source /etc/profile.d/apache_home.sh
      
    1. Copy the custom sashctl file and the MIT worker consolidator file into the SASH server bin directory. cp -f overwrites existing copies without prompting, even when cp is aliased to cp -i for root (earlier versions of this page used cp --reply=yes, which current GNU coreutils no longer accepts).
      Code Block
      
      cp -af /home/root/template/* $SASHSRV_HOME/conf/template
      cp -f /home/root/mkInstance $SASHSRV_HOME/bin
      cp -f /home/root/sashctl $SASHSRV_HOME/bin
      cp -f /home/root/mit-worker-consolidater.sh $SASHSRV_HOME/bin
      cp -f /home/root/monitor.war $SASHSRV_HOME/conf/template/webapps
      cp -f /home/root/consolidator.conf /home/root/sashsrv.conf $SASHSRV_HOME/conf
      chmod ug+rx,a-w $SASHSRV_HOME/bin/mit-worker-consolidater.sh $SASHSRV_HOME/bin/mkInstance
      
    1. Copy the sash-2.0-flattened-jars.zip file onto the server and update the commons-io jar file.
      Code Block
      
      cd ${SASHSRV_HOME}/core/server/webapps/manager/WEB-INF/lib
      unzip -j /home/root/sash-2.0-flattened-jars.zip sash-2.0-flattened-jars/commons-io-1.3.1-1.jar
      

  1. Do the configuration:
    1. SASH Server part: cd into the Tomcat home directory.
      Code Block
      
      cd $SASHSRV_HOME/conf/template
      
      1. Enter the conf directory and create a jk directory.
        Code Block
        
        cd conf
        mkdir jk
        cd jk
        
      1. Copy the sashsrv.conf template into the template conf directory.
        Code Block
        
        cp /home/root/template/conf/sashsrv.conf /home/www/sash-server-2.0.4-BETA/conf/template/conf
        
      1. If this server needs HTTP connections directly to the Tomcat connectors (rather than only through mod_jk), enable direct connections to the SASH Server by removing the '<!--' and '-->' from around the HTTP port connector block in server.xml. The same works for the HTTPS connector. Leave the block commented out otherwise, so the container is reachable only through Apache:
        Code Block
        
        <Connector port="%%HTTP_PORT%%"
                maxHttpHeaderSize="8192"
                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                enableLookups="false" redirectPort="8443" acceptCount="100"
                connectionTimeout="20000" disableUploadTimeout="true" />
        
      1. Edit tomcat-users.xml, and add the following user definition just above the '</tomcat-users>' line:
        Code Block
        
        <role rolename="manager"/>
        <user username="tomcat" password="*****" roles="tomcat,manager"/>
        
        • Be certain to change the password to the password for the team the server is providing services to. Check with your group's manager to see what the password standards for your group are. Do not cut and paste this password into place, do not use "*****" as a password, etc. The manager role lets anyone holding this password deploy code into the container, so treat it as a root-equivalent credential.
      1. Update the www user.
        Code Block
        
        chown -R www:www /home/www
        
        • And edit $SASHSRV_HOME/bin/setvars, $SASHSRV_HOME/bin/sash-server.init, and $SASHSRV_HOME/bin/sash-server-CS2.init, and change the SASHSRV_USER.
          Code Block
          
          cd $SASHSRV_HOME/bin
          sed -i 's:SASHSRV_USER="sashsrv":SASHSRV_USER="www":g' $SASHSRV_HOME/bin/setvars
          sed -i 's:SASHSRV_USER="sashsrv":SASHSRV_USER="www":g' $SASHSRV_HOME/bin/sash-server.init
          sed -i 's:SASHSRV_USER="sashsrv":SASHSRV_USER="www":g' $SASHSRV_HOME/bin/sash-server-CS2.init
          
      1. To propagate the changes made to the config, delete the default server container, and create a new one.
        Code Block
        
        cd $SASHSRV_HOME/servers
        rm -rf default
        cd $SASHSRV_HOME/bin
        ./mkInstance -N default
        cd $SASHSRV_HOME/servers/default
        
        • Also create any other server containers that may be needed. Some of the common ones are mitid, roles, moira, sis, and misc.
      1. Set up the additional directories and files needed for JMX and the standard ISDA/MAP configuration scripts (mkdir -p because /home/www/etc and /home/www/etc/krb already exist from the user setup step).
        Code Block
        
        cd /home/www
        mkdir -p /home/www/etc
        mkdir -p /home/www/etc/containers
        mkdir -p /home/www/etc/krb
        mkdir -p /home/www/etc/jmx
        touch /home/www/etc/jmx/jmxremote.password
        chmod a-wx,u+r,go-r /home/www/etc/jmx/jmxremote.password
        chown -R www:www /home/www
        
      1. Run the java_home.sh script and start the SASH Server.
        Code Block
        
        source /etc/profile.d/java_home.sh
        $SASHSRV_HOME/bin/sashctl all start
        
      1. Tomcat creates a mod_jk.conf file in the ./core/conf/auto/ directory the first time it runs. Correct it to point to where mod_jk.so resides.
        • change
          Code Block
          
          LoadModule jk_module "/home/www/apache/libexec/mod_jk.so"
          
        • to
          Code Block
          
          LoadModule jk_module "/home/www/apache/modules/mod_jk.so"
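
      • Example (added here; not part of the original page): the tomcat-users.xml edit above done with a generated password instead of the "*****" placeholder. It assumes the file already ends with a </tomcat-users> line, as the stock Tomcat 5.5 file does, and that /dev/urandom is available. The XML escaping matters because a hand-chosen password containing '"' or '&' would otherwise corrupt the file and lock the manager out.

```shell
#!/bin/sh
# Added example, not from the original page.

# 24 characters (default) from a URL-safe alphabet: no shell or XML
# metacharacters, so the result can also go straight into jmxremote.password.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9_-' < /dev/urandom | head -c "${1:-24}"
}

# Escape the five XML special characters so an attribute value cannot break
# out of its quotes.  '&' must be done first or the other entities get mangled.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
        -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Emit the role and user elements for the manager account (args: user password).
tomcat_manager_user_xml() {
    printf '  <role rolename="manager"/>\n  <user username="%s" password="%s" roles="tomcat,manager"/>\n' \
        "$(xml_escape "$1")" "$(xml_escape "$2")"
}

# Insert the elements just above the closing tag (args: file user password).
# Writes to a temp file first, keeps a .bak copy, and returns 1 if the file
# has no closing tag (so a truncated file is never silently appended to).
add_manager_user() {
    file="$1"; user="$2"; pass="$3"
    grep -q '</tomcat-users>' "$file" || return 1
    ins="$file.ins.$$"; tmp="$file.tmp.$$"
    tomcat_manager_user_xml "$user" "$pass" > "$ins"
    awk -v f="$ins" '/<\/tomcat-users>/ { while ((getline l < f) > 0) print l } { print }' \
        "$file" > "$tmp" || { rm -f "$ins" "$tmp"; return 1; }
    rm -f "$ins"
    cp -p "$file" "$file.bak" && mv "$tmp" "$file"
}
```

      Typical use on the server is add_manager_user $SASHSRV_HOME/conf/template/conf/tomcat-users.xml tomcat "$(gen_password)" followed by recording the generated value in the team's password store, since it is not echoed anywhere.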
          

    1. Apache side:
      1. Edit /home/www/apache/conf/httpd.conf.
        • Edit the following directives:
          Code Block
          
          ServerRoot "/home/www/apache"          # change to apache home directory
          User www                               # change from daemon
          Group www                              # change from daemon
          ServerAdmin map-support@mit.edu        # change to our group email address
          Include conf/extra/httpd-vhosts.conf   # Uncomment
          Include conf/extra/httpd-ssl.conf      # Uncomment
          
        • Add to /home/www/apache/conf/httpd.conf, at the bottom of the other includes:
          Code Block
          
          # SASH Server/mod_jk includes
          Include /home/www/sash-server-2.0.4-BETA/core/conf/auto/mod_jk.conf
          
          <IfModule !mod_rewrite.c>
              LoadModule rewrite_module "/home/www/apache/modules/mod_rewrite.so"
          </IfModule>
          
      1. Edit /home/www/apache/conf/extra/httpd-vhosts.conf to have ONLY one of the following VirtualHost blocks:
        • Thalia:
          Code Block
          
          NameVirtualHost *:80
          
          <VirtualHost *:80>
               ServerName *.isda-thalia2.mit.edu
          
               RewriteEngine On
          
               RewriteCond %{HTTP_HOST}    !^isda-thalia2\.mit\.edu [NC]
               RewriteCond %{HTTP_HOST}    !^test\.isda-thalia2\.mit\.edu [NC]
               RewriteCond %{HTTP_HOST}    !^demo\.isda-thalia2\.mit\.edu [NC]
               RewriteCond %{HTTP_HOST}    !^hst\.isda-thalia2\.mit\.edu [NC]
               RewriteCond %{HTTP_HOST}    !^ap\.isda-thalia2\.mit\.edu [NC]
               RewriteRule ^/(.*)         http://isda-thalia2.mit.edu/$1 [L,R]
          </VirtualHost>
          
        • Web Services - edit for the correct server name:
          Code Block
          
          <VirtualHost *:80>
               RewriteEngine On
          
               RewriteRule ^/(.*)         https://finniganfen.mit.edu/$1 [L,R]
          
          </VirtualHost>
          
        • To prevent some web applications (such as WarehouseServices) from being redirected to https, add an escape clause between "RewriteEngine On" and the RewriteRule. Anything matched by the clause is served over plain HTTP, so use it only for paths that carry no credentials:
          Code Block
          
          RewriteCond %{REQUEST_URI}       !/WarehouseService
          
      1. Edit /home/www/apache/conf/extra/httpd-ssl.conf and alter the following directives. gybe.mit.edu is the example host here; on your server point SSLCertificateFile and SSLCertificateKeyFile at the `hostname`-cert.pem and `hostname`-key.pem files from the certificate step. SSLVerifyClient require rejects every HTTPS client that does not present a certificate chaining to mitCA.pem; if end users without MIT certificates must reach this server, set it inside a <Location> block instead of server-wide:
        Code Block
        
        # points to directory for static html files
        DocumentRoot "/home/www/apache/htdocs"
        # the servername of the server
        ServerName gybe.mit.edu:443
        # the admins of this server
        ServerAdmin map-support@mit.edu
        # error log file
        ErrorLog /home/www/apache/logs/error_log
        # access log file
        TransferLog /home/www/apache/logs/access_log
        # public server certificate
        SSLCertificateFile /home/www/ssl/certs/gybe.mit.edu.pem
        # private server key
        SSLCertificateKeyFile /home/www/ssl/private/https-key.pem
        # certificate path
        SSLCACertificatePath /home/www/ssl/certs
        # certificate authority certificate
        SSLCACertificateFile /home/www/ssl/certs/mitCA.pem
        
        SSLVerifyClient require
        SSLVerifyDepth 10
        
      1. Add the following after the '<Directory "/home/www/apache/cgi-bin">' block in /home/www/apache/conf/extra/httpd-ssl.conf:
        Code Block
        
        SSLOptions +StdEnvVars +ExportCertData
        

  1. Copy the following files to the noted locations. They should be in the ISDA software repository.
    1. MitIdService.jar moves to $SASHSRV_HOME/core/shared/lib
      Code Block
      
      cp /home/root/MitIdService.jar $SASHSRV_HOME/core/shared/lib
      
    1. rolesApplicationContext.xml moves to $SASHSRV_HOME/core/shared/classes
      Code Block
      
      cp /home/root/rolesApplicationContext.xml $SASHSRV_HOME/core/shared/classes/
      

  1. Install the web init script into /etc/init.d, and place starter links into the /etc/rc.d/ runlevel directories. It is in the Software Repository on Trogdor.
    1. Edit the variables in the top section of the web file to use the directories and binaries correct for this system. Be certain to check whether Apache is using a httpdctl or apachectl starter program, usually contained in /home/www/apache/bin, and set the apachectl variable accordingly.
    1. Set web to be executable:
      Code Block
      
      chmod a+rx,a-w /etc/init.d/web
      
    1. Link startweb and stopweb to the web program, from wherever it is located, and link the start and kill scripts in the runlevel directories:
      Code Block
      
      ln -s /etc/init.d/web /root/startweb
      ln -s /etc/init.d/web /root/stopweb
      ln -s /etc/init.d/web /etc/rc.d/rc1.d/K15web
      ln -s /etc/init.d/web /etc/rc.d/rc2.d/K15web
      ln -s /etc/init.d/web /etc/rc.d/rc3.d/K15web
      ln -s /etc/init.d/web /etc/rc.d/rc4.d/K15web
      ln -s /etc/init.d/web /etc/rc.d/rc5.d/K15web
      ln -s /etc/init.d/web /etc/rc.d/rc6.d/K15web
      ln -s /etc/init.d/web /etc/rc.d/rc2.d/S15web
      ln -s /etc/init.d/web /etc/rc.d/rc3.d/S15web
      ln -s /etc/init.d/web /etc/rc.d/rc4.d/S15web
      ln -s /etc/init.d/web /etc/rc.d/rc5.d/S15web
      

  1. Update paths in /etc/profile, by adding the following lines in the path manipulation code block (you can find it by searching for /usr/local/sbin):
    Code Block
    
    pathmunge /usr/local/bin
    pathmunge /usr/kerberos/bin
    

  1. If this is an upgrade on a server that previously had a Tomcat on it, there are additional steps to move the necessary files and code to the new directories.
    1. Copy the webapps from the old deploy of Tomcat to the new one (cd into the old deployment's webapps directory first; OLD_TOMCAT_HOME below is a placeholder for wherever that is). Be certain to restart the server if it was running previously.
      Code Block
      
      cd OLD_TOMCAT_HOME/webapps
      cp -a geows* mapws* mitidws* uaws* testcert* TestRemoteAlfresco* \
           /home/www/sash-server-2.0.4-BETA/servers/$SERVER/webapps
      
      • To see the applications deployed in a container that are not part of the default Tomcat install, get a listing of the directory:
        Code Block
        
        ls -1 --hide=balancer --hide=ROOT --hide=jsp-examples \
            --hide=servlets-examples --hide=tomcat-docs --hide=webdav
        
    1. Copy libMitIdNativeClient.so into /home/www/weblib.
      Code Block
      
      cp /root/libMitIdNativeClient.so /home/www/weblib
      
    1. Restart web services and Tomcat.
      Code Block
      
      /etc/init.d/web restart
      

...

  1. Set up the kerberos daemon principal and service ACLs for the system.
    1. Send email to accounts@mit.edu and ask for a kerberos principal in the format of daemon.[hostname].krb5.keytab.
    1. When you receive it, install it in /home/www/etc/krb as daemon.[hostname].krb5.keytab.
    1. Send email to Mark Silis or Jim Repa and request that the kerberos principal above (daemon/[hostname].mit.edu@ATHENA.MIT.EDU) be added to the access control list for the databases on Illinois that the web service will be using (often mitid or roles).
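A check to run after installing the keytab and before restarting the web service. This is an added example, not a script from the original page: it derives the principal name the ACL request should name from the keytab file name, and confirms the keytab is owned by the service user and is not group/world readable (anyone who can read a keytab holds the service's credentials). The www owner, the 0600/0400 mode and the use of GNU stat are assumptions.

```sh
#!/bin/sh
# Added example (not from the original page): verify a daemon keytab installed
# under /home/www/etc/krb. Assumptions: the keytab is owned by the www user,
# is mode 0600 or 0400, and GNU coreutils stat is available.
set -u

# Map daemon.HOST.krb5.keytab to the principal the page asks to have ACL'd:
# daemon/HOST.mit.edu@ATHENA.MIT.EDU. Returns 1 for any other file name.
keytab_principal() {
  name=$(basename "$1")
  case "$name" in
    daemon.*.krb5.keytab) ;;
    *) return 1 ;;
  esac
  host=${name#daemon.}
  host=${host%.krb5.keytab}
  printf 'daemon/%s.mit.edu@ATHENA.MIT.EDU\n' "$host"
}

# Return 0 only if the keytab exists, is owned by $2 and is private to it.
check_keytab_perms() {
  keytab=$1
  owner=$2
  [ -f "$keytab" ] || { echo "missing keytab: $keytab" >&2; return 1; }
  actual_owner=$(stat -c '%U' "$keytab")
  mode=$(stat -c '%a' "$keytab")
  if [ "$actual_owner" != "$owner" ]; then
    echo "keytab owner is $actual_owner, expected $owner" >&2
    return 1
  fi
  case "$mode" in
    600|400) ;;
    *) echo "keytab mode is $mode, expected 600 or 400" >&2; return 1 ;;
  esac
  # If the MIT Kerberos tools are installed, also list the keys it holds.
  if command -v klist >/dev/null 2>&1; then
    klist -kt "$keytab" || echo "klist could not read $keytab" >&2
  fi
  return 0
}

# Usage with the page's layout ([hostname] filled in by the operator):
# check_keytab_perms /home/www/etc/krb/daemon.[hostname].krb5.keytab www
# keytab_principal /home/www/etc/krb/daemon.[hostname].krb5.keytab
```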

...

  1. If this is a Web Services system, install an AFS client, or check that a client is installed. Thalia systems do not need this.
    1. Check if an AFS client is installed by looking at the root directory. If a client is installed, the afs directory will be near the top.
      Code Block
      
      ls -l /
      

...

    1. If an AFS client is not installed, download these packages from the MIT Athena or Thalia software lockers:
      Code Block
      
      mit-openafs-setup-1.2-3.noarch.rpm
      mit-krb-config-1.0-3.noarch.rpm
      mit-openafs-package.patch
      

...

      • Unless the server is a virtual server. If this is the case, email server ops to have the virtualized AFS kernel module installed.
    1. Use rpm to install these packages, installing the Kerberos configuration package first.
      Code Block
      
      rpm -ivh mit-krb-config-1.0-3.noarch.rpm
      rpm -ivh mit-openafs-setup-1.2-3.noarch.rpm
      

...

      • Please note: There are no paths in these commands. Store them in a convenient install directory, and cd to it first.

...

    1. Go to the OpenAFS client binary directory and execute the setup script. It will ask if you want the AFS client to be started at boot time. Type yes.
      Code Block
      
      cd /opt/mit-openafs-setup/bin
      ./setup
      

...

      • If the system is an SMP (multiprocessor) machine, apply the SMP patch before compiling.
        Code Block
        
        cd /opt/mit-openafs-setup/bin
        patch < /root/mit-openafs-package.patch
        ./setup
        

...

  1. If this is a Web Services system, install the version of moira that uses Kerberos 5. Thalia systems do not need this.
    1. upload moira-rhel4-clients.tar.gz onto the server, and untar it to /usr/local
      Code Block
      
      cd /usr/local
      tar -xzvf /root/moira-rhel4-clients.tar.gz
      

...

  1. To start and stop tomcat and apache, use the initialization scripts in /etc/init.d. Be certain to leave them running when you are finished.

...

    • starting
      Code Block
      
      /etc/init.d/web start
      

...

    • stopping
      Code Block
      
      /etc/init.d/web stop
      

...