
1.  Request that Server Ops set up the standard system user configuration on this system.  This includes groups and system users for logs, www, and db.

2.  Download the following software from the ISDA software repository onto the system being configured:

httpd-2.2.4.tar.gz
php-5.2.3.tar.gz
MySQL/MySQL-*community-5.0.45-0.rhel4.i386.rpm
MySQL/my.cnf
mod_authz_mitgroup/mod_authz_mitgroup_rhel4.c

3.  Remove the previous version of MySQL and install the current version:

rpm -ev cyrus-sasl-sql-2.1.19-5.EL4.i386
rpm -ev dovecot-0.99.11-4.EL4.i386
rpm -ev mysql-4.1.20-1.RHEL4.1.i386
rpm -ev mysqlclient10-3.23.58-4.RHEL4.1.i386
rpm -ivh MySQL-client-community-5.0.45-0.rhel4.i386.rpm
rpm -ivh MySQL-test-community-5.0.45-0.rhel4.i386.rpm
rpm -ivh MySQL-devel-community-5.0.45-0.rhel4.i386.rpm
rpm -ivh MySQL-server-community-5.0.45-0.rhel4.i386.rpm

4.  Stop the MySQL server and reconfigure my.cnf.  The MySQL server starts up as part of the rpm install process.

/etc/init.d/mysql stop
mv /var/lib/mysql /home/db
chown -R db:db /home/db
cd /etc/
cp /root/my.cnf .
/etc/init.d/mysql start

    Be certain to use the my.cnf file from the ISDA software repository, as it sets the database user to 'db' (not the default 'mysql')
    and puts the home and data directories under /home/db.

5.  Install OpenSSL (certificates are set up in step 6).

mkdir /home/www/tmp
cd /home/www/tmp
tar -xzvf /root/openssl-0.9.8a.tar.gz
cd openssl-0.9.8a
./config --prefix=/home/www/ssl --openssldir=/home/www/ssl
make
make install

6.  Set up certificates

    6a:  Get the MIT CA certificate from http://ca.mit.edu/mitClient.crt and save it as /home/www/ssl/certs/mitClient.crt (the path read by the conversion in 6b).

    6b:  Convert mitClient.crt from DER to PEM format, saving it as mitCA.pem:

openssl x509 -in /home/www/ssl/certs/mitClient.crt -inform DER -outform PEM -out /home/www/ssl/certs/mitCA.pem

    6c:  Generate the RSA key.  The ps output captured in /tmp/foo serves only as extra seed material for -rand:

ps > /tmp/foo
ps -elf >> /tmp/foo
cd /home/www/ssl/bin
./openssl genrsa -rand /tmp/foo 1024 >/home/www/ssl/private/`hostname`-key.pem

    6d:  Generate a request for a certificate:

cd /home/www/ssl/bin
./openssl req -key /home/www/ssl/private/`hostname`-key.pem -new \
   >../certs/`hostname`-req.pem

Send the file /home/www/ssl/certs/`hostname`-req.pem (written by the command above) to mitcert@mit.edu.

      Please be aware that the organization (O) is:
      Massachusetts Institute of Technology
      and the common name (CN) is the name of the server or service, including
      the domain name (.mit.edu).  Some servers, such as Thalia servers,
      represent an entire subdomain; these servers need certificates issued
      with a wildcard in the domain name, such as *.isda-thalia-1.mit.edu.

   Remember, if the server is a Thalia server, it will need a wildcard
   certificate and DNS record for *.[hostname], and if it is doing any type of
   authentication, it will need a joint client/server certificate to be able
   to connect to the Shibboleth server (and have end users connect to it as
   well).

    6e:  To generate a self-signed temporary certificate, add the -x509 and
         -nodes options to the openssl command line:

cd /home/www/ssl/bin
./openssl req -key /home/www/ssl/private/`hostname`-key.pem -new \
   -x509 -nodes >../certs/`hostname`-temp.cert

    6f:  When you receive a certificate from MIT Certificates, save it as
         /home/www/ssl/certs/`hostname`-cert.pem

    6g:  To look at a request:

openssl req -in ./req.pem -text

         To look at the private key:

openssl rsa -in /home/www/ssl/private/`hostname`-key.pem -text

         To look at the server certificate:

openssl x509 -in /home/www/ssl/certs/`hostname`-cert.pem -text
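
Steps 6c to 6g above, combined into one non-interactive script as an added example that is not part of the original page: it generates the key and the request with the subject the page requires (O is MIT, CN is the .mit.edu server name, or a wildcard for a Thalia server), produces the temporary self-signed certificate, and checks a request's subject before it is sent to mitcert@mit.edu. It assumes openssl is on PATH and that SSL_DIR points at the page's /home/www/ssl layout (overridable for a scratch directory); the C/ST/L fields, the 2048-bit key size and the 30-day validity are the example's own choices.

```shell
#!/bin/sh
# Added example (not the ISDA page's own commands): steps 6c-6e and 6g run
# non-interactively, plus a check that a request carries the subject the
# page requires. Assumes openssl on PATH; SSL_DIR defaults to the page's
# /home/www/ssl layout but can point at a scratch directory instead.
set -eu

SSL_DIR="${SSL_DIR:-/home/www/ssl}"
ORG="Massachusetts Institute of Technology"

# CN is the server name including .mit.edu; a Thalia server gets a wildcard
# so one certificate covers the whole subdomain it represents.
cn_for() {      # cn_for <hostname> [thalia]
    if [ "${2:-}" = "thalia" ]; then echo "*.$1.mit.edu"; else echo "$1.mit.edu"; fi
}

# 6c: private key, written with mode 0600. Current OpenSSL seeds from the OS
# CSPRNG, so the page's ps-output -rand file is not needed; 2048 bits is
# used because the page's 1024-bit key is below current minimums.
gen_key() {     # gen_key <hostname>
    (umask 077 && openssl genrsa -out "$SSL_DIR/private/$1-key.pem" 2048 2>/dev/null)
}

# 6d: certificate request with O and CN set as the page specifies
# (C/ST/L are this example's assumptions).
gen_req() {     # gen_req <hostname> [thalia]
    openssl req -new -key "$SSL_DIR/private/$1-key.pem" \
        -subj "/C=US/ST=Massachusetts/L=Cambridge/O=$ORG/CN=$(cn_for "$1" "${2:-}")" \
        -out "$SSL_DIR/certs/$1-req.pem"
}

# 6e: self-signed placeholder until MIT Certificates returns the real one.
gen_temp_cert() {   # gen_temp_cert <hostname> [thalia]
    openssl req -new -x509 -nodes -days 30 -key "$SSL_DIR/private/$1-key.pem" \
        -subj "/C=US/ST=Massachusetts/L=Cambridge/O=$ORG/CN=$(cn_for "$1" "${2:-}")" \
        -out "$SSL_DIR/certs/$1-temp.cert"
}

# 6g turned into a check: do not mail a request whose subject lacks the
# expected O and CN. RFC2253 output is stable across OpenSSL versions.
check_req() {   # check_req <hostname> <expected CN>
    subj=$(openssl req -in "$SSL_DIR/certs/$1-req.pem" -noout -subject -nameopt RFC2253)
    case "$subj" in
        *"CN=$2,O=$ORG,"*) return 0 ;;
    esac
    echo "unexpected subject in $1-req.pem: $subj" >&2
    return 1
}
```

Typical use on the page's layout: `gen_key $(hostname); gen_req $(hostname); check_req $(hostname) $(hostname).mit.edu` before mailing the request, and `gen_req $(hostname) thalia` for a Thalia host.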

7.  Install Apache

cd /home/www/tmp
tar -xzvf /root/httpd-2.2.4.tar.gz
cd httpd-2.2.4
./configure --prefix=/home/www/apache-2.2.4 --enable-ssl \
   --with-ssl=/home/www/ssl \
   --enable-modules="most mod_rewrite"
make
make install
ln -s /home/www/apache-2.2.4 /home/www/apache

8.  Set up PHP

cd /home/www/tmp
tar -xzvf /root/php-5.2.3.tar.gz
cd php-5.2.3
./configure --with-mysql --with-kerberos=/usr/kerberos --prefix=/home/www/php-5.2.0 --with-apxs2=/home/www/apache-2.2.4/bin/apxs \
    --enable-fastcgi --enable-magic-quotes --with-openssl --with-mysql-sock=/home/db/mysql/mysql.sock --with-mysqli --enable-sockets --enable-soap \
    --with-openssl-dir=/home/www/ssl --with-pear=/usr/share/pear
make
make install

9.  Configure Apache
