
Note: These directions are not complete, and may contain errors. If you encounter an omission or error, please correct this document.

  1. Request that Server Ops set up the standard system user configuration on this system. This includes groups and system users for logs, www, and db.
  2. Download the following software from the ISDA software repository onto the system being configured (step 5 also expects openssl-0.9.8a.tar.gz in /root, so fetch it at the same time):
    httpd-2.2.4.tar.gz
    php-5.2.3.tar.gz
    MySQL/MySQL-*community-5.0.45-0.rhel4.i386.rpm
    MySQL/my.cnf
    mod_authz_mitgroup/mod_authz_mitgroup_rhel4.c
    
    • If this is a 32 bit RHEL 5 system, download these additional RPMs.
      scp root@trogdor:/mnt/iso-2/Server/php-* root@trogdor:/mnt/iso-3/Server/php-* /root
      scp root@trogdor:/mnt/iso-1/Server/curl-7.15.5-2.el5.i386.rpm \
         root@trogdor:/mnt/iso-2/Server/gmp-4.1.4-10.el5.i386.rpm \
         root@trogdor:/mnt/iso-1/Server/libidn-0.6.5-1.1.i386.rpm \
         root@trogdor:/mnt/iso-1/Server/pcre-6.6-1.1.i386.rpm /root
      
    • If this is a 64 bit RHEL system, download these additional RPMs.
       
  3. Remove the previous version of MySQL (and the packages that depend on its client library) and install the current version
    rpm -ev cyrus-sasl-sql-2.1.19-5.EL4.i386
    rpm -ev dovecot-0.99.11-4.EL4.i386
    rpm -ev mysql-4.1.20-1.RHEL4.1.i386
    rpm -ev mysqlclient10-3.23.58-4.RHEL4.1.i386
    rpm -ivh MySQL-client-community-5.0.45-0.rhel4.i386.rpm
    rpm -ivh MySQL-test-community-5.0.45-0.rhel4.i386.rpm
    rpm -ivh MySQL-devel-community-5.0.45-0.rhel4.i386.rpm
    rpm -ivh MySQL-server-community-5.0.45-0.rhel4.i386.rpm
    
  4. Stop the MySQL server and replace my.cnf. The MySQL server starts as part of the rpm install process, so at this point it is running under the default account with the default data directory.
    /etc/init.d/mysql stop
    mv /var/lib/mysql /home/db          # the data directory is now /home/db/mysql
    chown -R db:db /home/db
    cp /root/my.cnf /etc/my.cnf
    /etc/init.d/mysql start
    
    • Be certain to use the my.cnf file from the ISDA software repository, as it sets the database user to 'db' (and not the default 'mysql') and puts the home and data directories under /home/db. After the restart, confirm that mysqld is actually running as db (for example with ps -o user= -C mysqld) and that the socket is at /home/db/mysql/mysql.sock, which is the path the PHP build in step 8 is configured with.
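
    The script below is an added example and is not part of the original ISDA procedure or its my.cnf. It reads the [mysqld] section of a my.cnf, confirms that the user and datadir match the layout this step expects (account db, data under /home/db), checks that the datadir is owned by that account, and exposes the socket path so it can be compared with the --with-mysql-sock value used in step 8. The defaults and the sample configuration used to exercise it are assumptions, not the contents of the repository's my.cnf.

```shell
#!/bin/sh
# Added example, not part of the ISDA page or its my.cnf: verify that a my.cnf
# puts mysqld under the expected account and data directory. The defaults
# (db, /home/db) follow this page; they are parameters, not facts about any host.

# Print the value of KEY from the [mysqld] section of FILE (empty if unset).
# Handles "key=value" and "key = value", skips comment lines and trailing
# "# ..." comments, and ignores other sections so that e.g. "user=" under
# [client] is never mistaken for the server's account.
mycnf_get() {
    file=$1; key=$2
    awk -v key="$key" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_mysqld = ($0 ~ /^[ \t]*\[mysqld\][ \t]*$/); next }
        in_mysqld {
            line = $0
            sub(/[ \t]*#.*$/, "", line)
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$file"
}

# Return 0 when FILE runs mysqld as WANT_USER (default db) with its datadir
# under WANT_ROOT (default /home/db), and that datadir exists and is owned by
# WANT_USER. Each failure is reported on stderr.
check_db_layout() {
    file=$1; want_user=${2:-db}; want_root=${3:-/home/db}
    user=$(mycnf_get "$file" user)
    datadir=$(mycnf_get "$file" datadir)
    if [ "$user" != "$want_user" ]; then
        echo "user is '${user:-unset}' (unset means mysqld_safe falls back to its built-in default, normally mysql); expected $want_user" >&2
        return 1
    fi
    case $datadir in
        "$want_root"/*) ;;
        *) echo "datadir '$datadir' is not under $want_root" >&2; return 1 ;;
    esac
    if [ ! -d "$datadir" ]; then
        echo "datadir $datadir does not exist" >&2
        return 1
    fi
    owner=$(ls -ld "$datadir" | awk '{print $3}')
    if [ "$owner" != "$want_user" ]; then
        echo "datadir $datadir is owned by $owner, not $want_user" >&2
        return 1
    fi
    return 0
}

# Print the configured socket path, to compare with PHP's --with-mysql-sock.
mysqld_socket() { mycnf_get "$1" socket; }

# Usage on the configured host:  check_db_layout /etc/my.cnf && echo "layout OK"
```

    Run it as root after step 4; a non-zero exit with a message on stderr means the server is not in the layout the rest of this page assumes.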
  5. Install OpenSSL (the certificates themselves are set up in step 6).
    mkdir /home/www/tmp
    cd /home/www/tmp
    tar -xzvf /root/openssl-0.9.8a.tar.gz
    cd openssl-0.9.8a
    ./config --prefix=/home/www/ssl --openssldir=/home/www/ssl
    make
    make install
    
  6. Set up certificates
    1. Get the MIT CA certificate from http://ca.mit.edu/mitClient.crt and save it as /home/www/ssl/certs/mitClient.crt (under the --openssldir chosen in step 5).
    2. Convert mitClient.crt from DER to PEM format:
      /home/www/ssl/bin/openssl x509 -in /home/www/ssl/certs/mitClient.crt -inform DER -outform PEM -out /home/www/ssl/certs/mitCA.pem
      
    3. Generate the RSA private key. The ps output written to /tmp/foo is only additional seed material for the random number generator (the -rand option); it is not the key. Make sure the key file is readable by root only:
      ps > /tmp/foo
      ps -elf >> /tmp/foo
      cd /home/www/ssl/bin
      ./openssl genrsa -rand /tmp/foo 1024 >/home/www/ssl/private/`hostname`-key.pem
      chmod 600 /home/www/ssl/private/`hostname`-key.pem
      rm /tmp/foo
      
      • 1024-bit RSA keys are no longer considered adequate; use 2048 or larger unless the certificate authority requires otherwise.
    4. Generate a certificate request:
      cd /home/www/ssl/bin
      ./openssl req -key /home/www/ssl/private/`hostname`-key.pem -new \
         >../certs/`hostname`-req.pem
      
      Send the file /home/www/ssl/certs/`hostname`-req.pem to mitcert@mit.edu.
      • Please be aware that the organization (O) is Massachusetts Institute of Technology and the common name (CN) is the name of the server or service, including the domain name (.mit.edu). Also, some servers, such as Thalia servers, represent an entire subdomain. These servers need certificates issued with a wildcard in the domain name, such as *.isda-thalia-1.mit.edu.
      • Remember, if the server is a Thalia server, it will need a wildcard certificate and DNS record for *.[hostname], and if it is doing any type of authentication, it will need a joint client/server certificate to be able to connect to the Shibboleth server (and have end users connect to it as well).

    5. To generate a self-signed temporary certificate, add the -x509 and -nodes options to the same openssl req command line. -x509 makes openssl emit a certificate instead of a request (valid for 30 days by default); -nodes only matters when a key is generated in the same command, so it is harmless here.
      cd /home/www/ssl/bin
      ./openssl req -key /home/www/ssl/private/`hostname`-key.pem -new \
         -x509 -nodes >../certs/`hostname`-temp.cert
      
    6. When you receive a certificate from MIT Certificates, save it as /home/www/ssl/certs/`hostname`-cert.pem and confirm that it belongs to the key you generated (the -modulus output of the key and of the certificate must be identical).
      • to look at a request:
        openssl req -in /home/www/ssl/certs/`hostname`-req.pem -text
        
      • to look at the private key:
        openssl rsa -in /home/www/ssl/private/`hostname`-key.pem -text
        
      • to look at the server certificate:
        openssl x509 -in /home/www/ssl/certs/`hostname`-cert.pem -text
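
    As an added example (not part of the original page), the following shell functions perform the checks a practitioner would run on the files from steps 6.3 to 6.6: that the private key, the request and the issued certificate share one RSA modulus, that the CN (including a Thalia wildcard) is the one requested, that the key file is readable by its owner only, and that the issued certificate verifies against mitCA.pem. File paths are arguments; the OPENSSL variable defaulting to the openssl on PATH is an assumption (with this page's build it would be /home/www/ssl/bin/openssl).

```shell
#!/bin/sh
# Added example, not part of the ISDA page: sanity checks for the key, CSR and
# certificate files produced in step 6. File locations are arguments; OPENSSL
# defaults to the binary on PATH (assumption; the page's build lives in
# /home/www/ssl/bin).
OPENSSL="${OPENSSL:-openssl}"

# Print a SHA-256 digest of the RSA modulus held in a private key (rsa),
# request (req) or certificate (x509). Objects that belong together print the
# same digest, which is how to tell which issued certificate goes with which key.
modulus_digest() {
    kind=$1; file=$2
    case $kind in
        rsa|req|x509) ;;
        *) echo "modulus_digest: kind must be rsa, req or x509" >&2; return 2 ;;
    esac
    "$OPENSSL" "$kind" -in "$file" -noout -modulus | "$OPENSSL" dgst -sha256 | awk '{print $NF}'
}

# Return 0 when private key KEY and certificate CERT share one modulus.
key_matches_cert() {
    [ "$(modulus_digest rsa "$1")" = "$(modulus_digest x509 "$2")" ]
}

# Return 0 when private key KEY and request REQ share one modulus.
key_matches_req() {
    [ "$(modulus_digest rsa "$1")" = "$(modulus_digest req "$2")" ]
}

# Print the CN from the subject of a request (req) or certificate (x509).
# Handles both the "/O=MIT/CN=host" and the "O = MIT, CN = host" subject styles.
subject_cn() {
    kind=$1; file=$2
    "$OPENSSL" "$kind" -in "$file" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# Return 0 when the key file has no group or other permission bits
# (mode 0600 or tighter), which is what private/ should hold.
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Return 0 when CERT verifies against the CA bundle CAFILE; for the issued
# server certificate that bundle is the mitCA.pem produced in step 6.2.
chains_to_ca() {
    "$OPENSSL" verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Usage:  key_matches_cert private/host-key.pem certs/host-cert.pem && echo "key and cert match"
```

    Run key_matches_req before mailing the request and key_matches_cert plus chains_to_ca when the issued certificate arrives; a mismatch at that point usually means the wrong key file was kept or the wrong certificate was downloaded.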
        
  7. Install Apache
    cd /home/www/tmp
    tar -xzvf /root/httpd-2.2.4.tar.gz
    cd httpd-2.2.4
    ./configure --prefix=/home/www/apache-2.2.4 --enable-ssl \
       --with-ssl=/home/www/ssl \
       --enable-modules=most --enable-rewrite --enable-so
    make
    make install
    ln -s /home/www/apache-2.2.4 /home/www/apache
    
    • --enable-modules takes the keywords all or most, or module names without the mod_ prefix; mod_rewrite is requested explicitly with --enable-rewrite. --with-ssl points Apache at the OpenSSL built in step 5 rather than the system copy, so it must match that prefix.
    
  8. Set up PHP
    1. If this is a 32 bit system, build it from source to get version 5.
      cd /home/www/tmp
      tar -xzvf /root/php-5.2.3.tar.gz
      cd php-5.2.3
      ./configure --with-mysql --with-kerberos=/usr/kerberos --prefix=/home/www/php-5.2.3 --with-apxs2=/home/www/apache-2.2.4/bin/apxs \
          --enable-fastcgi --enable-magic-quotes --with-openssl --with-mysql-sock=/home/db/mysql/mysql.sock --with-mysqli --enable-sockets --enable-soap \
          --with-openssl-dir=/home/www/ssl --with-pear=/usr/share/pear
      make
      make install
      ln -s /home/www/php-5.2.3 /home/www/php
      
      • The --prefix must name the version actually being built (5.2.3 here), and the symlink must use absolute paths: run from the source tree, a relative ln -s php-5.2.0 php would only create a dangling link inside /home/www/tmp.
      • --enable-magic-quotes turns magic_quotes_gpc on by default. It is not a substitute for escaping database input (use mysqli prepared statements or mysql_real_escape_string); the feature is deprecated and was removed in later PHP releases, so code should not depend on it.
    2. If this is a 64 bit system, build with 64 bit libraries
      cd /home/www/tmp
      tar -xzvf /root/php-5.2.3.tar.gz
      cd php-5.2.3
      ./configure --with-mysql --with-kerberos=/usr/kerberos --prefix=/home/www/php-5.2.3 \
          --with-apxs2=/home/www/apache-2.2.4/bin/apxs --with-libdir=lib64 --with-libxml-dir=/usr \
          --enable-fastcgi --enable-magic-quotes --with-openssl --with-mysql-sock=/home/db/mysql/mysql.sock \
          --with-mysqli --enable-sockets --enable-soap \
          --with-openssl-dir=/home/www/ssl
      make
      make install
      ln -s /home/www/php-5.2.3 /home/www/php
      
      • --with-libdir=lib64 makes configure look in .../lib64 for system libraries, which is what "64 bit libraries" means on x86_64 RHEL. The libxml option is --with-libxml-dir and takes the install prefix (/usr), not the library directory; configure finds the library through xml2-config under that prefix. The magic quotes caveat above applies here as well.
      
  9. Configure Apache