Note:  Next revision cycle, start building everything into
$HOME/\[app\]-\[version#\] and creating a symlink to $HOME/\[app\] so that there is
no question about what the current, in use, directory is.

Note: When downloading software to install in these instructions, always
download the source code, and avoid binary installers.  Binary installers tend
to make inaccurate assumptions about what libraries you have installed on your
system, as well as other problems.

1. download openssl 0.9.8a source from [http://www.openssl.org/source/]. follow
   the instruction in the INSTALL document, compile and install the
   binaries. the default location is /usr/local/ssl. If you want to change it,
   run config like this:
{code}
cd /opt
tar -xzvf /root/openssl-0.9.8a.tar.gz
cd openssl-0.9.8a
./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl
make
make install
{code}
2. set up certificates:

  2a:  get the mitca at [http://ca.mit.edu/mitClient.crt] and save it as
       /usr/local/ssl/certs/mitClient.crt

  2b:  convert mitCA.crt to pem format:
{code}
openssl x509 -in /usr/local/ssl/certs/mitClient.crt -inform DER -outform \
PEM -out /usr/local/ssl/certs/mitCA.pem
{code}
  2c: Generate rsa key

      This simply generates some random stuff:
{code}
ps > /tmp/foo
ps -elf >> /tmp/foo
cd /usr/local/ssl/bin
./openssl genrsa -rand /tmp/foo 1024 >/usr/local/ssl/private/`hostname`-key.pem
{code}
  2d: Generate request for a certificate 
{code}
cd /usr/local/ssl/bin
./openssl req -key /usr/local/ssl/private/`hostname`-key.pem -new >../certs/`hostname`-req.pem
{code}
   send the file /usr/local/ssl/certs/`hostname`-req.pem to mitcert@mit.edu,

      Please be aware, the organization (O) is:
      Massachusetts Institute of Technology
      and the common name (CN) is the name of the server or
      service, including the domain name (.mit.edu).  Also, some servers, such
      as Thalia servers, can represent an entire subdomain.  These servers
      will need certificates issued with a wildcard in the domain name, such
      as \*.isda-thalia-1.mit.edu.  

   Remember, if the server is a Thalia server, if will need a wildcard
   certificate and DNS record for \*.\[hostname\], and if it is doing any type of
   authentication, it will need a joint client/server certificate to be able
   to connect to the Shibboleth server (and have end users connect to it as
   well).

   2db. To generate a self signed temporary certificate, add the x509 and
        nodes options to the openssl command line.
{code}
cd /usr/local/ssl/bin
./openssl req -key /usr/local/ssl/private/`hostname`-key.pem -new -x509 -nodes >../certs/`hostname`-temp.cert
{code}
  2e:When you receive a certificate from MIT Certificates, save it as  /usr/local/ssl/certs/`hostname`-cert.pem

  2f:  to look at a request:     
{code}
openssl req -in ./req.pem -text
{code}
      to look at the private key:   
{code}
openssl rsa -in /usr/local/ssl/private/`hostname`-key.pem -text
{code}
      to look at the server certificate:   
{code}
openssl x509 -in /usr/localx/ssl/certs/`hostname`-cert.pem -text
{code}
3 set up apache-ssl
  3a: download Apache 2.2.4 from apache archive site at
      [http://archive.apache.org/dist/httpd/]

  3b: Unpack apache 2.2.4 (tar \-xzvf) and do "cd httpd-2.2.4"
{code}
cd /opt
tar -xzvf /root/httpd-2.2.4.tar.gz
cd httpd-2.2.4
{code}
  3c. compile apache following the instruction in the INSTALL file.
      To enable the SSL, do the following:
{code}
./configure --prefix=/home/apache --enable-ssl \
    --with-ssl=/usr/local/ssl \
    --enable-modules="most mod_rewrite"
make
make install
{code}
4. set up mod-jk

  4a. download mod-jk 1.2.21 source (previous versions have a security hole
      that could allow a remote attacker to execute arbitary code) from
      [http://tomcat.apache.org/connectors-doc/].
{code}
cd /opt
tar -xzvf /root/tomcat-connectors-1.2.21-src.tar.gz
cd tomcat-connectors-1.2.21-src
{code}
  4b. build and install binaries according to BUILD.txt. apxs is at
      /home/apache/bin/apxs. mod_jk.so will be put at /home/apache/modules
{code}
cd native
./configure --with-apxs=/home/apache/bin/apxs --enable-ssl
make
make install
{code}
5. install jdk 1.6 which is required by tomcat 5.5.25

   5a. download jdk 1.6 binary at  [http://java.sun.com/javase/downloads/index.jsp]

   5b. You may need to set the binary file to be executable:
{code}
chmod u+x,u-w jdk-6-linux-i586.bin
{code}
5c. execute the binary installer as root.  If it produces a rpm file,
use rpm \-ivh to install it.  If you downloaded the straight binary
installer, move to a directory with installed software, such as
/usr/local.  Also, you will need to page through a licensing agreement
and type yes to accept it.
{code}
cd /usr/local
/root/jdk-6-linux-i586.bin
{code}
       or
{code}
./jdk-6-linux-i586-rpm.bin
rpm \-ivh jdk-6-linux-i586
{code}
   5d. create a file in /etc/profile.d named java_home.sh.  It should contain
        a line exporting a variable pointing to the Java home directory.  Then
        make this file world executable.:
{code}
cat > /etc/profile.d/java_home.sh
export JAVA_HOME=/usr/local/jdk1.6.0
^C
chmod a+xr,a-w /etc/profile.d/java_home.sh
{code}
6. install tomcat

   6a. download apache-tomcat-5.5.25.tar.gz from:   [http://tomcat.apache.org/download-55.cgi]

   6b. unzip and untar (gunzip , tar \-xvf) into your working  directory, such as /home
{code}
cd /home
tar -xzvf /root/apache-tomcat-5.5.25.tar.gz
cd apache-tomcat-5.5.25
{code}
8. Do the configuration:
  8a. Tomcat part: cd into the tomcat home directory
{code}
cd /home/apache-tomcat-5.5.25
{code}
  8aa. enter the conf directory and create a jk directory
{code}
cd conf
mkdir jk
cd jk
{code}
    8ab. copy the workers.properties file from  /opt/tomcat-connectors-1.2.21-src/conf and put it in conf/jk
{code}
cp /opt/tomcat-connectors-1.2.21-src/conf/workers.properties /home/apache-tomcat-5.5.25/conf/jk
{code}
    8ac. make certain the following directives in workers.properties are set:
{code}
workers.tomcat_home=/home/apache-tomcat-5.5.25
workers.java_home=/usr/local/jdk1.6.0
ps=/
worker.list=ajp13
worker.ajp13.port=8009
worker.ajp13.host=localhost
worker.ajp13.type=ajp13
worker.ajp13.lbfactor=1
worker.loadbalancer.type=lb
worker.loadbalancer.balanced_workers= ajp13
{code}
    8aa. enter the conf directory and create a jk directory

      after
{code}
<Server port="8005" shutdown="SHUTDOWN">
{code}
add
{code}
<Listener className="org.apache.jk.config.ApacheConfig"
      modJk="/home/apache/modules/mod_jk.so" jkDebug="info"
      workersConfig="/home/apache-tomcat-5.5.25/conf/jk/workers.properties"
      jkLog="/home/apache-tomcat-5.5.25/logs/mod_jk.log"/>
{code}
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; after
{code}
<Engine name="Catalina" defaultHost="localhost">
{code}
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; add
{code}
<Listener className="org.apache.jk.config.ApacheConfig" append="true" />
{code}
&nbsp;&nbsp;&nbsp;&nbsp; 8ae. If this is going to be a Web Services servers, disable direct
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; connections to tomcat and force communications to go through apache,
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; by commenting out the port 8080 connector block in server.xml:
{code}
<\!-\-
     <Connector port="8080" maxHttpHeaderSize="8192"
            maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
            enableLookups="false" redirectPort="8443" acceptCount="100"
            connectionTimeout="20000" disableUploadTimeout="true" />
\-->
{code}
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; If this is going to be a Thalia server, skip this step.

&nbsp;&nbsp;&nbsp;&nbsp; 8af. edit tomcat_users.xml, and add the following user definition just above the '</tomcat-users>' line:
{code}
<role rolename="manager"/>
         <user username="tomcat" password="*****" roles="tomcat,manager"/>
{code}
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; be certain to change the password to be the password for the team the server is providing services to.&nbsp; Check with your groups manager to see what the password
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; standards for your group are.&nbsp; Do not cut and paste this password into place, do not use "*****" as a password, etc.
&nbsp;&nbsp;&nbsp; &nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; 8ag. Run the java_home.sh script and start tomcat
{code}
source /etc/profile.d/java_home.sh
/home/apache-tomcat-5.5.25/bin/startup.sh
{code}
&nbsp;&nbsp;&nbsp;&nbsp; 8ah. Tomcat creates a mod_jk.conf file in conf/auto directory the first
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; time is runs.&nbsp; Correct it to point to where mod_jk.so resides

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; change
{code}
LoadModule jk_module "/usr/local/apache/libexec/mod_jk.so"
{code}
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; to
{code}
LoadModule jk_module "/home/apache/modules/mod_jk.so"
{code}
&nbsp; 8b. apache side: edit /home/apache/conf/httpd.conf
&nbsp;&nbsp; edit the following directives:
{code}
ServerRoot "/home/apache" # change to apache home directory
User apache # change from daemon
Group apache # change from daemon
Include conf/extra/httpd-vhosts.conf # Uncomment
Include conf/extra/httpd-ssl.conf # Uncomment
{code}
&nbsp; 8c. add to /home/apache/conf/httpd.conf, near the end of the file,
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; above the 'Include conf/extra/httpd-ssl.conf' directive:
{code}
<IfModule \!mod_rewrite.c>
LoadModule rewrite_module modules/mod_rewrite.so
</IfModule>

<IfModule \!mod_jk.c>
LoadModule jk_module "/home/apache/modules/mod_jk.so"
</IfModule>

JkWorkersFile "/home/apache-tomcat-5.5.25/conf/jk/workers.properties"
JkLogFile "/home/apache-tomcat-5.5.25/logs/mod_jk.log"

JkLogLevel info
{code}
&nbsp; 8d. edit /home/apache/conf/extra/httpd-vhosts.conf to have ONLY one of the
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; following VirtualHost blocks:

&nbsp;&nbsp;&nbsp;&nbsp; 8d1. Thalia:
{code}
NameVirtualHost \*:80

<VirtualHost \*:80>
ServerName \*.isda-thalia2.mit.edu

RewriteEngine On

RewriteCond %{HTTP_HOST}   !^isda-thalia2\.mit\.edu [NC]
RewriteCond %{HTTP_HOST}   !^test\.isda-thalia2\.mit\.edu [NC]
RewriteCond %{HTTP_HOST}   !^demo\.isda-thalia2\.mit\.edu [NC]
RewriteCond %{HTTP_HOST}   !^hst\.isda-thalia2\.mit\.edu [NC]
RewriteCond %{HTTP_HOST}   !^ap\.isda-thalia2\.mit\.edu [NC]
RewriteRule ^/(.*)         [http://isda-thalia2.mit.edu/$1] [L,R]
</VirtualHost>
{code}
&nbsp;&nbsp;&nbsp;&nbsp; 8d2. Web Services:
{code}
<VirtualHost \*:80>
RedirectPermanent [https://isda-ws2.mit.edu/]
</VirtualHost>
{code}
&nbsp; 8e. edit /home/apache/conf/extra/httpd-ssl.conf and alter the following
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; directives:
{code}
# points to directory for static html files
DocumentRoot "/home/apache/htdocs"

# the servername of the server
ServerName isda-ws2.mit.edu:443

# the admins of this server
ServerAdmin dracus@mit.edu,dongq@mit.edu,dtanner@mit.edu

# error log file
ErrorLog /home/apache/logs/error_log

# access log file
TransferLog /home/apache/logs/access_log

# public server certificate
SSLCertificateFile /usr/local/ssl/certs/isda-ws2.pem

# private server certificate
SSLCertificateKeyFile /usr/local/ssl/private/https-key.pem

#certificate path
SSLCACertificatePath /usr/local/ssl/certs

# certificate authority key
SSLCACertificateFile /usr/local/ssl/certs/mitCA.pem

SSLVerifyClient require
SSLVerifyDepth&nbsp; 10
{code}
&nbsp;&nbsp; 8f. add the following after the '<Directory "/home/apache/cgi-bin">'
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; block in /home/apache/conf/extras/httpd-ssl.conf
{code}
SSLOptions \+StdEnvVars \+ExportCertData
{code}
&nbsp;&nbsp; 8g. add the following at the end of /home/apache/conf/extra/httpd-ssl.conf:
{code}
JKMount / ajp13
JKMount /* ajp13

JkMount /manager ajp13
JkMount /manager/* ajp13

JkMount /uaws ajp13
JkMount /uaws/* ajp13

JkMount /webdav ajp13
JkMount /webdav/* ajp13

JkMount /geows ajp13
JkMount /geows/* ajp13

JkMount /servlets-examples ajp13
JkMount /servlets-examples/* ajp13
JkMount /tomcat-docs ajp13
JkMount /tomcat-docs/* ajp13
JkMount /host-manager ajp13
JkMount /host-manager/* ajp13

JkMount /jsp-examples ajp13
JkMount /jsp-examples/* ajp13

JkMount /balancer ajp13
JkMount /balancer/* ajp13

JkMount /mitidws ajp13
JkMount /mitidws/* ajp13
{code}
9. to pass environment variables from apache to tomcat, add the following to
&nbsp;&nbsp; the end of httpd.conf (note, the name for those environment variables might
&nbsp;&nbsp; change between different apache versions. Apache comes with a cgi script in
&nbsp;&nbsp; cgi-bin/printenv. Run this script in your https enabled browser to verify
&nbsp;&nbsp; that these variables still holds).
{code}
JkEnvVar SSL_CLIENT_DN nodefault
JkEnvVar SSL_CLIENT_S_DN_CN nodefault
JkEnvVar SSL_CLIENT_S_DN_Email nodefault
JkEnvVar SSL_CLIENT_S_DN nodefault
JkEnvVar HTTP_ACCEPT_LANGUAGE nodefault
JkEnvVar SSL_CLIENT_CERT none
{code}
10. copy the following files to the noted locations.&nbsp; They should be bundled
&nbsp;&nbsp; with this document:

&nbsp;&nbsp;&nbsp;&nbsp; MitIdService.jar&nbsp;&nbsp; moves to:
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; /home/apache-tomcat-5.5.25/shared/lib

&nbsp;&nbsp;&nbsp;&nbsp; rolesApplicationContext.xml&nbsp;&nbsp; moves to:
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; /home/apache-tomcat-5.5.25/shared/classes

&nbsp;&nbsp;&nbsp;&nbsp; rootauth&nbsp; moves to
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; /root

11. install the web init script into /etc/init.d, and place starter links into
&nbsp;&nbsp;&nbsp; the /etc/rc.d/ runlevel directories.&nbsp; It should be bundled with this
&nbsp;&nbsp;&nbsp; document.

&nbsp; 11a.&nbsp; edit the variables in the top section of the web file to use the
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; directories and binaries correct for this system

&nbsp; 11b.&nbsp; be certain to check if apache is using a httpdctl or apachectl starter
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; program, usually contained in /home/apache/bin, and set the apachectl
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; variable accordingly

&nbsp; 11c.&nbsp; set web to be executable
{code}
chmod a+rx,a-w /etc/init.d/web
{code}
&nbsp; 11d.&nbsp; link startweb and stopweb to the web program, from wherever it is
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; located, and link start scripts in /etc/init.d:
{code}
ln \-s /etc/init.d/web /root/startweb
ln \-s /etc/init.d/web /root/stopweb
ln \-s /etc/init.d/web /etc/rc.d/rc1.d/K15web
ln \-s /etc/init.d/web /etc/rc.d/rc2.d/K15web
ln \-s /etc/init.d/web /etc/rc.d/rc3.d/K15web
ln \-s /etc/init.d/web /etc/rc.d/rc4.d/K15web
ln \-s /etc/init.d/web /etc/rc.d/rc5.d/K15web
ln \-s /etc/init.d/web /etc/rc.d/rc6.d/K15web
ln \-s /etc/init.d/web /etc/rc.d/rc2.d/S15web
ln \-s /etc/init.d/web /etc/rc.d/rc3.d/S15web
ln \-s /etc/init.d/web /etc/rc.d/rc4.d/S15web
ln \-s /etc/init.d/web /etc/rc.d/rc5.d/S15web
{code}
12. Add line to /var/spool/cron/root to cause rootauth to run every 15 min, and
&nbsp;&nbsp;&nbsp; freshen the Kerberos tickets.
{code}
cat >> /var/spool/cron/root
0,15,30,45 * * * * /root/rootauth
\^C
{code}
13. update paths in /etc/profile, by adding the following line in the path
&nbsp;&nbsp;&nbsp; manipulation code block (you can find it by searching for /usr/local/sbin)
{code}
pathmunge /usr/local/bin
pathmunge /usr/kerberos/bin
{code}
14. If this is an upgrade on a server that had previously had a tomcat on it,
&nbsp;&nbsp;&nbsp; there are additional steps to move necessay files and code to the new
&nbsp;&nbsp;&nbsp; directories.

&nbsp; 14a.&nbsp; copy the webapps from the old deploy of tomcat to the new one.&nbsp; Be certain
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; to restart the server if it was running previously.
{code}
cd /home/apache-tomcat-5.5.25
cp \-a geows\* mapws\* mitidws\* uaws\* testcert\* TestRemoteAlfresco\* /home/apache-tomcat-5.5.25/webapps/
{code}
&nbsp;&nbsp;&nbsp; to see the applications deployed on a server that are not part of the
&nbsp;&nbsp;&nbsp; default tomcat install, get a listing of the directory:
{code}
ls \-1 \--hide=balancer \--hide ROOT \--hide=jsp-examples \--hide=servlets-examples \--hide=tomcat-docs \--hide=webdav
{code}
&nbsp; 14b.&nbsp; Move the /home/https/weblib directory into /home
{code}
mv /home/https/weblib/ /home/weblib
ln \-s /home/weblib /home/https/weblib
{code}
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Alternatively, if there is not /home/https/weblib, create a /home/weblib directory
{code}
mkdir /home/weblib
{code}
&nbsp; 14c.&nbsp; Edit /etc/init.d/web to have the following global variable:
{code}
export LD_LIBRARY_PATH=/usr/lib:/home/weblib
{code}
&nbsp; 14d.&nbsp; Restart web services and tomcat
{code}
/etc/init.d/web restart
{code}
15. Install an AFS client, or check that a client is installed.

&nbsp; 15a. Check if an AFS client is installed by looking at the root directory.
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; If a client is installed, the afs directory will be near the top.
{code}
ls \-l /
{code}
&nbsp; 15b. If an AFS client is not installed, download these packages from the MIT
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Athena or Thalia software lockers:
{code}
mit-openafs-setup-1.2-3.noarch.rpm
mit-krb-config-1.0-3.noarch.rpm
mit-openafs-package.patch
{code}
&nbsp; 15c. Use rpm to install these packages, installing the Kerberos
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; configuration package first.
{code}
rpm \-ivh mit-krb-config-1.0-3.noarch.rpm
rpm \-ivh mit-openafs-setup-1.2-3.noarch.rpm
{code}
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Please note: There are no paths in these commands.&nbsp; Store them in a
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; conveinent install directory, and cd to it first.

&nbsp; 15d. Go to the OpenAFS client binary directory and execute the setup It will ask if you want the AFS client to be started at boot time.&nbsp; Type yes.
{code}
cd /opt/mit-openafs-setup/bin
./setup
{code}
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; If system is a SMP (multiprocessor) machine, apply the SMP patch before compiling.
{code}
patch /root/mit-openafs-package.patch
cd /opt/mit-openafs-setup/bin
./setup
{code}
16. Install version of moira that uses Kerberos 5

&nbsp; 16a. upload moira-rhel4-clients.tar.gz onto the server, and untar to /usr/local
{code}
cd /usr/local
tar \-xzvf /root/moira-rhel4-clients.tar.gz
{code}
17. To start and stop tomcat and apache, use the initialization scripts in
&nbsp;&nbsp;&nbsp; /etc/init.d.&nbsp; Be certain to leave them running when you are finished.

&nbsp;&nbsp; starting
{code}
/etc/init.d/web start
{code}
&nbsp;&nbsp; stopping
{code}
/etc/init.d/web stop
{code}