Note: These directions are not complete, and may contain errors. If you encounter an omission or error, please correct this document.
- Request Server Ops setup the standard system user configuration on this system. This will include groups and system users for logs, www, and db.
- Download the following software from the ISDA software repository onto the system being configured:
httpd-2.2.4.tar.gz php-5.2.3.tar.gz MySQL/MySQL-*community-5.0.45-0.rhel4.i386.rpm MySQL/my.cnf mod_authz_mitgroup/mod_authz_mitgroup_rhel4.c
- If this is a RHEL 5 system, use the native Apache and PHP installs. Link the config directories into place. Download these additional RPMs.
mkdir /home/www/apache-2.2.3 ls -s /home/www/apache-2.2.3 /home/www/apache scp -r root@trogdor:/opt/software-repository-tmp/Apache/config-files/conf \ root@trogdor:/opt/software-repository-tmp/Apache/config-files/logs \ root@trogdor:/opt/software-repository-tmp/Apache/config-files/htdocs \ root@trogdor:/opt/software-repository-tmp/Apache/config-files/icons \ root@trogdor:/opt/software-repository-tmp/Apache/config-files/man* \ /home/www/apache chown -R www:www /home/www ln -s /etc/httpd /home/www/apache ln -s /usr/lib64/httpd/modules /home/www/apache/modules
- If this is a RHEL 5 system, use the native Apache and PHP installs. Link the config directories into place. Download these additional RPMs.
- If the current version of MySQL is below 5.0, remove it and install a more current version.
/etc/init.d/mysql stop rpm -ev cyrus-sasl-sql-2.1.19-5.EL4.i386 rpm -ev dovecot-0.99.11-4.EL4.i386 rpm -ev mysql-4.1.20-1.RHEL4.1.i386 rpm -ev mysqlclient10-3.23.58-4.RHEL4.1.i386 rpm -ivh MySQL-client-community-5.0.45-0.rhel4.i386.rpm rpm -ivh MySQL-test-community-5.0.45-0.rhel4.i386.rpm rpm -ivh MySQL-devel-community-5.0.45-0.rhel4.i386.rpm rpm -ivh MySQL-server-community-5.0.45-0.rhel4.i386.rpm
- Stop the MySQL server and reconfigure my.cnf. The MySQL server startups as part of the rpm install process.
/etc/init.d/mysql stop mv /var/lib/mysql /home/db chown -R db:db /home/db cd /etc/ cp /root/my.cnf . /etc/init.d/mysql start
- Be certain to use the my.cnf file from the ISDA software repository, as it sets the database user to be 'db' (and not the default 'mysql'), and put the home and data directories into /home/db.
- Install OpenSSL and setup certificates.
mkdir /home/www/tmp cd /home/www/tmp tar -xzvf /root/openssl-0.9.8a.tar.gz cd openssl-0.9.8a ./config --prefix=/home/www/ssl --openssldir=/home/www/ssl make make install
- Setup certificates
- get the mitca at http://ca.mit.edu/mitClient.crt and save it as /usr/local/ssl/certs/mitClient.crt
- convert mitCA.crt to pem format:
openssl x509 -in /home/www/ssl/certs/mitClient.crt -inform DER -outform PEM -out /home/www/ssl/certs/mitCA.pem
- Generate rsa key. This simply generates some random stuff:
ps > /tmp/foo ps -elf >> /tmp/foo cd /home/www/ssl/bin ./openssl genrsa -rand /tmp/foo 1024 >/home/www/ssl/private/`hostname`-key.pem
- Generate request for a certificatecd /home/www/ssl/bin
send the file /usr/local/ssl/certs/`hostname`-req.pem to mitcert@mit.edu,
./openssl req -key /home/www/ssl/private/`hostname`-key.pem -new \ >../certs/`hostname`-req.pem
- Please be aware, the organization (O) is Massachusetts Institute of Technology and the common name (CN) is the name of the server or service, including the domain name (.mit.edu). Also, some servers, such as Thalia servers, can represent an entire subdomain. These servers will need certificates issued with a wildcard in the domain name, such as *.isda-thalia-1.mit.edu.
Remember, if the server is a Thalia server, if will need a wildcard certificate and DNS record for *.[hostname], and if it is doing any type of authentication, it will need a joint client/server certificate to be able to connect to the Shibboleth server (and have end users connect to it as well).
- To generate a self signed temporary certificate, add the x509 and nodes options to the openssl command line.
cd /home/www/ssl/bin ./openssl req \-key /home/www/ssl/private/`hostname`-key.pem \-new \ \-x509 \-nodes >../certs/`hostname`-temp.cert
- When you receive a certificate from MIT Certificates, save it as /home/www/ssl/certs/`hostname`-cert.pem
- to look at a request:
openssl req \-in ./req.pem \-text
- to look at the private key:
openssl rsa \-in /home/www/ssl/private/`hostname`-key.pem \-text
- to look at the server certificate:
openssl x509 \-in /home/www/ssl/certs/`hostname`-cert.pem \-text
- to look at a request:
- Install Apache. If you are using RHEL 5, skip this step.
cd /home/www/tmp tar -xzvf /root/httpd-2.2.4.tar.gz cd httpd-2.2.4 ./configure --prefix=/home/www/apache-2.2.4 --enable-ssl \ --with-ssl=/home/www/ssl \ --enable-modules="most mod_rewrite" --enable-so make make install ln -s /home/www/apache-2.2.4 /home/www/apache
- Set up PHP. If you are using RHEL 5, skip this step.
cd /home/www/tmp tar -xzvf /root/php-5.2.3.tar.gz cd php-5.2.3 ./configure --with-mysql --with-kerberos=/usr/kerberos --prefix=/home/www/php-5.2.0 --with-apxs2=/home/www/apache-2.2.4/bin/apxs \ --enable-fastcgi --enable-magic-quotes --with-openssl --with-mysql-sock=/home/db/mysql/mysql.sock --with-mysqli --enable-sockets --enable-soap \ --with-openssl-dir=/home/www/ssl --with-pear=/usr/share/pear make make install ln -s php-5.2.0 php
- Configure Apache
- edit /home/www/apache/conf/httpd.conf
- edit the following directives:
ServerRoot "/home/www/apache" # change to apache home directory User www # change from daemon Group www # change from daemon Include conf/extra/httpd-vhosts.conf # Uncomment Include conf/extra/httpd-ssl.conf # Uncomment
- add to /home/www/apache/conf/httpd.conf, and the bottom of the other includes:
# PHP module includes LoadModule php5_module modules/libphp5.so AddHandler php5-script .php AddType text/html .php DirectoryIndex index.php #AddType application/x-httpd-php-source .phps
- edit the following directives:
- edit /home/www/apache/conf/extra/httpd-vhosts.conf to have ONLY one of the following VirtualHost blocks:
<VirtualHost *:80> RewriteEngine On RewriteRule \^/(.*) [https://finniganfen.mit.edu/$1] [L,R] </VirtualHost>
- To prevent some web pages from being redirected to https, add an escape clause between "RewriteEngine On" and the RewriteRule:
RewriteCond %{REQUEST_URI} !/WarehouseService
- To prevent some web pages from being redirected to https, add an escape clause between "RewriteEngine On" and the RewriteRule:
- edit /home/www/apache/conf/extra/httpd-ssl.conf and alter the following directives:
# points to directory for static html files DocumentRoot "/home/www/apache/htdocs" # the servername of the server ServerName gybe.mit.edu:443 # the admins of this server ServerAdmin map-support@mit.edu # error log file ErrorLog /home/www/apache/logs/error_log # access log file TransferLog /home/www/apache/logs/access_log # public server certificate SSLCertificateFile /usr/local/ssl/certs/gybe.mit.edu.pem # private server certificate SSLCertificateKeyFile /usr/local/ssl/private/https-key.pem #certificate path SSLCACertificatePath /usr/local/ssl/certs # certificate authority key SSLCACertificateFile /usr/local/ssl/certs/mitCA.pem SSLVerifyClient require SSLVerifyDepth 10
- add the following after the '<Directory "/home/www/apache/cgi-bin">' block in /home/www/apache/conf/extras/httpd-ssl.conf
SSLOptions +StdEnvVars +ExportCertData
- edit /home/www/apache/conf/httpd.conf