generic web server setup

Note: Next revision cycle, start building everything into
$HOME/[app]-[version#] and creating a symlink to $HOME/[app] so that there is
no question about what the current, in use, directory is.

Note: When downloading software to install in these instructions, always
download the source code, and avoid binary installers. Binary installers tend
to make inaccurate assumptions about what libraries you have installed on your
system, as well as other problems.

1. download openssl 0.9.8a source from http://www.openssl.org/source/. follow
   the instruction in the INSTALL document, compile and install the
   binaries. the default location is /usr/local/ssl. If you want to change it,
   run config like this:

   cd /opt
   tar -xzvf /root/openssl-0.9.8a.tar.gz
   cd openssl-0.9.8a
   ./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl
   make
   make install

2. set up certificates:

2a: get the mitca at http://mv.ezproxy.com.ezproxyberklee.flo.org/mitClient.crt and save it as
/usr/local/ssl/certs/mitClient.crt

2b: convert mitCA.crt to pem format:

openssl x509 -in /usr/local/ssl/certs/mitClient.crt -inform DER -outform \
PEM -out /usr/local/ssl/certs/mitCA.pem

2c: Generate rsa key

This simply generates some random stuff:

    ps > /tmp/foo
    ps -elf >> /tmp/foo
    cd /usr/local/ssl/bin
    ./openssl genrsa -rand /tmp/foo 1024 >/usr/local/ssl/private/`hostname`-key.pem

2d: Generate request for a certificate
---------------------------------

    cd /usr/local/ssl/bin
    ./openssl req -key /usr/local/ssl/private/`hostname`-key.pem -new \
        >../certs/`hostname`-req.pem

send the file /usr/local/ssl/certs/`hostname`-req.pem to mitcert@mit.edu,

      Please be aware, the organization (O) is Massachusetts Institute of
      Technology and the common name (CN) is the name of the server or
      service, including the domain name (.mit.edu). Also, some servers, such
      as Thalia servers, can represent an entire subdomain. These servers
      will need certificates issued with a wildcard in the domain name, such
      as *.isda-thalia-1.mit.edu.

   Remember, if the server is a Thalia server, if will need a wildcard
   certificate and DNS record for *.[hostname], and if it is doing any type of
   authentication, it will need a joint client/server certificate to be able
   to connect to the Shibboleth server (and have end users connect to it as
   well).

2db. To generate a self signed temporary certificate, add the x509 and
nodes options to the openssl command line.

     cd /usr/local/ssl/bin
     ./openssl req -key /usr/local/ssl/private/`hostname`-key.pem -new \
       -x509 -nodes >../certs/`hostname`-temp.cert

2e:When you receive a certificate from MIT Certificates, save it as
/usr/local/ssl/certs/`hostname`-cert.pem

2f: to look at a request:
openssl req -in ./req.pem -text
to look at the private key:
openssl rsa -in /usr/local/ssl/private/`hostname`-key.pem -text
to look at the server certificate:
openssl x509 -in /usr/localx/ssl/certs/`hostname`-cert.pem -text

3 set up apache-ssl
3a: download Apache 2.2.4 from apache archive site at
http://archive.apache.org/dist/httpd/

3b: Unpack apache 2.2.4 (tar -xzvf) and do "cd httpd-2.2.4"

      cd /opt
      tar -xzvf /root/httpd-2.2.4.tar.gz
      cd httpd-2.2.4

3c. compile apache following the instruction in the INSTALL file.
To enable the SSL, do the following:

      ./configure --prefix=/home/apache --enable-ssl \
       --with-ssl=/usr/local/ssl \
       --enable-modules="most mod_rewrite"
      make
      make install

3d. create logfile directory

mkdir /var/log/apache
chown apache:apache /var/log/apache

4. set up mod-jk

4a. download mod-jk 1.2.21 source (previous versions have a security hole
that could allow a remote attacker to execute arbitary code) from
http://tomcat.apache.org/connectors-doc/.

      cd /opt
      tar -xzvf /root/tomcat-connectors-1.2.21-src.tar.gz
      cd tomcat-connectors-1.2.21-src

4b. build and install binaries according to BUILD.txt. apxs is at
/home/apache/bin/apxs. mod_jk.so will be put at /home/apache/modules

      cd native
      ./configure --with-apxs=/home/apache/bin/apxs --enable-ssl
      make
      make install

5. install jdk 1.6 which is required by tomcat 5.5.23

5a. download jdk 1.6 binary at
http://java.sun.com/javase/downloads/index.jsp

5b. You may need to set the binary file to be executable:

chmod u+x,u-w jdk-6-linux-i586.bin

   5c. execute the binary installer as root. If it produces a rpm file,
       use rpm -ivh to install it. If you downloaded the straight binary
       installer, move to a directory with installed software, such as
       /usr/local. Also, you will need to page through a licensing agreement
       and type yes to accept it.

       cd /usr/local
       /root/jdk-6-linux-i586.bin

or

./jdk-6-linux-i586-rpm.bin
rpm -ivh jdk-6-linux-i586

   5d. create a file in /etc/profile.d named java_home.sh. It should contain
        a line exporting a variable pointing to the Java home directory. Then
        make this file world executable.:

       cat > /etc/profile.d/java_home.sh
       export JAVA_HOME=/usr/local/jdk1.6.0
       ^C
       chmod a+xr,a-w /etc/profile.d/java_home.sh

6. install tomcat

6a. download apache-tomcat-5.5.23.tar.gz from:
http://tomcat.apache.org/download-55.cgi

6b. unzip and untar (gunzip , tar -xvf) into your working
directory, such as /home

       cd /home
       tar -xzvf /root/apache-tomcat-5.5.23.tar.gz
       cd apache-tomcat-5.5.23

7. If this server is going to authenticate users to a Shibboleth server (does
WebSSO authentication), then download and install the software needed for
Shibboleth from http://shibboleth.internet2.edu/downloads/:

7a. http://shibboleth.internet2.edu/downloads/log4cpp-0.3.5rc1.tar.gz
      http://shibboleth.internet2.edu/downloads/opensaml-1.1.tar.gz
      http://shibboleth.internet2.edu/downloads/shibboleth-sp-1.3.tar.gz
      http://shibboleth.internet2.edu/downloads/xerces-c-src_2_6_1.tar.gz
      http://xml.apache.org/security/dist/c-library/xml-security-c-1.3.1.tar.gz
      http://curl.haxx.se/download/curl-7.16.2.tar.gz

7b. Set up cURL:

      cd /opt
      tar -xzvf /root/curl-7.16.2.tar.gz
      cd curl-7.16.2/

./configure --disable-static --without-ca-bundle --enable-thread \
--prefix=/home/shibboleth-sp

make
make install

7b. Set up log4Cpp (a logger simialr to log4j):

      cd /opt
      tar -xzvf /root/log4cpp-0.3.5rc1.tar.gz
      cd log4cpp-0.3.5rc1

./configure --disable-static --disable-doxygen \
--prefix=/home/shibboleth-sp

make
make install

7c. Set up XercesC:

      cd /opt
      tar -xzvf /root/xerces-c-src_2_6_1.tar.gz
      cd xerces-c-src_2_6_1

      cat > /etc/profile.d/xerces_home.sh
      export XERCESCROOT=/opt/xerces-c-src_2_6_1
      ^C

chmod a+x,a-w /etc/profile.d/xerces_home.sh
. /etc/profile.d/xerces_home.sh

cd $XERCESCROOT/src/xercesc
autoconf

      ./runConfigure -p linux -c gcc -x g++ -r pthread -b 32 -P /home/shibboleth-sp
      make
      make install

7d. Set up XmlSecurityC:

      cd /opt
      tar -xzvf /root/xml-security-c-1.3.1.tar.gz
      cd xml-security-c-1.3.1

      ./configure --prefix=/home/shibboleth-sp --without-xalan
      make
      make install

7e. Set up OpenSAML:

      cd /opt
      tar -xvzf /root/opensaml-1.1.tar.gz
      cd cd opensaml-1.1

./configure --with-curl=/home/shibboleth-sp \
--with-log4cpp=/home/shibboleth-sp --prefix=/home/shibboleth-sp -C

make
make install

7f. Set up Shibboleth:

      cd /opt
      tar -xzvf /root/shibboleth-sp-1.3.tar.gz
      cd shibboleth-1.3

      ./configure --with-saml=/home/shibboleth-sp \
        --with-log4cpp=/home/shibboleth-sp --enable-apache-22 \
        --with-apxs22=/home/apache/bin/apxs --prefix=/home/shibboleth-sp -C \
        --with-apr1=/home/apache/bin/apr-1-config

make
make install

7g. Additional information about shibboleth at MIT is available at:

https://wikis-mit-edu.ezproxyberklee.flo.org/confluence/display/ZEST/Building+Shibboleth+SP+on+Linux

8. Do the configuration:

8a. Tomcat part: cd into the tomcat home directory

cd /home/apache-tomcat-5.5.23

8aa. enter the conf directory and create a jk directory

         cd conf
         mkdir jk
         cd jk

8ab. copy the workers.properties file from
/opt/tomcat-connectors-1.2.21-src/conf and put it in conf/jk

cp /opt/tomcat-connectors-1.2.21-src/conf/workers.properties \
/home/apache-tomcat-5.5.23/conf/jk

8ac. make certain the following directives in workers.properties are set:

workers.tomcat_home=/home/apache-tomcat-5.5.23
workers.java_home=/usr/local/jdk1.6.0
ps=/
worker.list=ajp13
worker.ajp13.port=8009
worker.ajp13.host=localhost
worker.ajp13.type=ajp13
worker.ajp13.lbfactor=1
worker.loadbalancer.type=lb
worker.loadbalancer.balanced_workers= ajp13

     8ad. edit conf/server.xml and add the following:

after <Server port="8005" shutdown="SHUTDOWN">
add

after <Engine name="Catalina" defaultHost="localhost">
add

     8ae. If this is going to be a Web Services servers, disable direct
          connections to tomcat and force communications to go through apache,
          by commenting out the port 8080 connector block in server.xml:

If this is going to be a Thalia server, skip this step.

8af. edit tomcat_users.xml, and add the following user definition just
above the '</tomcat-users>' line:

be certain to change the password to be the password for the team
the server is providing services to.

8ag. Run the java_home.sh script and start tomcat

source /etc/profile.d/java_home.sh
/home/apache-tomcat-5.5.23/bin/startup.sh

8ah. Tomcat creates a mod_jk.conf file in conf/auto directory the first
time is runs. Correct it to point to where mod_jk.so resides

       change
           LoadModule jk_module "/usr/local/apache/libexec/mod_jk.so"

       to
           LoadModule jk_module "/home/apache/modules/mod_jk.so"

8b. apache side: edit /home/apache/conf/httpd.conf
edit the following directives:

   ServerRoot "/home/apache"     # change to apache home directory
   User apache         # change from daemon
   Group apache        # change from daemon
   Include conf/extra/httpd-vhosts.conf     # Uncomment
   Include conf/extra/httpd-ssl.conf        # Uncomment

8c. add to /home/apache/conf/httpd.conf, near the end of the file,
above the 'Include conf/extra/httpd-ssl.conf' directive:

     <IfModule !mod_rewrite.c>
        LoadModule rewrite_module modules/mod_rewrite.so
     </IfModule>

     <IfModule !mod_jk.c>
        LoadModule jk_module "/home/apache/modules/mod_jk.so"
     </IfModule>

JkWorkersFile "/home/apache-tomcat-5.5.23/conf/jk/workers.properties"
JkLogFile "/var/log/apache/mod_jk.log"

JkLogLevel info

8d. edit /home/apache/conf/extra/httpd-vhosts.conf to have ONLY one of the
following VirtualHost blocks:

8d1. Thalia:

NameVirtualHost *:80

<VirtualHost *:80>
ServerName *.isda-thalia2.mit.edu

RewriteEngine On

RewriteCond %

Unknown macro: {HTTP_HOST}

!^isda-thalia2\.mit\.edu [NC]
RewriteCond %

!^test\.isda-thalia2\.mit\.edu [NC]
RewriteCond %

Unknown macro: {HTTP_HOST}

!^demo\.isda-thalia2\.mit\.edu [NC]
RewriteCond %

!^hst\.isda-thalia2\.mit\.edu [NC]
RewriteCond %

Unknown macro: {HTTP_HOST}

!^ap\.isda-thalia2\.mit\.edu [NC]
RewriteRule ^/(.*) http://mv.ezproxy.com.ezproxyberklee.flo.org/$1 [L,R]

</VirtualHost>

8d2. Web Services:

       <VirtualHost *:80>
         RedirectPermanent   /    https://mv-ezproxy-com.ezproxyberklee.flo.org/
       </VirtualHost>

8e. edit /home/apache/conf/extra/httpd-ssl.conf and alter the following
directives:

         DocumentRoot "/home/apache-tomcat-5.5.23/webapps"
                   # points to directory with tomcat webapps
         ServerName isda-ws2.mit.edu:443
                   # the servername of the server
         ServerAdmin dracus@mit.edu,dongq@mit.edu,dtanner@mit.edu
                   # the admins of this server
         ErrorLog /var/log/apache/error_log
                   # error log file
         TransferLog /var/log/apache/access_log
                   # access log file
         SSLCertificateFile /usr/local/ssl/certs/isda-ws2.pem
                   # public server certificate
         SSLCertificateKeyFile /usr/local/ssl/private/https-key.pem
                   # private server certificate
         SSLCACertificatePath /usr/local/ssl/certs
                   #certificate path
         SSLCACertificateFile /usr/local/ssl/certs/mitCA.pem
                   # certificate authority key
         SSLVerifyClient require
         SSLVerifyDepth 10

8f. add the following after the '<Directory "/home/apache/cgi-bin">'
block in /home/apache/conf/extras/httpd-ssl.conf

SSLOptions +StdEnvVars +ExportCertData

   8g. add the following at the end of
    /home/apache/conf/extra/httpd-ssl.conf:

     JKMount / ajp13
     JKMount /* ajp13

JkMount /manager ajp13
JkMount /manager/* ajp13

JkMount /uaws ajp13
JkMount /uaws/* ajp13

JkMount /webdav ajp13
JkMount /webdav/* ajp13

JkMount /geows ajp13
JkMount /geows/* ajp13

JkMount /servlets-examples ajp13
JkMount /servlets-examples/* ajp13

JkMount /tomcat-docs ajp13
JkMount /tomcat-docs/* ajp13

JkMount /host-manager ajp13
JkMount /host-manager/* ajp13

JkMount /jsp-examples ajp13
JkMount /jsp-examples/* ajp13

JkMount /balancer ajp13
JkMount /balancer/* ajp13

JkMount /mitidws ajp13
JkMount /mitidws/* ajp13

9. to pass environment variables from apache to tomcat, add the following to
   the end of httpd.conf (note, the name for those environment variables might
   change between different apache versions. Apache comes with a cgi script in
   cgi-bin/printenv. Run this script in your https enabled browser to verify
   that these variables still holds).

JkEnvVar SSL_CLIENT_DN nodefault
JkEnvVar SSL_CLIENT_S_DN_CN nodefault
JkEnvVar SSL_CLIENT_S_DN_Email nodefault
JkEnvVar SSL_CLIENT_S_DN nodefault
JkEnvVar HTTP_ACCEPT_LANGUAGE nodefault
        JkEnvVar SSL_CLIENT_CERT none

10. copy the following files to the noted locations. They should be bundled
with this document:

MitIdService.jar moves to:
/home/apache-tomcat-5.5.23/shared/lib

rolesApplicationContext.xml moves to:
/home/apache-tomcat-5.5.23/shared/classes

rootauth moves to
/root

11. install the web init script into /etc/init.d, and place starter links into
the /etc/rc.d/ runlevel directories. It should be bundled with this
document.

11a. edit the variables in the top section of the web file to use the
directories and binaries correct for this system

11b. be certain to check if apache is using a httpdctl or apachectl starter
program, usually contained in /home/apache/bin, and set the apachectl
variable accordingly

11c. set web to be executable

chmod a+rx,a-w /etc/init.d/web

11d. link startweb and stopweb to the web program, from wherever it is
located, and link start scripts in /etc/init.d:

        ln -s /etc/init.d/web /root/startweb
        ln -s /etc/init.d/web /root/stopweb
        ln -s /etc/init.d/web /etc/rc.d/rc1.d/K15web
        ln -s /etc/init.d/web /etc/rc.d/rc2.d/K15web
        ln -s /etc/init.d/web /etc/rc.d/rc3.d/K15web
        ln -s /etc/init.d/web /etc/rc.d/rc4.d/K15web
        ln -s /etc/init.d/web /etc/rc.d/rc5.d/K15web
        ln -s /etc/init.d/web /etc/rc.d/rc6.d/K15web
        ln -s /etc/init.d/web /etc/rc.d/rc2.d/S15web
        ln -s /etc/init.d/web /etc/rc.d/rc3.d/S15web
        ln -s /etc/init.d/web /etc/rc.d/rc4.d/S15web
        ln -s /etc/init.d/web /etc/rc.d/rc5.d/S15web

12. Add line to /var/spool/cron/root to cause rootauth to run every 15 min, and
freshen the Kerberos tickets.

    cat >> /var/spool/cron/root
    0,15,30,45 * * * * /root/rootauth
    ^C

13. update paths in /etc/profile, by adding the following line in the path
manipulation code block (you can find it by searching for /usr/local/sbin)

pathmunge /usr/local/bin

14. If this is an upgrade on a server that had previously had a tomcat on it,
there are additional steps to move necessay files and code to the new
directories.

14a. copy the webapps from the old deploy of tomcat to the new one. Be certain
to restart the server if it was running previously.

cd /home/apache-tomcat-5.5.20

cp -a geows* mapws* mitidws* uaws* testcert* TestRemoteAlfresco* \
/home/apache-tomcat-5.5.23/webapps/

to see the applications deployed on a server that are not part of the
default tomcat install, get a listing of the directory:

ls -1 --hide=balancer --hide ROOT --hide=jsp-examples \
--hide=servlets-examples --hide=tomcat-docs --hide=webdav

14b. Move the /home/https/weblib directory into /home

mv /home/https/weblib/ /home/weblib
ln -s /home/weblib /home/https/weblib

Alternatively, if there is not /home/https/weblib, create a
/home/weblib directory

mkdir /home/weblib

14c. Edit /etc/init.d/web to have the following global variable:

export LD_LIBRARY_PATH=/usr/lib:/home/weblib

14d. Restart web services and tomcat

/etc/init.d/web restart

15. Install an AFS client, or check that a client is installed.

15a. Check if an AFS client is installed by looking at the root directory.
If a client is installed, the afs directory will be near the top.

ls -l /

15b. If an AFS client is not installed, download these packages from the MIT
Athena or Thalia software lockers:

mit-openafs-setup-1.2-3.noarch.rpm
mit-krb-config-1.0-3.noarch.rpm

15c. Use rpm to install these packages, installing the Kerberos
configuration package first.

rpm -ivh mit-krb-config-1.0-3.noarch.rpm
rpm -ivh mit-openafs-setup-1.2-3.noarch.rpm

Please note: There are no paths in these commands. Store them in a
conveinent install directory, and cd to it first.

15d. Go to the OpenAFS client binary directory and execute the setup
script. It will ask if you want the AFS client to be started at boot
time. Type yes.

cd /opt/mit-openafs-setup/bin
./setup

16. Install version of moira that uses Kerberos 5

16a. upload moira-rhel4-clients.tar.gz onto the server, and untar to
/usr/local

cp /usr/local
tar -xzvf /root/moira-rhel4-clients.tar.gz

17. To start and stop tomcat and apache, use the initialization scripts in
/etc/init.d. Be certain to leave them running when you are finished.

starting
/etc/init.d/web start

stopping
/etc/init.d/web stop

Child pages

generic web server setup