...
- In /etc/httpd/conf.d/ssl.conf, set the
SSLRandomSeedoptions:
within theNo Format SSLRandomSeed startup file:/dev/urandom 1024 SSLRandomSeed connect file:/dev/urandom 1024
VirtualHostblock, set the ServerName:
set the SSL cipher suite:No Format ServerName idp.mit.edu:443
Install the server certificate, key, and CA files inNo Format SSLCipherSuite HIGH:MEDIUM:EXP:!aNULL:!SSLv2:+SHA1:+MD5:+HIGH:+MEDIUM:+EXP
/etc/pki/tls/certs/and/etc/pki/tls/private/, as appropriate, and set the paths inssl.conf:
set the SSL options:No Format SSLCertificateFile /etc/pki/tls/certs/idp-staging.mit.edu-cert.pem SSLCertificateKeyFile /etc/pki/tls/private/idp-staging.mit.edu-key.pem SSLCertificateChainFile /etc/pki/tls/certs/EquifaxCA.pem SSLCACertificateFile /etc/pki/tls/certs/mitCAclient.pem
configure custom logging:No Format SSLOptions +StrictRequire
ensure that all access is via SSL:No Format CustomLog logs/ssl_request_log \ "%t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x %{SSL_CLIENT_VERIFY}x \"%r\" %b"
ensure that all rewrite rules are inherited:No Format <Directory /> SSLRequireSSL </Directory>No Format RewriteEngine On RewriteOptions inherit
- Install an HTTP keytab in /etc/httpd/conf/keytab; it must be readable by (only) the apache user. This is used for authentication by HTTP/SPNEGO, as configured in /etc/httpd/conf.d/auth_kerb.conf; install this .conf file from the touchstone locker, /mit/touchstone/config/idp2-core/auth_kerb.con.
- Disable the stock "Welcome" page, by commenting out the lines in
/etc/httpd/conf.d/welcome.conf - Install our standard
robots.txtandfavicon.icofiles in/var/www/html. The robots.txt should disallow all access:
Current versions of these files may be found in the touchstone locker, inNo Format User-agent: * Disallow: /
/mit/touchstone/config/htdocs/. - Make sure httpd is started at boot time:
No Format # chkconfig httpd on
...