Versions Compared

Old Version 51

changes.mady.by.user Robert A Basch

Saved on

compared with

New Version 52

changes.mady.by.user Robert A Basch

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Current versions of the various httpd configuration files can be obtained in the touchstone locker, in /mit/touchstone/config/idp2-core/httpd/. The changes to the standard stock versions include:

  • Install the server certificate, key, and CA files in /etc/pki/tls/certs/ and /etc/pki/tls/private/, as appropriate, and make sure the paths are correct in ssl.conf, cert-authn.conf, and idp-attr-query.conf. The key file should be readable by only the tomcat user, as the idp webapp also uses it.
  • In /etc/httpd/conf/httpd.conf, set ServerName:
    No Format
    ServerName idp.mit.edu:80
    and set the UseCanonicalName option to On:
    No Format
    UseCanonicalName On
  • Disable the stock "Welcome" page, by commenting out the lines in /etc/httpd/conf.d/welcome.conf
  • In /etc/httpd/conf.d/ssl.conf, set the SSLRandomSeed options:
    No Format
    SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024
    within the VirtualHost block, set the ServerName:
    No Format
    ServerName idp.mit.edu:443
    set the SSL cipher suite:
    No Format
    SSLCipherSuite HIGH:MEDIUM:EXP:!aNULL:!SSLv2:+SHA1:+MD5:+HIGH:+MEDIUM:+EXP
    Install the server certificate, key, and CA files in /etc/pki/tls/certs/ and /etc/pki/tls/private/, as appropriate, and set the paths in ssl.conf:
    No Format
    SSLCertificateFile /etc/pki/tls/certs/idp.mit.edu-cert.pem
SSLCertificateKeyFile /etc/pki/tls/private/idp.mit.edu-key.pem
SSLCertificateChainFile /etc/pki/tls/certs/EquifaxCA.pem
SSLCACertificateFile /etc/pki/tls/certs/mitCAclient.pem
    set the SSL options:
    No Format
    SSLOptions +StrictRequire
    configure custom logging:
    No Format
     CustomLog logs/ssl_request_log \
          "%t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x %{SSL_CLIENT_VERIFY}x \"%r\" %b"
    ensure that all access is via SSL:
    No Format
    <Directory />
    SSLRequireSSL
</Directory>
    ensure that all rewrite rules are inherited:
    No Format
    RewriteEngine On
RewriteOptions inherit
    Install the server certificate, key, and CA files in /etc/pki/tls/certs/ and /etc/pki/tls/private/, as appropriate, and make sure the paths are correct in ssl.conf, cert-authn.conf, and idp-attr-query.conf.
  • Install an HTTP keytab in /etc/httpd/conf/keytab; it must be readable by (only) the apache user. This is used for authentication by HTTP/SPNEGO, as configured in /etc/httpd/conf.d/auth_kerb.conf.
  • Install the server's InCommon certificate and key files in /usr/local/shibboleth-idp/credentials/ – these are used for back-channel attribute queries by InCommon SPs, and are referenced in /etc/httpd/conf.d/idp-attr-query.conf. Make sure that they are readable by tomcat, as the idp webapp also accesses them. Also install the InCommon CA file in /etc/pki/tls/certs.
  • Install these additional conf files from the touchstone locker (/mit/touchstone/config/idp2-core/httpd) in /etc/httpd/conf.d: 
    • auth_kerb.conf
      This configures authentication by HTTP/SPNEGO (replaces version installed by mod_auth_kerb).
    • cert-authn.conf
      This sets up the separate virtual hosts for certificate authentication on ports 446 and 447 (for certificate optional and required, respectively).
    • idp-attr-query.conf
      This sets up the vhosts for back-channel attribute queries on ports 8443 and 8444 (from MIT and InCommon SPs, respectively).
    • idp-rewrite.conf
      This adds various rewrite rules for compatibility, etc.
    • proxy_ajp.conf
      Configures the AJP proxy module for the idp webapp (replaces version installed by httpd).
    • ssl.conf (see above)
    • welcome.conf (see above)
  • SELinux context mappings must be added for the non-standard ports configured for certificate authentication and attribute query, so that httpd can use them: 
     No Format
    # semanage port -a -t http_port_t -p tcp 446
# semanage port -a -t http_port_t -p tcp 447
# semanage port -a -t http_port_t -p tcp 8444

  • Install our standard robots.txt and favicon.ico files in /var/www/html. The robots.txt should disallow all access: 
     No Format
    User-agent: *
Disallow: /

     Current versions of these files may be found in the touchstone locker, in /mit/touchstone/config/htdocs/.
  • Make sure httpd is started at boot time: 
     No Format
    # chkconfig httpd on

...