Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • Install the server certificate, key, and CA files in /etc/pki/tls/certs/ and /etc/pki/tls/private/, as appropriate, and make sure the paths are correct in ssl.conf and idp-attr-query.conf (see below). The key file should be readable by only the tomcat user, as the idp webapp also uses it.
  • In /etc/httpd/conf/httpd.conf, set ServerName:
    No Format
    ServerName idp.touchstonenetwork.net:80
    
    and set the UseCanonicalName option to On:
    No Format
    UseCanonicalName On
    
  • Disable the stock "Welcome" page, by commenting out the lines in /etc/httpd/conf.d/welcome.conf
  • In /etc/httpd/conf.d/ssl.conf, set the SSLRandomSeed options:
    No Format
    SSLRandomSeed startup file:/dev/urandom 1024
    SSLRandomSeed connect file:/dev/urandom 1024
    
    within the VirtualHost block, set the ServerName:
    No Format
    ServerName idp.touchstonenetwork.net:443
    
    set the SSL cipher suite:
    No Format
    SSLCipherSuite HIGH:MEDIUM:EXP:!aNULL:!SSLv2:+SHA1:+MD5:+HIGH:+MEDIUM:+EXP
    
    Install the server certificate, key, and CA files in /etc/pki/tls/certs/ and /etc/pki/tls/private/, as appropriate, and set the paths in ssl.conf:
    No Format
    SSLCertificateFile /etc/pki/tls/certs/idp.touchstonenetwork.net-cert.pem
    SSLCertificateKeyFile /etc/pki/tls/private/idp.touchstonenetwork.net-key.pem
    SSLCertificateChainFile /etc/pki/tls/certs/EquifaxCA.pem
    SSLCACertificateFile /etc/pki/tls/certs/mitCAclient.pem
    
    set the SSL options:
    No Format
    SSLOptions +StrictRequire
    
    configure custom logging:
    No Format
    CustomLog logs/ssl_request_log \
        "%t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x %{SSL_CLIENT_VERIFY}x \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
    
    ensure that all access is via SSL:
    No Format
    <Directory />
        SSLRequireSSL
    </Directory>
    
    ensure that all rewrite rules are inherited:
    No Format
    RewriteEngine On
    RewriteOptions inherit
    
  • Install these additional conf files from the touchstone locker (/mit/touchstone/config/idp2-cams/httpd) in /etc/httpd/conf.d:
    • cams.conf
      This adds configuration to protect Cams application resources appropriately.
    • idp-attr-query.conf
      This sets up the vhosts for back-channel attribute queries on port 8443.
    • idp-rewrite.conf
      This adds various rewrite rules for compatibility, etc.
    • proxy_ajp.conf
      Configures the AJP proxy module for the idp and cams webapps (replaces version installed by httpd).
    • ssl.conf (see above)
    • welcome.conf (see above)
  • Install our standard robots.txt and favicon.ico files in /var/www/html. The robots.txt should disallow all access:
    No Format
    
    User-agent: *
    Disallow: /
    
    Current versions of these files may be found in the touchstone locker, in /mit/touchstone/config/htdocs/.
  • Make sure httpd is started at boot time:
    No Format
    
    # chkconfig httpd on
    
  • Add the following settings to the stock /etc/logrotate.d/httpd configuration file:
    No Format
    
    daily
    rotate 100
    compress
    delaycompress
    
    This will cause the httpd log files in /var/log/httpd/ to be rotated daily and compressed, saving 100 days of old logs (in case we need them for quarterly metrics).

Install JDK and enhanced JCE

  • The IdP uses JDK 1.6; download and install the RPM from Sun, or use the version in the downloads directory in the touchstone locker (jdk-6uNN-linux-amd64.rpm, where NN is the update number):
    No Format
    # rpm -Uvh jdk-6uNN-linux-amd64.rpm
    

...