This page is under construction
Executive Summary
Install and configure Apache httpd
Install needed RPMs
- Use stock httpd RPM install (standard NIST install)
- Install mod_ssl and mod_auth_kerb RPMs:
# yum install mod_ssl
Configure
Install JDK and enhanced JCE
- The IdP uses JDK 1.6; download and install the RPM from Sun, or use the version in the downloads directory in the touchstone locker (jdk-6uNN-linux-amd64.rpm, where NN is the update number):
# rpm -Uvh jdk-6uNN-linux-amd64.rpm
- To support additional cryptographic algorithms used by the IdP, download and install the Bouncy Castle JCE jar file (http://polydistortion.net/bc/index.html) in the lib/ext directory of the JRE (/usr/java/latest/jre/lib/ext/). For example (replace the file version number as needed):
  # cd /usr/java/latest/jre/lib/ext
  # cp /path/to/bcprov-jdk16-145.jar .
  Add it as a provider in the JRE's lib/security/java.security, e.g. (replace 9 with the next sequential provider number as needed):
  security.provider.9=org.bouncycastle.jce.provider.BouncyCastleProvider
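The JRE reads security.provider.1, .2, ... and stops at the first number that is missing, so a gap or a duplicate in the numbering silently drops every provider after it. The following POSIX sh helper is an added example (not from the Touchstone page) that checks the numbering is consecutive and appends the Bouncy Castle line at the next free slot; the java.security path is passed as an argument.

```shell
#!/bin/sh
# Added example: register the Bouncy Castle JCE provider in java.security
# at the next sequential number, refusing to write if the existing
# numbering already has a gap or duplicate (the JRE would ignore later
# providers in that case).

BC_CLASS="org.bouncycastle.jce.provider.BouncyCastleProvider"

# Print the highest provider number in the file after verifying that the
# numbers run 1, 2, 3, ... with no gaps or repeats.  Returns 1 on a problem.
highest_provider() {
    file="$1"
    n=0
    for i in $(sed -n 's/^security\.provider\.\([0-9][0-9]*\)=.*/\1/p' "$file" | sort -n); do
        n=$((n + 1))
        if [ "$i" -ne "$n" ]; then
            echo "java.security: expected security.provider.$n, found $i" >&2
            return 1
        fi
    done
    echo "$n"
}

# Append the Bouncy Castle provider at the next free number.
# Prints the number used, or "already registered" if the line exists.
add_bc_provider() {
    file="$1"
    if grep -q "^security\.provider\.[0-9]*=${BC_CLASS}\$" "$file"; then
        echo "already registered"
        return 0
    fi
    last=$(highest_provider "$file") || return 1
    next=$((last + 1))
    printf 'security.provider.%d=%s\n' "$next" "$BC_CLASS" >> "$file"
    echo "$next"
}
```

Run it as `add_bc_provider /usr/java/latest/jre/lib/security/java.security` after copying the jar into lib/ext.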
- To support use of crypto key sizes larger than 2048 bits, we also add the Unlimited Strength Security Policy to the JVM. Download jce_policy-6.zip from the locker downloads directory, or from Sun (http://java.sun.com/javase/downloads/index.jsp, "Other Downloads" section at the bottom). Unzip the policy zip file and copy local_policy.jar and US_export_policy.jar into the JRE's lib/security directory (replacing the versions installed from the JDK RPM):
  # cd /tmp
  # unzip /path/to/jce_policy-6.zip
  # cd jce
  # cp *.jar /usr/java/latest/jre/lib/security/
- The MIT CA certificates must be added to the certificate trust store. This can be done by downloading and adding them explicitly to the JRE cacerts trust store, as follows (the password for the trust store is "changeit"; answer "yes" to the "Trust this certificate?" prompt):
  # wget 'http://mv.ezproxy.com.ezproxyberklee.flo.org/mitca.crt'
  # wget 'http://mv.ezproxy.com.ezproxyberklee.flo.org/mitClient.crt'
  # setenv JAVA_HOME /usr/java/latest
  # cd $JAVA_HOME/jre/lib/security
  # cp -p cacerts cacerts.orig
  # $JAVA_HOME/bin/keytool -import -keystore cacerts -alias mitca -file /path/to/mitca.crt
  # $JAVA_HOME/bin/keytool -import -keystore cacerts -alias mitclientca -file /path/to/mitClient.crt
  An already-updated cacerts store is available in the touchstone locker, in /mit/touchstone/config/java.
- For convenience, install shell profile scripts in /etc/profile.d that define JAVA_HOME, e.g.:
  java.csh:
    setenv JAVA_HOME /usr/java/default
    if ( "${path}" !~ *${JAVA_HOME}/bin* ) then
        set path = ( ${JAVA_HOME}/bin $path )
    endif
  java.sh:
    export JAVA_HOME=/usr/java/default
    if ! echo $PATH | grep -q ${JAVA_HOME}/bin ; then
        export PATH=${JAVA_HOME}/bin:$PATH
    fi