
This page is under construction

Executive Summary

Install and configure Apache httpd

Install needed RPMs
  • Use stock httpd RPM install (standard NIST install)
  • Install the mod_ssl and mod_auth_kerb RPMs:
    # yum install mod_ssl mod_auth_kerb
    
Configure

Current versions of the various httpd configuration files can be obtained in the touchstone locker, in /mit/touchstone/config/idp2-cams/httpd/.

  • Install the server certificate, key, and CA files in /etc/pki/tls/certs/ and /etc/pki/tls/private/, as appropriate, and make sure the paths are correct in ssl.conf and idp-attr-query.conf (see below). The key file should be readable by only the tomcat user, as the idp webapp also uses it.
  • In /etc/httpd/conf/httpd.conf, set ServerName:
    ServerName idp.touchstonenetwork.net:80
    
    and set the UseCanonicalName option to On:
    UseCanonicalName On
    
  • Disable the stock "Welcome" page, by commenting out the lines in /etc/httpd/conf.d/welcome.conf
  • In /etc/httpd/conf.d/ssl.conf, set the SSLRandomSeed options:
    SSLRandomSeed startup file:/dev/urandom 1024
    SSLRandomSeed connect file:/dev/urandom 1024
    
    within the VirtualHost block, set the ServerName:
    ServerName idp.touchstonenetwork.net:443
    
    set the SSL cipher suite:
    SSLCipherSuite HIGH:MEDIUM:EXP:!aNULL:!SSLv2:+SHA1:+MD5:+HIGH:+MEDIUM:+EXP
    
    Install the server certificate, key, and CA files in /etc/pki/tls/certs/ and /etc/pki/tls/private/, as appropriate, and set the paths in ssl.conf:
    SSLCertificateFile /etc/pki/tls/certs/idp.touchstonenetwork.net-cert.pem
    SSLCertificateKeyFile /etc/pki/tls/private/idp.touchstonenetwork.net-key.pem
    SSLCertificateChainFile /etc/pki/tls/certs/EquifaxCA.pem
    SSLCACertificateFile /etc/pki/tls/certs/mitCAclient.pem
    
    set the SSL options:
    SSLOptions +StrictRequire
    
    configure custom logging:
    CustomLog logs/ssl_request_log \
        "%t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x %{SSL_CLIENT_VERIFY}x \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
    
    ensure that all access is via SSL:
    <Directory />
        SSLRequireSSL
    </Directory>
    
    ensure that all rewrite rules are inherited:
    RewriteEngine On
    RewriteOptions inherit
    
  • Install these additional conf files from the touchstone locker (/mit/touchstone/config/idp2-cams/httpd) in /etc/httpd/conf.d:
    • cams.conf
      This adds configuration to protect Cams application resources appropriately.
    • idp-attr-query.conf
      This sets up the vhosts for back-channel attribute queries on port 8443.
    • idp-rewrite.conf
      This adds various rewrite rules for compatibility, etc.
    • proxy_ajp.conf
      Configures the AJP proxy module for the idp and cams webapps (replaces version installed by httpd).
    • ssl.conf (see above)
    • welcome.conf (see above)
  • Install our standard robots.txt and favicon.ico files in /var/www/html. The robots.txt should disallow all access:
    User-agent: *
    Disallow: /
    
    Current versions of these files may be found in the touchstone locker, in /mit/touchstone/config/htdocs/.
  • Make sure httpd is started at boot time:
    # chkconfig httpd on
    
  • Add the following settings to the stock /etc/logrotate.d/httpd configuration file:
    daily
    rotate 100
    compress
    delaycompress
    
    This will cause the httpd log files in /var/log/httpd/ to be rotated daily and compressed, saving 100 days of old logs (in case we need them for quarterly metrics).
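
The SSLCipherSuite above still admits EXP and MEDIUM ciphers, and the CustomLog format records the protocol, cipher and key size of every session, so the log is where to check what clients actually negotiate. The following shell script is an added example, not part of the Touchstone configuration: it reads an ssl_request_log in the format above and flags sessions that used an export cipher, a symmetric key shorter than 128 bits, or SSLv2/SSLv3; the log lines and addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the Touchstone page: scan an ssl_request_log written
# with the CustomLog format above and report sessions that negotiated weak
# parameters. Field layout as awk sees it (%t occupies two fields):
#   $1 $2 = [time zone]  $3 = client  $4 = %{HTTPS}x  $5 = SSL_PROTOCOL
#   $6 = SSL_CIPHER  $7 = SSL_CIPHER_USEKEYSIZE  $8 = SSL_CLIENT_VERIFY

# Print one line per weak session: client protocol cipher keysize reasons
flag_weak_ssl_sessions() {
    awk '{
        r = ""
        if ($5 == "SSLv2" || $5 == "SSLv3") r = r "legacy-protocol,"
        if ($6 ~ /EXP/)                    r = r "export-cipher,"
        if ($7 != "-" && $7 + 0 < 128)     r = r "short-key,"
        if ($4 != "on")                    r = r "not-https,"
        if (r != "") { sub(/,$/, "", r); print $3, $5, $6, $7, r }
    }' "$1"
}

# Number of weak sessions in the log, e.g. for an alert threshold
count_weak_ssl_sessions() {
    flag_weak_ssl_sessions "$1" | wc -l | tr -d ' '
}

# Constructed sample log (RFC 5737 addresses) in the page's CustomLog format
write_sample_log() {
    cat > "$1" <<'EOF'
[21/Oct/2009:14:02:11 -0400] 192.0.2.10 on TLSv1 AES256-SHA 256 NONE "GET /idp/profile/SAML2/Redirect/SSO HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
[21/Oct/2009:14:02:19 -0400] 192.0.2.11 on SSLv3 EXP-RC4-MD5 40 NONE "GET / HTTP/1.0" 403 - "-" "-"
[21/Oct/2009:14:02:33 -0400] 192.0.2.12 on TLSv1 EXP1024-DES-CBC-SHA 56 NONE "GET /cams/ HTTP/1.1" 200 812 "-" "curl/7.19.7"
[21/Oct/2009:14:03:01 -0400] 192.0.2.13 on TLSv1 RC4-SHA 128 NONE "GET /robots.txt HTTP/1.1" 200 26 "-" "Googlebot/2.1"
EOF
}

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
write_sample_log "$SAMPLE_LOG"
flag_weak_ssl_sessions "$SAMPLE_LOG"
echo "weak sessions: $(count_weak_ssl_sessions "$SAMPLE_LOG")"
```

Point it at /var/log/httpd/ssl_request_log (or the rotated copies kept for 100 days) to see whether the EXP and MEDIUM entries in the suite are still serving anyone before tightening them.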

Install JDK and enhanced JCE

  • The IdP uses JDK 1.6; download and install the RPM from Sun, or use the version in the downloads directory in the touchstone locker (jdk-6uNN-linux-amd64.rpm, where NN is the update number):
    # rpm -Uvh jdk-6uNN-linux-amd64.rpm
    
  • To support additional cryptographic algorithms used by the IdP, download and install the Bouncy Castle JCE jar file (http://polydistortion.net/bc/index.html) in the lib/ext directory of the JRE (/usr/java/latest/jre/lib/ext/). For example:
    # cd /usr/java/latest/jre/lib/ext
    # cp /path/to/bcprov-jdk16-145.jar .
    
    (Replace the file version number as needed).
    Add it as a provider in the JRE's lib/security/java.security, e.g.:
    security.provider.9=org.bouncycastle.jce.provider.BouncyCastleProvider
    
    (Replace 9 with the next sequential provider number as needed).
  • To support use of crypto key sizes larger than 2048 bits, we also add the Unlimited Strength Security Policy to the JVM. Download jce_policy-6.zip from the locker downloads directory, or from Sun (http://java.sun.com/javase/downloads/index.jsp, Other Downloads section at the bottom). Unzip the policy zip file and copy local_policy.jar and US_export_policy.jar into the JRE's lib/security directory (replacing the versions installed from the JDK RPM).
    # cd /tmp
    # unzip /path/to/jce_policy-6.zip
    # cd jce
    # cp *.jar /usr/java/latest/jre/lib/security/
    
  • For convenience, install shell profile scripts in /etc/profile.d that define JAVA_HOME, e.g. java.csh:
    setenv JAVA_HOME /usr/java/default
    if ( "${path}" !~ *${JAVA_HOME}/bin* ) then
        set path = ( ${JAVA_HOME}/bin $path )
    endif
    
    java.sh:
    export JAVA_HOME=/usr/java/default
    if ! echo $PATH | grep -q ${JAVA_HOME}/bin ; then
        export PATH=${JAVA_HOME}/bin:$PATH
    fi
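
As an added example (not from the Touchstone page or the Bouncy Castle project), the following shell functions perform the "replace 9 with the next sequential provider number" step above mechanically: they find the next contiguous security.provider slot in a java.security file and register Bouncy Castle there only if it is not already listed. The sample java.security contents are constructed to mirror a stock JDK 6 provider list.

```shell
#!/bin/sh
# Added example, not from the Touchstone page: register the Bouncy Castle
# provider in a java.security file idempotently. The JRE reads
# security.provider.1, .2, ... in order and stops at the first missing number,
# so the new entry must take the next contiguous slot and must not duplicate
# a provider that is already listed.

BC_PROVIDER=org.bouncycastle.jce.provider.BouncyCastleProvider

# Print the highest contiguous provider slot in the file (0 if none)
highest_provider_slot() {
    awk -F'[.=]' '/^security\.provider\.[0-9]+=/ { slots[$3] = 1 }
        END { n = 0; while ((n + 1) in slots) n++; print n }' "$1"
}

# Exit 0 if the provider class in $2 is already registered in $1
provider_registered() {
    grep -q "^security\.provider\.[0-9]*=$2\$" "$1"
}

# Register $2 in $1 at the next slot unless present; print the slot it occupies
add_provider() {
    if provider_registered "$1" "$2"; then
        sed -n "s/^security\.provider\.\([0-9]*\)=$2\$/\1/p" "$1"
        return 0
    fi
    slot=$(( $(highest_provider_slot "$1") + 1 ))
    printf 'security.provider.%s=%s\n' "$slot" "$2" >> "$1"
    echo "$slot"
}

# Constructed sample: the provider list shipped in a stock JDK 6 java.security
write_stock_java_security() {
    cat > "$1" <<'EOF'
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
security.provider.6=com.sun.security.sasl.Provider
security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.8=sun.security.smartcardio.SunPCSC
EOF
}

JAVA_SECURITY=$(mktemp)
trap 'rm -f "$JAVA_SECURITY"' EXIT
write_stock_java_security "$JAVA_SECURITY"
echo "Bouncy Castle registered as provider $(add_provider "$JAVA_SECURITY" "$BC_PROVIDER")"
```

On the real host, run add_provider against /usr/java/latest/jre/lib/security/java.security after copying the bcprov jar into lib/ext, and re-run it safely after a JDK update that rewrites the file.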
    

Install Tomcat

  • Download the current Tomcat 6.0 binary distribution (tested with 6.0.20, available in /mit/touchstone/downloads/apache-tomcat-6.0.20.tar.gz), and install it under /usr/local, with a tomcat symlink pointing at the unpacked directory:
    # cd /usr/local
    # tar xzf /path/to/apache-tomcat-6.0.20.tar.gz
    # rm -f tomcat
    # ln -s apache-tomcat-6.0.20 tomcat
    
  • Create the tomcat user, and change the ownership of the tomcat tree:
    # groupadd -g 52 tomcat
    # useradd -u 52 -g tomcat -c "Tomcat User" -d /usr/local/tomcat -M -s /sbin/nologin tomcat
    # chown -R tomcat:tomcat /usr/local/apache-tomcat-6.0.20
    
  • Install our version of conf/server.xml (from /mit/touchstone/config/idp2-core/tomcat), which properly configures the AJP connector on port 8009, and disables the HTTP connector on port 8080.
  • Install the tomcat init script in /etc/init.d/, and make sure tomcat is started at boot time:
    # chkconfig --add tomcat
    