CAMS 2.x IdP run book

This page is under construction

Executive Summary

Install and configure Apache httpd

Install needed RPMs

Use stock httpd RPM install (standard NIST install)
Install mod_ssl and mod_auth_kerb RPMs:
```
# yum install mod_ssl
```

Configure

Current versions of the various httpd configuration files can be obtained in the touchstone locker, in /mit/touchstone/config/idp2-cams/httpd/.

Install the server certificate, key, and CA files in /etc/pki/tls/certs/ and /etc/pki/tls/private/, as appropriate, and make sure the paths are correct in ssl.conf and idp-attr-query.conf (see below). The key file should be readable by only the tomcat user, as the idp webapp also uses it.
In /etc/httpd/conf/httpd.conf, set ServerName:
```
ServerName idp.touchstonenetwork.net:80
```
and set the UseCanonicalName option to On:
```
UseCanonicalName On
```
Disable the stock "Welcome" page, by commenting out the lines in /etc/httpd/conf.d/welcome.conf

In /etc/httpd/conf.d/ssl.conf, set the SSLRandomSeed options:

SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024

within the VirtualHost block, set the ServerName:

ServerName idp.touchstonenetwork.net:443

set the SSL cipher suite:

SSLCipherSuite HIGH:MEDIUM:EXP:!aNULL:!SSLv2:+SHA1:+MD5:+HIGH:+MEDIUM:+EXP

Install the server certificate, key, and CA files in /etc/pki/tls/certs/ and /etc/pki/tls/private/, as appropriate, and set the paths in ssl.conf:

SSLCertificateFile /etc/pki/tls/certs/idp.touchstonenetwork.net-cert.pem
SSLCertificateKeyFile /etc/pki/tls/private/idp.touchstonenetwork.net-key.pem
SSLCertificateChainFile /etc/pki/tls/certs/EquifaxCA.pem
SSLCACertificateFile /etc/pki/tls/certs/mitCAclient.pem

set the SSL options:

SSLOptions +StrictRequire

configure custom logging:

CustomLog logs/ssl_request_log \
    "%t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x %{SSL_CLIENT_VERIFY}x \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""

ensure that all access is via SSL:

<Directory />
    SSLRequireSSL
</Directory>

ensure that all rewrite rules are inherited:

RewriteEngine On
RewriteOptions inherit

Install these additional conf files from the touchstone locker (/mit/touchstone/config/idp2-cams/httpd) in /etc/httpd/conf.d:
- cams.conf
  This adds configuration to protect Cams application resources appropriately.
- idp-attr-query.conf
  This sets up the vhosts for back-channel attribute queries on port 8443.
- idp-rewrite.conf
  This adds various rewrite rules for compatibility, etc.
- proxy_ajp.conf
  Configures the AJP proxy module for the idp and cams webapps (replaces version installed by httpd).
- ssl.conf (see above)
- welcome.conf (see above)
Install our standard robots.txt and favicon.ico files in /var/www/html. The robots.txt should disallow all access:
```
User-agent: *
Disallow: /
```
Current versions of these files may be found in the touchstone locker, in /mit/touchstone/config/htdocs/.
Make sure httpd is started at boot time:
```
# chkconfig httpd on
```
Add the following settings to the stock /etc/logrotate.d/httpd configuration file:
```
daily
rotate 100
compress
delaycompress
```
This will cause the httpd log files in /var/log/httpd/ to be rotated daily and compressed, saving 100 days of old logs (in case we need them for quarterly metrics).

Install JDK and enhanced JCE

The IdP uses JDK 1.6; download and install the RPM from Sun, or use the version in the downloads directory in the touchstone locker (jdk-6uNN-linux-amd64.rpm, where NN is the update number):
```
# rpm -Uvh jdk-6uNN-linux-amd64.rpm
```

To support additional cryptographic algorithms used by the IdP, download and install the Bouncy Castle JCE jar file (http://polydistortion.net/bc/index.html) in the lib/ext directory of the JRE (/usr/java/latest/jre/lib/ext/). For example:
```
# cd /usr/java/latest/jre/lib/ext
# cp /path/to/bcprov-jdk16-145.jar .
```
(Replace the file version number as needed).
Add it as a provider in in the JRE's lib/security/java.security, e.g.:
```
security.provider.9=org.bouncycastle.jce.provider.BouncyCastleProvider
```
(Replace 9 with the next sequential provider number as needed).

To support use of crypto key sizes larger than 2048 bits, we also add the Unlimited Strength Security Policy to the JVM. Download jce_policy-6.zip from the locker downloads directory, or from Sun (http://java.sun.com/javase/downloads/index.jsp, Other Downloads section at the bottom). Unzip the policy zip file and copy local_policy.jar and US_export_policy.jar into the JRE's lib/security directory (replacing the versions installed from the JDK RPM).
```
# cd /tmp
# unzip /path/to/jce_policy-6.zip
# cd jce
# cp *.jar /usr/java/latest/jre/lib/security/
```

For convenience, install shell profile scripts in /etc/profile.d that define JAVA_HOME, e.g. java.csh:

setenv JAVA_HOME /usr/java/default
if ( "${path}" !~ *${JAVA_HOME}/bin* ) then
    set path = ( ${JAVA_HOME}/bin $path )
endif

java.sh:

export JAVA_HOME=/usr/java/default
if ! echo $PATH | grep -q ${JAVA_HOME}/bin ; then
    export PATH=${JAVA_HOME}/bin:$PATH
fi

Install Tomcat

Download current Tomcat 6.0 binary distribution (tested with 6.0.20, available in /mit/touchstone/downloads/apache-tomcat-6.0.20.tar.gz, and install under /usr/local:
```
# cd /usr/local
# tar xzf /path/to/apache-tomcat-6.0.20.tar.gz
# rm -f tomcat
# ln -s apache-tomcat-6.0.20.tar.gz tomcat
```

Create the tomcat user, and change the ownership of the tomcat tree:

# groupadd -g 52 tomcat
# useradd -u 52 -g tomcat -c "Tomcat User" -d /usr/local/tomcat -M -s /sbin/nologin tomcat
# chown -R tomcat:tomcat /usr/local/apache-tomcat-6.0.20

Install our version of conf/server.xml (from /mit/touchstone/config/idp2-core/tomcat), which properly configures the AJP connector on port 8009, and disables the HTTP connector on port 8080.

Install the tomcat init script in /etc/init.d/, and make sure tomcat is started at boot time:
```
# chkconfig --add tomcat
```

Child pages