Leopard Server Install

From cosign wiki

(Difference between revisions)
Current revision (13:26, 4 November 2011)

(19 intermediate revisions not shown.)
Line 1: Line 1:
-
==Changes from before that I got hung up on:==
+
==Build and Install the cosign Filter==
-
------------------------------------------------------
+
[[Building and Installing on Mac OS X]]
-
* Web directory changed from /etc/httpd to /etc/apache2
+
-
* Had to modify a Makefile in the Cosign distribution to build it (details below)
+
-
==Full procedure I used (in chicken-scratch format):==
+
==Generate Certificate Signing Request (optional)==
-
------------------------------------------------------
+
Depending on your environment, you may need to generate a Certificate Signing Request (CSR) to get a certificate for your HTTPS and cosign installation.
* In Server Admin, select the hostname of the server
* In Server Admin, select the hostname of the server
* Click the Certificates tab
* Click the Certificates tab
* Click the + button
* Click the + button
-
  Common Name: lsa-mac-dev1.lsait.lsa.umich.edu
+
  Common Name: [Hostname of server]
-
  Org: University of Michigan
+
  Org: [Your Organization, e.g., University of Insightful Examples]
-
  OU: LSA IT
+
  OU: [Organization Unit, e.g., ALAS IT]
-
  City: Ann Arbor
+
  City: [Your city]
-
  State: Michigan
+
  State: [Your State]
  (leave the others as defaults)
  (leave the others as defaults)
* Click Save
* Click Save
-
 
-
Open a web-browser to here:
 
-
https://webservices.itcs.umich.edu/
 
-
and choose the Request an SSL certificate option (you'll be filling it out momentarily)
 
-
Back in Server Admin:
 
* Select the cert you just created
* Select the cert you just created
* Under the gearwheel menu, choose Generate CSR
* Under the gearwheel menu, choose Generate CSR
-
* Drag the certificate icon to the webpage's CSR box
+
* Submit your CSR to your certificate provider
-
* Fill out the form, being sure to choose umwebCA as the signer
+
** UMich web admins should use [https://webservices.itcs.umich.edu/ WASUP] to request a certificate. Drag and drop the CSR you generated to the '''Certificate Signing Request''' field. Your certificate signer will be '''umwebCA''' unless you want a commercial certificate.
 +
When you get the signed certificate back from your certificate provider, return to Server Admin and:
 +
* Select the self-signed cert in Server Admin you created earlier
 +
* Under the gearwheel menu, choose 'Add Signed or Renewed Certificate from Certificate Authority' and add the signed certificate you received.
-
In Server Admin, start the Web Service
+
==Create and Edit the Cosign Configuration==
-
* Click the Sites button, and select the default site (*)
+
In the Terminal, create a folder for your cosign configuration.
-
* On the Options tab, allow 'CGI Execution'
+
<pre>
-
* On the Logging tab, set both the access and error logs to archive every 7 days
+
bash$ sudo mkdir /etc/apache2/cosign
-
* Click Save
+
</pre>
-
* cd /etc/apache2
+
In a good editor, like '''vi''' or '''BBEdit''', both of which can be used to edit files owned by root, open '''/etc/apache2/cosign/site_conf''', copying and pasting the configuration lines below. Your [[weblogin]] administrators will be able to provide you with the actual values you should use. Have those values in hand as you edit the '''site_conf''' file.
-
* sudo mkdir cosign
+
<pre>
-
* cd cosign
+
CosignHostname weblogin.example.edu
-
* sudo vi site_conf
+
CosignRedirect https://weblogin.example.edu/
 +
CosignPostErrorRedirect http://weblogin.example.edu/post_error.html
 +
CosignService some-service.example.edu
 +
CosignCrypto /etc/certificates/some-service.example.edu.crtkey /etc/certificates/some-service.example.edu.crtkey  /etc/certificates/CAcerts
 +
# for cosign 3:
 +
CosignValidReference              ^https?:\/\/.*\.example\.edu(\/.*)?
 +
CosignValidationErrorRedirect      http://weblogin.example.edu/cosign/validation_error.html
 +
<Location /cosign/valid>
 +
    SetHandler          cosign
 +
    CosignProtected    Off
 +
    Allow from all
 +
    Satisfy any
 +
</Location>
-
BEGINNING OF FILE
+
# uncomment this line if your site allows access over HTTP.
-
CosignHostname weblogin.umich.edu
+
# note: CosignHttpOnly means that anyone can sniff and
-
CosignRedirect https://weblogin.umich.edu/
+
# steal your service cookie, making it trivial to pose as
-
CosignPostErrorRedirect https://weblogin.umich.edu/post_error.html
+
# different users of your service.
-
CosignService lsa-hpc
+
#
-
CosignCrypto /etc/certificates/lsa-mac-dev1.lsait.lsa.umich.edu.crtkey /etc/certificates/lsa-mac-dev1.lsait.lsa.umich.edu.crtkey  /etc/apache2/cosign/CAcerts
+
#CosignHttpOnly on
-
CosignHttpOnly on ### Our site is HTTP - if yours is HTTPS, remove this line
+
<Location />
-
<Location />
+
CosignProtected on
-
CosignProtected on
+
</Location>
-
</Location>
+
<Location /unprotected>
-
<Location /unprotected>
+
CosignProtected off
-
CosignProtected off
+
</Location>
-
</Location>
+
</pre>
-
END OF FILE
+
-
* cd /etc/apache2/sites
+
Now edit your virtual host configuration in '''/etc/apache2/sites'''. Add this line to your site, anywhere inside the <VirtualHost> block:
-
* Add this line to your site, anywhere inside the <VirtualHost> block
+
<pre>
-
**      Include "/etc/apache2/cosign/site_conf"
+
Include "/etc/apache2/cosign/site_conf"
 +
</pre>
-
=== Build and install cosign:===
+
In Server Admin, start the Web Service
-
* Download the latest version from http://weblogin.org/
+
* Click the '''Sites''' button, and select the default site (*)
-
* setenv CFLAGS "-arch x86_64"  # Be sure to use your correct arch here
+
* On the '''Options''' tab, allow 'CGI Execution' if you intend to offer CGI support on your site.
-
* setenv LDFLAGS "-Wl,-arch -Wl,x86_64"  # Be sure to use your correct arch here
+
* Select the '''Logging''' tab to configure log rotation and archiving.
-
* ./configure --enable-apache2=/usr/sbin/apxs
+
* Click '''Save'''
-
* Modify filters/apache2/Makefile and add the following to the end of the CFLAGS line:
+
-
**    -Wc,-arch -Wc,x86_64
+
-
* make
+
-
* sudo cp -R CAcerts /etc/apache2/cosign
+
-
* cd filters/apache2/
+
-
* sudo /usr/sbin/apxs -i -a -n 'cosign' mod_cosign.la
+
-
 
+
-
* sudo mkdir -p /var/cosign/filter
+
-
* sudo chown www /var/cosign/filter
+
-
* cd /etc/apache2/cosign/CAcerts
+
-
* sudo c_rehash .
+
-
 
+
-
=== Background info on the Makefile change:===
+
-
When I just did a straight "configure, then make", the module built with only one architecture, i386.  The problem is, that Leopard is now 64-bit aware across the board, and Apache (httpd) is built with 4 architectures (ppc7400, ppc64, i386, x86_64).  Since httpd was running on 64-bit hardware, it was running using the x86_64 arch, and since the cosign module built with the i386 arch, it wouldn't load the module.  I worked around this primarily with the CFLAGS and LDFLAGS environment modules shown above, but found that some of the .o files that make up the final module were still just getting compiled as i386, so I had to modify the Makefile to force those into x86_64 as well.  It's quite possible there's a better way to do it, but this worked, so I wanted to share it.
+
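Review bot: the new CosignCrypto line points the CA directory at /etc/certificates/CAcerts, but the steps that populated and hashed that directory are removed in the same change (`sudo cp -R CAcerts /etc/apache2/cosign`, then `cd /etc/apache2/cosign/CAcerts` and `sudo c_rehash .`), and the old directive used /etc/apache2/cosign/CAcerts; either the linked Building and Installing on Mac OS X page has to create and c_rehash /etc/certificates/CAcerts, or the directive should keep the /etc/apache2/cosign/CAcerts path that the removed steps set up, because the filter will not find CA certificates in an un-hashed directory. Two smaller points in the same block: CosignPostErrorRedirect changes from https://weblogin.umich.edu/post_error.html to http://weblogin.example.edu/post_error.html while CosignRedirect stays on https, and the new CosignValidationErrorRedirect is also http; both should be https unless weblogin deliberately serves those error pages in the clear. Commenting out CosignHttpOnly and keeping the sniffing warning above it is the right call.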

Current revision

Build and Install the cosign Filter

Building and Installing on Mac OS X

Generate Certificate Signing Request (optional)

Depending on your environment, you may need to generate a Certificate Signing Request (CSR) to obtain a certificate for the server. cosign uses that certificate twice: Apache serves HTTPS with it, and the filter presents it (through the CosignCrypto directive below) when it connects to the weblogin server, so check with your weblogin administrators which signers they accept before you request one.

  • In Server Admin, select the hostname of the server
  • Click the Certificates tab
  • Click the + button
Common Name: [Hostname of server]
Org: [Your Organization, e.g., University of Insightful Examples]
OU: [Organization Unit, e.g., ALAS IT]
City: [Your city]
State: [Your State]
(leave the others as defaults)
  • Click Save
  • Select the cert you just created
  • Under the gearwheel menu, choose Generate CSR
  • Submit your CSR to your certificate provider
    • UMich web admins should use WASUP to request a certificate. Drag and drop the CSR you generated to the Certificate Signing Request field. Your certificate signer will be umwebCA unless you want a commercial certificate.

When you get the signed certificate back from your certificate provider, return to Server Admin and:

  • Select the self-signed cert in Server Admin you created earlier
  • Under the gearwheel menu, choose 'Add Signed or Renewed Certificate from Certificate Authority' and add the signed certificate you received.
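The Server Admin steps above hand you a CSR to drag into the request form without showing what is in it. What follows is an added example, not part of the original page or of the cosign project: it builds a CSR from the Terminal with openssl using the same subject fields the page types into Server Admin, and it includes a check that verifies a CSR's self-signature and reads its CN back out, which works on any CSR file, including one exported from Server Admin, so you can confirm the request names the right host before submitting it. The hostname, organization and location values are placeholders; the country field is left out because the page says to leave the remaining fields at their defaults, so add it if your CA requires one. A key made this way lives outside Server Admin's /etc/certificates store, so on a Leopard Server box treat this as a way to check a CSR rather than a replacement for the GUI workflow.

```shell
#!/bin/sh
# Added example: CSR generation and pre-submission check with openssl.
# All subject values below are placeholders, not real services.

# gen_csr OUTDIR HOST ORG OU CITY STATE
# Generates a 2048-bit RSA key (mode 0600) and a CSR for HOST; prints the CSR path.
gen_csr() {
  outdir="$1"; host="$2"; org="$3"; ou="$4"; city="$5"; state="$6"
  key="$outdir/$host.key"; csr="$outdir/$host.csr"
  # umask 077 so the private key is never world-readable, even briefly.
  ( umask 077 && openssl genrsa -out "$key" 2048 >/dev/null 2>&1 ) || return 1
  openssl req -new -key "$key" -out "$csr" \
    -subj "/ST=$state/L=$city/O=$org/OU=$ou/CN=$host" >/dev/null 2>&1 || return 1
  echo "$csr"
}

# csr_cn CSRFILE
# Verifies the CSR's self-signature and prints its CN; returns 1 if the CSR is bad.
# The sed handles both "CN=host" (older openssl) and "CN = host" (newer) subject formats.
csr_cn() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
  openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Demo run with constructed values (skipped if openssl is not installed).
if command -v openssl >/dev/null 2>&1; then
  work=$(mktemp -d)
  csr=$(gen_csr "$work" some-service.example.edu \
        "University of Insightful Examples" "ALAS IT" Springfield Illinois)
  echo "CSR written to $csr for CN=$(csr_cn "$csr")"
  openssl req -in "$csr" -noout -text | sed -n '/Subject:/p'
fi
```

To check a CSR exported from Server Admin instead, skip gen_csr and run `csr_cn /path/to/request.csr`; a non-zero exit means the file is not a valid, self-consistent request and should not be submitted.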

Create and Edit the Cosign Configuration

In the Terminal, create a folder for your cosign configuration.

bash$ sudo mkdir /etc/apache2/cosign

In an editor that can write files owned by root (vi under sudo, or BBEdit, which can authenticate to save root-owned files), open /etc/apache2/cosign/site_conf and paste in the configuration lines below. Your weblogin administrators can give you the actual values to use; have them in hand before you edit site_conf.

CosignHostname weblogin.example.edu
CosignRedirect https://weblogin.example.edu/
CosignPostErrorRedirect http://weblogin.example.edu/post_error.html
CosignService some-service.example.edu
CosignCrypto /etc/certificates/some-service.example.edu.crtkey /etc/certificates/some-service.example.edu.crtkey   /etc/certificates/CAcerts
# for cosign 3:
CosignValidReference              ^https?:\/\/.*\.example\.edu(\/.*)?
CosignValidationErrorRedirect      http://weblogin.example.edu/cosign/validation_error.html
<Location /cosign/valid>
     SetHandler          cosign
     CosignProtected     Off
     Allow from all
     Satisfy any
</Location>

# uncomment this line if your site allows access over HTTP.
# note: CosignHttpOnly means that anyone can sniff and
# steal your service cookie, making it trivial to pose as
# different users of your service.
#
#CosignHttpOnly on
<Location />
CosignProtected on
</Location>
<Location /unprotected>
CosignProtected off
</Location>

Now edit your virtual host configuration in /etc/apache2/sites. Add this line to your site, anywhere inside the <VirtualHost> block:

Include "/etc/apache2/cosign/site_conf"

In Server Admin, start the Web Service

  • Click the Sites button, and select the default site (*)
  • On the Options tab, allow 'CGI Execution' if you intend to offer CGI support on your site.
  • Select the Logging tab to configure log rotation and archiving.
  • Click Save
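The procedure above is easy to get subtly wrong before the Web Service is started: an error redirect left on http://, the CosignHttpOnly line uncommented, a .crtkey file the world can read, or a CA directory that was copied into place but never run through c_rehash (the filter looks CA certificates up by subject-hash filename in that directory). What follows is an added example, not code from the page or from the cosign project: a shell checker for a site_conf file, run against two constructed configs written to a temporary directory, one with those weak settings and one corrected. It parses only the directives the page uses, its file checks assume paths without whitespace, and the hash-link test assumes OpenSSL's hash filenames (eight hex digits, a dot, a sequence number); the placeholder key and CA files it writes contain no real key material.

```shell
#!/bin/sh
# Added example: sanity-check a cosign site_conf before starting Apache.

# check_site_conf FILE
# Prints one "WARN: ..." line per weak setting found; prints nothing for a clean file.
check_site_conf() {
  conf="$1"
  # Only uncommented lines are live configuration, so the page's
  # "#CosignHttpOnly on" line must not trigger a warning.
  active=$(grep -v '^[[:space:]]*#' "$conf" || true)

  # 1. Every Cosign*Redirect target should be HTTPS; an http:// error page
  #    drops the user out of TLS in the middle of the login flow.
  printf '%s\n' "$active" | awk '$1 ~ /^Cosign.*Redirect$/ { print $1, $2 }' |
  while read -r directive url; do
    case "$url" in
      https://*) ;;
      *) echo "WARN: $directive is not HTTPS: $url" ;;
    esac
  done

  # 2. CosignHttpOnly on: the page warns that anyone can then sniff the service cookie.
  if printf '%s\n' "$active" | grep -Eiq '^[[:space:]]*CosignHttpOnly[[:space:]]+on'; then
    echo "WARN: CosignHttpOnly is on; the service cookie travels in clear text"
  fi

  # 3. CosignCrypto <cert> <key> <CA dir>: files must exist, the key must not be
  #    world-readable, and the CA dir must carry c_rehash hash links.
  read -r cert key cadir <<EOF
$(printf '%s\n' "$active" | awk '$1 == "CosignCrypto" { print $2, $3, $4; exit }')
EOF
  [ -f "$cert" ] || echo "WARN: certificate file missing: $cert"
  [ -f "$key" ]  || echo "WARN: key file missing: $key"
  if [ -f "$key" ] && [ -n "$(find "$key" -perm -004)" ]; then
    echo "WARN: key is world-readable: $key"
  fi
  if [ ! -d "$cadir" ]; then
    echo "WARN: CA directory missing: $cadir"
  elif ! ls "$cadir" | grep -Eq '^[0-9a-f]{8}\.[0-9]+$'; then
    echo "WARN: CA directory has no c_rehash hash links: $cadir"
  fi
  return 0
}

# make_demo
# Builds a constructed demo tree (not a real cosign install) in a temp dir with
# one weak and one corrected site_conf; prints the directory path.
make_demo() {
  d=$(mktemp -d)
  # Placeholder cert/key bundles; Server Admin normally writes these under /etc/certificates.
  printf 'not a real key\n' > "$d/weak.crtkey"; chmod 644 "$d/weak.crtkey"
  printf 'not a real key\n' > "$d/good.crtkey"; chmod 600 "$d/good.crtkey"
  # CA directory before and after c_rehash; deadbeef.0 stands in for a real subject hash link.
  mkdir "$d/CAcerts.raw" "$d/CAcerts.hashed"
  printf 'not a real CA cert\n' > "$d/CAcerts.raw/ca.pem"
  cp "$d/CAcerts.raw/ca.pem" "$d/CAcerts.hashed/ca.pem"
  ln -s ca.pem "$d/CAcerts.hashed/deadbeef.0"

  cat > "$d/weak.conf" <<EOF
CosignHostname weblogin.example.edu
CosignRedirect https://weblogin.example.edu/
CosignPostErrorRedirect http://weblogin.example.edu/post_error.html
CosignService some-service.example.edu
CosignCrypto $d/weak.crtkey $d/weak.crtkey $d/CAcerts.raw
CosignValidationErrorRedirect http://weblogin.example.edu/cosign/validation_error.html
CosignHttpOnly on
EOF
  cat > "$d/good.conf" <<EOF
CosignHostname weblogin.example.edu
CosignRedirect https://weblogin.example.edu/
CosignPostErrorRedirect https://weblogin.example.edu/post_error.html
CosignService some-service.example.edu
CosignCrypto $d/good.crtkey $d/good.crtkey $d/CAcerts.hashed
CosignValidationErrorRedirect https://weblogin.example.edu/cosign/validation_error.html
#CosignHttpOnly on
EOF
  echo "$d"
}

# Demo run: the weak config yields five warnings, the corrected one none.
demo=$(make_demo)
for f in weak good; do
  echo "== $f.conf"
  check_site_conf "$demo/$f.conf"
done
```

Against a real server, run `check_site_conf /etc/apache2/cosign/site_conf` after editing and fix anything it prints before starting the Web Service; the checks are deliberately conservative, so a warning about the CA directory means running c_rehash there, not ignoring it.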