Leopard Server Install
From cosign wiki
(20 intermediate revisions not shown.) | |||
Line 1: | Line 1: | ||
- | + | ==Build and Install the cosign Filter== | |
- | + | [[Building and Installing on Mac OS X]] | |
- | + | ||
- | + | ||
- | + | ==Generate Certificate Signing Request (optional)== | |
- | + | Depending on your environment, you may need to generate a Certificate Signing Request (CSR) to get a certificate for your HTTPS and cosign installation. | |
- | In Server Admin, select the hostname of the server | + | * In Server Admin, select the hostname of the server |
- | Click the Certificates tab | + | * Click the Certificates tab |
- | Click the + button | + | * Click the + button |
- | Common Name: | + | Common Name: [Hostname of server] |
- | Org: University of | + | Org: [Your Organization, e.g., University of Insightful Examples] |
- | OU: | + | OU: [Organization Unit, e.g., ALAS IT] |
- | City: | + | City: [Your city] |
- | State: | + | State: [Your State] |
(leave the others as defaults) | (leave the others as defaults) | ||
- | Click Save | + | * Click Save |
+ | * Select the cert you just created | ||
+ | * Under the gearwheel menu, choose Generate CSR | ||
+ | * Submit your CSR to your certificate provider | ||
+ | ** UMich web admins should use [https://webservices.itcs.umich.edu/ WASUP] to request a certificate. Drag and drop the CSR you generated to the '''Certificate Signing Request''' field. Your certificate signer will be '''umwebCA''' unless you want a commercial certificate. | ||
- | + | When you get the signed certificate back from your certificate provider, return to Server Admin and: | |
- | + | * Select the self-signed cert in Server Admin you created earlier | |
- | + | * Under the gearwheel menu, choose 'Add Signed or Renewed Certificate from Certificate Authority' and add the signed certificate you received. | |
- | + | ||
- | Select the cert you | + | |
- | Under the gearwheel menu, choose | + | |
- | + | ||
- | + | ||
+ | ==Create and Edit the Cosign Configuration== | ||
+ | In the Terminal, create a folder for your cosign configuration. | ||
+ | <pre> | ||
+ | bash$ sudo mkdir /etc/apache2/cosign | ||
+ | </pre> | ||
- | In | + | In a good editor, like '''vi''' or '''BBEdit''', both of which can be used to edit files owned by root, open '''/etc/apache2/cosign/site_conf''', copying and pasting the configuration lines below. Your [[weblogin]] administrators will be able to provide you with the actual values you should use. Have those values in hand as you edit the '''site_conf''' file. |
- | + | <pre> | |
- | + | CosignHostname weblogin.example.edu | |
- | - | + | CosignRedirect https://weblogin.example.edu/ |
- | + | CosignPostErrorRedirect http://weblogin.example.edu/post_error.html | |
+ | CosignService some-service.example.edu | ||
+ | CosignCrypto /etc/certificates/some-service.example.edu.crtkey /etc/certificates/some-service.example.edu.crtkey /etc/certificates/CAcerts | ||
+ | # for cosign 3: | ||
+ | CosignValidReference ^https?:\/\/.*\.example\.edu(\/.*)? | ||
+ | CosignValidationErrorRedirect http://weblogin.example.edu/cosign/validation_error.html | ||
+ | <Location /cosign/valid> | ||
+ | SetHandler cosign | ||
+ | CosignProtected Off | ||
+ | Allow from all | ||
+ | Satisfy any | ||
+ | </Location> | ||
- | + | # uncomment this line if your site allows access over HTTP. | |
- | + | # note: CosignHttpOnly means that anyone can sniff and | |
- | + | # steal your service cookie, making it trivial to pose as | |
- | + | # different users of your service. | |
+ | # | ||
+ | #CosignHttpOnly on | ||
+ | <Location /> | ||
+ | CosignProtected on | ||
+ | </Location> | ||
+ | <Location /unprotected> | ||
+ | CosignProtected off | ||
+ | </Location> | ||
+ | </pre> | ||
- | + | Now edit your virtual host configuration in '''/etc/apache2/sites'''. Add this line to your site, anywhere inside the <VirtualHost> block: | |
- | + | <pre> | |
- | + | Include "/etc/apache2/cosign/site_conf" | |
- | + | </pre> | |
- | + | ||
- | + | ||
- | + | ||
- | + | In Server Admin, start the Web Service | |
- | + | * Click the '''Sites''' button, and select the default site (*) | |
- | + | * On the '''Options''' tab, allow 'CGI Execution' if you intend to offer CGI support on your site. | |
- | + | * Select the '''Logging''' tab to configure log rotation and archiving. | |
- | + | * Click '''Save''' | |
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | . | + | |
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + |
Current revision
[edit] Build and Install the cosign Filter
Building and Installing on Mac OS X
[edit] Generate Certificate Signing Request (optional)
Depending on your environment, you may need to generate a Certificate Signing Request (CSR) to get a certificate for your HTTPS and cosign installation.
- In Server Admin, select the hostname of the server
- Click the Certificates tab
- Click the + button
Common Name: [Hostname of server] Org: [Your Organization, e.g., University of Insightful Examples] OU: [Organization Unit, e.g., ALAS IT] City: [Your city] State: [Your State] (leave the others as defaults)
- Click Save
- Select the cert you just created
- Under the gearwheel menu, choose Generate CSR
- Submit your CSR to your certificate provider
- UMich web admins should use WASUP to request a certificate. Drag and drop the CSR you generated to the Certificate Signing Request field. Your certificate signer will be umwebCA unless you want a commercial certificate.
When you get the signed certificate back from your certificate provider, return to Server Admin and:
- Select the self-signed cert in Server Admin you created earlier
- Under the gearwheel menu, choose 'Add Signed or Renewed Certificate from Certificate Authority' and add the signed certificate you received.
[edit] Create and Edit the Cosign Configuration
In the Terminal, create a folder for your cosign configuration.
bash$ sudo mkdir /etc/apache2/cosign
In a good editor, like vi or BBEdit, both of which can be used to edit files owned by root, open /etc/apache2/cosign/site_conf, copying and pasting the configuration lines below. Your weblogin administrators will be able to provide you with the actual values you should use. Have those values in hand as you edit the site_conf file.
CosignHostname weblogin.example.edu CosignRedirect https://weblogin.example.edu/ CosignPostErrorRedirect http://weblogin.example.edu/post_error.html CosignService some-service.example.edu CosignCrypto /etc/certificates/some-service.example.edu.crtkey /etc/certificates/some-service.example.edu.crtkey /etc/certificates/CAcerts # for cosign 3: CosignValidReference ^https?:\/\/.*\.example\.edu(\/.*)? CosignValidationErrorRedirect http://weblogin.example.edu/cosign/validation_error.html <Location /cosign/valid> SetHandler cosign CosignProtected Off Allow from all Satisfy any </Location> # uncomment this line if your site allows access over HTTP. # note: CosignHttpOnly means that anyone can sniff and # steal your service cookie, making it trivial to pose as # different users of your service. # #CosignHttpOnly on <Location /> CosignProtected on </Location> <Location /unprotected> CosignProtected off </Location>
Now edit your virtual host configuration in /etc/apache2/sites. Add this line to your site, anywhere inside the <VirtualHost> block:
Include "/etc/apache2/cosign/site_conf"
In Server Admin, start the Web Service
- Click the Sites button, and select the default site (*)
- On the Options tab, allow 'CGI Execution' if you intend to offer CGI support on your site.
- Select the Logging tab to configure log rotation and archiving.
- Click Save