Leopard Server Install

From cosign wiki

(Difference between revisions)
(Changes from before that I got hung up on:)
(Full procedure I used (in chicken-scratch format):)
Line 4: Line 4:
* Edits made Mar 09 to reflect what to do with the signed certificate and instructions to update the umwebCA.pem file
* Edits made Mar 09 to reflect what to do with the signed certificate and instructions to update the umwebCA.pem file
-
==Full procedure I used (in chicken-scratch format):==
+
==Generate Certificate Signing Request (optional)==
-
------------------------------------------------------
+
Depending on your environment, you may need to generate a Certificate Signing Request (CSR) to get a certificate for your HTTPS and cosign installation.
* In Server Admin, select the hostname of the server
* In Server Admin, select the hostname of the server
* Click the Certificates tab
* Click the Certificates tab
* Click the + button
* Click the + button
-
  Common Name: lsa-mac-dev1.lsait.lsa.umich.edu
+
  Common Name: [Host name of server]
-
  Org: University of Michigan
+
  Org: [Your Organization, e.g., University of Insightful Examples]
-
  OU: LSA IT
+
  OU: [Organization Unit, e.g., ALAS IT]
-
  City: Ann Arbor
+
  City: [Your city]
-
  State: Michigan
+
  State: [Your State]
  (leave the others as defaults)
  (leave the others as defaults)
* Click Save
* Click Save
-
 
-
Open a web-browser to here:
 
-
https://webservices.itcs.umich.edu/
 
-
and choose the Request an SSL certificate option (you'll be filling it out momentarily)
 
-
Back in Server Admin:
 
* Select the cert you just created
* Select the cert you just created
* Under the gearwheel menu, choose Generate CSR
* Under the gearwheel menu, choose Generate CSR
-
* Drag the certificate icon to the webpage's CSR box
+
* Submit your CSR to your certificate provider
-
* Fill out the form, being sure to choose umwebCA as the signer
+
-
 
+
When you get the signed certificate back from your certificate provider, return to Server Admin and:  
-
When you get the signed certificate back from the UMWeb Certificate Authority, return to Server Admin and:  
+
* Select the self-signed cert in Server Admin you created earlier
* Select the self-signed cert in Server Admin you created earlier
-
* Under the gearwheel menu, choose 'Add Signed or Renewed Certificate from Certificate Authority' and add the signed certificate you received
+
* Under the gearwheel menu, choose 'Add Signed or Renewed Certificate from Certificate Authority' and add the signed certificate you received.
 +
In the Terminal:
 +
<pre>
 +
bash$ sudo -s
 +
Password:
 +
root# mkdir /etc/apache2/cosign
 +
</pre>
-
In Server Admin, start the Web Service
+
In a good editor, like '''vi''' or '''BBEdit''', both of which can be used to edit files owned by root, open '''/etc/apache2/cosign/site_conf''', copying and pasting the configuration lines below. Your [[weblogin]] administrators will be able to provide you with the actual values you should use. Have those values in hand as you edit the '''site_conf''' file.
-
* Click the Sites button, and select the default site (*)
+
<pre>
-
* On the Options tab, allow 'CGI Execution'
+
CosignHostname weblogin.example.edu
-
* On the Logging tab, set both the access and error logs to archive every 7 days
+
CosignRedirect https://weblogin.example.edu/
-
* Click Save
+
CosignPostErrorRedirect http://weblogin.example.edu/post_error.html
 +
CosignService some-service.example.edu
 +
CosignCrypto /etc/certificates/some-service.example.edu.crtkey /etc/certificates/some-service.example.edu.crtkey  /etc/certificates/CAcerts
-
* cd /etc/apache2
+
# uncomment this line if your site allows access over HTTP.
-
* sudo mkdir cosign
+
# note: CosignHttpOnly means that anyone can sniff and
-
* cd cosign
+
# steal your service cookie, making it trivial to pose as
-
* sudo vi site_conf
+
# different users of your service.
 +
#
 +
#CosignHttpOnly on
 +
<Location />
 +
CosignProtected on
 +
</Location>
 +
<Location /unprotected>
 +
CosignProtected off
 +
</Location>
 +
</pre>
-
BEGINNING OF FILE
+
* Edit your virtual host configuration in '''/etc/apache2/sites'''. Add this line to your site, anywhere inside the <VirtualHost> block:
-
CosignHostname weblogin.umich.edu
+
<pre>
-
CosignRedirect https://weblogin.umich.edu/
+
Include "/etc/apache2/cosign/site_conf"
-
CosignPostErrorRedirect https://weblogin.umich.edu/post_error.html
+
</pre>
-
CosignService lsa-hpc
+
-
CosignCrypto /etc/certificates/lsa-mac-dev1.lsait.lsa.umich.edu.crtkey /etc/certificates/lsa-mac-dev1.lsait.lsa.umich.edu.crtkey  /etc/apache2/cosign/CAcerts
+
-
CosignHttpOnly on  ### Our site is HTTP - if yours is HTTPS, remove this line
+
-
<Location />
+
-
CosignProtected on
+
-
</Location>
+
-
<Location /unprotected>
+
-
CosignProtected off
+
-
</Location>
+
-
END OF FILE
+
-
* cd /etc/apache2/sites
+
In Server Admin, start the Web Service
-
* Add this line to your site, anywhere inside the <VirtualHost> block
+
* Click the '''Sites''' button, and select the default site (*)
-
**      Include "/etc/apache2/cosign/site_conf"
+
* On the '''Options''' tab, allow 'CGI Execution' if you intend to offer CGI support on your site.
-
 
+
* Select the '''Logging''' tab to configure log rotation and archiving.
-
=== Build and install cosign:===
+
* Click '''Save'''
-
[[Building and Installing on Mac OS X]]
+
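Review bot: the new CosignPostErrorRedirect line uses http://weblogin.example.edu/post_error.html where the line it replaces used https:// and CosignRedirect on the same host keeps https; suggest `CosignPostErrorRedirect https://weblogin.example.edu/post_error.html` so the error page is not served in the clear. Two smaller points: the edit summary at Line 4 says the edits include instructions to update the umwebCA.pem file, but no step in the new text mentions that file; and CosignCrypto's CA directory moves from /etc/apache2/cosign/CAcerts to /etc/certificates/CAcerts while the Terminal steps only create /etc/apache2/cosign, so a line on where the CA certificates come from and where they go would close the gap.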

Revision as of 16:37, 30 March 2009

Changes from before that I got hung up on:

  • Web directory changed from /etc/httpd to /etc/apache2
  • Edits made Mar 09 to reflect what to do with the signed certificate and instructions to update the umwebCA.pem file

Generate Certificate Signing Request (optional)

Depending on your environment, you may need to generate a Certificate Signing Request (CSR) to get a certificate for your HTTPS and cosign installation.

  • In Server Admin, select the hostname of the server
  • Click the Certificates tab
  • Click the + button
      Common Name: [Host name of server]
      Org: [Your Organization, e.g., University of Insightful Examples]
      OU: [Organization Unit, e.g., ALAS IT]
      City: [Your city]
      State: [Your State]
      (leave the others as defaults)
  • Click Save
  • Select the cert you just created
  • Under the gearwheel menu, choose Generate CSR
  • Submit your CSR to your certificate provider

When you get the signed certificate back from your certificate provider, return to Server Admin and:

  • Select the self-signed cert in Server Admin you created earlier
  • Under the gearwheel menu, choose 'Add Signed or Renewed Certificate from Certificate Authority' and add the signed certificate you received.

In the Terminal:

bash$ sudo -s
Password:
root# mkdir /etc/apache2/cosign

In a good editor, like vi or BBEdit, both of which can edit files owned by root, open /etc/apache2/cosign/site_conf and paste in the configuration lines below. Your weblogin administrators can provide the actual values you should use; have those values in hand as you edit the site_conf file.

CosignHostname weblogin.example.edu
CosignRedirect https://weblogin.example.edu/
CosignPostErrorRedirect http://weblogin.example.edu/post_error.html
CosignService some-service.example.edu
CosignCrypto /etc/certificates/some-service.example.edu.crtkey /etc/certificates/some-service.example.edu.crtkey /etc/certificates/CAcerts

# uncomment this line if your site allows access over HTTP.
# note: CosignHttpOnly means that anyone can sniff and
# steal your service cookie, making it trivial to pose as
# different users of your service.
#
#CosignHttpOnly on
<Location />
CosignProtected on
</Location>
<Location /unprotected>
CosignProtected off
</Location>
  • Edit your virtual host configuration in /etc/apache2/sites. Add this line to your site, anywhere inside the <VirtualHost> block:
      Include "/etc/apache2/cosign/site_conf"
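As an added example (not from the cosign project or this wiki's author), a POSIX shell lint you can run against site_conf before starting the Web Service; it flags the settings the comments above warn about: CosignHttpOnly left on, redirects to weblogin that are not https, CosignCrypto paths that do not exist on the host, and a site root that is not CosignProtected. The sample config is constructed to mirror the one above, and directive_value and lint_site_conf are hypothetical helper names.

```shell
# Added example: lint a cosign site_conf for weak settings. Helper names are hypothetical.
# Constructed sample mirroring the site_conf above (not a real deployment).
SAMPLE_SITE_CONF='CosignHostname weblogin.example.edu
CosignRedirect https://weblogin.example.edu/
CosignPostErrorRedirect http://weblogin.example.edu/post_error.html
CosignService some-service.example.edu
CosignCrypto /etc/certificates/some-service.example.edu.crtkey /etc/certificates/some-service.example.edu.crtkey /etc/certificates/CAcerts
# note: CosignHttpOnly lets anyone sniff and replay your service cookie
#CosignHttpOnly on
<Location />
CosignProtected on
</Location>'

# directive_value FILE NAME: first uncommented value of NAME (empty if absent)
directive_value() {
    sed -e 's/^[[:space:]]*//' -e '/^#/d' "$1" | awk -v d="$2" '$1 == d { print $2; exit }'
}

# lint_site_conf FILE: prints one WARN line per finding; exit status is always 0
lint_site_conf() {
    _f="$1"
    # Service cookie over plain HTTP can be sniffed and used to impersonate users.
    if [ "$(directive_value "$_f" CosignHttpOnly)" = "on" ]; then
        echo "WARN: CosignHttpOnly on: service cookie travels over plain HTTP"
    fi
    # Both redirects to the weblogin server should use https.
    for _d in CosignRedirect CosignPostErrorRedirect; do
        _u=$(directive_value "$_f" "$_d")
        case "$_u" in
            https://*) ;;
            "")        echo "WARN: $_d missing" ;;
            *)         echo "WARN: $_d is not https: $_u" ;;
        esac
    done
    # Every path handed to CosignCrypto (cert, key, CA dir) must exist on this host.
    sed -e 's/^[[:space:]]*//' -e '/^#/d' "$_f" |
        awk '$1 == "CosignCrypto" { print $2; print $3; print $4; exit }' |
        while read -r _p; do
            if [ -n "$_p" ] && [ ! -e "$_p" ]; then
                echo "WARN: CosignCrypto path not found: $_p"
            fi
        done
    # Fail closed: the site root must be CosignProtected on.
    if ! sed 's/^[[:space:]]*//' "$_f" | tr '\n' ' ' |
         grep -q '<Location />[[:space:]]*CosignProtected[[:space:]]*on'; then
        echo "WARN: no '<Location />' block with CosignProtected on"
    fi
    return 0
}
```

Run it as `lint_site_conf /etc/apache2/cosign/site_conf` on the server itself so the path checks see the real /etc/certificates files.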

In Server Admin, start the Web Service

  • Click the Sites button, and select the default site (*)
  • On the Options tab, allow 'CGI Execution' if you intend to offer CGI support on your site.
  • Select the Logging tab to configure log rotation and archiving.
  • Click Save