...
- In /etc/httpd/conf.d/ssl.conf, set the
SSLRandomSeedoptions:
within theNo Format SSLRandomSeed startup file:/dev/urandom 1024 SSLRandomSeed connect file:/dev/urandom 1024
VirtualHostblock, set the ServerName:
set the SSL cipher suite:No Format ServerName idp.mit.edu:443
Install the server certificate, key, and CA files inNo Format SSLCipherSuite HIGH:MEDIUM:EXP:!aNULL:!SSLv2:+SHA1:+MD5:+HIGH:+MEDIUM:+EXP
/etc/pki/tls/certs/and/etc/pki/tls/private/, as appropriate, and set the paths inssl.conf:
set the SSL options:No Format SSLCertificateFile /etc/pki/tls/certs/idp-staging.mit.edu-cert.pem SSLCertificateKeyFile /etc/pki/tls/private/idp-staging.mit.edu-key.pem SSLCertificateChainFile /etc/pki/tls/certs/EquifaxCA.pem SSLCACertificateFile /etc/pki/tls/certs/mitCAclient.pem
configure custom logging:No Format SSLOptions +StrictRequire
ensure that all access is via SSL:No Format CustomLog logs/ssl_request_log \ "%t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x %{SSL_CLIENT_VERIFY}x \"%r\" %b"
ensure that all rewrite rules are inherited:No Format <Directory /> SSLRequireSSL </Directory>No Format RewriteEngine On RewriteOptions inherit
- Disable the stock "Welcome" page, by commenting out the lines in
/etc/httpd/conf.d/welcome.conf - Install our standard
robots.txtandfavicon.icofiles in/var/www/html. The robots.txt should disallow all access:No Format User-agent: * Disallow: /
Install Tomcat
- Download current Tomcat 6.0 binary distribution (tested with 6.0.20, available in
/mit/touchstone/downloads/apache-tomcat-6.0.20.tar.gz. - cd /usr/local
- tar xzf /path/to/apache-tomcat-6.0.20.tar.gz
- rm -f tomcat
- ln -s apache-tomcat-6.0.20.tar.gz tomcat
- Create the tomcat user, and change the ownership of the tomcat tree:
No Format # groupadd -g 52 tomcat # useradd -u 52 -g tomcat -c "Tomcat User" -d /usr/local/tomcat tomcat # chown -R tomcat:tomcat /usr/local/apache-tomcat-6.0.20