...

  • In /etc/httpd/conf.d/ssl.conf, set the SSLRandomSeed options:
    No Format
    SSLRandomSeed startup file:/dev/urandom 1024
    SSLRandomSeed connect file:/dev/urandom 1024
    
    within the VirtualHost block, set the ServerName:
    No Format
    ServerName idp.mit.edu:443
    
    set the SSL cipher suite:
    No Format
    SSLCipherSuite HIGH:MEDIUM:EXP:!aNULL:!SSLv2:+SHA1:+MD5:+HIGH:+MEDIUM:+EXP
    
    Install the server certificate, key, and CA files in /etc/pki/tls/certs/ and /etc/pki/tls/private/, as appropriate, and set the paths in ssl.conf:
    No Format
    SSLCertificateFile /etc/pki/tls/certs/idp-staging.mit.edu-cert.pem
    SSLCertificateKeyFile /etc/pki/tls/private/idp-staging.mit.edu-key.pem
    SSLCertificateChainFile /etc/pki/tls/certs/EquifaxCA.pem
    SSLCACertificateFile /etc/pki/tls/certs/mitCAclient.pem
    
    set the SSL options:
    No Format
    SSLOptions +StrictRequire
    
    configure custom logging:
    No Format
     CustomLog logs/ssl_request_log \
              "%t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x %{SSL_CLIENT_VERIFY}x \"%r\" %b"
    
    ensure that all access is via SSL:
    No Format
    <Directory />
        SSLRequireSSL
    </Directory>
    
    ensure that all rewrite rules are inherited:
    No Format
    RewriteEngine On
    RewriteOptions inherit
    
  • Disable the stock "Welcome" page, by commenting out the lines in /etc/httpd/conf.d/welcome.conf
  • Install our standard robots.txt and favicon.ico files in /var/www/html. The robots.txt should disallow all access:
    No Format
    User-agent: *
    Disallow: /
    
    Current versions of these files may be found in the touchstone locker, in /mit/touchstone/config/htdocs/.
  • Make sure httpd is started at boot time:
    No Format
    # chkconfig httpd on
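
The settings above are easy to lose across edits of ssl.conf, so the following added script (not part of the original page or the Touchstone configuration) audits a given ssl.conf for every directive the procedure requires, treating commented-out lines as absent. The sample_ssl_conf function emits a constructed configuration with placeholder hostnames and certificate paths; the directive list itself is exactly the one given above.

```shell
#!/bin/sh
# Added example, not from the original page: check an httpd ssl.conf for the
# directives required by the IdP procedure. Exit status 0 means all are
# present; 1 means at least one is missing (each is reported on stderr).

# Return 0 if $1 contains an active (uncommented) line matching ERE $2.
has_directive() {
    grep -Eq "^[[:space:]]*$2" "$1"
}

# Walk the list of required directives and report each one that is missing.
check_ssl_conf() {
    conf="$1"
    missing=0
    for pattern in \
        'SSLRandomSeed[[:space:]]+startup[[:space:]]+file:/dev/urandom' \
        'SSLRandomSeed[[:space:]]+connect[[:space:]]+file:/dev/urandom' \
        'ServerName[[:space:]]+[^[:space:]]+:443' \
        'SSLCipherSuite[[:space:]]+' \
        'SSLCertificateFile[[:space:]]+' \
        'SSLCertificateKeyFile[[:space:]]+' \
        'SSLCertificateChainFile[[:space:]]+' \
        'SSLCACertificateFile[[:space:]]+' \
        'SSLOptions[[:space:]]+\+StrictRequire' \
        'SSLRequireSSL' \
        'RewriteEngine[[:space:]]+On' \
        'RewriteOptions[[:space:]]+inherit'
    do
        if ! has_directive "$conf" "$pattern"; then
            echo "missing: $pattern" >&2
            missing=1
        fi
    done
    return $missing
}

# Constructed sample configuration (placeholder hostname and paths) that
# satisfies every check; used for demonstration only.
sample_ssl_conf() {
    cat <<'EOF'
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024
<VirtualHost _default_:443>
    ServerName idp.example.org:443
    SSLCipherSuite HIGH:MEDIUM:!aNULL
    SSLCertificateFile /etc/pki/tls/certs/idp.example.org-cert.pem
    SSLCertificateKeyFile /etc/pki/tls/private/idp.example.org-key.pem
    SSLCertificateChainFile /etc/pki/tls/certs/chain.pem
    SSLCACertificateFile /etc/pki/tls/certs/clientca.pem
    SSLOptions +StrictRequire
    CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    <Directory />
        SSLRequireSSL
    </Directory>
    RewriteEngine On
    RewriteOptions inherit
</VirtualHost>
EOF
}

# Usage: sh audit_ssl_conf.sh /etc/httpd/conf.d/ssl.conf
if [ "$#" -gt 0 ]; then
    check_ssl_conf "$1"
fi
```

Run it against the real file after each change; a non-zero exit with the "missing:" lines on stderr tells you which directive was dropped or commented out.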
    

Install JDK and enhanced JCE

The IdP uses JDK 1.6; download and install the RPM from Sun, or use the version in the downloads directory in the touchstone locker (jdk-6uNN-linux-amd64.rpm, where NN is the update number). To support additional cryptographic algorithms used by the IdP, download and install the Bouncy Castle JCE jar file (http://polydistortion.net/bc/index.html) in the lib/ext directory of the JRE (/usr/java/latest/jre/lib/ext/). Add it as a provider in the JRE's lib/security/java.security, e.g.:

No Format

security.provider.9=org.bouncycastle.jce.provider.BouncyCastleProvider

(Replace 9 with the next sequential provider number as needed).
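
Picking the provider number by hand is where this step usually goes wrong (a duplicate index silently shadows an existing provider). The following added script (not from the original page) reads the existing security.provider.N lines, computes the next free index, and appends the Bouncy Castle provider only if it is not already registered. The sample_java_security function emits a constructed excerpt of a stock java.security file with eight providers, so the result here is 9, matching the example above.

```shell
#!/bin/sh
# Added example, not from the original page: register the Bouncy Castle JCE
# provider in a java.security file at the next sequential index.

# Print the highest N among active "security.provider.N=" lines (0 if none).
# Commented-out lines are ignored.
max_provider_index() {
    awk -F'[.=]' \
        '/^[[:space:]]*security\.provider\.[0-9]+=/ { n = $3 + 0; if (n > max) max = n }
         END { print max + 0 }' "$1"
}

# Append the Bouncy Castle provider at max+1 unless it is already present.
# Prints the index used; prints nothing if no change was made.
add_bouncycastle_provider() {
    file="$1"
    provider="org.bouncycastle.jce.provider.BouncyCastleProvider"
    if grep -q "=${provider}\$" "$file"; then
        echo "Bouncy Castle provider already registered" >&2
        return 0
    fi
    next=$(( $(max_provider_index "$file") + 1 ))
    echo "security.provider.${next}=${provider}" >> "$file"
    echo "$next"
}

# Constructed excerpt of a JRE lib/security/java.security (demonstration only;
# provider names approximate a Sun JDK 6 default list).
sample_java_security() {
    cat <<'EOF'
# List of providers and their preference orders
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
security.provider.6=com.sun.security.sasl.Provider
security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.8=sun.security.smartcardio.SunPCSC
# security.provider.9=example.CommentedOutProvider
EOF
}

# Usage: sh add_bc_provider.sh /usr/java/latest/jre/lib/security/java.security
if [ "$#" -gt 0 ]; then
    add_bouncycastle_provider "$1"
fi
```

Back up java.security before running this against the live JRE; the script appends in place.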

To support use of crypto key sizes larger than 2048 bits, we also add the Unlimited Strength Security Policy to the JVM. Download jce_policy-6.zip from the locker downloads directory, or from Sun (http://java.sun.com/javase/downloads/index.jsp, Other Downloads section at the bottom). Unzip the policy zip file and copy local_policy.jar and US_export_policy.jar into the JRE's lib/security directory (replacing the versions installed from the JDK RPM).

Install Tomcat

  • Download the current Tomcat 6.0 binary distribution (tested with 6.0.20, available in /mit/touchstone/downloads/apache-tomcat-6.0.20.tar.gz).
  • cd /usr/local
  • tar xzf /path/to/apache-tomcat-6.0.20.tar.gz
  • rm -f tomcat
  • ln -s apache-tomcat-6.0.20 tomcat (the symlink points at the extracted directory, not the tarball)
  • Create the tomcat user, and change the ownership of the tomcat tree:
    No Format
    # groupadd -g 52 tomcat
    # useradd -u 52 -g tomcat -c "Tomcat User" -d /usr/local/tomcat tomcat
    # chown -R tomcat:tomcat /usr/local/apache-tomcat-6.0.20
    
    No Format