...

Install JDK and enhanced JCE

  • The IdP uses JDK 1.6; download and install the RPM from Sun, or use the version in the downloads directory in the touchstone locker (jdk-6uNN-linux-amd64.rpm, where NN is the update number):
    # rpm -Uvh jdk-6uNN-linux-amd64.rpm

  • To support additional cryptographic algorithms used by the IdP, download and install the Bouncy Castle JCE jar file (http://polydistortion.net/bc/index.html) in the lib/ext directory of the JRE (/usr/java/latest/jre/lib/ext/). Add it as a provider in the JRE's lib/security/java.security, e.g.:

    security.provider.9=org.bouncycastle.jce.provider.BouncyCastleProvider

    (Replace 9 with the next sequential provider number as needed; the JRE reads security.provider.1, .2, ... in order and stops at the first missing number, so a gap in the numbering silently disables every provider listed after it.)
  • To support use of crypto key sizes larger than 2048 bits, we also add the Unlimited Strength Security Policy to the JVM. Download jce_policy-6.zip from the locker downloads directory, or from Sun (http://java.sun.com/javase/downloads/index.jsp, Other Downloads section at the bottom). Unzip the policy zip file and copy local_policy.jar and US_export_policy.jar into the JRE's lib/security directory (replacing the versions installed from the JDK RPM).
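The following is an added example, not part of the original page: a small POSIX shell helper that works out the next free security.provider.N slot in a java.security file and appends the Bouncy Castle line there, refusing to proceed if the existing numbering already has a gap or a duplicate. The sample java.security content is constructed here to resemble a JDK 6 provider list; the file path is an assumption.

```shell
#!/bin/sh
# Added example (not from the original page): register the Bouncy Castle
# provider in a java.security file using the next sequential number.
# Java loads security.provider.1, .2, ... in order and stops at the first
# gap, so the helper also rejects broken numbering instead of extending it.

# Print the next sequential provider number for the given java.security file.
# Returns 1 (with a message on stderr) if the numbering has a gap or duplicate.
next_provider_slot() {
    file=$1
    nums=$(sed -n 's/^security\.provider\.\([0-9][0-9]*\)=.*/\1/p' "$file" | sort -n)
    expect=1
    for n in $nums; do
        if [ "$n" -ne "$expect" ]; then
            echo "numbering problem at security.provider.$n (expected $expect)" >&2
            return 1
        fi
        expect=$((expect + 1))
    done
    echo "$expect"
}

# Append the Bouncy Castle provider line unless it is already registered.
add_bouncycastle_provider() {
    file=$1
    if grep -q 'org.bouncycastle.jce.provider.BouncyCastleProvider' "$file"; then
        echo "Bouncy Castle provider already registered in $file" >&2
        return 0
    fi
    slot=$(next_provider_slot "$file") || return 1
    echo "security.provider.$slot=org.bouncycastle.jce.provider.BouncyCastleProvider" >> "$file"
}

# Constructed sample resembling the provider list shipped with JDK 6.
sample=$(mktemp)
cat > "$sample" <<'EOF'
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
security.provider.6=com.sun.security.sasl.Provider
security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.8=sun.security.smartcardio.SunPCSC
EOF
add_bouncycastle_provider "$sample"
tail -1 "$sample"   # security.provider.9=org.bouncycastle.jce.provider.BouncyCastleProvider
```

On the IdP host, run add_bouncycastle_provider against /usr/java/latest/jre/lib/security/java.security as root after copying the jar into lib/ext.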

...

  • The MIT CA certificates must be added to the certificate trust store. This can be done by downloading and adding them explicitly to the JRE cacerts trust store, as follows:

    # wget 'http://ca.mit.edu.ezproxy.canberra.edu.au/mitca.crt'
    # wget 'http://ca.mit.edu.ezproxy.canberra.edu.au/mitClient.crt'
    # setenv JAVA_HOME /usr/java/latest
    # cd $JAVA_HOME/jre/lib/security
    # cp -p cacerts cacerts.orig
    # $JAVA_HOME/bin/keytool -import -keystore cacerts -alias mitca -file /path/to/mitca.crt
    # $JAVA_HOME/bin/keytool -import -keystore cacerts -alias mitclientca -file /path/to/mitClient.crt

    The password for the trust store is "changeit". Answer "yes" to the "Trust this certificate?" prompt.

An already-updated cacerts store is available in the touchstone locker, in /mit/touchstone/config/java.

  • For convenience, install shell profile scripts in /etc/profile.d that define JAVA_HOME, e.g. java.csh:

    setenv JAVA_HOME /usr/java/default
    if ( "${path}" !~ *${JAVA_HOME}/bin* ) then
        set path = ( ${JAVA_HOME}/bin $path )
    endif

    java.sh:

    export JAVA_HOME=/usr/java/default
    if ! echo $PATH | grep -q ${JAVA_HOME}/bin ; then
        export PATH=${JAVA_HOME}/bin:$PATH
    fi


Install Tomcat

  • Download the current Tomcat 6.0 binary distribution (tested with 6.0.20, available in /mit/touchstone/downloads/apache-tomcat-6.0.20.tar.gz), and install it under /usr/local, with a tomcat symlink pointing at the extracted directory:

    # cd /usr/local
    # tar xzf /path/to/apache-tomcat-6.0.20.tar.gz
    # rm -f tomcat
    # ln -s apache-tomcat-6.0.20 tomcat

  • Create the tomcat user, and change the ownership of the tomcat tree:

    # groupadd -g 52 tomcat
    # useradd -u 52 -g tomcat -c "Tomcat User" -d /usr/local/tomcat tomcat
    # chown -R tomcat:tomcat /usr/local/apache-tomcat-6.0.20

    Install the tomcat init script in /etc/init.d/, and make sure tomcat is started at boot time:

    # chkconfig --add tomcat


...