Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • In /etc/httpd/conf.d/ssl.conf, set the SSLRandomSeed options:

    SSLRandomSeed startup file:/dev/urandom 1024
    SSLRandomSeed connect file:/dev/urandom 1024

    Within the VirtualHost block, set the ServerName:

    ServerName idp.mit.edu:443

    Set the SSL cipher suite:

    SSLCipherSuite HIGH:MEDIUM:EXP:!aNULL:!SSLv2:+SHA1:+MD5:+HIGH:+MEDIUM:+EXP

    Install the server certificate, key, and CA files in /etc/pki/tls/certs/ and /etc/pki/tls/private/, as appropriate, and set the paths in ssl.conf:

    SSLCertificateFile /etc/pki/tls/certs/idp-staging.mit.edu-cert.pem
    SSLCertificateKeyFile /etc/pki/tls/private/idp-staging.mit.edu-key.pem
    SSLCertificateChainFile /etc/pki/tls/certs/EquifaxCA.pem
    SSLCACertificateFile /etc/pki/tls/certs/mitCAclient.pem

    Set the SSL options:

    SSLOptions +StrictRequire

    Configure custom logging:

    CustomLog logs/ssl_request_log \
              "%t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x %{SSL_CLIENT_VERIFY}x \"%r\" %b"

    Ensure that all access is via SSL:

    <Directory />
        SSLRequireSSL
    </Directory>

    Ensure that all rewrite rules are inherited:

    RewriteEngine On
    RewriteOptions inherit

  • Install an HTTP keytab in /etc/httpd/conf/keytab; it must be readable by (only) the apache user. It is used for authentication by HTTP/SPNEGO, as configured in /etc/httpd/conf.d/auth_kerb.conf (installed in the next step).
  • Install these additional conf files from the touchstone locker (/mit/touchstone/config/idp2-core/) in /etc/httpd/conf.d:
    • auth_kerb.conf
      This configures authentication by HTTP/SPNEGO (replaces the version installed by mod_auth_kerb).
    • cert-authn.conf
      This sets up the separate virtual hosts for certificate authentication on ports 446 and 447 (for certificate optional and required, respectively).
    • idp-attr-query.conf
      This sets up the vhosts for back-channel attribute queries on ports 8443 and 8444.
    • idp-rewrite.conf
      This adds various rewrite rules for compatibility, etc.
    • proxy_ajp.conf
      Configures the AJP proxy module for the idp webapp (replaces the version installed by httpd).
    • ssl.conf
    • welcome.conf
  • SELinux context mappings must be added for the non-standard ports configured for certificate authentication (446 and 447) and attribute query (8443 and 8444), so that httpd can use them, e.g.:

    # semanage port -a -t http_port_t -p tcp 446
    # semanage port -a -t http_port_t -p tcp 447
    XXX # semanage port -a -t http_port_t -p tcp 8444

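The ssl_request_log CustomLog format set above records, per request, the negotiated protocol, cipher, key size and client-certificate verification result; what follows is an added example (not from the original page) that parses such lines and flags SSLv2/SSLv3 sessions, export-grade or MD5 ciphers (which the cipher string above still permits), short keys and rejected client certificates, run over constructed sample lines. It assumes the log layout is exactly the CustomLog format shown; the sample IPs and request paths are made up.

```python
import re
# One line of the ssl_request_log format set above (assumed to be exactly this layout):
#   %t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x %{SSL_CLIENT_VERIFY}x "%r" %b
# SSL_CLIENT_VERIFY may contain spaces ("FAILED:reason"), so it is matched lazily up to the quoted request.
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<https>\S+) (?P<protocol>\S+) '
    r'(?P<cipher>\S+) (?P<keysize>\S+) (?P<verify>.+?) '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<bytes>\S+)$'
)
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
WEAK_CIPHER_MARKERS = ("EXP", "MD5")  # both still allowed by the HIGH:MEDIUM:EXP:... string above
MIN_KEY_BITS = 128

def parse_line(line):
    """Return the fields of one log line as a dict (key_bits as int, or None), or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = m.groupdict()
    keysize = fields.pop("keysize")
    fields["key_bits"] = int(keysize) if keysize.isdigit() else None
    return fields

def findings(req):
    """List the reasons an operator would want to look at this negotiation (empty list if none)."""
    out = []
    if req["protocol"] in WEAK_PROTOCOLS:
        out.append(f"obsolete protocol {req['protocol']}")
    if any(marker in req["cipher"] for marker in WEAK_CIPHER_MARKERS):
        out.append(f"weak cipher {req['cipher']}")
    if req["key_bits"] is not None and req["key_bits"] < MIN_KEY_BITS:
        out.append(f"{req['key_bits']}-bit key")
    if req["verify"].startswith("FAILED"):
        out.append(f"client certificate rejected ({req['verify']})")
    return out

def audit(lines):
    """Map 0-based line index -> findings, for every line that parses and has at least one finding."""
    flagged = {}
    for i, line in enumerate(lines):
        req = parse_line(line)
        if req and (reasons := findings(req)):
            flagged[i] = reasons
    return flagged

# Constructed sample lines (documentation IPs, made-up paths): line 2 is an export-grade SSLv3
# negotiation, line 4 a client certificate that failed verification.
SAMPLE_LOG = """\
[12/Mar/2010:09:15:02 -0500] 192.0.2.10 on TLSv1 DHE-RSA-AES256-SHA 256 NONE "GET /idp/profile/SAML2/Redirect/SSO?SAMLRequest=abc HTTP/1.1" 5120
[12/Mar/2010:09:15:07 -0500] 192.0.2.11 on SSLv3 EXP-RC4-MD5 40 NONE "POST /idp/Authn/UserPassword HTTP/1.1" 812
[12/Mar/2010:09:16:11 -0500] 192.0.2.12 on TLSv1 AES128-SHA 128 SUCCESS "GET /idp/Authn/RemoteUser HTTP/1.1" 204
[12/Mar/2010:09:16:40 -0500] 192.0.2.13 on TLSv1 AES128-SHA 128 FAILED:self signed certificate "GET /idp/Authn/RemoteUser HTTP/1.1" 403
"""
```

Calling audit(SAMPLE_LOG.splitlines()) returns the flagged line indexes with their reasons, so the same function can be pointed at a real ssl_request_log to see which negotiations the permissive cipher string let through.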

...