...
- Install the server certificate, key, and CA files in /etc/pki/tls/certs/ and /etc/pki/tls/private/, as appropriate, and make sure the paths are correct in ssl.conf, cert-authn.conf, and idp-attr-query.conf (see below). The key file should be readable by only the tomcat user, as the idp webapp also uses it.
- In /etc/httpd/conf/httpd.conf, set ServerName:
    ServerName idp.mit.edu:80
  and set the UseCanonicalName option to On:
    UseCanonicalName On
- Disable the stock "Welcome" page, by commenting out the lines in /etc/httpd/conf.d/welcome.conf
- In /etc/httpd/conf.d/ssl.conf, set the SSLRandomSeed options:
    SSLRandomSeed startup file:/dev/urandom 1024
    SSLRandomSeed connect file:/dev/urandom 1024
  within the VirtualHost block, set the ServerName:
    ServerName idp.mit.edu:443
  set the SSL cipher suite:
    SSLCipherSuite HIGH:MEDIUM:EXP:!aNULL:!SSLv2:+SHA1:+MD5:+HIGH:+MEDIUM:+EXP
  install the server certificate, key, and CA files in /etc/pki/tls/certs/ and /etc/pki/tls/private/, as appropriate, and set the paths in ssl.conf:
    SSLCertificateFile /etc/pki/tls/certs/idp.mit.edu-cert.pem
    SSLCertificateKeyFile /etc/pki/tls/private/idp.mit.edu-key.pem
    SSLCertificateChainFile /etc/pki/tls/certs/EquifaxCA.pem
    SSLCACertificateFile /etc/pki/tls/certs/mitCAclient.pem
  set the SSL options:
    SSLOptions +StrictRequire
  configure custom logging:
    CustomLog logs/ssl_request_log \
      "%t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x %{SSL_CLIENT_VERIFY}x \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
  ensure that all access is via SSL:
    <Directory />
        SSLRequireSSL
    </Directory>
  ensure that all rewrite rules are inherited:
    RewriteEngine On
    RewriteOptions inherit
- Install an HTTP keytab in /etc/httpd/conf/keytab; it must be readable by (only) the apache user. This is used for authentication by HTTP/SPNEGO, as configured in /etc/httpd/conf.d/auth_kerb.conf.
- Install the server's InCommon certificate and key files in /usr/local/shibboleth-idp/credentials/ – these are used for back-channel attribute queries by InCommon SPs, and are referenced in /etc/httpd/conf.d/idp-attr-query.conf. Make sure that they are readable by tomcat, as the idp webapp also accesses them. Also install the InCommon CA file in /etc/pki/tls/certs.
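As an added check that is not part of the Touchstone documentation, the POSIX shell functions below audit what the credential, keytab and ssl.conf steps above require: that a private file is owned by its service account (tomcat or apache) with no group or other permission bits, and that ssl.conf carries the SSLRandomSeed, cipher-suite exclusion, SSLOptions +StrictRequire and SSLRequireSSL directives. The function names are assumptions; the paths and owners in the usage comment are the ones given in the steps above.

```shell
#!/bin/sh
# Added audit helpers (not from the Touchstone pages); function names are assumptions.

# check_private_file PATH OWNER: the file must exist, be owned by OWNER and
# carry no group/other permission bits. Prints a verdict, returns 0 or 1.
check_private_file() {
    path=$1; owner=$2
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"; return 1
    fi
    # ls -ld is portable: field 1 is the mode string, field 3 is the owner.
    set -- $(ls -ld "$path")
    mode=$1; actual=$3; status=0
    # Characters 5-10 of the mode string are the group and other bits; a
    # trailing '.' or '+' (SELinux label, ACL) may follow and is ignored.
    case "$mode" in
        ????------*) ;;
        *) echo "TOO OPEN $path ($mode)"; status=1 ;;
    esac
    if [ "$actual" != "$owner" ]; then
        echo "OWNER    $path is owned by $actual, expected $owner"; status=1
    fi
    [ "$status" -eq 0 ] && echo "OK       $path ($mode $actual)"
    return "$status"
}

# check_ssl_conf FILE: verify the ssl.conf directives from the step above are
# present (extended regexes anchored to the directive at the start of a line).
check_ssl_conf() {
    conf=$1; status=0
    require_directive() {
        if grep -Eq "$1" "$conf"; then
            echo "OK       $2"
        else
            echo "MISSING  $2"; status=1
        fi
    }
    require_directive '^[[:space:]]*SSLRandomSeed[[:space:]]+startup' 'SSLRandomSeed startup'
    require_directive '^[[:space:]]*SSLRandomSeed[[:space:]]+connect' 'SSLRandomSeed connect'
    require_directive '^[[:space:]]*SSLCipherSuite[[:space:]]+.*!aNULL' 'SSLCipherSuite excludes aNULL'
    require_directive '^[[:space:]]*SSLCipherSuite[[:space:]]+.*!SSLv2' 'SSLCipherSuite excludes SSLv2'
    require_directive '^[[:space:]]*SSLOptions[[:space:]]+.*[+]StrictRequire' 'SSLOptions +StrictRequire'
    require_directive '^[[:space:]]*SSLRequireSSL' 'SSLRequireSSL (all access via SSL)'
    return "$status"
}

# Usage on the IdP host (paths and owners taken from the steps above):
#   check_private_file /etc/pki/tls/private/idp.mit.edu-key.pem tomcat
#   check_private_file /etc/httpd/conf/keytab apache
#   check_ssl_conf /etc/httpd/conf.d/ssl.conf
```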
- Install these additional conf files from the touchstone locker (/mit/touchstone/config/idp2-core/httpd) in /etc/httpd/conf.d:
  - auth_kerb.conf: This configures authentication by HTTP/SPNEGO (replaces version installed by mod_auth_kerb).
  - cert-authn.conf: This sets up the separate virtual hosts for certificate authentication on ports 446 and 447 (for certificate optional and required, respectively).
  - idp-attr-query.conf: This sets up the vhosts for back-channel attribute queries on ports 8443 and 8444 (from MIT and InCommon SPs, respectively).
  - idp-rewrite.conf: This adds various rewrite rules for compatibility, etc.
  - proxy_ajp.conf: Configures the AJP proxy module for the idp webapp (replaces version installed by httpd).
  - ssl.conf (see above)
  - welcome.conf (see above)
- SELinux context mappings must be added for the non-standard ports configured for certificate authentication and attribute query, so that httpd can use them:
    # semanage port -a -t http_port_t -p tcp 446
    # semanage port -a -t http_port_t -p tcp 447
    # semanage port -a -t http_port_t -p tcp 8444
- Install our standard robots.txt and favicon.ico files in /var/www/html. The robots.txt should disallow all access:
    User-agent: *
    Disallow: /
  Current versions of these files may be found in the touchstone locker, in /mit/touchstone/config/htdocs/.
- Make sure httpd is started at boot time:
    # chkconfig httpd on
- Add the following settings to the stock /etc/logrotate.d/httpd configuration file:
    daily
    rotate 100
    compress
    delaycompress
  This will cause the httpd log files in /var/log/httpd/ to be rotated daily and compressed, saving 100 days of old logs (in case we need them for quarterly metrics).

Install JDK and enhanced JCE
...