Contents of /to_be_filed/webprojs/pamc/gen_a/docs/manual/man_a/c_ist0/c_ist0.tex

Revision 19
Sat Oct 8 04:30:47 2016 UTC (7 years, 9 months ago) by dashley
File MIME type: application/x-tex
File size: 27425 byte(s)
Initial commit.
1 %$Header: /home/dashley/cvsrep/e3ft_gpl01/e3ft_gpl01/webprojs/pamc/gen_a/docs/manual/man_a/c_ist0/c_ist0.tex,v 1.9 2009/11/04 16:50:19 dashley Exp $
2
3 \chapter{Installation of \emph{\productbasename{}-\productversion{}}}
4
5 \label{cist0}
6
7 \beginchapterquote{``A distributed system is one in which the failure of
8 a computer you didn't even know existed can render
9 your own computer unusable.''}
10 {Les Lamport, as quoted in newsgroup post by Richard Heylen}
11
12
13 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
14 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
15 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
16 \section{Introduction}
17 %Section tag: INT0
18 \label{cist0:sint0}
19
20 This chapter provides instructions for installing
21 \emph{\productbasename{}-\productversion{}}.
22
23
24 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
25 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
26 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
27 \section{System Requirements}
28 %Section tag: srq0
29 \label{cist0:ssrq0}
30
31 \index{system requirements}In order to install
32 \emph{\productbasename{}-\productversion{}}, the
33 server must meet the following requirements:
34
35 \begin{itemize}
36 \item Virtually any\footnote{\emph{Any} because
37 \emph{\productbasename{}-\productversion{}} is a very ordinary
38 database application and does not make use of any special
39 features of the operating system or \emph{MySQL}.}
40 version of a *nix (\emph{Linux}, \emph{FreeBSD},
41 \emph{Solaris}, etc.).
42 \item \index{apache@\emph{apache}}\emph{apache}, any modern version.
43 \item \index{PHP@\emph{PHP}}\emph{PHP}, version 4.X or above.
44 \item \index{MySQL@\emph{MySQL}}\emph{MySQL}, version 4.X or above.
45 \item Any sane processor and processor speed.
46 \item Any sane amount of RAM.
47 \item Adequate system permissions to inject e-mail from \emph{PHP} via \emph{PHP}'s
48 \index{mail()@\emph{mail($\cdot{}$)}}\emph{mail($\cdot{}$)} function.
49 \item Adequate system permissions to set up a directory, with
50 read/write/create permissions
51 for the UID/GID of the \emph{apache} server, to contain the file repository.
52 The file repository must not be directly in the logical web space served
53 directly by \emph{apache}.
54 \item Adequate system permissions to set up a \emph{cron} job that runs
55 at least once every several minutes and runs under the same UID/GID as the
56 \emph{Apache} server.\footnote{Because this \emph{cron} job performs
57 some CPU-intensive tasks (such as verifying file signatures of files in the
58 file repository), it would violate
59 the terms of most shared hosting services. A dedicated server is
60 almost certainly required; and if not that then a server that is not
61 too heavily loaded.}
62 \item Adequate system permissions to set up a location for the PHP library
63 that is accessible to the \emph{apache} UID/GID but not in the
64 logical web space served directly by \emph{apache}.
65 \end{itemize}
66
67
68 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
69 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
70 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
71 \section{Installation Checklist}
72 %Section tag: ICK0
73 \label{cist0:sick0}
74
75 This section provides an enumerated overview of the steps required to
76 install \emph{\productbasename{}-\productversion{}}. The steps are explained
77 in detail in the indicated sections.
78
79 \begin{enumerate}
80 \item Selection of unpack directory, web root directory,
81 PHP library directory, and file repository directory
82 (\S{}\ref{cist0:sdse0}).
83 \item Unpacking of \emph{\productbasename{}-\productversion{}}
84 \emph{tar.gz} file (\S{}\ref{cist0:sutz0}).
85 \item Customization of \emph{PHP} include path (\S{}\ref{cist0:scpi0}).
86 \item Creation of site hash key (\S{}\ref{cist0:scsh0}).
87 \item Creation of \emph{MySQL} database (\S{}\ref{cist0:scmd0}).
88 \item Setup of \emph{apache} to serve web content (\S{}\ref{cist0:ssap0}).
89 \item Copying of web content files (\S{}\ref{cist0:swcf0}).
90 \item Copying of \emph{PHP} library files (\S{}\ref{cist0:scph0}).
91 \item Initialization of database (\S{}\ref{cist0:sdiz0}).
92 \item Initial testing (\S{}\ref{cist0:sits0}).
93 \end{enumerate}
94
95
96 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
97 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
98 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
99 \section{Directory Selection}
100 %Section tag: dse0
101 \label{cist0:sdse0}
102
103 TBD.
104
105
106 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
107 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
108 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
109 \section{Unpacking of \emph{tar.gz} File}
110 %Section tag: utz0
111 \label{cist0:sutz0}
112
113 TBD.
114
115
116 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
117 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
118 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
119 \section{Customization of \emph{PHP} Include Path}
120 %Section tag: cpi0
121 \label{cist0:scpi0}
122
123 TBD.
124
125
126 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
127 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
128 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
129 \section{Creation of Site Hash Key}
130 %Section tag: csh0
131 \label{cist0:scsh0}
132
133 The site hash key is best created using the
134 \index{hashkeygen@\emph{hashkeygen}} program. The specific steps are:
135
136 \begin{enumerate}
137 \item Change directory to the directory containing the script using
138 the command ``\texttt{cd sw/standalone}'' or similar.
139 \item Ensure that the file \emph{hashkeygen.php} has the
140 ``\texttt{x}'' bit set. The command ``\texttt{chmod +x hashkeygen.php}''
141 will accomplish this in most circumstances.
142 \item Run the program using the command ``\texttt{./hashkeygen.php}''.
143 \end{enumerate}
144
145 \begin{figure}
146 \begin{footnotesize}
147 \begin{verbatim}
148 [dashley@pamc standalone]$ ./hashkeygen.php
149 The key char set size is 89.
150 To maintain a purely random distribution, the maximum value of a
151 random character that can be used is 177.
152 Target key length is 204 characters.
153 Open of "/dev/random" was successful. Will now generate hash key. This may
154 take up to several minutes, as the device may block. Each character from
155 "/dev/random" that can be used is denoted with a ".", and each character
156 that cannot be used is denoted with a "/".
157 .../../../.././/../././....///..../............/././../.....
158 /////.//./////.....//./././.././/.../.../.../...//.../././/.
159 /...../..../....../......../.............//...../../..././..
160 ///./....//......//.//....////../..../......../....//.../../
161 /./././/..//./......./......///..././/......../..../.......
162 Key generation complete.
163 \end{verbatim}
164 \end{footnotesize}
165 \caption{Typical Output of \emph{hashkeygen}}
166 \label{fig:cist0:scsh0:00}
167 \end{figure}
168
169 \begin{figure}
170 \begin{scriptsize}
171 \begin{verbatim}
172 <?php
173 //hashkey.inc -- Definition of hash key for PAMC.
174 //--------------------------------------------------------------------------------
175 //This file is automatically generated by the hashkeygen.php program. Because
176 //this is a data file that should, for security reasons, be different for each
177 //deployment of the system, it is not kept under version control. However, the
178 //hashkeygen.php program that generated this file has this version control
179 //information associated with it:
180 //$Source: /home/dashley/cvsrep/e3ft_gpl01/e3ft_gpl01/webprojs/pamc/gen_a/docs/manual/man_a/c_ist0/c_ist0.tex,v $
181 //$Revision: 1.9 $
182 //$Date: 2009/11/04 16:50:19 $
183 //$Author: dashley $
184 //$State: Exp $
185 //--------------------------------------------------------------------------------
186 $config_hard["hash"]["key"] = "z)Jckkr?}6UC+GN8A{#VL{&DEdH=[Neu-X u4OONN+<7i)@t"
187 . "BZ_0LoD]8.@aYBrr[D6c(RV(vg3JdDIe^gW1?I2}5-[Imj5h"
188 . ">f{X]19R()i/)&;S1&A3^Wj_-Xjr!Vv(5VR]{ h9bFeWMXD "
189 . "+3@6W+/ _I *4yZ7umMa[o)!!J 43,OJmJBDpaRkzdr.;a2x"
190 . "%tXn&9a!QXa|";
191 //--------------------------------------------------------------------------------
192 ?>
193 \end{verbatim}
194 \end{scriptsize}
195 \caption{Typical Hash Key Generated by \emph{hashkeygen}}
196 \label{fig:cist0:scsh0:01}
197 \end{figure}
198
199 Typical output of the \emph{hashkeygen} program is shown in
200 Fig. \ref{fig:cist0:scsh0:00}. A typical key
201 generated is shown in
202 Fig. \ref{fig:cist0:scsh0:01}.
203
204 Note that the \emph{hashkeygen} program writes its output to the file\\\\
205 ``\texttt{../phplib/hash/hashkey.inc}''.\\\\ Later in the installation,
206 this file will be copied to the final location for the \emph{PHP} library.
207
208 It is naturally important that each deployment of
209 \emph{\productbasename{}-\productversion{}} have a hash key that is
210 unknown to a potential attacker. Although the \emph{hashkeygen} program is
211 the most effective way to generate a random hash key, the key can also
212 be created or edited manually (although this is not recommended).
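
The figures printed by \emph{hashkeygen} (set size 89, maximum usable value 177, 204 characters) describe rejection sampling, which the following added example reproduces; it is not the project's \emph{hashkeygen.php}. The 89-character alphabet is an assumption (the page does not list the real one), PHP's random\_bytes() stands in for the /dev/random read shown in the output, and PHP 7 or later is required.

```php
<?php
// Added example, not the project's hashkeygen.php. Requires PHP 7 or later.

// ASSUMPTION: printable ASCII minus six characters that are awkward inside a
// double-quoted PHP string. The page states only that the set has 89 members.
function build_alphabet(): string
{
    $excluded = '"\\$\'`~';
    $alphabet = '';
    for ($c = 0x20; $c <= 0x7E; $c++) {
        if (strpos($excluded, chr($c)) === false) {
            $alphabet .= chr($c);
        }
    }
    return $alphabet;
}

// Highest byte value usable without bias: the range 0..255 is cut down to the
// largest whole multiple of the set size (for 89 that is 0..177).
function max_usable_byte(int $setSize): int
{
    return intdiv(256, $setSize) * $setSize - 1;
}

// Count how many byte values map to each symbol, with and without rejection.
// Without rejection the low-numbered symbols are hit once more than the rest.
function symbol_hits(int $setSize, bool $reject): array
{
    $hits = array_fill(0, $setSize, 0);
    $limit = $reject ? max_usable_byte($setSize) : 255;
    for ($b = 0; $b <= $limit; $b++) {
        $hits[$b % $setSize]++;
    }
    return $hits;
}

// Draw $length symbols. $nextByte is any callable returning an int in 0..255.
// The trace uses the same "." (used) and "/" (discarded) marks as hashkeygen.
function generate_key(string $alphabet, int $length, callable $nextByte): array
{
    $setSize = strlen($alphabet);
    $limit = max_usable_byte($setSize);
    $key = '';
    $trace = '';
    while (strlen($key) < $length) {
        $b = $nextByte();
        if ($b > $limit) {
            $trace .= '/';
            continue;
        }
        $key .= $alphabet[$b % $setSize];
        $trace .= '.';
    }
    return [$key, $trace];
}

// Lay the key out as in the hashkey.inc figure: 48-character pieces joined
// with the PHP concatenation operator.
function format_hashkey_assignment(string $key): string
{
    $lead = '$config_hard["hash"]["key"] = "';
    $glue = "\"\n" . str_repeat(' ', strlen($lead) - 3) . '. "';
    return $lead . implode($glue, str_split($key, 48)) . "\";\n";
}

$alphabet = build_alphabet();
$csprng = function (): int {
    return ord(random_bytes(1));
};
list($key, $trace) = generate_key($alphabet, 204, $csprng);

$naive = symbol_hits(strlen($alphabet), false);
$fair = symbol_hits(strlen($alphabet), true);
printf("set size %d, max usable byte %d\n",
    strlen($alphabet), max_usable_byte(strlen($alphabet)));
printf("plain modulo:   %d to %d byte values per symbol\n", min($naive), max($naive));
printf("with rejection: %d to %d byte values per symbol\n", min($fair), max($fair));
printf("bytes drawn %d, discarded %d\n", strlen($trace), substr_count($trace, '/'));
echo format_hashkey_assignment($key);
```

On average 78 of every 256 bytes drawn are discarded, which matches the proportion of ``/'' marks in the sample output.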
213
214
215 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
216 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
217 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
218 \section{Creation of \emph{MySQL} Database}
219 %Section tag: cmd0
220 \label{cist0:scmd0}
221
222 Setup of
223 \index{MySQL@\emph{MySQL}!Setup for \productbasename{}-\productversion{}@Setup for \emph{\productbasename{}-\productversion{}}}%
224 \emph{MySQL} involves obtaining a database name,
225 userid, and password. (This is the only information
226 required to set up \emph{\productbasename{}}---creation of
227 database tables is handled by a script.)
228
229 The steps to set up \emph{MySQL} depend on how the software
230 is hosted.
231
232 \begin{itemize}
233 \item If the software is hosted by a hosting company, the
234 \emph{MySQL} database name, userid, and password will probably
235 be assigned by the hosting company.
236 \item If the software is hosted on an owned or dedicated server,
237 the setup must be performed by the individual
238 installing \emph{\productbasename{}}.
239 \end{itemize}
240
241 If the software is hosted on an owned or dedicated server,
242 the following steps should be used to set up \emph{MySQL}:
243
244 \begin{enumerate}
245 \item Choose a database name, userid, and password
246 for use with \emph{MySQL}. In subsequent description, these
247 are denoted \emph{dbname}, \emph{userid},
248 and \emph{password}.
249 \item Log into \emph{MySQL} as the root user.\footnote{Note that the
250 \emph{root} password for \emph{MySQL} is not the same
251 thing as the \emph{root} user password for \emph{Linux}.}
252 The command to do this is:
253
254 \texttt{mysql --user=root -p}
255 \item Create the database. The \emph{MySQL} command to do this is:
256
257 \texttt{create database \emph{dbname};}
258 \item Grant the user \emph{userid} all privileges on database
259 \emph{dbname} using password \emph{password} when connecting
260 from \emph{localhost}.\footnote{The normal arrangement is that the
261 \emph{MySQL} daemon runs on the same server as \emph{Apache}, hence
262 the connection from \emph{localhost}.} The command to do this is:
263
264 \texttt{grant all on \emph{dbname}.* to \emph{userid}@localhost\\identified by '\emph{password}';}
265 \item Log out of \emph{MySQL} (Control-D).
266 \item Test the permissions created by running
267
268 \texttt{mysql --user=\emph{userid} -p}
269
270 and entering the \emph{password} chosen. Issue the command:
271
272 \texttt{use \emph{dbname};}
273
274 to verify permission to access \emph{dbname}.
275 \item Log out of \emph{MySQL} (Control-D).
276 \end{enumerate}
277
278
279 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
280 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
281 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
282 \section{Creation of Network Interface Aliases (Some Installations Only)}
283 %Section tag: cna0
284 \label{cist0:scna0}
285
286 For greater security, \emph{\productbasename{}-\productversion{}} may be
287 served via \emph{https} rather than \emph{http}. Because
288 each domain served by \emph{https} must have its own IP address, in some
289 installations additional IP addresses will need to be bound to the same
290 network interface.
291
292 The procedure for assigning additional IP addresses to a network
293 interface involves creating an additional file in the
294 \texttt{/etc/sysconfig/network-scripts} directory.
295 The most common scenario is to create a file with a \emph{:0} suffix.
296 The files below illustrate adding the IP address 208.81.180.179 to
297 an interface already bound to the IP address 208.81.180.178.
298
299 \begin{small}
300 \begin{verbatim}
301 [dashley@pamc ~]$ cat /etc/sysconfig/network-scripts/ifcfg-eth0
302 # Broadcom Corporation NetXtreme BCM5722 Gigabit Ethernet PCI Express
303 DEVICE=eth0
304 BOOTPROTO=none
305 BROADCAST=208.81.180.255
306 HWADDR=00:1e:c9:51:a6:b9
307 IPADDR=208.81.180.178
308 NETMASK=255.255.255.128
309 NETWORK=208.81.180.128
310 ONBOOT=yes
311 GATEWAY=208.81.180.129
312 TYPE=Ethernet
313 [dashley@pamc ~]$ cat /etc/sysconfig/network-scripts/ifcfg-eth0:0
314 # Broadcom Corporation NetXtreme BCM5722 Gigabit Ethernet PCI Express
315 DEVICE=eth0:0
316 BOOTPROTO=none
317 BROADCAST=208.81.180.255
318 HWADDR=00:1e:c9:51:a6:b9
319 IPADDR=208.81.180.179
320 NETMASK=255.255.255.128
321 NETWORK=208.81.180.128
322 ONBOOT=yes
323 GATEWAY=208.81.180.129
324 TYPE=Ethernet
325 \end{verbatim}
326 \end{small}
327
328 Once the additional file is created, the \texttt{ifup} command can
329 be used to activate the interface without rebooting the system, e.g.
330 \texttt{ifup eth0:0}. When the system is rebooted, the interface will
331 be activated automatically if \texttt{ONBOOT=yes} is specified.
332
333 The network to which the server is connected must be configured to
334 accept the additional IP addresses. More information can be found
335 in various \emph{Linux} networking tutorials on the Internet.
336
337
338 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
339 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
340 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
341 \section{Creation of Multiple Instances of \emph{apache}}
342 %Section tag: cmi0
343 \label{cist0:scmi0}
344
345 A single instance of \emph{apache}, running under a single UID/GID,
346 can be configured to listen on multiple IP addresses and
347 serve multiple domains via \emph{https}. In some server deployments,
348 this will work well.
349
350 However, in some server deployments, it is desirable to serve multiple
351 domains from the same server, and using a single instance
352 of \emph{apache} may raise security issues if not
353 all of the web scripts are under the control of the same individual
354 or organization. It would be possible for one author of web content
355 to write a script that compromises private files of another author---files
356 containing hash keys, cryptographic keys, or database passwords, for example.
357
358 Running multiple instances of \emph{apache}, each running under a different
359 UID/GID and listening on a different IP address or port, can alleviate
360 security concerns. For example, in some server deployments it would be
361 possible to run \emph{\productbasename{}-\productversion{}} using a second
362 instance of \emph{apache} and a separate UID/GID, thus securing it against
363 attacks launched from the UID/GID of other instance(s).
364
365 A naming schema should be chosen for the multiple
366 instances of \emph{apache}. One naming schema would be to designate
367 the IP addresses as \emph{a}, \emph{b}, etc. so that the
368 instance of \emph{apache} listening on port 80 on the first interface
369 would be named \emph{httpd80a}.
370
371 The startup scripts in \texttt{/etc/rc.d/init.d} should be copied and modified
372 so that there is one startup script per instance of \emph{apache},
373 appropriately named to coincide with the naming schema chosen.
374 The difference listing below indicates how to modify each startup
375 script. Note that some modifications (the first ones in the listing)
376 are to comments and are unnecessary.
377
378 \begin{small}
379 \begin{verbatim}
380 [dashley@pamc ~]$ diff /etc/rc.d/init.d/httpd /etc/rc.d/init.d/httpd80a
381 3c3
382 < # httpd Startup script for the Apache HTTP Server
383 ---
384 > # httpd80a Startup script for the Apache HTTP Server
385 8,11c8,11
386 < # processname: httpd
387 < # config: /etc/httpd/conf/httpd.conf
388 < # config: /etc/sysconfig/httpd
389 < # pidfile: /var/run/httpd.pid
390 ---
391 > # processname: httpd80a
392 > # config: /etc/httpd/conf/httpd80a.conf
393 > # config: /etc/sysconfig/httpd80a
394 > # pidfile: /var/run/httpd80a.pid
395 16,17c16,17
396 < if [ -f /etc/sysconfig/httpd ]; then
397 < . /etc/sysconfig/httpd
398 ---
399 > if [ -f /etc/sysconfig/httpd80a ]; then
400 > . /etc/sysconfig/httpd80a
401 33,36c33,36
402 < httpd=${HTTPD-/usr/sbin/httpd}
403 < prog=httpd
404 < pidfile=${PIDFILE-/var/run/httpd.pid}
405 < lockfile=${LOCKFILE-/var/lock/subsys/httpd}
406 ---
407 > httpd=${HTTPD-/usr/sbin/httpd80a}
408 > prog=httpd80a
409 > pidfile=${PIDFILE-/var/run/httpd80a.pid}
410 > lockfile=${LOCKFILE-/var/lock/subsys/httpd80a}
411 41c41
412 < CONFFILE=/etc/httpd/conf/httpd.conf
413 ---
414 > CONFFILE=/etc/httpd/conf/httpd80a.conf
415 \end{verbatim}
416 \end{small}
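
Review bot: In the 33,36c33,36 hunk, the new \texttt{pidfile} default of \texttt{/var/run/httpd80a.pid} only changes where the startup script looks for the PID file; the \texttt{PidFile} directive in the copied \texttt{httpd80a.conf} has to name the same path, otherwise stop and status requests for this instance will find no process or will act on another instance. The values in this hunk are also only defaults, so anything set in \texttt{/etc/sysconfig/httpd80a} (sourced in the 16,17c16,17 hunk) overrides them; that file should be reviewed when the script is copied, and the listing should say so.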
417
418 The executable files in \texttt{/usr/sbin} should
419 be copied so that \texttt{httpd}, \texttt{httpd.worker}, and
420 \texttt{httpd.event} each have appropriately named copies corresponding
421 to the naming schema chosen. The listing below shows the files
422 on a typical server.
423
424 \begin{small}
425 \begin{verbatim}
426 [dashley@pamc ~]$ ls -al /usr/sbin/http*
427 -rwxr-xr-x 1 root root 315284 Jul 15 09:04 /usr/sbin/httpd
428 -rwxr-xr-x 1 root root 315284 Oct 4 01:29 /usr/sbin/httpd443a
429 -rwxr-xr-x 1 root root 327708 Oct 4 01:29 /usr/sbin/httpd443a.event
430 -rwxr-xr-x 1 root root 327708 Oct 4 01:30 /usr/sbin/httpd443a.worker
431 -rwxr-xr-x 1 root root 315284 Nov 1 23:20 /usr/sbin/httpd443b
432 -rwxr-xr-x 1 root root 327708 Nov 1 23:20 /usr/sbin/httpd443b.event
433 -rwxr-xr-x 1 root root 327708 Nov 1 23:20 /usr/sbin/httpd443b.worker
434 -rwxr-xr-x 1 root root 315284 Oct 4 01:29 /usr/sbin/httpd80a
435 -rwxr-xr-x 1 root root 327708 Oct 4 01:29 /usr/sbin/httpd80a.event
436 -rwxr-xr-x 1 root root 327708 Oct 4 01:30 /usr/sbin/httpd80a.worker
437 -rwxr-xr-x 1 root root 315284 Nov 1 23:19 /usr/sbin/httpd80b
438 -rwxr-xr-x 1 root root 327708 Nov 1 23:20 /usr/sbin/httpd80b.event
439 -rwxr-xr-x 1 root root 327708 Nov 1 23:20 /usr/sbin/httpd80b.worker
440 -rwxr-xr-x 1 root root 327708 Jul 15 09:04 /usr/sbin/httpd.event
441 -rwxr-xr-x 1 root root 327708 Jul 15 09:04 /usr/sbin/httpd.worker
442 \end{verbatim}
443 \end{small}
444
445 The runlevel links can then be modified. Need to add information about this.
446
447 \emph{Dave Ashley note:}
448 When attempting to use four instances of \emph{apache} to listen on two
449 IP addresses, ran into an issue with port binding to 0:0:0:0. Need to
450 resolve this issue definitively. For now, am using two instances of
451 \emph{apache}, one listening on two IP addresses on port 80, and the other
452 listening on two IP addresses on port 443. I should be able, however, to use
453 four instances.
454
455
456 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
457 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
458 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
459 \section{Generation of an SSL Certificate for \emph{apache}}
460 %Section tag: gsl0
461 \label{cist0:sgsl0}
462
463 An SSL certificate allows a browser (when using \emph{https}) to verify that
464 the site connected to is the actual site rather than the result of an intercepted
465 transmission.
466
467 An SSL certificate is required to serve \emph{\productbasename{}-\productversion{}}
468 via \emph{https}.
469
470 There are two types of SSL certificates that may be used:
471
472 \begin{itemize}
473 \item \textbf{A purchased certificate (\S\ref{cist0:sgsl0:spsl0})\@.}
474 A purchased certificate typically costs around \$30 (for a 1-year
475 certificate), but is traceable to a certification authority already
476 accepted by browsers and so introduces no complexity in configuring
477 a browser to accept the certificate.
478 \item \textbf{A self-signed certificate (\S\ref{cist0:sgsl0:sgss0})\@.}
479 A self-signed certificate is free, but introduces complexity in
480 configuring a browser to accept the certificate without nags or
481 perhaps to accept the certificate at all.
482 \end{itemize}
483
484
485 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
486 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
487 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
488 \subsection{Purchase of an SSL Certificate}
489 %Subsection tag: psl0
490 \label{cist0:sgsl0:spsl0}
491
492 TBD.
493
494
495 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
496 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
497 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
498 \subsection{Generating a Self-Signed SSL Certificate}
499 %Subsection tag: gss0
500 \label{cist0:sgsl0:sgss0}
501
502 TBD.
503
504
505 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
506 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
507 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
508 \section{Setup of \emph{apache} to Serve Web Content}
509 %Section tag: sap0
510 \label{cist0:ssap0}
511
512 TBD.
513
514
515 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
516 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
517 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
518 \section{Installation of the \emph{cc\_kt1\_auth\_php} Program}
519 %Section tag: ipg0
520 \label{cist0:sipg0}
521
522 The \emph{cc\_kt1\_auth\_php} program is called from \emph{PHP} scripts to
523 authenticate the \emph{CryptoCard} KT-1 token.
524
525 The \emph{cc\_kt1\_auth\_php} program operates in the following way:
526
527 \begin{itemize}
528 \item A \emph{PHP} script invokes the \emph{cc\_kt1\_auth\_php} program,
529 opening two pipes\footnote{Pipes (more precisely, anonymous pipes) are used because a pipe provides
530 secure communication between processes. Passing sensitive information
531 (such as token keys) as a command-line parameter is not secure, as
532 command-line parameters are world-visible on a \emph{Linux} system.}
533 to communicate bidirectionally with the program.
534 \item The \emph{cc\_kt1\_auth\_php} program accepts all of the data provided
535 by the \emph{PHP} script via a pipe. The data includes
536 a token key, token state, and other parameters.
537 \item The \emph{cc\_kt1\_auth\_php} program calls a library provided by
538 \emph{CryptoCard} to predict what a token should display.
539 \item The \emph{cc\_kt1\_auth\_php} program returns this information to
540 the \emph{PHP} script via a pipe.
541 \item The \emph{cc\_kt1\_auth\_php} program terminates.
542 \item The \emph{PHP} script uses the information provided by the
543 \emph{cc\_kt1\_auth\_php} program to authenticate a token.
544 \end{itemize}
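
The reason given above for using pipes can be checked directly. The following is an added example, not part of \emph{\productbasename{}}: it starts a stand-in child process (not \emph{cc\_kt1\_auth\_php}, whose request format is not given on this page) once with a constructed secret in its arguments and once with the secret written to its standard input, and reports whether the secret can be read from the child's \texttt{/proc} command line. It assumes PHP 7.4 or later run from the command line on \emph{Linux}.

```php
<?php
// Added example, not part of PAMC. Needs PHP 7.4+ (array form of proc_open,
// which starts the child without a shell) and Linux (/proc).

// Stand-in child, hypothetical. It announces readiness, then takes the secret
// from argv if one was given there, otherwise from the first line on stdin.
const CHILD = 'echo "ready\n"; $line = fgets(STDIN);'
            . '$s = $argv[1] ?? trim((string) $line);'
            . 'echo "got ", strlen($s), " bytes\n";';

// Run the child, handing it $secret either in argv or over the stdin pipe.
// Returns the command line any local user could read while the child runs,
// together with the child's reply and exit status.
function run_child(string $secret, bool $viaArgv): array
{
    $cmd = [PHP_BINARY, '-r', CHILD];
    if ($viaArgv) {
        array_push($cmd, '--', $secret);
    }
    $spec = [
        0 => ['pipe', 'r'],   // child reads its stdin from us
        1 => ['pipe', 'w'],   // child writes its stdout to us
    ];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }

    // Wait for "ready" so the child has finished exec and /proc shows its
    // own command line rather than ours.
    fgets($pipes[1]);
    $pid = proc_get_status($proc)['pid'];
    $cmdline = (string) @file_get_contents("/proc/$pid/cmdline");
    $visible = str_replace("\0", ' ', $cmdline);

    if (!$viaArgv) {
        fwrite($pipes[0], $secret . "\n");
    }
    fclose($pipes[0]);        // end of input for the child
    $reply = trim((string) stream_get_contents($pipes[1]));
    fclose($pipes[1]);
    $exit = proc_close($proc);

    return ['cmdline' => $visible, 'reply' => $reply, 'exit' => $exit];
}

// Constructed sample value, not a real token key.
$secret = 'CONSTRUCTED-TOKEN-KEY-0123456789';

foreach ([true, false] as $viaArgv) {
    $r = run_child($secret, $viaArgv);
    printf(
        "%-4s  secret readable from /proc cmdline: %-3s  child replied: %s\n",
        $viaArgv ? 'argv' : 'pipe',
        strpos($r['cmdline'], $secret) !== false ? 'yes' : 'no',
        $r['reply']
    );
}
```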
545
546 The \emph{cc\_kt1\_auth\_php} program can be installed using the following steps:
547
548 \begin{enumerate}
549 \item Obtain the \emph{AuthEngine SDK} product from \emph{CryptoCard}.
550 \item Install the shared libraries (\texttt{libAuthentication.so} and
551 \texttt{libAuthentication.a}) in the recommended location for
552 the target system,\footnote{On a standard \emph{Linux} system,
553 the appropriate location is \texttt{/usr/lib}.}
554 and set ownership and permissions appropriately.
555 \item Place the program file (\texttt{cc\_kt1\_auth\_php.c}) and
556 the header file from \emph{CryptoCard} (\texttt{Authentication.h})
557 in a directory for compilation.
558 \item Compile the program using the instructions contained in the source
559 code. The source code also contains a description of steps to
560 take if \texttt{libcrypto.so.4} is missing.
561 \item Copy the executable to a location suitable for the target system and
562 set ownership and permissions appropriately (this is described
563 in the source code).
564 \end{enumerate}
565
566
567 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
568 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
569 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
570 \section{Copying of \emph{PHP} Web Content Files}
571 %Section tag: wcf0
572 \label{cist0:swcf0}
573
574 TBD.
575
576
577 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
578 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
579 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
580 \section{Copying of \emph{PHP} Library Files}
581 %Section tag: CPH0
582 \label{cist0:scph0}
583
584 TBD.
585
586
587 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
588 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
589 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
590 \section{Database Initialization}
591 %Section tag: DIZ0
592 \label{cist0:sdiz0}
593
594 TBD.
595
596
597 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
598 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
599 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
600 \section{Initial Testing}
601 %Section tag: ITS0
602 \label{cist0:sits0}
603
604 TBD.
605
606
607 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
608 \noindent\begin{figure}[!b]
609 \noindent\rule[-0.25in]{\textwidth}{1pt}
610 \begin{tiny}
611 \begin{verbatim}
612 $RCSfile: c_ist0.tex,v $
613 $Source: /home/dashley/cvsrep/e3ft_gpl01/e3ft_gpl01/webprojs/pamc/gen_a/docs/manual/man_a/c_ist0/c_ist0.tex,v $
614 $Revision: 1.9 $
615 $Author: dashley $
616 $Date: 2009/11/04 16:50:19 $
617 \end{verbatim}
618 \end{tiny}
619 \noindent\rule[0.25in]{\textwidth}{1pt}
620 \end{figure}
621
622 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
623 %$Log: c_ist0.tex,v $
624 %Revision 1.9 2009/11/04 16:50:19 dashley
625 %Edits.
626 %
627 %Revision 1.8 2009/11/02 04:53:28 dashley
628 %Edits.
629 %
630 %Revision 1.7 2009/11/02 02:00:04 dashley
631 %Edits.
632 %
633 %Revision 1.6 2007/06/24 21:19:24 dashley
634 %Minor extra word (that won't work) for MySQL command removed.
635 %
636 %Revision 1.5 2007/06/12 02:47:17 dashley
637 %Edits.
638 %
639 %Revision 1.4 2007/06/10 18:03:20 dashley
640 %Edits.
641 %
642 %Revision 1.3 2007/06/06 02:23:58 dashley
643 %Edits.
644 %
645 %Revision 1.2 2007/06/04 03:26:55 dashley
646 %Edits.
647 %
648 %Revision 1.1 2007/06/04 00:12:03 dashley
649 %Initial checkin.
650 %
651 %End of $RCSfile: c_ist0.tex,v $.
