%$Header: /home/dashley/cvsrep/e3ft_gpl01/e3ft_gpl01/webprojs/pamc/gen_a/docs/manual/man_a/c_ist0/c_ist0.tex,v 1.9 2009/11/04 16:50:19 dashley Exp $
\chapter{Installation of \emph{\productbasename{}-\productversion{}}}
\label{cist0}
\beginchapterquote{``A distributed system is one in which the failure of
a computer you didn't even know existed can render
your own computer unusable.''}
{Leslie Lamport, as quoted in a newsgroup post by Richard Heylen}
|
11 |
|
12 |
|
13 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
14 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
15 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
16 |
\section{Introduction}
|
17 |
%Section tag: INT0
|
18 |
\label{cist0:sint0}
|
19 |
|
20 |
This chapter provides instructions for installing
|
21 |
\emph{\productbasename{}-\productversion{}}.
|
22 |
|
23 |
|
24 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
25 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
26 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
27 |
\section{System Requirements}
|
28 |
%Section tag: srq0
|
29 |
\label{cist0:ssrq0}
|
30 |
|
31 |
\index{system requirements}In order to install
|
32 |
\emph{\productbasename{}-\productversion{}}, the
|
33 |
server must meet the following requirements:
|
34 |
|
35 |
\begin{itemize}
|
36 |
\item Virtually any\footnote{\emph{Any} because
|
37 |
\emph{\productbasename{}-\productversion{}} is a very ordinary
|
38 |
database application and does not make use of any special
|
39 |
features of the operating system or \emph{MySQL}.}
|
40 |
version of a *nix (\emph{Linux}, \emph{FreeBSD},
|
41 |
\emph{Solaris}, etc.).
|
42 |
\item \index{apache@\emph{apache}}\emph{apache}, any modern version.
|
43 |
\item \index{PHP@\emph{PHP}}\emph{PHP}, version 4.X or above.
|
44 |
\item \index{MySQL@\emph{MySQL}}\emph{MySQL}, version 4.X or above.
|
45 |
\item Any sane processor and processor speed.
|
46 |
\item Any sane amount of RAM.
|
47 |
\item Adequate system permissions to inject e-mail from \emph{PHP} via \emph{PHP}'s
|
48 |
\index{mail()@\emph{mail($\cdot{}$)}}\emph{mail($\cdot{}$)} function.
|
49 |
\item Adequate system permissions to set up a directory, with
|
50 |
read/write/create permissions
|
51 |
for the UID/GID of the \emph{apache} server, to contain the file repository.
|
52 |
The file repository must not be located in the logical web space served
directly by \emph{apache}, so that repository files cannot be fetched
directly by web clients.
|
54 |
\item Adequate system permissions to set up a \emph{cron} job that runs
|
55 |
at least once every several minutes and runs under the same UID/GID as the
|
56 |
\emph{apache} server.\footnote{Because this \emph{cron} job performs
|
57 |
some CPU-intensive tasks (such as verifying file signatures of files in the
|
58 |
file repository), it would violate
|
59 |
the terms of most shared hosting services. A dedicated server is
|
60 |
almost certainly required; and if not that then a server that is not
|
61 |
too heavily loaded.}
|
62 |
\item Adequate system permissions to set up a location for the PHP library
|
63 |
that is accessible to the \emph{apache} UID/GID but not in the
|
64 |
logical web space served directly by \emph{apache}.
|
65 |
\end{itemize}
|
66 |
|
67 |
|
68 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
69 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
70 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
71 |
\section{Installation Checklist}
|
72 |
%Section tag: ICK0
|
73 |
\label{cist0:sick0}
|
74 |
|
75 |
This section provides an enumerated overview of the steps required to
|
76 |
install \emph{\productbasename{}-\productversion{}}. The steps are explained
|
77 |
in detail in the indicated sections.
|
78 |
|
79 |
\begin{enumerate}
|
80 |
\item Selection of unpack directory, web root directory,
|
81 |
PHP library directory, and file repository directory
|
82 |
(\S{}\ref{cist0:sdse0}).
|
83 |
\item Unpacking of \emph{\productbasename{}-\productversion{}}
|
84 |
\emph{tar.gz} file (\S{}\ref{cist0:sutz0}).
|
85 |
\item Customization of \emph{PHP} include path (\S{}\ref{cist0:scpi0}).
|
86 |
\item Creation of site hash key (\S{}\ref{cist0:scsh0}).
|
87 |
\item Creation of \emph{MySQL} database (\S{}\ref{cist0:scmd0}).
\item For some installations only: creation of network interface aliases
(\S{}\ref{cist0:scna0}) and of multiple instances of \emph{apache}
(\S{}\ref{cist0:scmi0}).
\item Generation of an SSL certificate for \emph{apache}, if serving
via \emph{https} (\S{}\ref{cist0:sgsl0}).
\item Setup of \emph{apache} to serve web content (\S{}\ref{cist0:ssap0}).
\item Installation of the \emph{cc\_kt1\_auth\_php} program (\S{}\ref{cist0:sipg0}).
\item Copying of web content files (\S{}\ref{cist0:swcf0}).
|
90 |
\item Copying of \emph{PHP} library files (\S{}\ref{cist0:scph0}).
|
91 |
\item Initialization of database (\S{}\ref{cist0:sdiz0}).
|
92 |
\item Initial testing (\S{}\ref{cist0:sits0}).
|
93 |
\end{enumerate}
|
94 |
|
95 |
|
96 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
97 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
98 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
99 |
\section{Directory Selection}
|
100 |
%Section tag: dse0
|
101 |
\label{cist0:sdse0}
|
102 |
|
103 |
TBD.
|
104 |
|
105 |
|
106 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
107 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
108 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
109 |
\section{Unpacking of \emph{tar.gz} File}
|
110 |
%Section tag: utz0
|
111 |
\label{cist0:sutz0}
|
112 |
|
113 |
TBD.
|
114 |
|
115 |
|
116 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
117 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
118 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
119 |
\section{Customization of \emph{PHP} Include Path}
|
120 |
%Section tag: cpi0
|
121 |
\label{cist0:scpi0}
|
122 |
|
123 |
TBD.
|
124 |
|
125 |
|
126 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
127 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
128 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
129 |
\section{Creation of Site Hash Key}
|
130 |
%Section tag: csh0
|
131 |
\label{cist0:scsh0}
|
132 |
|
133 |
The site hash key is best created using the
\index{hashkeygen@\emph{hashkeygen}}\emph{hashkeygen} program. The specific steps are:
|
135 |
|
136 |
\begin{enumerate}
|
137 |
\item Change directory to the directory containing the script using
|
138 |
the command ``\texttt{cd sw/standalone}'' or similar.
|
139 |
\item Ensure that the file \emph{hashkeygen.php} has the
|
140 |
``\texttt{x}'' bit set. The command ``\texttt{chmod +x hashkeygen.php}''
|
141 |
will accomplish this in most circumstances.
|
142 |
\item Run the program using the command ``\texttt{./hashkeygen.php}''.
|
143 |
\end{enumerate}
|
144 |
|
145 |
\begin{figure}
|
146 |
\begin{footnotesize}
|
147 |
\begin{verbatim}
|
148 |
[dashley@pamc standalone]$ ./hashkeygen.php
|
149 |
The key char set size is 89.
|
150 |
To maintain a purely random distribution, the maximum value of a
|
151 |
random character that can be used is 177.
|
152 |
Target key length is 204 characters.
|
153 |
Open of "/dev/random" was successful. Will now generate hash key. This may
|
154 |
take up to several minutes, as the device may block. Each character from
|
155 |
"/dev/random" that can be used is denoted with a ".", and each character
|
156 |
that cannot be used is denoted with a "/".
|
157 |
.../../../.././/../././....///..../............/././../.....
|
158 |
/////.//./////.....//./././.././/.../.../.../...//.../././/.
|
159 |
/...../..../....../......../.............//...../../..././..
|
160 |
///./....//......//.//....////../..../......../....//.../../
|
161 |
/./././/..//./......./......///..././/......../..../.......
|
162 |
Key generation complete.
|
163 |
\end{verbatim}
|
164 |
\end{footnotesize}
|
165 |
\caption{Typical Output of \emph{hashkeygen}}
|
166 |
\label{fig:cist0:scsh0:00}
|
167 |
\end{figure}
|
168 |
|
169 |
\begin{figure}
|
170 |
\begin{scriptsize}
|
171 |
\begin{verbatim}
|
172 |
<?php
|
173 |
//hashkey.inc -- Definition of hash key for PAMC.
|
174 |
//--------------------------------------------------------------------------------
|
175 |
//This file is automatically generated by the hashkeygen.php program. Because
|
176 |
//this is a data file that should, for security reasons, be different for each
|
177 |
//deployment of the system, it is not kept under version control. However, the
|
178 |
//hashkeygen.php program that generated this file has this version control
|
179 |
//information associated with it:
|
180 |
//$Source: /home/dashley/cvsrep/e3ft_gpl01/e3ft_gpl01/webprojs/pamc/gen_a/docs/manual/man_a/c_ist0/c_ist0.tex,v $
|
181 |
//$Revision: 1.9 $
|
182 |
//$Date: 2009/11/04 16:50:19 $
|
183 |
//$Author: dashley $
|
184 |
//$State: Exp $
|
185 |
//--------------------------------------------------------------------------------
|
186 |
$config_hard["hash"]["key"] = "z)Jckkr?}6UC+GN8A{#VL{&DEdH=[Neu-X u4OONN+<7i)@t"
|
187 |
. "BZ_0LoD]8.@aYBrr[D6c(RV(vg3JdDIe^gW1?I2}5-[Imj5h"
|
188 |
. ">f{X]19R()i/)&;S1&A3^Wj_-Xjr!Vv(5VR]{ h9bFeWMXD "
|
189 |
. "+3@6W+/ _I *4yZ7umMa[o)!!J 43,OJmJBDpaRkzdr.;a2x"
|
190 |
. "%tXn&9a!QXa|";
|
191 |
//--------------------------------------------------------------------------------
|
192 |
?>
|
193 |
\end{verbatim}
|
194 |
\end{scriptsize}
|
195 |
\caption{Typical Hash Key Generated by \emph{hashkeygen}}
|
196 |
\label{fig:cist0:scsh0:01}
|
197 |
\end{figure}
|
198 |
|
199 |
Typical output of the \emph{hashkeygen} program is shown in
Fig.~\ref{fig:cist0:scsh0:00}. A typical key
generated is shown in
Fig.~\ref{fig:cist0:scsh0:01}.
|
203 |
|
204 |
Note that the \emph{hashkeygen} program writes its output to the file
``\texttt{../phplib/hash/hashkey.inc}''. Later in the installation,
this file will be copied to the final location for the \emph{PHP} library.
|
207 |
|
208 |
It is naturally important that each deployment of
\emph{\productbasename{}-\productversion{}} have a hash key that is
unknown to a potential attacker; in particular, the sample key shown in
Fig.~\ref{fig:cist0:scsh0:01} is published in this manual and must not be
used. Although the \emph{hashkeygen} program is
the most effective way to generate a random hash key, the key can also
be created or edited manually (although this is not recommended, since a
manually chosen key is unlikely to be as random).
|
213 |
|
214 |
|
215 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
216 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
217 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
218 |
\section{Creation of \emph{MySQL} Database}
|
219 |
%Section tag: cmd0
|
220 |
\label{cist0:scmd0}
|
221 |
|
222 |
Setup of
|
223 |
\index{MySQL@\emph{MySQL}!Setup for \productbasename{}-\productversion{}@Setup for \emph{\productbasename{}-\productversion{}}}%
|
224 |
\emph{MySQL} involves obtaining a database name,
|
225 |
userid, and password. (This is the only information
|
226 |
required to set up \emph{\productbasename{}}---creation of
|
227 |
database tables is handled by a script.)
|
228 |
|
229 |
The steps to set up \emph{MySQL} depend on how the software
|
230 |
is hosted.
|
231 |
|
232 |
\begin{itemize}
|
233 |
\item If the software is hosted by a hosting company, the
|
234 |
\emph{MySQL} database name, userid, and password will probably
|
235 |
be assigned by the hosting company.
|
236 |
\item If the software is hosted on an owned or dedicated server,
|
237 |
the setup must be performed by the individual
|
238 |
installing \emph{\productbasename{}}.
|
239 |
\end{itemize}
|
240 |
|
241 |
If the software is hosted on an owned or dedicated server,
|
242 |
the following steps should be used to set up \emph{MySQL}:
|
243 |
|
244 |
\begin{enumerate}
|
245 |
\item Choose a database name, userid, and password
|
246 |
for use with \emph{MySQL}. In subsequent description, these
|
247 |
are denoted \emph{dbname}, \emph{userid},
|
248 |
and \emph{password}.
|
249 |
\item Log into \emph{MySQL} as the root user.\footnote{Note that the
|
250 |
\emph{root} password for \emph{MySQL} is not the same
|
251 |
thing as the \emph{root} user password for \emph{Linux}.}
|
252 |
The command to do this is:
|
253 |
|
254 |
\texttt{mysql --user=root -p}
|
255 |
\item Create the database. The \emph{MySQL} command to do this is:
|
256 |
|
257 |
\texttt{create database \emph{dbname};}
|
258 |
\item Grant the user \emph{userid} all privileges on database
|
259 |
\emph{dbname} using password \emph{password} when connecting
|
260 |
from \emph{localhost}.\footnote{The normal arrangement is that the
|
261 |
\emph{MySQL} daemon runs on the same server as \emph{apache}, hence
|
262 |
the connection from \emph{localhost}.} The command to do this is:
|
263 |
|
264 |
\texttt{grant all on \emph{dbname}.* to \emph{userid}@localhost\\identified by '\emph{password}';}
|
265 |
\item Log out of \emph{MySQL} (Control-D).
|
266 |
\item Test the permissions created by running
|
267 |
|
268 |
\texttt{mysql --user=\emph{userid} -p}
|
269 |
|
270 |
and entering the \emph{password} chosen. Issue the command:
|
271 |
|
272 |
\texttt{use \emph{dbname};}
|
273 |
|
274 |
to verify permission to access \emph{dbname}.
|
275 |
\item Log out of \emph{MySQL} (Control-D).
|
276 |
\end{enumerate}
|
277 |
|
278 |
|
279 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
280 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
281 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
282 |
\section{Creation of Network Interface Aliases (Some Installations Only)}
|
283 |
%Section tag: cna0
|
284 |
\label{cist0:scna0}
|
285 |
|
286 |
For greater security, \emph{\productbasename{}-\productversion{}} may be
|
287 |
served via \emph{https} rather than \emph{http}. Because
|
288 |
each domain served by \emph{https} must have its own IP address, in some
|
289 |
installations additional IP addresses will need to be bound to the same
|
290 |
network interface.
|
291 |
|
292 |
The procedure for assigning additional IP addresses to a network
|
293 |
interface involves creating an additional file in the
|
294 |
\texttt{/etc/sysconfig/network-scripts} directory.
|
295 |
The most common scenario is to create a file with a \emph{:0} suffix.
|
296 |
The files below illustrate adding the IP address 208.81.180.179 to
|
297 |
an interface already bound to the IP address 208.81.180.178.
|
298 |
|
299 |
\begin{small}
|
300 |
\begin{verbatim}
|
301 |
[dashley@pamc ~]$ cat /etc/sysconfig/network-scripts/ifcfg-eth0
|
302 |
# Broadcom Corporation NetXtreme BCM5722 Gigabit Ethernet PCI Express
|
303 |
DEVICE=eth0
|
304 |
BOOTPROTO=none
|
305 |
BROADCAST=208.81.180.255
|
306 |
HWADDR=00:1e:c9:51:a6:b9
|
307 |
IPADDR=208.81.180.178
|
308 |
NETMASK=255.255.255.128
|
309 |
NETWORK=208.81.180.128
|
310 |
ONBOOT=yes
|
311 |
GATEWAY=208.81.180.129
|
312 |
TYPE=Ethernet
|
313 |
[dashley@pamc ~]$ cat /etc/sysconfig/network-scripts/ifcfg-eth0:0
|
314 |
# Broadcom Corporation NetXtreme BCM5722 Gigabit Ethernet PCI Express
|
315 |
DEVICE=eth0:0
|
316 |
BOOTPROTO=none
|
317 |
BROADCAST=208.81.180.255
|
318 |
HWADDR=00:1e:c9:51:a6:b9
|
319 |
IPADDR=208.81.180.179
|
320 |
NETMASK=255.255.255.128
|
321 |
NETWORK=208.81.180.128
|
322 |
ONBOOT=yes
|
323 |
GATEWAY=208.81.180.129
|
324 |
TYPE=Ethernet
|
325 |
\end{verbatim}
|
326 |
\end{small}
|
327 |
|
328 |
Once the additional file is created, the \texttt{ifup} command can be
used to activate the interface without rebooting the system, i.e.\
\texttt{ifup eth0:0}. When the system is rebooted, the interface will
be activated automatically if \texttt{ONBOOT=yes} is specified.
|
332 |
|
333 |
The network to which the server is connected must be configured to
|
334 |
accept the additional IP addresses. More information can be found
|
335 |
in various \emph{Linux} networking tutorials on the Internet.
|
336 |
|
337 |
|
338 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
339 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
340 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
341 |
\section{Creation of Multiple Instances of \emph{apache}}
|
342 |
%Section tag: cmi0
|
343 |
\label{cist0:scmi0}
|
344 |
|
345 |
A single instance of \emph{apache}, running under a single UID/GID,
|
346 |
can be configured to listen on multiple IP addresses and
|
347 |
serve multiple domains via \emph{https}. In some server deployments,
|
348 |
this will work well.
|
349 |
|
350 |
However, in some server deployments, it is desirable to serve multiple
|
351 |
domains from the same server, and using a single instance
|
352 |
of \emph{apache} may raise security issues if not
|
353 |
all of the web scripts are under the control of the same individual
|
354 |
or organization. It would be possible for one author of web content
|
355 |
to write a script that compromises private files of another author---files
|
356 |
containing hash keys, cryptographic keys, or database passwords, for example.
|
357 |
|
358 |
Running multiple instances of \emph{apache}, each running under a different
|
359 |
UID/GID and listening on a different IP address or port, can alleviate
|
360 |
security concerns. For example, in some server deployments it would be
|
361 |
possible to run \emph{\productbasename{}-\productversion{}} using a second
|
362 |
instance of \emph{apache} and a separate UID/GID, thus securing it against
|
363 |
attacks launched from the UID/GID of other instance(s).
|
364 |
|
365 |
A naming scheme should be chosen for the multiple
instances of \emph{apache}. One naming scheme would be to designate
the IP addresses as \emph{a}, \emph{b}, etc., so that the
instance of \emph{apache} listening on port 80 on the first interface
would be named \emph{httpd80a}.
|
370 |
|
371 |
The startup scripts in \texttt{/etc/rc.d/init.d} should be copied and modified
so that there is one startup script per instance of \emph{apache},
appropriately named to coincide with the naming scheme chosen.
The difference listing below indicates how to modify each startup
script. Note that some modifications (the first ones in the listing)
are to comments only and are optional.
|
377 |
|
378 |
\begin{small}
|
379 |
\begin{verbatim}
|
380 |
[dashley@pamc ~]$ diff /etc/rc.d/init.d/httpd /etc/rc.d/init.d/httpd80a
|
381 |
3c3
|
382 |
< # httpd Startup script for the Apache HTTP Server
|
383 |
---
|
384 |
> # httpd80a Startup script for the Apache HTTP Server
|
385 |
8,11c8,11
|
386 |
< # processname: httpd
|
387 |
< # config: /etc/httpd/conf/httpd.conf
|
388 |
< # config: /etc/sysconfig/httpd
|
389 |
< # pidfile: /var/run/httpd.pid
|
390 |
---
|
391 |
> # processname: httpd80a
|
392 |
> # config: /etc/httpd/conf/httpd80a.conf
|
393 |
> # config: /etc/sysconfig/httpd80a
|
394 |
> # pidfile: /var/run/httpd80a.pid
|
395 |
16,17c16,17
|
396 |
< if [ -f /etc/sysconfig/httpd ]; then
|
397 |
< . /etc/sysconfig/httpd
|
398 |
---
|
399 |
> if [ -f /etc/sysconfig/httpd80a ]; then
|
400 |
> . /etc/sysconfig/httpd80a
|
401 |
33,36c33,36
|
402 |
< httpd=${HTTPD-/usr/sbin/httpd}
|
403 |
< prog=httpd
|
404 |
< pidfile=${PIDFILE-/var/run/httpd.pid}
|
405 |
< lockfile=${LOCKFILE-/var/lock/subsys/httpd}
|
406 |
---
|
407 |
> httpd=${HTTPD-/usr/sbin/httpd80a}
|
408 |
> prog=httpd80a
|
409 |
> pidfile=${PIDFILE-/var/run/httpd80a.pid}
|
410 |
> lockfile=${LOCKFILE-/var/lock/subsys/httpd80a}
|
411 |
41c41
|
412 |
< CONFFILE=/etc/httpd/conf/httpd.conf
|
413 |
---
|
414 |
> CONFFILE=/etc/httpd/conf/httpd80a.conf
|
415 |
\end{verbatim}
|
416 |
\end{small}
|
417 |
|
418 |
The executable files in \texttt{/usr/sbin} should
be copied so that \texttt{httpd}, \texttt{httpd.worker}, and
\texttt{httpd.event} each have appropriately named copies corresponding
to the naming scheme chosen. The listing below shows the files
in a typical server.
|
423 |
|
424 |
\begin{small}
|
425 |
\begin{verbatim}
|
426 |
[dashley@pamc ~]$ ls -al /usr/sbin/http*
|
427 |
-rwxr-xr-x 1 root root 315284 Jul 15 09:04 /usr/sbin/httpd
|
428 |
-rwxr-xr-x 1 root root 315284 Oct 4 01:29 /usr/sbin/httpd443a
|
429 |
-rwxr-xr-x 1 root root 327708 Oct 4 01:29 /usr/sbin/httpd443a.event
|
430 |
-rwxr-xr-x 1 root root 327708 Oct 4 01:30 /usr/sbin/httpd443a.worker
|
431 |
-rwxr-xr-x 1 root root 315284 Nov 1 23:20 /usr/sbin/httpd443b
|
432 |
-rwxr-xr-x 1 root root 327708 Nov 1 23:20 /usr/sbin/httpd443b.event
|
433 |
-rwxr-xr-x 1 root root 327708 Nov 1 23:20 /usr/sbin/httpd443b.worker
|
434 |
-rwxr-xr-x 1 root root 315284 Oct 4 01:29 /usr/sbin/httpd80a
|
435 |
-rwxr-xr-x 1 root root 327708 Oct 4 01:29 /usr/sbin/httpd80a.event
|
436 |
-rwxr-xr-x 1 root root 327708 Oct 4 01:30 /usr/sbin/httpd80a.worker
|
437 |
-rwxr-xr-x 1 root root 315284 Nov 1 23:19 /usr/sbin/httpd80b
|
438 |
-rwxr-xr-x 1 root root 327708 Nov 1 23:20 /usr/sbin/httpd80b.event
|
439 |
-rwxr-xr-x 1 root root 327708 Nov 1 23:20 /usr/sbin/httpd80b.worker
|
440 |
-rwxr-xr-x 1 root root 327708 Jul 15 09:04 /usr/sbin/httpd.event
|
441 |
-rwxr-xr-x 1 root root 327708 Jul 15 09:04 /usr/sbin/httpd.worker
|
442 |
\end{verbatim}
|
443 |
\end{small}
|
444 |
|
445 |
The runlevel links can then be modified; details of this step are TBD.
|
446 |
|
447 |
\emph{Dave Ashley note:}
|
448 |
When attempting to use four instances of \emph{apache} to listen on two
|
449 |
IP addresses, ran into an issue with port binding to 0:0:0:0. Need to
|
450 |
resolve this issue definitively. For now, am using two instances of
|
451 |
\emph{apache}, one listening on two IP addresses on port 80, and the other
|
452 |
listening on two IP addresses on port 443. I should be able, however, to use
|
453 |
four instances.
|
454 |
|
455 |
|
456 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
457 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
458 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
459 |
\section{Generation of an SSL Certificate for \emph{apache}}
|
460 |
%Section tag: gsl0
|
461 |
\label{cist0:sgsl0}
|
462 |
|
463 |
An SSL certificate allows a browser (when using \emph{https}) to verify that
the site connected to is the actual site rather than the result of an intercepted
transmission.
|
466 |
|
467 |
An SSL certificate is required to serve \emph{\productbasename{}-\productversion{}}
|
468 |
via \emph{https}.
|
469 |
|
470 |
There are two types of SSL certificates that may be used:
|
471 |
|
472 |
\begin{itemize}
|
473 |
\item \textbf{A purchased certificate (\S\ref{cist0:sgsl0:spsl0})\@.}
|
474 |
A purchased certificate typically costs around \$30 (for a 1-year
|
475 |
certificate), but is traceable to a certification authority already
|
476 |
accepted by browsers and so introduces no complexity in configuring
|
477 |
a browser to accept the certificate.
|
478 |
\item \textbf{A self-signed certificate (\S\ref{cist0:sgsl0:sgss0})\@.}
|
479 |
A self-signed certificate is free, but introduces complexity in
|
480 |
configuring a browser to accept the certificate without nags or
|
481 |
perhaps to accept the certificate at all.
|
482 |
\end{itemize}
|
483 |
|
484 |
|
485 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
486 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
487 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
488 |
\subsection{Purchase of an SSL Certificate}
|
489 |
%Subsection tag: psl0
|
490 |
\label{cist0:sgsl0:spsl0}
|
491 |
|
492 |
TBD.
|
493 |
|
494 |
|
495 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
496 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
497 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
498 |
\subsection{Generating a Self-Signed SSL Certificate}
|
499 |
%Subsection tag: gss0
|
500 |
\label{cist0:sgsl0:sgss0}
|
501 |
|
502 |
TBD.
|
503 |
|
504 |
|
505 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
506 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
507 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
508 |
\section{Setup of \emph{apache} to Serve Web Content}
|
509 |
%Section tag: sap0
|
510 |
\label{cist0:ssap0}
|
511 |
|
512 |
TBD.
|
513 |
|
514 |
|
515 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
516 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
517 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
518 |
\section{Installation of the \emph{cc\_kt1\_auth\_php} Program}
|
519 |
%Section tag: ipg0
|
520 |
\label{cist0:sipg0}
|
521 |
|
522 |
The \emph{cc\_kt1\_auth\_php} program is called from \emph{PHP} scripts to
|
523 |
authenticate the \emph{CryptoCard} KT-1 token.
|
524 |
|
525 |
The \emph{cc\_kt1\_auth\_php} program operates in the following way:
|
526 |
|
527 |
\begin{itemize}
|
528 |
\item A \emph{PHP} script invokes the \emph{cc\_kt1\_auth\_php} program,
|
529 |
opening two pipes\footnote{Pipes (more precisely, anonymous pipes) are used because a pipe provides
|
530 |
secure communication between processes. Passing sensitive information
|
531 |
(such as token keys) as a command-line parameter is not secure, as
|
532 |
command-line parameters are world-visible on a \emph{Linux} system.}
|
533 |
to communicate bidirectionally with the program.
|
534 |
\item The \emph{cc\_kt1\_auth\_php} program accepts all of the data provided
by the \emph{PHP} script via a pipe. The data includes
a token key, token state, and other parameters.
\item The \emph{cc\_kt1\_auth\_php} program calls a library provided by
\emph{CryptoCard} to predict what a token should display.
\item The \emph{cc\_kt1\_auth\_php} program returns this information to
the \emph{PHP} script via a pipe.
\item The \emph{cc\_kt1\_auth\_php} program terminates.
|
542 |
\item The \emph{PHP} script uses the information provided by the
|
543 |
\emph{cc\_kt1\_auth\_php} program to authenticate a token.
|
544 |
\end{itemize}
|
545 |
|
546 |
The \emph{cc\_kt1\_auth\_php} program can be installed using the following steps:
|
547 |
|
548 |
\begin{enumerate}
|
549 |
\item Obtain the \emph{AuthEngine SDK} product from \emph{CryptoCard}.
|
550 |
\item Install the shared libraries (\texttt{libAuthentication.so}
and \texttt{libAuthentication.a}) in the recommended location for
|
552 |
the target system,\footnote{On a standard \emph{Linux} system,
|
553 |
the appropriate location is \texttt{/usr/lib}.}
|
554 |
and set ownership and permissions appropriately.
|
555 |
\item Place the program file (\texttt{cc\_kt1\_auth\_php.c}) and
|
556 |
the header file from \emph{CryptoCard} (\texttt{Authentication.h})
|
557 |
in a directory for compilation.
|
558 |
\item Compile the program using the instructions contained in the source
|
559 |
code. The source code also contains a description of steps to
|
560 |
take if \texttt{libcrypto.so.4} is missing.
|
561 |
\item Copy the executable to a location suitable for the target system and
|
562 |
set ownership and permissions appropriately (this is described
|
563 |
in the source code).
|
564 |
\end{enumerate}
|
565 |
|
566 |
|
567 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
568 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
569 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
570 |
\section{Copying of \emph{PHP} Web Content Files}
|
571 |
%Section tag: wcf0
|
572 |
\label{cist0:swcf0}
|
573 |
|
574 |
TBD.
|
575 |
|
576 |
|
577 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
578 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
579 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
580 |
\section{Copying of \emph{PHP} Library Files}
|
581 |
%Section tag: CPH0
|
582 |
\label{cist0:scph0}
|
583 |
|
584 |
TBD.
|
585 |
|
586 |
|
587 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
588 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
589 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
590 |
\section{Database Initialization}
|
591 |
%Section tag: DIZ0
|
592 |
\label{cist0:sdiz0}
|
593 |
|
594 |
TBD.
|
595 |
|
596 |
|
597 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
598 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
599 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
600 |
\section{Initial Testing}
|
601 |
%Section tag: ITS0
|
602 |
\label{cist0:sits0}
|
603 |
|
604 |
TBD.
|
605 |
|
606 |
|
607 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
608 |
\noindent\begin{figure}[!b]
|
609 |
\noindent\rule[-0.25in]{\textwidth}{1pt}
|
610 |
\begin{tiny}
|
611 |
\begin{verbatim}
|
612 |
$RCSfile: c_ist0.tex,v $
|
613 |
$Source: /home/dashley/cvsrep/e3ft_gpl01/e3ft_gpl01/webprojs/pamc/gen_a/docs/manual/man_a/c_ist0/c_ist0.tex,v $
|
614 |
$Revision: 1.9 $
|
615 |
$Author: dashley $
|
616 |
$Date: 2009/11/04 16:50:19 $
|
617 |
\end{verbatim}
|
618 |
\end{tiny}
|
619 |
\noindent\rule[0.25in]{\textwidth}{1pt}
|
620 |
\end{figure}
|
621 |
|
622 |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
623 |
%$Log: c_ist0.tex,v $
|
624 |
%Revision 1.9 2009/11/04 16:50:19 dashley
|
625 |
%Edits.
|
626 |
%
|
627 |
%Revision 1.8 2009/11/02 04:53:28 dashley
|
628 |
%Edits.
|
629 |
%
|
630 |
%Revision 1.7 2009/11/02 02:00:04 dashley
|
631 |
%Edits.
|
632 |
%
|
633 |
%Revision 1.6 2007/06/24 21:19:24 dashley
|
634 |
%Minor extra word (that won't work) for MySQL command removed.
|
635 |
%
|
636 |
%Revision 1.5 2007/06/12 02:47:17 dashley
|
637 |
%Edits.
|
638 |
%
|
639 |
%Revision 1.4 2007/06/10 18:03:20 dashley
|
640 |
%Edits.
|
641 |
%
|
642 |
%Revision 1.3 2007/06/06 02:23:58 dashley
|
643 |
%Edits.
|
644 |
%
|
645 |
%Revision 1.2 2007/06/04 03:26:55 dashley
|
646 |
%Edits.
|
647 |
%
|
648 |
%Revision 1.1 2007/06/04 00:12:03 dashley
|
649 |
%Initial checkin.
|
650 |
%
|
651 |
%End of $RCSfile: c_ist0.tex,v $.
|