Using the tarfiles (which include source, documentation, binaries and example configuration files)

NOTE: These instructions are intended for readers with a basic familiarity of Unix utilities and web server setup. If you are not familiar with these, please do not even bother to read further.

INITIAL SETUP AND INSTALLATION
==============================

Do some initial setup on the system on which you will be installing the apache-ssl server. Basically, you create a directory for 'ssl', and a directory for 'https', and you create the user and group that will be associated with the apache-ssl server. We typically put the directories where they will not be affected by operating system updates and so on. We make the webserver run as the user 'www', but we make only the minimal number of files necessary owned by the user 'www'. We add the user 'www' to the group 'www', and make as few things writeable by group 'www' or user 'www' as possible. You can make the directories wherever you like, and use whatever user and group you like for the webserver. Here are the commmands we use in the MIT Athena environment:
As root:
# hesinfo www passwd >> /etc/passwd.local
# hesinfo www group >> /etc/group.local
then, edit /etc/group.local to add the user 'www' to group 'www' on next reboot, the passwd.local and group.local files will overwrite the passwd and group files; or you can copy them yourself also, verify that the /etc/athena/rc.conf file is set appropriately, as you probably want PUBLIC=false and AUTOUPDATE=false
# mkdir /var/ssl
# mkdir /var/https
# chmod 755 /var/https
# chmod 755 /var/ssl
Download the tar files , putting the 'ssl' one in the directory you created, and the 'https' one in the directory you created. Be sure you get the appropriate tarfiles for the system you are using, as they contain platform-specific files.
Extract the contents of the tarfiles. If the filenames end with ".gz", run 'gunzip' first; if they end with ".Z", run 'uncompress' first. When the files are in tar format, use the following commands to extract the contents:
# cd /var/ssl
# tar xvf var.ssl.tar
# cd /var/https
# tar xvf var.https.jserv.tar
you can delete the tar files after the contents have been extracted
# rm /var/ssl/var.ssl.tar
# rm /var/https/var.https.jserv.tar

At this point you may wish to reboot your system just to verify that everything still works as it used to. Up to this point, you've done nothing but add some entries in the passwd and group files, and put some files in the two new directories you created, but it is prudent to make sure the system is in good shape before proceeding.

QUICK TEST THAT THE INSTALLATION IS SUCCESSFUL
==============================================

If you need an Apache Webserver without ssl, to test that your installation works run :
sh /var/https/bin/httpdctl start
Now you should be able to access your Webserver at the URL :
http://"server name".mit.edu/
If you want to run an Apache SSL server (an Apache Webserver with SSL enabled), to test that it works :
- You can get a temporary test key and certificate for checking your setup, by running /var/ssl/util/getself :
  cd /var/ssl/util
  ./getself
  (for this to succeed you need to have a random seed in the $HOME directory $HOME/.rnd containing at least 128 bytes of random data; you also need to have symlinks from /usr/local/ssl to /var/ssl)
  when you are prompted for information, answer:
  Country Name (2 letter code) [US]:
  State or Province Name (full name) [Massachusetts]:
  Locality Name (eg, city) [Cambridge]:
  Organization Name (eg, company) [Massachusetts Institute of Technology]:
  Organizational Unit Name (eg, section) [Information Systems]:
  Common Name (eg, YOUR name) []:"name of the server".mit.edu
  Email Address []:
- At this time you could start Apache SSL :
  sh /var/https/bin/httpsdctl start
  Now you should be able to access your Webserver at the URL :
  https://"server name".mit.edu/

HTTP SERVER CONFIGURATION
=========================
There are sample httpsd configuration files in /var/https/conf which contain explanatory comments. Basically, you can choose to run one or more daemons, use ssl or not, require certificates or not, and so on. These configuration files are intended to illustrate basic configuration ideas. If you are planning to run a production webserver, you should be sure to use a configuration file that is appropriate for your needs.

CERTIFICATION
=============

To get a key and a matching certificate for the machine:
  a. Follow the instructions in the README.certificate
  b. Your 'machine'.pem should be stored in /var/ssl/certs/. For example,
  on the host 'lava-lamp.mit.edu':
  lava-lamp.mit.edu# ls -l /var/ssl/certs/lava-lamp.pem
  -rw-------   1 root     www         2950 Aug  7 14:52 /var/ssl/certs/lava-lamp.pem
  c. Your https-key.pem should be stored in /var/ssl/private/. For example,
  on the host 'lava-lamp.mit.edu':
  lava-lamp.mit.edu# ls -l /var/ssl/private/https-key.pem
  -rw-------   1 root     other        891 Aug  6 16:40 /var/ssl/private/https-key.pem

VERIFY
======

You can get a temporary test key and certificate for checking your setup, by running /var/ssl/util/getself and using /var/https/conf/httpd.conf.test for starting httpsd.
athena% cd /var/ssl/util
athena% ./getself
Using configuration from /var/ssl/lib/ssleay.cnf unable to load 'random state' What this means is that the random number generator has not been seeded with much random data. Consider setting the RANDFILE environment variable to point at a file that 'random' data can be kept in.
Generating a 1024 bit RSA private key
...............................................+++++
.....+++++
writing new private key to '/var/ssl/private/test.key'
-----
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Massachusetts]:
Locality Name (eg, city) [Cambridge]:
Organization Name (eg, company) [Massachusetts Institute of Technology]:
Organizational Unit Name (eg, section) [Information Systems]:
Common Name (eg, YOUR name) []:vegematic.mit.edu
Email Address []:
athena% cd ..
athena% ./util/checkcert test
read RSA private key
Cert test.cert matches key test.key
If you're running an ssl server, check it by aiming a browser running on another system at:
https://your-webserver.what.ever/cgi-bin/printenv
If you're running a non-ssl server, check it by aiming a browser running on another system at:
http://your-webserver.what.ever/cgi-bin/printenv
CLEANUP AND SECURE
==================
You can delete the tarfiles you used in the installation, unless you want to save them for archival purposes.
You should remove all the scripts that came in cgi-bin or fcgi-bin directories unless you know what they do and want them there. They may be used in exploits against the system.
Check that the /var/https/conf/httpd.conf file you're using is appropriate for your needs.
If you're not familiar with host-based unix security, consult a good book on the subject.
You may want to write a script to start up the http server(s) automatically at boottime.
Check the MIT 'apache-ssl' locker from time to time for news about MIT's apache-ssl webserver.
Last revised: Thu Jan 31 12:24:20 EDT 2002