Apache httpd 2.2.4 + openssl + php5 configuration for Stellar 2.0

In Stellar 2.0, we switched to Apache httpd 2.2.x from 1.3.x and added PHP support.

Shibboleth was added for Touchstone login for Fall 2007.

Overview

We use Java, Apache httpd, OpenSSL, Tomcat, and PHP. Each of these operates largely independently of the others, so minor updates should be possible one component at a time. We put directories into /var/local, since that's safe space on Athena installations and a generally reasonable place to put local modifications.

Within /var/local we use symbolic links from the general release to the point version, e.g. /var/local/ssl is always the latest version of openssl.
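The "release symlink points at the point version" scheme above is done by hand throughout this page as `rm /var/local/X; ln -s /var/local/X-version /var/local/X`. As an added example (not from the Stellar page), here is the same switch as a shell function with the checks that a bare rm/ln lacks: it refuses a target that is not an installed tree, refuses to clobber a real directory sitting at the link path, and verifies that the link resolves to the requested version afterwards. The base directory is a parameter so the function can be exercised in a scratch directory; on a Stellar host it is /var/local. It assumes a GNU-style `ln -sfn` and `readlink`.

```shell
#!/bin/sh
# Added example, not from the Stellar page: switch BASE/PKG to BASE/PKG-VERSION
# with checks. Assumes GNU-style "ln -sfn" and "readlink".

# switch_version BASE PKG VERSION
#   e.g. switch_version /var/local ssl 0.9.8e
#   makes /var/local/ssl -> /var/local/ssl-0.9.8e
switch_version() {
    base=$1 pkg=$2 ver=$3
    link="$base/$pkg"
    target="$base/$pkg-$ver"

    # Only point the link at an existing install tree.
    if [ ! -d "$target" ]; then
        echo "switch_version: $target is not a directory" >&2
        return 1
    fi
    # Never replace a real directory: only a symlink (or nothing) may sit at
    # the link path; anything else is an install we must not touch.
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        echo "switch_version: $link exists and is not a symlink" >&2
        return 1
    fi
    # -f replaces an existing link; -n stops ln from descending into the
    # directory the old link points to (which would create ssl/ssl-0.9.8e).
    ln -sfn "$target" "$link" || return 1

    # Confirm the link resolves to the requested version before reporting success.
    [ "$(current_version "$base" "$pkg")" = "$ver" ]
}

# current_version BASE PKG: print the version BASE/PKG points at, or fail if
# the link is missing or does not follow the PKG-VERSION naming scheme.
current_version() {
    t=$(readlink "$1/$2") || return 1
    case $t in
        "$1/$2-"*) echo "${t#"$1/$2-"}" ;;
        *) return 1 ;;
    esac
}
```

`current_version /var/local ssl` is also a quick way to confirm, after an upgrade, which OpenSSL the httpd and PHP builds below will pick up through /var/local/ssl.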

Versions for Stellar system release 2.1.0, August 2007:

  • Java 1.6
  • Apache httpd 2.2.4
  • OpenSSL 0.9.8e
  • Apache Tomcat 5.5.23
  • PHP 5.2.3 + libxml2 2.6.29

These are available from

Compilation

Build the C software in the directory /var/local/stellar-builds.

Compile httpd-2.2.4, openssl-0.9.8e, php-5.2.3, libxml2-2.6.29.

openssl

OpenSSL compiles fine on Athena Solaris 9.4 now.

./Configure shared solaris-sparcv9-gcc --prefix=/var/local/ssl-0.9.8e \
     --openssldir=/var/local/ssl-0.9.8e
make
make test
make install
rm /var/local/ssl
ln -s /var/local/ssl-0.9.8e /var/local/ssl

httpd

Next compile httpd-2.2.4 against that OpenSSL.

./configure --prefix=/var/local/httpd-2.2.4 --enable-dav --enable-so \
  --enable-headers --enable-usertrack --enable-rewrite --enable-proxy \
  --enable-ssl --with-ssl=/var/local/ssl \
  --enable-info
make
make install
rm /var/local/httpd
ln -s /var/local/httpd-2.2.4 /var/local/httpd

On MacOS X 10.4, omit --with-ssl and use the default openssl.

php and libxml2

To compile php-5.2.3 using that httpd-2.2.4, first install libxml2:

./configure --prefix=/var/local/libxml2-2.6.29
make
make install
rm /var/local/libxml2
ln -s /var/local/libxml2-2.6.29 /var/local/libxml2

Then go to the php directory and do the following. Note that --with-config-file-path takes the directory in which PHP looks for php.ini, so it points at the conf directory rather than at the php.ini file itself:

./configure --with-apxs2=/var/local/httpd-2.2.4/bin/apxs \
  --with-config-file-path=/var/local/httpd-2.2.4/conf \
  --with-libxml-dir=/var/local/libxml2 \
  --prefix=/var/local/php5-5.2.3
make
make install
rm /var/local/php5
ln -s /var/local/php5-5.2.3 /var/local/php5

Shibboleth

Get the compiled Shibboleth and install it:

mkdir /var/local/shibboleth/
cd /var/local/shibboleth/
gtar -xvzf ~webauth/shibboleth/shibboleth-solaris10-apache22-openssl0.9.8.tgz
cd /var/local/shibboleth/etc/shibboleth
cp ~webauth/shibboleth/config/shibboleth-sp/* .
chmod 755 ./gen-shib.sh 
./gen-shib.sh 
chmod 755 /var/local/shibboleth/etc/shibboleth/shibd

Further modification of /var/local/shibboleth/etc/shibboleth/shibboleth.xml may be needed; be sure that the SessionInitiator ids used in httpd.conf are defined there.

The OpenSSL library directory is /var/local/ssl/lib. The certificate and key files are, for example:

  • server certificate: /var/local/ssl-0.9.8e/certs/stellar-test.mit.edu-cert.pem
  • private key: /var/local/ssl-0.9.8e/private/https-key.pem
  • MIT CA: /var/local/ssl-0.9.8e/certs/mitCA.pem

Be sure handlerSSL is "true" in the resulting shibboleth.xml file.

Pre-compiled binaries

Binary files compiled as above are in tar files in the stellar-dist locker, in the 2.0.0 directory, and may be used as the starting point for Athena 9.4 and 9.3 with these versions instead of compiling again.

Configuration

The full httpd configuration files are in Subversion at stellar/2.0/trunk/src/site/resources/apache2. All of these files should be copied to /var/local/httpd/conf/.

Edit:

Limits

The MaxClients setting in httpd-mpm.conf is 250; to support more than 256 simultaneous connections, both MaxClients and ServerLimit need to be increased. However, maxThreads in the Tomcat configuration would then also have to be increased, as well as the number of simultaneous database connections supported.

A mod_proxy configuration example follows, from ./stellar2-ajp-proxy.conf. We may want to add the min, max, smax, ttl, timeout, acquire and retry connection-pool parameters to the ProxyPass lines.

<Location /S>
    ProxyPass ajp://amps-prog-5.mit.edu:8559/S
    ProxyPassReverse ajp://amps-prog-5.mit.edu:8559/S
</Location>

<Location /SRSS>
    ProxyPass ajp://amps-prog-4.mit.edu:8559/SRSS
    ProxyPassReverse ajp://amps-prog-4.mit.edu:8559/SRSS
</Location>

<Location /imagetool>
    ProxyPass ajp://amps-prog-5.mit.edu:8119/S
    ProxyPassReverse ajp://amps-prog-5.mit.edu:8119/S
</Location>

RewriteRule ^/S/(.*)/sdemo/(.*) /imagetool/$1/sdemo/$2 [P]
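As an added example (not the project's stellar2-ajp-proxy.conf), the following fragment shows one AJP backend carrying the pool parameters mentioned above, together with the ServerLimit/MaxClients change discussed under Limits. The backend host name, port and all numbers are placeholders to be replaced with the site's own values.

```apache
# Added example, not from the Stellar configuration files. BACKEND-HOST, the
# port and the numbers are placeholders.

# Reverse proxy only. mod_proxy is compiled in (--enable-proxy above), and
# "ProxyRequests On" would make this server an open forward proxy for anyone
# who can reach it; Off still allows ProxyPass.
ProxyRequests Off

<Location /S>
    # min/max/smax: idle, hard-maximum and soft-maximum pool connections;
    # ttl: seconds an idle connection above smax is kept;
    # timeout: seconds to wait for the backend;
    # acquire: milliseconds to wait for a free pool connection before the
    #          client gets a busy error instead of hanging;
    # retry: seconds a failed backend is skipped before it is tried again.
    ProxyPass ajp://BACKEND-HOST.mit.edu:8559/S min=0 max=20 smax=5 ttl=60 timeout=30 acquire=2000 retry=60
    ProxyPassReverse ajp://BACKEND-HOST.mit.edu:8559/S
</Location>

# The RewriteRule with [P] above only takes effect with the engine on.
RewriteEngine On

# From Limits: ServerLimit caps MaxClients and must appear before it.
# Raising these without raising Tomcat's maxThreads and the database
# connection pool only moves the queue to the backend.
<IfModule mpm_prefork_module>
    ServerLimit 400
    MaxClients  400
</IfModule>
```

With the prefork MPM that the httpd build above uses by default, each child process has its own pool, so max/smax effectively stay at one connection per process; ttl, timeout, acquire and retry still apply and are the ones that matter for surviving a slow or dead Tomcat.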

SSL Certificates

MIT certs:

cp /afs/athena.mit.edu/software/apache-ssl/certificates/mitCA*.pem /var/local/ssl/certs/
cp /mit/stellar/components/customizations/openssl.cnf /var/local/ssl/
cd /var/local/ssl/certs/
ln -s mitCA.pem `/var/local/ssl/bin/openssl x509 -noout -hash < mitCA.pem`.0
ln -s mitCAclient.pem `/var/local/ssl/bin/openssl x509 -noout -hash < mitCAclient.pem`.0

For a self-signed testing certificate:

cd /var/local/ssl/certs/
/var/local/ssl/bin/openssl req -new -x509 -nodes -out \
  /var/local/ssl/certs/test.cert \
  -keyout /var/local/ssl/private/test.key -days 365
ln -s test.cert `/var/local/ssl/bin/openssl x509 -noout -hash < test.cert`.0
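The hash-link step is shown above one certificate at a time. As an added example (not from the Stellar page), the function below does it for a whole directory the way OpenSSL's c_rehash does: every PEM certificate gets a `<subject-hash>.N` link, with N starting at 0 and incremented when two certificates share a hash (two CA files with the same subject would otherwise fight over the same `.0` name), and a second run changes nothing. OPENSSL names the binary to use and defaults to the page's /var/local/ssl/bin/openssl.

```shell
#!/bin/sh
# Added example, not from the Stellar page: c_rehash-style hash links for
# every certificate in a directory. OPENSSL defaults to the page's binary.
OPENSSL=${OPENSSL:-/var/local/ssl/bin/openssl}

# cert_hash FILE: print the subject hash the library looks the file up by.
cert_hash() {
    "$OPENSSL" x509 -noout -hash -in "$1"
}

# rehash_certs DIR: create hash links for every *.pem and *.cert in DIR and
# print the number of links made. Links that already exist for a file are kept.
rehash_certs() {
    dir=$1 made=0
    for f in "$dir"/*.pem "$dir"/*.cert; do
        [ -f "$f" ] || continue          # unmatched glob pattern
        [ -L "$f" ] && continue          # a link, not a certificate file
        h=$(cert_hash "$f") || { echo "rehash_certs: $f is not a certificate" >&2; continue; }
        name=$(basename "$f")
        n=0
        while :; do
            lnk="$dir/$h.$n"
            if [ ! -e "$lnk" ]; then
                ln -s "$name" "$lnk" && made=$((made + 1))
                break
            fi
            # Same hash and this file is already linked: nothing to do.
            if [ "$(readlink "$lnk")" = "$name" ]; then
                break
            fi
            n=$((n + 1))                 # another cert has this hash: try .1, .2, ...
        done
    done
    echo "$made"
}
```

One caveat when moving between OpenSSL releases: with 0.9.8 `x509 -hash` produces the old MD5-based subject hash, while 1.0.0 and later use a SHA-1-based one (the old value is then available as `-subject_hash_old`). Links made with one generation's tool are not found by the other generation's library, so re-run the rehash with the openssl binary that belongs to the library httpd is actually linked against.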

To request a certificate:

cd /var/local/ssl/certs/
ps > /tmp/foo 
ps -elf >> /tmp/foo 
/var/local/ssl/bin/openssl  genrsa -rand /tmp/foo 1024 > /var/local/ssl/private/https-key.pem
/var/local/ssl/bin/openssl req -key /var/local/ssl/private/https-key.pem -new >/var/local/ssl/certs/req.pem

Use these inputs:

  • Country: US
  • State: Massachusetts
  • Locality: Cambridge
  • Organization: Massachusetts Institute of Technology
  • Organizational unit: YOUR organizational unit at MIT (e.g. Information Services & Technology)
  • Common name: YOUR name = name of the server (machine.mit.edu)
  • Email address: leave empty
  • Challenge password: anything you choose (remember it in case jis challenges you)

Find the file /var/local/ssl/certs/req.pem and send it to mitcert@mit.edu, including the BEGIN and END lines.

In return, you will receive a certificate (between BEGIN and END). Save it under /var/local/ssl/certs/servername.pem, where servername is the name of your machine.
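As an added example (not from the Stellar page), the key and request step above done non-interactively, followed by the checks worth running before the request is mailed off: that the file really is a well-formed request, that its common name is the server name, and that it was made with the private key you are about to install. It differs from the page's commands in two ways: the key is 2048 bits, since 1024-bit RSA is below what CAs accept now, and there is no `-rand /tmp/foo`, because OpenSSL 1.1 and later seed themselves from the operating system. OPENSSL, the OU and the file paths are parameters; the page's binary is the default.

```shell
#!/bin/sh
# Added example, not from the Stellar page. OPENSSL defaults to the page's binary.
OPENSSL=${OPENSSL:-/var/local/ssl/bin/openssl}

# make_csr SERVER OU KEYFILE CSRFILE: generate a private key and a request
# with the subject the page lists (C, ST, L and O fixed; OU and CN supplied).
make_csr() {
    server=$1 ou=$2 key=$3 csr=$4
    (
        umask 077    # the private key must not be group- or world-readable
        "$OPENSSL" genrsa -out "$key" 2048 2>/dev/null &&
        "$OPENSSL" req -new -key "$key" -out "$csr" \
            -subj "/C=US/ST=Massachusetts/L=Cambridge/O=Massachusetts Institute of Technology/OU=$ou/CN=$server" \
            2>/dev/null
    )
}

# csr_cn CSRFILE: print the common name in the request (what the CA will
# issue the certificate for), or fail if the file is not a valid request.
# -verify checks the request's own signature; the sed handles both the
# "/C=US/.../CN=x" and the "C = US, ..., CN = x" subject formats.
csr_cn() {
    "$OPENSSL" req -noout -verify -in "$1" >/dev/null 2>&1 || return 1
    "$OPENSSL" req -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# key_matches_csr KEYFILE CSRFILE: true when the request carries the public
# half of this key, by comparing the public keys extracted from each file.
key_matches_csr() {
    a=$("$OPENSSL" pkey -in "$1" -pubout 2>/dev/null) || return 1
    b=$("$OPENSSL" req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}
```

Typical use on the page's paths: `make_csr machine.mit.edu "Information Services & Technology" /var/local/ssl/private/https-key.pem /var/local/ssl/certs/req.pem`, then `csr_cn /var/local/ssl/certs/req.pem` and `key_matches_csr` on the same two files before mailing req.pem. The key-to-request check is the one that catches a request regenerated against a fresh key while the old https-key.pem is still in httpd.conf.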

Automatically start on boot and stop on shutdown

ln -s /var/local/httpd/bin/apachectl /etc/init.d
ln -s /etc/init.d/apachectl /etc/rc0.d/K01httpd
ln -s /etc/init.d/apachectl /etc/rc2.d/S99httpd
ln -s /var/local/shibboleth/etc/shibboleth/shibd /etc/init.d
ln -s /etc/init.d/shibd  /etc/rc0.d/K01shibd
ln -s /etc/init.d/shibd  /etc/rc2.d/S99shibd