Cooking with UNIX/Linux

Apache, mod_ssl, Tomcat

APACHE MOD_SSL TOMCAT RECIPE (Solaris 8 SPARC) by Frederik Dannemare


1) Prior to doing any compiling, you should install these GNU tools from www.sunfreeware.com (or a mirror):
   - gcc, binutils, make, tar, bc, flex

Your PATH should look something like this:
PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin


2) Configure, build and install OpenSSL

tar zxvf openssl-0.9.7b.tar.gz
cd openssl-0.9.7b
./Configure solaris-sparcv9-gcc -fPIC \
--prefix=/usr/local/openssl \
--openssldir=/usr/local/openssl no-threads shared
make
make test
make install

cd / && tar zcvf /data/packages/openssl-0.9.7b-sol8sparc.tgz ./usr/local/openssl


3) Configure, build and install mm (shared memory library)

tar zxvf mm-1.3.0.tar.gz
cd mm-1.3.0
###./configure --disable-shared
./configure --prefix=/usr/local/mm --enable-shared
make
make install

cd / && tar zcvf /data/packages/mm-1.3.0-sol8sparc.tgz ./usr/local/mm


4) Configure mod_ssl

tar zxvf mod_ssl-2.8.14-1.3.27.tar.gz
tar zxvf apache_1.3.27.tar.gz
cd mod_ssl-2.8.14-1.3.27
./configure \
--with-apache=../apache_1.3.27 \
--with-mm=../mm-1.3.0 \
--with-ssl=../openssl-0.9.7b \
--enable-shared=ssl

4b) How to upgrade mod_ssl at a later time...
Apache built with mod_ssl as a DSO (libssl.so) allows you to easily upgrade the
DSO as long as the Extended API (EAPI) hasn't changed and OpenSSL is installed.

LD_LIBRARY_PATH="/usr/local/openssl/lib:/usr/local/mm/lib" ./configure \
--with-mm=/usr/local/mm \
--with-apxs=/usr/local/apache/bin/apxs \
--with-ssl=/usr/local/openssl
make

This builds libssl.so locally inside the pkg.sslmod/ directory.
Now copy it manually to the apache/libexec/ directory ('make install' does the same).


5) Configure, build, and install Apache

cd apache_1.3.27
CPPFLAGS="-I/usr/local/mm/include -I/usr/local/openssl/include/openssl" \
LDFLAGS="-L/usr/local/mm/lib -R/usr/local/mm/lib -L/usr/local/openssl/lib -R/usr/local/openssl/lib" \
SSL_BASE=/usr/local/openssl \
EAPI_MM=/usr/local/mm \
./configure \
--prefix=/usr/local/apache \
--enable-rule=SHARED_CORE \
--enable-module=most \
--enable-shared=max
make
make install


6) Install Tomcat  # NOTE: This Tomcat HOWTO stuff is getting quite outdated...

cd /usr/local
tar zxvf /data/packages/jakarta-tomcat-3.2.3.tar.gz

Tomcat is now installed in /usr/local/jakarta-tomcat-3.2.3


7) Configure and build mod_jk

tar zxvf jakarta-tomcat-3.2.3-src.tar.gz
cd jakarta-tomcat-3.2.3-src/src/native/apache1.3

Notice: Before building the mod_jk module, you'll need to replace fdatasync() with fsync() in jk_util.c.

Now execute:
/usr/local/apache/bin/apxs -o mod_jk.so \
-DSOLARIS -DEAPI -I../jk -I/usr/java1.2/include \
-I/usr/java1.2/include/solaris -c *.c ../jk/*.c

Finally, copy mod_jk.so to its destination:
cp mod_jk.so /usr/local/apache/libexec/


8) Configure Apache to support integration of Tomcat

Insert into /usr/local/apache/conf/httpd.conf:
Include /usr/local/jakarta-tomcat-3.2.3/conf/mod_jk.conf-auto


9) Initial configuration of Tomcat

Define <path-to-tomcat> in /usr/local/jakarta-tomcat-3.2.3/conf/mod_jk.conf

Replace
LoadModule jk_module modules/mod_jk.dll
with
LoadModule jk_module /usr/local/apache/libexec/mod_jk.so

cp /usr/local/jakarta-tomcat-3.2.3/conf/mod_jk.conf \
/usr/local/jakarta-tomcat-3.2.3/conf/mod_jk.conf-auto

Edit /usr/local/jakarta-tomcat-3.2.3/conf/workers.properties:
 - make sure these four lines are defined (they may already exist):
workers.tomcat_home=/usr/local/jakarta-tomcat-3.2.3
workers.java_home=/usr/java1.2
ps=/
worker.inprocess.jvm_lib=$(workers.java_home)$(ps)jre$(ps)lib$(ps)sparc$(ps)libjvm.so


The following is taken from the mod_ssl FAQ, somewhat simplified and modified:

10) Create CSR (Certificate Signing Request)

Create an RSA private key for your Apache server (it will be Triple-DES encrypted and
PEM formatted):
openssl genrsa -des3 -out server.key 1024

Create a Certificate Signing Request (CSR) with the server RSA private key (output
will be PEM formatted):
openssl req -new -days 365 -key server.key -out server.csr

Make sure you enter the FQDN (Fully Qualified Domain Name) of the web server
when you are prompted for the "Common Name" while generating your CSR.
I.e. for a website which will later be accessed via https://www.foo.com/,
enter "www.foo.com" here.

Now send this Certificate Signing Request (CSR) to a Certifying Authority (CA) (e.g.
VeriSign) for signing. The result is a real certificate which can be used
by Apache.

Finally, when you have both a server.key and a server.crt, do:
cp server.crt /usr/local/apache/conf/ssl.crt/server.crt
cp server.key /usr/local/apache/conf/ssl.key/server.key

and make sure Apache is using these two files in its httpd.conf:
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key

Apache may now be started with 'apachectl startssl'.


I) How to change the pass-phrase on the private key file

You simply have to read it with the old pass-phrase and write it again,
specifying the new pass-phrase. You can accomplish this with the following commands:

openssl rsa -des3 -in server.key -out server.key.new
mv server.key.new server.key

Here you're asked two times for a PEM pass-phrase. At the first prompt enter the
old pass-phrase and at the second prompt enter the new pass-phrase.


II) Getting rid of the pass-phrase dialog at Apache startup time

The reason this dialog pops up at startup and at every restart is that the
RSA private key inside your server.key file is stored in encrypted form for
security reasons. The pass-phrase is needed to read and parse this file.
Once you are sure that your server is secure enough, perform these two steps:

Remove the encryption from the RSA private key (while preserving the original file):
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key

Make sure the server.key file is now only readable by root:
chmod 400 server.key

Now server.key contains an unencrypted copy of the key. If you point your server
at this file it will not prompt you for a pass-phrase. HOWEVER, if anyone gets this
key they will be able to impersonate you on the net. PLEASE make sure that the
permissions on that file are really such that only root or the web server user can
read it (preferably have your web server start as root but run as another user,
and keep the key readable only by root).


III) How can I create and use my own Certificate Authority (CA)?

Create an RSA private key for your CA (it will be Triple-DES encrypted and PEM formatted):
openssl genrsa -des3 -out ca.key 1024

Create a self-signed CA Certificate (X509 structure) with the RSA key of the CA (output will be PEM formatted):
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

For signing, use the 'sign.sh' script that ships with the mod_ssl distribution (in the pkg.contrib/ subdirectory):
./sign.sh server.csr

This signs the server CSR and results in a server.crt file.
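The key, CSR and CA steps of sections 10 and I-III as one added, non-interactive script, followed by the checks to run before pointing Apache at the files (example code, not part of the original recipe or of the mod_ssl distribution). Assumptions: the pass-phrases and the Common Name are constructed values, the keys are 2048-bit rather than the recipe's 1024, and 'openssl x509 -req' stands in for sign.sh.

```shell
#!/bin/sh
# Added example, not from the original recipe: sections 10 and I-III run
# non-interactively, followed by the checks to run before pointing Apache at
# the files. Assumptions: pass-phrases and the CN are constructed values,
# 2048-bit keys (the recipe uses 1024), and 'openssl x509 -req' stands in
# for the mod_ssl sign.sh script.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
OLD_PASS="constructed-old-pass"
NEW_PASS="constructed-new-pass"
FQDN="www.foo.com"

# Section III: CA key and self-signed CA certificate.
openssl genrsa -des3 -passout "pass:$OLD_PASS" -out ca.key 2048 2>/dev/null
openssl req -new -x509 -days 365 -key ca.key -passin "pass:$OLD_PASS" \
    -subj "/CN=Constructed Test CA" -out ca.crt

# Section 10: server key and CSR; the Common Name must be the FQDN.
openssl genrsa -des3 -passout "pass:$OLD_PASS" -out server.key 2048 2>/dev/null
openssl req -new -key server.key -passin "pass:$OLD_PASS" \
    -subj "/CN=$FQDN" -out server.csr

# Sign the CSR with the CA (stand-in for sign.sh); produces server.crt.
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
    -passin "pass:$OLD_PASS" -CAcreateserial -days 365 -out server.crt 2>/dev/null

# Section I: change the pass-phrase (read with the old one, write with the new).
openssl rsa -des3 -in server.key -passin "pass:$OLD_PASS" \
    -out server.key.new -passout "pass:$NEW_PASS" 2>/dev/null
mv server.key.new server.key

# Section II: keep the encrypted original, strip the encryption, lock the copy down.
cp server.key server.key.org
openssl rsa -in server.key.org -passin "pass:$NEW_PASS" -out server.key 2>/dev/null
chmod 400 server.key

# Checks: the cert chains to the CA, the key belongs to the cert, the CN is the
# FQDN, and the key Apache will load really is the unencrypted one.
cert_chains_to_ca() { openssl verify -CAfile ca.crt server.crt >/dev/null 2>&1; }
key_matches_cert() {
    [ "$(openssl x509 -noout -modulus -in server.crt)" = \
      "$(openssl rsa -noout -modulus -in server.key 2>/dev/null)" ]
}
cert_cn() { openssl x509 -noout -subject -in server.crt | sed 's/.*CN *= *//'; }
key_is_unencrypted() { ! grep -q ENCRYPTED server.key; }
cert_chains_to_ca && key_matches_cert && key_is_unencrypted && echo "OK: CN=$(cert_cn)"
```

The modulus comparison is the quickest way to catch a server.crt that was issued for a different key than the server.key Apache is configured to load.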