Table of contents

  1. Audience
  2. Requirements
  3. Installing RedHat FC3
  4. Post-Install RedHat FC3 Setup
  5. Enabling and Configuring Apache
  6. Installing the LSCDataGrid Client and Server
  7. Configuring Apache 1.3 as Secure Server
  8. Setting up dsorun

Audience

The intended audience is a person experienced in Linux installations.  Parts of the procedure that should be obvious to such a person will not be explained in great detail.  For example, it is left up to readers to decide for themselves whether they wish to check their install media.

Note also that many aspects of these install instructions are necessarily site specific, for example, NIS settings, user home-directory setups (local disks, NFS mounted, automounted?), and so on.  The following instructions will result in a working system, but will certainly need to be customized by a knowledgeable system administrator.

Requirements

You will need:

Installing RedHat FC3

  1. Proceed with the initial steps of a standard FC3 install:
    • Check your install media, or skip the check.
    • Select your desired language.
    • Select your desired keyboard.
    • Select a fresh install (these instructions do not consider the case of upgrading an existing RedHat install).
  2. Installation Type.  Select "Custom".
  3. Disk Partitioning Setup.  Perform whatever partitioning is appropriate for the box.  One option is to:
    • Select "Automatically partition".
    • Automatic Partitioning:
      • Select "Remove all partitions on this system".
      • Uncheck "Review (and modify if needed) the partitions created".
    • Select "Yes, I'm sure".
    • Boot Loader Configuration:
      • Don't change anything.
  4. Network Configuration.  Perform whatever network setup is appropriate for the box.  One option is to:
    • Network Devices --> Edit:
      • Uncheck "Configure with DHCP".
      • Enter IP address and netmask.
    • Hostname:
      • Enter fully-qualified domain name.
    • Miscellaneous settings:
      • Enter gateway, and up to three name servers.
  5. Firewall Configuration:
    • Disable firewall (otherwise you will need to manually enable access to the MySQL listening port later, a procedure which is not covered by these instructions).
    • Disable SELinux (I have no experience with this, so I don't know what consequences enabling it will have).
    • Click "Next" and say "Yes, you want to do this".
  6. Additional Language Support.  Do whatever is appropriate for your needs.
  7. Time Zone Selection.  Select whatever is appropriate for your needs.
  8. Set Root Password.  Pick one.
  9. Package Group Selection.  You can select whichever additional packages you want, but in addition to the defaults the following groups must be added:
    • Editors (group defaults OK)
    • Engineering and Scientific (group defaults OK)
    • Authoring and Publishing (group defaults OK)
    • Web Server (group defaults OK)
    • Development Tools (group defaults OK)
  10. Proceed with package installation.

Post-Install RedHat FC3 Setup

  1. Agree to the license.
  2. Date and Time.  Set this as you wish.  One option is:
    • Set the date and time from your watch
    • Select enable network time protocol
    • Add "ntp.pool.org" to the list of time servers
  3. Display.  Set this as you wish.  One option is:
    • Select the highest resolution in the list
    • Select the highest colour depth in the list
  4. Create users:
    • Create non-root user(s) as needed
    • Configure network-based user authentication as needed
  5. Sound card.  Configure as you wish, or skip.
  6. Additional CDs.  Skip.
  7. Proceed through to the end of the setup.

Enabling and Configuring Apache

  1. Log in as a standard user.
  2. Applications --> System Settings --> Server Settings --> Services:
    • Enable httpd.
    • Click Restart.
    • Select File --> Quit, then agree to save the settings.

Installing the LSCDataGrid Client and Server

Follow the directions at the LSC page.

Configuring Apache 1.3 as Secure Server

Note that not all browsers work with this Apache setup.  Some browsers may not handle SSL client authentication and certificates correctly with Apache.

List of known browsers that work with the following configuration.

List of known browsers that do not work with the following configuration.

List of known browsers that have yet to be tested.


  1. Locate httpd.conf (usually it is found in one of):
    • /etc/httpd/conf/httpd.conf
    • /usr/local/apache/conf/httpd.conf
  2. Set the root directory from which web pages will be served for http.
    DocumentRoot "/usr/local/apache/htdocs"
    
  3. Set the server name and server admin email. (optional)
    ServerAdmin jpan@weyl.phys.uwm.edu
    ServerName www.weyl.phys.uwm.edu
    
  4. Set up the SSL configuration.
    <IfModule mod_ssl.c>
    
    #   Pass Phrase Dialog:
    #   Configure the pass phrase gathering process.
    #   The filtering dialog program (`builtin' is a internal
    #   terminal dialog) has to provide the pass phrase on stdout.
    SSLPassPhraseDialog  builtin
    
    #   Inter-Process Session Cache:
    #   Configure the SSL Session Cache: First the mechanism 
    #   to use and second the expiring timeout (in seconds).
    SSLSessionCacheTimeout  300
    
    #   Semaphore:
    #   Configure the path to the mutual exclusion semaphore the
    #   SSL engine uses internally for inter-process synchronization. 
    SSLMutex  file:logs/ssl_mutex
    
    #   Pseudo Random Number Generator (PRNG):
    #   Configure one or more sources to seed the PRNG of the 
    #   SSL library. The seed data should be of good random quality.
    #   WARNING! On some platforms /dev/random blocks if not enough entropy
    #   is available. This means you then cannot use the /dev/random device
    #   because it would lead to very long connection times (as long as
    #   it requires to make more entropy available). But usually those
    #   platforms additionally provide a /dev/urandom device which doesn't
    #   block. So, if available, use this one instead. Read the mod_ssl User
    #   Manual for more details.
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    
    
    #   Logging:
    #   The home of the dedicated SSL protocol logfile. Errors are
    #   additionally duplicated in the general error log file.  Put
    #   this somewhere where it cannot be used for symlink attacks on
    #   a real server (i.e. somewhere where only root can write).
    #   Log levels are (ascending order: higher ones include lower ones):
    #   none, error, warn, info, trace, debug.
    SSLLog      logs/ssl_engine_log
    SSLLogLevel error
    
    </IfModule>
    
  5. Set up a virtual host for https, preferably with a different document root directory (adapt this to your site rather than copying and pasting).  The important lines are annotated with their own comments.  Sample httpd.conf for weyl.phys.uwm.edu (comments must sit on their own lines, since Apache does not allow trailing comments after a directive):
    ##
    ## SSL Virtual Host Context
    ##
    
    <IfDefine SSL>
    <VirtualHost *:443>
    
    #  General setup for the virtual host
    #  sets document root for https
    DocumentRoot /usr/local/apache/htdocs/secure
    
    <Directory />
        Options All
        AllowOverride All
    </Directory>
    
    <Location /test>
        # "optional" here means access with either valid certificate credentials
        # or username and password authentication
        SSLVerifyClient optional
        SSLVerifyDepth 5
        # FakeBasicAuth is what we used, by appending "xxj31ZMTZzkVA" to each DN entry
        SSLOptions +StdEnvVars +FakeBasicAuth
        # use ssl to authenticate
        SSLRequireSSL
        # sets up username and password
        AuthType Basic
        AuthName "By Invitation Only"
        # password file containing encrypted passwords and DN entries for certificates
        AuthUserFile /people/jpan/test/pass2
        # any valid user can have access
        require valid-user
    </Location>
    
    <Location /test2>
        # similar configuration to /test
        SSLVerifyClient optional
        SSLVerifyDepth 5
        SSLOptions +FakeBasicAuth
        SSLRequireSSL
        AuthName "Snake Oil Authentication"
        AuthType Basic
        AuthUserFile /people/jpan/test/pass2
        require valid-user
    </Location>
    
    <Location /work>
        # explicitly give access only to users with the DN entries listed below
        SSLRequire ( %{SSL_CLIENT_S_DN} in {"/DC=org/DC=doegrids/OU=People/CN=Jackson Pan 35545", \
                                            "/DC=org/DC=doegrids/OU=People/CN=Scott Koranda 43845", \
                                            "/DC=org/DC=doegrids/OU=People/CN=Patrick Brady 650602", \
                                            "/DC=org/DC=doegrids/OU=People/CN=Warren G Anderson 620767"} )
        # verification is required, not optional!
        SSLVerifyClient require
        SSLVerifyDepth 2
    </Location>
    
    #ServerName new.host.name
    #ServerAdmin you@your.address
    # log file for errors
    ErrorLog logs/error_log
    TransferLog logs/access_log
    
    #   SSL Engine Switch:
    #   Enable/Disable SSL for this virtual host.
    SSLEngine on
    
    #   SSL Cipher Suite:
    #   List the ciphers that the client is permitted to negotiate.
    #   See the mod_ssl documentation for a complete list.
    #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    
    #   Server Certificate:
    #   Point SSLCertificateFile at a PEM encoded certificate.  If
    #   the certificate is encrypted, then you will be prompted for a
    #   pass phrase.  Note that a kill -HUP will prompt again.  A test
    #   certificate can be generated with `make certificate' at
    #   build time.  Keep in mind that if you've both a RSA and a DSA
    #   certificate you can configure both in parallel (to also allow
    #   the use of DSA ciphers, etc.)
    #   This points to either a self-made server certificate or a signed
    #   or trusted server certificate of the localhost.
    SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
    
    #   Server Private Key:
    #   If the key is not combined with the certificate, use this
    #   directive to point at the key file.  Keep in mind that if
    #   you've both a RSA and a DSA private key you can configure
    #   both in parallel (to also allow the use of DSA ciphers, etc.)
    #   This points to either a self-made server key or the key of a signed
    #   or trusted server certificate of the localhost.
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
    
    #   Server Certificate Chain:
    #   Point SSLCertificateChainFile at a file containing the
    #   concatenation of PEM encoded CA certificates which form the
    #   certificate chain for the server certificate.  Alternatively
    #   the referenced file can be the same as SSLCertificateFile
    #   when the CA certificates are directly appended to the server
    #   certificate for convenience.
    #SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/ca.crt
    
    #   Certificate Authority (CA):
    #   Set the CA certificate verification path where to find CA
    #   certificates for client authentication or alternatively one
    #   huge file containing all of them (file must be PEM encoded)
    #   Note: Inside SSLCACertificatePath you need hash symlinks
    #         to point to the certificate files.  Use the provided
    #         Makefile to update the hash symlinks after changes.
    #   This points to an appended file containing the CA certificate
    #   and the SuperCA certificate.
    SSLCACertificateFile /usr/local/apache/conf/ssl.crt/DOEbundle.crt
    
    #   Certificate Revocation Lists (CRL):
    #   Set the CA revocation path where to find CA CRLs for client
    #   authentication or alternatively one huge file containing all
    #   of them (file must be PEM encoded)
    #   Note: Inside SSLCARevocationPath you need hash symlinks
    #         to point to the certificate files.  Use the provided
    #         Makefile to update the hash symlinks after changes.
    #SSLCARevocationPath /etc/httpd/conf/ssl.crl
    #SSLCARevocationFile /etc/httpd/conf/ssl.crl/ca-bundle.crl
    
    #   Client Authentication (Type):
    #   Client certificate verification type and depth.  Types are
    #   none, optional, require and optional_no_ca.  Depth is a
    #   number which specifies how deeply to verify the certificate
    #   issuer chain before deciding the certificate is not valid.
    #SSLVerifyClient require
    #SSLVerifyDepth 10
    
    #   Access Control:
    #   With SSLRequire you can do per-directory access control based
    #   on arbitrary complex boolean expressions containing server
    #   variable checks and other lookup directives.  The syntax is a
    #   mixture between C and Perl.  See the mod_ssl documentation
    #   for more details.
    
    #   SSL Engine Options:
    #   Set various options for the SSL engine.
    #   o FakeBasicAuth:
    #     Translate the client X.509 into a Basic Authorisation.  This means that
    #     the standard Auth/DBMAuth methods can be used for access control.  The
    #     user name is the `one line' version of the client's X.509 certificate.
    #     Note that no password is obtained from the user.  Every entry in the user
    #     file needs this password: `xxj31ZMTZzkVA'.
    #   o ExportCertData:
    #     This exports two additional environment variables: SSL_CLIENT_CERT and
    #     SSL_SERVER_CERT.  These contain the PEM-encoded certificates of the
    #     server (always existing) and the client (only existing when client
    #     authentication is used).  This can be used to import the certificates
    #     into CGI scripts.
    #   o StdEnvVars:
    #     This exports the standard SSL/TLS related `SSL_*' environment variables.
    #     Per default this exportation is switched off for performance reasons,
    #     because the extraction step is an expensive operation and is usually
    #     useless for serving static content.  So one usually enables the
    #     exportation for CGI and SSI requests only.
    #   o CompatEnvVars:
    #     This exports obsolete environment variables for backward compatibility
    #     to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x.  Use this
    #     to provide compatibility to existing CGI scripts.
    #   o StrictRequire:
    #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
    #     under a "Satisfy any" situation, i.e. when it applies access is denied
    #     and no other module can change it.
    #   o OptRenegotiate:
    #     This enables optimized SSL connection renegotiation handling when SSL
    #     directives are used in per-directory context.
    #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/usr/local/apache/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    
    #   SSL Protocol Adjustments:
    #   The safe and default but still SSL/TLS standard compliant shutdown
    #   approach is that mod_ssl sends the close notify alert but doesn't wait for
    #   the close notify alert from client.  When you need a different shutdown
    #   approach you can use one of the following variables:
    #   o ssl-unclean-shutdown:
    #     This forces an unclean shutdown when the connection is closed, i.e. no
    #     SSL close notify alert is sent or allowed to be received.  This violates
    #     the SSL/TLS standard but is needed for some brain-dead browsers.  Use
    #     this when you receive I/O errors because of the standard approach where
    #     mod_ssl sends the close notify alert.
    #   o ssl-accurate-shutdown:
    #     This forces an accurate shutdown when the connection is closed, i.e. a
    #     SSL close notify alert is sent and mod_ssl waits for the close notify
    #     alert of the client.  This is 100% SSL/TLS standard compliant, but in
    #     practice often causes hanging connections with brain-dead browsers.  Use
    #     this only for browsers where you know that their SSL implementation
    #     works correctly.
    #   Notice: Most problems of broken clients are also related to the HTTP
    #   keep-alive facility, so you usually additionally want to disable
    #   keep-alive for those clients, too.  Use variable "nokeepalive" for this.
    #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
    #   their broken HTTP/1.1 implementation.  Use variables "downgrade-1.0" and
    #   "force-response-1.0" for this.
    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
    
    #   Per-Server Logging:
    #   The home of a custom SSL log file.  Use this when you want a
    #   compact non-error SSL logfile on a virtual host basis.
    CustomLog logs/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    
    </VirtualHost>
    </IfDefine>
  6. Start Apache with SSL enabled:
    • /usr/local/apachectl startssl
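The /test and /test2 locations above accept either a client certificate (mapped by FakeBasicAuth onto a DN entry whose password field is the fixed hash "xxj31ZMTZzkVA") or an ordinary username and password from the same AuthUserFile.  The script below is an added example, not part of the original page or of the site's own tooling; it audits such a mixed file: DN entries must carry exactly the FakeBasicAuth hash, ordinary users must not (that hash is the DES crypt of the word "password", so it is no secret), and DN entries can be checked against the site's allowed list.  The sample file contents are constructed.

```python
"""Audit an Apache AuthUserFile shared between FakeBasicAuth DN entries and
ordinary Basic-auth users, as in the /test and /test2 Locations."""
import re
from typing import List, NamedTuple, Optional, Tuple

# mod_ssl's fixed FakeBasicAuth password field: the DES crypt of "password".
FAKE_BASIC_AUTH_HASH = "xxj31ZMTZzkVA"
# Hash formats htpasswd may write: 13-char DES crypt, $apr1$ MD5, {SHA}.
_HASH_FORMAT = re.compile(r"^(\$apr1\$.+|\{SHA\}.+|[./0-9A-Za-z]{13})$")

# DNs admitted to /work in the sample httpd.conf above.
ALLOWED_WORK_DNS = frozenset({
    "/DC=org/DC=doegrids/OU=People/CN=Jackson Pan 35545",
    "/DC=org/DC=doegrids/OU=People/CN=Scott Koranda 43845",
    "/DC=org/DC=doegrids/OU=People/CN=Patrick Brady 650602",
    "/DC=org/DC=doegrids/OU=People/CN=Warren G Anderson 620767",
})

# Constructed sample; NOT the real /people/jpan/test/pass2.
SAMPLE_AUTHUSERFILE = """\
# constructed sample AuthUserFile
/DC=org/DC=doegrids/OU=People/CN=Jackson Pan 35545:xxj31ZMTZzkVA
/DC=org/DC=doegrids/OU=People/CN=Scott Koranda 43845:xxj31ZMTZzkVA
/DC=org/DC=doegrids/OU=People/CN=Example User 00000:ab3kWpD9Yq2Lc
alice:$apr1$saltsalt$notarealhashvalue
bob:xxj31ZMTZzkVA
"""

class Finding(NamedTuple):
    line: int
    user: str
    problem: str

def parse_authuserfile(text: str) -> List[Tuple[int, str, Optional[str]]]:
    """Return (lineno, user, password_field) per entry, skipping blanks/comments."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # The hash never contains ':', so split on the last colon; this keeps
        # DN entries intact even if a DN component ever contained one.
        user, sep, pw = line.rpartition(":")
        entries.append((n, user, pw) if sep else (n, line, None))
    return entries

def audit(text: str, allowed_dns=frozenset()) -> List[Finding]:
    """Flag malformed, duplicate, or mis-hashed entries in an AuthUserFile."""
    findings, seen = [], set()
    for n, user, pw in parse_authuserfile(text):
        if pw is None:
            findings.append(Finding(n, user, "no password field")); continue
        if user in seen:
            findings.append(Finding(n, user, "duplicate entry"))
        seen.add(user)
        if user.startswith("/"):                       # X.509 subject DN entry
            if pw != FAKE_BASIC_AUTH_HASH:
                findings.append(Finding(n, user, "DN entry must use the FakeBasicAuth hash"))
            elif allowed_dns and user not in allowed_dns:
                findings.append(Finding(n, user, "DN not in the site's allowed list"))
        elif pw == FAKE_BASIC_AUTH_HASH:               # ordinary user, well-known hash
            findings.append(Finding(n, user, "plain user carries the FakeBasicAuth hash"))
        elif not _HASH_FORMAT.match(pw):
            findings.append(Finding(n, user, "password field is not a recognised htpasswd hash"))
    return findings
```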

Setting up dsorun

Get dsorun through CVS.

  1. Log in as root, set the environment variable, and change the group of the web root to apache:
    • export HTMLROOT=/var/www/html
    • chgrp apache /var/www/html
    • chmod g+w /var/www/html
    • cd $HTMLROOT
  2. Edit the password file and su to apache:
    • vi /etc/passwd and replace shell from /sbin/nologin to /bin/bash.
    • su apache
  3. Grab dsorun using CVS (use lalwrapper for the password):
    • cvs -d :pserver:anonymous@gravity.phys.uwm.edu:2402/usr/local/cvs/lscsoft login
    • cvs -d :pserver:anonymous@gravity.phys.uwm.edu:2402/usr/local/cvs/lscsoft co dsorun
    • cvs -d :pserver:anonymous@gravity.phys.uwm.edu:2402/usr/local/cvs/lscsoft logout
    Notice that you should switch to user apache when doing this; the cgi-script must be owned by apache to execute correctly.
  4. Put the identifier for ldas in the file ldasname:
    • echo "ldas-uwm" > /etc/ldasname
  5. Edit the cgi script:
    • cd $HTMLROOT/dsorun/cgi-bin
    • vi index.cgi
    Search for "get_ldas_location" and make sure that your ldas is properly identified to your location. If you were configuring the on-line monitoring tool to run at UWM, edit the line
        /uwm/ && return qw(ldas.ligo-wa.caltech.edu LHO Hanford);
    
    to contain the correct machine name, a three letter identifier, and a longer one-word description.
        /uwm/ && return qw(ldas.phys.uwm.edu UWM Milwaukee);
    
    
    Save the file.
  6. Still as user apache, install ligotools. Follow the instructions on the ligotools web page and choose to install the packages LDASJob and dataflow.
  7. As root, change ownership and give Apache write permission:
    • chown --recursive apache.apache $HTMLROOT/dsorun
    • chmod --recursive g+rw $HTMLROOT/dsorun
  8. Open the Apache configuration file /etc/httpd/conf/httpd.conf and add the following lines (Apache does not expand shell variables, so write out the literal path that $HTMLROOT held, here /var/www/html):
        <Directory /var/www/html/dsorun/cgi-bin>
            Options +ExecCGI
        </Directory>
    
    Uncomment the line:
        AddHandler cgi-script .cgi
    
  9. Obtain the Perl module Tie::IxHash. As root, type:
    • perl -MCPAN -e "shell"
    Answer "no" to the questions about configuring. The CPAN tools will autoconfigure and drop you into the CPAN shell. Next type:
    • install 'Tie::IxHash'
    Wait for the download and the installation to finish. Then log out by typing:
    • quit
  10. Finally, restart the web server by typing:
    • service httpd restart
  11. You should now be able to go to the web page using the URL:
    • http://Host_Name/dsorun/cgi-bin/index.cgi
    Instructions (from 2002) about using the system can be found in:
    • http://Host_Name/dsorun/doc/index.html