Readying a Variations3 server for Variations-Web - 5.0.7
This page describes the steps that need to be taken in order to run any part of Variations-Web including the web player and the access manager. These instructions assume that you will be installing Variations-Web on the the same system where the Variations server and its various components (e.g. Perl, Apache, etc.) are already running.
Contents
Apache
Configure SSL for Apache
HTTPS using SSL authentication is needed in order to protect private information including user profiles and group/course membership information.
- Find the DNS hostname that refers to Apache
- You can find the IP apache is using by looking at the Listen statement in the Apache conf file: /etc/httpd/conf/httpd.conf.
- Ensure that the SSL certificate for Apache is valid by making sure that the Subject Common Name (CN) is the same as the full hostname HTTPS requests will be coming to
- You can see the CN using:
openssl x509 -in /etc/httpd/conf/ssl.crt/server.crt -noout -text
- If it is not valid create a new one (follow the process at your institution or create a self-signed certificate)
- You can create a self-signed certificate by deleting the one that exists at /etc/httpd/conf/ssl.crt/server.crt then running
make testcert
in /etc/httpd/conf/ . When prompted for the Common Name, fill in the DNS hostname.
- You can create a self-signed certificate by deleting the one that exists at /etc/httpd/conf/ssl.crt/server.crt then running
- You can see the CN using:
Install mod_jk
For Tomcat to be accessed on normal HTTP ports (80 and 443), mod_jk needs to be installed. mod_jk passes all requests on given paths to Tomcat along with SSL credentials if present. Using mod_jk allows a single entry point for all HTTP requests and avoids running Tomcat on higher ports.
- Install apxs:
up2date httpd-devel
- Download latest mod_jk sources from http://tomcat.apache.org/download-connectors.cgi
- Untar the sources and cd into native:
tar xvzf tomcat-connectors-1.2.30-src.tar.gz; cd tomcat-connectors-1.2.30-src/native
- Compile and install mod_jk:
CFLAGS="-O2 -g -Wall -fno-strict-aliasing" ./configure --with-apxs=/usr/sbin/apxs --disable-trace --enable-flock make sudo make install
Configure mod_jk
- Create /etc/httpd/conf.d/jk.conf
######################################### # Mod_jk stuff ######################################### LoadModule jk_module modules/mod_jk.so JkWorkersFile /etc/httpd/conf.d/workers.properties JkLogFile /etc/httpd/logs/mod_jk.log JkLogLevel warn JkMountCopy All JkMount /variations-ws-server/* default JkMount /variations-ui-web/* default JkMount /variations-mgmt-web/* default
- Create /etc/httpd/conf.d/workers.properties
worker.list=default worker.default.port=8009 worker.default.host=localhost worker.default.type=ajp13
Restart Apache
After installing and configuring mod_jk, you will need to restart apache: sudo /etc/init.d/httpd restart
Tomcat
Install JDK
Do the following steps as root to install a newer JDK (1.5 or 1.6):
1.5 JDK
- Download the most recent 1.5 JDK from http://java.sun.com/javase/downloads/index_jdk5.jsp. Select the appropriate architecture and download the .bin version.
- Make it runnable:
chmod +x jdk-1_5_0_*.bin
- Run the bin file:
sh jdk-1_5_0_*.bin
and answer "yes" to the EULA
1.6 JDK
- Download the most recent 1.6 JDK from http://java.sun.com/javase/downloads/index.jsp. Select the appropriate architecture and download the .bin version.
- Make it runnable:
chmod +x jdk-6*.bin
- Run the bin file:
sh jdk-6*.bin
and answer "yes" to the EULA
Install SSL Certificate
If your SSL certificate is self-signed, then in order for the Web UI and Access Manager connect to the Web Services you will need to add it to the trusted certificates of the newly installed JDK. Run the following as root, adjusting the JDK path (both the keytool program and keystore) if necessary:
/usr/java/jdk1.5.0_18/bin/keytool -import -trustcacerts -alias apacheLocalhostCA \ -file /etc/httpd/conf/ssl.crt/server.crt -keystore /usr/java/jdk1.5.0_18/jre/lib/security/cacerts \ -storepass changeit -keypass changeit
Install Tomcat
Do the following steps as root, adjusting tomcat's filename if necessary:
- Download the most recent 5.5 tomcat core from http://tomcat.apache.org/download-55.cgi.
- Copy it to /usr/local:
cp apache-tomcat-5.5.28.tar.gz /usr/local
- Untar it:
cd /usr/local; tar xvfz apache-tomcat-5.5.28.tar.gz
- Create a general symlink to it:
ln -s apache-tomcat-5.5.28 tomcat
- As root, create the tomcat user and change ownership of the tomcat installation to tomcat:
- useradd tomcat -d /usr/local/tomcat
- chown -R tomcat:tomcat apache-tomcat-5.5.28/
- Become the new tomcat user:
su - tomcat
- Create .bash_profile with the following contents (adjusting the jdk path if necessary):
export JAVA_HOME=/usr/java/jdk1.5.0_18 export PATH=$JAVA_HOME/bin:$PATH export JAVA_OPTS="-Xmx1024m -Dcom.sun.management.jmxremote -XX:MaxPermSize=256m"
- Logout and log back in to make sure the new settings take hold by checking the version reported by java (it should be the JDK installed earlier):
exit su - tomcat echo $JAVA_HOME java -version
Configure Tomcat
- Edit conf/server.xml
- Change the redirectPort attributes in the 8080 connector tags to 443.
- For Variations webapps to connect to the Variations Web Services, you need to create a user with role "wsconsumer" by adding the following lines to conf/tomcat-users.xml (replace client_auth_username and actual_password with your own values, which you will later also put in Variations webapp config files):
<role rolename="wsconsumer"/> <user username="client_auth_username" password="actual_password" roles="wsconsumer"/>
Variations Server Access for Webapps
The Variations Web Services need to connect to the Variations server to access metadata and user profiles. The Web Services require a superuser connection to Variations. Access control to this information is handled by the Variations server access policy file and an access policy file bundled with the Web Services.
- Create an account that can access your Variations server by making a service or guest account through your institution. Do not use a personal account. If your institution does not provide this capability, then you can create a system account on the Variations server and implement JPAM authentication in Variations.
- Add the user to the Variations server Administrators group using the varGroup.sh command.