Service Installation Manual (all services)

This guide contains the core installation instructions that are common to all GRIA services. Topics covered include installing Java and Tomcat, war file deployment and firewall configuration.

1. Introduction

Installing the prerequisites

GRIA services are distributed in war files. This guide assumes you have already downloaded and unpacked one of the GRIA packages. Inside it you will find the war file.

Once the pre-requisites have been set up and the war file has been deployed to Tomcat, the web-based administration interface will guide you through the rest of the installation process.

Prerequisites

Currently, we provide documented instructions for installation on the following:

  • SuSE 9.3 - 10.2
  • Fedora Core 3, 4, and 5
  • Windows XP and Windows 2003 Server

GRIA has also been installed on Red Hat, Debian, Ubuntu and Mandriva with minor changes to the installation/configuration instructions (please contact GRIA support if you require assistance with these or other operating systems). However, our recommended platform is SuSE: this Linux distribution contains all of the prerequisites required for GRIA, is straightforward to maintain and patch, and is the platform on which this software has undergone the most testing.

Whichever operating system you install on, the software prerequisites are:

2. Preparing the Operating System

How to install the prerequisites on various platforms.

2.1. Windows

Preparing Windows XP and Windows 2003 Server

Installing Windows

Before installing the GRIA package on a Windows system, you will require the following:

  • The Windows installation CD, Service Packs, etc.
  • User with administrator privileges to install GRIA.

N.B. There are several ways to install and configure Windows, so you are advised to consult your system manager and set up the system according to your needs.

This page explains how to install and configure all Windows prerequisites and how to configure the firewall.

Software Pre-requisites

The Windows distribution CD does not include several of the necessary packages: Java 1.5.x (5.0) and Tomcat 5.5.x, which must be installed separately. In addition, if you are installing the GRIA Basic Application Services then Perl is a pre-requisite and, optionally, if you wish to use the demo applications, ImageMagick (e.g. a version later than 6.0.x). The following sections describe how to install and configure these packages for Windows.

Java Installation

Download the JDK 5.0 Update for the Windows platform from Sun (the file will have the form jdk-1_5_x__xx-i586-p.exe). Double-click on the downloaded binary to run the installer, and during installation use the default values.

Tomcat installation

Download version 5.5.20 or higher of the Windows Service Installer Package.

Install Tomcat by double-clicking on the downloaded package e.g. apache-tomcat-5.5.20.exe. During installation use the default values, ensuring that:

  • the path for JVM points to the SDK directory and NOT the JRE, e.g. C:\Program Files\Java\j2sdk1.5.0_05
  • a password for the Tomcat admin account is provided.

Configuring the Firewall

The deployed GRIA war (or webapp) should be hosted behind a firewall to ensure that your server can only be accessed on certain ports. You should consult with your systems administrator to determine if you need to run a firewall on the GRIA server machine.

Windows XP by default runs a firewall which blocks ports 8080 and 8443. However, Windows 2003 Server by default does not run a firewall. If you decide to run a firewall on the machine hosting the GRIA services, you will need to open ports 8080 and 8443 during installation. To configure the firewall, choose Windows Firewall from the Control Panel, click Exceptions -> Add Port, and enter the name and number:

  • Tomcat, 8080 and leave transport protocol as TCP
  • Tomcat (secure), 8443 and leave transport protocol as TCP

When you've finished setting up GRIA you can block port 8080 again.

Configuring NTP

In order to provide some synchronisation between the clocks on machines that the various GRIA packages are installed on, it is recommended to run an NTP client service that will synchronise your system with an Internet time server.

There are several NTP client implementations available, e.g. Meinberg's NTP client. If you decide to use this one, then during installation select the default options except for the "Configuration File Settings" dialogue. Here you should select an NTP server from the "Want to use predefined public NTP servers" drop-down list that is geographically located closest to you.

Starting Tomcat

The easiest way to control Tomcat on Windows is to use the Tomcat Monitor tool. This is available by selecting Start -> All Programs -> Apache Tomcat 5.5 -> Monitor Tomcat. Once it is started you will notice a new icon on your taskbar. Right-click on the icon to start and stop the Tomcat service. If you want the Tomcat service to start automatically on boot-up, right-click on the icon and select "Configure", then change the startup type to "Automatic".

2.2. Fedora

Preparing Fedora

2.2.1. Fedora Core 3

Fedora Core 3

Installing the Fedora Core 3 Operating System

If you feel confident in installing the server installation of Fedora Core 3, you may skip this section, but make sure to install the pre-requisites, otherwise the GRIA war will fail to function correctly.

N.B. There are several ways to install and configure Fedora, so you are advised to consult your system manager and set up the system according to your needs. The following notes describe a simple way to install and configure a headless Fedora system for deployment of a GRIA war.

Having satisfied the above, the installation process is as follows:

  1. Place the Fedora Core 3 CD1 into the CD-ROM drive and boot the system from the CD, pressing enter at the boot prompt (install in graphical mode).
  2. Test the CD media (optional).
  3. Click Next on the Welcome to Fedora Core screen.
  4. Choose language (e.g. English) on the Language Selection screen.
  5. On the Keyboard Configuration screen choose keyboard, e.g. United Kingdom.
  6. On Upgrade/Install Examine screen choose Install Fedora Core.
  7. On the Installation Type screen choose Server.
  8. According to your needs and system settings, choose automatic or manual configuration for the Disk Partitioning Setup screen. Then follow the instructions accordingly, e.g. for the Disk Setup and Boot Loader Configuration screens.
  9. Enter the appropriate settings for the Network Configuration screen. If you do not have a DHCP server, enter the hostname, etc. manually.
  10. On the Firewall Configuration screen, select Enable firewall and choose SSH and Web Server services. You may want to disable SELinux by selecting this option in the drop down menu.
  11. In the Additional Language Support screen, add any additional language support you require e.g. "English (Great Britain)" and set your preferred default language.
  12. Set the correct time zone in the Time Zone Selection screen.
  13. Set the root password in Set Root Password screen.
  14. The machine will reboot at the end of the installation.

After the installation from CD is complete, we recommend updating the system with the latest patches. This may be done using the yum command:

  1. First (as root) import the Fedora public key (for checking package integrity):
    # rpm --import /usr/share/rhn/RPM-GPG-KEY-fedora
  2. Update your system (this may take some time):
    # yum update

This completes the installation of the operating system.

Installing the Software Pre-requisites

Having installed the operating system, the following lists the pre-requisites which must be installed if the GRIA war is to function correctly. It is important to install any dependencies which may also be required by these software pre-requisites:

  • Sun Java JDK v1.5.0 or higher
  • Jakarta Tomcat v5.5.x
  • Apache HTTP server v2.0 (an optional package to provide secure access)
    • httpd-2.0.xx.x
  • Perl v5.6 or higher (only required for the GRIA Basic Application Services package)
  • A sample, test application: ImageMagick (only required for the GRIA Basic Application Services package)
  • An Internet browser, e.g. Mozilla Firefox (which may be installed on a different machine)
  • Optional utility packages:
    • zip and unzip
    • tar, etc.

If you have followed the installation instructions above then your system already has Apache and Perl installed. You must now download and install the Sun Java JDK and Tomcat.

First, download the Java binary JDK selecting the "Linux self-extracting file" (e.g. jdk-1_5_0_05-linux-i586.bin) and Tomcat packages and place them into /tmp directory on the Fedora Core 3 machine. You may find it easiest to do this by downloading the packages to your desktop machine and copying them to the server. Finally, log in to the server machine as the root user ready to install the software.

Install Java

In order to install Java in the /opt directory the following must be done (adjusting the version number to your particular package):

  1. Move to /opt:
    # cd /opt
  2. Unpack the binary from the temporary directory:
    # sh /tmp/jdk-1_5_x_xx-linux-i586.bin
  3. Create a symbolic link within this directory:
    # ln -s jdk1.5.x_xx java

Install Tomcat

The following must be done in order to install Tomcat successfully (adjusting the version number to your particular package):

  1. Tomcat will be installed under the /opt directory, therefore move to this directory with:
    # cd /opt
  2. Unpack the Tomcat tarball from the temporary directory:
    # tar xvfz /tmp/apache-tomcat-5.5.20.tar.gz
  3. Create a symbolic link for Tomcat
    # ln -s apache-tomcat-5.5.20 tomcat
  4. Tomcat will be most secure if it is not run by root, therefore create a user for the tomcat server to run as e.g. "tomcat" with the user's home directory set to /opt/tomcat:
    # useradd -d /opt/tomcat tomcat
  5. Alter the ownership of the directory to the tomcat user created above (-H makes chown follow the tomcat symbolic link given on the command line):
    # chown -HR tomcat:tomcat tomcat
  6. Configure tomcat to use Sun Java by editing /opt/tomcat/bin/catalina.sh. Open the file (e.g. in vi) and add the line JAVA_HOME=/opt/java to the top of the file after the file header, e.g.:
    # system class path used to start Tomcat.
    #
    # CATALINA_PID (Optional) Path of the file which should contains the pid
    # of catalina startup java process, when start (fork) is used
    #
    # $Id: fc3-pre.htm 3715 2006-04-10 14:01:19Z ajw $
    # -----------------------------------------------------------------------------

    JAVA_HOME=/opt/java

    # OS specific support. $var _must_ be set to either true or false.
    cygwin=false
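
A post-install check for the Tomcat steps above, as an added example that is not part of the GRIA manual: it confirms that catalina.sh sets JAVA_HOME, that every file reached through the tomcat symbolic link belongs to the service account, and which account a Tomcat JVM is running as. The function names and the constructed demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the GRIA manual): post-install checks for the
# Tomcat steps above. Function names and the demo tree are constructed.

# Print the value of the first uncommented JAVA_HOME assignment in catalina.sh.
java_home_from_catalina() {
    sed -n 's/^[[:space:]]*JAVA_HOME=//p' "$1" | head -n 1
}

# Print every path under $1 that is not owned by user $2 (name or numeric uid).
# The trailing "/." makes find descend through a symlink such as /opt/tomcat.
files_not_owned_by() {
    find "$1/." ! -user "$2" -print
}

# Read "ps -eo user,args" output on stdin; print the account of each Tomcat JVM.
tomcat_process_users() {
    awk '/org\.apache\.catalina\.startup\.Bootstrap/ { print $1 }'
}

# Run the file checks against a Tomcat directory; exit status 0 means all passed.
check_tomcat_install() (
    tomcat_home=$1; run_as=$2; status=0
    java_home=$(java_home_from_catalina "$tomcat_home/bin/catalina.sh")
    if [ -z "$java_home" ]; then
        echo "FAIL: JAVA_HOME is not set in $tomcat_home/bin/catalina.sh"; status=1
    elif [ ! -x "$java_home/bin/java" ]; then
        echo "FAIL: JAVA_HOME=$java_home has no executable bin/java"; status=1
    fi
    if ! stray=$(files_not_owned_by "$tomcat_home" "$run_as"); then
        echo "FAIL: could not walk $tomcat_home"; status=1
    elif [ -n "$stray" ]; then
        echo "FAIL: not owned by $run_as:"; echo "$stray"; status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: $tomcat_home"
    exit "$status"
)

# --- demo on a constructed tree that mirrors the /opt layout of this section ---
DEMO=$(mktemp -d) || exit 1
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/apache-tomcat-5.5.20/bin" "$DEMO/java/bin"
ln -s apache-tomcat-5.5.20 "$DEMO/tomcat"
printf '#!/bin/sh\nexit 0\n' > "$DEMO/java/bin/java"
chmod +x "$DEMO/java/bin/java"
printf '# header\n\nJAVA_HOME=%s\n\ncygwin=false\n' "$DEMO/java" \
    > "$DEMO/tomcat/bin/catalina.sh"

check_tomcat_install "$DEMO/tomcat" "$(id -u)"

# Constructed ps line: a Tomcat JVM owned by root is what step 4 is meant to prevent.
printf 'root /opt/java/bin/java org.apache.catalina.startup.Bootstrap start\n' |
    tomcat_process_users
```

On a server installed as described, the equivalent calls are `check_tomcat_install /opt/tomcat tomcat` and `ps -eo user,args | tomcat_process_users`.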

Install Sample Application

The GRIA Basic Application Services package uses demo applications which require the ImageMagick package. You may already have ImageMagick installed. To test for it, log in as root and type:

# rpm -qi ImageMagick

If you see "package ImageMagick is not installed" then the package must be installed, either from the CDs or by using yum:

  1. First import the Fedora public key (for checking package integrity) if you have not already done so:
    # rpm --import /usr/share/rhn/RPM-GPG-KEY-fedora
  2. Install ImageMagick (and any dependencies):
    # yum install ImageMagick

Setting the System Clock

In order to provide some synchronisation between the clocks on machines that the various GRIA packages are installed on, it is recommended to run an NTP client service that will synchronise your system with an Internet time server. Fedora comes with an NTP package which is installed by default in the server installation. To see if NTP is installed, log in as root and type:

# rpm -qi ntp

If you see "package ntp is not installed" then install NTP either from the CDs or by using yum:

# yum install ntp

The NTP daemon must be configured using the file /etc/ntp.conf. If you are using DHCP then your DHCP server may automatically configure this file. Further instructions regarding NTP are beyond the scope of this manual.

Setting Up Tomcat Users

In order to deploy the war file, the Tomcat Manager for application deployment will be used. The Tomcat manager functions are disabled by default.

To enable Tomcat administration and management we must add roles and a tomcat user to the tomcat-users.xml file.
  1. Open the $CATALINA_HOME/conf/tomcat-users.xml file with a suitable editor and add these elements after the last 'role' element:
    <role rolename="manager"/>
    <role rolename="admin"/>

  2. Add this line after the last 'user' element, replacing TOMCAT_PASSWORD with an appropriate password:
    <user username="tomcat" password="TOMCAT_PASSWORD" roles="admin,manager"/>
  3. Save the file

Configuring the Firewall

The deployed GRIA war (or webapp) should be hosted behind a firewall to ensure that your server can only be accessed on certain ports. You should consult with your systems administrator to determine if you need to run a firewall. If so, configure the firewall as follows:

  1. As root, run:
    # system-config-securitylevel
  2. Enable firewall and continue with Customize (use the TAB key to move fields and the SPACEBAR key to select)
  3. Do not select any "Trusted Devices", e.g. eth0
  4. Allow incoming connections for "SSH" and "WWW (HTTP)"
  5. In the "Other ports" box type: "https:tcp 8080:tcp" to permit secure access to Apache and temporarily enable insecure access to Tomcat
  6. Finish firewall configuration by selecting "OK"

Configuring SELinux

SELinux is an option during the installation process. It provides better security than standard Linux installations. If you are not sure whether SELinux is installed, then type (as root):

# setsebool

If you get "Command not found" then SELinux is not installed and no configuration is necessary. Otherwise, if you chose to install SELinux then it must be configured to let the Apache web server communicate with the Tomcat web server. To do this, enter the following command as root:

# setsebool -P httpd_can_network_connect=1

Starting Services

There are two services that need to be started: Tomcat and NTP. NTP is easily managed by the system and may be started with this command:

# service ntpd start

As mentioned above, Tomcat should not be run as root, therefore first switch from being the root user to the tomcat user and then start tomcat:

# su tomcat
$ cd /opt/tomcat/bin
$ ./startup.sh

It is useful to have the NTP daemon start automatically when the server is rebooted. This can be done by typing the following as the root user:

# chkconfig ntpd on

2.2.2. Fedora Core 4

Preparing Fedora Core 4

Installing the Fedora Core 4 Operating System

If you feel confident in installing the server installation of Fedora Core 4, you may skip this section, but make sure to install the pre-requisites, otherwise the GRIA war will fail to function correctly.

N.B. There are several ways to install and configure Fedora, so you are advised to consult your system manager and set up the system according to your needs. The following notes describe a simple way to install and configure a headless Fedora system for GRIA war.

Having satisfied the above, the installation process is as follows:

  1. Place the Fedora Core 4 CD1 into the CD-ROM drive and boot the system from the CD, pressing enter at the boot prompt (install in graphical mode).
  2. Test the CD media (optional).
  3. Click Next on the Welcome to Fedora Core screen.
  4. Choose language (e.g. English) on the Language Selection screen.
  5. On the Keyboard Configuration screen choose keyboard, e.g. United Kingdom.
  6. On Upgrade/Install Examine screen choose Install Fedora Core.
  7. On the Installation Type screen choose Server.
  8. According to your needs and system settings, choose automatic or manual configuration for the Disk Partitioning Setup screen. Then follow the instructions accordingly, e.g. for the Disk Setup and Boot Loader Configuration screens.
  9. Enter the appropriate settings for the Network Configuration screen. If you do not have a DHCP server, enter the hostname, etc. manually.
  10. On the Firewall Configuration screen, select Enable firewall and choose SSH and Web Server services. You may want to disable SELinux by selecting this option in the drop down menu.
  11. Set the correct time zone in the Time Zone Selection screen.
  12. Set the root password in Set Root Password screen.
  13. The machine will reboot at the end of the installation.

After the installation from CD is complete, we recommend updating the system with the latest patches. This may be done using the yum command (this may take some time):

# yum update

This completes the installation of the operating system.

Installing the Software Pre-requisites

Having installed the operating system, the following lists the pre-requisites which must be installed if the GRIA war is to function correctly. It is important to install any dependencies which may also be required by these software pre-requisites:

  • Sun Java JDK v1.5.0 or higher
  • Jakarta Tomcat v5.5.x
  • Apache HTTP server v2.0 (an optional package to provide secure access)
    • httpd-2.0.xx.x
  • Perl v5.6 or higher (only required for the GRIA Basic Application Services package)
  • A sample, test application: ImageMagick (only required for the GRIA Basic Application Services package)
  • An Internet browser, e.g. Mozilla Firefox (which may be installed on a different machine)
  • Optional utility packages:
    • zip and unzip
    • tar, etc.

If you have followed the installation instructions above then your system already has Apache and Perl installed. The Fedora Core 4 distribution CDs include RPM packages for Tomcat and for GNU Java. However, to use GRIA you must install Sun Java. Unfortunately, it is very difficult to configure the pre-packaged Tomcat to use Sun Java, so Tomcat must also be manually installed by following the instructions below.

First, download the Java binary JDK selecting the "Linux self-extracting file" (e.g. jdk-1_5_0_05-linux-i586.bin) and Tomcat packages and place them into /tmp directory on the Fedora Core 4 machine. You may find it easiest to do this by downloading the packages to your desktop machine and copying them to the server. Finally, log in to the server machine as the root user ready to install the software.

Install Java

In order to install Java in the /opt directory the following must be done (adjusting the version number to your particular package):

  1. Move to /opt:
    # cd /opt
  2. Unpack the binary from the temporary directory:
    # sh /tmp/jdk-1_5_x_xx-linux-i586.bin
  3. Create a symbolic link within this directory:
    # ln -s jdk1.5.x_xx java

Install Tomcat

The following must be done in order to install Tomcat successfully (adjusting the version number to your particular package):

  1. Tomcat will be installed under the /opt directory, therefore move to this directory with:
    # cd /opt
  2. Unpack the Tomcat tarball from the temporary directory:
    # tar xvfz /tmp/apache-tomcat-5.5.20.tar.gz
  3. Create a symbolic link for Tomcat
    # ln -s apache-tomcat-5.5.20 tomcat
  4. Tomcat will be most secure if it is not run by root, therefore create a user for the tomcat server to run as e.g. "tomcat" with the user's home directory set to /opt/tomcat:
    # useradd -d /opt/tomcat tomcat
  5. Alter the ownership of the directory to the tomcat user created above (-H makes chown follow the tomcat symbolic link given on the command line):
    # chown -HR tomcat:tomcat tomcat
  6. Configure tomcat to use Sun Java by editing /opt/tomcat/bin/catalina.sh. Open the file (e.g. in vi) and add the line JAVA_HOME=/opt/java to the top of the file after the file header, e.g.:
    # system class path used to start Tomcat.
    #
    # CATALINA_PID (Optional) Path of the file which should contains the pid
    # of catalina startup java process, when start (fork) is used
    #
    # $Id: fc4-pre.htm 3715 2006-04-10 14:01:19Z ajw $
    # -----------------------------------------------------------------------------

    JAVA_HOME=/opt/java

    # OS specific support. $var _must_ be set to either true or false.
    cygwin=false

Install Sample Application

The GRIA Basic Application Services package uses demo applications which require the ImageMagick package. You may already have ImageMagick installed. To test for it, log in as root and type:

# rpm -qi ImageMagick

If you see "package ImageMagick is not installed" then the package must be installed, either from the CDs or by using yum:

# yum install ImageMagick

Setting the System Clock

In order to provide some synchronisation between the clocks on machines that the various GRIA packages are installed on, it is recommended to run an NTP client service that will synchronise your system with an Internet time server. Fedora comes with an NTP package which is installed by default in the server installation. To see if NTP is installed, log in as root and type:

# rpm -qi ntp

If you see "package ntp is not installed" then install NTP either from the CDs or by using yum:

# yum install ntp

The NTP daemon must be configured using the file /etc/ntp.conf. If you are using DHCP then your DHCP server may automatically configure this file. Further instructions regarding NTP are beyond the scope of this manual.

Configuring the Firewall

The deployed GRIA war (or webapp) should be hosted behind a firewall to ensure that your server can only be accessed on certain ports. You should consult with your systems administrator to determine if you need to run a firewall on the GRIA server machine. If so, configure the firewall as follows:

  1. As root, run:
    # system-config-securitylevel
  2. Enable firewall and continue with Customize (use the TAB key to move fields and the SPACEBAR key to select)
  3. Do not select any "Trusted Devices", e.g. eth0
  4. Allow incoming connections for "SSH", "WWW (HTTP)" and "Secure WWW (HTTPS)"
  5. In the "Other ports" box type: "8080:tcp" to temporarily enable insecure access to Tomcat
  6. Finish firewall configuration by selecting "OK"
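
Port 8080 is opened only temporarily in step 5, so it is worth checking afterwards that it has been closed again. The following added example (not part of the GRIA manual) lists the TCP ports accepted by a saved rule set and reports any that are not on an allow-list. It assumes the rules are stored in iptables-save format with numeric ports, as in /etc/sysconfig/iptables on Fedora; the function names and sample rules are constructed.

```shell
#!/bin/sh
# Added example (not from the GRIA manual): find TCP ports left open in a
# saved iptables rule set. Function names and the sample rules are constructed.

# Print each port (or range, as written) accepted by a "-p tcp ... -j ACCEPT"
# rule. Handles --dport N and multiport --dports A,B,C:D.
open_tcp_ports() {
    awk '
    $1 == "-A" {
        proto = ""; target = ""; n = 0
        for (i = 2; i < NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "-j") target = $(i + 1)
            if ($i == "--dport" || $i == "--dports") n = split($(i + 1), ports, ",")
        }
        if (proto == "tcp" && target == "ACCEPT")
            for (k = 1; k <= n; k++) if (!seen[ports[k]]++) print ports[k]
    }' "$1"
}

# Succeed if port $2 is covered by any single port or range in file $1.
port_is_open() {
    open_tcp_ports "$1" | awk -v want="$2" -F: '
        { lo = $1; hi = (NF > 1 ? $2 : $1) }
        want + 0 >= lo + 0 && want + 0 <= hi + 0 { found = 1 }
        END { exit !found }'
}

# Print open ports from file $1 that are not in the allow-list ($2, $3, ...).
unexpected_open_ports() {
    rules_file=$1; shift
    open_tcp_ports "$rules_file" | while read -r port; do
        case " $* " in
            *" $port "*) ;;
            *) echo "$port" ;;
        esac
    done
}

# --- demo on constructed rules in the style of a Fedora firewall file ---
RULES=$(mktemp) || exit 1
trap 'rm -f "$RULES"' EXIT
cat > "$RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

echo "Open TCP ports:"; open_tcp_ports "$RULES"
echo "Not on the allow-list (22 80 443):"; unexpected_open_ports "$RULES" 22 80 443
if port_is_open "$RULES" 8080; then
    echo "8080 is still open: remove it from Other ports once setup is finished"
fi
```

On a server, run `unexpected_open_ports /etc/sysconfig/iptables 22 80 443` as root after the GRIA setup is complete.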

Configuring SELinux

SELinux is an option during the installation process. It provides better security than standard Linux installations. If you are not sure whether SELinux is installed, then type (as root):

# setsebool

If you get "Command not found" then SELinux is not installed and no configuration is necessary. Otherwise, if you chose to install SELinux then it must be configured to let the Apache web server communicate with the Tomcat web server. To do this, enter the following command as root:

# setsebool -P httpd_can_network_connect=1
May need to set another bool to enable httpd to communicate with the terminal (needed for cert handling)

Setting Up Tomcat Users

In order to deploy the war file, the Tomcat Manager for application deployment will be used. The Tomcat manager functions are disabled by default.

To enable Tomcat administration and management we must add roles and a tomcat user to the tomcat-users.xml file.
  1. Open the $CATALINA_HOME/conf/tomcat-users.xml file with a suitable editor and add these elements after the last 'role' element:
    <role rolename="manager"/>
    <role rolename="admin"/>

  2. Add this line after the last 'user' element, replacing TOMCAT_PASSWORD with an appropriate password:
    <user username="tomcat" password="TOMCAT_PASSWORD" roles="admin,manager"/>
  3. Save the file

Starting Services

There are two services that need to be started: Tomcat and NTP. NTP is easily managed by the system and may be started with this command:

# service ntpd start

As mentioned above, Tomcat should not be run as root, therefore first switch from being the root user to the tomcat user and then start tomcat:

# su tomcat
$ cd /opt/tomcat/bin
$ ./startup.sh

It is useful to have the NTP daemon start automatically when the server is rebooted. This can be done by typing the following as the root user:

# chkconfig ntpd on

2.2.3. Fedora Core 5

Preparing Fedora Core 5

Installing the Fedora Core 5 Operating System

If you feel confident in installing the server installation of Fedora Core 5, you may skip this section, but make sure to install the pre-requisites and complete the initial configuration, otherwise the GRIA war will fail to function correctly.

N.B. There are several ways to install and configure Fedora, so you are advised to consult your system manager and set up the system according to your needs. The following notes describe a simple way to install and configure a headless Fedora system for GRIA war.

Having satisfied the above, the installation process is as follows:

Note: The following describes how to install FC5 using a network installation and booting the system with an FC5 boot.iso CD.

  1. Boot the system with the FC5 boot.iso CD and press Enter on the Welcome to Fedora Core screen.
  2. Choose language (e.g. English) on the Language Selection screen.
  3. On the Keyboard Configuration screen choose keyboard, e.g. United Kingdom.
  4. Choose the installation method, e.g. in our case select HTTP.
  5. Enter the appropriate settings for the Network Configuration screen. If you do not have a DHCP server, enter the hostname, etc. manually.
  6. In the HTTP Setup section, you need to provide the HTTP server and the Fedora Core 5 path, e.g. www.mirrorservice.org, sites/download.fedora.redhat.com/pub/fedora/linux/core/5/i386/os. You might have to find a suitable mirror service to speed up installation.
  7. According to your needs and system settings, choose automatic or manual configuration for the Disk Partitioning Setup screen. Then follow the instructions accordingly, e.g. for the Disk Setup and Boot Loader Configuration screens.
  8. Follow the installation screens in order to complete the system installation.
  9. The machine will reboot at the end of the installation. After rebooting it will prompt to configure some of its basic services.

Initial system Configuration

When the system reboots, it will prompt you to configure its basic services, such as the firewall, SELinux and system users, to complete the installation.

Click yes on the license agreement and go into the Firewall configuration.

Firewall Configuration

In this section ensure that the Firewall setting is enabled and check the following predefined ports: WWW and Secure WWW. Additionally, you need to add the following ports: 8080 and 8443.

Click on other ports (section to expand) and use the add button to add new ports, type 8080 for the port number and select the protocol type as tcp. Repeat the same steps to add port 8443.

Click next and say yes to overwrite system settings.

You can always change your Firewall settings later, using the following command as root:

# system-config-securitylevel

SELinux Configuration

Leave the default SELinux setting at Enforcing, then under Modify SELinux Policy expand the HTTP Service Section and click on Allow HTTPD scripts and modules to connect to the network.

Date and Time

Click next to the Date and Time section. Choose the Network Time Protocol tab and click on the Enable Network Time Protocol button.

Configure the remaining sections according to your needs.

After the installation is complete, we recommend updating the system with the latest patches. This may be done using the yum command (this may take some time):

# yum update

This completes the installation of the operating system.

Installing the Software Pre-requisites

Having installed the operating system, the following lists the pre-requisites which must be installed if the GRIA war is to function correctly. It is important to install any dependencies which may also be required by these software pre-requisites:

  • Sun Java JDK v1.5.0 or higher
  • Jakarta Tomcat v5.5.x
  • Apache HTTP server v2.0 (an optional package to provide secure access)
    • httpd-2.0.xx.x
  • Perl v5.6 or higher (only required for the GRIA Basic Application Services package)
  • A sample, test application: ImageMagick (only required for the GRIA Basic Application Services package)
  • An Internet browser, e.g. Mozilla Firefox (which may be installed on a different machine)
  • Optional utility packages:
    • zip and unzip
    • tar, etc.

If you have followed the installation instructions above then your system already has Apache and Perl installed. The Fedora Core 5 distribution includes RPM packages for Tomcat and for GNU Java. However, to use GRIA you must install Sun Java. Unfortunately, it is very difficult to configure the pre-packaged Tomcat to use Sun Java, so Tomcat must also be manually installed by following the instructions below.

First, download the Java binary JDK selecting the "Linux self-extracting file" (e.g. jdk-1_5_0_05-linux-i586.bin) and Tomcat packages and place them into /tmp directory on the Fedora Core 5 machine. You may find it easiest to do this by downloading the packages to your desktop machine and copying them to the server. Finally, log in to the server machine as the root user ready to install the software.

Install Java

In order to install Java the following must be done (adjusting the version number to your particular package):

  1. Move to /opt:
    # cd /opt
  2. Unpack the binary from the temporary directory:
    # sh /tmp/jdk-1_5_x_xx-linux-i586.bin
  3. Create a symbolic link within this directory:
    # ln -s /usr/java/jdk1.5.x_xx java

Install Tomcat

The following must be done in order to install Tomcat successfully (adjusting the version number to your particular package):

  1. Tomcat will be installed under the /opt directory, therefore move to this directory with:
    # cd /opt
  2. Unpack the Tomcat tarball from the temporary directory:
    # tar xvfz /tmp/apache-tomcat-5.5.20.tar.gz
  3. Create a symbolic link for Tomcat
    # ln -s apache-tomcat-5.5.20 tomcat
  4. Tomcat will be most secure if it is not run by root, therefore create a user for the tomcat server to run as e.g. "tomcat" with the user's home directory set to /opt/tomcat:
    # useradd -d /opt/tomcat tomcat
  5. Alter the ownership of the directory to the tomcat user created above:
    # chown -HR tomcat:tomcat tomcat
  6. Configure tomcat to use Sun Java by editing /opt/tomcat/bin/catalina.sh. Open the file (e.g. in vi) and add the line JAVA_HOME=/opt/java to the top of the file after the file header, e.g.:
    # system class path used to start Tomcat.
    #
    # CATALINA_PID (Optional) Path of the file which should contains the pid
    # of catalina startup java process, when start (fork) is used
    #
    # $Id: fc4-pre.htm 3715 2006-04-10 14:01:19Z ajw $
    # -----------------------------------------------------------------------------

    JAVA_HOME=/opt/java

    # OS specific support. $var _must_ be set to either true or false.
    cygwin=false

Install Sample Application

The GRIA Basic Application Services package uses demo applications which require the ImageMagick package. You may already have ImageMagick installed. To test for it, log in as root and type:

# rpm -qi ImageMagick

If you see "package ImageMagick is not installed" then the package must be installed, either from the CDs or by using yum:

# yum install ImageMagick

Setting Up Tomcat Users

In order to deploy the war file, the Tomcat Manager for application deployment will be used. The Tomcat manager functions are disabled by default.

To enable Tomcat administration and management we must add a user with appropriate roles to the tomcat-users.xml file. Do this by adding the line:

<user username="tomcat" password="TOMCAT_PASSWORD" roles="admin,manager"/>
replacing TOMCAT_PASSWORD with a suitable password.
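
The password in this entry is stored in tomcat-users.xml exactly as typed, and the account holds both the admin and manager roles, so the file is worth auditing after the edit. The following added example (not part of the GRIA manual) reports accounts that still carry the TOMCAT_PASSWORD placeholder, accounts with admin or manager roles, and whether the file is readable by all local users. It assumes each user element sits on one line, as in the line above; the function names and the sample file are constructed.

```shell
#!/bin/sh
# Added example (not from the GRIA manual): audit tomcat-users.xml after the
# edit above. Function names and the sample file are constructed.

# Print one finding per line:
#   PLACEHOLDER <user>          password is empty or still TOMCAT_PASSWORD
#   PRIVILEGED <user> <roles>   account holds the admin or manager role
audit_tomcat_users() {
    awk '
    function attr(s, name,   re) {          # value of name="..." in s, or ""
        re = "[ \t]" name "=\"[^\"]*\""
        if (!match(s, re)) return ""
        return substr(s, RSTART + length(name) + 3, RLENGTH - length(name) - 4)
    }
    function strip_comments(s,   out, i) {  # drop <!-- ... -->, also across lines
        out = ""
        while (s != "") {
            if (in_comment) {
                i = index(s, "-->"); if (!i) return out
                s = substr(s, i + 3); in_comment = 0
            } else {
                i = index(s, "<!--"); if (!i) return out s
                out = out substr(s, 1, i - 1); s = substr(s, i + 4); in_comment = 1
            }
        }
        return out
    }
    {
        line = strip_comments($0)
        if (line !~ /<user[ \t]/) next
        user = attr(line, "username")
        pass = attr(line, "password")
        roles = attr(line, "roles"); gsub(/[ \t]/, "", roles)
        if (pass == "" || pass == "TOMCAT_PASSWORD") print "PLACEHOLDER " user
        if (("," roles ",") ~ /,(admin|manager),/) print "PRIVILEGED " user " " roles
    }' "$1"
}

# Succeed if users other than the owner and group can read the file.
is_world_readable() {
    [ -n "$(find "$1" -prune -perm -004 -print)" ]
}

# --- demo on a constructed tomcat-users.xml ---
SAMPLE=$(mktemp) || exit 1
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <!-- <user username="old" password="x" roles="manager"/> -->
  <user username="role1" password="Constructed-Pw-1" roles="role1"/>
  <user username="tomcat" password="TOMCAT_PASSWORD" roles="admin,manager"/>
</tomcat-users>
EOF
chmod 644 "$SAMPLE"

audit_tomcat_users "$SAMPLE"
if is_world_readable "$SAMPLE"; then
    echo "WORLD_READABLE $SAMPLE (restrict it to the tomcat account with chmod 600)"
fi
```

On a server installed as described, point both functions at /opt/tomcat/conf/tomcat-users.xml.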

Starting Services

As mentioned above, Tomcat should not be run as root, therefore first switch from being the root user to the tomcat user and then start tomcat:

# su tomcat
$ cd /opt/tomcat/bin
$ ./startup.sh

2.3. SuSE

Preparing SuSE

2.3.1. SuSE 9.2

Preparing SuSE 9.2

Introduction

This page explains how to install and configure all SuSE 9.2 pre-requisites, configure a firewall and set-up Tomcat for deployment of a GRIA war.

Software Pre-requisites

This page describes the pre-requisites for the SuSE 9.2 Professional operating system, all of which can be installed using the YaST2 systems configuration tool. They are as follows:

  • The Java SDK v1.5.0 (5.0) or higher
    • java-1_5_0-sun
    • java-1_5_0-sun-devel
  • Jakarta Tomcat 5
    • tomcat5
    • tomcat5-admin-webapps
    • tomcat5-webapps
  • Apache Server v2.0 (an optional package to provide secure access)
    • apache2
    • apache2-prefork
    • mod_jk-ap20
  • A web browser, such as Firefox (can be installed on a different machine)
    • MozillaFirefox
  • A sample application (only required for the GRIA Basic Application Services package)
    • ImageMagick

In order to provide some synchronisation between the clocks on machines that the various GRIA packages are installed on, it is recommended to run an NTP client service that will synchronise your system with an Internet time server. Having installed the Linux base platform, configure the Network Services to use an NTP server. For SuSE 9.2 this is done as follows:

  1. Run YaST2 and select 'Network Services'
  2. From here, choose 'NTP Client' and select an NTP server, setting it to start on boot up. If you don't have an NTP server available on your local network then select a public one e.g. a.ntp.alphazed.net in Great Britain.

Having configured the machine to use NTP, the system should then be restarted to ensure the changes made during the installation of the above pre-requisites are applied.

This completes the installation of the pre-requisites under SuSE 9.2 Professional.

Configuring the Firewall

The deployed GRIA war (or webapp) should be hosted behind a firewall to ensure that your server can only be accessed on certain ports. You should consult with your systems administrator to determine if you need to run a firewall on the machine hosting the GRIA webapp. If so, configure the firewall as follows:

  1. Run YaST2 (as root).
  2. Click on Security and Users.
  3. Click on Firewall.
  4. Select interface settings appropriate for your network. In most cases, you can set the External Interface to any. The Internal Interface can be left as (none).
  5. On the next page, ensure that only HTTP with SSL (https) is selected. If you require SSH access to the machine then select Secure Shell (ssh).
  6. On the next page, you can leave the default settings for the Firewall Features.
  7. Click on Finish to put the settings into effect.

Set-up Tomcat Users

In order to deploy the war file, the Tomcat Manager for application deployment will be used. The Tomcat manager functions are disabled by default.

To enable Tomcat administration and management we must add a role and a tomcat user to the tomcat-users.xml file.

  1. Open the $CATALINA_HOME/conf/tomcat-users.xml file with a suitable editor and add these elements after the last 'role' element:
    <role rolename="manager"/>
    <role rolename="admin"/>
  2. Add this line after the last 'user' element, replacing TOMCAT_PASSWORD with an appropriate password:
    <user username="tomcat" password="TOMCAT_PASSWORD" roles="admin,manager"/>
  3. Save the file

Start Tomcat

Having installed and configured the pre-requisites, the next step is to start Tomcat. The following commands assume that the pre-packaged version of Tomcat has been installed with SuSE.

To start Tomcat:

$ su
# rctomcat5 start

To stop Tomcat:

$ su
# rctomcat5 stop

To restart Tomcat:

$ su
# rctomcat5 restart

To get the status of Tomcat:

$ su
# rctomcat5 status

Test it with your browser by pointing to your machine URL, i.e. http://<host IP>:8080. You should be able to access your Tomcat server home page.

2.3.2. SuSE 9.3 - 10.2

Preparing SuSE 9.3 - 10.2

Introduction

This page explains how to install and configure all pre-requisites for SuSE 9.3 - 10.1, configure a firewall on the GRIA server machine and set-up Tomcat for deployment of a GRIA war.

Software Prerequisites

This page describes how the prerequisites for SuSE can be installed using the YaST2 systems configuration tool. They are as follows:

  • The Java SDK v1.5.0 (5.0) or higher
    • java-1_5_0-sun
    • java-1_5_0-sun-devel
  • Jakarta Tomcat 5
  • Apache Server v2.0 (an optional package to provide secure access)
    • apache2
    • apache2-prefork
    • mod_jk-ap20
  • A web browser, such as Firefox (can be installed on a different machine)
    • MozillaFirefox
  • A sample application (only required for the GRIA Basic Application Services package)
    • ImageMagick

You can use either Tomcat or Apache to provide secure access. If you are unsure then choose Tomcat as it is easier to set up.

In order to provide some synchronisation between the clocks on machines that the various GRIA packages are installed on, it is recommended that you run an NTP client that will synchronise your system with an Internet time server. Having installed the Linux base platform, configure the Network Services to use an NTP server. This is done as follows:

  1. Run YaST2 and select 'Network Services'
  2. From here, choose 'NTP Client' (or 'NTP Configuration') and select an NTP server, setting it to start on boot up. If you don't have an NTP server available on your local network then select a public one e.g. a.ntp.alphazed.net in Great Britain.

Having configured the machine to use NTP, the system should then be restarted to ensure the changes made during the installation of the above pre-requisites are applied.

This completes the installation of the GRIA software prerequisites.

Configuring the Firewall

The deployed GRIA war (or webapp) should be hosted behind a firewall to ensure that your server can only be accessed on certain ports. You should consult with your systems administrator to determine if you need to run a firewall on the machine hosting the GRIA webapp. If so, configure the firewall as follows:

  1. Run YaST2 (as root).
  2. Click on Security and Users.
  3. Click on Firewall.
  4. Select Interfaces from the menu and set interfaces appropriate to your network. You may need to discuss this with your systems administrator.
  5. Select Allowed Services from the menu, then:
    • add a HTTPS server.
    • add a HTTP server.
    • Use the Advanced button to add TCP port 8080. If you intend to use Tomcat for secure access then also add port 8443.
    • if you require Secure Shell access then also add SSH.
  6. Click on Next and then Accept to finalise the settings.
  7. Start the firewall.

Set-up Tomcat Users

In order to deploy the war file, the Tomcat Manager for application deployment will be used. The Tomcat manager functions are disabled by default.

To enable Tomcat administration and management we must add a role and a tomcat user to the tomcat-users.xml file.

  1. Open the $CATALINA_HOME/conf/tomcat-users.xml file with a suitable editor and add these elements after the last 'role' element:
    <role rolename="manager"/>
    <role rolename="admin"/>
  2. Add this line after the last 'user' element, replacing ADMIN_PASSWORD with an appropriate password:
    <user username="admin" password="ADMIN_PASSWORD" roles="admin,manager"/>
  3. Save the file

Start Tomcat

Having installed and configured the pre-requisites, the next step is to start Tomcat. The following commands assume that the pre-packaged version of Tomcat has been installed with SuSE.


To start Tomcat:

$ su
# rctomcat5 start

To stop Tomcat:

$ su
# rctomcat5 stop

To restart Tomcat:

$ su
# rctomcat5 restart

To get the status of Tomcat:

$ su
# rctomcat5 status

Test it with your browser by pointing to your machine URL ( http://<host IP>:8080). You should be able to access your Tomcat server home page.

2.3.3. Running YaST2

Using the YaST 2 configuration tool

The main systems configuration tool for SuSE is called YaST. This may be launched in the following ways:

Using graphical display (KDE)

Simply click the SuSE icon at the bottom left of your graphical display, to bring up the System menu, then select the YaST icon.

Command line (with graphical display)

Log onto your machine as root, open a window then type the following command:

# yast2

Command line (non-graphical display)

Log onto your machine as root, open a window then type the following command:

# yast

2.4. Installing GRIA on Ubuntu/Debian

This document describes how to install GRIA on Ubuntu 6.06.1 (dapper) server. The installation procedure should be very similar for Ubuntu desktop and Debian systems too.

In order to install Java and Tomcat in your system you need to configure your sources.list to include universe and multiverse repositories.

As root, edit /etc/apt/sources.list to include universe and multiverse repositories, e.g. sudo vi /etc/apt/sources.list. Then make sure your sources.list includes a line similar to the following:

deb http://[xx].archive.ubuntu.com/ubuntu dapper main restricted universe multiverse

where xx is a country code, e.g. gb, us, de, etc. For Debian systems add non-free at the end of your current entry, e.g.

deb http://ftp.uk.debian.org/debian/ etch main non-free

Then update the system repository e.g. sudo apt-get update

Installing Java

Run the following command to install sun-java5-jdk packages: sudo apt-get install sun-java5-jdk

The system will prompt you to accept the JDK license; reply yes. You can test the installed java version in your system by executing the following command:

$ java -version
java version "1.5.0_06"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_06-b05)
Java HotSpot(TM) Client VM (build 1.5.0_06-b05, mixed mode, sharing)

Installing tomcat5

Run the following command to install tomcat5.5 packages:

$ sudo apt-get install tomcat5.5 tomcat5.5-admin tomcat5.5-webapps

Edit /etc/default/tomcat5 to:

  • define JAVA_HOME, e.g.
    JAVA_HOME=/usr/lib/jvm/java-1.5.0-sun
  • replace line TOMCAT_SECURITY=yes with the following:
    TOMCAT_SECURITY=no

Edit /var/lib/tomcat5/conf/tomcat-users.xml file to add a manager role, e.g.

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
...
<role rolename="manager"/>
<user username="manager" password="xxxxxx" roles="manager"/>
...
</tomcat-users>
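The tomcat-users.xml steps in the Fedora, SuSE and Ubuntu sections all grant the manager and admin roles to an account whose password is a placeholder in the sample line. The following audit script is an added example, not part of the GRIA distribution; the 12-character minimum and the sample file contents are assumptions made for illustration.

```python
import os
import stat
import sys
import xml.etree.ElementTree as ET

# Placeholder passwords that appear in this manual's sample lines.
PLACEHOLDERS = {"TOMCAT_PASSWORD", "ADMIN_PASSWORD", "GRIA_PASSWORD", "xxxxxx"}
# Roles the manual grants so that the Manager and Admin webapps can be used.
PRIVILEGED_ROLES = {"manager", "admin"}
MIN_LENGTH = 12  # assumption: local password policy, not a Tomcat or GRIA rule

# Constructed sample input, not taken from a real server.
SAMPLE = b"""<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <role username="manager" password="xxxxxx" roles="manager"/>
  <user username="tomcat" password="TOMCAT_PASSWORD" roles="admin,manager"/>
  <user username="admin" password="admin" roles="admin,manager"/>
  <user username="deployer" password="short1" roles="manager"/>
  <user username="ops" password="k7#Vw2!qLm9zRt" roles="admin,manager"/>
  <user username="guest" password="guest" roles="viewer"/>
</tomcat-users>
"""


def audit_users(xml_bytes):
    """Return a list of (account, problem) pairs for privileged accounts."""
    root = ET.fromstring(xml_bytes)
    findings = []

    # A credential typed onto a <role> element instead of a <user> element.
    for role in root.iter("role"):
        if role.get("username") is not None or role.get("password") is not None:
            findings.append((role.get("username", "?"),
                             "credentials on a <role> element; expected <user>"))

    for user in root.iter("user"):
        name = user.get("username", "?")
        password = user.get("password", "")
        roles = {r.strip() for r in user.get("roles", "").split(",")}
        if not roles & PRIVILEGED_ROLES:
            continue  # only accounts that can deploy or administer matter here
        if password in PLACEHOLDERS:
            findings.append((name, "placeholder password left unchanged"))
        elif password.lower() == name.lower():
            findings.append((name, "password equals username"))
        elif len(password) < MIN_LENGTH:
            findings.append((name, "password shorter than %d characters" % MIN_LENGTH))
    return findings


def mode_problems(path):
    """The sample lines store passwords in clear text, so the file should be
    readable only by the account Tomcat runs as."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    if mode & stat.S_IROTH:
        problems.append("%s is world-readable (mode %o)" % (path, mode))
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("%s is writable by group or others (mode %o)" % (path, mode))
    return problems


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as handle:
            data = handle.read()
        for problem in mode_problems(sys.argv[1]):
            print("FILE  %s" % problem)
    else:
        data = SAMPLE  # no path given: audit the constructed sample
    for account, problem in audit_users(data):
        print("USER  %-10s %s" % (account, problem))
```

Run it with the path to tomcat-users.xml as the only argument; with no argument it audits the constructed sample.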

At this point refer to the GRIA documentation e.g. GRIA user guide, Deploying the Services to Tomcat.

NOTE: the default port of the tomcat server page is on 8180 NOT 8080, e.g. http://<servername>:8180


Setting the system clock

In order to provide some synchronisation between the clocks on machines that the various GRIA packages are installed on, it is recommended that you run an NTP client service that will synchronise your system with an Internet time server. On Debian and Ubuntu systems, this can be done using the ntpdate or ntp packages.

If the time difference between the client and server clocks is greater than a few minutes, messages may be rejected.

3. Upgrading

Upgrading an existing installation to a newer version

In general, upgrading is supported only within the same major version of the services. For example, you can upgrade from version 5.0 to 5.1, but not from 3.1 to 5.0 (for which you will have to do a full new installation).

Upgrading can be done via the Tomcat Web Application Manager using the following procedure:

  1. Start up Tomcat and select "Tomcat Manager" from the Administration menu.
  2. Locate the package from the Applications sections.
  3. Select undeploy from the Commands column.
  4. On Windows XP (only) you should now stop and then restart tomcat.
  5. Scroll down to the WAR file to deploy subsection, within the Deploy section. Beside the "Select WAR file to upload" box, click the browse icon and select the WAR file from the unpacked distribution.
  6. Click the Deploy button. An OK message at the top of the page indicates that the WAR has been successfully deployed to Tomcat.

Having successfully deployed the war file, you can invoke it by just clicking on the link in the Applications section.

After deploying a new version and returning to the administration page in your browser, the system will lead you through any remaining upgrade tasks:

  1. You will be asked to select a configuration directory. To upgrade ensure that you select the configuration directory used in the previous installation.
  2. You will be asked to restart tomcat.
  3. You may be informed that your access control policies are out-of-date. Go to the access control page and undeploy the highlighted policies.
    [Figure: Upgrading access control policies]

    When you return to the main administration page, the new default policies will be installed. If you have modified any policies then you will need to merge your changes into the new version.

4. Deploying the services to Tomcat

Deploying the war file containing the services into the Tomcat container.

Deployment of the war file is based on the standard procedure which should already be familiar to Tomcat users. If, however, this is not the case then this section can be used as a guide on how to deploy and invoke the web application. The home directory of Tomcat is denoted by <TOMCAT_HOME>.

The next steps require the use of a web browser to complete the war file deployment.

  1. Using a web browser, load the main Tomcat server page (e.g. http://<servername>:8080) and select the "Tomcat Manager" link.

    N.B. "<servername>" should be replaced with the IP address or fully qualified hostname of the computer running the Tomcat server.

    You will be prompted for a username and password before the manager page is displayed. Use "admin" as the username and enter the password that was selected either by using the Tomcat installer (WinXP) or by editing the <TOMCAT_HOME>/conf/tomcat-users.xml (Linux).

  2. The page which loads once login has been successful presents the following sections:
    • Manager - lists the command controls and help functions
    • Applications - lists the applications currently deployed within Tomcat
    • Deploy - options for deploying applications to Tomcat
    • Server Information - lists specific information on Tomcat and the base platform it was installed to

    Scroll down to the WAR file to deploy subsection, within the Deploy section. Beside the "Select WAR file to upload" box, click the browse icon and select the war file, before clicking the "Deploy" button.

  3. An "OK" message at the top of the page indicates that the war has been successfully deployed to Tomcat.

The new webapp should now also be listed within the Applications section. Note here in the last column is where individual applications may be started, stopped, reloaded or if desired undeployed completely from within Tomcat.

This completes the first part of the installation and deployment of the GRIA services.

Having successfully deployed the war file, you can invoke it by just clicking on the webapp's name in the Applications section.

If you get an error page with a message related to the JAVA_HOME environment variable, then this probably means that the Java compiler isn't working. The usual cause of this is trying to run tomcat immediately after installing Java. You must log out and log in again to ensure the JAVA_HOME environment variable is set to the correct location. If you click on the Admin link in the top menu when having this problem you will also get a 401 Not Authorized error without being prompted to log in (check for errors in the catalina.out log file).

5. Service Administration

Describing how to navigate the web portal and perform the initial general configuration.

The Service Administration Page

The GRIA main administration page gives access to the administration pages of the individual services within the same .war file as well as providing configuration, status reporting and logging control for all services.

You can find the administration page by clicking on the web application's link in the Tomcat manager and then clicking on the "Admin" link in the navigation bar at the top of the web application.

Initial Configuration

When first accessed, the services will be greyed out and the system will lead you to provide the required general configuration information, which is:

  • The location of a configuration directory in which to store the service configuration. This is not stored inside the webapp so that it will not be lost when upgrading.
  • A keystore containing the service's private key. This allows clients to check that they are really using the service they think they are.
  • A location for the database files. GRIA uses hibernate, which allows it to be configured to use a range of database backends. However, the default is to store everything locally in a few files, which saves the need to configure a separate database server.
  • The endpoint address for the service. The default offered should be used in most cases. When users create a new resource, this is the address that the service will tell them to use to access it. If your service is fronted by Apache on another machine, for example, you should give the address of the machine running Apache here.

The Navigation Menu

The navigation menu along the top of the window provides access to various useful pages:

Main
Return to the public page.
Admin
The main administration page.
Check Axis
Check that required libraries are available for the underlying Axis system.
View logs
View the service log file and edit the logging configuration.
Access control
View the resources and resource types managed by the access control system.
List of services
View the list of services and their operations and WSDL interfaces.
Atom feed
Subscribe to this feed to get notifications of issues or problems with the services.
Send support request
If you have problems or suggestions, please send us a support request.

Service Status Feeds

Each service reports its current status and other important information. Each item is displayed on the main page under the service reporting it. You can also get this information from the Atom feed. This is useful if you have many services to administer, since you can get your news aggregator to subscribe to each one and check them for you.

After the general configuration is done, each service will report that it requires configuration too. Click on any item for more information.

6. Configuring Transport Layer Security

How to configure Tomcat and Apache to use TLS (HTTPS)

6.1. Introduction

What is transport layer security and how to configure it

Transport layer security (TLS) is the term used for encrypting the packets of information sent between the server and the client (and client and server).  It is also used to allow one side to verify the identity of the other party.  In a normal installation it is only the client who verifies the server's identity so that the client is sure that they are communicating with the service they intended to.

In a simple installation, a GRIA service is installed in Tomcat and Tomcat is configured to use TLS.  For extra flexibility and robustness many people want to use the Apache web server as a front end and pass requests on to Tomcat behind.  In this scenario Apache handles the encryption at the transport layer, but will pass requests on to Tomcat for processing.

6.2. Tomcat

General instructions for configuring HTTPS in Tomcat

For full details, see http://tomcat.apache.org/tomcat-5.0-doc/ssl-howto.html.

Edit your Tomcat's conf/server.xml and add the following section (or uncomment and edit the existing one):

<Connector port="8443"
keystoreFile="/your/location/here/service-keystore.ks"
keystorePass="your_keystore_password"
keystoreType="JKS"
minProcessors="5" maxProcessors="75" enableLookups="true" disableUploadTimeout="true" acceptCount="100" debug="0" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"/>

Then restart Tomcat.

6.3. Apache

How to configure Apache to use HTTPS

6.3.1. Exporting Certificates From Tomcat

How to export the certificates from Tomcat's keystore for use in securing Apache

Java stores keys and certificates in a keystore file, whose format is Java-specific. Apache also needs access to the same items, but cannot read the Java keystore format. Therefore, the key and the certificates must be exported to separate files. It is simplest to store the exported files in the configuration directory along with the keystore.

You should have already created a keystore during the configuration of your service. Begin by opening service-keystore.ks in KeyToolGUI (available for download here).

Exporting certificates

To export the server's certificate:

  1. Right click on the server's key (NOT the Certificate Authority's certificate!).
  2. Choose Export from the menu.
  3. Select Head Certificate and PEM Encoded when exporting.
  4. Save with a .crt extension (eg, as server.crt in your configuration directory).

To export the Certificate Authority's own certificate:

  1. Right click on the Certificate Authority's certificate.
  2. Choose Export from the menu.
  3. Select Head Certificate and PEM Encoded when exporting.
  4. Save with a .crt extension (eg: CA.crt).

Exporting the private key

  1. Right click on the server's key.
  2. Choose Export from the menu.
  3. Select Private Key and Certificates and PKCS #12 and click OK.
  4. Enter the keystore password when prompted (use the same password for the exported key).
  5. Save with a .p12 extension (eg: private-key.p12).
  6. Convert from PKCS#12 format to PEM:
    $ openssl pkcs12 -in private-key.p12 -out private-key.pem -nodes

Once you have the three files (server.crt, CA.crt and private-key.pem) and the crl.pem file (which should be obtained from your Certificate Authority), you are ready to continue with the instructions specific to your Apache version and operating system.
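The -nodes option in the conversion step writes the private key to private-key.pem without a passphrase, so file permissions are its only protection on disk. The following check is an added example, not part of GRIA or KeyToolGUI; the sample PEM text is constructed and its base64 bodies are dummy data.

```python
import os
import re
import stat
import sys

# Matches one PEM block and captures its label and body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

# Constructed sample shaped like the output of the pkcs12 conversion step;
# the base64 bodies are dummy text, not real key material.
SAMPLE_PEM = """Bag Attributes
    friendlyName: server
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIENFUlRJRklDQVRF
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: server
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQgU0FNUExFIEtFWSBCT0RZ
-----END PRIVATE KEY-----
"""


def pem_blocks(text):
    """Return (label, encrypted) for every PEM block found in text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        # PKCS#8 marks encryption in the label, the older format in a header.
        encrypted = (label == "ENCRYPTED PRIVATE KEY"
                     or "Proc-Type: 4,ENCRYPTED" in body)
        blocks.append((label, encrypted))
    return blocks


def key_file_findings(path):
    """Describe how exposed the private key in an exported PEM file is."""
    with open(path, "r", errors="replace") as handle:
        blocks = pem_blocks(handle.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    keys = [(label, enc) for label, enc in blocks if label.endswith("PRIVATE KEY")]
    certs = [label for label, _ in blocks if label == "CERTIFICATE"]

    findings = []
    if not keys:
        findings.append("no private key block found")
    for label, encrypted in keys:
        if not encrypted:
            findings.append("%s is unencrypted; file permissions are its only protection" % label)
    if keys and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %o lets group or others access the key; use 600" % mode)
    if keys and certs:
        findings.append("%d certificate(s) stored alongside the key" % len(certs))
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_key_file.py /path/to/private-key.pem")
    for finding in key_file_findings(sys.argv[1]):
        print(finding)
```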

6.3.2. Firewalls

How to configure firewalls for Apache

Ensure that your GRIA server firewall allows access to the Apache HTTPS port. For more information, see the section "Configure the Firewall" in the GRIA installation documentation relevant to your package and operating system.

Tomcat's own port (8080) should not be accessible from anywhere except for the machine running Apache. Make sure that it is firewalled by attempting to connect to it from another machine.
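The connection test described above can be scripted and run from a machine other than the Apache host. This is an added example, not a GRIA tool; checking the AJP port 8009 (the port worker1 uses) as well as 8080 goes beyond the text and is an assumption of this example, as are the function and policy names.

```python
import errno
import socket
import sys

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"

# Expected reachability from a machine other than the Apache host.
# 443 and 8080 come from this manual; 8009 (AJP) is added on the same
# reasoning and is an assumption of this example.
APACHE_FRONTED_POLICY = {443: True, 8080: False, 8009: False}


def probe(host, port, timeout=3.0):
    """Attempt one TCP connection and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return OPEN
    except ConnectionRefusedError:
        return CLOSED  # reset received: no listener, or a firewall that rejects
    except (socket.timeout, TimeoutError):
        return FILTERED  # no answer at all: packets are being dropped
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return FILTERED
        raise


def audit(host, policy, probe_fn=probe):
    """Compare observed port states with the policy; one dict per port."""
    results = []
    for port in sorted(policy):
        expected = policy[port]
        state = probe_fn(host, port)
        result = {"port": port, "state": state,
                  "ok": (state == OPEN) == expected, "note": ""}
        if not expected and state == CLOSED:
            # A refusal also occurs when the service is simply stopped.
            result["note"] = ("refused: may mean nothing is listening; "
                              "repeat while Tomcat is running")
        results.append(result)
    return results


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_exposure.py <gria-server>  (run from another machine)")
    failed = False
    for r in audit(sys.argv[1], APACHE_FRONTED_POLICY):
        verdict = "ok" if r["ok"] else "UNEXPECTED"
        print("%5d  %-8s  %-10s  %s" % (r["port"], r["state"], verdict, r["note"]))
        failed = failed or not r["ok"]
    sys.exit(1 if failed else 0)
```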


6.3.3. Apache 2

How to configure Apache 2 to use HTTPS

6.3.3.1. Debian 3.x and Ubuntu 6.xx

This section describes how to configure Apache 2.0 for Debian and Ubuntu systems to provide transport layer security for GRIA services.

Firstly install the necessary apache2 packages, e.g. $ sudo apt-get install apache2 libapache2-mod-jk.

Prepare certificate entries for Apache:

Download the sample gria-services.conf file and edit it accordingly, e.g. provide valid entries for the following settings, pointing them at the files you prepared on the previous page:

  • SSLCertificateFile
  • SSLCertificateKeyFile
  • SSLCACertificateFile
  • SSLCARevocationFile

Note: do not uncomment any of the ProxyPass lines!

Copy gria-services.conf into /etc/apache2/sites-available.

Edit /etc/apache2/ports.conf, and add the line:

Listen 443

Now you need to enable the new 'site' with the Apache2 enable-site utility, and the SSL and JK2 modules:

  • a2ensite gria-services.conf
  • a2enmod ssl
  • a2enmod jk

NOTE: you may be prompted to reload apache for each of these steps, e.g.

/etc/init.d/apache2 reload

Configure apache to forward all HTTPS requests to tomcat:

To configure Apache to use mod_jk, edit /etc/apache2/mods-available/jk.load to include the following:

LoadModule jk_module /usr/lib/apache2/modules/mod_jk.so
# Where to find workers.properties
JkWorkersFile /etc/apache2/workers.properties
# Where to put jk logs
JkLogFile /var/log/apache2/mod_jk.log
# Set the jk log level [debug/error/info]
JkLogLevel info
# Select the log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
# JkOptions indicate to send SSL KEY SIZE,
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
# JkRequestLogFormat set the request format
JkRequestLogFormat "%w %V %T"
# Send everything for the GRIA contexts to worker named worker1 (ajp13)
JkMount /gria-basic-app-services worker1
JkMount /gria-basic-app-services/* worker1
JkMount /gria-client-mgt worker1
JkMount /gria-client-mgt/* worker1
JkMount /gria-service-provider-mgt worker1
JkMount /gria-service-provider-mgt/* worker1

To complete the configuration you need to create a workers.properties file in /etc/apache2 with the following contents:

# Define 1 real worker using ajp13
worker.list=worker1
# Set properties for worker1 (ajp13)
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=8009
worker.worker1.lbfactor=50
worker.worker1.cachesize=10
worker.worker1.cache_timeout=600
worker.worker1.socket_keepalive=1
worker.worker1.recycle_timeout=300

Restart Apache

You can now access the GRIA admin pages through HTTPS, e.g. https://localhost/gria-basic-app-services

6.3.3.2. Fedora

How to configure Apache on Fedora to use HTTPS

6.3.3.2.1. Fedora Core 3 and 4

How to configure Apache to use HTTPS on Fedora Core 3 and 4

Apache2 RPM Packages

Make sure the following packages are installed:

  • httpd-manual-2.0.52-3
  • httpd-suexec-2.0.52-3
  • system-config-httpd-1.3.1-1
  • httpd-2.0.52-3
  • mod_ssl-2.0.52-3

e.g. check installed packages using:

# rpm -qa | grep "httpd\|mod_ssl"

Connecting Tomcat with Apache

Install the Apache mod_jk Module

The mod_jk package comes with the Fedora Core 4 operating system. To install it, log in as root and execute this command:

# yum install mod_jk

For Fedora Core 3, the mod_jk module may be obtained from the jpackage site. The required package is called "mod_jk-ap20". The easiest way to download and install the package is to execute the following commands as root:

# cd /tmp
# wget http://mirrors.dotsrc.org/jpackage/1.6/fedora-3/RPMS.free/mod_jk-ap20-1.2.8-1jpp.i386.rpm
# rpm --import http://www.jpackage.org/jpackage.asc
# yum localinstall mod_jk-ap20-1.2.8-1jpp.i386.rpm

wget downloads the file from the primary jpackage mirror site. The rpm command installs the jpackage public key for package verification, and the yum command performs the installation.

Configuring Apache to use mod_jk

To cause Apache to load and use mod_jk, you must create a file in /etc/httpd/conf.d. The file should be called jk.conf and should be similar, if not identical, to this:

# Load mod_jk module
LoadModule    jk_module  /etc/httpd/modules/mod_jk.so
# Where to find workers.properties
JkWorkersFile /etc/httpd/conf/workers.properties
# Where to put jk logs
JkLogFile     /var/log/httpd/mod_jk.log
# Set the jk log level [debug/error/info]
JkLogLevel    info
# Select the log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
# JkOptions indicate to send SSL KEY SIZE, 
JkOptions     +ForwardKeySize +ForwardURICompat -ForwardDirectories
# JkRequestLogFormat set the request format 
JkRequestLogFormat     "%w %V %T"
# Send everything for the GRIA contexts to worker named worker1 (ajp13)
JkMount /gria-basic-app-services worker1 
JkMount /gria-basic-app-services/* worker1
JkMount /gria-client-mgt worker1 
JkMount /gria-client-mgt/* worker1
JkMount /gria-service-provider-mgt worker1
JkMount /gria-service-provider-mgt/* worker1

As well as configuring the mod_jk module, this also instructs Apache to pass on requests for GRIA to "worker1".

Configuring the Tomcat Worker

To complete the configuration, another file must be created. This is the workers.properties file referenced in the last section. Create the file /etc/httpd/conf/workers.properties with the following contents:

# Define 1 real worker using ajp13
worker.list=worker1
# Set properties for worker1 (ajp13)
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=8009
worker.worker1.lbfactor=50
worker.worker1.cachesize=10
worker.worker1.cache_timeout=600
worker.worker1.socket_keepalive=1
worker.worker1.recycle_timeout=300

This configuration instructs "worker1" to pass on requests to port 8009 using the ajp13 protocol. The default Tomcat installation will already be listening for this sort of communication and, as a result, requests for the GRIA web application will be passed on to Tomcat.

Securing Apache

Add gria-services.conf File in conf.d

Download the gria-services.conf sample file and place it in /etc/httpd/conf.d.

Edit gria-services.conf so that the file locations of the following settings give the locations of the files you exported from your keystore in the previous page.

  • SSLCertificateFile
  • SSLCertificateKeyFile
  • SSLCACertificateFile
  • SSLCARevocationFile

In addition, replace apache2 by httpd in the ErrorLog and TransferLog lines, i.e.

     ...
     ErrorLog /var/log/httpd/grid-error.log
     ...
     TransferLog /var/log/httpd/grid-access.log
     ...

Edit /etc/httpd/conf.d/ssl.conf

Edit /etc/httpd/conf.d/ssl.conf to contain the following directives only

LoadModule ssl_module modules/mod_ssl.so
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

Start Apache

Start Apache using the command below. Entering this command may also prompt you for the private key password if it was encrypted:

# service httpd restart

You may also want to configure your system to start Apache if it is rebooted:

# chkconfig httpd on

N.B. Apache will not be able to start automatically if your server's private key is encrypted, as it cannot start without the password being entered.

You can now access the GRIA admin pages through HTTPS, e.g. https://localhost/GRIA.

6.3.3.2.2. Fedora Core 5

How to configure Apache to use HTTPS on Fedora Core 5

Apache2.2 RPM Packages

Make sure the following packages are installed:

  • system-config-httpd-1.3.3-1
  • httpd-2.2.0-5.1.2
  • mod_ssl-2.2.0-5.1.2

e.g. check installed packages using:

# rpm -qa | grep "httpd\|mod_ssl"

Connecting and Securing Tomcat with Apache

There is no need to install extra Apache modules since Apache 2.2 in Fedora Core 5 includes module mod_proxy_ajp.

<VirtualHost *.:443> section

Edit the <VirtualHost *.:443> section of /etc/httpd/conf.d/ssl.conf so that you can specify the locations of the files you exported from your keystore in the previous section.

  • SSLCertificateFile
  • SSLCertificateKeyFile
  • SSLCACertificateFile
  • SSLCARevocationFile (if you have one)

For example:
SSLCertificateFile /etc/gria/server.crt
SSLCertificateKeyFile  /etc/gria/private-key.pem
SSLCACertificateFile /etc/gria/CA.crt
SSLCARevocationFile /etc/gria/crl.pem

Also uncomment and set the SSLVerifyDepth to 1:

SSLVerifyDepth 1

According to the GRIA package(s) you are installing, also add the appropriate line(s) below

ProxyPass /gria-basic-app-services ajp://localhost:8009/gria-basic-app-services
ProxyPass /gria-client-mgt ajp://localhost:8009/gria-client-mgt
ProxyPass /gria-service-provider-mgt ajp://localhost:8009/gria-service-provider-mgt

Start Apache

Start Apache using the command below. Entering this command may also prompt you for the private key password if it was encrypted:

# service httpd restart

You may also want to configure your system to start Apache if it is rebooted:

# chkconfig httpd on

N.B. Apache will not be able to start automatically if your server's private key is encrypted, as it cannot start without the password being entered.

You can now access the GRIA admin pages through HTTPS, e.g. https://localhost/GRIA.

6.3.3.3. SUSE 9.2-10

Configuring Apache2 for HTTPS in SUSE versions 9.2-10

The goal here is to successfully secure Tomcat with Apache by integrating Tomcat's abilities into an existing Apache installation using the mod_jk and Ajp13Connector.

  1. Download the gria-services.conf sample file and place it in /etc/apache2/vhosts.d
  2. Edit gria-services.conf so that the following settings give the locations of the files you exported from your keystore on the previous page.
    • SSLCertificateFile
    • SSLCertificateKeyFile
    • SSLCACertificateFile
    • SSLCARevocationFile
  3. Edit the /etc/sysconfig/apache2 file and do the following:
    • Add "-D SSL" to the APACHE_SERVER_FLAGS variable so that SSL is enabled when the Apache server is started:
      APACHE_SERVER_FLAGS="-D SSL"
    • Set a reasonable value for the time required to enter the password when starting apache:
      APACHE_START_TIMEOUT="30"
    • Add the module "jk" to the list of apache2 modules in the APACHE_MODULES variable, e.g.:
      APACHE_MODULES="access actions alias auth auth_dbm dir env expires include log_config mime negotiation setenvif ssl jk"
  4. Copy the file /usr/share/doc/packages/mod_jk-ap20/jk.conf to /etc/apache2/conf.d:
    # cp /usr/share/doc/packages/mod_jk-ap20/jk.conf /etc/apache2/conf.d
  5. Copy the file /usr/share/doc/packages/mod_jk-ap20/workers.properties to /etc/tomcat5/base:
    # cp /usr/share/doc/packages/mod_jk-ap20/workers.properties /etc/tomcat5/base
  6. The apache2 configuration must then be updated using the following command:
    # SuSEconfig --module apache2
  7. Stop the Tomcat server with the following command:
    # rctomcat5 stop
  8. Edit the file /etc/apache2/conf.d/jk.conf and add the following pieces of code to the file within the <IfModule> tag:
    • For GRIA Basic App Services add the following section:
      # The following line mounts /GRIA basic app services/ uri (and all files) to tomcat
      JkMount /gria-basic-app-services/* ajp13
      Alias /gria-basic-app-services "/srv/www/tomcat5/base/webapps/gria-basic-app-services"
      <Directory "/srv/www/tomcat5/base/webapps/gria-basic-app-services">
      Options Indexes FollowSymLinks
      allow from all
      </Directory>
      #To prevent users from listing contents
      <Location "/gria-basic-app-services/WEB-INF/">
      AllowOverride None
      deny from all
      </Location>
    • For GRIA Service Provider Management add the following section:
      # The following line mounts /GRIA service provider management / uri (and all files) to tomcat
      JkMount /gria-service-provider-mgt/* ajp13
      Alias /gria-service-provider-mgt "/srv/www/tomcat5/base/webapps/gria-service-provider-mgt"
      <Directory "/srv/www/tomcat5/base/webapps/gria-service-provider-mgt">
      Options Indexes FollowSymLinks
      allow from all
      </Directory>
      #To prevent users from listing contents
      <Location "/gria-service-provider-mgt/WEB-INF/">
      AllowOverride None
      deny from all
      </Location>
    • For GRIA Client Management add the following section:
      # The following line mounts /GRIA client management / uri (and all files) to tomcat
      JkMount /gria-client-mgt/* ajp13
      Alias /gria-client-mgt "/srv/www/tomcat5/base/webapps/gria-client-mgt"
      <Directory "/srv/www/tomcat5/base/webapps/gria-client-mgt">
      Options Indexes FollowSymLinks
      allow from all
      </Directory>
      #To prevent users from listing contents
      <Location "/gria-client-mgt/WEB-INF/">
      AllowOverride None
      deny from all
      </Location>
  9. Start the Tomcat server with the command:
    # rctomcat5 start
  10. Restart the apache2 server with the following command:
    # rcapache2 restart
  11. Access the GRIA admin pages through HTTPS, e.g. using https://localhost/gria-basic-app-services.
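
A check for step 8, as an added example that is not part of the GRIA documentation: it reads a jk.conf and reports every JkMount context that lacks a matching <Location ".../WEB-INF/"> section containing "deny from all". The function name audit_webinf and the finding label are hypothetical.

```shell
#!/bin/sh
# Added example (not GRIA code): verify that every context mounted in jk.conf
# also has the WEB-INF deny block that step 8 asks for.

# Prints "WEB-INF_UNPROTECTED <context>" for each JkMount context without a
# <Location "<context>/WEB-INF/"> section containing "deny from all".
# Returns 0 when every mounted context is covered, 1 otherwise.
audit_webinf() {  # usage: audit_webinf JK_CONF
    findings=$(awk '
        tolower($1) == "jkmount" {            # JkMount /ctx/* ajp13
            ctx = $2; sub(/\/\*$/, "", ctx); mounted[ctx] = 1
        }
        tolower($1) == "<location" {          # <Location "/ctx/WEB-INF/">
            loc = $2; gsub(/[">]/, "", loc)
        }
        tolower($1) == "</location>" { loc = "" }
        loc != "" && tolower($1 " " $2 " " $3) == "deny from all" { denied[loc] = 1 }
        END {
            for (c in mounted) {
                key = c "/WEB-INF/"
                if (!(key in denied)) print "WEB-INF_UNPROTECTED " c
            }
        }' "$1" | sort)
    if [ -n "$findings" ]; then
        echo "$findings"
        return 1
    fi
    return 0
}

# Stand-alone use: sh audit_webinf.sh /etc/apache2/conf.d/jk.conf
if [ "$#" -eq 1 ]; then
    audit_webinf "$1" && echo "OK: every mounted context denies WEB-INF"
fi
```

Run it after editing jk.conf and before restarting apache2 in step 10.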

6.3.4. Apache 2.2

Configuring HTTPS for Apache 2.2

6.3.4.1. Debian 4.x and Ubuntu 7.xx

This section describes how to configure Apache 2.2 for Debian/Ubuntu systems to provide transport layer security for GRIA services.

Install Apache 2.2

Install Apache 2.2 by running the command sudo apt-get install apache2. This command will also try to install the following packages:

  • apache2-mpm-worker
  • apache2-utils
  • apache2.2-common

Apache2.2 Configuration

Edit the default apache configuration as follows:

  1. Enable the ssl and proxy_ajp modules by running:
    $ sudo a2enmod ssl
    $ sudo a2enmod proxy_ajp
  2. Copy the sample gria-services.conf file into /etc/apache2/sites-available, and edit it accordingly, i.e. provide the locations of the certificate files previously created using the following parameters:

    • SSLCertificateFile
    • SSLCertificateKeyFile
    • SSLCACertificateFile
    • SSLCARevocationFile (if you have one)

    In addition, depending on the GRIA packages you are installing, uncomment one or more of the following lines:

    #ProxyPass /gria-basic-app-services ajp://localhost:8009/gria-basic-app-services
    #ProxyPass /gria-client-mgt ajp://localhost:8009/gria-client-mgt
    #ProxyPass /gria-service-provider-mgt ajp://localhost:8009/gria-service-provider-mgt

    Save the changes.

  3. Enable the gria-services.conf virtual host:
    $ sudo a2ensite gria-services.conf
  4. Edit the /etc/apache2/ports.conf file to include the following line:
    Listen 443
  5. Edit the /etc/apache2/mods-enabled/proxy.conf file and comment out the line:
    Deny from all
  6. Restart Apache:
    $ sudo /etc/init.d/apache2 force-reload
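
A pre-restart audit of the settings edited above (the SSL file locations and ProxyPass lines in gria-services.conf or the Fedora ssl.conf, and proxy.conf after step 5), as an added example that is not part of the GRIA documentation. The function names and finding labels are hypothetical, and the private key permission check is an added assumption rather than a GRIA requirement.

```shell
#!/bin/sh
# Added example (not GRIA code): audit the Apache settings this guide edits.
# Each audit_* function prints one finding per line and returns non-zero on findings.

# Print the first argument of every active (uncommented) DIRECTIVE line in FILE.
directive_values() {  # usage: directive_values DIRECTIVE FILE
    awk -v d="$1" 'tolower($1) == tolower(d) { gsub(/"/, "", $2); print $2 }' "$2"
}

# Each certificate/key setting must name a readable file; the private key must
# carry no group/other permission bits (an added check, not a GRIA requirement).
audit_ssl_files() {  # usage: audit_ssl_files VHOST_CONF
    rc=0
    for d in SSLCertificateFile SSLCertificateKeyFile SSLCACertificateFile; do
        path=$(directive_values "$d" "$1" | head -n 1)
        if [ -z "$path" ]; then echo "MISSING $d"; rc=1
        elif [ ! -r "$path" ]; then echo "UNREADABLE $d $path"; rc=1
        elif [ "$d" = SSLCertificateKeyFile ] &&
             [ "$(ls -Lld "$path" | cut -c5-10)" != "------" ]; then
            echo "KEY_EXPOSED $path"; rc=1
        fi
    done
    return "$rc"
}

# Active ProxyPass lines must target an AJP connector on the loopback
# interface, as the guide's ajp://localhost:8009/... lines do.
audit_proxypass() {  # usage: audit_proxypass VHOST_CONF
    awk 'tolower($1) == "proxypass" &&
         $3 !~ /^ajp:\/\/(localhost|127\.0\.0\.1)(:[0-9]+)?(\/|$)/ {
             print "NON_LOCAL_BACKEND " $2 " -> " $3; bad = 1 }
         END { exit bad + 0 }' "$1"
}

# Once "Deny from all" is commented out of proxy.conf, ProxyRequests must not
# be On, or Apache would also serve as a forward proxy for any client.
audit_forward_proxy() {  # usage: audit_forward_proxy PROXY_CONF
    awk 'tolower($1) == "proxyrequests" && tolower($2) == "on" {
             print "FORWARD_PROXY_ENABLED line " NR; bad = 1 }
         END { exit bad + 0 }' "$1"
}

# Stand-alone use: sh audit_apache.sh VHOST_CONF PROXY_CONF
if [ "$#" -eq 2 ]; then
    audit_ssl_files "$1"; a=$?
    audit_proxypass "$1"; b=$?
    audit_forward_proxy "$2"; c=$?
    [ $((a + b + c)) -eq 0 ] && echo "OK: no findings"
fi
```

On Debian/Ubuntu, pass /etc/apache2/sites-available/gria-services.conf and /etc/apache2/mods-enabled/proxy.conf as the two arguments.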
