How to install rt3with kx509
============================
Add the following to the machine's lcfg:
!profile.components mADD(mysql)
!profile.version_mysql mSET(1)
!boot.services mADD(lcfg_mysql lcfg_apache)
!profile.packages mADD(lcfg-mysql-*-*)
!apache.config mSET(conf/httpd.conf.rt)
mysql.datadir /var/lib/mysql
mysql.socket /var/lib/mysql/mysql.sock
mysql.user rt
mysql.serverbase /var/lib
/*mysql.logfile /var/log/mysqld.log*/
!auth.extrapasswd mADD(rt)
auth.pwent_rt rt:*:979:0:Request Tracker PseudoUser:/rthome:/bin/bash
!auth.extragroup mADD(rt)
!auth.grpent_rt mSET(rt:*:979:)
!auth.extrapasswd mADD(wwwrun)
!auth.pwent_wwwrun mSET(wwwrun:x:28072:0:Request Tracker WWW PseudoUser:/:/bin/bash)
!auth.extragroup mADD(wwwgroup)
!auth.grpent_wwwgroup mSET(wwwgroup:*:28072:)
!boot.services mREPLACE(lcfg_kerberos, lcfg_kerberos lcfg_x509)
!boot.run mADD(lcfg_x509)
x509.keys rt
x509.service_rt hamble.inf.ed.ac.uk
x509.certfile_rt /etc/httpd/rt.crt
x509.keyfile_rt /etc/httpd/rt.key
x509.chainfile_rt /etc/httpd/rt.chain
!profile.packages mADD( +dice-kx509-cert-*-* +mod_authssl-*-* )
!profile.packages mADD(perl-Devel-StackTrace-1.04-1)
!profile.packages mADD(perl-Text-Reform-1.11-2)
!profile.packages mADD(perl-Class-Data-Inheritable-0.02-1)
!profile.packages mADD(perl-Error-0.15-1)
!profile.packages mADD(perl-IPC-ShareLite-0.09-1)
!profile.packages mEXTRA(+perl-libwww-perl-5.76-1:fd)
!profile.packages mADD(perl-Class-Container-0.10-1)
!profile.packages mADD(perl-HTTP-GHTTP-1.07-1)
!profile.packages mADD(perl-NTLM-1.02-1)
!profile.packages mADD(perl-Apache-DBI-0.93-1)
!profile.packages mADD(perl-Apache-Session-1.54-1)
!profile.packages mADD(perl-Cache-Cache-1.02-1)
!profile.packages mADD(perl-Class-ReturnValue-0.52-1)
!profile.packages mEXTRA(+perl-DBI-1.40-1:fd)
!profile.packages mADD(perl-DBIx-SearchBuilder-0.96-1)
!profile.packages mADD(perl-Digest-MD5-2.33-1.inf.1)
!profile.packages mADD(perl-Errno-1.09-1.inf.1)
!profile.packages mADD(perl-Exception-Class-1.16-1)
!profile.packages mADD(perl-FreezeThaw-0.43-1)
!profile.packages mADD(perl-HTML-Format-2.03-1)
!profile.packages mADD(perl-HTML-Mason-1.25-1:fd)
!profile.packages mADD(perl-HTML-Tree-3.18-1)
!profile.packages mADD(perl-Locale-Maketext-1.08-1.inf.1)
!profile.packages mADD(perl-Locale-Maketext-Fuzzy-0.02-1)
!profile.packages mADD(perl-Locale-Maketext-Lexicon-0.34-1)
!profile.packages mADD(perl-MLDBM-2.01-1)
!profile.packages mADD(perl-Params-Validate-0.72-1)
!profile.packages mADD(perl-Regexp-Common-2.113-1)
!profile.packages mADD(perl-Storable-2.09-1)
!profile.packages mADD(perl-Test-Inline-0.16-1)
!profile.packages mADD(perl-Text-Autoformat-1.12-1)
!profile.packages mADD(perl-Text-Quoted-1.5-1)
!profile.packages mADD(perl-Text-Template-1.44-1)
!profile.packages mADD(perl-Text-Wrapper-1.000-1)
!profile.packages mADD(perl-WWW-Mechanize-0.72-1)
!profile.packages mADD(perl-libapreq-1.3-1)
!profile.packages mADD(perl-Module-Build-0.23-1)
!profile.packages mADD(perl-Log-Dispatch-2.10-1)
!profile.packages mADD(perl-Mail-Sendmail-0.79-1)
!profile.packages mADD(perl-Mail-Sender-0.8.10-1:fd)
!profile.packages mADD(perl-MIME-tools-5.411-1)
!profile.packages mADD(perl-IO-stringy-2.109-1)
!profile.packages mADD(perl-MIME-Lite-3.01-1)
!profile.packages mADD(perl-Encode-compat-0.06-1)
!profile.packages mADD(rt-3.0.8-inf.1:fd)
After running om updaterpms, run:
chown -Rf rt /var/lib/mysql
mkdir /rthome
chown rt /rthome
Then you need to start mysql:
om mysql start
Then set up the rt database:
chmod 744 rt-setup-database
./rt-setup-database --action init --dba root --prompt-for-dba-password
(The password can be found in /var/lib/mysql)
Then you need to create the kx509 keys:
om x509 configure
om x509 run
Check that the keys have been created in the location specified in the lcfg profile.
In the example below, keys are created for the user rt on hamble.
They are created in /etc/httpd.
x509.keys rt
x509.service_rt hamble.inf.ed.ac.uk
x509.certfile_rt /etc/httpd/rt.crt
x509.keyfile_rt /etc/httpd/rt.key
x509.chainfile_rt /etc/httpd/rt.chain
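One way to do that check is to read the x509.* resources back out of the profile and confirm that every file they name is present, non-empty, and (for the private key) not readable by group or other. The following is an added example, not code from this how-to or from the lcfg x509 component: the resource syntax is taken from the profile lines above, the permission rule is this example's own assumption, and the sample run works on a constructed staging tree rather than the real /etc/httpd.

```python
# Added example (not part of the original how-to, nor of the lcfg x509
# component): read the x509.* resources from the profile and check that the
# files they name exist, are non-empty, and that the private key is not
# readable by group or other.  The resource syntax is taken from the profile
# shown above; the permission rule is this example's own assumption.
import os
import re
import stat
import tempfile

# Constructed copy of the x509 resource lines from the profile above.
LCFG_X509 = """
x509.keys rt
x509.service_rt hamble.inf.ed.ac.uk
x509.certfile_rt /etc/httpd/rt.crt
x509.keyfile_rt /etc/httpd/rt.key
x509.chainfile_rt /etc/httpd/rt.chain
"""

# "x509.<name>[_<key>] <value>", with an optional leading "!".  Mutator lines
# such as mSET(...) are not handled; the profile above does not use them here.
RESOURCE_RE = re.compile(r"^!?x509\.(\w+?)(?:_(\w+))?\s+(\S.*)$")


def parse_x509_resources(text):
    """Map each name listed in x509.keys to its service/certfile/keyfile/chainfile."""
    names = []
    per_key = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("/*"):  # skip blanks and /* comments */
            continue
        m = RESOURCE_RE.match(line)
        if not m:
            continue
        resource, key, value = m.groups()
        if resource == "keys" and key is None:
            names = value.split()
        elif key is not None:
            per_key.setdefault(key, {})[resource] = value.strip()
    return {name: per_key.get(name, {}) for name in names}


def check_files(resources, root=""):
    """Return a list of problems; an empty list means every check passed.
    root is prefixed to each path so the check can run against a staging tree."""
    problems = []
    for keyname, res in resources.items():
        for kind in ("certfile", "keyfile", "chainfile"):
            path = res.get(kind)
            if path is None:
                problems.append(f"{keyname}: no {kind} resource in profile")
                continue
            full = root + path
            if not os.path.isfile(full):
                problems.append(f"{keyname}: {kind} {path} missing")
                continue
            if os.path.getsize(full) == 0:
                problems.append(f"{keyname}: {kind} {path} is empty")
            if kind == "keyfile":
                mode = stat.S_IMODE(os.stat(full).st_mode)
                if mode & (stat.S_IRWXG | stat.S_IRWXO):
                    problems.append(f"{keyname}: keyfile {path} mode {mode:04o} "
                                    "is group/other accessible")
    return problems


def demo():
    """Constructed staging tree: first with a 0600 key, then after loosening it."""
    root = tempfile.mkdtemp()
    os.makedirs(root + "/etc/httpd")
    for name, mode in (("rt.crt", 0o644), ("rt.key", 0o600), ("rt.chain", 0o644)):
        with open(root + "/etc/httpd/" + name, "w") as fh:
            fh.write("-----BEGIN PLACEHOLDER-----\n")  # constructed, not real PEM
        os.chmod(root + "/etc/httpd/" + name, mode)
    res = parse_x509_resources(LCFG_X509)
    before = check_files(res, root)          # expected: []
    os.chmod(root + "/etc/httpd/rt.key", 0o644)
    after = check_files(res, root)           # expected: one keyfile mode problem
    return before, after


if __name__ == "__main__":
    print(demo())
```

Run it with no arguments to see the constructed demonstration; to check the real host, call check_files(parse_x509_resources(profile_text)) with root left empty.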
Then you need to start apache:
om apache start
Note that it uses /etc/httpd/conf/httpd.conf.rt, as set by apache.config above.
The main bits of interest in the httpd configuration file are:
ErrorLog /tmp/error_log
TransferLog /tmp/access_log
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLMutex file:/tmp/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLLog /tmp/ssl_engine_log
SSLLogLevel error
ServerName rt3.inf.ed.ac.uk
SSLCertificateFile /etc/httpd/rt.crt
SSLCertificateKeyFile /etc/httpd/rt.key
SSLCertificateChainFile /etc/httpd/rt.chain
SSLCACertificateFile /etc/httpd/kx509.crt
SSLEngine on
SSLVerifyClient optional
SSLVerifyDepth 3
SSLOptions +StdEnvVars
SSLSessionCache shm:/tmp/ssl_scache(512000)
SSLSessionCacheTimeout 15
ErrorDocument 403 https://errortrap/403.html
AuthName X509
AuthType Basic
AuthSSLEnable on
AuthSSLDNComponent SSL_CLIENT_S_DN_UID
AuthSSLIssuer "/C=GB/ST=Scotland/O=School of Informatics, University of Edinburgh/OU=Ephemeral Key Certification Agency/CN=kx509 CA"
AuthSSLAuthoritative on
require valid-user
allow from all
satisfy any
RewriteEngine on
RewriteRule 403.html https://authportal.inf.ed.ac.uk/login/?origin=https://%{SERVER_NAME}%{ENV:REDIRECT_AUTHSSLURI}
CustomLog /tmp/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
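The security-relevant part of that configuration is the chain of decisions mod_authssl makes from what mod_ssl exports: the handshake is allowed to complete without a certificate (SSLVerifyClient optional), a presented certificate only yields a user if its issuer is exactly the AuthSSLIssuer DN, and the username is the UID component of the subject DN; anything else falls through to the 403 handler and the RewriteRule that bounces the browser to the auth portal with the original URL as origin. The following is an added example, not code from mod_authssl, mod_ssl or this how-to: it models that decision over the SSL_CLIENT_* environment that "SSLOptions +StdEnvVars" exports, the sample environments and the username "exampleuser" are constructed, and the precise behaviour of mod_authssl on a mismatch is assumed from the directives rather than taken from the module.

```python
# Added example, not code from mod_authssl, mod_ssl or this how-to: a model of
# the authentication decision the httpd configuration above expresses.  Input
# is the environment mod_ssl exports with "SSLOptions +StdEnvVars"; the exact
# behaviour of mod_authssl on a mismatch is assumed from the directives.

# Values taken from the configuration above.
KX509_ISSUER = ("/C=GB/ST=Scotland/O=School of Informatics, University of Edinburgh"
                "/OU=Ephemeral Key Certification Agency/CN=kx509 CA")
SERVER_NAME = "rt3.inf.ed.ac.uk"
AUTHPORTAL = "https://authportal.inf.ed.ac.uk/login/?origin="


def authenticate(env, issuer=KX509_ISSUER, component="SSL_CLIENT_S_DN_UID"):
    """Return (user, reason); user is None when no identity can be trusted."""
    # SSLVerifyClient optional: the TLS handshake completes even when the
    # browser sends no certificate, so SSL_CLIENT_VERIFY must be checked first
    # (mod_ssl sets it to "NONE" when nothing was presented).
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None, "no verified client certificate"
    # AuthSSLIssuer pins the issuing CA by exact DN: verifying against the CAs
    # in SSLCACertificateFile (up to SSLVerifyDepth 3) is not enough on its own.
    if env.get("SSL_CLIENT_I_DN") != issuer:
        return None, "certificate was not issued by the kx509 CA"
    # AuthSSLDNComponent SSL_CLIENT_S_DN_UID: the username is the UID attribute
    # of the subject DN; a certificate without one yields no user.
    uid = env.get(component, "")
    if not uid:
        return None, f"{component} absent from subject DN"
    return uid, "ok"


def handle_request(env, uri):
    """Outcome for one request: ('user', uid) when authenticated, otherwise
    ('redirect', url) mirroring ErrorDocument 403 plus the RewriteRule above."""
    user, _reason = authenticate(env)
    if user is not None:
        return "user", user
    # The 403 handler's RewriteRule sends the client to the auth portal with
    # origin=https://<ServerName><original URI> so it can return after login.
    return "redirect", AUTHPORTAL + "https://" + SERVER_NAME + uri


# Constructed sample environments (not captured from a real server).
SUBJECT_BASE = "/C=GB/ST=Scotland/O=School of Informatics, University of Edinburgh"
KX509_USER_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_I_DN": KX509_ISSUER,
    "SSL_CLIENT_S_DN": SUBJECT_BASE + "/UID=exampleuser",
    "SSL_CLIENT_S_DN_UID": "exampleuser",
}
NO_CERT_ENV = {"SSL_CLIENT_VERIFY": "NONE"}
# Same subject, but issued by some other CA that verification happened to accept.
OTHER_CA_ENV = dict(KX509_USER_ENV, SSL_CLIENT_I_DN=SUBJECT_BASE + "/CN=Some Other CA")
# A certificate from the kx509 CA whose subject carries no UID attribute.
NO_UID_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_I_DN": KX509_ISSUER,
    "SSL_CLIENT_S_DN": SUBJECT_BASE + "/CN=hamble.inf.ed.ac.uk",
}

if __name__ == "__main__":
    for label, env in (("kx509 user", KX509_USER_ENV), ("no cert", NO_CERT_ENV),
                       ("other CA", OTHER_CA_ENV), ("no UID", NO_UID_ENV)):
        print(f"{label:10s} -> {handle_request(env, '/rt/')}")
```

Only the first sample yields a user; the other three all end at the auth portal redirect, which is why the AuthSSLIssuer and AuthSSLDNComponent lines matter as much as SSLCACertificateFile does.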

How to drop the database
------------------------
om apache stop
As root, mysqladmin -p drop rt

To set up the database
----------------------
./rt-setup-database --action init --dba root --prompt-for-dba-password

To dump from rt2 to rt3
-----------------------
Download the necessary scripts from the website, or find them in ~alisond/RT.
./rt-2.0-to-dumpfile (on rt2 server)
./dumpfile-to-rt-3.0 (on rt3 server)

To do a catch up
----------------
./rt-2.0-to-dumpfile since YYYY-MM-DD (on rt2 server)
and then
./dumpfile-to-rt-3.0 (on rt3 server)
... and it's as easy as that!