-------------- Comments added by users ------
Date: Mon, 29 Jan 2001 17:49:48 +0100
From: GOMEZ Henri
To: tomcat-user@jakarta.apache.org
Cc: Jan Labanowski
Subject: RE: Installation logs for Tomcat 3.2.1 and Apache 1.3.14 for RedH
at 7.0
Did you know there is build RPM for Tomcat at jakarta.apache.org ?
http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.2.1/rpms/
You may add a note in your documents.
PS: mod_jk and mo_jserv are in tomcat-mod RPM ;-)
Regards
----------------------------------------------
This is a log of my installation/Compilation of Apache DSO
with SSL, MM, and Tomcat 3.2.1 final (source distribution) under
RedHat Linux 7.0 (RH7.0), Kernel 2.2.16-22, with updates up to 2000.12.31.
This includes compilation from scratch of both Apache as well as Tomcat.
I personally usually compile stuff from scratch, since I have the NIH
(Not Invented Here) mental syndrome, and I do not like THEIR layout.
Frankly, I do not like my own layout after a while too, and change it
often. I also wrote another memo on installing binary distribution of Apache
under RedHat 7.0 and binary Tomcat. You actually need to read both.
This memo was originally writtent around Jan 13, 2001
The UNIX commands are in italic. It assumed that you will just grab them
with the mouse and paste them in your xterm...
Few terms:
Apache -- the Web Server
DSO -- Dynamic Shared Object (additional modules can be added/updated
to Apache without the need to recompile the whole thing, similar
to shared libraries, but DSO modules are not only called, but
can also call routines within Apache)
MM -- memory management or something like that - an add-on to Apache
and its modules to communicate via shared memory rather than files
(faster).
SSL -- Secure Socket Layer - the encryption and certificate package which
works with Apache
Tomcat -- the Java Server Pages (JSP) and Servlet container which uses the
Java Servlets spec 2.2, and the JSP spec 1.1.
It is still being actively developed and has some "features".
You may want to read my FAQ on Tomcat 3.1 beta 1. since it will be
easier to follow this installation log. It is available at:
http://www.ccl.net/cca/software/UNIX/apache/tomcat3.1b1-faq.html
I assume you have moderately latest GNU tools (gmake, gzip, etc...) installed
and you also have a recent version of perl installed
( http://www.cpan.org/src/index.html ). These should have come with your RH Linux
distribution.
You can also get the wget utility from
ftp://ftp.gnu.org/pub/gnu/wget/.
However, I recommend the older wget from the RH7.0 2nd CD, since it
has the man page. I describe install of the GNU wget first and then
I tell ou how to the older RH one.
You can install the latest GNU one (it is at ver 1.6 now) as:
get wget-1.6.tar.gz and move it to directory /usr/local/uploads or
the one you like the most, e.g.; /tmp.
gtar zxvf wget-1.6.tar.gz
cd wget-1.6
./configure
make
make install
and make sure it is in your PATH and INFOPATH variable (wget from GNU
has only info pages, from what I see). The wget is usually installed
in /usr/local/bin and the infopages in /usr/local/info.
I did:
PATH=/usr/local/sbin:/usr/sbin:/sbin:/bin:/usr/bin:/usr/local/bin:\
/usr/X11R6/bin:/root/bin
INFOPATH=/usr/share/info:/usr/local/info
export PATH INFOPATH
and did
install-info --info-file=/usr/local/info/wget.info --info-dir=/usr/local/info
so you can later type
info wget
and seek knowledge.
Then check by typing 'wget' alone on the command line, if it tells you
that your URL is missing, you are up and running.
The older version of wget (there is not much change) is also on your 2nd CD
in RedHat distribution. You can get it from there as:
put the 2nd CD in your CD drive
mount /mnt/cdrom
cd /mnt/cdrom/RedHat/RPMS
rpm -Uhv wget-1.5.3-10.i386.rpm
cd
and replace RedHat CD with the CD of Harmonia Mundi RUS 788032/HM 57
(Scriabin 1872-1915 and the Scrabinians) by Saison Russe, and continue
listening [BTW, are those Scriabin wax cylinders real? -- by ear, there
must be, since it is the best case of the Prelude 11/1 I have ever heard,
and I heard a lot {:-)}]).
Then you can type:
man wget
like the good old days, and learn about wget.
You also need to know what UNIX database is installed on your RH7.0 linux
system.
ls -l /usr/include/*db*
If you have
/usr/include/db1:
total 24
-rw-r--r-- 1 root root 8298 Aug 17 21:06 db.h
-rw-r--r-- 1 root root 4456 Aug 17 21:06 mpool.h
-rw-r--r-- 1 root root 2877 Aug 17 21:06 ndbm.h
you have Berkley DB installed.
If you have only:
/usr/include/gdbm:
total 16
-rw-r--r-- 1 root root 1563 Jul 13 2000 dbm.h
-rw-r--r-- 1 root root 4744 Jul 13 2000 gdbm.h
-rw-r--r-- 1 root root 2003 Jul 13 2000 ndbm.h
you only have GNU dbm installed.
You can install Berkley DB easily. Go to the RPM site,
(say: http://rufus.w3.org or http://rpmfind.net
which is the same machine). Then, go to:
--> Go directly to the RPM database --> RedHat-7.0 for i386
--> The list of RPM indexed by name -->
--> Packages beginning with letter D and take:
db1.85-4
db1-devel-1.85-4
or you can take these RPMs from the Disk 1 in RH7.0 distribution:
put disk in CD drive
mount /mnt/cdrom
cd /mnt/cdrom/RedHat/RPMS
cp cp db1-1.85-4.i386.rpm /tmp
cp db1-devel-1.85-4.i386.rpm /tmp
cd
umount /mnt/cdrom
Assuming you put the RPMs in /tmp, do:
cd /tmp
rpm -Uhv db1-devel-1.85-4.i386.rpm
rpm -Uhv db1-1.85-4.i386.rpm
(do not worry, if db1-1.85-4.i386.rpm says it is already installed, that
means that you only needed the include files from db1-devel-1.85-4.i386.rpm).
1) Be a root... Run ksh or bash or other sh, but not C-shell.
Before you install the new Apache, you have to know if you have some
other installation of Apache running. If you do, you need to decide
if you want to keep the old Apache running, or you stop it.
The problem is that Apache server by default listens to standard
Web TCP ports, and you cannot have some other Apache listen on the same
port(s). If you installed Apache as a part of RH7.0 distribution
you may consider looking at my log where I install binary Tomcat
for the binary Apache from RH7.0 distribution rather than following
this set of instructions. On the other hand, if you want to have
full control over your Apache, and the flexibility to add updates
and new modules, you may want to follow the "from scratch" install
presented here. If your old apache already "occupies" the default
Web ports, 80 -- HTTP, 443 -- HTTPS, you need to either disable the
old Apache, or to install the new Apache on some other ports, or to modify
the config file of the old Apache to make it listen to some other ports.
and restart it. Below, I will tell you how.
To learn which ports are already booked, do:
netstat -a | grep LISTEN
or
netstat -a -n | grep LISTEN
if you want to see all ports given as numbers, rather than services names.
If you get (among others):
tcp 0 0 *:www *:* LISTEN
tcp 0 0 *:https *:* LISTEN
(or, with netstat -n option:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN )
The "well known ports" for HTTP and HTTPS are booked and some web
server is running.
2) If the old server is Apache which came with RH7.0, and you want to stop
it, do:
cd /etc/rc.d/init.d
./httpd stop
chkconfig --del httpd (do not panic, you can always do:
chkconfig --add httpd
to get to start at boot again)
ps auwx | grep httpd | grep -v grep (just in case, it should not run)
and kill all processes which are reported (second column is pid) as:
kill pid1 pid2 pid2 ....
3) If you do not want to kill previous Apache, and install the
new one in such a way that their TCP ports do not conflict, just
continue on, and you will OK, since this installation uses
ports 4080 and 4443 rather than standard ports which your existing
installation is most likely using.
4) If you want to install the new Apache with the default ports (80 and 443)
and you want to change the existing Apache (I assume it is the Apache
which came with RedHat7.0 distribution) to some other ports, say
5080 (for HTTP) and 5443 (for HTTPs) you do the following:
a) stop apache:
cd /etc/rc.d/init.d
./httpd stop
b) edit file /etc/httpd/conf/httpd.conf and change ports:
cd /etc/httpd/conf
cp -p httpd.conf httpd.conf.original
emacs (or vi or whatever) httpd.conf and replace lines:
Listen 80 --> Listen 5080
Port 80 --> Port 5080
Listen 443 --> Listen 5443
<VirtualHost _default_:443> --> <VirtualHost _default_:5443>
c) restart apache and check pages
cd /etc/rc.d/init.d
./httpd start
and try if this works, i.e., try the URLs:
http://my.machine.com:5080/
https://my.machine.com:5443/
Note, that your pages will only work correctly if you were
using relative links. If at any place you have a full URL, say:
http://my.machine.com/mypage.html or http://my.machine.com/mypage.html
you need to convert it to the one which provide the port number, i.e.,
http://my.machine.com:5080/mypage.html for the HTTP, and the
https://my.machine.com:5443/mypage.html for the HTTPS. Finding such
pages may be a problem for dynamic content (e.g., CGI scripts or SSI,
or JavaScript) where the actual URL may reside in a symbolic variable.
For the static html, you may find this usefull:
find /var/www/html -type f -exec grep -l -i 'http://my.machine.com' \; print
and
find /var/www/html -type f -exec grep -l -i 'https://my.machine.com' \; print
which will list the files that contain http://my.machine.com or
https://my.machine.com string. Of course, you need to replace it
with your machine name.
5) Install Java 1.3. I did:
a) went to http://www.javasoft.com
b) clicked on Products and API on the left bar
c) clicked on Java 2 platform Standard edition J2SE
d) Java 2 SDK Standard Edition v 1.3
e) Linux Intel x86
f) GNUZIP Tar shell script, one large bundle -> [continue]
g) Yes to license [Accept]
h) j2sdk-1_3_0-linux.bin = 26,857,036 bytes -> FTP download
i) I placed the file j2sdk-1_3_0-linux.bin in:
/usr/local/uploads
j) cd /usr/local/uploads
chmod 755 j2sdk-1_3_0-linux.bin
./j2sdk-1_3_0-linux.bin
k) this produced directory: /usr/local/uploads/jdk1.3
I moved this directory :
mv /usr/local/uploads/jdk1.3 /usr/local/j2sdk-1_3_0
and then made a link:
ln -s /usr/local/j2sdk-1_3_0 /usr/local/jdk1.3
Set your environment variables for Java (I am assuming you use
some Bourne shell lookalike -- ksh or sh.
JAVA_HOME=/usr/local/jdk1.3
export JAVA_HOME
PATH=/usr/local/bin:${JAVA_HOME}/bin:${PATH}
export PATH
CLASSPATH=${JAVA_HOME}/lib/tools.jar:${JAVA_HOME}/lib/dt.jar
export CLASSPATH
6) Installed JCE 1.2.1 Java Cryptography Extension 1.2.1
Go to: http://www.javasoft.com/products/jce/
Click on: Download JCE 1.2.1 Software, policy files, and docs
This will get you: jce-1_2_1.zip
mkdir /usr/local/JCE
cd /usr/local/JCE
cp /where/u/saved/it/jce-1_2_1.zip .
unzip jce-1_2_1.zip
Then added the security provider to Java:
a) copied JCE jars to lib/ext
cp /usr/local/JCE/jce1.2.1/lib/*.jar /usr/local/jdk1.3/jre/lib/ext
CLASSPATH=${CLASSPATH}:${JAVA_HOME}/jre/lib/ext/jce1_2_1.jar
export CLASSPATH
b) edited /usr/local/jdk1.3/jre/lib/security/java.security and added
line:
security.provider.3=com.sun.crypto.provider.SunJCE
7) Installed JSSE (JavaTM Secure Socket Extension (JSSE) 1.0.1)
available from http://java.sun.com/products/jsse/
mkdir /usr/local/jsse
with a browser go to: http://java.sun.com/products/jsse/
Click on domestic distribution
Logged in, accepted, continue, answered Yes, Continue,
downloaded jsse-1_0_2-do.zip
cd /usr/local/jsse
cp /where/you/saved/it/jsse-1_0_2-do.zip .
unzip jsse-1_0_2-do.zip
I installed the JSSE as "installed extension" for jdk1.3 and
copied them to /usr/local/jdk1.3/jre/lib/ext directory
($JAVA_HOME/jre/lib/ext):
cp -p /usr/local/jsse/jsse1.0.2/lib/*jar $JAVA_HOME/jre/lib/ext
CLASSPATH=${CLASSPATH}:${JAVA_HOME}/jre/lib/ext/jcert.jar
CLASSPATH=${CLASSPATH}:${JAVA_HOME}/jre/lib/ext/jnet.jar
CLASSPATH=${CLASSPATH}:${JAVA_HOME}/jre/lib/ext/jsse.jar
export CLASSPATH
Then, I registered the provider in $JAVA_HOME/jre/lib/security/java.security
by adding a line:
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
8) Installing openssl... Even if you have the openssl and libraries already
installed, you probably have to go through this step, due to a number
of utilities and scripts which I do not see installed from original RPM.
Also openssl which come with my RH 7.0 Linux was an older version (0.9.5a).
Create directory /usr/local/openssl and retrieve latest release of openssl
mkdir /usr/local/openssl
cd /usr/local/openssl
wget http://www.openssl.org/source/openssl-0.9.6.tar.gz
Compiled the openssl [if you are in Europe, you need to
check the mod_ssl INSTALL for the no-idea option. Note: RSA released RSAREF
to public domain, so I do not have to use RSAREF library in US, and can
use the optimized library which comes with openssl:
cd /usr/local/openssl
gtar zxvf openssl-0.9.6.tar.gz
cd openssl-0.9.6
./config -fPIC shared \
--prefix=/usr/local/openssl \
--openssldir=/usr/local/openssl
make
make test
make install
cp -a /usr/local/openssl/openssl-0.9.6/lib* /usr/local/openssl/lib
9) Make top directory for Apache 1.3.14 installation. I did
/usr/local/apache_1.3.14
mkdir /usr/local/apache_1.3.14
Then set APACHE_HOME environment variable
APACHE_HOME=/usr/local/apache_1.3.14
export APACHE_HOME
I also made a subdirectory "sources" to have all needed sources in one
place:
mkdir /usr/local/apache_1.3.14/sources
cd /usr/local/apache_1.3.14/sources
Put there the tar files:
wget http://www.apache.org/dist/apache_1.3.14.tar.gz
wget http://www.modssl.org/source/mod_ssl-2.7.1-1.3.14.tar.gz
wget http://www.engelschall.com/sw/mm/mm-1.1.3.tar.gz
I also serve here some local copies of some files (those which
are not "munition" according to US export laws which are quite far
from present day reality -- people from US are going to CANADA to
develop software, put it there on anon ftp, and then "import" it to US --
another example of government protection for which we pay our taxes...)
apache_1.3.14.tar.gz
mm-1.1.3.tar.gz
10) Unpack sources to buld DSO Apache with mod_ssl and mm:
cd /usr/local/apache_1.3.14
cd sources
gtar zxvf apache_1.3.14.tar.gz
gtar zxvf mod_ssl-2.7.1-1.3.14.tar.gz
gtar zxvf mm-1.1.3.tar.gz
11) Compiled MM shared memory library
cd /usr/local/apache_1.3.14/sources/mm-1.1.3
./configure --disable-shared
make
12) Configured mod_ssl
cd /usr/local/apache_1.3.14/sources/mod_ssl-2.7.1-1.3.14
EAPI_MM=../mm-1.1.3 \
./configure \
--with-apache=/usr/local/apache_1.3.14/sources/apache_1.3.14
13) Now you need to configure, compile and install apache.
The compilation off the box will not work on RedHat 7.0.
The reason is that when RedHat changes the location of include files
the Apache guys try to adjust. But then Red Hat changes stuff again.
You need to choose between new (ndbm) and old (db or dbm) Unix Berkeley
database API and libraries (actually you can have 3 different versions
of Berkeley DB), or choose the GNU implementation (gdbm) of Berkeley DB.
The great piece describing the confusion and mess in this area is
Jan Wolter: "Unix Incompatibility Notes: DBM Hash Libraries"
http://www.wwnet.net/~janc/incnote/dbm.html.
I include local copy here.
Also you need to decide if you want to use mod_auth_db (which uses old DB
API, and the include file db.h or dbm.h) or the mod_auth_dbm (which uses
the new DB API, and include file ndbm.h). There is no much difference
between mod_auth_dbm and mod_auth_db; both are used to authenticate
users logging to your site using database approach. For many users these
modules are preffered over the mod_auth module which does Basic
Authentication with a Unix passwd type file. Of course, you can also
use other databases like mSQL, postgress, DBI. The corresponding modules
are available. Sorry, I do not want to step into it.
In any case, you will need DB or GDBM since the mod_rewrite uses it,
and you will definitely need mod_rewrite.
I present here 3 scenarios and you pick one which you like.
CHOOSE ONLY ONE!!!
a) if you do
ls -l /usr/include/db1
and it tells you that you have it you can use either mod_auth_db or
mod_auth_dbm:
aa) If you want db1 and mod_auth_db:
cd /usr/local/apache_1.3.14/sources/apache_1.3.14
SSL_BASE=/usr/local/openssl/openssl-0.9.6 \
EAPI_MM=/usr/local/apache_1.3.14/sources/mm-1.1.3 \
INCLUDES=-I/usr/include/db1 \
LIBS=-ldb1 \
./configure --prefix=/usr/local/apache_1.3.14 \
--enable-module=so \
--enable-rule=SHARED_CORE \
--enable-module=most \
--enable-shared=max \
--enable-module=ssl \
--enable-shared=ssl \
--enable-module=auth_db \
--enable-shared=auth_db \
--disable-shared=auth_dbm \
--disable-module=auth_dbm
make
ab) If you want db1 and mod_auth_dbm:
cd /usr/local/apache_1.3.14/sources/apache_1.3.14
SSL_BASE=/usr/local/openssl/openssl-0.9.6 \
EAPI_MM=/usr/local/apache_1.3.14/sources/mm-1.1.3 \
INCLUDES=-I/usr/include/db1 \
LIBS=-ldb1 \
./configure --prefix=/usr/local/apache_1.3.14 \
--enable-module=so \
--enable-rule=SHARED_CORE \
--enable-module=most \
--enable-shared=max \
--enable-module=ssl \
--enable-shared=ssl \
--disable-shared=auth_db \
--disable-module=auth_db \
--enable-module=auth_dbm \
--enable-shared=auth_dbm
make
b) you do
ls -l /usr/include/db1
and it tells you that you do not have db1, (and you do not want to
install it as described on the top of this file), so you do
ls -l /usr/include/gdbm
and it tells that you have GNU DB, and you can install mod_auth_dbm
(you probably could install the mod_auth_db, sinc GNU DB also
has the old API support, but believe me, it would be pain).
But it is painful...
cd /usr/local/apache_1.3.14/sources/apache_1.3.14/src/modules/standard
edit mod_auth_dbm.c and replace block:
#if defined(WIN32)
#include <sdbm.h>
#define dbm_open sdbm_open
#define dbm_fetch sdbm_fetch
#define dbm_close sdbm_close
#elif defined(__GLIBC__) && defined(__GLIBC_MINOR__) \
&& __GLIBC__ >= 2 && __GLIBC_MINOR__ >= 1
#include <db1/ndbm.h>
#else
#include <ndbm.h>
#endif
with:
#include <ndbm.h>
edit the mod_rewrite.h and replace block:
#if defined(__GLIBC__) && defined(__GLIBC_MINOR__) \
&& __GLIBC__ >= 2 && __GLIBC_MINOR__ >= 1
#include <db1/ndbm.h>
#else
#include <ndbm.h>
#endif
with:
#include <ndbm.h>
and finaly configure and compile apache:
cd /usr/local/apache_1.3.14/sources/apache_1.3.14
SSL_BASE=/usr/local/openssl/openssl-0.9.6 \
EAPI_MM=/usr/local/apache_1.3.14/sources/mm-1.1.3 \
INCLUDES=-I/usr/include/gdbm \
LIBS=-lgdbm \
./configure --prefix=/usr/local/apache_1.3.14 \
--enable-module=so \
--enable-rule=SHARED_CORE \
--enable-module=most \
--enable-shared=max \
--enable-module=ssl \
--enable-shared=ssl \
--enable-module=auth_dbm \
--enable-shared=auth_dbm \
--disable-shared=auth_db \
--disable-module=auth_db
make
Now you can make certificates. If you want to install self signed
certificates which you will use (read a pagefull below), do:
make certificate TYPE=custom
If you have your certificates already made and signed you can just
create dummy certificates as:
make certificate TYPE=dummy
and you will replace them later in the $APACHE_HOME/conf with the
real ones.
Then you install Apacje in the directories under $APACHE_HOME
make install
I include the log of my conversation for certificate TYPE=custom here as:
Certificate-log.txt.
One thing to remember, is to enter the fully qualified domain name of the
host on which this Apache Web server runs (in my case: server1.ccl.net)
when you are asked for info for X.509 certificate signing request
for SERVER [server.csr] at item 6. Common Name.
I then tarred my certificates/keys into a file:
cd /usr/local/apache_1.3.14/sources/apache_1.3.14/conf
tar zcvf /usr/local/apache-certificates.tgz ssl*
chmod 600 /usr/local/apache-certificates.tgz
just in case, if I lost them (these certificates were made for 5 years,
and I do not want to redo it every time I update apache). When you need
to restore the certificates, just do:
cd $APACHE_HOME/conf
tar zxvf /usr/local/apache-certificates.tgz
You can also copy them on the diskette and keep them safely. In my case:
fdformat /dev/fd0H1440
mkfs -t msdos /dev/fd0H1440
and, assuming that you have a line:
/dev/fd0 /mnt/floppy auto noauto,owner 0 0
in your /etc/fstab file, and that the directory /mnt/floppy exists,
you mount it as:
mount /mnt/floppy
then copy your certificates:
cp /usr/local/apache-certificates.tgz /mnt/floppy
Unmount your diskette:
umount /mnt/floppy
and put the diskette in the safe place.
Of course, you could also to it with Mutils, if you have them installed:
mformat -f 1440 a:
mcopy /usr/local/apache-server1-certificates.tgz a:
mdir a:
Also, if for some reason, you need to redo the certificates (I actually
had to do it, since I had a typo in server name, discovered it after
I finished the apache installation):
cd /usr/local/apache_1.3.14/sources/apache_1.3.14
make certificate TYPE=custom
and copy them by hand to the $APACHE_HOME/conf directory:
cd /usr/local/apache_1.3.14/sources/apache_1.3.14/conf
tar zcvf /usr/local/apache-certificates.tgz ssl*
chmod 600 /usr/local/apache-certificates.tgz
cd $APACHE_HOME/conf
tar zxvf /usr/local/apache-certificates.tgz
and do not redo the make install !!!
14) edited a file in $APACHE_HOME/conf/httpd.conf (in my case:
/usr/local/apache_1.3.14/conf/httpd.conf). You can look at
the copy of my initial httpd.conf.
I made a few changes to the original default httpd.conf which was
produced by the installation, namely, changed the ports on which
Apache listens to requests so the new installtion does not interfere
with the Apache server, which currently runs on your machine (assuming
that you have some server already running). I have no way of knowing
which ports on your machine are assigned to some services. In my case
I chose the port 4080 for the unencrypted Web Server port (which
corresponds to standard port 80 for HTTP), and the 4443 port for
the secure port (which corresponds to the standard port 443 for HTTPS).
I simply changed the following lines in
/usr/local/apache_1.3.14/conf/httpd.conf:
Port 80 ---> Port 4080
Listen 80 ---> Listen 4080
Listen 443 ---> Listen 4443
<VirtualHost _default_:443> ---> <VirtualHost _default_:4443>
15) I created the a file which starts the Web server when machine
is rebooted. I named it /etc/rc.d/init.d/httpd-jkl. Its copy
is given here. Then, I started
the new apache as:
/etc/rc.d/init.d/httpd-jkl start
and checked if the pages show up at
http://server1.ccl.net:4080/
and
https://server1.ccl.net:4443/ (this one will asked me to accept the
server certificate which I created)
In the https case you should get a lot of windows
which ask you for accepting the certificate. Just click Next to the
series of questions, and also mark "Keep this certificate forever"
on one of the boxes.
Pages worked so I used chkconfig to add the script to be used at boot:
cd /etc/rc.d/init.d
chkconfig --add httpd-jkl
and checked if the links for thr rc.dx directories were added by
chkconfig --list httpd-jkl
which gave me:
httpd-jkl 0:off 1:off 2:off 3:on 4:on 5:on 6:off
and I was happy since the links in appropriate directories were created.
Note, I can start and stop apache either as:
/etc/rc.d/init.d/httpd-jkl start
/etc/rc.d/init.d/httpd-jkl stop
or as
/usr/local/apache_1.3.14/bin/apachectl startssl
/usr/local/apache_1.3.14/bin/apachectl stop
Stop apache, since you are not finshed yet.
Building and installing tomcat
==============================
16) At this point it is probably prudent to log out and log in again as root
and reset your environment variables by doing:
JAVA_HOME=/usr/local/jdk1.3
export JAVA_HOME
PATH=/usr/local/bin:${JAVA_HOME}/bin:${PATH}
export PATH
CLASSPATH=${JAVA_HOME}/lib/tools.jar:${JAVA_HOME}/lib/dt.jar
export CLASSPATH
17)You need to get the latest JAXP (Sun API and XML parsing in Java). They
have the Early Access 1.1. Click on links under:
"Java API for XML Parsing (JAXP)"
Or try the http://java.sun.com/xml/download.html
At the time I was writing it it was: Version 1.1 Early Access 2
Take it... It has DOM2 and SAX2, while the stable JAXP 1.0.1 has only
DOM1 and SAX1. So, go to:
http://java.sun.com/xml/
click on Java API for XML Processing Reference Implementation
Java API for XML Processing Reference Implementation
Version 1.1 Early Access 2
Java API for XML Processing Reference Implementation version 1.1ea2
You have to be registered (I you do Java, you are registered...)
Agree to whatever (but be careful, since their lawyers look for work
after they finished the settlement with MS) and click on download to get:
jaxp-1_1-ea2.zip = 3,095,370 bytes
I have placed it in /tmp and then:
cd /tmp
unzip jaxp-1_1-ea2.zip
mv jaxp-1.1ea2 /usr/local
XML=/usr/local/jaxp-1.1ea2
export XML
CLASSPATH=${CLASSPATH}:${XML}/jaxp.jar:${XML}/crimson.jar
CLASSPATH=${CLASSPATH}:${XML}/xalan.jar
export CLASSPATH
I compiled and ran JAXP examples:
cd ${XML}/examples/dom
javac main.java
java -cp ${CLASSPATH}:. main
cd ${XML}/examples/sax
javac main.java
and did the example for invalid document:
java -cp ${CLASSPATH}:. -Djavax.xml.parsers.validation=true \
main ../samples/namespace.xml
and the one for the valid document:
java -cp ${CLASSPATH}:. -Djavax.xml.parsers.validation=true \
main ../samples/book-order.xml
and the one for the well-formedness only
java -cp ${CLASSPATH}:. main ../samples/namespace.xml
and they seemed to work.
18) Create directory /usr/local/tomcat_3.2.1
mkdir /usr/local/tomcat_3.2.1
JAKARTA_HOME=/usr/local/tomcat_3.2.1
export JAKARTA_HOME
and put there the source release 3.2.1 of tomcat:
cd $JAKARTA_HOME
wget http://jakarta.apache.org/builds/tomcat/release/v3.2.1/src/jakarta-servletapi-3.2-src.tar.gz
wget http://jakarta.apache.org/builds/tomcat/release/v3.2.1/src/jakarta-tomcat-3.2.1-src.tar.gz
wget http://jakarta.apache.org/builds/ant/release/v1.2/src/jakarta-ant-src.tar.gz
I also have them here locally, if you want:
jakarta-ant-src.tar.gz
jakarta-servletapi-3.2-src.tar.gz
jakarta-tomcat-3.2.1-src.tar.gz
19) Untar them as:
cd $JAKARTA_HOME
mkdir jakarta-ant-src
cd jakarta-ant-src
gtar zxvf ../jakarta-ant-src.tar.gz
cd /usr/local/tomcat_3.2.1
gtar zxvf jakarta-servletapi-3.2-src.tar.gz
gtar zxvf jakarta-tomcat-3.2.1-src.tar.gz
20) Installing/building ANT -- the tool needed to build Tomcat
cd $JAKARTA_HOME/jakarta-ant-src
./bootstrap.sh
./build.sh
cd $JAKARTA_HOME/build
mv ant $JAKARTA_HOME/ant-1.2
ANT_HOME=${JAKARTA_HOME}/ant-1.2
export ANT_HOME
CLASSPATH=${CLASSPATH}:${ANT_HOME}/lib/ant.jar
export CLASSPATH
PATH=${PATH}:${ANT_HOME}/bin
export PATH
21) Installing/building servlet API
cd $JAKARTA_HOME/jakarta-servletapi-3.2-src
chmod 755 build.sh
./build.sh dist
cd $JAKARTA_HOME/dist
mv servletapi ${JAKARTA_HOME}/servletapi-3.2
SERVLETAPI_HOME=${JAKARTA_HOME}/servletapi-3.2
export SERVLETAPI_HOME
CLASSPATH=${CLASSPATH}:${SERVLETAPI_HOME}/lib/servlet.jar
export CLASSPATH
At this point we accummulated lots of environment variables. It seems
useful to create a short script which will set them when sourced. You will
find it handy when you log out and log in again and want to continue
installation. I called this script env4tomcat and placed it in my
/root/bin directory. And you can get my version here. Then I executed
. /root/bin/env4tomcat
Note that the script already contains environment variables for
TOMCAT, though we did not arrive there yet.
22) Installing/building tomcat:
When I did:
cd $JAKARTA_HOME/jakarta-tomcat-3.2.1-src
./build.sh
I got an error:
/usr/local/tomcat_3.2.1/jakarta-tomcat-3.2.1-src/build.xml:
33: /usr/local/tomcat_3.2.1/jakarta-ant/bin not found.
Rather than changing the build.xml, I did:
cd $JAKARTA_HOME
mkdir jakarta-ant
cd jakarta-ant
ln -s ${ANT_HOME}/bin bin
and repeated the compilation:
cd $JAKARTA_HOME/jakarta-tomcat-3.2.1-src
./build.sh
./build.sh dist
cd ${JAKARTA_HOME}/dist
mv tomcat ${JAKARTA_HOME}/tomcat-3.2.1
TOMCAT_HOME=${JAKARTA_HOME}/tomcat-3.2.1
export TOMCAT_HOME
23) testing Tomcat
Since there are a lot of files in the $TOMCAT_HOME/conf, I decided
to move all files which are there to a separate directory, and then
copy what I need:
cd $TOMCAT_HOME/conf
mkdir original-conf
mv * original-conf
cd original-conf
cp -p server.xml ..
cp -p web.xml ..
cp -p workers.properties ..
cp -p tomcat-users.xml ..
cp -p mod_jk.conf ..
cd ..
Since I have other Tomcats running on this machine, I changed
the default ports in $TOMCAT_HOME/conf/server.xml
cd $TOMCAT_HOME/conf
emacs/vi/joe/whatever server.xml
Change 8080 --> 4180
Change 8007 --> 4007
While the SSL connector is at this moment commented out, I changed
the port
Change 8443 --> 4143
so I do not forget about it in the future. I also mounted webapps/ROOT
as /ROOT and changed all docBase attributes of Context to full path.
While /ROOT is also mounted in server.xml as /, I need another mount
point for Apache. If I mounted ROOT as / in apache, all my content
would have to be served by Tomcat, since DocumentRoot would be located
there. There are many ways of doing this, for example, I could copy
only the index.html file to the Apache DocumentRoot directory and mount
the subirectories of /ROOT as Contexts. I decided to mount /ROOT as
context /ROOT (i.e., it will be accessed as http://my.machine:port/ROOT
and solve the problem of relative/absolute links by using rewrite module.
Note that server.xml is the file which is read in by Tomcat to
configure itself. The other files are not read in by Tomcat. The web.xml
in the ${TOMCAT_HOME}/conf is not read in either (but it is read in
in other versions of Tomcat). This web.xml should be a starting place
for your own web.xml files which you place under WEB-INF directory
in your servlet/JSP contexts (WEB applications).
The other files are mostly prototypes of config files for the various
Web servers which work with Tomcat. Moreover, based on its own
configuration, it produces prototype configuration files for various
Web servers: iis_redirect.reg-auto and uriworkermap.properties-auto (for
MS IIS), mod_jk.conf-auto (for mod_jk module of Apache), obj.conf-auto
(for Netescape or whoever/whatever server, if you know what I mean),
and tomcat-apache.conf (for Apache mod_jserv module which we do not use
here). These prototype files are essentially ready to go for simple
configurations. The files like tomcat-apache.conf, tomcat.properties,
tomcat.conf are used when tomcat was working with mod_jserv module.
We are using here mod_jk module, and these files can be ignored.
The files for mod_jk module of Apache are mod_jk.conf and
workers.properties. For the time being, I tested if Tomcat works
alone by starting it as:
cd $TOMCAT_HOME/bin
./startup.sh
then checked the stuff at tomcat port
http://server1.ccl.net:4180/
and looked at test pages. Things worked... Then I shut it down as:
./shutdown.sh
What worried me was the number of threads the Tomcat opened, namely
ps auwx | grep java | wc -l
gave 36. These are supposedly lightweight threads and you should not
worry about this.
24) Now, let us create the mod_jk module. This is a DSO object
which you load into Apache. It is called "server plug-in"
sometimes. It allows Apache to talk to Tomcat. While Tomcat
can also run inprocess, it cannot be supported with current Apache/Tomcat
combination. So there are two processes: Apache and Tomcat, and they
need to talk to each other if they want to work together (or at
least send memos {:-)}). Note that in this communication Apache
(The web server) is a client (not a server!) of Tomcat.
Tomcat is started, and listens for requests from Apache, i.e., in
this relation, it is a server. Tomcat listens by default on port 8007,
but you can change it by editing the server.xml file. In my case,
as you saw in 23) I had to change the default port since I have several
Tomcats running on my machine. The module mod_jk is compiled as:
cd $JAKARTA_HOME/jakarta-tomcat-3.2.1-src/src/native
cd apache1.3
$APACHE_HOME/bin/apxs -o mod_jk.so \
-I${JAVA_HOME}/include/linux \
-I../jk -I${JAVA_HOME}/include \
-c *.c ../jk/*.c
cp mod_jk.so ${APACHE_HOME}/libexec
While I provide here the binary:
mod_jk.so -- press right mouse button here and choose: Save Link as
which you can just copy to ${APACHE_HOME}/libexec directory I strongly
suggest that you build the one yourself, since there are many options
to Apache, and it simply will not work, if your Apache is different
than my Apache.
25) When I tested standalone Tomcat in 23), it created automatically
a config file for mod_jk for Apache which is available as:
$TOMCAT_HOME/conf/mod_jk.conf-auto
I did the following:
cd $TOMCAT_HOME/conf
mv mod_jk.conf mod_jk.conf.original
mv mod_jk.conf-auto mod_jk.conf
i.e., I saved the original and copied the automatic version to
mod_jk.conf.
For the time being, I edited the Apache config file to include
the mod_jk.conf (more needs to be done for sensible install,
though). I edited file;
$APACHE_HOME/conf/httpd.conf and at the last line I put:
Include /usr/local/tomcat_3.2.1/tomcat-3.2.1/conf/mod_jk.conf
The actual initial httpd.conf is here.
I replaced all occurances of ajp12 with ajp13 in the
${TOMCAT_HOME}/conf/mod_jk.conf and added a mount point for /ROOT
You can find the copy of it here. I also changed server.xml (see below).
Just compare it to the original with UNIX diff utility.
Made several changes to workers.properties. Namely:
changed workers.tomcat_home, workers.java_home, ps, worker.ajp12.port,
worker.ajp13.port and commented out all inprocess stuff which is meant
for the Web servers which support inprocess. You can look up them here.
Note, my ajp12 port is 4006 and ajp13 is 4007.
26) changed the $TOMCAT_HOME/conf/server.xml to activate the ajp13 connector.
Added this:
<!-- Apache AJP13 support. -->
<Connector className="org.apache.tomcat.service.PoolTcpConnector">
<Parameter name="handler"
value="org.apache.tomcat.service.connector.Ajp13ConnectionHandler"/>
<Parameter name="port" value="4007"/>
</Connector>
Left apj12 support at port 4006 since it is needed for shutdown.
Look here for initial server.xml.
27) Heavily edited the $TOMCAT_HOME/bin/startup.sh,
$TOMCAT_HOME/bin/startup.sh and $TOMCAT_HOME/bin/jspc.sh
to include necessary environmental
variables. These initial files can be found here:
startup.sh
shutdown.sh
jspc.sh
tomcat.sh
28) Started tomat
cd $TOMCAT_HOME/bin
./startup.sh
It told me something like this:
Using classpath: /usr/local/tomcat_3.2.1/tomcat-3.2.1/lib/jasper.jar:/usr/local
/tomcat_3.2.1/tomcat-3.2.1/lib/test:/usr/local/tomcat_3.2.1/tomcat-3.2.1/lib/we
bserver.jar:/usr/local/jdk1.3/lib/tools.jar:/usr/local/jdk1.3/lib/tools.jar:/us
r/local/jdk1.3/lib/dt.jar:/usr/local/jdk1.3/jre/lib/ext/jce1_2_1.jar:/usr/local
/jdk1.3/jre/lib/ext/jcert.jar:/usr/local/jdk1.3/jre/lib/ext/jnet.jar:/usr/local
/jdk1.3/jre/lib/ext/jsse.jar:/usr/local/tomcat_3.2.1/ant-1.2/lib/ant.jar:/usr/l
ocal/tomcat_3.2.1/servletapi-3.2/lib/servlet.jar:/usr/local/jaxp-1.1ea2/jaxp.ja
r:/usr/local/jaxp-1.1ea2/crimson.jar:/usr/local/jaxp-1.1ea2/xalan.jar:/usr/loca
l/tomcat_3.2.1/tomcat-3.2.1/lib/jasper.jar:/usr/local/tomcat_3.2.1/tomcat-3.2.1
/lib/webserver.jar
2001-01-28 03:31:39 - ContextManager: Adding context Ctx(/examples )
2001-01-28 03:31:39 - ContextManager: Adding context Ctx( /admin )
Starting tomcat. Check logs/tomcat.log for error messages
2001-01-28 03:31:39 - ContextManager: Adding context Ctx( )
2001-01-28 03:31:39 - ContextManager: Adding context Ctx( /test )
2001-01-28 03:31:40 - PoolTcpConnector: Starting HttpConnectionHandler on 4180
2001-01-28 03:31:40 - PoolTcpConnector: Starting Ajp12ConnectionHandler on 4006
2001-01-28 03:31:41 - PoolTcpConnector: Starting Ajp13ConnectionHandler on 4007
(if you have errors, check if tomcat or something else is not running
and using the same TCP ports. Do, for exampl:
ps auxw | grep tomcat
and kill if needed. Also check if any ports from above: 4006, 4007,
4080, 4180, 4443, are used by using:
netstat -a | more
They would be listed in the first column, e.g., *.4443
)
29) Started Apache
$APACHE_HOME/bin/apachectl startssl
Things worked on port 4080(http) and 4443(https). I checked
http://server1.ccl.net:4080/examples and
https://server1.ccl.net:4443/examples
30) Stopped Tomcat
cd $TOMCAT_HOME/bin
./shutdown.sh
31) Stopped Apache
$APACHE_HOME/bin/apachectl stop
32) Reconfigured Tomcat and Apache to do things I want them to do.
a) In $APACHE_HOME/conf/httpd.conf made sure mod_jk is before mod_rewrite
LoadModule jk_module libexec/mod_jk.so
LoadModule rewrite_module libexec/mod_rewrite.so
and
AddModule mod_jk.c
AddModule mod_rewrite.c
and commented out the line
# LoadModule jk_module libexec/mod_jserv.so
in $TOMCAT_HOME/conf/mod_jk.conf
33) In the $APACHE_HOME/conf/httpd.conf I added some rewrite
rules before
## SSL Global Context
comment , and also inside 4443 virtual host scope after line:
TransferLog /usr/local/apache_1.3.14/logs/access_log :
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteLog /usr/local/apache_1.3.14/logs/rewrite_log
RewriteLogLevel 2
RewriteRule ^/ROOT/examples /examples [R]
RewriteRule ^/ROOT/test /test [R]
RewriteRule ^/ROOT/admin /admin [R]
RewriteRule ^/ROOT/ROOT /ROOT [R]
RewriteRule ^/tomcat.gif /ROOT/tomcat.gif [R]
RewriteRule ^/examples/servlets$ /examples/servlets/ [R]
RewriteRule ^/examples/jsp$ /examples/jsp/ [R]
RewriteRule ^/examples$ /examples/ [R]
RewriteRule ^/admin$ /admin/ [R]
RewriteRule ^/ROOT$ /ROOT/ [R]
RewriteRule ^/test$ /test/ [R]
</IfModule>
for the HTTP (port 4080) and HTTPS (virtual host at 4443). It was needed
to cure a problem that $TOMCAT_HOME/webapps/ROOT
is a Document Root for Tomcat, but for Apache, the
$APACHE_HOME/htdocs is the Document Root.
34) Created new users, in my case webinst, and webrun, and groups for
them, home directories, and regular login environment.
The webrun was assigned /bin/bash and webinst had tcsh as primary
shell (yes, I know that t/csh is brain dead, but people want it,
and people will have it -- it sucks, e.g., with its limitations:
"Word too long" when your environment variable is longer than 1024 --
it happens to me all the time with longer CLASSPATHs).
Note, that when you execute the script as
su - uid -c script
the script will be executed with the default shell (i.e., the shell
the user uid has assigned in /etc/passwd) of the uid user, and it
does not matter what you put in #!/bin/someshell on the top of your script.
While some UNICES allow you to specify shell on the command line (Linux
allows) I did not use this feature.
The script is sourced with default shell, not forked with a new shell.
The webinst will own most of the files in the web site, while the
webrun will be the user who runs the Apache server and the tomcat.
It will own log files and other files which the apache/tomcat/ needs
to write. In $APACHE_HOME/conf/httpd.conf I did:
User webrun
Group webrun
Also, I changed the directories for the Document root and CGI-BIN
Final version of httpd.conf is given here.
Also chown_ed to webrun the log directories:
chown -R webrun $APACHE_HOME/logs
chgrp -R webrun $APACHE_HOME/logs
And for tomcat:
chown -R webrun $TOMCAT_HOME/conf
chgrp -R webrun $TOMCAT_HOME/conf
chown -R webrun $TOMCAT_HOME/logs
chgrp -R webrun $TOMCAT_HOME/logs
chown -R webrun $TOMCAT_HOME/work
chgrp -R webrun $TOMCAT_HOME/work
35) In $APACHE_HOME/bin
cp apachectl apache-tomcat
and edited apache-tomcat to have a script to start/stop
tomcat and apache. This is an example: $APACHE_HOME/bin/apache-tomcat
Then chmoded apache-tomcat to be executable :
chmod 755 $APACHE_HOME/bin/apache-tomcat
36) Started the apache/tomcat as:
$APACHE_HOME/bin/apache-tomcat startssl
and checked if http://server1.ccl.net:4080/examples and
https://server1.ccl.net:4443/examples worked.
They did, so I killed the server with:
$APACHE_HOME/bin/apache-tomcat stop
Now, I also changed the startup script httpd-jkl in /etc/rc.d/init.d
to use the apache_tomcat rather than apachectl. The final version
is here. I also disabled the
RH7.0 Apache which comes with the standard installation by
/etc/rc.d/init.d/httpd stop
chkconfig --del httpd
chkconfig --list httpd
which showed rightly that httpd will not be invoked on boot:
httpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
and replaced Apache with this installation. I allowed the startup on
boot by activating the my script described above:
chkconfig --add httpd-jkl
chkconfig --list httpd-jkl
with list giving me OK:
httpd-jkl 0:off 1:off 2:off 3:on 4:on 5:on 6:off
Note, since we are using different ports, you do not have to stop the
original Apache which works on standard ports 80 and 443.
37) changed permissions/ownership on the example directories
cd $TOMCAT_HOME/webapps
chown -R webinst .
chgrp -R webinst .
cd $TOMCAT_HOME/logs
chown -R webrun .
38) After all these changes, the ports should be the following:
Orig New Files affected
http(apache) --> 80 --> 4080 ${APACHE_HOME}/conf/httpd.conf
https --> 443 --> 4443 ${APACHE_HOME}/conf/httpd.conf
http(tomcat) --> 8080 --> 4180 ${TOMCAT_HOME}/conf/server.xml
(disabled)
tomcat/apj13
--> 8009 --> 4007 ${TOMCAT_HOME}/conf/workers.properties
${TOMCAT_HOME}/conf/server.xml
tomcat/apj12 --> 8007 --> 4006 ${TOMCAT_HOME}/conf/workers.properties
${TOMCAT_HOME}/conf/server.xml
39) Since starting/stopping apache+tomcat in this environment requires
one to be a root, I created C wrappers to start and stop the whole zoo.
$APACHE_HOME/bin/apache_start.c
and compiled it with
gcc -o apache_start apache_start.c
as a root, and then added suid permissions to the resulting
apache_start executable file as:
chmod ug+s apache_start
I did exactly the same with apache_stop.c
gcc -o apache_stop apache_stop.c
chmod ug+s apache_stop
$APACHE_HOME/bin/apache_stop.c
Now, people do not have to have root access to start/stop Web Server/Tomcat
I also added a C program killme.c which kills the processes which are
running by user webrun. It is indentded to be used after "apache_stop"
to kill some runaway processes started by apache, Tomcat, or JServ.
After compiling the program:
gcc -o killme killme.c
changed its user and group ownership to webrun and added
SETUID permission bits
chown webrun killme
chgrp webrun killme
chmod ug+s killme
To learn which processes need to be killed, the user does
ps -ef | grep webrun | grep -v grep
(I actually saved this line as a shell script "killwhich" so they can
just type: killwhich).
and the user can kill the processes listed by previous command as:
killme pid1 pid2 ....
where pidn is the process id number in the second column.
$APACHE_HOME/bin/killme.c
40)If you look at my httpd.conf file
I have there a virtual host on HTTPS port 4443. The DocumentRoot directory
of this virtual host points at /content/html/private and the CGI script
directory /content/cgi/private are protected with the Basic Authentication
and contain the file .htaccess file:
AuthUserFile /usr/local/apache_1.3.14/auth/htpasswd
AuthGroupFile /usr/local/apache_1.3.14/auth/htgroup
AuthName "This directory is for internal users only"
AuthType Basic
<Limit GET POST PUT>
require group cclstaff
</Limit>
My /usr/local/apache_1.3.14/auth/htpasswd was similar to:
jkl:mqcxlex/TV9ywg
bubus:yVDEJCCn9/Lxo
lalus:F90sLCbaEEo
...
i.e., listed user names and their encrypted passwords. You can
get the encrypted password by typing at UNIX command line:
perl
print crypt("PASSWORD", "AB"), "\n";
^D
where "PASSWORD" should be actual open text password in quotes,
"AB" is a two character seed (can be any combination of letters and
digits, and some other characters, but stay with letters and digits
to be on safe side), and ^D is CTRL/D. For example, the abouve would
yield: ABIp8WSAPJnhI (of course, I am not endorsing using PASSWORD for
password).
My /usr/local/apache_1.3.14/auth/htgroup was similar to:
cclstaff:jkl bubus lalus
Of course you can have more groups and people.
-- THE END --
If you see something wrong here, please let me know, so I can save
other peoples time.
Jan