Apache 1.3.26 on Sparc Solaris 2.8
This is a log of my installation/Compilation of Apache DSO
with SSL, MM, under Solaris 2.8. gcc was: egcs-2.91.66
This log includes compilation from scratch of Apache. I personally
usually compile stuff from scratch, since I have the NIH (Not Invented Here)
mental syndrome, and I do not like THEIR layout. It is still mild, and
my shrink tells me that he still does not have to report me to the authorities.
Frankly, I do not like my own layout after a while too, and change it
often. 

This memo was originally written around Jul 28, 2002

The UNIX commands are set off from the text. It is assumed that you will just
grab them with the mouse and paste them into your xterm...

Few terms:
  Apache -- the Web Server
  DSO -- Dynamic Shared Object (additional modules can be added/updated
         to Apache without the need to recompile the whole thing, similar
         to shared libraries, but DSO modules are not only called, but
         can also call routines within Apache)
         
  MM  -- the OSSP mm shared memory library, an add-on which lets Apache
         and its modules (here: the mod_ssl session cache) communicate via
         shared memory rather than files (faster).

  SSL -- Secure Sockets Layer - the encryption and certificate support
         for Apache, provided by the OpenSSL library plus the mod_ssl module

I assume you have moderately recent GNU tools (gmake, gzip, etc.) installed
and also a recent version of perl.

I assume that you do all installation as root...
You can also get the wget utility from
 ftp://ftp.gnu.org/pub/gnu/wget/. The local copy is here.
You will need to have the openssl libraries (libcrypto and libssl) installed
for the latest wget to compile with https support. If you do not have them,
install openssl first as described later on in this log.
By default, it installs the wget binary to /usr/local/bin and puts the man
page into /usr/local/man. You can edit the Makefile after the ./configure
step if you want them elsewhere. I installed the latest GNU one (now 1.8.2) as:
    get wget-1.8.2.tar.gz and move it to the directory /usr/local/uploads or
       the one you like the most, e.g. /tmp.
    gunzip wget-1.8.2.tar.gz
    gtar xvf wget-1.8.2.tar
    mv wget-1.8.2 /usr/local     # I like it in /usr/local
    cd /usr/local/wget-1.8.2
    ./configure
    make
    make install

wget also has extensive GNU info pages; if you have them installed, do

   info wget

and seek knowledge.

1) Become root. Run ksh or bash or another Bourne-style sh, but not the
   C shell (the VAR=value; export VAR lines below are sh syntax).
   Before you install the new Apache, you have to know if you have some
   other installation of Apache running. If you do, you need to decide
   whether you want to keep the old Apache running or stop it.
   The problem is that the Apache server by default listens on the standard
   Web TCP ports, and you cannot have another Apache listen on the same
   port(s). If Apache was installed before, you will need either to disable
   it or to choose other ports. If some Apache is running
   (do: ps -ef | grep httpd) check which ports it is using with:

      netstat -a | grep LISTEN

   or 

      netstat -a -n | grep LISTEN

   if you want to see all ports given as numbers, rather than service names.

   If you get (among others):
      tcp        0      0 *:www             *:*                     LISTEN    
      tcp        0      0 *:https           *:*                     LISTEN    
   (or, with the netstat -n option:
      tcp        0      0 0.0.0.0:80        0.0.0.0:*               LISTEN
      tcp        0      0 0.0.0.0:443       0.0.0.0:*               LISTEN )
   the "well known ports" for HTTP and HTTPS are taken and some web
   server is running. (The lines above are in the Linux netstat layout;
   Solaris netstat prints the local address as *.80 and *.443 in the
   first column, with LISTEN in the last one, as in the check in step 28.)


2) If the old server is running, check the files in /etc/init.d,
   see if there is an httpd file (or similar) and stop Apache with:

      /etc/init.d/httpd stop    

3) If you do not want to kill the previous Apache, and want to install the
   new one in such a way that their TCP ports do not conflict, just
   continue on, and you will be OK, since this installation uses
   ports 6080 and 6443 rather than the standard ports which your existing
   installation is most likely using (change them if those are already used
   for something else). If you know where the configuration file for
   the already installed Apache is located, you can edit it and change
   the port assignments, for example:
      edit file /usr/local/apache1.3.13/conf/httpd.conf and change ports:
      
         cd /usr/local/apache1.3.13/conf
         cp -p httpd.conf httpd.conf.original
     
      emacs (or vi or whatever) httpd.conf and replace the lines:
           Listen 80   -->    Listen 6080
           Port 80     -->    Port 6080
           Listen 443  -->    Listen 6443
           <VirtualHost _default_:443> --> <VirtualHost _default_:6443>
      (with Listen directives present, Listen decides which sockets are
      bound; Port is still used for self-referential URLs and redirects,
      so change both)
     then restart apache and check pages:

         cd /etc/init.d
         ./httpd start

         and try if this works, i.e., try the URLs:
            http://my.machine.com:6080/
            https://my.machine.com:6443/

8) You usually have openssl installed, but if you cannot find the
   libraries:
     /usr/lib/libcrypto* or /usr/local/lib/libcrypto*
     /usr/lib/libssl* or /usr/local/lib/libssl*  
   you need to install openssl.
   Even if you have openssl and the libraries already installed, you will
   probably have to go through this step anyway, since a number of
   utilities and scripts (the openssl command itself, c_rehash, the headers)
   are often not installed on regular systems. There are two distributions
   of openssl: "normal" and "engine". The "engine" one is an experimental
   version of openssl with support for external crypto devices, and you
   will most likely not need it.
   Create the directory /usr/local/openssl and retrieve the latest release
   of openssl (0.9.6d here; always take the newest release of the series,
   since later 0.9.6 releases fixed remotely exploitable buffer overflows
   in the SSL/TLS code):

     mkdir /usr/local/openssl
     cd /usr/local/openssl
     wget http://www.openssl.org/source/openssl-0.9.6d.tar.gz

   Local copy of openssl-0.9.6d.tar.gz is here
   Check if you have "ar" utility in the PATH:

     which ar

   If not, you need to add some directories to the path:


     PATH=${PATH}:/usr/ccs/bin:/usr/ucb/bin
     export PATH
        
   Compile openssl. [If you are in Europe, you need to check the mod_ssl
   INSTALL for the no-idea option, since IDEA was still patented there.]
   Note: the RSA patent expired in September 2000, so you do not have to
   use the RSAREF library in the US any more and can use the optimized RSA
   code which comes with openssl. I chose the default install paths for
   openssl (/usr/local/ssl).

     cd /usr/local/openssl
     gtar zxvf openssl-0.9.6d.tar.gz
     cd openssl-0.9.6d
     
     ./config -fPIC shared \
              --prefix=/usr/local/ssl \
              --openssldir=/usr/local/ssl
     make
     make test
     make install
     # make install left the shared libraries (and their version symlinks)
     # in the build tree, so copy them by hand; -a is a GNU cp option
     cp -a /usr/local/openssl/openssl-0.9.6d/lib* /usr/local/ssl/lib


   During "make test" it barked on me:

     bc does not work properly ('SunOStest' failed).  Looking for another bc...
     /usr/bin/bc does not work properly ('SunOStest' failed).  Looking for
     another bc ... 
     No working bc found.  Consider installing GNU bc.


   Oh, well, there is a default Solaris bc in /usr/bin/bc and it is obviously
   less powerful than the GNU bc. bc is only used by make test to cross-check
   the bignum (bn) test results, so without a working one those results go
   unverified; install GNU bc and rerun make test if you want them checked.
   I will leave it there for now.
   This installation created: /usr/local/ssl/{bin, include, lib}.
   To make them generally available, make symbolic links in
   /usr/local/{bin, include, lib}, which are generally in the PATH, or
   (if you are brave) in /usr/{bin, include, lib}; alternatively set PATH
   and LD_LIBRARY_PATH. I made the following links in /usr (check first that
   no system-supplied libssl/libcrypto already live there: ln -s refuses to
   overwrite an existing file, and replacing a system copy would affect every
   program linked against it):
      
     cd /usr/lib
     ln -s ../local/ssl/lib/libcrypto.a libcrypto.a
     ln -s ../local/ssl/lib/libcrypto.so.0.9.6 libcrypto.so.0.9.6
     ln -s libcrypto.so.0.9.6 libcrypto.so.0
     ln -s libcrypto.so.0 libcrypto.so
     ln -s ../local/ssl/lib/libssl.a libssl.a
     ln -s ../local/ssl/lib/libssl.so.0.9.6 libssl.so.0.9.6
     ln -s libssl.so.0.9.6 libssl.so.0
     ln -s libssl.so.0 libssl.so

     cd /usr/include
     ln -s ../local/ssl/include/openssl openssl

     cd /usr/bin
     ln -s ../local/ssl/bin/openssl openssl
     ln -s ../local/ssl/bin/c_rehash c_rehash


9) Make the top directory for the Apache 1.3.26 installation. I did
     /usr/local/apache_1.3.26

     mkdir /usr/local/apache_1.3.26

  Then set APACHE_HOME environment variable

    APACHE_HOME=/usr/local/apache_1.3.26
    export APACHE_HOME

 
  I also made a subdirectory "sources" to have all needed sources in one
   place: 

     mkdir /usr/local/apache_1.3.26/sources
     cd /usr/local/apache_1.3.26/sources

   Put there the tar files:

     wget http://www.apache.org/dist/httpd/apache_1.3.26.tar.gz
     wget http://www.modssl.org/source/mod_ssl-2.8.10-1.3.26.tar.gz
     wget ftp://ftp.ossp.org/pkg/lib/mm/mm-1.2.1.tar.gz

   Local copies of the tarballs from above are here:
      apache_1.3.26.tar.gz
      mod_ssl-2.8.10-1.3.26.tar.gz
      mm-1.2.1.tar.gz

10) Unpack the sources to build DSO Apache with mod_ssl and mm:

     cd /usr/local/apache_1.3.26
     cd sources
     gtar zxvf apache_1.3.26.tar.gz
     gtar zxvf mod_ssl-2.8.10-1.3.26.tar.gz
     gtar zxvf mm-1.2.1.tar.gz


11) Compiled the MM shared memory library (static only; it gets linked
    into Apache via EAPI_MM below rather than loaded at run time)

     cd /usr/local/apache_1.3.26/sources/mm-1.2.1
     ./configure --disable-shared
     make

12) Configured  mod_ssl

     cd /usr/local/apache_1.3.26/sources/mod_ssl-2.8.10-1.3.26
     EAPI_MM=../mm-1.2.1 \
     ./configure \
     --with-apache=/usr/local/apache_1.3.26/sources/apache_1.3.26

    (this applies the EAPI patch to the Apache source tree, so it has to run
    before Apache's own configure in the next step; do not leave trailing
    spaces after the backslashes when you paste)


13) Configure and build Apache itself, pointing it at the OpenSSL and MM
    trees (SSL_BASE and EAPI_MM are read by the patched configure):

      cd /usr/local/apache_1.3.26/sources/apache_1.3.26
      SSL_BASE=/usr/local/ssl \
      EAPI_MM=/usr/local/apache_1.3.26/sources/mm-1.2.1 \
      ./configure --prefix=/usr/local/apache_1.3.26 \
                  --enable-module=so \
                  --enable-rule=SHARED_CORE \
                  --enable-module=most \
                  --enable-shared=max \
                  --enable-module=ssl \
                  --enable-shared=ssl
      make

    (SHARED_CORE builds the Apache core itself as a DSO; it is not needed
    just to load modules and can be left out. After make, src/httpd -V
    should list -D EAPI among the compiled-in defines, which confirms that
    the mod_ssl patch took.)


14) Now you can make certificates. If you want to install self-signed
    certificates which you will use (read a pageful below), do:

       make certificate TYPE=custom

   One thing to remember is to enter the fully qualified domain name of the
   host on which this Apache Web server runs (in my case: server1.ccl.net)
   when you are asked for info for the X.509 certificate signing request
   for SERVER [server.csr] at item 6, Common Name. Browsers compare this
   name with the host name in the URL, so a typo here means a warning on
   every https connection.
    You can look at my dialog with the computer here.
   I then tarred my certificates/keys into a file:

     cd /usr/local/apache_1.3.26/sources/apache_1.3.26/conf
     gtar zcvf /usr/local/apache-certificates.tgz ssl*
     chmod 600 /usr/local/apache-certificates.tgz

   just in case I lose them (these certificates were made for 5 years,
   and I do not want to redo it every time I update apache). When you need
   to restore the certificates, just do:

     cd $APACHE_HOME/conf
     gtar zxvf  /usr/local/apache-certificates.tgz

    If you have your certificates already made and signed you can just
    create dummy certificates as:

      make certificate TYPE=dummy

    and you will replace them later in the $APACHE_HOME/conf with the
    real ones. 

    Then you install Apache in the directories under $APACHE_HOME

      cd /usr/local/apache_1.3.26/sources/apache_1.3.26
      make install

   Also, if for some reason you need to redo the certificates (I actually
   had to do it, since I had a typo in the server name, which I discovered
   after I finished the apache installation):

     cd /usr/local/apache_1.3.26/sources/apache_1.3.26
     make certificate TYPE=custom

   and copy them by hand to the $APACHE_HOME/conf directory:

     cd /usr/local/apache_1.3.26/sources/apache_1.3.26/conf
     gtar zcvf /usr/local/apache-certificates.tgz ssl*
     chmod 600 /usr/local/apache-certificates.tgz
     cd $APACHE_HOME/conf
     gtar zxvf  /usr/local/apache-certificates.tgz

   and do not redo the make install !!! 
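What `make certificate TYPE=custom` asks for, done non-interactively with the openssl command line so that the Common Name, the validity and the key file permissions are explicit and can be checked afterwards. This is an added example, not the mod_ssl makefile target and not anything from the original log; the subject fields (C, ST, L, O), the 2048-bit key size and the backup file name are assumptions. mod_ssl's httpd.conf expects the files as conf/ssl.crt/server.crt and conf/ssl.key/server.key (SSLCertificateFile and SSLCertificateKeyFile), so copy the results there. The -subj option needs OpenSSL 0.9.7 or later; with the 0.9.6d built above, answer the prompts instead and give the FQDN as Common Name.

```shell
#!/bin/sh
# Added example, not part of the original log: a self-signed server
# certificate made with the openssl command line instead of the interactive
# "make certificate TYPE=custom" dialog. Subject fields, key size and the
# backup name are assumptions for illustration.

# make_server_cert FQDN DAYS OUTDIR
# Writes OUTDIR/server.key (RSA, unencrypted, mode 600) and OUTDIR/server.crt
# (self-signed, valid DAYS days, CN=FQDN, which is the name browsers check).
make_server_cert() {
    fqdn=$1 days=$2 out=$3
    ( umask 077        # the key file must be created owner-readable only
      openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
          -subj "/C=US/ST=Ohio/L=Columbus/O=CCL/CN=$fqdn" \
          -keyout "$out/server.key" -out "$out/server.crt"
    ) >/dev/null 2>&1 || return 1
    chmod 600 "$out/server.key"
    chmod 644 "$out/server.crt"
}

# cert_cn CERTFILE: print the Common Name from the certificate subject
# (handles both the old "/CN=host" and the newer "CN = host" print style)
cert_cn() {
    openssl x509 -in "$1" -noout -subject |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# cert_matches_host CERTFILE HOST: succeed only if the certificate is valid
# for HOST, the same check a browser does before warning about a mismatch
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# backup_certs CERTDIR TARBALL: keep key and certificate in a tarball that
# only root can read (tar and gzip separately; Solaris tar has no z option)
backup_certs() {
    ( umask 077
      cd "$1" && tar cf - server.key server.crt | gzip > "$2" )
}

# Real use (as root), with the same 5-year validity as in the log:
#   mkdir /usr/local/ssl-keys
#   make_server_cert server1.ccl.net 1825 /usr/local/ssl-keys
#   cert_cn /usr/local/ssl-keys/server.crt        # must print server1.ccl.net
#   cp    /usr/local/ssl-keys/server.crt $APACHE_HOME/conf/ssl.crt/server.crt
#   cp -p /usr/local/ssl-keys/server.key $APACHE_HOME/conf/ssl.key/server.key
#   backup_certs /usr/local/ssl-keys /usr/local/apache-certificates.tgz
```

The key is written unencrypted (-nodes), which is what lets apachectl startssl run from an rc script without a passphrase prompt; the protection is then entirely the mode 600 on the key file and on the backup tarball, so keep both owned by root. cert_matches_host does the same name check a browser does, which is why a typo in the Common Name (as happened above) shows up as a name-mismatch warning rather than as a broken certificate.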
  
14) edited the file $APACHE_HOME/conf/httpd.conf (in my case:
      /usr/local/apache_1.3.26/conf/httpd.conf). You can look at
    the copy of my initial httpd.conf.
    I made a few changes to the original default httpd.conf which was
    produced by the installation, namely, changed the ports on which
    Apache listens for requests so the new installation does not interfere
    with the Apache server which currently runs on your machine (assuming
    that you have some server already running). I have no way of knowing
    which ports on your machine are assigned to some services. In my case
    I chose port 6080 for the unencrypted Web server port (which
    corresponds to the standard port 80 for HTTP), and port 6443 for
    the secure port (which corresponds to the standard port 443 for HTTPS).
    I simply changed the following lines in
        /usr/local/apache_1.3.26/conf/httpd.conf: 
      Port 80                      --->  Port 6080
      Listen 80                    --->  Listen 6080
      Listen 443                   --->  Listen 6443
      <VirtualHost _default_:443>  --->  <VirtualHost _default_:6443> 
    Also uncommented ServerName and pointed it at the real machine (use the
    FQDN you put in the certificate, so that the redirects Apache generates
    point at a name the certificate is valid for).
    The modified file is here.
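The four port edits done by hand in steps 3 and 14, as an added example that is not part of the original log: a sh function that applies them with sed, keeps the distribution httpd.conf as httpd.conf.original, and checks that no Port/Listen 80 or 443 directive is left behind (a leftover Listen 443 inside the <IfDefine SSL> block is the usual reason a second Apache refuses to start next to the first one). The httpd.conf excerpt in the script is constructed for the demo; the port numbers are the ones used in this log.

```shell
#!/bin/sh
# Added example (not part of the original log): move an Apache 1.3/mod_ssl
# httpd.conf from the standard ports to alternate ones, keeping a backup and
# verifying that nothing in the file still binds 80 or 443.

# rebase_ports CONF HTTP_PORT HTTPS_PORT
rebase_ports() {
    conf=$1 http=$2 https=$3
    # keep the distribution copy once; never clobber an existing backup
    [ -f "$conf.original" ] || cp -p "$conf" "$conf.original"
    sed -e "s/^Port 80\$/Port $http/" \
        -e "s/^Listen 80\$/Listen $http/" \
        -e "s/^Listen 443\$/Listen $https/" \
        -e "s/^<VirtualHost _default_:443>/<VirtualHost _default_:$https>/" \
        "$conf" > "$conf.tmp" || return 1
    # write through the existing file so its owner and mode are preserved
    cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
}

# standard_ports_left CONF: print (with line numbers) every directive that
# still binds a well-known port; exit status 0 means something was found
standard_ports_left() {
    grep -n -E '^(Port|Listen) +(80|443) *$|_default_:443>' "$1"
}

# Constructed excerpt of the httpd.conf that "make install" writes
# (demo input only, not the real file):
SAMPLE_CONF='ServerType standalone
Port 80
<IfDefine SSL>
Listen 80
Listen 443
</IfDefine>
#ServerName new.host.name
<IfDefine SSL>
<VirtualHost _default_:443>
SSLEngine on
</VirtualHost>
</IfDefine>'

# demo_rebase: run the edit on a scratch copy and show the result
demo_rebase() {
    f=${TMPDIR:-/tmp}/httpd.conf.demo.$$
    printf '%s\n' "$SAMPLE_CONF" > "$f"
    rebase_ports "$f" 6080 6443
    grep -E '^(Port|Listen) |_default_' "$f"
    if standard_ports_left "$f"; then
        echo "WARNING: standard ports still referenced"
    else
        echo "ok: no Port/Listen 80/443 left"
    fi
    rm -f "$f" "$f.original"
}
demo_rebase

# Real use (as root), then let Apache parse the result before starting it:
#   rebase_ports $APACHE_HOME/conf/httpd.conf 6080 6443
#   standard_ports_left $APACHE_HOME/conf/httpd.conf
#   $APACHE_HOME/bin/apachectl configtest
```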

15) I created the a file which starts the Web server when machine
    is rebooted. I named it /etc/init.d/httpd-jkl. Its copy
    is given here. Then, I started
    the new apache as:

       /etc/init.d/httpd-jkl start

    and checked if the pages show up at
       http://heechee.ccl.net:6080/
    and
       https://heechee.ccl.net:6443/    (this one asked me to accept the
                                         server certificate which I created)

    In the https case the browser will complain that the certificate was
    not issued by a CA it knows (it is self-signed) and walk you through a
    series of dialogs asking you to accept it. Click Next through them and
    mark "Keep this certificate forever" (or the equivalent) in one of the
    boxes. Check that the name shown in the certificate is the FQDN you
    entered; otherwise you will get a name-mismatch warning as well.

    Pages worked, so I placed the link in the /etc/rc3.d directory to make
    the server start on boot-up:

       cd /etc/rc3.d
       ln -s ../init.d/httpd-jkl S55httpd-jkl

    Note, I can start and stop apache either as:

       /etc/init.d/httpd-jkl start
       /etc/init.d/httpd-jkl stop

    or as

       /usr/local/apache_1.3.26/bin/apachectl startssl
       /usr/local/apache_1.3.26/bin/apachectl stop


    Stop apache, since you are not finished yet.


        Building and installing ant
        ==============================

16)  At this point it is probably prudent to log out and log in again as root
     and reset your environment variables by doing:

       JAVA_HOME=/usr/local/j2sdk1.4.1
       export JAVA_HOME
       PATH=/usr/local/bin:${JAVA_HOME}/bin:${PATH}
       export PATH

Assuming that the top directory of your Java SDK is /usr/local/j2sdk1.4.1.
My notes on installing Java 2 SDK can be found at


18) Create the directory /usr/local/jakarta and retrieve the latest ant from
    http://jakarta.apache.org
    "Ant" does for Java what "make" does for C. It is used to build
    applications for Java. I did:
    

      mkdir /usr/local/jakarta
      cd /usr/local/jakarta
      mkdir ant1.5
      cd ant1.5
      wget http://jakarta.apache.org/builds/jakarta-ant/release/v1.5/src/jakarta-ant-1.5-src.tar.gz 
      gtar zxvf jakarta-ant-1.5-src.tar.gz

   which resulted in the jakarta-ant-1.5 subdirectory. Check that your
   JAVA_HOME and PATH variables are properly set for Java.

      cd /usr/local/jakarta/ant1.5/jakarta-ant-1.5
      ./bootstrap.sh
      ./build.sh


   This created a directory dist which contains bin and lib directory.
   I moved these directories to /usr/local/jakarta/ant1.5/

      cd /usr/local/jakarta/ant1.5
      mv jakarta-ant-1.5/dist/bin .
      mv jakarta-ant-1.5/dist/lib .

   I then edited the ant script in the bin directory by adding the following
   at the top:

      JAVA_HOME=/usr/local/j2sdk1.4.1
      ANT_HOME=/usr/local/jakarta/ant1.5
      PATH=${JAVA_HOME}/bin:${ANT_HOME}/bin:/usr/local/bin:${PATH}
      export JAVA_HOME ANT_HOME PATH
      if [ "${CLASSPATH}x" = "x" ] ; then
         CLASSPATH=${ANT_HOME}/lib/ant.jar:${ANT_HOME}/lib/optional.jar
      else 
         CLASSPATH=${CLASSPATH}:${ANT_HOME}/lib/ant.jar
         CLASSPATH=${CLASSPATH}:${ANT_HOME}/lib/optional.jar
      fi
      export CLASSPATH


   Alternatively, you could put these lines into a /etc/ant.conf file
   which is sourced at the top of the /usr/local/jakarta/ant1.5/bin/ant
   script.

   Then, I linked the ant script in /usr/local/bin as:

      ln -s /usr/local/jakarta/ant1.5/bin/ant /usr/local/bin/ant



   Building and installing tomcat 3.3.1
   ====================================

   Created directory and downloaded the release of 3.3.1

     cd /usr/local/jakarta
     mkdir tomcat3.3.1
     cd tomcat3.3.1
     wget http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1/src/jakarta-tomcat-3.3.1-src.tar.gz
     gtar zxvf jakarta-tomcat-3.3.1-src.tar.gz


   Then I built the tomcat as:

     cd /usr/local/jakarta/tomcat3.3.1/jakarta-tomcat-3.3.1-src
     ant

   This created a directory: 
     /usr/local/jakarta/tomcat3.3.1/jakarta-tomcat-3.3.1-src/build/tomcat
   I moved all files/directories  from under it to 
   /usr/local/jakarta/tomcat3.3.1

     cd /usr/local/jakarta/tomcat3.3.1/jakarta-tomcat-3.3.1-src/build/tomcat
     mv * /usr/local/jakarta/tomcat3.3.1


   Since Tomcat should not run as root, I decided to run it as
   user webrun. My webrun account in /etc/passwd was set to run /bin/ksh
   and its home directory was /home/webrun. I placed the following in the
   file /home/webrun/.profile:

      JAVA_HOME=/usr/local/j2sdk1.4.1
      TOMCAT_HOME=/usr/local/jakarta/tomcat3.3.1/
      PATH=${JAVA_HOME}/bin:${TOMCAT_HOME}/bin:${PATH}
      export JAVA_HOME TOMCAT_HOME PATH

   To make sure that Tomcat can write files and logs
   in its directories I changed ownership of some directories to webrun

     cd /usr/local/jakarta/tomcat3.3.1
     mkdir work
     chown -R webrun:webrun logs conf webapps work

   Tomcat by default runs HTTP on port 8080 and takes ports 8007 and 8009
   for the connectors to Apache. If you have other Tomcats running, you need
   to edit the file server.xml in the /usr/local/jakarta/tomcat3.3.1/conf
   directory to point at different ports (see 23 below).

   I tested Tomcat as follows:

      su - webrun
      ${TOMCAT_HOME}/bin/startup.sh

   and then tried with the browser if the http://heechee.ccl.net:8080/ works
   Ran a few examples and things seemed to work.
   I stopped Tomcat by executing 

      ${TOMCAT_HOME}/bin/shutdown.sh


23) testing Tomcat. I become a "webrun" user for this part, not a root.  
    Since I have other Tomcats running on this machine, I changed
    the default ports in $TOMCAT_HOME/conf/server.xml

         cd $TOMCAT_HOME/conf

         emacs/vi/joe/whatever server.xml
               Change 8080 --> 6180
               Change 8007 --> 6007
               Change 8009 --> 6009
     While the SSL connector is at this moment commented out, I changed
     the port 
               Change 8443 --> 6243

     so I do not forget about it in the future. 
     I also added "doc" application to Tomcat. This contains the static
     documentation files from $TOMCAT_HOME/doc. I created it by using the new
     way of adding webapplication, i.e., by creating a file conf/apps-name.xml.
     In my case the file $TOMCAT_HOME/conf/apps-doc.xml was:

        <?xml version="1.0" encoding="ISO-8859-1"?>
        <webapps>
            <!-- Setting special properties for /doc
                 ( as an example of overriding the defaults )
              -->
        
           <Context path="/doc"
                    docBase="/usr/local/jakarta/tomcat3.3.1/doc"
                    debug="0"
                    reloadable="true" >
                      <SimpleRealm filename="conf/users/example-users.xml" />
                      <LogSetter name="doc_tc.log" path="logs/doc.log" />
                      <LogSetter name="doc_servlet_log"
                                 path="logs/servlet_doc.log"
                                 servletLogger="true"/>
          </Context>
        
        </webapps>

     which was just a modification of the apps-examples.xml file.
     I then restarted TOMCAT as:


        ${TOMCAT_HOME}/bin/startup.sh

     The initial server.xml file is here and the apps-doc.xml is here.

     And checked if I can read the http://heechee.ccl.net:6180/doc
     in my browser. I could... 
     I printed myself some pages, and studied -- do the same. Namely:
       http://heechee.ccl.net:6180/doc/serverxml.html
       http://heechee.ccl.net:6180/doc/tomcat-ug.html
       http://heechee.ccl.net:6180/doc/tomcat-security.html
       http://heechee.ccl.net:6180/doc/Tomcat-Workers-HowTo.html
       http://heechee.ccl.net:6180/doc/tomcat-ssl-howto.html
       http://heechee.ccl.net:6180/doc/mod_jk-howto.html
       http://heechee.ccl.net:6180/doc/internal.html

     I also mounted webapps/ROOT as /ROOT and changed all docBase
     attributes of Context to full paths. While /ROOT is also mounted in
     server.xml as /, I need another mount point for Apache: if I mounted
     ROOT as / in Apache, all my content would have to be served by Tomcat,
     since DocumentRoot would be located there. There are many ways of
     doing this; for example, I could copy only the index.html file to the
     Apache DocumentRoot directory and mount the subdirectories of /ROOT as
     Contexts. I decided to mount /ROOT as context /ROOT (i.e., it will be
     accessed as http://my.machine:port/ROOT) and solve the problem of
     relative/absolute links with the rewrite module.
     Note that server.xml is the file which Tomcat reads to configure
     itself. The other files in conf are not read by Tomcat. The web.xml
     in ${TOMCAT_HOME}/conf is not read either (but it is in other versions
     of Tomcat); this web.xml is a starting place for your own web.xml
     files which you place under the WEB-INF directory in your servlet/JSP
     contexts (web applications).
     The other files are mostly prototypes of config files for the various
     Web servers which work with Tomcat. Moreover, based on its own
     configuration, Tomcat produces prototype configuration files for
     various Web servers: iis_redirect.reg-auto and
     uriworkermap.properties-auto (for MS IIS), mod_jk.conf-auto (for the
     mod_jk module of Apache), obj.conf-auto (for Netscape or
     whoever/whatever server, if you know what I mean), and
     tomcat-apache.conf (for the Apache mod_jserv module, which we do not
     use here). These prototype files are essentially ready to go for
     simple configurations. The files tomcat-apache.conf, tomcat.properties
     and tomcat.conf are used when Tomcat works with the mod_jserv module;
     we use the mod_jk module here, so they can be ignored. The files for
     the mod_jk module of Apache are mod_jk.conf and workers.properties.
     For the time being, I tested whether Tomcat works alone by starting
     it as:

       cd $TOMCAT_HOME/bin
       ./startup.sh
   
    then checked the stuff at tomcat port 

       http://server1.ccl.net:4180/       

    and looked at test pages. Things worked... Then I shut it down as:

       ./shutdown.sh

    What worried me was the number of threads the Tomcat opened, namely
       ps auwx | grep java | wc -l
    gave 36. These are supposedly lightweight threads and you should not
    worry about this.

24)  Now, let us create the mod_jk module. This is a DSO object
     which you load into Apache. It is called "server plug-in"
     sometimes. It allows Apache to talk to Tomcat. While Tomcat
     can also run inprocess, it cannot be supported with current Apache/Tomcat
     combination. So there are two processes: Apache and Tomcat, and they
     need to talk to each other if they want to work together (or at
     least send memos {:-)}). Note that in this communication Apache
     (The web server) is a client (not a server!) of Tomcat.
     Tomcat is started, and listens for requests from Apache, i.e., in
     this relation, it is a server. Tomcat listens by default on port 8007, 
     but you can change it by editing the server.xml file. In my case,
     as you saw in 23) I had to change the default port since I have several
     Tomcats running on my machine. The module mod_jk is compiled with
     apxs from the native sources in the Tomcat source tree. The paths
     below are from my earlier 3.2.1 build; in the 3.3.1 tree used in this
     log (/usr/local/jakarta/tomcat3.3.1/jakarta-tomcat-3.3.1-src) the
     native sources moved under src/native/mod_jk (subdirectories
     apache1.3 and common), so look there and adjust the cd and the -I
     paths. Note also the JNI platform header directory: on Solaris it is
     include/solaris, not include/linux:

        cd $JAKARTA_HOME/jakarta-tomcat-3.2.1-src/src/native
        cd apache1.3
        $APACHE_HOME/bin/apxs -o mod_jk.so  \
             -I${JAVA_HOME}/include/solaris \
             -I../jk -I${JAVA_HOME}/include \
             -c *.c ../jk/*.c

        cp mod_jk.so ${APACHE_HOME}/libexec


      While I provide the binary here:
      mod_jk.so -- press the right mouse button here and choose: Save Link as
      which you can just copy to the ${APACHE_HOME}/libexec directory, I
      strongly suggest that you build it yourself, since there are many
      options to Apache, and it simply will not work if your Apache is
      different from my Apache.

25)   When I tested standalone Tomcat in 23), it created automatically
      a config file for mod_jk for Apache which is available as:
      $TOMCAT_HOME/conf/mod_jk.conf-auto
      I did the following:

        cd $TOMCAT_HOME/conf
        mv mod_jk.conf mod_jk.conf.original
        mv mod_jk.conf-auto mod_jk.conf

      i.e., I saved the original and copied the automatic version to
      mod_jk.conf. 
      For the time being, I edited the Apache config file to include
      the mod_jk.conf (more needs to be done for a sensible install,
      though). I edited the file $APACHE_HOME/conf/httpd.conf and at the
      last line I put:
         Include /usr/local/jakarta/tomcat3.3.1/conf/mod_jk.conf
      The actual initial httpd.conf is here.
      I replaced all occurrences of ajp12 with ajp13 in
      ${TOMCAT_HOME}/conf/mod_jk.conf and added a mount point for /ROOT.
      You can find a copy of it here. I also changed server.xml (see below).
      Just compare it to the original with the UNIX diff utility.
      I made several changes to workers.properties, namely:
      changed workers.tomcat_home, workers.java_home, ps, worker.ajp12.port
      and worker.ajp13.port, and commented out all the inprocess stuff which
      is meant for Web servers which support inprocess. You can look at
      them here. Note, my ajp12 port is 4006 and ajp13 is 4007; the
      worker.*.port values here must match the connector ports in
      server.xml, or mod_jk cannot reach Tomcat.
 
26) changed $TOMCAT_HOME/conf/server.xml to activate the ajp13 connector.
    Added this:
        <!-- Apache AJP13 support. -->
        <Connector className="org.apache.tomcat.service.PoolTcpConnector">
            <Parameter name="handler"
       value="org.apache.tomcat.service.connector.Ajp13ConnectionHandler"/>
            <Parameter name="port" value="4007"/>
        </Connector>
    (This is the Tomcat 3.2 syntax; in the 3.3 server.xml the same thing
    is the one-line <Ajp13Interceptor port="4007" /> element next to the
    Ajp12Interceptor.) Left ajp12 support at port 4006 since it is needed
    for shutdown. Look here for the initial server.xml.

27) Heavily edited $TOMCAT_HOME/bin/startup.sh,
    $TOMCAT_HOME/bin/shutdown.sh and $TOMCAT_HOME/bin/jspc.sh
    to include the necessary environment
    variables. These initial files can be found here:
       startup.sh 
       shutdown.sh 
       jspc.sh 
       tomcat.sh 

28) Started tomcat

        cd $TOMCAT_HOME/bin
        ./startup.sh

   It told me something like this:

Using classpath: /usr/local/tomcat_3.2.1/tomcat-3.2.1/lib/jasper.jar:/usr/local
/tomcat_3.2.1/tomcat-3.2.1/lib/test:/usr/local/tomcat_3.2.1/tomcat-3.2.1/lib/we
bserver.jar:/usr/local/jdk1.3/lib/tools.jar:/usr/local/jdk1.3/lib/tools.jar:/us
r/local/jdk1.3/lib/dt.jar:/usr/local/jdk1.3/jre/lib/ext/jce1_2_1.jar:/usr/local
/jdk1.3/jre/lib/ext/jcert.jar:/usr/local/jdk1.3/jre/lib/ext/jnet.jar:/usr/local
/jdk1.3/jre/lib/ext/jsse.jar:/usr/local/tomcat_3.2.1/ant-1.2/lib/ant.jar:/usr/l
ocal/tomcat_3.2.1/servletapi-3.2/lib/servlet.jar:/usr/local/jaxp-1.1ea2/jaxp.ja
r:/usr/local/jaxp-1.1ea2/crimson.jar:/usr/local/jaxp-1.1ea2/xalan.jar:/usr/loca
l/tomcat_3.2.1/tomcat-3.2.1/lib/jasper.jar:/usr/local/tomcat_3.2.1/tomcat-3.2.1
/lib/webserver.jar
2001-01-28 03:31:39 - ContextManager: Adding context Ctx(/examples )
2001-01-28 03:31:39 - ContextManager: Adding context Ctx( /admin )
Starting tomcat. Check logs/tomcat.log for error messages
2001-01-28 03:31:39 - ContextManager: Adding context Ctx(  )
2001-01-28 03:31:39 - ContextManager: Adding context Ctx( /test )
2001-01-28 03:31:40 - PoolTcpConnector: Starting HttpConnectionHandler on 4180
2001-01-28 03:31:40 - PoolTcpConnector: Starting Ajp12ConnectionHandler on 4006
2001-01-28 03:31:41 - PoolTcpConnector: Starting Ajp13ConnectionHandler on 4007

   (if you have errors, check whether another tomcat or something else is
   running and using the same TCP ports. Do, for example:
      ps auxw | grep tomcat
    and kill it if needed. Also check whether any of the ports from above
    (4006, 4007, 6080, 4180, 6443) are in use, with:

       netstat -a | more

    They would be listed in the first column, e.g., *.6443
   )
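The port check described in step 1 and repeated in the note just above, as an added example that is not part of the original log: a small sh/awk script that reads netstat -an output and reports which of the ports this installation wants (6080, 6443, the ajp12/ajp13 ports, the Tomcat HTTP port) are already bound. It understands both the Solaris column layout (*.6443, 192.168.1.2.6080) and the Linux one (0.0.0.0:6443, :::6443). The netstat sample embedded below is constructed for the demo, not captured from the machine in the log.

```shell
#!/bin/sh
# Added example (not part of the original log): check that the ports this
# installation wants are not already bound by some other server, from the
# output of "netstat -an". On Solaris use nawk if /usr/bin/awk chokes on
# the regular expressions.

# listening_ports: read "netstat -an" output on stdin and print each
# listening TCP port once, numerically sorted.
listening_ports() {
    awk '
        / LISTEN/ && !/LISTENING/ {          # skip unix-domain LISTENING lines
            for (i = 1; i <= NF; i++) {
                # Solaris local address: *.6443 or 192.168.1.2.6080
                # Linux local address:   0.0.0.0:6443, 127.0.0.1:6007, :::80
                if ($i ~ /^(\*|[0-9.]+)\.[0-9]+$/ ||
                    $i ~ /^[0-9a-fA-F.:*]*:[0-9]+$/) {
                    n = split($i, a, "[.:]")   # the port is the last piece
                    print a[n]
                    break
                }
            }
        }' | sort -un
}

# ports_in_conflict PORT...: print those of the given ports that are in use
# according to the netstat output on stdin; nothing printed means all free.
ports_in_conflict() {
    used=$(listening_ports)
    for want in "$@"; do
        for u in $used; do
            [ "$want" = "$u" ] && echo "$want"
        done
    done
    return 0
}

# Constructed sample (not real output): Solaris-style lines first, then
# Linux-style lines, so both layouts are exercised in one run.
SAMPLE_NETSTAT='   *.22                 *.*                0      0 24576      0 LISTEN
   *.80                 *.*                0      0 24576      0 LISTEN
   *.443                *.*                0      0 24576      0 LISTEN
192.168.1.2.6080       *.*                0      0 24576      0 LISTEN
192.168.1.2.22         10.0.0.5.51234  8760      0 24820      0 ESTABLISHED
tcp        0      0 0.0.0.0:8080      0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6007    0.0.0.0:*               LISTEN
unix  2      [ ACC ]     STREAM     LISTENING     1234   /tmp/.X11-unix/X0'

# Real use (as root, before starting the new servers):
#   netstat -an | ports_in_conflict 6080 6443 4006 4007 6180
# Demo on the constructed sample (prints 6080 and 8080):
printf '%s\n' "$SAMPLE_NETSTAT" | ports_in_conflict 6080 6443 4006 4007 6180 8080
```

The script only tells you that a port is taken, not by whom; on Solaris 8 there is no netstat -p, so follow up with ps -ef and the init scripts as in step 2 to find the owner before deciding whether to stop it or move the new server elsewhere.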

29) Started Apache

   $APACHE_HOME/bin/apachectl startssl


   Things worked on port 6080(http) and 6443(https). I checked
   http://server1.ccl.net:6080/examples and
   https://server1.ccl.net:6443/examples 


30) Stopped Tomcat

        cd $TOMCAT_HOME/bin
        ./shutdown.sh


31) Stopped Apache
       
       $APACHE_HOME/bin/apachectl stop


32) Reconfigured Tomcat and Apache to do things I want them to do.

    a) In $APACHE_HOME/conf/httpd.conf made sure mod_jk is before mod_rewrite

      LoadModule jk_module          libexec/mod_jk.so
      LoadModule rewrite_module     libexec/mod_rewrite.so

    and

      AddModule mod_jk.c
      AddModule mod_rewrite.c

    and commented out the line
       # LoadModule jk_module libexec/mod_jserv.so

    in $TOMCAT_HOME/conf/mod_jk.conf, so that the module is loaded once,
    from httpd.conf, rather than a second time from the included file.

33) In $APACHE_HOME/conf/httpd.conf I added some rewrite
    rules before the
        ##  SSL Global Context
    comment, and also inside the 6443 virtual host scope after the line
        TransferLog /usr/local/apache_1.3.26/logs/access_log   :
         <IfModule mod_rewrite.c>
         RewriteEngine On
         RewriteLog /usr/local/apache_1.3.26/logs/rewrite_log
         RewriteLogLevel 2
         RewriteRule ^/ROOT/examples /examples [R]
         RewriteRule ^/ROOT/test /test [R]
         RewriteRule ^/ROOT/admin /admin [R]
         RewriteRule ^/ROOT/ROOT /ROOT [R]
         RewriteRule ^/tomcat.gif /ROOT/tomcat.gif [R]
         RewriteRule ^/examples/servlets$     /examples/servlets/  [R]
         RewriteRule ^/examples/jsp$     /examples/jsp/  [R]
         RewriteRule ^/examples$     /examples/  [R]
         RewriteRule ^/admin$          /admin/  [R]
         RewriteRule ^/ROOT$          /ROOT/  [R]
         RewriteRule ^/test$          /test/  [R]
         </IfModule>

    for the HTTP (port 6080) and HTTPS (virtual host at 6443). It was needed
    to cure a problem that $TOMCAT_HOME/webapps/ROOT
    is a Document Root for Tomcat, but for Apache, the 
    $APACHE_HOME/htdocs is the Document Root. 

34) Created new users, in my case webinst and webrun, and groups for
    them, home directories, and a regular login environment.
    The webrun was assigned /bin/bash and webinst had tcsh as primary
    shell (yes, I know that t/csh is brain dead, but people want it,
    and people will have it -- it sucks, e.g., with its limitation
    "Word too long" when your environment variable is longer than 1024 --
    it happens to me all the time with longer CLASSPATHs).
    Note that when you execute something as
          su - uid -c command
    the command string is handed to the login shell of uid (the shell
    assigned to uid in /etc/passwd) as "shell -c command". An executable
    script given by its path still gets started by the interpreter named
    in its #!/bin/someshell line, but anything else in that command string
    (variable assignments, redirections, a script that is not executable
    or that you source) is interpreted by the user's login shell, so write
    it for that shell. Some UNICES let you pick the shell on the su command
    line (GNU su on Linux has -s); I did not use this feature.
    The webinst will own most of the files in the web site, while
    webrun will be the user who runs the Apache server and Tomcat.
    It will own log files and other files which apache/tomcat need
    to write. In $APACHE_HOME/conf/httpd.conf I did:
       User webrun
       Group webrun
    (Since 6080 and 6443 are above 1024, httpd does not need root to bind
    them; root is still what starts it here, and the children drop to
    webrun.)
    Also, I changed the directories for the Document root and CGI-BIN
    Final version of httpd.conf is given here.
    Also chown_ed to webrun the log directories:

      chown -R webrun $APACHE_HOME/logs
      chgrp -R webrun $APACHE_HOME/logs

    And for tomcat:

      chown -R webrun $TOMCAT_HOME/conf
      chgrp -R webrun $TOMCAT_HOME/conf
      chown -R webrun $TOMCAT_HOME/logs
      chgrp -R webrun $TOMCAT_HOME/logs
      chown -R webrun $TOMCAT_HOME/work
      chgrp -R webrun $TOMCAT_HOME/work

    Tomcat runs as webrun, so logs and work (where it compiles JSPs)
    really have to be writable by that user. conf does not: Tomcat only
    reads server.xml and the other files there, and if webrun owns them a
    compromised web application can rewrite its own server configuration.
    It is tighter to leave conf owned by webinst with group webrun, mode
    750 on the directory and 640 on the files.

35) In $APACHE_HOME/bin

      cp apachectl apache-tomcat

    and edited apache-tomcat into a script which starts/stops both
    Tomcat and Apache. Here is an example: $APACHE_HOME/bin/apache-tomcat
    Then chmod-ed apache-tomcat to be executable:

       chmod 755 $APACHE_HOME/bin/apache-tomcat


36) Started apache/tomcat as:

       $APACHE_HOME/bin/apache-tomcat startssl

    and checked if http://server1.ccl.net:6080/examples and
    https://server1.ccl.net:6443/examples worked.
    They did, so I killed the server with:

       $APACHE_HOME/bin/apache-tomcat stop

    Now, I also changed the startup script httpd-jkl in /etc/rc.d/init.d
    to use apache-tomcat rather than apachectl. The final version
    is here. I also disabled the
    RH7.0 Apache which comes with the standard installation by

      /etc/rc.d/init.d/httpd stop
      chkconfig --del httpd
      chkconfig --list httpd

    which correctly showed that httpd will not be invoked on boot:
      httpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off

    and replaced Apache with this installation. I allowed the startup on
    boot by activating my script described above:

      chkconfig --add httpd-jkl
      chkconfig --list httpd-jkl

    with the list giving me OK:
       httpd-jkl       0:off   1:off   2:off   3:on    4:on    5:on    6:off
    Note, since we are using different ports, you do not have to stop the
    original Apache which works on the standard ports 80 and 443.

37) changed permissions/ownership on the example directories

      cd $TOMCAT_HOME/webapps
      chown -R webinst .
      chgrp -R webinst .
      cd $TOMCAT_HOME/logs
      chown -R  webrun .


38) After all these changes, the ports should be the following:

                        Orig       New    Files affected
    http (apache)       80    -->  6080   ${APACHE_HOME}/conf/httpd.conf
    https (apache)      443   -->  6443   ${APACHE_HOME}/conf/httpd.conf
    http (tomcat)       8080  -->  4180   ${TOMCAT_HOME}/conf/server.xml
                                          (disabled)
    tomcat/ajp13        8009  -->  4007   ${TOMCAT_HOME}/conf/workers.properties
                                          ${TOMCAT_HOME}/conf/server.xml
    tomcat/ajp12        8007  -->  4006   ${TOMCAT_HOME}/conf/workers.properties
                                          ${TOMCAT_HOME}/conf/server.xml

    Whatever numbers you pick, the AJP ports carry unauthenticated
    requests from mod_jk to Tomcat, and anyone who can reach them can
    talk to Tomcat directly, bypassing the Basic Authentication and
    everything else configured in Apache. They should be bound to the
    loopback address or filtered so that only the Apache host can connect.


39) Since starting/stopping apache+tomcat in this environment requires
    one to be root, I created C wrappers to start and stop the whole zoo.
    $APACHE_HOME/bin/apache_start.c

   and compiled it with

     gcc -o apache_start apache_start.c

   as root, and then added the setuid/setgid permission bits to the
   resulting apache_start executable as:

     chmod ug+s apache_start

   Since the file was created by root, this makes it a setuid-root
   program, and with the default mode it is executable by every account
   on the machine. Two things follow for how such a wrapper should be
   written and installed. It inherits the caller's environment (PATH,
   IFS, LD_LIBRARY_PATH and friends), so it must run the start/stop
   script by its absolute path with an environment it builds itself,
   and never pass its own arguments through to a shell. And the execute
   bit should be limited to the group of people who are allowed to
   bounce the server (mode 4750 with a dedicated group, rather than
   755 plus ug+s); otherwise any local user can restart the web server.

   I did exactly the same with apache_stop.c

      gcc -o apache_stop apache_stop.c
      chmod ug+s apache_stop

   $APACHE_HOME/bin/apache_stop.c

   Now, people do not have to have root access to start/stop the Web
   Server/Tomcat.

   I also added a C program killme.c which kills the processes which are
   running as user webrun. It is intended to be used after "apache_stop"
   to kill runaway processes started by Apache, Tomcat, or JServ.
   After compiling the program:

      gcc -o killme killme.c

   I changed its user and group ownership to webrun and added the
   SETUID permission bits:

      chown webrun killme
      chgrp webrun killme
      chmod ug+s killme

   Because killme runs with effective uid webrun rather than root,
   kill(2) itself refuses any process owned by neither webrun nor the
   caller, so the wrapper needs no ownership lookup of its own. What it
   must check is its argument list: to kill(2), pid 0 and negative pids
   name process groups and -1 means every process the caller may signal,
   so only positive decimal integers should be accepted.

   To learn which processes need to be killed, the user does

       ps -ef | grep webrun | grep -v grep

   (I actually saved this line as a shell script "killwhich" so they can
   just type: killwhich),
   and the user can kill the processes listed by the previous command as:
       killme pid1 pid2 ....
   where pidn is the process id number in the second column.
   $APACHE_HOME/bin/killme.c


40) If you look at my httpd.conf file,
    I have there a virtual host on HTTPS port 6443. The DocumentRoot
    directory of this virtual host, /content/html/private, and the CGI
    script directory /content/cgi/private are protected with Basic
    Authentication and contain this .htaccess file:

       AuthUserFile /usr/local/apache_1.3.26/auth/htpasswd
       AuthGroupFile /usr/local/apache_1.3.26/auth/htgroup
       AuthName "This directory is for internal users only"
       AuthType Basic

       <Limit GET POST PUT>
       require group cclstaff
       </Limit>

    Two things are worth knowing about this file. Basic Authentication
    sends the user name and password base64-encoded (not encrypted) with
    every request, which is why it lives only on the HTTPS virtual host
    and would be a bad idea on port 6080. And <Limit GET POST PUT>
    applies the require directive to those three methods only (HEAD is
    treated as GET): a request using any other method, e.g. OPTIONS or
    TRACE, or DELETE where a module or CGI handles it, is served without
    authentication. Unless you really want method-specific rules, put
    the require line outside any <Limit> so that it covers every method.
    The password and group files live under the server root, outside
    any DocumentRoot, so they cannot be fetched over the web.

    My /usr/local/apache_1.3.26/auth/htpasswd was similar to:

      jkl:mqcxlex/TV9ywg
      bubus:yVDEJCCn9/Lxo
      lalus:F90sLCbaEEo
        ...

    i.e., it listed user names and their encrypted passwords. You can
    get the encrypted password by typing at the UNIX command line:

       perl
          print crypt("PASSWORD", "AB"), "\n";
       ^D

    where "PASSWORD" should be the actual clear text password in quotes,
    "AB" is a two character salt (can be any combination of letters,
    digits and some other characters, but stay with letters and digits
    to be on the safe side), and ^D is CTRL/D. For example, the above
    would yield: ABIp8WSAPJnhI (of course, I am not endorsing using
    PASSWORD for a password).
    This is the traditional DES-based crypt(3): the salt has only 4096
    possible values and only the first eight characters of the password
    are used, the rest being silently ignored, so "PASSWORD" and
    "PASSWORD123" give the same entry. Apache's own htpasswd program,
    which comes with this distribution, can instead write MD5-based
    entries (htpasswd -m) that have no such length limit, and is the
    better choice for new files.

    My /usr/local/apache_1.3.26/auth/htgroup was similar to:

      cclstaff:jkl bubus lalus

    Of course you can have more groups and people.

                 -- THE END --

If you see something wrong here, please let me know, so I can save
other peoples time.

Jan    
Modified: Fri Oct 4 06:16:42 2002 GMT