Steps to set up an Apache SSL VirtualHost as LCG BDII software repository

Objective:
To define and configure the VirtualHost https://lcg-bdii.cern.ch:5252 on host lxshare0251.cern.ch.

Background:
DNS aliases lcg-vo.cern.ch (for the LDAP configuration of the DTEAM Virtual Organisation (VO)) and lcg-registrar.cern.ch (for the LDAP configuration of O=registrar) were already defined for this host as needed for the 'group' entries in the gridmap configuration file.
The host alias lcg-registrar.cern.ch is also used (in the Apache configuration file /etc/httpd/conf/httpd.conf) as the default SSL web server (port number 443), accepting client certificates for LCG user registration via https://lcg-registrar.cern.ch.

Steps:

  1. Defined DNS alias lcg-bdii.cern.ch in http://network.cern.ch for lxshare0251.cern.ch to create a clearly separate URL for this VirtualHost.
  2. Obtained a separate host certificate for this host alias and installed it, together with its key, in a designated directory on the host under different filenames.
  3. Changed the apache configuration file so that:
  4. Prepared AFS directory /afs/cern.ch/project/gd/www/gis/bdii-conf with appropriate ACLs for the data owners. A number of people in the IT/GD/GIS section and the group's webmasters have 'rlidwka' access control rights in this directory.
  5. Wrote a ./.htaccess file to allow directory listing.

Apache configuration sample:
The subset of the /etc/httpd/conf/httpd.conf file specific to the SSL VirtualHost definition can be found here. All hostname, port number and file path information is changed to generic values for security and privacy reasons.
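
For orientation, a minimal sketch of how the steps above fit together in httpd.conf. It is an added illustration, not the linked sample or the configuration actually deployed. The certificate paths are placeholders, and serving the AFS directory as the document root is an assumption. Because this VirtualHost listens on its own port, it can present its own certificate independently of the default SSL server on 443.

```apache
# Added illustration, not the original CERN configuration.
# Second SSL listener, separate from the default SSL server on port 443.
Listen 5252

<VirtualHost *:5252>
    ServerName lcg-bdii.cern.ch

    SSLEngine on
    # Certificate and key issued for the alias (step 2).
    # Placeholder paths: use the designated directory and filenames on the host.
    SSLCertificateFile    /path/to/certs/lcg-bdii-cert.pem
    SSLCertificateKeyFile /path/to/certs/lcg-bdii-key.pem

    # Assumption: the AFS directory from step 4 is served as the document root.
    DocumentRoot /afs/cern.ch/project/gd/www/gis/bdii-conf

    <Directory /afs/cern.ch/project/gd/www/gis/bdii-conf>
        # Nothing is enabled here; .htaccess may change Options and
        # nothing else, which is what step 5 relies on.
        Options None
        AllowOverride Options
        # Access-control directives are omitted: they depend on the Apache
        # version and on who is allowed to read the repository.
    </Directory>
</VirtualHost>

# ./.htaccess in that directory (step 5) then only needs:
#   Options +Indexes
```

Restricting AllowOverride to Options keeps the data owners, who can write to the AFS directory, from overriding authentication or other server settings through .htaccess. Keep the private key readable by root only, and run `apachectl configtest` before restarting the server.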

Maria Dimou, IT/GD, Grid Infrastructure Services