This procedure installs a secure version of the Apache webserver. To install a non-secure Apache webserver, see Installing a Non-Secure Apache Webserver.
Become superuser on a cluster member.
Install the Apache software, including mod_ssl.
To install mod_ssl, see the Apache installation documentation or the installation instructions at http://www.modssl.org.
Update the httpd.conf configuration file.
Set the ServerName directive.
Set the BindAddress directive (optional).
Set the ServerType, ServerRoot, DocumentRoot, ScriptAlias, and LockFile directives.
Set the Port directive to the same number as the Port_list standard resource property. See Step 4 for more information.
If you choose to run the Apache software as a proxy server, make the required configuration changes. See the Apache documentation for more information. When the Apache software runs as a proxy server, the CacheRoot setting must point to a location on the cluster file system.
Verify that the port number or numbers in the httpd.conf file match those of the Port_list standard resource property.
You can edit the httpd.conf configuration file to change its port number or numbers to match the standard Sun Cluster resource property default (port 80). Alternatively, while you configure Sun Cluster HA for Apache, you can set the Port_list standard property to match the setting in the httpd.conf file.
Install all certificates and keys.
In the Bin_dir directory, create a file called keypass. Make sure that no one other than the owner has any permissions for this file.
# cd Bin_dir
# touch keypass
# chmod 700 keypass
If you are using encrypted private keys, perform Step a and Step b, which follow.
In the httpd.conf file, look for the SSLPassPhraseDialog directive and modify it as follows.
SSLPassPhraseDialog exec:/Bin_dir/keypass
See the mod_ssl documentation for details about the SSLPassPhraseDialog directive.
Edit the keypass file so that it prints the pass phrase for the encrypted key corresponding to a host and a port.
This file will be called with server:port algorithm as arguments. Make sure that the file can print the pass phrase for each of your encrypted keys when called with the correct parameters.
Later, when you attempt to start the webserver manually, it must not prompt you for a pass phrase. For example, for a secure webserver listening on ports 8080 and 8888, with private keys for both encrypted using RSA, the keypass file could be the following.
#!/bin/ksh
# Called as: keypass server:port algorithm
host=`echo "$1" | cut -d: -f1`
port=`echo "$1" | cut -d: -f2`
algorithm=$2
# Print the pass phrase only for a known host, algorithm, and port.
if [ "$host" = "button-1.eng.sun.com" -a "$algorithm" = "RSA" ]; then
    case "$port" in
        8080) echo passphrase-for-8080;;
        8888) echo passphrase-for-8888;;
    esac
fi
The keypass file must not be readable, writable, or executable by anyone other than the owner.
In the httpd.conf file, set the SSLLogLevel directive to warn to avoid logging a message every time the webserver is probed by Sun Cluster HA for Apache.
Update the paths in the Apache start/stop script file (Bin_dir/apachectl).
You must change the paths from the Apache defaults to match your Apache directory structure.
Perform the following tasks to verify your configuration changes.
Run apachectl configtest to check the Apache httpd.conf file for correct syntax.
Ensure that any logical hostnames or shared addresses that Apache uses are configured and online.
Issue apachectl start to start up your Apache server by hand.
Make sure that the webserver does not ask you for a passphrase.
If Apache does not start up correctly, correct the problem.
After Apache has started, stop it before moving to the next procedure.
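The keypass requirements in this procedure (no permissions for anyone but the owner, and a pass phrase printed for every server:port algorithm pair) can be checked before you run apachectl start. The following POSIX shell functions are an added example, not part of the original procedure; the function names, the host www.example.test, and the sample pass phrases are constructed for illustration.

```shell
#!/bin/sh
# keypass_mode_ok FILE: succeed only if group and other have no permission bits.
keypass_mode_ok() {
    # Characters 5-10 of the ls mode string are the group and other bits.
    bits=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$bits" = "------" ]
}

# keypass_answers FILE SERVER:PORT ALGORITHM: succeed only if the helper
# prints a non-empty pass phrase. The pass phrase itself is never echoed.
keypass_answers() {
    phrase=$("$1" "$2" "$3" 2>/dev/null) || return 1
    [ -n "$phrase" ]
}

# check_keypass FILE ALGORITHM SERVER:PORT...: report every problem found and
# return 0 only if the file is owner-only and answers for each endpoint.
check_keypass() {
    file=$1 algorithm=$2 status=0
    shift 2
    if ! keypass_mode_ok "$file"; then
        echo "FAIL: $file is accessible to group or other" >&2
        status=1
    fi
    for endpoint in "$@"; do
        if ! keypass_answers "$file" "$endpoint" "$algorithm"; then
            echo "FAIL: no pass phrase for $endpoint $algorithm" >&2
            status=1
        fi
    done
    return $status
}

# make_sample_keypass DIR: write a constructed helper modelled on the keypass
# example above (constructed host name and pass phrases) to try the checks on.
make_sample_keypass() {
    cat > "$1/keypass" <<'EOF'
#!/bin/sh
host=${1%%:*} port=${1##*:}
if [ "$host" = "www.example.test" ] && [ "$2" = "RSA" ]; then
    case "$port" in
        8080) echo constructed-phrase-8080 ;;
        8888) echo constructed-phrase-8888 ;;
    esac
fi
EOF
    chmod 700 "$1/keypass"
}
```

Against a real installation, call check_keypass with the path to Bin_dir/keypass, the key algorithm, and each server:port pair that the secure webserver listens on. A failure for any pair means Apache would prompt for a pass phrase at startup.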