Index: openacs-4/packages/acs-core-docs/www/openacs.html =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-core-docs/www/openacs.html,v diff -u -r1.6.2.10 -r1.6.2.11 --- openacs-4/packages/acs-core-docs/www/openacs.html 4 May 2003 06:30:02 -0000 1.6.2.10 +++ openacs-4/packages/acs-core-docs/www/openacs.html 7 May 2003 17:40:59 -0000 1.6.2.11 @@ -1,22 +1,22 @@ -
+
by Vinod Kurup
OpenACS docs are written by the named authors, and may be edited
by OpenACS documentation staff.
-
The reference install stores all OpenACS services in - /web, with one subdirectory per +
The reference install stores all OpenACS services in + /web, with one subdirectory per service. The first time you install a service, you must create - that directory and set its permissions:
[root@yourserver root]# mkdir /web -[root@yourserver root]# chgrp web /web -[root@yourserver root]# chmod 770 /web + that directory and set its permissions:[root@yourserver root]# mkdir /web +[root@yourserver root]# chgrp web /web +[root@yourserver root]# chmod 770 /web [root@yourserver root]# -mkdir /web +mkdir /web chgrp web /web -chmod 770 /web
You should already have downloaded the OpenACS tarball - to the /tmp directory. If +chmod 770 /web
You should already have downloaded the OpenACS tarball + to the /tmp directory. If noot, download the OpenACS tarball and save it in - /tmp and proceed:
+ /tmp and proceed:
AOLserver needs to be started as the root user if you want to use port 80. Once it starts, though, it will drop the root privileges and run as another user, which you must specify on the command line. It's @@ -29,36 +29,36 @@ for each different service. A service name should be a single word, letters and numbers only. If the name of your site is one word, that would be a good choice. For - example "service0" might be the service name for the - service0.net + example "service0" might be the service name for the + service0.net community.
For the 4.6.3-P and 4.6.3-O Reference Platform, - we'll use a server named service0 and - a user named service0. We'll leave the password + we'll use a server named service0 and + a user named service0. We'll leave the password blank for increased security. The only way to log in will be with ssh certificates. The only people who should log in are developers for that specific instance. Add this user, and put - it in the web group so that it + it in the web group so that it can use database commands associated with that group. -
[root@yourserver root]# useradd -g web service0 +[root@yourserver root]# useradd -g web service0 [root@yourserver root]#
Set up database environment variables. They are necessary for working with the database. -
[root@yourserver root]# su - service0 -[service0@yourserver service0]$ emacs .bashrc
Put in the appropriate lines for the database you are running. If you will use both databases, put in both sets of lines.
PostGreSQL:
export LD_LIBRARY_PATH=LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/pgsql/lib +[root@yourserver root]# su - service0 +[service0@yourserver service0]$ emacs .bashrc
Put in the appropriate lines for the database you are running. If you will use both databases, put in both sets of lines.
PostGreSQL:
export LD_LIBRARY_PATH=LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/pgsql/lib export PATH=$PATH:/usr/local/pgsql/binOracle. These environment variables are specific for a local Oracle installation communicating via IPC. If you are connecting to a remote Oracle installation, you'll need to adjust these appropriately. Also, make sure that the '8.1.7' matches your Oracle version.
export ORACLE_BASE=/ora8/m01/app/oracle -export ORACLE_HOME=$ORACLE_BASE/product/8.1.7 +export ORACLE_HOME=$ORACLE_BASE/product/8.1.7 export PATH=$PATH:$ORACLE_HOME/bin export LD_LIBRARY_PATH=$ORACLE_HOME/lib:/lib:/usr/lib export ORACLE_SID=ora8 export ORACLE_TERM=vt100 export ORA_NLS33=$ORACLE_HOME/ocommon/nls/admin/dataTest this by logging out and back in as - service0 and checking the paths.
[service0@yourserver service0]$ exit + service0 and checking the paths.[service0@yourserver service0]$ exit logout -[root@yourserver src]# su - service0 -[postgres@yourserver pgsql]$ env | grep PATH +[root@yourserver src]# su - service0 +[postgres@yourserver pgsql]$ env | grep PATHFor PostGreSQL, you should see:
LD_LIBRARY_PATH=LD_LIBRARY_PATH=:/usr/local/pgsql/lib PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/bin/X11:/usr/X11R6/bin:/root/bin:/usr/local/pgsql/bin:/usr/local/pgsql/binFor Oracle:
ORACLE_BASE=/ora8/m01/app/oracle @@ -67,104 +67,104 @@ LD_LIBRARY_PATH=/ora8/m01/app/oracle/product/8.1.7/lib:/lib:/usr/lib ORACLE_SID=ora8 ORACLE_TERM=vt100 -ORA_NLS33=$ORACLE_HOME/ocommon/nls/admin/data[service0@yourserver service0]$ exit +ORA_NLS33=$ORACLE_HOME/ocommon/nls/admin/data[service0@yourserver service0]$ exit logout -[root@yourserver root]#Unpack the OpenACS tarball and rename it to service0. Secure the directory so that only the owner can access it. Check the permissions by listing the directory.
[root@yourserver root]# su - service0 -[service0@yourserver service0]$ cd /web -[service0@yourserver web]$ tar xzf /tmp/openacs-4.6.3.tgz -[service0@yourserver web]$ mv openacs-4.6.3 service0 -[service0@yourserver web]$ chmod -R 700 service0 -[service0@yourserver web]$ ls -al +[root@yourserver root]#Unpack the OpenACS tarball and rename it to service0. Secure the directory so that only the owner can access it. Check the permissions by listing the directory.
[root@yourserver root]# su - service0 +[service0@yourserver service0]$ cd /web +[service0@yourserver web]$ tar xzf /tmp/openacs-4.6.3.tgz +[service0@yourserver web]$ mv openacs-4.6.3 service0 +[service0@yourserver web]$ chmod -R 700 service0 +[service0@yourserver web]$ ls -al total 3 drwxrwx--- 3 root web 1024 Mar 29 16:41 . drwxr-xr-x 25 root root 1024 Mar 29 16:24 .. drwx------ 7 service0 web 1024 Jan 6 14:36 service0 -[service0@yourserver web]$ exit +[service0@yourserver web]$ exit logout [root@yourserver root]# -su - service0 +su - service0 cd /web tar xzf /tmp/openacs-4.6.3.tgz mv openacs-4.6.3 service0 chmod -R 700 service0/ -exit
Add the Service to CVS - OPTIONAL.�If this is a development server, you may want to add +exit
Add the Service to CVS - OPTIONAL.�If this is a development server, you may want to add it to a CVS - repository..
Create and set permissions on a subdirectory in the local cvs repository.
[root@yourserver root]# mkdir /cvsroot/service0 -[root@yourserver root]# chown service0.web /cvsroot/service0 + repository..
Create and set permissions on a subdirectory in the local cvs repository.
[root@yourserver root]# mkdir /cvsroot/service0 +[root@yourserver root]# chown service0.web /cvsroot/service0 [root@yourserver root]# -mkdir /cvsroot/service0 -chown service0.web /cvsroot/service0Add the repository location to the user environment.
[root@yourserver root]# su - service0 -[service0@yourserver service0]$ emacs .bashrc
Put this string into /home/service0/.bashrc:
export CVSROOT=/cvsroot[service0@yourserver service0]$ exit +mkdir /cvsroot/service0 +chown service0.web /cvsroot/service0
Add the repository location to the user environment.
[root@yourserver root]# su - service0 +[service0@yourserver service0]$ emacs .bashrc
Put this string into /home/service0/.bashrc:
export CVSROOT=/cvsroot[service0@yourserver service0]$ exit logout [root@yourserver root]#Import all files into cvs. In order to work on files with source control, the files must be checked out from cvs. So we will import, move aside, and then check out all of the files. In the cvs import command, - service0 + service0 refers to the cvs repository to use; it uses the CVSROOT plus this string, i.e. - /cvsroot/service0. + /cvsroot/service0. "OpenACS" is the vendor tag, and "openacs-4-6-3" is the release tag. These tags will be useful in upgrading and - branching. -m sets the version comment.
[root@yourserver root]# su - service0 -[service0@yourserver service0]$ cd /web/service0 -[service0@yourserver service0]$ cvs import -m "initial install" service0 OpenACS openacs-4-6-3 -N service0/license.txt -N service0/readme.txt + branching. -m sets the version comment.[root@yourserver root]# su - service0 +[service0@yourserver service0]$ cd /web/service0 +[service0@yourserver service0]$ cvs import -m "initial install" service0 OpenACS openacs-4-6-3 +N service0/license.txt +N service0/readme.txt (many lines omitted) -N service0/www/SYSTEM/flush-memoized-statement.tcl +N service0/www/SYSTEM/flush-memoized-statement.tcl No conflicts created by this import [service0@yourserver service0]$ -su - service0 -cd /web/service0 -cvs import -m "initial install" service0 OpenACS openacs-4-6-3Move the original directory to a temporary location, and check out the cvs repository in its place. If the service starts correctly, come back and remove the temporary copy of the uploaded files.
[service0@yourserver service0]$ cd .. -[service0@yourserver web]$ mv service0 service0.orig -[service0@yourserver web]$ cvs checkout service0 -cvs checkout: Updating service0 -U service0/license.txt +su - service0 +cd /web/service0 +cvs import -m "initial install" service0 OpenACS openacs-4-6-3
Move the original directory to a temporary location, and check out the cvs repository in its place. If the service starts correctly, come back and remove the temporary copy of the uploaded files.
[service0@yourserver service0]$ cd .. +[service0@yourserver web]$ mv service0 service0.orig +[service0@yourserver web]$ cvs checkout service0 +cvs checkout: Updating service0 +U service0/license.txt (many lines omitted) -U service0/www/SYSTEM/dbtest.tcl -U service0/www/SYSTEM/flush-memoized-statement.tcl -[service0@yourserver web]$ exit +U service0/www/SYSTEM/dbtest.tcl +U service0/www/SYSTEM/flush-memoized-statement.tcl +[service0@yourserver web]$ exit logout [root@yourserver web]# -cd .. -mv service0 service0.orig -cvs checkout service0 -exitSet up several additional directories in the service root: - etc is for configuration and control files, log is for error and request (web page hit) log files, and database-backup is for database backup files. If you did the CVS step, note that these new directories are excluded from that step so that you can decide whether or not you want your logs and config files in source control.
[root@yourserver root]# su - service0 -[service0@yourserver service0]$ mkdir /web/service0/etc /web/service0/log /web/service0/database-backup -[service0@yourserver web]$ exit +cd .. +mv service0 service0.orig +cvs checkout service0 +exit
Set up several additional directories in the service root: + etc is for configuration and control files, log is for error and request (web page hit) log files, and database-backup is for database backup files. If you did the CVS step, note that these new directories are excluded from that step so that you can decide whether or not you want your logs and config files in source control.
[root@yourserver root]# su - service0 +[service0@yourserver service0]$ mkdir /web/service0/etc /web/service0/log /web/service0/database-backup +[service0@yourserver web]$ exit logout [root@yourserver web]# -su - service0 -mkdir /web/service0/etc /web/service0/log /web/service0/database-backup -exit
OPTIONAL - if you won't be using Oracle, skip to Prepare PostgreSQL for OpenACS
+
su - service0
+mkdir /web/service0/etc /web/service0/log /web/service0/database-backup
+exit
OPTIONAL - if you won't be using Oracle, skip to Prepare PostgreSQL for OpenACS
You should be sure that your user account - (e.g. service0) is in the - dba group. + (e.g. service0) is in the + dba group.
Verify membership by typing - groups when you login: + groups when you login:
-service0:~$ groups +service0:~$ groups dba web
If you do not see these groups, take the following action:
-service0:~$ su - +service0:~$ su - Password: ************ -root:~# adduser service0 dba
+root:~# adduser service0 dba
If you get an error about an undefined group, then add that group manually: @@ -173,15 +173,15 @@ root:~# groupadd dba root:~# groupadd web
- Make sure to logout as root when + Make sure to logout as root when you are finished with this step and log back in as your regular user.
Connect to Oracle using - svrmgrl and login: + svrmgrl and login:
-service0:~$ svrmgrl +service0:~$ svrmgrl SVRMGR> connect internal Connected.
@@ -204,31 +204,31 @@ Using the above output, you should determine where to store your tablespace. As a general rule, you'll want to store your tablespace on a mount point under the - /ora8 directory that is separate + /ora8 directory that is separate from the Oracle system data files. By default, the Oracle system - is on m01, so we will use - m02. This enables your Oracle + is on m01, so we will use + m02. This enables your Oracle system and database files to be on separate disks for optimized performance. For more information on such a configuration, see Chapter 12 of Philip's book. For this example, we'll use - /ora8/m02/oradata/ora8/. + /ora8/m02/oradata/ora8/.
Create the directory for the datafile; to do this, - exit from svrmgrl and login as - root for this step:
+ exit from svrmgrl and login as + root for this step:SVRMGR> exit -service0:~$ su - +service0:~$ su - Password: ************ root:~# mkdir -p /ora8/m02/oradata/ora8/ -root:~# chown service0.web /ora8/m02/oradata/ora8 +root:~# chown service0.web /ora8/m02/oradata/ora8 root:~# chmod 775 /ora8/m02/oradata/ora8 root:~# exit -service0:~$
+service0:~$
Create a tablespace for the service. It is important that the - tablespace can autoextend. This + tablespace can autoextend. This allows the tablespace's storage capacity to grow as the size of the data grows. We set the pctincrease to be a very low value so that our extents won't grow geometrically. We do not set @@ -237,11 +237,11 @@ tablespace.
-service0:~$ svrmgrl +service0:~$ svrmgrl SVRMGR> connect internal; -SVRMGR> create tablespace service0 - datafile '/ora8/m02/oradata/ora8/service001.dbf' +SVRMGR> create tablespace service0 + datafile '/ora8/m02/oradata/ora8/service001.dbf' size 50M autoextend on next 10M @@ -250,26 +250,26 @@ uniform size 32K;
Create a database user for this service. Give the user access to the tablespace and rights to connect. We'll use - service0password as our password.
+ service0password as our password.
Write down what you specify as service_name - (i.e. service0) and + (i.e. service0) and database_password - (i.e. service0password). You + (i.e. service0password). You will need this information for configuring exports and AOLserver.
-SVRMGR> create user service0 identified by service0password default tablespace service0 -temporary tablespace temp quota unlimited on service0; -SVRMGR> grant connect, resource, ctxapp, javasyspriv, query rewrite to service0; -SVRMGR> revoke unlimited tablespace from service0; -SVRMGR> alter user service0 quota unlimited on service0; +SVRMGR> create user service0 identified by service0password default tablespace service0 +temporary tablespace temp quota unlimited on service0; +SVRMGR> grant connect, resource, ctxapp, javasyspriv, query rewrite to service0; +SVRMGR> revoke unlimited tablespace from service0; +SVRMGR> alter user service0 quota unlimited on service0; SVRMGR> exit;
Your table space is now ready. In case you are trying to delete a - previous OpenACS installation, consult these commands in the section called “Deleting a tablespace” below. + previous OpenACS installation, consult these commands in Section�, “Deleting a tablespace” below.
Make sure that you can login to Oracle using your service_name account:
-service0:~$ sqlplus service0/service0password +service0:~$ sqlplus service0/service0password SQL> select sysdate from dual; SYSDATE @@ -280,50 +280,50 @@ You should see today's date in a format 'YYYY-MM-DD.' If you can't login, try redoing step 1 again. If the date is in the wrong format, make sure you followed the steps outlined in - the section called “Troubleshooting Oracle Dates” -
Create a user in the database matching the service name.
[root@yourserver root]# su - postgres -[postgres@yourserver pgsql]$ createuser service0 -Shall the new user be allowed to create databases? (y/n) y -Shall the new user be allowed to create more new users? (y/n) y + Section�, “Troubleshooting Oracle Dates” +
Create a user in the database matching the service name.
[root@yourserver root]# su - postgres
+[postgres@yourserver pgsql]$ createuser service0
+Shall the new user be allowed to create databases? (y/n) y
+Shall the new user be allowed to create more new users? (y/n) y
CREATE USER
-[postgres@yourserver pgsql]$ exit
+[postgres@yourserver pgsql]$ exit
logout
-[root@yourserver root]#
Create a database with the same name as our service name, service0.
[root@yourserver root]# su - service0 -[service0@yourserver service0]$ createdb service0 +[root@yourserver root]#
Create a database with the same name as our service name, service0.
[root@yourserver root]# su - service0 +[service0@yourserver service0]$ createdb service0 CREATE DATABASE [service0@yourserver service0]$ -su - service0 -createdb service0
Automate daily database Vacuuming. This is a process which cleans out discarded data from the database. A quick way to automate vacuuming is to edit the cron file for the database user.
[service0@yourserver service0]$ export EDITOR=emacs;crontab -e
Add this line to the file. The numbers and stars at the beginning are cron columns that specify when the program should be run - in this case, whenever the minute is 0 and the hour is 1, i.e., 1:00 am every day.
0 1 * * * /usr/local/pgsql/bin/vacuumdb --analyze service0
Add Full Text Search Support - OPTIONAL
If you are installing Full Text Search, add required packages to the new database.
[service0@yourserver service0]$ /usr/local/pgsql/bin/psql service0 -f /usr/local/src/postgresql-7.2.4/contrib/tsearch/tsearch.sql
+su - service0
+createdb service0
Automate daily database Vacuuming. This is a process which cleans out discarded data from the database. A quick way to automate vacuuming is to edit the cron file for the database user.
[service0@yourserver service0]$ export EDITOR=emacs;crontab -e
Add this line to the file. The numbers and stars at the beginning are cron columns that specify when the program should be run - in this case, whenever the minute is 0 and the hour is 1, i.e., 1:00 am every day.
0 1 * * * /usr/local/pgsql/bin/vacuumdb --analyze service0
Add Full Text Search Support - OPTIONAL
If you are installing Full Text Search, add required packages to the new database.
[service0@yourserver service0]$ /usr/local/pgsql/bin/psql service0 -f /usr/local/src/postgresql-7.2.4/contrib/tsearch/tsearch.sql BEGIN CREATE (many lines omitted) INSERT 0 1 COMMIT -[service0@yourserver service0]$ /usr/local/pgsql/bin/psql service0 -f /usr/local/src/postgresql-7.2.4/contrib/pgsql_contrib_openfts/openfts.sql +[service0@yourserver service0]$ /usr/local/pgsql/bin/psql service0 -f /usr/local/src/postgresql-7.2.4/contrib/pgsql_contrib_openfts/openfts.sql CREATE CREATE [service0@yourserver service0]$ -/usr/local/pgsql/bin/psql service0 -f /usr/local/src/postgresql-7.2.4/contrib/tsearch/tsearch.sql -/usr/local/pgsql/bin/psql service0 -f /usr/local/src/postgresql-7.2.4/contrib/pgsql_contrib_openfts/openfts.sql
[service0@yourserver service0]$ exit
+/usr/local/pgsql/bin/psql service0 -f /usr/local/src/postgresql-7.2.4/contrib/tsearch/tsearch.sql
+/usr/local/pgsql/bin/psql service0 -f /usr/local/src/postgresql-7.2.4/contrib/pgsql_contrib_openfts/openfts.sql
[service0@yourserver service0]$ exit logout -[root@yourserver root]#
The AOLserver architecture lets you run an arbitrary number of virtual servers. A virtual server is an HTTP service running on a specific port, e.g. port 80. In order for OpenACS to work, you - need to configure a virtual server. The Reference Platform uses a configuration file included in the OpenACS tarball. Copy it to the /web/service0/etc directory and open it in an editor to adjust the parameters.
[root@yourserver root]# su - service0 -[service0@yourserver service0]$ cd /web/service0/etc -[service0@yourserver etc]# cp /web/service0/packages/acs-core-docs/www/files/config.tcl.txt config.tcl -[service0@yourserver etc]# emacs config.tcl + need to configure a virtual server. The Reference Platform uses a configuration file included in the OpenACS tarball. Copy it to the /web/service0/etc directory and open it in an editor to adjust the parameters.[root@yourserver root]# su - service0 +[service0@yourserver service0]$ cd /web/service0/etc +[service0@yourserver etc]# cp /web/service0/packages/acs-core-docs/www/files/config.tcl.txt config.tcl +[service0@yourserver etc]# emacs config.tcl- You can continue without changing any values in the file. However, if you don't change address to match the computer's ip address, you won't be able to browse to your server from other machines. + You can continue without changing any values in the file. However, if you don't change address to match the computer's ip address, you won't be able to browse to your server from other machines.
httpport - If you want your server on a different port, enter it here. The Reference Platform port is 8000, which is suitable for development use. Port 80 is the standard http port - it's the port used by your browser when you enter http://yourserver.test. So you should use port 80 for your production site.
httpsport - This is the port for https requests. The Reference Platform https port is 8443. If http port is set to 80, httpsport should be 143 to match the standard.
- address - The IP address of the server. If you are hosting multiple IPs on one computer, this is the address specific to the web site. Each virtual server will ignore any requests directed at other addresses.
server - This is the keyword that, by convention, identifies the service. It is also used as part of the path for the service root, as the name of the user for running the service, as the name of the database, and in various dependent places. The Reference Platform uses service0. + address - The IP address of the server. If you are hosting multiple IPs on one computer, this is the address specific to the web site. Each virtual server will ignore any requests directed at other addresses.
server - This is the keyword that, by convention, identifies the service. It is also used as part of the path for the service root, as the name of the user for running the service, as the name of the database, and in various dependent places. The Reference Platform uses service0.
db_name - In almost all cases, this can be kept as a reference to $server. If for some reason, @@ -337,117 +337,117 @@ AOLServer is very configurable. These settings should get you started, but for more options, read the AOLServer docs. -
OPTIONAL: To run OpenFTS, uncomment this line from config.tcl. (To uncomment a line in a tcl file, remove the # at the beginning of the line.)
#ns_param nsfts ${bindir}/nsfts.soOPTIONAL: To run nsopenssl:
Uncomment this line from config.tcl.
#ns_param nsopenssl ${bindir}/nsopenssl.so -Prepare a certificate directory for the service.
[service0@yourserver etc]$ mkdir /web/service0/etc/certs -[service0@yourserver etc]$ chmod 700 /web/service0/etc/certs +OPTIONAL: To run OpenFTS, uncomment this line from config.tcl. (To uncomment a line in a tcl file, remove the # at the beginning of the line.)
#ns_param nsfts ${bindir}/nsfts.soOPTIONAL: To run nsopenssl:
Uncomment this line from config.tcl.
#ns_param nsopenssl ${bindir}/nsopenssl.so +Prepare a certificate directory for the service.
[service0@yourserver etc]$ mkdir /web/service0/etc/certs +[service0@yourserver etc]$ chmod 700 /web/service0/etc/certs [service0@yourserver etc]$ -mkdir /web/service0/etc/certs -chmod 700 /web/service0/etc/certsIt takes two files to support an SSL connection. The certificate is the public half of the key pair - the server sends the certificate to browser requesting ssl. The key is the private half of the key pair. In addition, the certificate must be signed by Certificate Authority or browsers will protest. Each web browser ships with a built-in list of acceptable Certificate Authorities (CAs) and their keys. Only a site certificate signed by a known and approved CA will work smoothly. Any other certificate will cause browsers to produce some messages or block the site. Unfortunately, getting a site certificate signed by a CA costs money. In this section, we'll generate an unsigned certificate which will work in most browsers, albeit with pop-up messages.
Use an OpenSSL perl script to generate a certificate and key.
[service0@yourserver service0]$ cd /web/service0/etc/certs -[service0@yourserver certs]$ perl /usr/share/ssl/misc/CA -newcert +mkdir /web/service0/etc/certs +chmod 700 /web/service0/etc/certs
It takes two files to support an SSL connection. The certificate is the public half of the key pair - the server sends the certificate to browser requesting ssl. The key is the private half of the key pair. In addition, the certificate must be signed by Certificate Authority or browsers will protest. Each web browser ships with a built-in list of acceptable Certificate Authorities (CAs) and their keys. Only a site certificate signed by a known and approved CA will work smoothly. Any other certificate will cause browsers to produce some messages or block the site. Unfortunately, getting a site certificate signed by a CA costs money. In this section, we'll generate an unsigned certificate which will work in most browsers, albeit with pop-up messages.
Use an OpenSSL perl script to generate a certificate and key.
[service0@yourserver service0]$ cd /web/service0/etc/certs +[service0@yourserver certs]$ perl /usr/share/ssl/misc/CA -newcert Using configuration from /usr/share/ssl/openssl.cnf Generating a 1024 bit RSA private key ...++++++ .......++++++ writing new private key to 'newreq.pem' Enter PEM pass phrase:Enter a pass phrase for the CA certificate. Then, answer the rest of the questions. At the end you should see this:
Certificate (and private key) is in newreq.pem -[service0@yourserver certs]$newreq.pem contains our certificate and private key. The key is protected by a passphrase, which means that we'll have to enter the pass phrase each time the server starts. This is impractical and unnecessary, so we create an unprotected version of the key. Security implication: if anyone gets access to the file keyfile.pem, they effectively own the key as much as you do. Mitigation: don't use this key/cert combo for anything besides providing ssl for the web site.
[root@yourserver misc]# openssl rsa -in newreq.pem -out keyfile.pem +[service0@yourserver certs]$newreq.pem contains our certificate and private key. The key is protected by a passphrase, which means that we'll have to enter the pass phrase each time the server starts. This is impractical and unnecessary, so we create an unprotected version of the key. Security implication: if anyone gets access to the file keyfile.pem, they effectively own the key as much as you do. Mitigation: don't use this key/cert combo for anything besides providing ssl for the web site.
[root@yourserver misc]# openssl rsa -in newreq.pem -out keyfile.pem read RSA key Enter PEM pass phrase: writing RSA key -[service0@yourserver certs]$To create the certificate file, we take the combined file, copy it, and strip out the key.
[service0@yourserver certs]$ cp newreq.pem certfile.pem -[root@yourserver misc]# emacs certfile.pemStrip out the section that looks like
-----BEGIN RSA PRIVATE KEY----- +[service0@yourserver certs]$To create the certificate file, we take the combined file, copy it, and strip out the key.
[service0@yourserver certs]$ cp newreq.pem certfile.pem +[root@yourserver misc]# emacs certfile.pemStrip out the section that looks like
-----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,F3EDE7CA1B404997 S/Sd2MYA0JVmQuIt5bYowXR1KYKDka1d3DUgtoVTiFepIRUrMkZlCli08mWVjE6T (11 lines omitted) 1MU24SHLgdTfDJprEdxZOnxajnbxL420xNVc5RRXlJA8Xxhx/HBKTw== ------END RSA PRIVATE KEY-----
Kill any current running AOLserver processes and start a new one. (Note, if you are using Oracle, rather than PostgreSQL, replace - nsd-postgres with - nsd-oracle). If you are using port 80, you must be root for this step.
[service0@yourserver etc]$ killall nsd + nsd-postgres with + nsd-oracle). If you are using port 80, you must be root for this step.[service0@yourserver etc]$ killall nsd nsd: no process killed -[service0@yourserver service0]$ /usr/local/aolserver/bin/nsd-postgres -t /web/service0/etc/config.tcl +[service0@yourserver service0]$ /usr/local/aolserver/bin/nsd-postgres -t /web/service0/etc/config.tcl [service0@yourserver service0]$ [08/Mar/2003:18:13:29][32131.8192][-main-] Notice: nsd.tcl: starting to read config file... [08/Mar/2003:18:13:29][32131.8192][-main-] Notice: nsd.tcl: finished reading config file.
Attempt to connect to the service from a web browser as you did You should specify a URL like: -
http://yourserver.test:8000+
http://yourserver.test:8000You should see a page that looks like this. If you imported your files into cvs, now that you know it worked you can erase the temp - directory with rm -rf /web/service0.orig. + directory with rm -rf /web/service0.orig.
If you don't see the login page, view your error log - (/web/service0/log/service0-error.log) + (/web/service0/log/service0-error.log) to make sure the service is starting without any problems. The most common errors here are trying to start a port 80 server while not root, failing to connect because of a firewall, and aolserver failing to start due to permissions errors or missing files. If you need to make changes, don't forget to kill any running servers with - killall nsd. -
OPTIONAL - Automate AOLserver keepalive
Assuming AOLserver started cleanly in the previous step, we'll set it up so that it's always running, and automatically restarts whenever it dies or is stopped. This step is strongly recommended, even for development sites, because it makes install and maintenance much simpler.
The Reference Platform uses Daemontools to control AOLserver. A simpler method, using init, is here.
Daemontools must already be installed. If not, install it.
Each service controlled by daemontools must have a directory in /service. That directory must have a file called run. Daemontools then creates additional files and directories to track status and log. Create the appropriate directory as /web/service0/etc/daemontools, copy the prepared run file, and set permissions. If your server is not called service0, edit /web/service0/etc/run accordingly.
[service0@yourserver log]$ cd /web/service0/etc
-[service0@yourserver etc]$ mkdir daemontools
-[service0@yourserver etc]$ cp /web/service0/packages/acs-core-docs/www/files/run.txt daemontools/run
-[service0@yourserver etc]$ chmod 700 daemontools/run
-cd /web/service0/etc
+ killall nsd.
+
OPTIONAL - Automate AOLserver keepalive
Assuming AOLserver started cleanly in the previous step, we'll set it up so that it's always running, and automatically restarts whenever it dies or is stopped. This step is strongly recommended, even for development sites, because it makes install and maintenance much simpler.
The Reference Platform uses Daemontools to control AOLserver. A simpler method, using init, is here.
Daemontools must already be installed. If not, install it.
Each service controlled by daemontools must have a directory in /service. That directory must have a file called run. Daemontools then creates additional files and directories to track status and log. Create the appropriate directory as /web/service0/etc/daemontools, copy the prepared run file, and set permissions. If your server is not called service0, edit /web/service0/etc/run accordingly.
[service0@yourserver log]$ cd /web/service0/etc
+[service0@yourserver etc]$ mkdir daemontools
+[service0@yourserver etc]$ cp /web/service0/packages/acs-core-docs/www/files/run.txt daemontools/run
+[service0@yourserver etc]$ chmod 700 daemontools/run
+cd /web/service0/etc
mkdir daemontools
-cp /web/service0/packages/acs-core-docs/www/files/run.txt daemontools/run
-chmod 700 daemontools/run
Kill any existing AOLserver instances. As root, link the daemontools directory into the /service directory. Daemontools' svscan process checks this directory every five seconds, and will quickly execute run.
[service0@yourserver etc]$ killall nsd
+cp /web/service0/packages/acs-core-docs/www/files/run.txt daemontools/run
+chmod 700 daemontools/run
Kill any existing AOLserver instances. As root, link the daemontools directory into the /service directory. Daemontools' svscan process checks this directory every five seconds, and will quickly execute run.
[service0@yourserver etc]$ killall nsd nsd: no process killed -[service0@yourserver etc]$ exit +[service0@yourserver etc]$ exit -[root@yourserver root]# ln -s /web/service0/etc/daemontools/ /service/service0
Verify that AOLserver is running.
[root@yourserver root]# ps -auxw | grep nsd -service0 5562 14.2 6.2 22436 15952 ? S 11:55 0:04 /usr/local/aolserver/bin/nsd -it /web/service0/etc/config.tcl -u serve +[root@yourserver root]# ln -s /web/service0/etc/daemontools/ /service/service0
Verify that AOLserver is running.
[root@yourserver root]# ps -auxw | grep nsd +service0 5562 14.2 6.2 22436 15952 ? S 11:55 0:04 /usr/local/aolserver/bin/nsd -it /web/service0/etc/config.tcl -u serve root 5582 0.0 0.2 3276 628 pts/0 S 11:55 0:00 grep nsd -[root@yourserver root]#
The user service0 can now control the service service0 with these commands:
+[root@yourserver root]#
The user service0 can now control the service service0 with these commands:
- svc -d /service/service0 - + svc -d /service/service0 - Bring the server down
- svc -u /service/service0 - + svc -u /service/service0 - Start the server up and leave it in keepalive mode.
- svc -o /service/service0 - + svc -o /service/service0 - Start the server up once. Do not restart it if it stops.
- svc -t /service/service0 - + svc -t /service/service0 - Stop and immediately restart the server.
- svc -k /service/service0 - + svc -k /service/service0 - Sends the server a KILL signal. This is like KILL -9. AOLserver exits immediately. If svc -t fails to fully kill AOLserver, use this option. This does not take the server out of keepalive mode, so it should still bounce back up immediately.
At this point, these commands will work only for the - root user. Grant permission for the web group to use svc commands on the service0 server.
[root@yourserver root]# svgroup web /service/service0
-[root@yourserver root]#
Verify that the controls work. You may want to tail -f /web/service0/log/service0-error.log in another window, so you can see what happens when you type these commands. + root user. Grant permission for the web group to use svc commands on the service0 server.
[root@yourserver root]# svgroup web /service/service0
+[root@yourserver root]#
Verify that the controls work. You may want to tail -f /web/service0/log/service0-error.log in another window, so you can see what happens when you type these commands.
Most of this information comes from Tom Jackson's AOLServer+Daemontools Mini-HOWTO. -
Now that you've got AOLserver up and running, let's install OpenACS 4.6.3.
You should see a page from the webserver titled - OpenACS Installation: + OpenACS Installation: Welcome. You will be warned if your version of the database driver is out of date, if AOLserver cannot connect to the database, if any modules are missing or out-of-date, or if there are any problems with filesystem permissions on the server side. But if everything is fine, you can click - Next to proceed to load the + Next to proceed to load the OpenACS Kernel data model.
@@ -460,7 +460,7 @@ Loading package .info files ... this will take a few minutes
This will really take a few minutes. Have faith! Finally, another - Next button will appear at the + Next button will appear at the bottom - click it.
@@ -470,95 +470,95 @@ previously selected packages, but watch out for any errors. Eventually, the page will display "Generating secret tokens" and then "Done"- click - Next. + Next.
You should see a page, "OpenACS Installation: Create Administrator" with form fields to define the OpenACS site administrator. Fill out the fields as appropriate, and click - Create User. + Create User.
You should see a page, "OpenACS Installation: Set System Information" allowing you to name your service. Fill out the - fields as appropriate, and click Set System + fields as appropriate, and click Set System Information
You'll see the final Installer page, "OpenACS Installation: Complete." It will tell you that the server is being restarted; note that unless you already set up a way for AOLServer to restart itself (ie. inittab or daemontools), you'll need to manually restart your service. -
[service0@yourserver service0]$ /usr/local/aolserver/bin/nsd-postgres -t /web/service0/config.tcl
+
[service0@yourserver service0]$ /usr/local/aolserver/bin/nsd-postgres -t /web/service0/config.tcl
Give the server a few minutes to start up. Then reload the final page above. You should see the front page, with an area to login near the upper right. Congratulations, OpenACS 4.6.3 is now up and running! -
OPTIONAL - Install Full Text Search.
Click Package Manager on the right side of the default home page. If prompted, log in with the account and password you entered during install.
Click on the Install -packages link.
On the next screen, after it loads, click on Uncheck all boxes, then click the second checkbox next to OpenFTS Driver 4.2. This will automatically check the first box. Then click Next.
Click Install Packages
Restart the service.
[service0@yourserver service0]$ svc -t /service/service0
-[service0@yourserver service0]$
Wait a minute, then browse back to the home page.
Click on Site Map on the top right side of the screen.
Mount the OpenFTS Full Text Search Engine in the site map.
Click the new sub folder link on the "/" line, the first line under Main Site:/.
Type openfts -and click New.
On the new openfts line, click the mount link.
Click OpenFTS -Driver.
On the openfts line, click set parameters.
Change openfts_tcl_src_path to /usr/local/src/Search-OpenFTS-tcl-0.3.2/ and click Set Parameters +
OPTIONAL - Install Full Text Search.
Click Package Manager on the right side of the default home page. If prompted, log in with the account and password you entered during install.
Click on the Install +packages link.
On the next screen, after it loads, click on Uncheck all boxes, then click the second checkbox next to OpenFTS Driver 4.2. This will automatically check the first box. Then click Next.
Click Install Packages
Restart the service.
[service0@yourserver service0]$ svc -t /service/service0
+[service0@yourserver service0]$
Wait a minute, then browse back to the home page.
Click on Site Map on the top right side of the screen.
Mount the OpenFTS Full Text Search Engine in the site map.
Click the new sub folder link on the "/" line, the first line under Main Site:/.
Type openfts +and click New.
On the new openfts line, click the mount link.
Click OpenFTS +Driver.
On the openfts line, click set parameters.
Change openfts_tcl_src_path to /usr/local/src/Search-OpenFTS-tcl-0.3.2/ and click Set Parameters
Mount the Search interface in the site map.
Click the -new sub folder link on the -Main Site line.
Type search -and click New.
Click the new -application link on the search - line.
Type search +new sub folder link on the +Main Site line.
Type search +and click New.
Click the new +application link on the search + line.
Type search where it says -untitled, choose -search from the +untitled, choose +search from the drop-down list, and click -New. -
Restart the service.
[service0@yourserver service0]$ svc -t /service/service0
-[service0@yourserver service0]$
Wait a minute, then click on Main Site at the top of the page.
Initialize the OpenFTS Engine. This creates a set of tables in the database to support FTS.
Near the bottom of the page, click on the OpenFTS Driver link. Click on Administration. -Click on Initialize OpenFTS Engine. -Click Initialize OpenFTS Engine.
Add the FTS Engine service contract
Click on the Main -Site.
Click on the ACS -Service Contract link near the bottom of the home page.
On the FtsEngineDriver +New. +
Restart the service.
[service0@yourserver service0]$ svc -t /service/service0
+[service0@yourserver service0]$
Wait a minute, then click on Main Site at the top of the page.
Initialize the OpenFTS Engine. This creates a set of tables in the database to support FTS.
Near the bottom of the page, click on the OpenFTS Driver link. Click on Administration. +Click on Initialize OpenFTS Engine. +Click Initialize OpenFTS Engine.
Add the FTS Engine service contract
Click on the Main +Site.
Click on the ACS +Service Contract link near the bottom of the home page.
On the FtsEngineDriver line, click -Install. -
Restart the service.
[service0@yourserver service0]$ svc -t /service/service0
-[service0@yourserver service0]$
Test FTS. (INCOMPLETE). Add a package that supports search,like "note," add some content, and search for it.
This is a very good time to back the service, even if it's not a production service. Making a backup now lets you roll back to this initial, clean setup at any point in the future, without repeating the install process. A full OpenACS service backup includes everything in the /web/service0/ directory. At this point it's probably sufficient to back up just the database, because you can recover the files from a tarball.
Note that, if you did the CVS options in this document, the /web/service0/etc directory is not included in cvs and you may want to add it.
PostGreSQL.�Create a backup file and verify that it was created and has a reasonable size (several megabytes).
[service0@yourserver service0]$ mkdir /web/service0/database-backup -[service0@yourserver service0]$ pg_dump -f /web/service0/database-backup/initial_backup.dmp service0 -[service0@yourserver service0]$ ls -al /web/service0/database-backup +Install. +
Restart the service.
[service0@yourserver service0]$ svc -t /service/service0
+[service0@yourserver service0]$
Test FTS. (INCOMPLETE). Add a package that supports search,like "note," add some content, and search for it.
This is a very good time to back the service, even if it's not a production service. Making a backup now lets you roll back to this initial, clean setup at any point in the future, without repeating the install process. A full OpenACS service backup includes everything in the /web/service0/ directory. At this point it's probably sufficient to back up just the database, because you can recover the files from a tarball.
Note that, if you did the CVS options in this document, the /web/service0/etc directory is not included in cvs and you may want to add it.
PostGreSQL.�Create a backup file and verify that it was created and has a reasonable size (several megabytes).
[service0@yourserver service0]$ mkdir /web/service0/database-backup +[service0@yourserver service0]$ pg_dump -f /web/service0/database-backup/initial_backup.dmp service0 +[service0@yourserver service0]$ ls -al /web/service0/database-backup total 1425 -drwxr-xr-x 2 service0 web 1024 Mar 9 14:13 . -drwx------ 11 service0 web 1024 Mar 9 14:11 .. --rw-r--r-- 1 service0 web 1449826 Mar 9 14:13 initial_backup.dmp +drwxr-xr-x 2 service0 web 1024 Mar 9 14:13 . +drwx------ 11 service0 web 1024 Mar 9 14:11 .. +-rw-r--r-- 1 service0 web 1449826 Mar 9 14:13 initial_backup.dmp [service0@yourserver service0]$ -mkdir /web/service0/database-backup -pg_dump -f /web/service0/database-backup/initial_backup.dmp service0 -ls -al /web/service0/database-backup
Oracle - INCOMPLETE.�
Backup can encompass all files in /web/service0. For a development server, putting the files in cvs is sufficient. (It's important then to back up the cvs repository!)
A quick way to automate database backup is a cron job. This is not recommended for production and is not part of the Reference Platform, because it is not cross-platform and can fail silently. More thorough methods are documented in the section called “Backup Strategy”
[service0@yourserver service0]$ export EDITOR=emacs;crontab -e
Add this line to the file. The numbers and stars at the beginning are cron columns that specify when the program should be run - in this case, whenever the minute is 0 and the hour is 1, i.e., 1:00 am every day.
0 1 * * * /usr/local/pgsql/bin/pg_dump -f /web/service0/database-backup/service0_$(date +%Y-%m-%d).dmp service0
If you plan to back up the whole /web/service0 directory, then it would be redundant to keep a history of database backups. In that case, set up the cron job to overwrite the previous backup each time:
0 1 * * * /usr/local/pgsql/bin/pg_dump -f /web/service0/database-backup/service0_nightly.dmp service0
Backup can encompass all files in /web/service0. For a development server, putting the files in cvs is sufficient. (It's important then to back up the cvs repository!)
A quick way to automate database backup is a cron job. This is not recommended for production and is not part of the Reference Platform, because it is not cross-platform and can fail silently. More thorough methods are documented in Section�, “Backup Strategy”
[service0@yourserver service0]$ export EDITOR=emacs;crontab -e
Add this line to the file. The numbers and stars at the beginning are cron columns that specify when the program should be run - in this case, whenever the minute is 0 and the hour is 1, i.e., 1:00 am every day.
0 1 * * * /usr/local/pgsql/bin/pg_dump -f /web/service0/database-backup/service0_$(date +%Y-%m-%d).dmp service0
If you plan to back up the whole /web/service0 directory, then it would be redundant to keep a history of database backups. In that case, set up the cron job to overwrite the previous backup each time:
0 1 * * * /usr/local/pgsql/bin/pg_dump -f /web/service0/database-backup/service0_nightly.dmp service0
Analog is a program with processes webserver access logs, performs DNS lookup, and outputs HTML reports. Analog should already be installed. A modified configuration file is included in - the OpenACS tarball.
[root@yourserver src]# su - service0 -[service0@yourserver service0]$ cd /web/service0 -[service0@yourserver service0]$ cp /web/service0/packages/acs-core-docs/www/files/analog.cfg.txt etc/analog.cfg -[service0@yourserver service0]$ mkdir www/log -[service0@yourserver service0]$ cp -r /usr/share/analog-5.31/images www/log/ -[service0@yourserver service0]$+ the OpenACS tarball.
[root@yourserver src]# su - service0 +[service0@yourserver service0]$ cd /web/service0 +[service0@yourserver service0]$ cp /web/service0/packages/acs-core-docs/www/files/analog.cfg.txt etc/analog.cfg +[service0@yourserver service0]$ mkdir www/log +[service0@yourserver service0]$ cp -r /usr/share/analog-5.31/images www/log/ +[service0@yourserver service0]$su - service0 cd /web/service0 cp /web/service0/packages/acs-core-docs/www/files/analog.cfg.txt etc/analog.cfg mkdir www/log -cp -r /usr/share/analog-5.31/images www/log/
Edit -/web/service0/etc/analog.cfg and change the variable in HOSTNAME "[my +cp -r /usr/share/analog-5.31/images www/log/
Edit +/web/service0/etc/analog.cfg and change the variable in HOSTNAME "[my organisation]" to reflect your website title. If you don't want the traffic log to be publicly visible, change -OUTFILE /web/service0/www/log/traffic.html to use a private -directory.
Run it.
[service0@yourserver service0]$ /usr/share/analog-5.31/analog -G -g/web/service0/etc/analog.cfg +OUTFILE /web/service0/www/log/traffic.html to use a private +directory.Run it.
[service0@yourserver service0]$ /usr/share/analog-5.31/analog -G -g/web/service0/etc/analog.cfg /usr/share/analog-5.31/analog: analog version 5.31/Unix /usr/share/analog-5.31/analog: Warning F: Failed to open DNS input file /home/service0/dnscache: ignoring it (For help on all errors and warnings, see docs/errors.html) /usr/share/analog-5.31/analog: Warning R: Turning off empty Search Word Report -[service0@yourserver service0]$Verify that it works by browing to http://yourserver.test:8000/log/traffic.html
Automate this by creating a file in - /etc/cron.daily.
[service0@yourserver service0]$ exit +[service0@yourserver service0]$Verify that it works by browing to http://yourserver.test:8000/log/traffic.html
Automate this by creating a file in + /etc/cron.daily.
[service0@yourserver service0]$ exit logout -[root@yourserver root]# emacs /etc/cron.daily/analogPut this into the file:
#!/bin/sh +[root@yourserver root]# emacs /etc/cron.daily/analogPut this into the file:
#!/bin/sh -/usr/share/analog-5.31/analog -G -g/web/service0/etc/analog.cfg
[root@yourserver root]# chmod 755 /etc/cron.daily/analogTest it by running the script.
[root@yourserver root]# sh /etc/cron.daily/analogBrowse to http://yourserver.test/log/traffic.html
Test your backup and recovery procedure.
Follow the instruction on the home page to change the appearance of your service or add more packages.
Proceed to the tutorial to learn how to develop your own packages.
[root@yourserver root]# chmod 755 /etc/cron.daily/analog
Test it by running the script.
[root@yourserver root]# sh /etc/cron.daily/analog
Browse to http://yourserver.test/log/traffic.html
Test your backup and recovery procedure.
Follow the instruction on the home page to change the appearance of your service or add more packages.
Proceed to the tutorial to learn how to develop your own packages.