Index: openacs-4/packages/acs-core-docs/www/openacs.html =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-core-docs/www/openacs.html,v diff -u -r1.6.2.3 -r1.6.2.4 --- openacs-4/packages/acs-core-docs/www/openacs.html 29 Mar 2003 20:44:54 -0000 1.6.2.3 +++ openacs-4/packages/acs-core-docs/www/openacs.html 30 Mar 2003 06:04:04 -0000 1.6.2.4 @@ -1,24 +1,22 @@ -Install OpenACS 4.6.2

Install OpenACS 4.6.2

+Install OpenACS 4.6.2

Install OpenACS 4.6.2

by Vinod Kurup
OpenACS docs are written by the named authors, but may be edited by OpenACS documentation staff. -

Set up the file system for an OpenACS Service

  1. Unpack the OpenACS tarball. If you are following the - instructions linearly, you should done this already, in which case - you can skip this step. If not, make sure you have the OpenACS - tarball in /tmp and proceed: -

    [root@yourserver root]# cd /tmp
    -[root@yourserver tmp]# tar xzf openacs-4-6.tgz
    -
    cd /tmp
    -tar xzf openacs-4-6.tgz
  2. The reference install stores all OpenACS instances in +

Set up the file system for an OpenACS Service

  1. The reference install stores all OpenACS services in /web, with one subdirectory per - instance. Create that directory:

    [root@yourserver root]# mkdir /web
    +      service.  The first time you install a service, you must create
    +      that directory and set its permissions:

    [root@yourserver root]# mkdir /web
     [root@yourserver root]# chgrp web /web
     [root@yourserver root]# chmod 770 /web
     [root@yourserver root]#
     
    mkdir /web
     chgrp web /web
    -chmod 770 /web
  2. Set up your user account.

    +chmod 770 /web

  3. You should already have downloaded the OpenACS tarball + to the /tmp directory. If + noot, download the OpenACS + tarball and save it in + /tmp and proceed:

  4. Set up your user account.

    AOLserver needs to be started as the root user if you want to use port 80. Once it starts, though, it will drop the root privileges and run as another user, which you must specify on the command line. It's @@ -31,21 +29,21 @@ for each different service. A service name should be a single word, letters and numbers only. If the name of your site is one word, that would be a good choice. For - example "server0" might be the service name for the - server0.net + example "service0" might be the service name for the + service0.net community.

    For the 4.6.2-P and 4.6.2-O Reference Platform, - we'll use a server named server0 and - a user named server0. We'll leave the password + we'll use a server named service0 and + a user named service0. We'll leave the password blank for increased security. The only way to log in will be with ssh certificates. The only people who should log in are developers for that specific instance. Add this user, and put it in the web group so that it can use database commands associated with that group. -

    [root@yourserver root]# useradd -g web server0
    +    

    [root@yourserver root]# useradd -g web service0
     [root@yourserver root]#

    Set up database environment variables. They are necessary for working with the database. -

    [root@yourserver root]# su - server0
    -[server0@yourserver server0]$ emacs .bashrc

    Put in the appropriate lines for the database you are running. If you will use both databases, put in both sets of lines.

    • PostGreSQL:

      export LD_LIBRARY_PATH=LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/pgsql/lib
      +

      [root@yourserver root]# su - service0
      +[service0@yourserver service0]$ emacs .bashrc

      Put in the appropriate lines for the database you are running. If you will use both databases, put in both sets of lines.

      • PostGreSQL:

        export LD_LIBRARY_PATH=LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/pgsql/lib
         export PATH=$PATH:/usr/local/pgsql/bin
      • Oracle. These environment variables are specific for a local Oracle installation communicating via IPC. If you are connecting to a remote Oracle installation, you'll need to adjust these appropriately. Also, @@ -57,9 +55,9 @@ export ORACLE_SID=ora8 export ORACLE_TERM=vt100 export ORA_NLS33=$ORACLE_HOME/ocommon/nls/admin/data

    Test this by logging out and back in as - server0 and checking the paths.

    [server0@yourserver server0]$ exit
    +	service0 and checking the paths.

    [service0@yourserver service0]$ exit
     logout
    -[root@yourserver src]# su - server0
    +[root@yourserver src]# su - service0
     [postgres@yourserver pgsql]$ env | grep PATH
     

    For PostGreSQL, you should see:

     LD_LIBRARY_PATH=LD_LIBRARY_PATH=:/usr/local/pgsql/lib
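Review bot: In the "Test this by logging out and back in" transcript, the line right after `su - service0` still shows the prompt `[postgres@yourserver pgsql]$`, so the renamed session no longer reads as a login by the service user. Change that prompt to `[service0@yourserver service0]$` while these lines are being touched. The expected PostgreSQL output `LD_LIBRARY_PATH=LD_LIBRARY_PATH=:/usr/local/pgsql/lib` also has the variable name doubled, which comes from the `export LD_LIBRARY_PATH=LD_LIBRARY_PATH=$LD_LIBRARY_PATH:...` line earlier on the page and puts a literal `LD_LIBRARY_PATH=` entry at the front of the library search path. Fix the export to a single `LD_LIBRARY_PATH=` and update this expected output to match.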
    @@ -69,91 +67,103 @@
     LD_LIBRARY_PATH=/ora8/m01/app/oracle/product/8.1.7/lib:/lib:/usr/lib
     ORACLE_SID=ora8
     ORACLE_TERM=vt100
    -ORA_NLS33=$ORACLE_HOME/ocommon/nls/admin/data
    [server0@yourserver server0]$ exit
    +ORA_NLS33=$ORACLE_HOME/ocommon/nls/admin/data
    [service0@yourserver service0]$ exit
     logout
     
    -[root@yourserver root]#
  5. Move the OpenACS tarball to be the new root directory for - the server0 service. Secure the directory so that only the owner can access it.

    [root@yourserver root]# mv /tmp/openacs-4-6 /web/server0
    -[root@yourserver root]# chown -R server0.web /web/server0
    -[root@yourserver root]# chmod -R 700 /web/server0
    -
    mv /tmp/openacs-4-6 /web/server0
    -chown -R server0.web /web/server0/
    -chmod -R 700 /web/server0
  6. Add the Service to CVS - OPTIONAL.�If this is a development server, you may want to add it to your local CVS repository.

    1. Create and set permissions on a subdirectory in the local cvs repository.

      [root@yourserver root]# mkdir /cvsroot/server0
      -[root@yourserver root]# chown server0.web /cvsroot/server0
      +[root@yourserver root]#
    2. Unpack the OpenACS tarball and rename it to service0. Secure the directory so that only the owner can access it. Check the permissions by listing the directory.

      [root@yourserver root]# su - service0
      +[service0@yourserver service0]$ cd /web
      +[service0@yourserver web]$ tar xzf /tmp/openacs-4-6.tgz
      +[service0@yourserver web]$ mv openacs-4-6 service0
      +[service0@yourserver web]$ chmod -R 700 service0
      +[service0@yourserver web]$ ls -al
      +total 3
      +drwxrwx---    3 root     web          1024 Mar 29 16:41 .
      +drwxr-xr-x   25 root     root         1024 Mar 29 16:24 ..
      +drwx------    7 service0 web          1024 Jan  6 14:36 service0
      +[service0@yourserver web]$ exit
      +logout
      +
       [root@yourserver root]#
      -
      mkdir /cvsroot/server0
      -chown server0.web /cvsroot/server0
    3. Add the repository location to the user environment.

      [root@yourserver root]# su - server0
      -[server0@yourserver server0]$ emacs .bashrc

      Put this string into /home/server0/.bashrc:

      export CVSROOT=/cvsroot
      [server0@yourserver server0]$ exit
      +
      su - service0
      +cd /web
      +tar xzf /tmp/openacs-4-6.tgz
      +mv openacs-4-6 service0
      +chmod -R 700 service0/
      +ls -al
      +exit
    4. Add the Service to CVS - OPTIONAL.�If this is a development server, you may want to add it to your local CVS repository.

      1. Create and set permissions on a subdirectory in the local cvs repository.

        [root@yourserver root]# mkdir /cvsroot/service0
        +[root@yourserver root]# chown service0.web /cvsroot/service0
        +[root@yourserver root]#
        +
        mkdir /cvsroot/service0
        +chown service0.web /cvsroot/service0
      2. Add the repository location to the user environment.

        [root@yourserver root]# su - service0
        +[service0@yourserver service0]$ emacs .bashrc

        Put this string into /home/service0/.bashrc:

        export CVSROOT=/cvsroot
        [service0@yourserver service0]$ exit
         logout
         
         [root@yourserver root]#
      3. Import all files into cvs. In order to work on files with source control, the files must be checked out from cvs. So we will import, move aside, and then check out all of the files. In the cvs import command, - server0 + service0 refers to the cvs repository to use; it uses the CVSROOT plus this string, i.e. - /cvsroot/server0. + /cvsroot/service0. "OpenACS" is the vendor tag, and "openacs-4-6" is the release tag. These tags will be useful in upgrading and - branching. -m sets the version comment.

        [root@yourserver root]# su - server0
        -[server0@yourserver server0]$ cd /web/server0
        -[server0@yourserver server0]$ cvs import -m "initial install" server0 OpenACS openacs-4-6
        -N server0/license.txt
        -N server0/readme.txt
        +            branching.  -m sets the version comment.

        [root@yourserver root]# su - service0
        +[service0@yourserver service0]$ cd /web/service0
        +[service0@yourserver service0]$ cvs import -m "initial install" service0 OpenACS openacs-4-6
        +N service0/license.txt
        +N service0/readme.txt
         (many lines omitted)
        -N server0/www/SYSTEM/flush-memoized-statement.tcl
        +N service0/www/SYSTEM/flush-memoized-statement.tcl
         
         No conflicts created by this import
         
        -[server0@yourserver server0]$
        -
        su - server0
        -cd /web/server0
        -cvs import -m "initial install" server0 OpenACS openacs-4-6

        Move the original directory to a temporary location, and check out the cvs repository in its place. If the service starts correctly, come back and remove the temporary copy of the uploaded files.

        [server0@yourserver server0]$ cd ..
        -[server0@yourserver web]$ mv server0 server0.orig
        -[server0@yourserver web]$ cvs checkout server0
        -cvs checkout: Updating server0
        -U server0/license.txt
        +[service0@yourserver service0]$
        +
        su - service0
        +cd /web/service0
        +cvs import -m "initial install" service0 OpenACS openacs-4-6

        Move the original directory to a temporary location, and check out the cvs repository in its place. If the service starts correctly, come back and remove the temporary copy of the uploaded files.

        [service0@yourserver service0]$ cd ..
        +[service0@yourserver web]$ mv service0 service0.orig
        +[service0@yourserver web]$ cvs checkout service0
        +cvs checkout: Updating service0
        +U service0/license.txt
         (many lines omitted)
        -U server0/www/SYSTEM/dbtest.tcl
        -U server0/www/SYSTEM/flush-memoized-statement.tcl
        -[server0@yourserver web]$ exit
        +U service0/www/SYSTEM/dbtest.tcl
        +U service0/www/SYSTEM/flush-memoized-statement.tcl
        +[service0@yourserver web]$ exit
         logout
         
         [root@yourserver web]#
         
        cd ..
        -mv server0 server0.orig
        -cvs checkout server0
        +mv service0 service0.orig
        +cvs checkout service0
         exit
    5. Set up several additional directories in the service root: - etc is for configuration files - and log is for log - files. If you did the CVS step, note that these new directories are excluded from that step so that you can decide whether or not you want your logs and config files in source control.

      [root@yourserver root]# su - server0
      -[server0@yourserver server0]$ mkdir /web/server0/etc /web/server0/log
      -[server0@yourserver web]$ exit
      +      etc is for configuration and control files, log is for error and request (web page hit) log files, and database-backup is for database backup files.  If you did the CVS step, note that these new directories are excluded from that step so that you can decide whether or not you want your logs and config files in source control.

      [root@yourserver root]# su - service0
      +[service0@yourserver service0]$ mkdir /web/service0/etc /web/service0/log /web/service0/database-backup
      +[service0@yourserver web]$ exit
       logout
       
       [root@yourserver web]#
      -
      su - server0
      -mkdir /web/server0/etc /web/server0/log
      +
      su - service0
      +mkdir /web/service0/etc /web/service0/log /web/service0/database-backup
       exit

Prepare Oracle for OpenACS

OPTIONAL - if you won't be using Oracle, skip to Prepare PostgreSQL for OpenACS

You should be sure that your user account - (e.g. server0) is in the + (e.g. service0) is in the dba group.

  1. Verify membership by typing groups when you login:

    -server0:~$ groups
    +service0:~$ groups
     dba web
    If you do not see these groups, take the following action:
    -server0:~$ su -      
    +service0:~$ su -      
     Password: ************
    -root:~# adduser server0 dba
    +root:~# adduser service0 dba If you get an error about an undefined group, then add that group manually: @@ -170,7 +180,7 @@ svrmgrl and login:
    -server0:~$ svrmgrl
    +service0:~$ svrmgrl
     
     SVRMGR> connect internal
     Connected.
    @@ -208,13 +218,13 @@ exit from svrmgrl and login as root for this step:

     SVRMGR> exit
    -server0:~$ su -
    +service0:~$ su -
     Password: ************
     root:~# mkdir -p /ora8/m02/oradata/ora8/
    -root:~# chown server0.web /ora8/m02/oradata/ora8
    +root:~# chown service0.web /ora8/m02/oradata/ora8
     root:~# chmod 775 /ora8/m02/oradata/ora8
     root:~# exit
    -server0:~$
  2. +service0:~$

  3. Create a tablespace for the service. It is important that the tablespace can autoextend. This @@ -226,11 +236,11 @@ tablespace.

    -server0:~$ svrmgrl
    +service0:~$ svrmgrl
     
     SVRMGR> connect internal;
    -SVRMGR> create tablespace server0 
    -             datafile '/ora8/m02/oradata/ora8/server001.dbf' 
    +SVRMGR> create tablespace service0 
    +             datafile '/ora8/m02/oradata/ora8/service001.dbf' 
                  size 50M 
                  autoextend on 
                  next 10M
    @@ -239,26 +249,26 @@
                  uniform size 32K;
  4. Create a database user for this service. Give the user access to the tablespace and rights to connect. We'll use - server0password as our password.

    + service0password as our password.

    Write down what you specify as service_name - (i.e. server0) and + (i.e. service0) and database_password - (i.e. server0password). You + (i.e. service0password). You will need this information for configuring exports and AOLserver.

    -SVRMGR> create user server0 identified by server0password default tablespace server0
    -temporary tablespace temp quota unlimited on server0;
    -SVRMGR> grant connect, resource, ctxapp, javasyspriv, query rewrite to server0;
    -SVRMGR> revoke unlimited tablespace from server0;
    -SVRMGR> alter user server0 quota unlimited on server0;
    +SVRMGR> create user service0 identified by service0password default tablespace service0
    +temporary tablespace temp quota unlimited on service0;
    +SVRMGR> grant connect, resource, ctxapp, javasyspriv, query rewrite to service0;
    +SVRMGR> revoke unlimited tablespace from service0;
    +SVRMGR> alter user service0 quota unlimited on service0;
     SVRMGR> exit;

    Your table space is now ready. In case you are trying to delete a previous OpenACS installation, consult these commands in the section called “Deleting a tablespace” below.

  5. Make sure that you can login to Oracle using your service_name account:

    -server0:~$ sqlplus server0/server0password
    +service0:~$ sqlplus service0/service0password
     SQL> select sysdate from dual;
     
     SYSDATE
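Review bot: The database password in `create user service0 identified by service0password` is just the service name with "password" appended, and the login check `sqlplus service0/service0password` puts it on the command line, where it ends up in shell history and is visible in the process list. Since this hunk already rewrites both lines, use an obvious placeholder for the password, tell the reader to choose their own value, and show `sqlplus service0` so that sqlplus prompts for it. The "Write down what you specify" paragraph can then refer to that placeholder instead of `service0password`.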
    @@ -270,49 +280,49 @@
     		  If you can't login, try redoing step 1 again. If the date is
     		  in the wrong format, make sure you followed the steps outlined in
     		  the section called “Troubleshooting Oracle Dates”
    -		  

Prepare PostgreSQL for an OpenACS Service

  1. Create a user in the database matching the service name.

    [root@yourserver root]# su - postgres
    -[postgres@yourserver pgsql]$ createuser server0
    +		  

Prepare PostgreSQL for an OpenACS Service

  1. Create a user in the database matching the service name.

    [root@yourserver root]# su - postgres
    +[postgres@yourserver pgsql]$ createuser service0
     Shall the new user be allowed to create databases? (y/n) y
     Shall the new user be allowed to create more new users? (y/n) y
     CREATE USER
     [postgres@yourserver pgsql]$ exit
     logout
     
    -[root@yourserver root]#
  2. Create a database with the same name as our service name, server0.

    [root@yourserver root]# su - server0
    -[server0@yourserver server0]$ createdb server0
    +[root@yourserver root]#
  3. Create a database with the same name as our service name, service0.

    [root@yourserver root]# su - service0
    +[service0@yourserver service0]$ createdb service0
     CREATE DATABASE
    -[server0@yourserver server0]$
    -
    su - server0
    -createdb server0
  4. Automate daily database Vacuuming. This is a process which cleans out discarded data from the database. A quick way to automate vacuuming is to edit the cron file for the database user.

    [server0@yourserver server0]$ export EDITOR=emacs;crontab -e

    Add this line to the file. The numbers and stars at the beginning are cron columns that specify when the program should be run - in this case, whenever the minute is 0 and the hour is 1, i.e., 1:00 am every day.

    0 1 * * * /usr/local/pgsql/bin/vacuumdb server0
  5. Add Full Text Search Support - OPTIONAL

    If you are installing Full Text Search, add required packages to the new database.

    [server0@yourserver server0]$ /usr/local/pgsql/bin/psql server0 -f /usr/local/src/postgresql-7.2.3/contrib/tsearch/tsearch.sql
    +[service0@yourserver service0]$
    +
    su - service0
    +createdb service0
  6. Automate daily database Vacuuming. This is a process which cleans out discarded data from the database. A quick way to automate vacuuming is to edit the cron file for the database user.

    [service0@yourserver service0]$ export EDITOR=emacs;crontab -e

    Add this line to the file. The numbers and stars at the beginning are cron columns that specify when the program should be run - in this case, whenever the minute is 0 and the hour is 1, i.e., 1:00 am every day.

    0 1 * * * /usr/local/pgsql/bin/vacuumdb service0
  7. Add Full Text Search Support - OPTIONAL

    If you are installing Full Text Search, add required packages to the new database.

    [service0@yourserver service0]$ /usr/local/pgsql/bin/psql service0 -f /usr/local/src/postgresql-7.2.3/contrib/tsearch/tsearch.sql
     BEGIN
     CREATE
     (many lines omitted)
     INSERT 0 1
     COMMIT
    -[server0@yourserver server0]$ /usr/local/pgsql/bin/psql server0 -f /usr/local/src/postgresql-7.2.3/contrib/pgsql_contrib_openfts/openfts.sql
    +[service0@yourserver service0]$ /usr/local/pgsql/bin/psql service0 -f /usr/local/src/postgresql-7.2.3/contrib/pgsql_contrib_openfts/openfts.sql
     CREATE
     CREATE
    -[server0@yourserver server0]$
    -
    /usr/local/pgsql/bin/psql server0 -f /usr/local/src/postgresql-7.2.3/contrib/tsearch/tsearch.sql
    -/usr/local/pgsql/bin/psql server0 -f /usr/local/src/postgresql-7.2.3/contrib/pgsql_contrib_openfts/openfts.sql
  8. [server0@yourserver server0]$ exit
    +[service0@yourserver service0]$
    +
    /usr/local/pgsql/bin/psql service0 -f /usr/local/src/postgresql-7.2.3/contrib/tsearch/tsearch.sql
    +/usr/local/pgsql/bin/psql service0 -f /usr/local/src/postgresql-7.2.3/contrib/pgsql_contrib_openfts/openfts.sql
  9. [service0@yourserver service0]$ exit
     logout
     
     [root@yourserver root]# 

Configure an AOLserver Service for OpenACS

  1. The AOLserver architecture lets you run an arbitrary number of virtual servers. A virtual server is an HTTP service running on a specific port, e.g. port 80. In order for OpenACS to work, you - need to configure a virtual server. The Reference Platform uses a configuration file included in the OpenACS tarball. Copy it to the /web/server0/etc directory and open it in an editor to adjust the parameters.

    [root@yourserver root]# su - server0
    -[server0@yourserver server0]$ cd /web/server0/etc
    -[server0@yourserver etc]# cp /web/server0/packages/acs-core-docs/www/files/config.tcl.txt config.tcl
    -[server0@yourserver etc]# emacs config.tcl
    +	  need to configure a virtual server.  The Reference Platform uses a configuration file included in the OpenACS tarball.  Copy it to the /web/service0/etc directory and open it in an editor to adjust the parameters.

    [root@yourserver root]# su - service0
    +[service0@yourserver service0]$ cd /web/service0/etc
    +[service0@yourserver etc]# cp /web/service0/packages/acs-core-docs/www/files/config.tcl.txt config.tcl
    +[service0@yourserver etc]# emacs config.tcl
     

    You can continue without changing any values in the file. However, if you don't change address to match the computer's ip address, you won't be able to browse to your server from other machines.

    • httpport - If you want your server on a different port, enter it here. The Reference Platform port is 8000, which is suitable for development use. Port 80 is the standard http port - it's the port used by your browser when you enter http://yourserver.test. So you should use port 80 for your production site.

    • httpsport - This is the port for https requests. The Reference Platform https port is 8443. If http port is set to 80, httpsport should be 143 to match the standard.

    • - address - The IP address of the server. If you are hosting multiple IPs on one computer, this is the address specific to the web site. Each virtual server will ignore any requests directed at other addresses.

    • server - This is the keyword that, by convention, identifies the service. It is also used as part of the path for the service root, as the name of the user for running the service, as the name of the database, and in various dependent places. The Reference Platform uses server0. + address - The IP address of the server. If you are hosting multiple IPs on one computer, this is the address specific to the web site. Each virtual server will ignore any requests directed at other addresses.

    • server - This is the keyword that, by convention, identifies the service. It is also used as part of the path for the service root, as the name of the user for running the service, as the name of the database, and in various dependent places. The Reference Platform uses service0.

    • db_name - In almost all cases, this can be kept as a reference to $server. If for some reason, @@ -327,96 +337,96 @@ started, but for more options, read the AOLServer docs.

    • OPTIONAL: To run OpenFTS, uncomment this line from config.tcl. (To uncomment a line in a tcl file, remove the # at the beginning of the line.)

      #ns_param   nsfts           ${bindir}/nsfts.so
    • OPTIONAL: To run nsopenssl:

      1. Uncomment this line from config.tcl.

        #ns_param   nsopenssl       ${bindir}/nsopenssl.so
        -
      2. Prepare a certificate directory for the service.

        [server0@yourserver etc]$ mkdir /web/server0/etc/certs
        -[server0@yourserver etc]$ chmod 700 /web/server0/etc/certs
        -[server0@yourserver etc]$ 
        -
        mkdir /web/server0/etc/certs
        -chmod 700 /web/server0/etc/certs
      3. It takes two files to support an SSL connection. The certificate is the public half of the key pair - the server sends the certificate to browser requesting ssl. The key is the private half of the key pair. In addition, the certificate must be signed by Certificate Authority or browsers will protest. Each web browser ships with a built-in list of acceptable Certificate Authorities (CAs) and their keys. Only a site certificate signed by a known and approved CA will work smoothly. Any other certificate will cause browsers to produce some messages or block the site. Unfortunately, getting a site certificate signed by a CA costs money. In this section, we'll generate an unsigned certificate which will work in most browsers, albeit with pop-up messages.

        Use an OpenSSL perl script to generate a certificate and key.

        [server0@yourserver server0]$ cd /web/server0/etc/certs
        -[server0@yourserver certs]$ perl /usr/share/ssl/misc/CA -newcert
        +
      4. Prepare a certificate directory for the service.

        [service0@yourserver etc]$ mkdir /web/service0/etc/certs
        +[service0@yourserver etc]$ chmod 700 /web/service0/etc/certs
        +[service0@yourserver etc]$ 
        +
        mkdir /web/service0/etc/certs
        +chmod 700 /web/service0/etc/certs
      5. It takes two files to support an SSL connection. The certificate is the public half of the key pair - the server sends the certificate to browser requesting ssl. The key is the private half of the key pair. In addition, the certificate must be signed by Certificate Authority or browsers will protest. Each web browser ships with a built-in list of acceptable Certificate Authorities (CAs) and their keys. Only a site certificate signed by a known and approved CA will work smoothly. Any other certificate will cause browsers to produce some messages or block the site. Unfortunately, getting a site certificate signed by a CA costs money. In this section, we'll generate an unsigned certificate which will work in most browsers, albeit with pop-up messages.

        Use an OpenSSL perl script to generate a certificate and key.

        [service0@yourserver service0]$ cd /web/service0/etc/certs
        +[service0@yourserver certs]$ perl /usr/share/ssl/misc/CA -newcert
         Using configuration from /usr/share/ssl/openssl.cnf
         Generating a 1024 bit RSA private key
         ...++++++
         .......++++++
         writing new private key to 'newreq.pem'
         Enter PEM pass phrase:

        Enter a pass phrase for the CA certificate. Then, answer the rest of the questions. At the end you should see this:

        Certificate (and private key) is in newreq.pem
        -[server0@yourserver certs]$

        newreq.pem contains our certificate and private key. The key is protected by a passphrase, which means that we'll have to enter the pass phrase each time the server starts. This is impractical and unnecessary, so we create an unprotected version of the key. Security implication: if anyone gets access to the file keyfile.pem, they effectively own the key as much as you do. Mitigation: don't use this key/cert combo for anything besides providing ssl for the web site.

        [root@yourserver misc]# openssl rsa -in newreq.pem -out keyfile.pem
        +[service0@yourserver certs]$

        newreq.pem contains our certificate and private key. The key is protected by a passphrase, which means that we'll have to enter the pass phrase each time the server starts. This is impractical and unnecessary, so we create an unprotected version of the key. Security implication: if anyone gets access to the file keyfile.pem, they effectively own the key as much as you do. Mitigation: don't use this key/cert combo for anything besides providing ssl for the web site.

        [root@yourserver misc]# openssl rsa -in newreq.pem -out keyfile.pem
         read RSA key
         Enter PEM pass phrase:
         writing RSA key
        -[server0@yourserver certs]$ 

        To create the certificate file, we take the combined file, copy it, and strip out the key.

        [server0@yourserver certs]$ cp newreq.pem certfile.pem
        +[service0@yourserver certs]$ 

        To create the certificate file, we take the combined file, copy it, and strip out the key.

        [service0@yourserver certs]$ cp newreq.pem certfile.pem
         [root@yourserver misc]# emacs certfile.pem

        Strip out the section that looks like

        -----BEGIN RSA PRIVATE KEY-----
         Proc-Type: 4,ENCRYPTED
         DEK-Info: DES-EDE3-CBC,F3EDE7CA1B404997
         S/Sd2MYA0JVmQuIt5bYowXR1KYKDka1d3DUgtoVTiFepIRUrMkZlCli08mWVjE6T
         (11 lines omitted)
         1MU24SHLgdTfDJprEdxZOnxajnbxL420xNVc5RRXlJA8Xxhx/HBKTw==
        ------END RSA PRIVATE KEY-----

Verify AOLserver startup

  1. +-----END RSA PRIVATE KEY-----

Verify AOLserver startup

  1. Kill any current running AOLserver processes and start a new one. (Note, if you are using Oracle, rather than PostgreSQL, replace nsd-postgres with - nsd-oracle). If you are using port 80, you must be root for this step.

    [server0@yourserver etc]$ killall nsd
    +	  nsd-oracle).  If you are using port 80, you must be root for this step. 

    [service0@yourserver etc]$ killall nsd
     nsd: no process killed
    -[server0@yourserver server0]$ /usr/local/aolserver/bin/nsd-postgres -t /web/server0/etc/config.tcl
    -[server0@yourserver server0]$ [08/Mar/2003:18:13:29][32131.8192][-main-] Notice: nsd.tcl: starting to read config file...
    +[service0@yourserver service0]$ /usr/local/aolserver/bin/nsd-postgres -t /web/service0/etc/config.tcl
    +[service0@yourserver service0]$ [08/Mar/2003:18:13:29][32131.8192][-main-] Notice: nsd.tcl: starting to read config file...
     [08/Mar/2003:18:13:29][32131.8192][-main-] Notice: nsd.tcl: finished reading config file.
  2. Attempt to connect to the service from a web browser as you did You should specify a URL like:

    http://yourserver.test:8000

    You should see a page that looks like this. If you imported your files into cvs, now that you know it worked you can erase the temp - directory with rm -rf /web/server0.orig. + directory with rm -rf /web/service0.orig.

    If you don't see the login page, view your error log - (/web/server0/log/server0-error.log) + (/web/service0/log/service0-error.log) to make sure the service is starting without any problems. If you need to make changes, don't forget to kill any running servers with killall nsd. -

  3. OPTIONAL - Automate AOLserver keepalive

    Assuming AOLserver started cleanly in the previous step, we'll set it up so that it's always running, and automatically restarts whenever it dies or is stopped. This step is strongly recommended, even for development sites, because it makes install and maintenance much simpler.

    The Reference Platform uses Daemontools to control AOLserver. An earlier method using init, less flexible and reliable, is here.

    1. Daemontools must already be installed. If not, install it.

    2. Each service controlled by daemontools must have a directory in /service. That directory must have a file called run. Daemontools then creates additional files and directories to track status and log. Create the appropriate directory as /web/server0/etc/daemontools, copy the prepared run file, and set permissions. If your server is not called server0, edit /web/server0/etc/run accordingly.

      [server0@yourserver log]$ cd /web/server0/etc
      -[server0@yourserver etc]$ mkdir daemontools
      -[server0@yourserver etc]$ cp /web/server0/packages/acs-core-docs/www/files/run.txt daemontools/run
      -[server0@yourserver etc]$ chmod 700 daemontools/run
      -
      cd /web/server0/etc
      +	

    3. OPTIONAL - Automate AOLserver keepalive

      Assuming AOLserver started cleanly in the previous step, we'll set it up so that it's always running, and automatically restarts whenever it dies or is stopped. This step is strongly recommended, even for development sites, because it makes install and maintenance much simpler.

      The Reference Platform uses Daemontools to control AOLserver. An earlier method using init, less flexible and reliable, is here.

      1. Daemontools must already be installed. If not, install it.

      2. Each service controlled by daemontools must have a directory in /service. That directory must have a file called run. Daemontools then creates additional files and directories to track status and log. Create the appropriate directory as /web/service0/etc/daemontools, copy the prepared run file, and set permissions. If your server is not called service0, edit /web/service0/etc/run accordingly.

        [service0@yourserver log]$ cd /web/service0/etc
        +[service0@yourserver etc]$ mkdir daemontools
        +[service0@yourserver etc]$ cp /web/service0/packages/acs-core-docs/www/files/run.txt daemontools/run
        +[service0@yourserver etc]$ chmod 700 daemontools/run
        +
        cd /web/service0/etc
         mkdir daemontools
        -cp /web/server0/packages/acs-core-docs/www/files/run.txt daemontools/run
        -chmod 700 daemontools/run
      3. Kill any existing AOLserver instances. As root, link the daemontools directory into the /service directory. Daemontools' svscan process checks this directory every five seconds, and will quickly execute run.

        [server0@yourserver etc]$ killall nsd
        +cp /web/service0/packages/acs-core-docs/www/files/run.txt daemontools/run
        +chmod 700 daemontools/run
      4. Kill any existing AOLserver instances. As root, link the daemontools directory into the /service directory. Daemontools' svscan process checks this directory every five seconds, and will quickly execute run.

        [service0@yourserver etc]$ killall nsd
         nsd: no process killed
        -[server0@yourserver etc]$ exit
        +[service0@yourserver etc]$ exit
         
        -[root@yourserver root]# ln -s /web/server0/etc/daemontools/ /service/server0

        Verify that AOLserver is running.

        [root@yourserver root]# ps -auxw | grep nsd
        -server0   5562 14.2  6.2 22436 15952 ?       S    11:55   0:04 /usr/local/aolserver/bin/nsd -it /web/server0/etc/config.tcl -u serve
        +[root@yourserver root]# ln -s /web/service0/etc/daemontools/ /service/service0

        Verify that AOLserver is running.

        [root@yourserver root]# ps -auxw | grep nsd
        +service0   5562 14.2  6.2 22436 15952 ?       S    11:55   0:04 /usr/local/aolserver/bin/nsd -it /web/service0/etc/config.tcl -u serve
         root      5582  0.0  0.2  3276  628 pts/0    S    11:55   0:00 grep nsd
        -[root@yourserver root]#
      5. The user server0 can now control the service server0 with these commands:

      Back up the New Service - OPTIONAL

      This is a very good time to back the service, even if it's not a production service. Making a backup now lets you roll back to this initial, clean setup at any point in the future, without repeating the install process. A full OpenACS service backup includes everything in the /web/server0/ directory. At this point it's probably sufficient to back up just the database, because you can recover the files from a tarball.

      Note that, if you did the CVS options in this document, the /web/server0/etc directory is not included in cvs and you may want to add it.

      • PostGreSQL.�Create a backup file and verify that it was created and has a reasonable size (several megabytes).

        [server0@yourserver server0]$ mkdir /web/server0/database-backup
        -[server0@yourserver server0]$ pg_dump -f /web/server0/database-backup/initial_backup.dmp server0
        -[server0@yourserver server0]$ ls -al /web/server0/database-backup
        +

  4. Restart the service.

    [service0@yourserver service0]$ svc -t /service/service0
    +[service0@yourserver service0]$
  5. Test FTS. (INCOMPLETE). Add a package that supports search,like "note," add some content, and search for it.

Back up the New Service - OPTIONAL

This is a very good time to back the service, even if it's not a production service. Making a backup now lets you roll back to this initial, clean setup at any point in the future, without repeating the install process. A full OpenACS service backup includes everything in the /web/service0/ directory. At this point it's probably sufficient to back up just the database, because you can recover the files from a tarball.

Note that, if you did the CVS options in this document, the /web/service0/etc directory is not included in cvs and you may want to add it.

  • PostGreSQL.�Create a backup file and verify that it was created and has a reasonable size (several megabytes).

    [service0@yourserver service0]$ mkdir /web/service0/database-backup
    +[service0@yourserver service0]$ pg_dump -f /web/service0/database-backup/initial_backup.dmp service0
    +[service0@yourserver service0]$ ls -al /web/service0/database-backup
     total 1425
    -drwxr-xr-x    2 server0  web          1024 Mar  9 14:13 .
    -drwx------   11 server0  web          1024 Mar  9 14:11 ..
    --rw-r--r--    1 server0  web       1449826 Mar  9 14:13 initial_backup.dmp
    -[server0@yourserver server0]$
    -
    mkdir /web/server0/database-backup
    -pg_dump -f /web/server0/database-backup/initial_backup.dmp server0
    -ls -al /web/server0/database-backup
  • Oracle - INCOMPLETE.�

Set up Automated Backup - OPTIONAL

Backup can encompass all files in /web/server0. For a development server, putting the files in cvs is sufficient. (It's important then to back up the cvs repository!)

A quick way to automate database backup is a cron job. This is not recommended for production and is not part of the Reference Platform, because it is not cross-platform and can fail silently. More thorough methods are documented in the section called “Backup Strategy”

[server0@yourserver server0]$ export EDITOR=emacs;crontab -e

Add this line to the file. The numbers and stars at the beginning are cron columns that specify when the program should be run - in this case, whenever the minute is 0 and the hour is 1, i.e., 1:00 am every day.

0 1 * * * /usr/local/pgsql/bin/pg_dump -f /web/server0/database-backup/server0_$(date +%Y-%m-%d).dmp server0

Set up Log Analysis Reports - OPTIONAL

Analog is a program with processes webserver access logs, +drwxr-xr-x 2 service0 web 1024 Mar 9 14:13 . +drwx------ 11 service0 web 1024 Mar 9 14:11 .. +-rw-r--r-- 1 service0 web 1449826 Mar 9 14:13 initial_backup.dmp +[service0@yourserver service0]$ +

mkdir /web/service0/database-backup
+pg_dump -f /web/service0/database-backup/initial_backup.dmp service0
+ls -al /web/service0/database-backup
  • Oracle - INCOMPLETE.�

  • Set up Automated Backup - OPTIONAL

    Backup can encompass all files in /web/service0. For a development server, putting the files in cvs is sufficient. (It's important then to back up the cvs repository!)

    A quick way to automate database backup is a cron job. This is not recommended for production and is not part of the Reference Platform, because it is not cross-platform and can fail silently. More thorough methods are documented in the section called “Backup Strategy”

    [service0@yourserver service0]$ export EDITOR=emacs;crontab -e

    Add this line to the file. The numbers and stars at the beginning are cron columns that specify when the program should be run - in this case, whenever the minute is 0 and the hour is 1, i.e., 1:00 am every day.

    0 1 * * * /usr/local/pgsql/bin/pg_dump -f /web/service0/database-backup/service0_$(date +%Y-%m-%d).dmp service0

    If you plan to back up the whole /web/service0 directory, then it would be redundant to keep a history of database backups. In that case, set up the cron job to overwrite the previous backup each time:

    0 1 * * * /usr/local/pgsql/bin/pg_dump -f /web/service0/database-backup/service0_nightly.dmp service0

    Set up Log Analysis Reports - OPTIONAL
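
Review bot: The dated crontab line in the "Set up Automated Backup" step (`service0_$(date +%Y-%m-%d).dmp`) will not run as written. cron turns an unescaped % in the command field into a newline and passes what follows to the command as standard input, so the command is cut off at `date +` and no dated dump is produced. Escape each percent sign (`date +\%Y-\%m-\%d`) or have cron call a small script that builds the file name. The newly added overwrite variant writes straight to service0_nightly.dmp, so a dump that fails part-way leaves a truncated file in place of the last good backup; dumping to a temporary name and renaming on success avoids that. Because the text itself warns that the job "can fail silently", it should also tell the reader to check the exit status or the dump size. Wording in the same hunk: "search,like" needs a space, "back the service" should read "back up the service", and "a program with processes" should read "a program which processes".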

    Analog is a program with processes webserver access logs, performs DNS lookup, and outputs HTML reports. Analog should already be installed. A modified configuration file is included in @@ -546,4 +556,4 @@ [root@yourserver root]# emacs /etc/cron.daily/analog

    Put this into the file:

    #!/bin/sh
     
    -/usr/share/analog-5.31/analog -G -g/web/service0/etc/analog.cfg
    [root@yourserver root]# chmod 755 /etc/cron.daily/analog

    Test it by running the script.

    [root@yourserver root]# sh /etc/cron.daily/analog

    Browse to http://yourserver.test/log/traffic.html

    Start customizing your service

    Now you can follow the instruction on the home page to change the appearance of your service or add more packages. Or you can proceed to the tutorial to learn how to develop your own packages.

    ($Id$)
    View comments on this page at openacs.org
    +/usr/share/analog-5.31/analog -G -g/web/service0/etc/analog.cfg
    [root@yourserver root]# chmod 755 /etc/cron.daily/analog

    Test it by running the script.

    [root@yourserver root]# sh /etc/cron.daily/analog

    Browse to http://yourserver.test/log/traffic.html

    Next Steps

    ($Id$)
    View comments on this page at openacs.org
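
Review bot: The /etc/cron.daily/analog script in this hunk runs analog as root against /web/service0/etc/analog.cfg, a config file inside the service account's own tree (the listing earlier in the patch shows /web/service0 owned by service0). Whatever that account puts in the config is then acted on with root privileges. Consider running the report from service0's crontab instead, or keeping the config root-owned outside /web/service0. The step also sends the reader to http://yourserver.test/log/traffic.html without saying whether /log/ should be access-restricted, which is worth stating since the report exposes traffic data. The removed and added analog lines look identical apart from whitespace, so please confirm that change is intended.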