How To Set Up NFS (Network File System)

Introduction

NFS (Network File System) allows you to 'share' a directory located on one networked computer with other computers/devices on that network. The computer 'sharing' the directory is called the server and the computers or devices connecting to that server are called clients. The clients 'mount' the shared directory, and it becomes part of their own directory structure.

NFS is perfect for a NAS (Networked Attached Storage) deployment in a Linux/Unix environment. It is a native Linux/Unix protocol as opposed to Samba which uses the SMB protocol developed by Microsoft. The Apple OS has good support for NFS. Windows 7 has some support for NFS.

NFS is perhaps best for more 'permanent' network mounted directories such as /home directories or regularly accessed shared resources. If you want a network share that guest users can easily connect to, Samba is more suited. This is because tools exist more readily across operating systems to temporarily mount and detach from Samba shares.

Before deploying NFS you should be familiar with:

  • Linux file and directory permissions
  • Mounting and detaching (unmounting) filesystems

NFSv4 quick start

Provided you understand what you are doing, use this brief walk-through to set up an NFSv4 server on Ubuntu (with no authentication security). Then mount the share on an Ubuntu client. It has been tested on Ubuntu 10.04 Lucid Lynx.

NFSv4 server

Install the required packages:

  # apt-get install nfs-kernel-server

NFSv4 exports exist in a single pseudo filesystem, where the real directories are mounted with the --bind option.

  • Let's say we want to export our users' home directories in /home/users. First we create the export filesystem:

    # mkdir -p /export/users

    It's important that /export and /export/users have 777 permissions as we will be accessing the NFS share from the client without LDAP/NIS authentication. This will not apply if using authentication (see below). Now mount the real users directory with:

    # mount --bind /home/users /export/users

    To save us from retyping this after every reboot we add the following line to /etc/fstab:

    /home/users    /export/users   none    bind  0  0

There are three configuration files that relate to an NFSv4 server: /etc/default/nfs-kernel-server, /etc/default/nfs-common and /etc/exports.

  • Those config files in our example would look like this:

    In /etc/default/nfs-kernel-server we set:

    NEED_SVCGSSD=no # no is default

    because we are not activating NFSv4 security this time.

    In /etc/default/nfs-common we set:

    NEED_IDMAPD=yes
    NEED_GSSD=no # no is default

    because we want UIDs/GIDs to be mapped from names.

In order for the ID names to be automatically mapped, both the client and server require the /etc/idmapd.conf file to have the same contents with the correct domain names. Furthermore, this file should have the following lines in the Mapping section:

  [Mapping]
  Nobody-User = nobody
  Nobody-Group = nogroup

However, the client may have different requirements for the Nobody-User and Nobody-Group. For example on RedHat variants, it's nfsnobody for both. cat /etc/passwd and cat /etc/group should show the "nobody" accounts.

This way, server and client do not need the users to share the same UID/GID.

For those who use LDAP-based authentication, add the following lines to your client's idmapd.conf:

[Translation]
Method = nsswitch

This will cause idmapd to know to look at nsswitch.conf to determine where it should look for credential information (and if you have LDAP authentication already working, nsswitch shouldn't require further explanation).

  • To export our directories to a local network 192.168.1.0/24 we add the following two lines to /etc/exports:

    /export       192.168.1.0/24(rw,fsid=0,insecure,no_subtree_check,async)
    /export/users 192.168.1.0/24(rw,nohide,insecure,no_subtree_check,async)

Now restart the service:

  # /etc/init.d/nfs-kernel-server restart

NFSv4 client

Install the required packages:

  # apt-get install nfs-common

The client needs the same changes to /etc/default/nfs-common to connect to an NFSv4 server.

  • In /etc/default/nfs-common we set:

    NEED_IDMAPD=yes
    NEED_GSSD=no # no is default

    because we want UIDs/GIDs to be mapped from names. This way, server and client do not need the users to share the same UID/GID. Remember that mount/fstab defaults to NFSv3, so "mount -t nfs4" is necessary to make this work.

On the client we can mount the complete export tree with one command:

  # mount -t nfs4 -o proto=tcp,port=2049 nfs-server:/ /mnt/

The directory paths must start and end with a forward slash, for example:

  sudo mount -t nfs4 -o proto=tcp,port=2049 fileshare-01:/mnt/local/sda1/ /mnt/nfs/fileshare-01.sda1/

Note that nfs-server:/export is not necessary in NFSv4, as it is in NFSv3. The root export :/ defaults to export with fsid=0.

It can fail sometimes with the message

mount.nfs4: No such device

You have to load the nfs module by giving the command

# modprobe nfs

To make sure that the module is loaded at each boot, simply add nfs on the last line of /etc/modules. We can also mount an exported subtree with:

  # mount -t nfs4 -o proto=tcp,port=2049 nfs-server:/users /home/users

To save us from retyping this after every reboot we add the following line to /etc/fstab:

  nfs-server:/   /mnt   nfs4    _netdev,auto  0  0

The auto option mounts on startup and the _netdev option waits until system network devices are loaded. However this will not work with WiFi as WiFi is set up at the user level (after login) not at system startup. If you use _netdev with WiFi the boot process will pause waiting for the server to become available.

Note that _netdev only works with NFS version 3 and before; nfs4 ignores this option. Depending on how fast the network comes up on boot the mount entry may fail and the system will just keep booting. It can still be useful if you write your own script that waits for the network to come up and then runs mount -a -O _netdev.

Ubuntu Server doesn't come with any init.d/netfs or other scripts to do this for you.
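Since no such script ships with Ubuntu Server, here is an added example of one (not from the original page): it polls the NFS server's TCP port 2049 and only then runs the mount -a -O _netdev mentioned above. The server name nfs-server, the port and the 60 second timeout are assumptions taken from this guide's own fstab line and can be overridden in the environment; the probe relies on nc, with bash's /dev/tcp as a fallback.

```sh
#!/bin/sh
# Added example (not from the page): a client-side boot or network-up hook
# that waits for the NFS server to answer on TCP/2049 before running
# "mount -a -O _netdev", so a slow link does not leave the fstab entries
# unmounted. Defaults (assumed) come from this guide's fstab example.

NFS_SERVER="${NFS_SERVER:-nfs-server}"
NFS_PORT="${NFS_PORT:-2049}"
WAIT_SECONDS="${WAIT_SECONDS:-60}"

# One TCP connect attempt to $1:$2; returns 0 if the port accepts.
probe_tcp() {
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 2 "$1" "$2" >/dev/null 2>&1
    else
        # Fallback for hosts without nc: bash's /dev/tcp pseudo-device.
        bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1
    fi
}

# Poll $4 (a probe command, default probe_tcp) against $1:$2 once per second
# until it succeeds or $3 seconds have passed. Returns 1 on timeout.
wait_for_server() {
    host=$1; port=$2; timeout=$3; probe=${4:-probe_tcp}
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if "$probe" "$host" "$port"; then
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

# Mount everything in /etc/fstab marked _netdev once the server is reachable.
# Needs root; logs to stderr and returns 1 if the server never answered.
mount_netdev_shares() {
    if wait_for_server "$NFS_SERVER" "$NFS_PORT" "$WAIT_SECONDS"; then
        mount -a -O _netdev
    else
        echo "NFS server $NFS_SERVER:$NFS_PORT not reachable after ${WAIT_SECONDS}s, skipping _netdev mounts" >&2
        return 1
    fi
}

# Only act when invoked as "sh wait-for-nfs.sh run"; sourcing the file
# just defines the functions.
if [ "${1:-}" = "run" ]; then
    mount_netdev_shares
fi
```

Run it as "sudo sh wait-for-nfs.sh run" from whatever hook fires when the network is up (for WiFi, a post-login hook rather than an init script, for the reason given above). Because the probe is an ordinary command argument, the wait logic can be exercised without a server by passing a stub that always succeeds or always fails.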

NFS Server

Pre-Installation Setup

None of the following pre-installation steps are strictly necessary.

User Permissions

NFS user permissions are based on user ID (UID). UIDs of any users on the client must match those on the server in order for the users to have access. The typical ways of doing this are:

  • Manual password file synchronization
  • Use of LDAP
  • Use of NIS

It's also important to note that you have to be careful on systems where the main user has root access – that user can change UIDs on the system to allow themselves access to anyone's files. This page assumes that the administrative team is the only group with root access and that they are all trusted. Anything else represents a more advanced configuration, and will not be addressed here.

Group Permissions

With NFS, a user's access to files is determined by his/her membership of groups on the client, not on the server. However, there is an important limitation: a maximum of 16 groups are passed from the client to the server, and, if a user is member of more than 16 groups on the client, some files or directories might be unexpectedly inaccessible.
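The two pitfalls just described (UIDs that differ between client and server, and users in more than 16 groups) are easy to check before going live. The following pre-flight script is an added example, not part of the original page: it compares two passwd files and counts supplementary group memberships in a group file. The sample passwd and group data it writes are constructed for the demo and are not real system files; on a real deployment you would point it at copies of /etc/passwd and /etc/group from each machine.

```sh
#!/bin/sh
# Added example (not from the page): pre-flight checks for the two AUTH_SYS
# pitfalls above: UIDs that differ between server and client, and users who
# belong to more than 16 supplementary groups.

# Print users present in both passwd files whose UID differs.
# $1 = server passwd file, $2 = client passwd file
uid_mismatches() {
    awk -F: '
        NR == FNR { uid[$1] = $3; next }            # first file: remember server UIDs
        ($1 in uid) && uid[$1] != $3 {               # second file: compare client UIDs
            printf "%s server=%s client=%s\n", $1, uid[$1], $3
        }' "$1" "$2"
}

# Print users whose number of supplementary groups exceeds $2 (16 for NFS).
# $1 = group file (members are the comma-separated fourth field)
over_group_limit() {
    awk -F: -v limit="$2" '
        {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) if (members[i] != "") count[members[i]]++
        }
        END { for (u in count) if (count[u] > limit) print u, count[u] }' "$1"
}

# Write constructed sample files (NOT real system data) into directory $1:
# bob has a different UID on the client and is in 17 supplementary groups.
write_sample_files() {
    dir=$1
    printf '%s\n' 'alice:x:1000:1000::/home/alice:/bin/sh' \
                  'bob:x:1001:1001::/home/bob:/bin/sh' \
                  'carol:x:1002:1002::/home/carol:/bin/sh' > "$dir/server.passwd"
    printf '%s\n' 'alice:x:1000:1000::/home/alice:/bin/sh' \
                  'bob:x:1003:1003::/home/bob:/bin/sh' \
                  'dave:x:1004:1004::/home/dave:/bin/sh' > "$dir/client.passwd"
    : > "$dir/client.group"
    i=1
    while [ "$i" -le 17 ]; do
        printf 'proj%d:x:%d:bob\n' "$i" $((2000 + i)) >> "$dir/client.group"
        i=$((i + 1))
    done
    printf 'staff:x:100:alice\n' >> "$dir/client.group"
}

# "sh nfs-preflight.sh demo" runs both checks on the sample data;
# "sh nfs-preflight.sh server.passwd client.passwd client.group" checks real copies.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_sample_files "$d"
    uid_mismatches "$d/server.passwd" "$d/client.passwd"
    over_group_limit "$d/client.group" 16
    rm -rf "$d"
elif [ $# -eq 3 ]; then
    uid_mismatches "$1" "$2"
    over_group_limit "$3" 16
fi
```

On the sample data the first check reports bob (UID 1001 on the server, 1003 on the client) and the second reports bob with 17 groups; either finding is the kind of thing that shows up later as an unexplained "Permission denied" on the client.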

Host Names

optional if using DNS

Add any client name and IP addresses to /etc/hosts. The real (not 127.0.0.1) IP address of the server should already be here. This ensures that NFS will still work even if DNS goes down. You could rely on DNS if you wanted, it's up to you.

NIS

optional – perform steps only if using NIS

Note: This only works if using NIS. Otherwise, you can't use netgroups, and should specify individual IP's or hostnames in /etc/exports. Read the BUGS section in man netgroup.

Edit /etc/netgroup and add a line to classify your clients. (This step is not necessary, but is for convenience).

myclients (client1,,) (client2,,)

Obviously, more clients can be added. myclients can be anything you like; this is a netgroup name.

Run this command to rebuild the YP database:

sudo make -C /var/yp

Portmap Lockdown

optional

Add the following line to /etc/hosts.deny:

portmap mountd nfsd statd lockd rquotad : ALL

By blocking all clients first, only clients in /etc/hosts.allow below will be allowed to access the server.

Now add the following line to /etc/hosts.allow:

portmap mountd nfsd statd lockd rquotad : list of IP addresses

Where the "list of IP addresses" string is, you need to make a list of IP addresses that consists of the server and all clients. These have to be IP addresses because of a limitation in portmap (it doesn't like hostnames). Note that if you have NIS set up, just add these to the same line.

Installation and Configuration

Install NFS Server

sudo apt-get install portmap nfs-kernel-server

Shares

Edit /etc/exports and add the shares:

/home @myclients(rw,sync,no_subtree_check)
/usr/local @myclients(rw,sync,no_subtree_check)

The above shares /home and /usr/local to all clients in the myclients netgroup.

/home 192.168.0.10(rw,sync,no_subtree_check) 192.168.0.11(rw,sync,no_subtree_check)
/usr/local 192.168.0.10(rw,sync,no_subtree_check) 192.168.0.11(rw,sync,no_subtree_check)

The above shares /home and /usr/local to two clients with fixed ip addresses. Best used only with machines that have static ip addresses.

/home 192.168.0.0/255.255.255.0(rw,sync,no_subtree_check)
/usr/local 192.168.0.0/255.255.255.0(rw,sync,no_subtree_check)

The above shares /home and /usr/local to all clients in the private network falling within the designated ip address range.

rw makes the share read/write, and sync requires the server to only reply to requests once any changes have been flushed to disk. This is the safest option (async is faster, but dangerous). It is strongly recommended that you read man exports.

After setting up /etc/exports, export the shares:

sudo exportfs -ra

You'll want to do this command whenever /etc/exports is modified.
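Because the quick-start exports above use insecure and async, and this section warns that async is dangerous, a small audit of /etc/exports is worth running each time before exportfs -ra. The script below is an added example, not from the original page: it parses the exports format (path followed by client(options) specs), and reports exports open to any host along with the insecure, async and no_root_squash options. The sample file it writes is constructed from this guide's own lines plus two deliberately risky ones.

```sh
#!/bin/sh
# Added example (not from the page): audit an /etc/exports file for the
# options this guide uses or warns about. Flags exports open to any host
# ("*" or no client given) and the insecure, async and no_root_squash options.

# Print one line per client spec that has a finding: "<path> <client>: <findings>"
# $1 = path to an exports file
audit_exports() {
    awk '
    /^[[:space:]]*#/ { next }                        # skip comments
    NF == 0 { next }                                 # skip blank lines
    {
        path = $1
        if (NF == 1) { printf "%s *: exported-to-any-host\n", path; next }
        for (i = 2; i <= NF; i++) {
            spec = $i; client = spec; opts = ""
            if (match(spec, /\(.*\)/)) {             # split "client(opt,opt)" into parts
                client = substr(spec, 1, RSTART - 1)
                opts = substr(spec, RSTART + 1, RLENGTH - 2)
            }
            if (client == "") client = "*"           # "path (opts)" with a space means every host
            findings = ""
            if (client == "*") findings = findings " exported-to-any-host"
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++)
                if (o[j] == "insecure" || o[j] == "async" || o[j] == "no_root_squash")
                    findings = findings " " o[j]
            if (findings != "") printf "%s %s:%s\n", path, client, findings
        }
    }' "$1"
}

# Write a constructed sample: the quick-start lines from this guide plus two risky ones.
write_sample_exports() {
    cat > "$1" <<'EOF'
# constructed sample exports file
/export       192.168.1.0/24(rw,fsid=0,insecure,no_subtree_check,async)
/export/users 192.168.1.0/24(rw,nohide,insecure,no_subtree_check,async)
/home         @myclients(rw,sync,no_subtree_check)
/srv/scratch  *(rw,no_root_squash)
/srv/public
EOF
}

# "sh audit-exports.sh demo" audits the sample; "sh audit-exports.sh /etc/exports" audits the real file.
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp); write_sample_exports "$f"; audit_exports "$f"; rm -f "$f"
elif [ -n "${1:-}" ]; then
    audit_exports "$1"
fi
```

On the sample, the two quick-start lines are reported for insecure and async, the @myclients line (rw,sync,no_subtree_check) produces nothing, and the last two lines are reported as exported to any host, one of them also for no_root_squash. The shares in this section, with sync and a netgroup or address range, come out clean.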

Restart Services

By default, portmap only binds to the loopback interface. To enable access to portmap from remote machines, you need to change /etc/default/portmap to get rid of either "-l" or "-i 127.0.0.1".

If /etc/default/portmap was changed, portmap will need to be restarted:

sudo /etc/init.d/portmap restart

The NFS kernel server will also require a restart:

sudo /etc/init.d/nfs-kernel-server restart

Security Note

Aside from the UID issues discussed above, it should be noted that an attacker could potentially masquerade as a machine that is allowed to map the share, which allows them to create arbitrary UIDs to access your files. One potential solution to this is IPSec, see also the NFS and IPSec section below. You can set up all your domain members to talk only to each other over IPSec, which will effectively authenticate that your client is who it says it is.

IPSec works by encrypting traffic to the server with the server's key, and the server sends back all replies encrypted with the client's key. The traffic is decrypted with the respective keys. If the client doesn't have the keys that the client is supposed to have, it can't send or receive data.

An alternative to IPSec is physically separate networks. This requires a separate network switch and separate ethernet cards, and physical security of that network.

NFS Client

Installation

sudo apt-get install portmap nfs-common

Portmap Lockdown

optional

Add the following line to /etc/hosts.deny:

portmap : ALL

By blocking all clients first, only clients in /etc/hosts.allow below will be allowed to access the server.

Now add the following line to /etc/hosts.allow:

portmap : NFS server IP address

Where "NFS server IP address" is the IP address of the server. This must be numeric! It's the way portmap works.

Host Names

optional if using DNS

Add the server name to /etc/hosts. This ensures the NFS mounts will still work even if DNS goes down. You could rely on DNS if you wanted, it's up to you.

Mounts

Check to see if everything works

You should try and mount it now. The basic template you will use is:

sudo mount ServerIP:/folder/already/setup/to/be/shared /home/username/folder/in/your/local/computer

so for example:

sudo mount 192.168.1.42:/home/music /home/poningru/music

Mount at startup

NFS mounts can either be automatically mounted when accessed using autofs or can be set up with static mounts using entries in /etc/fstab. Both are explained below.

Automounter

Install autofs:

sudo apt-get install autofs

The following configuration example sets up home directories to automount off an NFS server upon logging in. Other directories can be set up to automount upon access as well.

Add the following line to the end of /etc/auto.master:

  /home         /etc/auto.home

Now create /etc/auto.home and insert the following:

  *             solarisbox1.company.com.au,solarisbox2.company.com.au:/export/home/&

The above line automatically mounts any directory accessed at /home/[username] on the client machine from either solarisbox1.company.com.au:/export/home/[username] or solarisbox2.company.com.au:/export/home/[username].

Restart autofs to enable the configuration:

sudo /etc/init.d/autofs restart

Static Mounts

Prior to setting up the mounts, make sure the directories that will act as mountpoints are already created.

In /etc/fstab, add lines for shares such as:

servername:dir /mntpoint nfs rw,hard,intr 0 0

The rw mounts it read/write. Obviously, if the server is sharing it read only, the client won't be able to mount it as anything more than that. The hard mounts the share such that if the server becomes unavailable, the program will wait until it is available. The alternative is soft. intr allows you to interrupt/kill the process. Otherwise, it will ignore you. Documentation for these can be found in the Mount options for nfs section of man mount.

The filesystems can now be mounted with mount /mountpoint, or mount -a to mount everything that should be mounted at boot.

Notes

Minimalistic NFS Set Up

The steps above are very comprehensive. The minimum number of steps required to set up NFS are listed here:

http://www.ubuntuforums.org/showthread.php?t=249889

Using Groups with NFS Shares

When using groups on NFS shares (NFSv2 or NFSv3), keep in mind that this might not work if a user is a member of more than 16 groups. This is due to limitations in the NFS protocol. You can find more information on Launchpad ("Permission denied when user belongs to group that owns group writable or setgid directories mounted via nfs") and in this article: "What's the deal on the 16 group id limitation in NFS?"

IPSec Notes

If you're using IPSec, the default shutdown order in Breezy/Dapper causes the client to hang as it's being shut down because IPSec goes down before NFS does. To fix it, do:

sudo update-rc.d -f setkey remove
sudo update-rc.d setkey start 37 0 6 S .

A bug has been filed here: https://launchpad.net/distros/ubuntu/+source/ipsec-tools/+bug/37536

Troubleshooting

Mounting NFS shares in encrypted home won't work on boot

Mounting an NFS share inside an encrypted home directory will only work after you are successfully logged in and your home is decrypted. This means that using /etc/fstab to mount NFS shares on boot will not work – because your home has not been decrypted at the time of mounting. There is a simple way around this using Symbolic links:

  • Create an alternative directory to mount the NFS shares in:

    $ sudo mkdir /nfs
    $ sudo mkdir /nfs/music

  • Edit /etc/fstab to mount the NFS share into that directory instead:

    nfsServer:music /nfs/music nfs4 _netdev,auto 0 0

  • Create a symbolic link inside your home, pointing to the actual mount location (in our case delete the 'Music' directory already existing there first):

    $ rmdir /home/user/Music
    $ ln -s /nfs/music/ /home/user/Music

Other resources

How to administer Ubuntu Server remotely using Webmin

http://www.havetheknowhow.com/Configure-the-server/Install-Webmin.html

NOTE: If you're jumping into this guide here and have not been following from the start then it's worth mentioning that this guide has been tested on Maverick Meerkat 10.10, Lucid Lynx 10.04, Karmic Koala 9.10, 9.04 Jaunty, and 8.10 Intrepid.

Webmin is a fantastic application which makes the administration of Ubuntu Server a breeze. It's a web-based interface enabling you to configure and maintain your server without having to go near any configuration files or learn any Linux commands.

To install Webmin via Putty you first need to go to http://www.webmin.com/download.html and look under the heading "Debian package suitable for Debian, Ubuntu or other derived Linux" to determine the latest version. At the time of writing this is webmin_1.580_all.deb.

NOTE: As and when later versions of Webmin are released you don't have to re-install the application from scratch using these instructions. Each time you launch Webmin via your browser Webmin automatically checks to see whether a newer version has been released and offers to perform the upgrade for you.

TIP: If you're using Putty and are going to be following this guide step-by-step then you can save yourself some typing by simply highlighting each command, right-clicking on it and selecting Copy. Then toggle over to your Putty Session and right-click once more. The command you've just copied from here will be automatically pasted into your Putty Session.

So, once you've determined the latest Webmin version type/paste the following command into a Putty Session:

wget http://prdownloads.sourceforge.net/webadmin/webmin_1.580_all.deb

which will download the package into your current directory. Obviously you should replace webmin_1.580_all.deb with whatever the latest version is called.

Now type the following commands:

sudo apt-get update

sudo apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl libapt-pkg-perl apt-show-versions

this will install the packages required by Webmin. Now type:

sudo dpkg -i webmin_1.580_all.deb

to unpack it. Obviously, as above, replace webmin_1.580_all.deb with whatever the latest version is called.

NOTE: If webmin says that it encountered errors preventing it from installing then type the following command to fix. Webmin will then re-install itself automatically:

sudo apt-get install -f

Once it's completed it should report a message along the following lines:

Webmin install complete. You can now login to https://MyMediaServer:10000/ as root with your root password, or as any user who can use sudo to run commands as root.

I recommend changing the Webmin password by typing the following command:

sudo /usr/share/webmin/changepass.pl /etc/webmin root YourNewPassword

where YourNewPassword is the password you want to use. This will return a message along the lines of "Updated password of Webmin user root".

You can now delete the Webmin installation file by typing:

rm webmin_1.580_all.deb

Launching Webmin

To launch Webmin type the following string into the address bar of your browser:

https://mymediaserver:10000/

where mymediaserver is the name you gave your server when you installed Ubuntu. Instead of using the server name the IP address of the server will work just fine.

The first time you launch Webmin your browser will likely complain about the certificate for this site so just add the site as an exception to continue.

You should then be prompted for a username and password. Enter root for the username and use the password you just created above. You should then see the Webmin Home Screen similar to the one below:

Webmin Homepage

WebMin for Ubuntu


http://www.havetheknowhow.com/Configure-the-server/Configure-NFS.html

How To Set Up MySQL

http://ariejan.net/2007/12/12/how-to-install-mysql-on-ubuntudebian/

https://help.ubuntu.com/11.04/serverguide/C/mysql.html

MySQL is a fast, multi-threaded, multi-user, and robust SQL database server. It is intended for mission-critical, heavy-load production systems as well as for embedding into mass-deployed software.

Get ready

sudo apt-get update
sudo apt-get dist-upgrade

Installation

To install MySQL, run the following command from a terminal prompt:

sudo apt-get install mysql-server

During the installation process you will be prompted to enter a password for the MySQL root user.

Once the installation is complete, the MySQL server should be started automatically. You can run the following command from a terminal prompt to check whether the MySQL server is running:

sudo netstat -tap | grep mysql

When you run this command, you should see the following line or something similar:

tcp        0      0 localhost:mysql         *:*                     LISTEN      2556/mysqld

If the server is not running correctly, you can type the following command to start it:

sudo /etc/init.d/mysql restart

Configuration

You can edit the /etc/mysql/my.cnf file to configure the basic settings — log file, port number, etc. For example, to configure MySQL to listen for connections from network hosts, change the bind-address directive to the server's IP address:

# — daq — bind-address = 127.0.0.1
After making a change to /etc/mysql/my.cnf the mysql daemon will need to be restarted:

sudo /etc/init.d/mysql restart

The mysql prompt

In order to get to the mysql prompt you will want to issue the command:

mysql -u root -p mysql

Where root is the MySQL administrative user (most likely it is root).

You will be prompted for the MySQL administrator's password. After you have successfully authenticated you will have a new prompt that looks like:

mysql>

You are now at the MySQL prompt. You only have one command to enter for this to work. You will want to enter this command carefully:

GRANT ALL PRIVILEGES ON *.* TO 'username'@'address' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON *.* TO 'root'@'192.168.1.198' IDENTIFIED BY 'QBW password';
FLUSH PRIVILEGES;

Where username is the username on the remote machine that will be connecting, address is the IP address of the remote machine, and password is the password that will be used by the remote user.

When that command is issued successfully you should see something like:

Query OK, 0 rows affected (0.00 sec)

As long as you get Query OK, you should be good to go.

Now when you need to connect from a remote machine you will use the IP address of the MySQL server and the username and password you entered at the MySQL command prompt.

That's it. Your MySQL server is ready to accept remote connections.

Tutorial for MySQL

Show grants for user "root" and on IP 192.168.1.198:

select * from information_schema.user_privileges where grantee like "'root'%";
select * from information_schema.user_privileges where grantee like "%'192.168.1.198'";

Delete grants for user "root" on IP 192.168.1.198:

REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'root'@'192.168.1.198';

Root Password change

If you would like to change the MySQL root password, in a terminal enter:

sudo dpkg-reconfigure mysql-server-5.1

The mysql daemon will be stopped, and you will be prompted to enter a new password.

You may need to open port if using firewalls

You need to open port 3306 using iptables or BSD pf firewall.
A sample iptables rule to open port 3306 in the Linux iptables firewall:

/sbin/iptables -A INPUT -i eth0 -p tcp --destination-port 3306 -j ACCEPT

OR only allow remote connections from your web server located at 10.5.1.3:

/sbin/iptables -A INPUT -i eth0 -s 10.5.1.3 -p tcp --destination-port 3306 -j ACCEPT

OR only allow remote connections from your LAN subnet 192.168.1.0/24:

/sbin/iptables -A INPUT -i eth0 -s 192.168.1.0/24 -p tcp --destination-port 3306 -j ACCEPT

/sbin/iptables -A INPUT -i eth0 -s 192.168.1.198 -p tcp --destination-port 3306 -j ACCEPT

Did not do these.

sudo mysqladmin -u root -h localhost password 'mypassword'
sudo mysqladmin -u root -h myhostname password 'mypassword'
update db set Host='192.168.1.198' where Db='webdb';
update user set Host='192.168.1.198' where user='webadmin';

Un-install/Remove

sudo apt-get --purge remove mysql-server mysql-common mysql-client

Resources

  • See the MySQL Home Page for more information.

  • The MySQL Handbook is also available in the mysql-doc-5.0 package. To install the package enter the following in a terminal:

    sudo apt-get install mysql-doc-5.0

    The documentation is in HTML format; to view it enter file:///usr/share/doc/mysql-doc-5.0/refman-5.0-en.html-chapter/index.html in your browser's address bar.

  • For general SQL information see Using SQL Special Edition by Rafe Colburn.

Java setup

Java 7

sudo apt-get install openjdk-7-jre-headless

Usually this is already all we have to do. Try it by typing:

$ cd /usr/bin

$ ln -s j2sdk1.5-sun jdk

$ JAVA_HOME="/usr/bin/java"

$ export JAVA_HOME

$ which java

$ sudo java -version

Apache2 / SSL

How to create a self-signed SSL Certificate …

… which can be used for testing purposes or internal usage


Overview

The following is an extremely simplified view of how SSL is implemented and what part the certificate plays in the entire process.

Normal web traffic is sent unencrypted over the Internet. That is, anyone with access to the right tools can snoop all of that traffic. Obviously, this can lead to problems, especially where security and privacy is necessary, such as in credit card data and bank transactions. The Secure Socket Layer is used to encrypt the data stream between the web server and the web client (the browser).

SSL makes use of what is known as asymmetric cryptography, commonly referred to as public key cryptography (PKI). With public key cryptography, two keys are created, one public, one private. Anything encrypted with either key can only be decrypted with its corresponding key. Thus if a message or data stream were encrypted with the server's private key, it can be decrypted only using its corresponding public key, ensuring that the data only could have come from the server.

If SSL utilizes public key cryptography to encrypt the data stream traveling over the Internet, why is a certificate necessary? The technical answer to that question is that a certificate is not really necessary: the data is secure and cannot easily be decrypted by a third party. However, certificates do serve a crucial role in the communication process. The certificate, signed by a trusted Certificate Authority (CA), ensures that the certificate holder is really who he claims to be. Without a trusted signed certificate, your data may be encrypted, however, the party you are communicating with may not be whom you think. Without certificates, impersonation attacks would be much more common.

Login or su as root (sudo su)

mkdir /etc/apache2/ssl/

cd /etc/apache2/ssl/

Step 1: Generate a Private Key

The openssl toolkit is used to generate an RSA Private Key and CSR (Certificate Signing Request). It can also be used to generate self-signed certificates which can be used for testing purposes or internal usage.

The first step is to create your RSA Private Key. This key is a 1024 bit RSA key which is encrypted using Triple-DES and stored in a PEM format so that it is readable as ASCII text.

openssl genrsa -des3 -out self.signed.key 2048

Generating RSA private key, 1024 bit long modulus
…………………………………………………++++++
……..++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password – Enter PEM pass phrase:

Step 2: Generate a CSR (Certificate Signing Request)

Once the private key is generated a Certificate Signing Request can be generated. The CSR is then used in one of two ways. Ideally, the CSR will be sent to a Certificate Authority, such as Thawte or Verisign who will verify the identity of the requestor and issue a signed certificate. The second option is to self-sign the CSR, which will be demonstrated in the next section.

During the generation of the CSR, you will be prompted for several pieces of information. These are the X.509 attributes of the certificate. One of the prompts will be for "Common Name (e.g., YOUR name)". It is important that this field be filled in with the fully qualified domain name of the server to be protected by SSL. If the website to be protected will be https://public.akadia.com, then enter public.akadia.com at this prompt. The command to generate the CSR is as follows:

openssl req -new -key self.signed.key -out self.signed.csr

Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Ohio
Locality Name (eg, city) [Newbury]:Lewis Center
Organization Name (eg, company) [My Company Ltd]:QBytesWorld
Organizational Unit Name (eg, section) []:Information Technology
Common Name (eg, your name or your server's hostname) []:qbytesworld.com
Email Address []:qbytes.dq@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Step 3: Remove Passphrase from Key

One unfortunate side-effect of the pass-phrased private key is that Apache will ask for the pass-phrase each time the web server is started. Obviously this is not necessarily convenient as someone will not always be around to type in the pass-phrase, such as after a reboot or crash. mod_ssl includes the ability to use an external program in place of the built-in pass-phrase dialog, however, this is not necessarily the most secure option either. It is possible to remove the Triple-DES encryption from the key, thereby no longer needing to type in a pass-phrase. If the private key is no longer encrypted, it is critical that this file only be readable by the root user! If your system is ever compromised and a third party obtains your unencrypted private key, the corresponding certificate will need to be revoked. With that being said, use the following command to remove the pass-phrase from the key:

cp self.signed.key self.signed.key.org
openssl rsa -in self.signed.key.org -out self.signed.key

The newly created self.signed.key file no longer has a passphrase in it.

-rw-r--r-- 1 root root 1127 Feb 17 13:57 self.signed.csr
-rw-r--r-- 1 root root 1679 Feb 17 13:57 self.signed.key
-rw-r--r-- 1 root root 1751 Feb 17 13:57 self.signed.key.org

Step 4: Generating a Self-Signed Certificate

At this point you will need to generate a self-signed certificate because you either don't plan on having your certificate signed by a CA, or you wish to test your new SSL implementation while the CA is signing your certificate. This temporary certificate will generate an error in the client browser to the effect that the signing certificate authority is unknown and not trusted.

To generate a temporary certificate which is good for 365 days, issue the following command:

openssl x509 -req -days 3650 -in self.signed.csr -signkey self.signed.key -out self.signed.crt
Signature ok
subject=/C=CH/ST=Bern/L=Oberdiessbach/O=Akadia AG/OU=Information Technology/CN=public.akadia.com/Email=martin dot zahn at akadia dot ch
Getting Private key

Step 5: Lock it down
chmod 400 /etc/apache2/ssl/self.signed.crt
chmod 400 /etc/apache2/ssl/self.signed.csr
chmod 400 /etc/apache2/ssl/self.signed.key
chmod 400 /etc/apache2/ssl/self.signed.key.org
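Steps 1 to 5 above are interactive and, as the directory listing shows, the key is world-readable until the chmod at the end. The script below is an added example (not code from the original page) that does the same work non-interactively: it sets umask 077 so the key is never readable by others, supplies the CSR subject on the command line using the values from the prompts above, self-signs for the requested number of days, and then checks that the certificate really belongs to the key by comparing RSA moduli. It assumes the openssl command line tool; the output directory, common name and validity are arguments.

```sh
#!/bin/sh
# Added example (not from the page): non-interactive version of Steps 1-5,
# writing self.signed.key / .csr / .crt into a directory, plus a check that
# the certificate and private key match. Assumes the openssl CLI.

# $1 = output directory, $2 = common name (the FQDN), $3 = validity in days
make_selfsigned() {
    dir=$1; cn=$2; days=${3:-365}
    umask 077                          # key and CSR are created unreadable by others
    mkdir -p "$dir"
    # Step 1: 2048-bit RSA key, written without a passphrase (Step 3 removes it anyway)
    openssl genrsa -out "$dir/self.signed.key" 2048 2>/dev/null
    # Step 2: CSR with the X.509 subject given up front; values assumed from the prompts above
    openssl req -new -key "$dir/self.signed.key" -out "$dir/self.signed.csr" \
        -subj "/C=US/ST=Ohio/L=Lewis Center/O=QBytesWorld/OU=Information Technology/CN=$cn"
    # Step 4: self-sign the CSR with the same key
    openssl x509 -req -days "$days" -in "$dir/self.signed.csr" \
        -signkey "$dir/self.signed.key" -out "$dir/self.signed.crt" 2>/dev/null
    # Step 5: lock down everything we wrote
    chmod 400 "$dir"/self.signed.*
}

# Returns 0 when the public key in certificate $2 matches private key $1.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print the CN of certificate $1 (what the browser compares against the hostname).
cert_common_name() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# Usage: sh make-selfsigned.sh /etc/apache2/ssl qbytesworld.com 365
if [ -n "${1:-}" ]; then
    make_selfsigned "$1" "${2:-localhost}" "${3:-365}"
    if key_matches_cert "$1/self.signed.key" "$1/self.signed.crt"; then
        echo "certificate for $(cert_common_name "$1/self.signed.crt") matches $1/self.signed.key"
    else
        echo "key/certificate mismatch in $1" >&2
        exit 1
    fi
fi
```

The modulus comparison is the check to run after any manual edit of the Apache SSLCertificateFile and SSLCertificateKeyFile lines: Apache refuses to start when they do not belong together, and this tells you before the restart rather than after.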

Step 5: Installing the Private Key and Certificate

When Apache with mod_ssl is installed, it creates several directories in the Apache config directory. The location of this directory will differ depending on how Apache was compiled.

cp server.crt /usr/local/apache/conf/ssl.crt
cp server.key /usr/local/apache/conf/ssl.key

Step 6: Configuring SSL Enabled Virtual Hosts

<VirtualHost *:443>
    ServerName www.sample.com
    ServerAlias sample.com
    ServerAdmin webmaster@sample.com
    JkMount /* ajp13_worker
    CustomLog /srv/www-logs/sample.ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    ErrorLog /srv/www-logs/sample.com.ssl.error.log
    # JkMount /status/* stat1
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/self.signed.crt
    SSLCertificateKeyFile /etc/apache2/ssl/self.signed.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>

Step 7: Enable ssl module to run:

a2enmod ssl

Verify that we are listening on port 443; /etc/apache2/ports.conf should contain:

Listen 443

Edit /etc/apache2/sites-available/ssl (or whatever you called your new SSL site's config), change port 80 in the site name to 443, and change the virtual host setting accordingly. Add the lines "SSLEngine On" and "SSLCertificateFile /etc/apache2/ssl/apache.pem" (pointing at whichever certificate file you installed). The configuration file should then contain the directives shown in the virtual host block in Step 6.

Step 8: Restart Apache and Test

/etc/init.d/apache2 stop
/etc/init.d/apache2 start

or, equivalently:

sudo service apache2 restart

Then test in a browser:

https://public.akadia.com/

More information:

May need more data from http://wiki.debian.org/SubversionApache2SSLHowto

TODO: Check this document and the comment that says that we're not generating the certificate we need.

Format and Mount Disk

info via: https://help.ubuntu.com/community/InstallingANewHardDrive

Get the logical name:

  • $ sudo lshw -C disk

*-disk
description: ATA Disk
product: WDC WD1600JB-00D
vendor: Western Digital
physical id: 0.0.0
bus info: scsi@0:0.0.0
logical name: /dev/sda
version: 75.1
serial: WD-WMACK2068123
size: 149GiB (160GB)
capabilities: partitioned partitioned:dos
configuration: ansiversion=5 signature=00031122
*-cdrom
description: DVD writer
product: DVD_RW ND-3550A
vendor: _NEC
physical id: 0.1.0
bus info: scsi@0:0.1.0
logical name: /dev/cdrom
logical name: /dev/cdrw
logical name: /dev/dvd
logical name: /dev/dvdrw
logical name: /dev/scd0
logical name: /dev/sr0
version: 1.05
serial: [
capabilities: removable audio cd-r cd-rw dvd dvd-r
configuration: ansiversion=5 status=ready
*-medium
physical id: 0
logical name: /dev/cdrom
*-disk
description: ATA Disk
product: WDC WD15EARS-00M
vendor: Western Digital
physical id: 0.0.0
bus info: scsi@2:0.0.0
logical name: /dev/sdb
version: 51.0
serial: WD-WMAZA3997903
size: 1397GiB (1500GB)
capabilities: partitioned partitioned:dos
configuration: ansiversion=5 signature=474f0d94

Partition a disk smaller than 2TB:

  • $ sudo fdisk /dev/sdb

n = new partition (you may need to delete an existing one first)
p = primary partition (when asked for the partition type)
w = write the changes and exit

Partition a disk larger than 2TB:

sudo parted /dev/sdX      # substitute your drive
> mklabel gpt             # new GPT partition table, needed for disks over 2TB
> mkpart pri 1 -1         # new primary partition from start to end
                          # (GPT has only primary partitions)
> quit

Format disk:

  • $ sudo mkfs -t ext4 /dev/sdx1

Regain some space by lowering the reserved-blocks percentage from the default 5% to 1%:

  • $ sudo tune2fs -m 1 /dev/sdx1

Get the UUID of the disk:

  • $ sudo blkid

/dev/sda1: UUID="a491df4c-8870-4f68-bb12-fb3411c14141" TYPE="ext4"
/dev/sda5: UUID="8b9ce164-3b75-48c0-a115-c73522eea519" TYPE="swap"
/dev/sdb1: UUID="1be03f9f-b068-41a2-994f-ff790307ff2c" SEC_TYPE="ext2" TYPE="ext3"

Play it safe, make a backup:

cp /etc/fstab ~

Auto Mount disk:

  • $ sudo pico /etc/fstab

UUID=1be03f9f-b068-41a2-994f-ff790307ff2c /mnt/local/sdx1 ext4 defaults,errors=remount-ro 0 1

  • $ sudo mkdir -p /mnt/local/sdx1
Prevent writes to the mount point while the disk is not mounted:
  • $ sudo chmod 000 /mnt/local/sdx1
Mount the disk and list what is mounted:
  • $ sudo mount -a
  • $ sudo mount -l

Auto Mount Network disk:

  • $ sudo pico /etc/fstab

# Network share
//192.168.1.20/d /media/qbw-srv smbfs username=%user%,password=%password%,umask=000 0 0

  • $ sudo mkdir /media/qbw-srv
  • $ sudo mount -a

Temp Mount Network disk:

  • $ sudo mount -t smbfs -o username=<username> //<win-box>/<share> /mnt/<name-of-mountpoint>
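
An added example (not from the original page) covering both the local-disk and the network-share fstab entries above: it builds the UUID entry from a blkid line, keeps the share password out of the world-readable /etc/fstab by using a root-only credentials file, and flags entries that still carry an inline password. It assumes GNU sed and stat, the cifs mount helper (mount.cifs, which replaced the old smbfs), and placeholder user and password values.

```shell
#!/bin/sh
# Added example, not from the original page: build the two kinds of fstab
# entry shown above and check an fstab for the weak form. Assumes GNU sed and
# stat, and the cifs mount helper (mount.cifs), which replaced the old smbfs.
set -eu

# One line of `blkid` output -> UUID-based fstab entry, so the entry survives
# the device being renamed (/dev/sdb1 vs /dev/sdc1) after a reboot. Non-root
# filesystems get fsck pass 2.
local_fstab_line() {          # $1 = blkid line, $2 = mount point
    uuid=$(printf '%s\n' "$1" | sed -n 's/.*UUID="\([^"]*\)".*/\1/p')
    fstype=$(printf '%s\n' "$1" | sed -n 's/.* TYPE="\([^"]*\)".*/\1/p')
    [ -n "$uuid" ] && [ -n "$fstype" ] || return 1
    printf 'UUID=%s %s %s defaults,errors=remount-ro 0 2\n' "$uuid" "$2" "$fstype"
}

# Network share: /etc/fstab is world-readable, so an inline password= option
# is visible to every local user. Keep it in a root-only credentials file and
# reference that file instead. The password is a function argument only so
# that the example runs offline; in practice read it interactively.
write_smb_credentials() {     # $1 = file, $2 = user, $3 = password
    (umask 077 && printf 'username=%s\npassword=%s\n' "$2" "$3" > "$1")
}
smb_fstab_line() {            # $1 = //server/share, $2 = mount point, $3 = cred file
    printf '%s %s cifs credentials=%s,uid=1000,gid=1000,file_mode=0660,dir_mode=0770 0 0\n' \
        "$1" "$2" "$3"
}

# Report non-comment fstab entries that still carry an inline password.
fstab_inline_passwords() {    # $1 = fstab file; prints the offending lines
    grep -En '^[^#].*[ ,]password=' "$1" || true
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
# Constructed inputs: the blkid line and smbfs entry from the page, and a
# placeholder user/password for the credentials file.
blk='/dev/sdb1: UUID="1be03f9f-b068-41a2-994f-ff790307ff2c" SEC_TYPE="ext2" TYPE="ext3"'
printf '%s\n' '# Network share' \
    '//192.168.1.20/d /media/qbw-srv smbfs username=%user%,password=%password%,umask=000 0 0' \
    > "$demo/fstab.weak"
write_smb_credentials "$demo/smbcredentials" alice 'placeholder-password'
{ local_fstab_line "$blk" /mnt/local/sdx1
  smb_fstab_line //192.168.1.20/d /media/qbw-srv "$demo/smbcredentials"; } > "$demo/fstab.fixed"
```

Run `sudo mount -a` after editing fstab so that a bad entry shows up now rather than at the next boot.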

Format the disk as NTFS (not such a good idea: NTFS does not support user:group ownership):

sudo apt-get install ntfsprogs

sudo mkntfs /dev/sdx1 -f -L Tera -v

Artifactory setup

  • $ sudo mkdir /media/shares/artifactory
  • $ sudo chown tomcat6:tomcat6 /media/shares/artifactory
  • $ sudo pico /etc/default/tomcat6
    • Add -Dartifactory.home=/media/shares/artifactory to JAVA_OPTS; add the other options shown if they are not already present:
      JAVA_OPTS="-Djava.awt.headless=true -XX:+UseConcMarkSweepGC -DHUDSON_HOME=/media/shares/hudson -Dartifactory.home=/media/shares/artifactory -server -Xms1g -Xmx1g -Xss256k -XX:PermSize=128m -XX:MaxPermSize=128m -XX:NewSize=384m -XX:MaxNewSize=384m"
  • $ sudo /etc/init.d/tomcat6 restart

Download Artifactory latest from: http://sourceforge.net/projects/artifactory/files/artifactory/

Unzip

Upload WAR file to: http://ubuntu-server:8080/manager/html

Validate http://servername:8080/artifactory

Hudson setup

  • $ sudo mkdir /media/shares/hudson
  • $ sudo chown tomcat6:tomcat6 /media/shares/hudson
  • $ sudo pico /etc/default/tomcat6
    • Add -DHUDSON_HOME=/media/shares/hudson to JAVA_OPTS; add the other options shown if they are not already present:
      JAVA_OPTS="-Djava.awt.headless=true -XX:+UseConcMarkSweepGC -DHUDSON_HOME=/media/shares/hudson -Dartifactory.home=/media/shares/artifactory -server -Xms1g -Xmx1g -Xss256k -XX:PermSize=128m -XX:MaxPermSize=128m -XX:NewSize=384m -XX:MaxNewSize=384m"
  • $ sudo /etc/init.d/tomcat6 restart
  • $ cd /var/lib/tomcat6/webapps
  • $ sudo wget http://hudson-ci.org/downloads/war/2.0.1/hudson.war

Validate http://servername:8080/hudson
