First we will create and open to the directory /etc/pki/tls/keystore. The keytool command that creates the keystore, we need to supply the following:

• keystore file name: demo.colabrativ.com.jks
• key algorythm (keyalg): RSA
• alias: demo
• keysize: 2048 As of January 1, 2014 2048-bit or longer keys will be required by Certification Authority/Browser Forum.

In addition, we need to supply information on the website URL, when the keytool asks for “What is your first and last name?” The key and keystore passwords are optional. This information and information on our institution have been highlighted in green in the example below.

$ sudo mkdir /etc/pki/tls/keystore
$ cd /etc/pki/tls/keystore
$ sudo keytool -genkey -alias demo -keyalg RSA -keystore demo.colabrativ.com.jks -keysize 2048
Enter keystore password: password
Re-enter new password: password
What is your first and last name?
  [Unknown]:  demo.colabrativ.com
What is the name of your organizational unit?
  [Unknown]:  
What is the name of your organization?
  [Unknown]:  Colabrativ, Inc.
What is the name of your City or Locality?
  [Unknown]:  Orinda
What is the name of your State or Province?
  [Unknown]:  California
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=demo.colabrativ.com, OU=Developmemt, O=Colabrativ, Inc., L=Orinda, ST=California, C=US correct?
  [no]:  yes

Enter key password for 
        (RETURN if same as keystore password):

$ ls -lt
total 4
-rw-r--r-- 1 marc users 2246 Aug 30 08:53 demo.colabrativ.com.jks

We need to supply the following:

• alias: demo
• keystore file name: demo.colabrativ.com.jks
• CSR file name: demo.colabrativ.com.csr

$ keytool -certreq -alias demo -keystore demo.colabrativ.com.jks -file demo.colabrativ.com.csr
Enter keystore password: password

$ ls -lt
total 8
-rw-r--r-- 1 marc users 1039 Aug 30 08:55 demo.colabrativ.com.csr
-rw-r--r-- 1 marc users 2246 Aug 30 08:53 demo.colabrativ.com.jks

Symantec Corporation provides a set of SSL tools at https://ssl-tools.verisign.com/#certChecker?sl=DENJS-0000-04-00, including a CSR Validation. After pasting your CSR into the window provided and running the validator, then following information on your CCR is shown:

Common Name	demo.colabrativ.com
Organization	Colabrativ, Inc.
Organizational Unit	Unknown
Locality	Orinda
State	California
Country	US
Signature	Verified
Signature Algorithm	SHA1
Key Algorithm	RSA
Key Length	2048

The signing request (demo.colabrativ.com.csr) can now be sent to the certificate authority.

After receiving the certificates from the certificate authority, they need to be loaded in the keystore before exporting the key. You need both the certificate for your URL and the intermediate certificate from the certificate authority. This example uses the following certificates and keystore:

• intermediate certificate file name: intermediate.crt
• certificate file name: demo.colabrativ.com.crt
• keystore file name: demo.colabrativ.com.jks

First the certificate authorities intermediate certificate is loaded using the alias root.

$ keytool -import -trustcacerts -alias root -file intermediate.crt -keystore demo.colabrativ.com.jks
Enter keystore password: password
Certificate was added to keystore

Then our certificate, demo.colabrativ.com.crt is loaded in the keystore using the alias demo.

$ keytool -import -trustcacerts -alias demo -file demo.colabrativ.com.crt -keystore demo.colabrativ.com.jks
Enter keystore password: password
Certificate was added to keystore

There are three steps in extracting the key from the keystore we created above:

1. Use keytool to create an intermediate PKCS12 keystore, demo.colabrativ.com.pkcs12, from the keystore, demo.colabrativ.com.jks.
2. Use OpenSSL to create a Privacy-enhanced Electronic Mail (PEM) formatted file containing both the certificate and the key, demo.colabrativ.com.pem.
3. Extract the key, demo.colabrativ.com.key, from the PEM file using a text editor.

$ sudo keytool -importkeystore -srckeystore demo.colabrativ.com.jks -destkeystore demo.colabrativ.com.pkcs12 -deststoretype PKCS12
Enter destination keystore password: password
Re-enter new password: password
Enter source keystore password: password
Entry for alias tomcat successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

$ sudo openssl pkcs12 -in demo.colabrativ.com.pkcs12 -out demo.colabrativ.com.pem -nodes
Enter Import Password: password
MAC verified OK

$ sudo cp demo.colabrativ.com.pem demo.colabrativ.com.key
$ sudo vi demo.colabrativ.com.key

$ ls -lt
total 20
-rw-r--r-- 1 marc users 1224 Aug 30 13:57 demo.colabrativ.com.key
-rw-r--r-- 1 marc users  509 Aug 30 13:53 demo.colabrativ.com.pem
-rw-r--r-- 1 marc users  509 Aug 30 13:50 demo.colabrativ.com.pkcs12
-rw-r--r-- 1 marc users 2246 Aug 30 13:48 demo.colabrativ.com.jks
-rw-r--r-- 1 marc users 1039 Aug 30 13:46 demo.colabrativ.com.crt
-rw-r--r-- 1 marc users 1039 Aug 30 13:45 intermediate.crt
-rw-r--r-- 1 marc users 1039 Aug 30 08:55 demo.colabrativ.com.csr

After the certificate and key have been prepared, they are moved the /etc/pki/tls/certs/, and /etc/pki/tls/private/ directories, respectively.

$ sudo mv intermediate.crt /etc/pki/tls/certs/.
$ sudo mv demo.colabrativ.com.crt /etc/pki/tls/certs/.
$ sudo mv demo.colabrativ.com.key /etc/pki/tls/private/.

Shown below are the differences between the original ssl.conf file and the edited version. It is a bit hard to tell where these changes were made from the file differences, so a copy of a demonstration ssl.conf file can be downloaded at the bottom of the section.

$ cd /etc/httpd/conf.d
$ sudo cp –p ssl.conf ssl.conf.orig
$ sudo vi ssl.conf
$ sudo diff ssl.conf.orig ssl.conf
19a20,21
> NameVirtualHost *:443
>
74c76,77
> <VirtualHost _default_:443>
---
> #<VirtualHost _default_:443>
> <VirtualHost *:443>
78a82
> ServerName demo.colabrativ.com:443
85a90,100
> #
> # Proxy Server directives. Uncomment the following lines to
> # enable the proxy server:
> #
> ProxyRequests Off
> ProxyPass        /admin   https://demo.colabrativ.com:8443/admin
> ProxyPass        /demoapp https://demo.colabrativ.com:8443/demoapp
>
> SSLProxyEngine on
>
105c120,121
< SSLCertificateFile /etc/pki/tls/certs/localhost.crt
---
> #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
> SSLCertificateFile /etc/pki/tls/certs/demo.colabrativ.com.crt
112c128,129
< SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
---
> #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
> SSLCertificateKeyFile /etc/pki/tls/private/demo.colabrativ.com.key
143c143
< #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
---
> SSLCACertificateFile /etc/pki/tls/certs/intermediate.crt

Download: demo_ssl.conf

We configure Tomcat to support applications and services under the secure https protocol on port 8443. We do this by editing the server.xml file in /etc/tomcat7. We need to supply the keystore password in the 8443 Connector we enable. I have saved the original server.xml, and only show the difference between the two files below.

$ cd /etc/tomcat7
$ sudo cp -p server.xml server.xml.orig
$ sudo vi server.xml
$ sudo diff server.xml.orig server.xml
84,88c84,92
<     <!--
<     <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
<                maxThreads="150" scheme="https" secure="true"
<                clientAuth="false" sslProtocol="TLS" /&gt
<     -->
---
>
>     <Connector port="8443"
>                protocol="HTTP/1.1"
>                SSLEnabled="true"
>                maxThreads="150"
>                scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS"
>                keystoreFile="/etc/pki/tls/keystore/demo.colabrativ.com.jks"
>                keystorePass="password" />

First we will create and open to the directory /etc/pki/tls/keystore. The keytool command that creates the keystore, we need to supply the following:

• keystore file name: demo.colabrativ.keystore
• alias: tomcat
• keypass: password
• storepass: password

In addition, we need to supply information on the website URL, when the keytool asks for “What is your first and last name?” and our institution information. This information has been highlighted in green below in the example below.

$ sudo mkdir /etc/pki/tls/keystore
$ cd /etc/pki/tls/keystore
$ sudo keytool -genkey -alias tomcat -keypass password -keystore demo.colabrativ.keystore -storepass password
What is your first and last name?
  [Unknown]:  demo.colabrativ.com
What is the name of your organizational unit?
  [Unknown]:  Developmemt
What is the name of your organization?
  [Unknown]:  Colabrativ, Inc.
What is the name of your City or Locality?
  [Unknown]:  El Sobrante
What is the name of your State or Province?
  [Unknown]:  California
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=demo.colabrativ.com, OU=Developmemt, O=Colabrativ, Inc., L=El Sobrante, ST=California, C=US correct?
  [no]:  y

A useful command to check to keystore before preceeding is:

$ sudo keytool -list -keystore demo.colabrativ.keystore
Enter keystore password: password

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, Aug 27, 2012, PrivateKeyEntry,
Certificate fingerprint (MD5): 1A:2D:B5:C1:E9:1E:5C:A2:79:D3:8A:9B:A1:CE:14:72

We configure Tomcat to support applications and services under the secure https protocol on port 8443. We do this by editing the server.xml file in /etc/tomcat7. We need to supply the keystore password in the 8443 Connector we enable. I have saved the original server.xml, and only show the difference between the two files below.

$ cd /etc/tomcat7
$ sudo cp -p server.xml server.xml.orig
$ sudo vi server.xml
$ sudo diff server.xml.orig server.xml
84,88c84,92
<     <!--
<     <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
<                maxThreads="150" scheme="https" secure="true"
<                clientAuth="false" sslProtocol="TLS" /&gt
<     -->
---
>
>     <Connector port="8443"
>                protocol="HTTP/1.1"
>                SSLEnabled="true"
>                maxThreads="150"
>                scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS"
>                keystoreFile="/etc/pki/tls/keystore/demo.colabrativ.keystore"
>                keystorePass="password" />

There are three steps in extracting the certificate and key from the keystore we created above:

1. Use keytool to create an intermediate PKCS12 keystore.
2. Use OpenSSL to create a Privacy-enhanced Electronic Mail (PEM) formatted file containing the certificate and the key.
3. Extract the certificate and key from the PEM file using a text editor.

After the certificate and key have been prepared, they are moved the /etc/pki/tls/certs/, and /etc/pki/tls/private/ directories, respectively.

The ASCII demo.colabrativ.pem file created during the preparation of this tutorial can be download at the bottom of this section.

$ sudo keytool -importkeystore -srckeystore demo.colabrativ.keystore -destkeystore demo.colabrativ.intermediate -deststoretype PKCS12
Enter destination keystore password: password
Re-enter new password: password
Enter source keystore password: password
Entry for alias tomcat successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

$ sudo openssl pkcs12 -in demo.colabrativ.intermediate -out demo..colabrativ.pem -nodes
Enter Import Password: password
MAC verified OK

$ sudo cp demo.colabrativ.pem demo.colabrativ.key
$ sudo cp demo.colabrativ.pem demo.colabrativ.crt
$ sudo vi demo.colabrativ.key
$ sudo vi demo.colabrativ.crt

$ ls -lt
total 20
-rw-r--r-- 1 root root 1224 Aug 27 10:11 demo.colabrativ.crt
-rw-r--r-- 1 root root  509 Aug 27 10:11 demo.colabrativ.key
-rw-r--r-- 1 root root 2294 Aug 27 10:02 demo.colabrativ.pem
-rw-r--r-- 1 root root 1852 Aug 27 10:00 demo.colabrativ.intermediate
-rw-r--r-- 1 root root 1333 Aug 27 09:37 demo.colabrativ.keystore

$ sudo mv demo.colabrativ.crt /etc/pki/tls/certs/.
$ sudo mv demo.colabrativ.key /etc/pki/tls/private/.

Download: demo.colabrativ.pem

We will place all the SSL information for this server in the ssl.conf file in the /etc/httpd/conf.d directory. Shown below are the differences between the original ssl.conf file and the edited version. It is a bit hard to tell where these changes were made from the file differences, so a copy of a demonstration ssl.conf file can be downloaded at the bottom of the section.

$ cd /etc/httpd/conf.d
$ sudo cp –p ssl.conf ssl.conf.orig
$ sudo vi ssl.conf
$ sudo diff ssl.conf.orig ssl.conf
19a20,21
> NameVirtualHost *:443
>
74c76,77
> <VirtualHost _default_:443>
---
> #<VirtualHost _default_:443>
> <VirtualHost *:443>
78a82
> ServerName demo.colabrativ.com:443
85a90,100
> #
> # Proxy Server directives. Uncomment the following lines to
> # enable the proxy server:
> #
> ProxyRequests Off
> ProxyPass        /admin   https://demo.colabrativ.com:8443/admin
> ProxyPass        /demoapp https://demo.colabrativ.com:8443/demoapp
>
> SSLProxyEngine on
>
105c120,121
< SSLCertificateFile /etc/pki/tls/certs/localhost.crt
---
> #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
> SSLCertificateFile /etc/pki/tls/certs/demo.colabrativ.crt
112c128,129
< SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
---
> #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
> SSLCertificateKeyFile /etc/pki/tls/private/demo.colabrativ.key

Download: ssl.conf

Updating the EC2 Server using Amazon’s Yum repository

The update of the EC2 server from Amazon’s Yum repository takes only a single command “sudo yum update”. It produces a large output. During the update you will be asked two yes-no question. You should answer “yes” to both of these questions. Below I have edited the session to only include the yum command and text around the two questions.

> sudo yum update
...
===============================================================================
Install       1 Package(s)
Upgrade      47 Package(s)

Total download size: 113 M
Is this ok [y/N]: Y
...
Importing GPG key 0x21C0F39F "Amazon Linux AMI (Beta)
" from /etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-beta
Is this ok [y/N]: Y

Mounting Elastic Block Storage Volume (optional)

In order to format the elastic block storage (EBS) volume, we need to install XFS filesystem utilities (xfsprogs) from the Amazon Yum repository.

The /proc/partitions file contains a list of the volumes associated with the EC2 instance. The /dev/xvda1 device is the system volume. The other volume is the unformatted EBS volume we associated with the EC2 instance. The EBS volume has two related device names; the system refers to the device as dev/xvd[f-p], but mkds.xfs takes /dev/sd[f-p]. In the case below, the device names are /dev/xsdf and /dev/sdf, respectively.

1. Format the EBS volume using mkfs.xfs and the device name (/dev/sdf)
2. Create a mount point for the volume (/ebs1).
3. Add the mount point to the /etc/fstab file.
4. Mount the volume.

> sudo yum install xfsprogs
Is this ok [y/N]: y

> more /proc/partitions
major  minor  #blocks  name
 202        1    8388608 xvda1
 202       80   10485760 xvdf

> sudo mkfs.xfs /dev/sdf
meta-data=/dev/sdf               isize=256    agcount=4, agsize=65536 blks
         =                       sectsz=512   attr=2
data     =                       bsize=4096   blocks=2621440, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0
log      =internal log           bsize=4096   blocks=2560, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0sudo vi /etc/fstab

> sudo mkdir /ebs1

> sudo cp -p /etc/fstab /etc/fstab.orig
> sudo vi /etc/fstab
> more /etc/fstab
#
LABEL=/     /           ext4    defaults,noatime  1   1
tmpfs       /dev/shm    tmpfs   defaults        0   0
devpts      /dev/pts    devpts  gid=5,mode=620  0   0
sysfs       /sys        sysfs   defaults        0   0
proc        /proc       proc    defaults        0   0
/dev/xvdf   /ebs1       xfs     noatime         0   0

> sudo mount /ebs1

After mounting the EBS volume on /ebs1, we create and link both the iExperiment and MySQL directories. We add the mounts to the /etc/fstab file, then mount the directories.

> sudo mkdir /ebs1/etc
> sudo mkdir /ebs1/etc/mysql
> sudo mkdir /ebs1/lib
> sudo mkdir /ebs1/lib/mysql
> sudo mkdir /ebs1/log
> sudo mkdir /ebs1/log/mysql
> sudo mkdir /ebs1/log/iexperiment
> sudo mkdir /ebs1/local/iexperiment

> sudo mkdir /etc/mysql
> sudo mkdir /var/lib/mysql
> sudo mkdir /var/log/mysql
> sudo mkdir /var/log/iexperiment
> sudo mkdir /var/local/iexperiment

> sudo vi /etc/fstab
> more /etc/fstab
#
LABEL=/     /           ext4    defaults,noatime  1   1
tmpfs       /dev/shm    tmpfs   defaults        0   0
devpts      /dev/pts    devpts  gid=5,mode=620  0   0
sysfs       /sys        sysfs   defaults        0   0
proc        /proc       proc    defaults        0   0
/dev/xvdf   /ebs1       xfs     noatime         0   0
/ebs1/etc/mysql          /etc/mysql              none    bind
/ebs1/lib/mysql          /var/lib/mysql          none    bind
/ebs1/log/mysql          /var/log/mysql          none    bind
/ebs1/log/iexperiment    /var/log/iexperiment    none    bind
/ebs1/local/iexperiment  /var/local/iexperiment  none    bind

> sudo mount /etc/mysql
> sudo mount /var/lib/mysql
> sudo mount /var/log/mysql
> sudo mount /var/log/iexperiment
> sudo mount /var/local/iexperiment

If MySQL has already been installed and setup, then instead of making the /mysql directories, we would move (mv) the existing MySQL directories to the EBS volume. We continue from the snippet above remaking mysql directories that are used as mount bind points.

> sudo mkdir /ebs1/etc
> sudo mkdir /ebs1/lib
> sudo mkdir /ebs1/log
> sudo mv /etc/mysql     /vol/etc/
> sudo mv /var/lib/mysql /vol/lib/
> sudo mv /var/log/mysql /vol/log/

> sudo mkdir /etc/mysql
...

Installing MySQL

MySQL and MySQL Server (mysqld) are available from the Amazon Yum repository. Like update snippets above, the snippet below has been edited to show only what is necessary.

> sudo yum install mysql
Is this ok [y/N]: y

> sudo yum install mysql-server
Is this ok [y/N]: y

After installing MySQL and MySQL Server, we start the MySQL service.

> sudo service mysqld start
Initializing MySQL database:  Installing MySQL system tables...
OK
Filling help tables...
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:

/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h ip-10-176-31-62 password 'new-password'

Alternatively you can run:
/usr/bin/mysql_secure_installation

which will also give you the option of removing the test
databases and anonymous user created by default.  This is
strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl
cd /usr/mysql-test ; perl mysql-test-run.pl

Please report any problems with the /usr/bin/mysqlbug script!

[  OK  ]
Starting mysqld:                                           [  OK  ]

Finally the mysql_secure_installation script is run.

> /usr/bin/mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MySQL to secure it, we'll need the current
password for the root user.  If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.

Set root password? [Y/n] Y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!

By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] Y
... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] Y
... Success!

By default, MySQL comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] Y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] Y
... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!
    

Set Up the iExperiment Database

1. Log in as root to the MySQl database. We recommend that you not put the root password in the mysql command, so that it does not end up in .bash_history.
2. Create a user ‘iexperiment‘@‘localhost‘.
3. Grant the iexperiment user appropriate privileges.

> mysql -h localhost -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 5.1.52 Source distribution

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create user 'iexperiment'@'localhost' identified by 'iexperimentpassword';
Query OK, 0 rows affected (0.00 sec)

mysql> grant usage on *.* to 'iexperiment'@'localhost';
Query OK, 0 rows affected (0.00 sec)

mysql> grant all privileges on *.* to 'iexperiment'@'localhost';
Query OK, 0 rows affected (0.00 sec)

mysql> exit
Bye
    

4. Create the /var/log/iexperiment, /var/local/iexperiment and /var/local/iexperiment/ddl directories.
5. Upload the iExperiment SQL files to the /var/local/iexperiment/ddl directory using an FTP application that supports SSL, such at FileZilla.

> sudo mkdir /var/log/iexperiment
> sudo mkdir /var/local/iexperiment
> sudo mkdir /var/local/iexperiment/ddl
    

6. Log in to MySQL as iexperiment.
7. Create a database named iexperiment.
8. Load the database by sourcing the initial_setup.sql file.

> pushd /var/local/iexperiment/ddl
/var/local/iexperiment/ddl ~
> ls -lt
total 136
-rw-rw-r-- 1 root root   917 Jul 17 21:22 initial_setup.sql
-rw-rw-r-- 1 root root  3465 Jul 17 21:08 insert_permissions_START-UP.sql
-rw-rw-r-- 1 root root   944 Jul 17 21:08 insert_admin_START-UP.sql
-rw-rw-r-- 1 root root 22612 Jul 14 17:33 create_tables.sql
-rw-rw-r-- 1 root root 73893 Jul 14 17:09 insert_record_categories.sql
-rw-rw-r-- 1 root root 18355 Jul 14 17:09 create_constraints.sql
-rw-rw-r-- 1 root root   932 Jul 14 17:08 insert_admin.sql

> mysql -h localhost -u iexperiment -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 12
Server version: 5.1.52 Source distribution

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show grants;
+-----------------------------------------------------------------------------------------------------------------------------+
| Grants for iexperiment@localhost                                                                                            |
+-----------------------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'iexperiment'@'localhost' IDENTIFIED BY PASSWORD '*BAA33824FACE624B5B0AAC8A604733A5648A7A6B' |
+-----------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

mysql> create database iexperiment;
Query OK, 1 row affected (0.00 sec)

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| iexperiment        |
| mysql              |
+--------------------+
3 rows in set (0.00 sec)

mysql> use iexperiment;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> source initial_setup.sql;

Query OK, 1 row affected (0.00 sec)
.
.
.
Query OK, 1 row affected (0.00 sec)

mysql> show tables;
+------------------------+
| Tables_in_iexperiment  |
+------------------------+
| admin_group_member     |
| ...
| version                |
+------------------------+
55 rows in set (0.00 sec)

mysql> select * from version;
+-------------+----------------------------------+
| version_num | comment                          |
+-------------+----------------------------------+
|           6 | May 25, 2010 - Switch to Records |
+-------------+----------------------------------+
1 row in set (0.00 sec)

mysql> exit
Bye
  

Create SSL Certificate

iExperiment runs under the secure HTTPS protocol; thus, we need a Secure Sockets Layer (SSL) certificate. If you already have a wildcard certificate for your domain, then you can skip this step.

Note, that if you use a self-signing certificate, then your iExperiment users will be notified of this. In FireFox they will see a “This Connection is Untrusted” page, in which they will need to open the “I understand the Risks” link and click on the “Add Exception…” button.

1. Make a directory for the SSL certificate.
2. Generate the self-signing SSL certificate. In the snippet below, the certificate’s file name, temp.iexperiment.bin, reflects the URL we are using.

> sudo mkdir /usr/etc/cert
> cd /usr/etc/cert

> sudo keytool -genkey -alias tomcat -keypass sslcert1 -keystore temp.iexperiment.bin -storepass sslcert1
What is your first and last name?
[Unknown]:  Marc Whitlow
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:  Colabrativ, Inc.
What is the name of your City or Locality?
[Unknown]:  El Sobrante
What is the name of your State or Province?
[Unknown]:  California
What is the two-letter country code for this unit?
[Unknown]:  US
Is CN=Marc Whitlow, OU=Unknown, O="Colabrativ, Inc.", L=El Sobrante, ST=California, C=US correct?
[no]:  y

> ls -l
total 4
-rw-r--r-- 1 root root 1292 Jul 18 02:30 temp.iexperiment.bin
    

Write down the certificate “keypass” as you will need it to set up Tomcat.

Setup Apache & Tomcat

1. Install Apache Hypertext Transfer Protocol Server (httpd), Apache Tomcat 6 (tomcat6), Tomcat’s web application service (tomcat6-webapps) and Apache Interface to OpenSSL (mod_ssl) from Amazon’s Yum repository.
2. Start the Apache (httpd) and Tomcat (tomcat6) services.

> sudo yum install httpd
Is this ok [y/N]: y

> sudo yum install tomcat6
Is this ok [y/N]: y

> sudo yum install tomcat6-webapps
Is this ok [y/N]: y

> sudo yum install mod_ssl
Is this ok [y/N]: y

> sudo service httpd start
Starting httpd:                                            [  OK  ]
> sudo service tomcat6 start
Starting tomcat6:                                          [  OK  ]
    

Now we can check to see if the “Amazon Linux AMI Test Page” loads in a Browser using:

• EC2 Instance’s public URL that is found in the EC2 Instance information on the AWS Management Console, e.g. http://ec2-204-236-137-138.us-west-1.compute.amazonaws.com
• The URL that was assigned to the Elastic IP address associated with the EC2 Instance in the Domain Name Server (DNS), e.g. http://temp.iexperiment.net/

Next, we will configure Tomcat to support applications and services under the secure https protocol on port 8443. We do this by editing the server.xml file in /etc/tomcat.

> cd /etc/tomcat6
> sudo cp -p server.xml server.xml.orig
> sudo vi server.xml
> diff server.xml.orig server.xml
83,88c83,92
<     
<
---
>
>                     protocol="HTTP/1.1"
>                SSLEnabled="true"
>                maxThreads="150"
>                scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS"
>                keystoreFile="/usr/etc/cert/temp.iexperiment.bin"
>                keystorePass="sslcert1" />

> sudo service tomcat6 restart
Stopping tomcat6:                                          [  OK  ]
Starting tomcat6:                                          [  OK  ]
    

We should now beable to see the sample web applications supplied with the tomcat6-webapps Yum distribution found in /var/lib/tomcat6/webapps/sample, using the following URLs:

• “EC2 Public URL”:8080/sample e.g. http://ec2-204-236-137-138.us-west-1.compute.amazonaws.com:8080/sample
• http://”iExperiment Domain”:8080/sample, e.g. http://temp.iexperiment.net:8080/sample
• https://”iExperiment Domain”:8443/sample, e.g. https://temp.iexperiment.net:8443/sample

Adding index.html

Upload the iExperiment index.html page and any images associated with the page to the /var/www/html directory. You can either overwrite the existing index.html page or rename it.

iExperiment Applications Installation

iExperiment has three applications: Admin, Record and ResetPassword.

1. Upload the iExperiment applications .war files (admin.war, record.war and resetPassword.war) to the /var/lib/tomcat6/webapps/ directory in the EC2 server.
2. Stop the Tomcat service.
3. Create directories for the attachments and the Lucene search engine index.
4. For each of the iExperiment applications.
   1. Create a directory for the application in /var/lib/tomcat6/webapps/
   2. Change the group to tomcat.

   li>Unzip the contents of the war file into the newly created directory.

   3. Upload and replace the “application”.html file with deployment specific version.
   4. Add deployment specific images to the images directory.
   5. Upload and replace existing iexperiment.properties, dbpool.properties and log4j.properties with files specific for this deployment.
5. Start the Tomcat service.

> sudo service tomcat6 stop
Stopping tomcat6:                                          [  OK  ]

> sudo mkdir /var/local/iexperiment/attachments
> sudo mkdir /var/local/iexperiment/lucene
> sudo chown -R tomcat:tomcat /var/local/iexperiment/*

> cd /var/lib/tomcat6/webapps/
> ls -lt
total 12
drwxrwxr-x 5 root tomcat 4096 Jul 14 14:53 sample
drwxrwxr-x 5 root tomcat 4096 Jul 14 14:53 examples
drwxrwxr-x 3 root tomcat 4096 Jul 14 14:53 ROOT

> sudo mkdir record
> sudo mkdir admin
> sudo mkdir resetPassword
> sudo chgrp tomcat *

# Begein of admin application configuration.
> pushd admin
> sudo unzip ../admin.war

# After uploading Admin.html
> sudo chown -R root:root *.html

# After uploading deployment specific images to the images diectory.
> pushd images
> sudo chown -R root:root *
> popd

# After uploading the deployment specific properties files
# to the WEB-INF/classes directory
> pushd WEB-INF/classes/
> sudo chown -R root:root *.properties
> ls -lt
total 28
-rw-rw-r-- 1 root root 1287 Jul 14 18:33 log4j.properties
-rw-rw-r-- 1 root root 2020 Jul 14 18:33 iexperiment.properties
-rw-rw-r-- 1 root root 1514 Jul 14 18:33 dbpool.properties
drwxr-xr-x 3 root root 4096 Jul 14 17:49 net
drwxr-xr-x 3 root root 4096 Jul 14 17:49 org
drwxr-xr-x 4 root root 4096 Jul 14 17:49 com
-rw-r--r-- 1 root root 1370 May  3 19:05 mail.properties

# End of admin application configuration.
# Repeat for the record and resetPassword applications. 

> sudo service tomcat6 start
Starting tomcat6:                                          [  OK  ]
    

Removing Port 8443 from HTTPS Requests

The final task in setting up the iExperiment Server is to remove the port number from the secure https requests. We do this by relay the port 443 TCP connections to port 8443 using iptables in the Netfilter package that already installed on the EC2 instance.

1. Using iptables redirect the incoming port 443 request to port 8443.
2. Using iptables redirect the output from the incoming port 443 request to port 8443.
3. We can see these rules in the “nat” table using the command “sudo iptables -t nat -L”.
4. Save the iptable in /etc/iptables.conf, and change ownership to root.
5. Finally, add “/sbin/iptables-restore < /etc/iptables.conf” to the bottom to /etc/rc.local file.

> sudo iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
> sudo iptables -t nat -I OUTPUT -p tcp --dport 443 -j REDIRECT --to-ports 8443

> sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:https redir ports 8443

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:https redir ports 8443

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

> sudo iptables-save > iptables.conf
> more iptables.conf
# Generated by iptables-save v1.4.7 on Thu Sep  8 03:32:23 2011
*nat
:PREROUTING ACCEPT [5:300]
:OUTPUT ACCEPT [50:3801]
:POSTROUTING ACCEPT [50:3801]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT
# Completed on Thu Sep  8 03:32:23 2011

> sudo cp -p iptables.conf /etc/.
> sudo chown -R root:root /etc/iptables.conf
> sudo ls -l /etc/iptables.conf
-rw-rw-r-- 1 root root 332 Sep  8 03:32 /etc/iptables.conf

> sudo vi /etc/rc.local
> more /etc/rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
/sbin/iptables-restore < /etc/iptables.conf