Michael Doran Home Page
This page is deprecated: please read archives disclaimer.

Adding SSL to Apache for WebVoyage, a VUGM 2001 Technical Session

Tutorial

Post-install Configuration

  Configure Apache

If you followed the installation advice regarding install paths, you should now have two separate installations of Apache: the original Endeavor-installed version and the new SSL-enabled version. (SSL-enabled Apache can be run with SSL turned on or off.)

httpd.conf (note 1)

Before you use the SSL version, you will need to edit its httpd.conf file. Open up (or print out) the Endeavor-installed httpd.conf file and use that as a guide to configure the SSL-enabled httpd.conf. As you make the new httpd.conf conform to the old one, you will notice that it contains additional SSL configuration stanzas. You can leave most of the SSL variables set to their default values; however, you will have to specify an SSL DocumentRoot, etc.

Testing

Once httpd.conf is edited, you can start up the new SSL-enabled Apache and take it for a test drive. Since you are probably using a test certificate at this point, you will likely not want to change any URL links to your production version of WebVoyage (so as not to surprise users with security alerts). One testing option is to run an SSL-enabled Apache instance specifying a port number other than the default and then test SSL functionality by typing in https on the address line of your browser.

Startup scripts (notes 2, 3)

When your Unix server changes run-levels (e.g., when being rebooted), it looks at scripts in various run-level directories in order to determine which processes and applications to either turn off or turn on. Your current Endeavor-installed Apache has these (or similar) start/stop scripts:
    /etc/init.d/httpd
    /etc/rc0.d/K10httpd
    /etc/rc2.d/S99httpd

When you are done testing the SSL Apache and want to make it your operational version, you will need to either edit the Endeavor-supplied scripts or use the apachectl file as a template for new ones. You will also need to edit the "start" case within the startup script so that the httpd daemon gets the SSL switch (-DSSL) as an argument.
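The following start/stop script shows the edited "start" case described above. It is an added example, not the Endeavor-supplied script or the stock apachectl; the install path in APACHE_HOME and the function names apache_rc and httpd_running are assumptions to adjust for your site.

```shell
#!/bin/sh
# Added example: init.d-style start/stop script for the SSL-enabled Apache.
# APACHE_HOME is an assumed install path, not one given on this page.
APACHE_HOME="${APACHE_HOME:-/usr/local/apache-ssl}"
HTTPD="${HTTPD:-$APACHE_HOME/bin/httpd}"
PIDFILE="${PIDFILE:-$APACHE_HOME/logs/httpd.pid}"

# Succeeds only if the pid file names a live process (guards against a
# stale pid file left behind by a crash or an unclean shutdown).
httpd_running() {
    [ -f "$PIDFILE" ] || return 1
    pid=`cat "$PIDFILE"`
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

apache_rc() {
    case "$1" in
    start)
        if httpd_running; then
            echo "httpd already running (pid $pid)"
            return 0
        fi
        if [ ! -x "$HTTPD" ]; then
            echo "$HTTPD not found or not executable" >&2
            return 1
        fi
        # -DSSL defines the SSL parameter that <IfDefine SSL> sections in
        # httpd.conf test for. Without it the same binary starts with SSL off.
        "$HTTPD" -DSSL
        ;;
    stop)
        if httpd_running; then
            kill "$pid"
        else
            echo "httpd not running"
        fi
        ;;
    *)
        echo "Usage: apache_rc {start|stop}" >&2
        return 1
        ;;
    esac
}

# init runs the run-level links with one argument (S99httpd start,
# K10httpd stop); dispatch on it when one is given.
if [ $# -gt 0 ]; then
    apache_rc "$@"
fi
```

Because the run-level entries are links to the init.d file, installing this once as /etc/init.d/httpd covers both the S99 and K10 entries.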

  Purchase a certificate

During installation of the SSL-enabled Apache you should have created a test certificate. That's fine while you kick the tires, but once you're ready to go operational you need to get a certificate issued by a certificate authority.

  Configure WebVoyage (note 4)

webvoyage.ini (notes 5, 6)

Pretty much the only WebVoyage configuration that Endeavor specifies is to set SSL=TRUE in the Security Options stanza of the webvoyage.ini file.

ImageServer

Sites using ImageServer will need to change the URL (from http to https) for the ScanDoc variable in the Links stanza of opac.ini and/or voyager.ini.

Links

Then change any links pointing to WebVoyage from http to https. (https://Voyager.Server.edu/)

Dilemma?

We want to use SSL to encrypt patron information. However, we don't necessarily want to use SSL to encrypt any other pages. Why not? Because encryption is processor-intensive and we don't want to waste CPU cycles encrypting non-confidential data.

Does it create enough of a performance drag that users will notice? "A Comparison of HTTP and HTTPS Performance," done at New York University, suggests it may not be much of a problem. As always, your mileage may vary.

  Notes
  1. Recent releases of Apache combine all the configuration data into one file - httpd.conf. Earlier releases spread the data among three config files - httpd.conf, access.conf, and srm.conf. Adjust the above instructions accordingly.

  2. Run-level directories are the Solaris way; AIX uses the /etc/inittab file and (optionally) the /etc/rc.local directory.

  3. Files in the run-level directories (e.g., rc2.d and rc0.d) are actually either hard or soft links to files in the init.d directory. If you follow this convention, edits only need to be made to one file.

  4. See the Voyager 2000.1 WebVoyage Manual, pages 181-182. For Voyager 99.1 the same info is in the OPAC Manual, pages 225-226.

  5. This webvoyage.ini variable was necessary in Voyager 99.1, due to Pwebrecon generating some absolute pathnames for images, but in my experience with Voyager 2000.1, Secure Sockets Layer works okay regardless of whether this variable is set to true or false. My advice is to go ahead and set it to true.

  6. Voyager 99.1 sites: The "[Security Options]" stanza may not exist in your webvoyage.ini file, in which case you will have to create it. Also be aware that the variable is case sensitive, so use an uppercase TRUE.