Install LPSE Server (Apache, Tomcat, and PostgreSQL)

Posted by: adiseno  :  Category: Linux

The required software must already be installed. It includes:
• Apache 2.x (mod_jk, mod_security, mod_evasive, mod_deflate)
• Apache Tomcat 6.x
• Java SDK 1.6.x
• PostgreSQL 8.x

Since the distro I use is RHEL 5.5, installation is just a matter of running yum:

yum install postgresql httpd php

For Java I downloaded the source archive and simply extracted it to /usr/local/src,

then set the access permissions:

chmod 777 /usr/local/src/jdk1.6.0/bin/*

1. Database configuration

a. Edit the following lines in postgresql.conf to read:

listen_addresses = '*'
port = 5432

b. Add the following line to pg_hba.conf:

host all all 192.168.0.1/24 trust

assuming 192.168.0.1 is the application server

c. Restart PostgreSQL with the following command:

service postgresql restart

d. Create the users in the database:

root@lpse:/# su postgres
postgres@lpse:$ /usr/bin/psql
postgres=# create user epns;
CREATE ROLE
postgres=# create user secman;
CREATE ROLE

e. Create the production databases:

root@lpse:/# su postgres
postgres@lpse:$ createdb -U postgres epns-prod -O epns
postgres@lpse:$ createdb -U postgres secman-prod -O secman

f. Import the databases:

root@lpse:/# su postgres
postgres@lpse:$ psql
postgres=# \cd /home/sysadmin
postgres=# \c epns-prod
epns-prod=# \i epns_master_prod_220.sql
epns-prod=# \i 7_upgrade_to_R5b.sql
epns-prod=# \c secman-prod
secman-prod=# \i secman_master_prod_220.sql

g. Change the user passwords:

root@lpse:/# su postgres
postgres@lpse:$ psql
postgres=# ALTER USER epns PASSWORD 'passwordku';
ALTER ROLE
postgres=# ALTER USER secman PASSWORD 'passwordku';
ALTER ROLE

2. Application configuration:

a. Copy the LPSE application source to /usr/local/src

cp -R /home/sysadmin/lpse/appserv/epns-prod/ /usr/local/src/

b. Set the database connection configuration:

I assume the database is on the same server, 192.168.0.1

edit the file /usr/local/src/epns-prod/eproc/WEB-INF/classes/application.properties to read as follows:

secman.jdbc.driverClassName=org.postgresql.Driver
secman.jdbc.url=jdbc:postgresql://192.168.0.1/secman-prod
secman.jdbc.username=secman
secman.jdbc.password=[password user secman]
secman.jdbc.validationQuery=SELECT 1
jdbc.driverClassName=org.postgresql.Driver
jdbc.url=jdbc:postgresql://192.168.0.1/epns-prod
jdbc.username=epns
jdbc.password=[password user epns]
jdbc.validationQuery=SELECT 1

c. Install Tomcat:

Copy the Tomcat source to /usr/local/src

cp -R /home/sysadmin/lpse/src/apache-tomcat-production/ /usr/local/src/

d. Set the Java home path

edit the file /etc/profile and add the following lines:

export JRE_HOME=/usr/local/src/jdk1.6.0/
export JAVA_HOME=/usr/local/src/jdk1.6.0/

e. Change the AJP13 port to 7009

edit the file /usr/local/src/apache-tomcat-production/conf/server.xml

<Connector port="7009" protocol="AJP/1.3" redirectPort="8443" />

f. Close port 8080

edit the file /usr/local/src/apache-tomcat-production/conf/server.xml and comment out the following lines:

<!--
<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
-->

g. Point Tomcat at the path where the LPSE application lives

edit the file /usr/local/src/apache-tomcat-production/conf/server.xml and add the following lines:

<Context path="/eproc" docBase="/usr/local/src/epns-prod/eproc" reloadable="false"></Context>

<Listener className="org.apache.jk.config.ApacheConfig"
modJk="/etc/httpd/modules/mod_jk.so"
workersConfig="/etc/httpd/workers.properties" />

h. Create workers.properties to connect Tomcat with Apache

nano /etc/httpd/workers.properties

ps=/
worker.list=worker1 worker2
worker.worker1.port=8089
worker.worker1.host=localhost
worker.worker1.type=ajp13
worker.worker1.lbfactor=1
worker.worker2.port=7079
worker.worker2.host=localhost
worker.worker2.type=ajp13
worker.worker2.lbfactor=2
worker.loadbalancer.type=lb
worker.loadbalancer.balanced_workers=worker1 worker2
worker.inprocess.type=jni
worker.inprocess.class_path=$(workers.tomcat_home)$(ps)lib$(ps)catalina.jar
worker.inprocess.cmd_line=start
worker.inprocess.jvm_lib=$(workers.java_home)$(ps)jre$(ps)lib$(ps)i386$(ps)classic$(ps)libjvm.so
worker.inprocess.stdout=$(workers.tomcat_home)$(ps)logs$(ps)inprocess.stdout
worker.inprocess.stderr=$(workers.tomcat_home)$(ps)logs$(ps)inprocess.stderr

i. Add the following lines to httpd.conf to redirect the website

Alias /eproc /usr/local/src/epns-prod/eproc
RedirectMatch ^/$ /eproc/app

j. Edit mod_jk.conf as follows:

LoadModule jk_module modules/mod_jk.so

JkWorkersFile /etc/httpd/workers.properties
JkLogFile /var/log/httpd/mod_jk.log
JkLogLevel info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
JkMount /eproc* worker1
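mod_jk only forwards traffic if the worker named in JkMount listens on the port Tomcat's AJP connector actually uses. The script below is an added example, not from the post: it pulls every active AJP/1.3 port out of server.xml (skipping connectors that are commented out, including multi-line comments like the one in step f), looks up the worker that JkMount names in workers.properties, and compares the two. Fed the values from the steps above (connector on 7009, worker1 on 8089) it reports a mismatch; WORKERS_FIXED is the same file with worker1 pointed at 7009. All inputs are constructed from the post's values and the function names are mine.

```shell
#!/bin/sh
# Added example: cross-check Tomcat's AJP connector port against the mod_jk
# worker that JkMount routes to. Inputs below are constructed from the post.

SERVER_XML='<Service name="Catalina">
  <Connector port="7009" protocol="AJP/1.3" redirectPort="8443" />
  <!-- old connector, disabled:
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  -->
  <!-- <Connector executor="tomcatThreadPool"
       port="8080" protocol="HTTP/1.1"
       connectionTimeout="20000"
       redirectPort="8443" /> -->
</Service>'

WORKERS='worker.list=worker1 worker2
worker.worker1.port=8089
worker.worker1.host=localhost
worker.worker1.type=ajp13
worker.worker2.port=7079
worker.worker2.host=localhost
worker.worker2.type=ajp13'

# Same file with worker1 pointed at the port the AJP connector really uses.
WORKERS_FIXED=$(printf '%s\n' "$WORKERS" | sed 's/^worker\.worker1\.port=.*/worker.worker1.port=7009/')

MOD_JK='JkWorkersFile /etc/httpd/workers.properties
JkMount /eproc* worker1'

# Removes <!-- ... --> comments, including ones that span several lines.
strip_xml_comments() {
  awk '{
    line = $0; out = ""
    while (1) {
      if (in_comment) {
        i = index(line, "-->")
        if (i == 0) { line = ""; break }
        line = substr(line, i + 3); in_comment = 0
      } else {
        i = index(line, "<!--")
        if (i == 0) break
        out = out substr(line, 1, i - 1)
        line = substr(line, i + 4); in_comment = 1
      }
    }
    print out line
  }'
}

# Prints the port of every active AJP/1.3 connector in the server.xml text $1.
ajp_ports() {
  printf '%s\n' "$1" | strip_xml_comments | grep 'protocol="AJP/1.3"' |
    sed -n 's/.*port="\([0-9][0-9]*\)".*/\1/p'
}

# Prints the worker named by the first JkMount line in the mod_jk text $1.
mount_worker() {
  printf '%s\n' "$1" | awk '$1 == "JkMount" { print $3; exit }'
}

# Prints the port of worker $1 from the workers.properties text $2.
worker_port() {
  printf '%s\n' "$2" | sed -n "s/^worker\.$1\.port=//p"
}

# $1 = server.xml, $2 = workers.properties, $3 = mod_jk.conf text.
# Returns 0 when JkMount's worker targets an active AJP connector port.
check_ajp_wiring() {
  w=$(mount_worker "$3")
  wp=$(worker_port "$w" "$2")
  for p in $(ajp_ports "$1"); do
    if [ "$p" = "$wp" ]; then
      echo "OK: JkMount -> $w -> AJP port $p"
      return 0
    fi
  done
  echo "MISMATCH: JkMount -> $w -> port ${wp:-unset}, but Tomcat's AJP connector(s) listen on: $(ajp_ports "$1" | tr '\n' ' ')"
  return 1
}

# Stand-alone run: first the post's values, then the corrected workers file.
check_ajp_wiring "$SERVER_XML" "$WORKERS" "$MOD_JK" || :
check_ajp_wiring "$SERVER_XML" "$WORKERS_FIXED" "$MOD_JK"
```

On a real host, pass the files in with `check_ajp_wiring "$(cat conf/server.xml)" "$(cat /etc/httpd/workers.properties)" "$(cat /etc/httpd/conf.d/mod_jk.conf)"`. The check reads only the first JkMount; if several mounts go to different workers, call it once per worker.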

k. Install and configure the security modules

yum install mod_evasive mod_security

edit mod_evasive.conf:

<IfModule mod_evasive20.c>
DOSHashTableSize 6194
DOSPageCount 25
DOSSiteCount 80
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
</IfModule>

edit mod_security.conf:

SecAuditEngine RelevantOnly
SecRequestBodyAccess On
SecResponseBodyAccess On
SecAuditLogParts ABCFHZ
SecAuditLog /home/logs_apache_tomcat/security/audit_apache.log
SecDebugLog /home/logs_apache_tomcat/security/modsec_debug.log
SecDebugLogLevel 3
SecDefaultAction log,auditlog,deny,status:403,phase:2,t:none
SecRuleEngine On
SecServerSignature "Netscape-Enterprise/6.0 PHP5.2.0 mod_asp/3.4.5"
SecRule ARGS "\.\./"
SecRule ARGS "<[[:space:]]*script"
SecRule ARGS "<(.|\n)+>"
SecRule REQUEST_BODY "(document\.cookie|Set-Cookie|SessionID=)"
SecRule REQUEST_BODY "<[^>]*meta*\"?[^>]*>"
SecRule REQUEST_BODY "<[^>]*style*\"?[^>]*>"
SecRule REQUEST_BODY "<[^>]*script*\"?[^>]*>"
SecRule REQUEST_BODY "<[^>]*iframe*\"?[^>]*>"
SecRule REQUEST_BODY "<[^>]*object*\"?[^>]*>"
SecRule REQUEST_BODY "<[^>]*img*\"?[^>]*>"
SecRule REQUEST_BODY "<[^>]*applet*\"?[^>]*>"
SecRule REQUEST_BODY "<[^>]*form*\"?[^>]*>"
SecRule REQUEST_HEADERS:User-Agent "Nikto" "log,deny,status:403,msg:'Nikto Scanners Identified'"
SecRule HTTP_HOST "\x25"
SecRule HTTP_HOST "^$" "log,allow,msg:'no http host'"
SecRule HTTP_USER_AGENT "^$" "log,allow,msg:'No user agent'"
SecRule REQUEST_BODY "/^(etc|bin|sbin|tmp|var|opt|dev|kernel|exe)$/"
SecRule ARGS "delete[[:space:]]+from"
SecRule ARGS "insert[[:space:]]+into"
SecRule ARGS "select.+from"
SecRule ARGS "\<\!--\#"
SecRule ARGS "((=))[^\n]*(<)[^\n]+(>)"
SecRule REQUEST_BODY "(\'|\")"
SecRule REQUEST_BODY "!^[\x20-\x7f]+$"
SecRule REQUEST_URI "^/(bin|cgi|cgi(\.cgi|-91[45]|-sys|-local|s|-win|-exe|-home|-perl)|(mp|web)cgi|(ht|ows-)bin|scripts|fcgi-bin)/"
SecRule REQUEST_BODY "/bin/ps"
SecRule ARGS "wget\x20"
SecRule ARGS "uname\x20-a"
SecRule REQUEST_BODY "/nessus_is_probing_you_"
SecRule REQUEST_URI "^OR 1=1--*"
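Several of the rules above match ordinary input: `(\'|\")` on REQUEST_BODY denies any form post that contains an apostrophe, and `select.+from` fires on a sentence such as "select a file from the list". With the SecDefaultAction shown, every hit is a 403, so it pays to replay representative requests through the patterns first and to start with `SecRuleEngine DetectionOnly`, which logs what would have been denied without denying it. The script below is an added example, not from the post: it transcribes a few of the rules to POSIX ERE and runs constructed sample bodies through them with grep. Rule ids, sample bodies and function names are my own.

```shell
#!/bin/sh
# Added example: replay a few of the mod_security patterns above against
# constructed request bodies to see which benign inputs they would deny.
# Patterns are transcribed to POSIX ERE (grep -E); (\'|\") becomes ['"].

# id|pattern, one rule per line (ids are constructed labels).
rule_table() {
  printf '%s\n' \
    'traversal|\.\./' \
    'script_tag|<[[:space:]]*script' \
    'sql_select|select.+from' \
    'sql_delete|delete[[:space:]]+from' \
    "any_quote|['\"]"
}

# Prints the id of every rule whose pattern matches the body in $1.
matching_rules() {
  rule_table | while IFS='|' read -r id pattern; do
    if printf '%s' "$1" | grep -Eq -- "$pattern"; then
      printf '%s\n' "$id"
    fi
  done
}

# Returns 0 if the body in $1 would be denied (any rule matched), 1 otherwise.
would_be_denied() {
  [ -n "$(matching_rules "$1")" ]
}

# Constructed sample bodies: two legitimate form posts, one probe, one clean.
BENIGN_NAME="name=O'Brien&comment=Thanks for the help"
BENIGN_TEXT='msg=select a file from the list'
PROBE_BODY='path=../../secret.txt'
CLEAN_BODY='q=hello world'

# Stand-alone run: one verdict per sample, with the rules that fired.
report_samples() {
  for body in "$BENIGN_NAME" "$BENIGN_TEXT" "$PROBE_BODY" "$CLEAN_BODY"; do
    hits=$(matching_rules "$body" | tr '\n' ' ')
    if would_be_denied "$body"; then
      printf 'DENY  %-42s rules: %s\n' "$body" "$hits"
    else
      printf 'ALLOW %-42s\n' "$body"
    fi
  done
}

report_samples
```

The two benign posts are denied by `any_quote` and `sql_select` respectively, which is the false-positive rate a real form would see; those two rules need narrowing (or removing) before SecRuleEngine goes to On, and the audit log from DetectionOnly shows which others do.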

edit mod_deflate.conf:

LoadModule deflate_module /usr/lib/apache2/modules/mod_deflate.so
SetOutputFilter DEFLATE
DeflateBufferSize 65536
DeflateCompressionLevel 9
DeflateFilterNote Input instream
DeflateFilterNote Output outstream
DeflateFilterNote Ratio ratio
DeflateMemLevel 9
DeflateWindowSize 15
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch "Windows 98" gzip-only-text/html
BrowserMatch "MSIE [45]" gzip-only-text/html
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI \.(?:gif|jpeg|jpe|jpg|png|ico|t?gz|zip|rar|pdf|doc|xls|dat)$ no-gzip dont-vary
LogFormat '"%r" %{outstream}n/%{instream}n (%{ratio}n%%)' deflate
CustomLog /var/log/apache2/deflate_log deflate

l. Restart the httpd service, then start Tomcat

service httpd restart

/usr/local/src/apache-tomcat-production/bin/startup.sh

If you want Apache and Tomcat to start at boot, do the following:

chkconfig httpd on

edit the file /etc/rc.local and add the following line:

/usr/local/src/apache-tomcat-production/bin/startup.sh



IP Bonding Linux

Posted by: adiseno  :  Category: Linux

[root@MKRI06 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
USERCTL=no
ONBOOT=yes
MASTER=bond0
SLAVE=yes
BOOTPROTO=none
[root@MKRI06 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
USERCTL=no
ONBOOT=yes
MASTER=bond0
SLAVE=yes
BOOTPROTO=none
[root@MKRI06 ~]# cat /etc/sysconfig/network-scripts/ifcfg-bond0
DEVICE=bond0
IPADDR=192.168.80.11
NETWORK=192.168.80.0
NETMASK=255.255.255.192
GATEWAY=192.168.80.1
USERCTL=no
BOOTPROTO=none
ONBOOT=yes
[root@MKRI06 ~]# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=MKRI06.MKRI.GO.ID
[root@MKRI06 ~]# cat /etc/modprobe.conf
alias eth0 bnx2
alias eth1 bnx2
alias scsi_hostadapter aacraid
alias scsi_hostadapter1 ata_piix
alias scsi_hostadapter2 lpfc
alias usb-controller ehci-hcd
alias usb-controller1 uhci-hcd
alias bond0 bonding
options bond0 mode=balance-alb miimon=100
options lpfc lpfc_discovery_threads=1
[root@MKRI06 ~]# cat /etc/resolv.conf
search MKRI.GO.ID
nameserver 192.168.80.6
nameserver 192.168.80.7
[root@MKRI06 ~]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 MKRI06.MKRI.GO.ID MKRI06 localhost.localdomain localhost



Script apache redirect website to mobile

Posted by: adiseno  :  Category: Linux

One more short note: a script to redirect a website to mobile phone browsers. The script automatically detects the browser the visitor is using; if the visitor is on a phone browser, the site is sent straight to your mobile version. In the example here the normal site is www.example.com and the mobile version is m.example.com.

### START REDIRECT WEBSITE TO MOBILE PHONE ###

RewriteEngine On

RewriteCond %{HTTP_ACCEPT} "text/vnd.wap.wml|application/vnd.wap.xhtml\+xml" [NC]
RewriteCond %{HTTP_HOST} "!m.example.com" [NC]
RewriteRule (.*) http://m.example.com/$1 [L]

RewriteCond %{HTTP_USER_AGENT} (midp|nokia|symbian|iphone|blackberry|android|opera mini|ipod|iemobile|UP\.Browser) [NC]
RewriteCond %{HTTP_HOST} "!m.example.com" [NC]
RewriteRule (.*) http://m.example.com/$1 [L]

### END REDIRECT WEBSITE TO MOBILE PHONE ###
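The two rule groups above make one decision: redirect when either the Accept header advertises WAP/WML or the User-Agent matches the phone list, but never when the request already arrived at m.example.com (that second RewriteCond is what stops a redirect loop). The function below is an added example, not from the post, that reproduces the decision in shell so the rules can be exercised without Apache. The patterns are the post's, transcribed to POSIX ERE with the `+` in the Accept pattern matched literally; the request samples and function name are mine.

```shell
#!/bin/sh
# Added example: the decision made by the two RewriteCond/RewriteRule groups
# above, as a shell function, so the rules can be exercised without Apache.

MOBILE_HOST='m.example.com'
UA_PATTERN='midp|nokia|symbian|iphone|blackberry|android|opera mini|ipod|iemobile|UP\.Browser'
ACCEPT_PATTERN='text/vnd\.wap\.wml|application/vnd\.wap\.xhtml[+]xml'

# $1 = Host header, $2 = request path, $3 = User-Agent, $4 = Accept.
# Prints the redirect target and returns 0 when a redirect would happen;
# prints nothing and returns 1 when the request is served as-is.
mobile_redirect_target() {
  host=$1; path=$2; ua=$3; accept=$4
  # Both groups carry RewriteCond %{HTTP_HOST} !m.example.com: once the
  # visitor is on the mobile host nothing fires, which prevents a loop.
  if printf '%s' "$host" | grep -Eiq -- "$MOBILE_HOST"; then
    return 1
  fi
  if printf '%s' "$accept" | grep -Eiq -- "$ACCEPT_PATTERN" ||
     printf '%s' "$ua" | grep -Eiq -- "$UA_PATTERN"; then
    # (.*) captures the path; in server context it includes the leading
    # slash, which is dropped here so the target is not http://m.example.com//path
    printf 'http://%s/%s\n' "$MOBILE_HOST" "${path#/}"
    return 0
  fi
  return 1
}

# Stand-alone run over constructed requests (host|path|user-agent|accept).
demo_requests() {
  for req in \
    'www.example.com|/news/1|Mozilla/5.0 (Linux; Android 4.4)|text/html' \
    'www.example.com|/|SomePhone/1.0|application/vnd.wap.xhtml+xml' \
    'm.example.com|/news/1|Mozilla/5.0 (Linux; Android 4.4)|text/html' \
    'www.example.com|/news/1|Mozilla/5.0 (Windows NT 6.1)|text/html'
  do
    old_ifs=$IFS; IFS='|'; set -- $req; IFS=$old_ifs
    if target=$(mobile_redirect_target "$1" "$2" "$3" "$4"); then
      echo "$1$2 -> $target"
    else
      echo "$1$2 -> served as-is"
    fi
  done
}

demo_requests
```

The third sample is the loop case: an Android browser already on m.example.com is served as-is. If that RewriteCond were missing, every request to the mobile host would redirect to itself until the browser gave up.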



Configure Apache Webserver With SSL

Posted by: adiseno  :  Category: Linux

As a note, I took this from http://overflow.web.id/source/SSL-Apache.Configuration.txt, about Apache SSL configuration.

Configuring Apache with an SSL/TLS certificate
——————————————————————————-
By Henry Saptono ,
Depok, April 2007
——————————————————————————-

This article tries to explain briefly and practically how to configure SSL
(enable secure socket layer) in Apache 2.0.

Assumptions:
——————————————————————————-
Your web server (Apache 2.0) runs on a machine whose hostname (FQDN) is
sotnec.nurulfikri.com; note that your machine's hostname must be resolvable
(validly registered in DNS). So far your web server has only run the http
service (port 80); now you want to enable the https service (port 443) on it.
The web server has 2 virtual hosts running in HTTPS mode, with the hostnames
(FQDNs) "mars.nurulfikri.com" and "bumi.nurulfikri.com".

Step-by-step SSL configuration (enable secure socket layer) in
Apache 2.0:
——————————————————————————

Stage 1: Set up your own CA (Certificate Authority)
—————————————————

For your Apache web server to run as a secure (SSL/TLS encrypted) web server,
you must have a "private key" and a "certificate" for it.
For a commercial website you can buy a certificate signed by a well-known
root CA.
For an intranet or a special-purpose server you can create your own CA. This
can be done with the OpenSSL tools.

Here we create a private CA key and a private CA X.509 certificate.
We also create a directory to store the certs and keys:

# mkdir /root/CA
# chmod 0770 /root/CA
# cd /root/CA

# openssl genrsa -des3 -out my-ca.key 2048
# openssl req -new -x509 -days 3650 -key my-ca.key -out my-ca.crt
# openssl x509 -in my-ca.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=ID, ST=Jawa Barat, L=Depok, O=PT NCI, OU=IT,
CN=sotnec.nurulfikri.com/emailAddress=henry@nurulfikri.com
Validity
Not Before: Apr 3 02:10:25 2007 GMT
Not After : Mar 31 02:10:25 2017 GMT
Subject: C=ID, ST=Jawa Barat, L=Depok, O=PT NCI, OU=IT,
CN=sotnec.nurulfikri.com/emailAddress=henry@nurulfikri.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:d2:55:bb:2c:54:17:11:8e:15:9d:5f:58:c5:a2:
ae:f2:a6:c2:a7:c3:9d:bd:7c:f7:2a:b0:ac:1a:25:
3e:4c:4c:ee:c7:27:ed:68:79:85:22:77:7f:46:9a:
e3:48:2a:b4:c7:87:f9:03:6f:47:54:c7:31:4f:35:
b7:57:b0:02:d0:0e:9c:5a:87:52:58:09:3c:c6:cd:
1b:a5:53:b7:4f:97:9f:52:e7:c8:22:3b:fa:0d:3a:
6c:98:1b:ae:87:9e:7b:78:b3:c1:d1:87:97:b8:8f:
88:29:a7:2d:18:60:30:4a:fb:84:3f:c8:e8:8c:bd:
86:1f:9c:b9:45:a0:1f:be:04:66:37:60:e8:c4:0a:
e1:fd:04:84:f8:cd:4a:4a:95:5f:c4:6e:20:d7:e0:
c8:c4:a0:1f:3b:e7:01:7c:16:06:11:b8:b3:1a:65:
ed:f1:da:7d:76:80:5a:3e:7c:05:4a:4c:da:cf:8a:
6f:8f:e4:6c:65:ed:ec:4c:61:4f:8e:0b:3c:28:9b:
fd:47:7c:40:68:c0:7b:74:cc:03:87:7d:ed:29:e0:
18:b9:01:64:e7:4b:f6:cb:a0:bc:3c:85:e7:4a:4d:
14:80:16:ea:54:80:a7:00:40:f9:fc:21:4a:c9:45:
e5:32:c3:f1:3f:d9:bd:ce:e6:86:f5:c9:c4:4a:ea:
9a:bb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
43:F7:93:F4:F5:7A:D1:24:F5:A8:F1:4E:CF:F9:9C:3C:83:73:25:34
X509v3 Authority Key Identifier:
keyid:43:F7:93:F4:F5:7A:D1:24:F5:A8:F1:4E:CF:F9:9C:3C:83:73:25:34
DirName:/C=ID/ST=Jawa Barat/L=Depok/O=PT
NCI/OU=IT/CN=sotnec.nurulfikri.com/emailAddress=henry@nurulfikri.com
serial:00

X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: md5WithRSAEncryption
8f:75:79:48:6b:d0:7e:02:9f:1c:f8:9d:39:e5:5b:6e:c7:1e:
e9:6e:a3:e4:d1:d3:9b:db:33:62:f6:67:aa:54:90:38:78:61:
4a:fb:b8:fd:0c:74:d5:ac:08:ff:00:a2:fb:98:b3:56:44:6e:
7f:8d:77:d9:5d:0f:ee:40:06:62:46:aa:bc:8b:ff:c7:a3:e6:
83:b9:63:f8:c7:ef:1a:ed:6e:eb:57:e9:d1:2c:f0:12:50:4b:
7d:5b:c5:22:b0:a0:12:65:93:81:e3:54:f8:85:10:8d:5b:d3:
9b:56:59:b8:3d:01:07:6e:33:d6:52:c5:8e:b3:c9:48:95:7b:
26:c2:74:ab:d3:b0:3a:ad:52:bb:69:86:dc:83:40:b6:9a:f0:
b3:f7:46:5d:ca:99:61:c6:7e:ac:92:c5:a9:3b:80:c1:05:e7:
5f:7b:24:8d:1e:eb:dc:85:fe:77:c5:99:4b:10:d3:d5:3c:fa:
24:f2:f5:a4:e6:7d:dd:c7:e2:25:8a:c1:18:59:92:f7:42:77:
27:1e:3d:36:c3:6a:65:ab:1d:c5:34:a8:ab:66:9e:1f:d6:9c:
50:46:76:94:bc:67:27:29:60:55:b3:88:65:58:63:85:c5:f2:
d9:dc:f9:06:d4:27:a2:18:22:65:36:72:80:44:cf:b6:d2:d5:
28:e4:25:35

Notes:
The first openssl command creates the CA key. The second creates an X.509
certificate with a 10-year lifetime. The third displays our certificate in full.

Stage 2: Create the key and certificate for the web server:
———————————————————

Now we create the X.509 certificate and its private key for the web server.
Since we issue the certificate ourselves, we create the key and the
certificate request, and the request is then "signed" with the CA key
created in stage 1. Multiple keys for multiple web servers (virtual hosts)
can be created the same way.
One thing to note is that SSL/TLS private keys for the web server need to be
512 or 1024 bits. Other key sizes may not be compatible with certain browsers.

In the example here we create the key and certificate for the virtual hosts
mars.nurulfikri.com and bumi.nurulfikri.com.

# openssl genrsa -des3 -out mars-server.key 1024
# openssl req -new -key mars-server.key -out mars-server.csr
# openssl x509 -req -in mars-server.csr -out mars-server.crt -sha1 -CA my-ca.crt -CAkey my-ca.key -CAcreateserial -days 3650
# openssl x509 -in mars-server.crt -text -noout
# openssl genrsa -des3 -out bumi-server.key 1024
# openssl req -new -key bumi-server.key -out bumi-server.csr
# openssl x509 -req -in bumi-server.csr -out bumi-server.crt -sha1 -CA my-ca.crt -CAkey my-ca.key -CAcreateserial -days 3650
# openssl x509 -in bumi-server.crt -text -noout

All key files in /root/CA should have their permissions changed to 0400, as
follows:
# chmod 0400 *.key
# ls /root/CA/

Stage 3: Export/copy the keys and certificates into the Apache configuration directory
—————————————————————————————
# mkdir /etc/httpd/conf/ssl.crt
# mkdir /etc/httpd/conf/ssl.key

# cp my-ca.crt /etc/httpd/conf/ssl.crt
# cp mars-server.crt /etc/httpd/conf/ssl.crt
# cp mars-server.key /etc/httpd/conf/ssl.key
# cp bumi-server.key /etc/httpd/conf/ssl.key
# cp bumi-server.crt /etc/httpd/conf/ssl.crt

Stage 4: Create the documentroot directory & index.html for each virtualhost
———————————————————————————–
# mkdir /var/www/mars
# chmod 0775 /var/www/mars
# cd /var/www/mars
# echo "Hello mars" > index.html
# mkdir /var/www/bumi
# cd /var/www/bumi
# chmod 0775 /var/www/bumi
# echo "Hello bumi" > index.html

Stage 5: Configure Apache to support SSL/TLS
——————————————————–

# vi /etc/httpd/conf.d/ssl.conf

————————————————————————————
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#

LoadModule ssl_module modules/mod_ssl.so

#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLPassPhraseDialog builtin

SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300

# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex default

SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin

SSLCryptoDevice builtin

##
## SSL Virtual Host Context
##

NameVirtualHost 192.168.1.33:443

<VirtualHost 192.168.1.33:443>
# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/mars"
ServerName mars.nurulfikri.com:443
ErrorLog logs/mars-ssl_error_log
TransferLog logs/mars-ssl_access_log
LogLevel warn
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/httpd/conf/ssl.crt/mars-server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/mars-server.key

SSLOptions +StdEnvVars

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

<VirtualHost 192.168.1.33:443>
# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/bumi"
ServerName bumi.nurulfikri.com:443
ErrorLog logs/bumi-ssl_error_log
TransferLog logs/bumi-ssl_access_log
LogLevel warn
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/httpd/conf/ssl.crt/bumi-server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/bumi-server.key

SSLOptions +StdEnvVars

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>


—————————————————————————————————-

After configuring Apache, restart the Apache service:
[root@sotnec ~]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: Apache/2.0.52 mod_ssl/2.0.52 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server bumi.nurulfikri.com:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
[ OK ]

Note:
when you restart the Apache service you will be asked for the pass phrase of
the keys you created, as shown above; enter the pass phrase you chose when
creating them.

Then try accessing the web server with the following URLs:
https://mars.nurulfikri.com

and

https://bumi.nurulfikri.com

————————
WEB server key password:
————————
After you have completed the stages above your web server supports SSL, but
remember that every time you restart or start the Apache service you must
enter the pass phrase (password) of each virtual host's key. Some people find
this less simple or flexible, but it is actually safer/more secure. If you do
not want to enter each virtual host's key pass phrase (password) every time
you restart Apache, do the following steps:

[root@sotnec ~]# cd /etc/httpd/conf/ssl.key
[root@sotnec ssl.key]# cp bumi-server.key bumi-server.key.org
[root@sotnec ssl.key]# openssl rsa -in bumi-server.key.org -out bumi-server.key
Enter pass phrase for bumi-server.key.org:
writing RSA key
[root@sotnec ssl.key]# less bumi-server.key
[root@sotnec ssl.key]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: Apache/2.0.52 mod_ssl/2.0.52 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server mars.nurulfikri.com:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
[ OK ]
[root@sotnec ssl.key]# cp mars-server.key mars-server.key.org
[root@sotnec ssl.key]# openssl rsa -in mars-server.key.org -out mars-server.key
Enter pass phrase for mars-server.key.org:
writing RSA key
[root@sotnec ssl.key]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
[root@sotnec ssl.key]#
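Stages 1 and 2 above and the pass-phrase removal just shown are all interactive. The script below is an added example, not from the article or its source: it performs the same sequence non-interactively (private CA, two server certificates signed by it, pass phrase stripped from one key) with a verification after each step. It deliberately differs from the article in a few places a practitioner would change today: 2048-bit keys and SHA-256 signatures instead of 1024-bit keys and MD5/SHA-1, explicit CA:TRUE / CA:FALSE basic constraints, and a subjectAltName on each server certificate. Pass phrases are supplied through -passout/-passin from the constructed placeholders CA_PASS and KEY_PASS; the function names, the config sections and the 825-day validity are my own assumptions.

```shell
#!/bin/sh
# Added example: Stages 1 and 2 plus pass-phrase removal, non-interactive,
# with a check after each step. Placeholders CA_PASS/KEY_PASS are constructed.
set -e

CA_PASS=${CA_PASS:-placeholder-ca-passphrase}     # constructed, change it
KEY_PASS=${KEY_PASS:-placeholder-key-passphrase}  # constructed, change it

# Stage 1: encrypted private CA key and self-signed CA certificate in $1.
make_ca() {
  dir=$1
  mkdir -p "$dir"
  chmod 0700 "$dir"
  cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
C  = ID
O  = Example Lab
CN = Example Lab Root CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$dir/my-ca.key" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -days 3650 -config "$dir/ca.cnf" \
    -key "$dir/my-ca.key" -passin "pass:$CA_PASS" -out "$dir/my-ca.crt"
  chmod 0400 "$dir/my-ca.key"
}

# Stage 2: encrypted server key, CSR and CA-signed certificate for host $2 in $1.
issue_server_cert() {
  dir=$1
  host=$2
  openssl genrsa -aes256 -passout "pass:$KEY_PASS" -out "$dir/$host.key" 2048 2>/dev/null
  openssl req -new -sha256 -config "$dir/ca.cnf" -key "$dir/$host.key" \
    -passin "pass:$KEY_PASS" -subj "/C=ID/O=Example Lab/CN=$host" -out "$dir/$host.csr"
  cat > "$dir/$host.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
EOF
  openssl x509 -req -sha256 -days 825 -in "$dir/$host.csr" \
    -CA "$dir/my-ca.crt" -CAkey "$dir/my-ca.key" -passin "pass:$CA_PASS" \
    -CAcreateserial -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null
  chmod 0400 "$dir/$host.key"
}

# Pass-phrase removal as in the article (key.org keeps the encrypted copy);
# the plaintext key is then readable by its owner only.
strip_passphrase() {
  dir=$1
  host=$2
  cp -p "$dir/$host.key" "$dir/$host.key.org"
  chmod 0600 "$dir/$host.key"
  openssl rsa -in "$dir/$host.key.org" -passin "pass:$KEY_PASS" -out "$dir/$host.key" 2>/dev/null
  chmod 0400 "$dir/$host.key"
}

# Checks: chain validity, SAN presence, and whether a PEM key is still encrypted.
verify_chain()     { openssl verify -CAfile "$1/my-ca.crt" "$1/$2.crt" >/dev/null 2>&1; }
cert_has_san()     { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }
key_is_encrypted() { grep -q ENCRYPTED "$1"; }

# Full run in a scratch directory; prints the directory used.
demo() {
  work=$(mktemp -d)
  make_ca "$work"
  for h in mars.nurulfikri.com bumi.nurulfikri.com; do
    issue_server_cert "$work" "$h"
    verify_chain "$work" "$h" || { echo "chain check failed for $h" >&2; return 1; }
    cert_has_san "$work/$h.crt" "$h" || { echo "SAN missing for $h" >&2; return 1; }
  done
  strip_passphrase "$work" mars.nurulfikri.com   # bumi keeps its pass phrase
  echo "$work"
}

case "${1:-}" in run) demo ;; esac
```

Run it as `sh ca-demo.sh run`; it prints the scratch directory holding my-ca.crt, the two server certificates and their keys. A key with its pass phrase removed lets Apache start unattended, as the article says, but it is only as safe as the file permissions and the backups that copy it, hence the 0400 after each write.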

Good luck!




Install Oracle 10g (1 Node)

Posted by: adiseno  :  Category: Linux

Got this way of installing Oracle 10g from a master DBA; stealing a bit of his knowledge :-"

[MODE CONSOLE/TERMINAL]

rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE} (%{ARCH})\n' \
binutils compat-db control-center gcc gcc-c++ glibc glibc-devel \
glibc-common gnome-libs libstdc++ libstdc++-devel make pdksh setarch \
sysstat xscreensaver openmotif libaio libaio-devel

[MAKE SURE ALL PACKAGES ARE INSTALLED -- ON 64-BIT SOME APPEAR TWICE;
IF ANY PACKAGE SHOWS ... is not installed --> THAT PACKAGE MUST BE INSTALLED]
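The note above leaves reading the rpm output to the eye. The helper below is an added example, not from the post: it parses that output, lists the packages rpm reported as "is not installed", counts how many installed lines each required package has (so the doubled i386/x86_64 entries on a 64-bit host are handled), and builds the yum command that would complete the set. SAMPLE_RPM_OUTPUT is constructed with placeholder version strings; the function names are mine.

```shell
#!/bin/sh
# Added example: turn the rpm -q output above into a missing-package list,
# allowing for the doubled (i386 + x86_64) lines a 64-bit host prints.
# SAMPLE_RPM_OUTPUT is constructed; version strings are placeholders.

REQUIRED='binutils compat-db control-center gcc gcc-c++ glibc glibc-devel
glibc-common gnome-libs libstdc++ libstdc++-devel make pdksh setarch
sysstat xscreensaver openmotif libaio libaio-devel'

SAMPLE_RPM_OUTPUT='binutils-0.0-1.example (x86_64)
compat-db-0.0-1.example (x86_64)
compat-db-0.0-1.example (i386)
package control-center is not installed
gcc-0.0-1.example (x86_64)
gcc-c++-0.0-1.example (x86_64)
glibc-0.0-1.example (x86_64)
glibc-0.0-1.example (i686)
package libaio-devel is not installed'

# Prints the names rpm reported as "is not installed", one per line.
missing_packages() {
  printf '%s\n' "$1" | sed -n 's/^package \(.*\) is not installed$/\1/p'
}

# Prints "<name> <count>" for each required package: how many installed
# lines (architectures) rpm printed for it; 0 means missing.
installed_counts() {
  for pkg in $REQUIRED; do
    # the name is followed by "-<version>"; the digit keeps gcc from matching gcc-c++
    n=$(printf '%s\n' "$1" | grep -c "^$pkg-[0-9]" || true)
    printf '%s %s\n' "$pkg" "$n"
  done
}

# Prints the yum command that would complete the set, or nothing if complete.
install_command() {
  missing=$(missing_packages "$1" | tr '\n' ' ')
  [ -n "$missing" ] && printf 'yum install %s\n' "${missing% }"
}

# Stand-alone run over the sample output.
installed_counts "$SAMPLE_RPM_OUTPUT"
install_command "$SAMPLE_RPM_OUTPUT"
```

On a real host the input is the command from the post: `install_command "$(rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE} (%{ARCH})\n' $REQUIRED)"`.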

/usr/sbin/groupadd -g 501 oinstall
/usr/sbin/groupadd -g 502 dba
/usr/sbin/useradd -u 501 -m -g oinstall -G dba oracle
id oracle

passwd oracle
[ENTER A PASSWORD]

mkdir -p /u01/app/oracle
chown -R oracle:oinstall /u01/app/oracle
chmod -R 775 /u01/app/oracle

cat >> /etc/sysctl.conf <<EOF
net.core.rmem_default = 262144
net.core.wmem_default = 262144
net.core.rmem_max = 262144
net.core.wmem_max = 262144
kernel.shmall = 2097152
# kernel.shmmax: half of physical memory
kernel.shmmax = 536870912
kernel.shmmni = 4096
kernel.msgmax = 8192
kernel.msgmnb = 65535
kernel.msgmni = 2878
kernel.sem = 250 32000 100 142
fs.file-max = 65536
net.ipv4.ip_local_port_range = 1024 65000
EOF

/sbin/sysctl -p

cat >> /etc/security/limits.conf <<EOF
oracle soft nproc 2047
oracle hard nproc 16384
oracle soft nofile 1024
oracle hard nofile 63536
EOF

cat >> /etc/pam.d/login <<EOF
session required /lib/security/pam_limits.so
EOF

cat >> /etc/profile <<EOF
if [ \$USER = "oracle" ]; then
  if [ \$SHELL = "/bin/ksh" ]; then
    ulimit -p 16384
    ulimit -n 63536
  else
    ulimit -u 16384 -n 63536
  fi
  umask 022
fi
EOF

cat >> /etc/csh.login <<EOF
if ( \$USER == "oracle" ) then
  limit maxproc 16384
  limit descriptors 63536
  umask 022
endif
EOF

======================================================

INSTALL DATABASE SOFTWARE -- AS ORACLE USER
[MODE GRAPHIC]

1. unzip 10201_database_linux32.zip [ as root user ]

2. chown -R oracle.oinstall database

3. Select Advanced Installation

4. Click Next

5. [change the inventory directory path -- column 1]
to --> /u01/app/oracle/oraInventory

6. Click Next

7. Select the Enterprise Edition option.

8. Name: OraDb10g_home1
Path: /u01/app/oracle/product/10.2.0/db_1

9. Click Next

10. The installer checks the requirements; make sure everything is OK

11. Select the option "Install database software only."

12. Click Next

13. Make sure:
- Global Settings > Oracle Home: /u01/app/oracle/product…. (OraDb.._home1)

14. Click INSTALL

15. /u01/app/oracle/product/10.2.0/db_1/root.sh -- AS ROOT on ALL NODES --
just press Enter

16. Click OK

17. Click EXIT

———————————————————————–

INSTALL DATABASE — AS ORACLE USER
[MODE GRAPHIC]

1. cd /u01/app/oracle/product/10.2.0/db_1/bin

2. ./dbca

3. Click Next

4. Choose -> Create a Database

5. Choose -> Custom database

6. Enter the Global Database Name & SID
[e.g. orcl .. but don't use this as Production]
Click Next

7. Leave the DEFAULT.. Click Next

8. Set password for Administration

9. Choose File system
Click Next

10. Choose 'Use Common Location for All Database Files'
Database Files Location: /u01/app/oracle/oradata
Click Next

11. Tick 'Specify Flash Recovery Area'
Flash Recovery Area: /u01/app/oracle/flash_recovery_area
Flash Recovery Area Size = 5120
Click Next

12. Leave the DEFAULT
Click Next

13. Choose Typical, Percentage = 50
click the Sizing tab -> Block Size = 8192 Bytes (OLTP) ; Processes = 300
click the Connection Mode tab -> Shared Server Mode ; Shared Servers = 20 (memory < 2 GB)
Click Next

14. Make sure:
Datafiles = /u01/app/oracle/oradata/{DB_NAME}/ ....
Click Next

15. Tick 'Create Database'
Click Finish

16. Click OK

17. INSTALLATION IN PROGRESS...

18. FINISH INSTALLATION
Click EXIT

----------------------------------------------------------------------

INSTALL LISTENER -- AS ORACLE USER
[MODE GRAPHIC]

1. cd /u01/app/oracle/product/10.2.0/db_1/bin

2. export ORACLE_HOME=/u01/app/oracle/product/10.2.0/db_1

3. export ORACLE_SID=oracle

4. ./netca

5. Select Listener configuration
Click Next

6. Choose Add
Click Next

7. Leave the default
Click Next

8. Select TCP
Click Next

9. Leave the default port = 1521
Click Next

10. Click Next

11. Click Next again

12. Select Naming Methods configuration
Click Next

13. Select Local Naming & click '>'
Click Next

14. Click Next again

15. FINISH

—————————————————————-

==================================================

[MODE CONSOLE/TERMINAL]

—– HOUSE KEEPING — AS ORACLE USER —–

Login as oracle and modify ~/.bash_profile file, add :

## Oracle setting

## Each RAC node must have a unique ORACLE_SID. (i.e. orcl1, orcl2,...)
export SID=orcl
# REPLACE 'orcl' WITH THE SID YOU CREATED

#export ASM=+ASM
# UNCOMMENT THE LINE ABOVE IF USING ORACLEASM

export ORACLE_SID=$SID
export ORACLE_BASE=/u01/app/oracle
export ORACLE_HOME=$ORACLE_BASE/product/10.2.0/db_1

export LD_LIBRARY_PATH=$ORACLE_HOME/lib:$ORACLE_HOME/lib32
export LIBPATH=$LD_LIBRARY_PATH

export ORACLE_ADMIN=$ORACLE_HOME/admin
export PATH=$ORACLE_HOME/bin:$PATH:.

alias rman='$ORACLE_HOME/bin/rman'
alias home='cd $HOME'
alias dbs='cd $ORACLE_HOME/dbs'
alias bdump='cd $ORACLE_HOME/admin/orcl/bdump'
alias udump='cd $ORACLE_HOME/admin/orcl/udump'
alias netw='cd $ORACLE_HOME/network/admin'
alias sid='echo ORACLE_SID=$ORACLE_SID && echo ORACLE_HOME=$ORACLE_HOME'
alias db='export ORACLE_SID=$SID && export ORACLE_HOME=$ORACLE_BASE/product/10.2.0/db_1'

#alias asm='export ORACLE_SID=$ASM && export ORACLE_HOME=$ORACLE_BASE/product/10.2.0/asm'
# UNCOMMENT THE LINE ABOVE IF USING ORACLEASM
#alias crsstat='/u01/app/oracle/product/10.2.0/crs/bin/crsstat.sh'

———————————————————————

—– HOUSE KEEPING — AS ROOT USER —–

Login as root and modify the /etc/oratab file, changing the last character to Y for the appropriate database.
ORCL:/u01/app/oracle/product/10.2.0/db_1:Y

————————-

As root user create a new file "oracle" (init script for starting up and shutting down the database)
in the /etc/init.d/ directory with the following content:

vi /etc/init.d/oracle
[THEN FILL IT WITH THIS]

#!/bin/bash
#
# oracle Init file for starting and stopping
# Oracle Database. Script is valid for 10g and 11g versions.
#
# chkconfig: 35 80 30
# description: Oracle Database startup script

# Source function library.

. /etc/rc.d/init.d/functions

ORACLE_OWNER="oracle"
ORACLE_HOME="/u01/app/oracle/product/10.2.0/db_1"
INSTANCE="orcl"
# REPLACE 'orcl' WITH THE SID YOU CREATED

INSTANCEDOWN=0
FAILED=0
RETVAL=0
prog="oracle DB"

case "$1" in

start)
    echo -n $" Starting $prog: "
    su - $ORACLE_OWNER -c "$ORACLE_HOME/bin/dbstart $ORACLE_HOME"
    RETVAL=$?          # dbstart's exit status is what the script exits with
    if [ $RETVAL -eq 0 ]; then
        echo " [ OK ]"
    else
        echo " [ FAILED ]"
    fi
    ;;

status)
    echo -n $" Check $prog: "
    # Check DB: both pmon and smon of this instance must be running
    for PROCESS in pmon smon
    do
        RC=$(ps -ef | egrep $INSTANCE | egrep -v 'grep' | egrep $PROCESS)
        if [ "${RC}" = "" ] ; then
            INSTANCEDOWN=1
            #echo -e "Instance ${INSTANCE} ${PROCESS} down!"
        fi
    done
    if [ ${INSTANCEDOWN} = "1" ] ; then
        echo -e " Instance $INSTANCE is DOWN!!!"
        FAILED=1
    else
        echo -e " Instance $INSTANCE is running."
    fi
    RETVAL=$FAILED     # non-zero exit when the instance is down
    ;;

stop)
    echo -n $" Stopping Oracle DB: "
    su - $ORACLE_OWNER -c "$ORACLE_HOME/bin/dbshut $ORACLE_HOME"
    RETVAL=$?
    if [ $RETVAL -eq 0 ]; then
        echo " [ OK ]"
    else
        echo " [ FAILED ]"
    fi
    ;;

*)
    echo $"Usage: $0 {start|stop|status}"
    echo -e "\n "
    exit 1

esac

echo -e "\n "
exit $RETVAL

———————————————————————

—– HOUSE KEEPING — AS ORACLE USER —–

1)
Login as oracle and modify the /u01/app/oracle/product/10.2.0/db_1/bin/dbstart file,
changing:

# Set this to bring up Oracle Net Listener
ORACLE_HOME_LISTNER=/ade/vikrkuma_new/oracle

[EDIT TO]
# Set this to bring up Oracle Net Listener
ORACLE_HOME_LISTNER=/u01/app/oracle/product/10.2.0/db_1

2)
[ MAKE SURE the file listener.log in /u01/app/oracle/product/10.2.0/db_1/ is owned by oracle ]

1. cd /u01/app/oracle/product/10.2.0/db_1/

2. chown oracle.oinstall listener.log

3. ls -l listener.log
[ OUTPUT like: -rw-r--r-- 1 oracle oinstall 1936 Feb 20 17:30 listener.log ]

———————————————————————–

—– HOUSE KEEPING — AS ROOT USER —–

1. chmod +x /etc/init.d/oracle

2. cd /etc/init.d/

3. ./oracle

4. /sbin/chkconfig --add oracle

5. /sbin/chkconfig oracle on

6. /sbin/chkconfig --list oracle
[ OUTPUT = oracle 0:off 1:off 2:on 3:on 4:on 5:on 6:off]

7. /sbin/service oracle status
[THERE MUST BE STATUS OUTPUT]

8. /etc/init.d/oracle stop
[ DATABASE MUST BE SHUT DOWN --> check with:
tail -10f /u01/app/oracle/product/10.2.0/db_1/admin/oracle/bdump/alert* ]

9. /etc/init.d/oracle start
[ DATABASE MUST BE STARTED --> check with:
tail -10f /u01/app/oracle/product/10.2.0/db_1/admin/oracle/bdump/alert* ]

10. REBOOT

===========================================================