# Configuring extra services on lsa-mac-dev1
# Install Xcode developer tools
################### WEB SERVICE ######################################
# Create an SSL certificate with the hostname of the server as the CN
In Server Admin, select the hostname of the server
Click the Certificates tab
Click the + button
Common Name: lsa-mac-dev1.lsait.lsa.umich.edu
Org: University of Michigan
OU: LSA IT
City: Ann Arbor
State: Michigan
(leave the others as defaults)
Click Save
Open a web browser to:
https://webservices.itcs.umich.edu/
and choose the Request an SSL certificate option (you'll be filling it out momentarily)
Back in Server Admin:
Select the cert you just created
Under the gearwheel menu, choose Generate CSR
Drag the certificate icon to the webpage's CSR box
Fill out the form, being sure to choose umwebCA as the signer
In Server Admin, start the Web Service
Click the Sites button, and select the default site (*)
- On the Options tab, allow 'CGI Execution'
- On the Logging tab, set both the access and error logs to archive every 7 days
Click Save
cd /etc/apache2
sudo mkdir cosign
cd cosign
sudo vi site_conf
#### BEGINNING OF FILE
CosignHostname weblogin.umich.edu
CosignRedirect https://weblogin.umich.edu/
CosignPostErrorRedirect https://weblogin.umich.edu/post_error.html
CosignService lsa-hpc
CosignCrypto /etc/certificates/lsa-mac-dev1.lsait.lsa.umich.edu.crtkey /etc/certificates/lsa-mac-dev1.lsait.lsa.umich.edu.crtkey /etc/apache2/cosign/CAcerts
CosignHttpOnly on
CosignProtected on
CosignProtected off
CosignProtected off
#### END OF FILE
cd /etc/apache2/sites
# Add this line to your site's config file, anywhere inside the <VirtualHost> block
Include "/etc/apache2/cosign/site_conf"
##### Build and install cosign:
Download the latest version from http://weblogin.org/
setenv CFLAGS "-arch x86_64" # Be sure to use your correct arch here
setenv LDFLAGS "-Wl,-arch -Wl,x86_64" # Be sure to use your correct arch here
./configure --enable-apache2=/usr/sbin/apxs
Modify filters/apache2/Makefile and add the following to the end of the CFLAGS line:
-Wc,-arch -Wc,x86_64
make
sudo cp -R CAcerts /etc/apache2/cosign
cd filters/apache2/
sudo /usr/sbin/apxs -i -a -n 'cosign' mod_cosign.la
sudo mkdir -p /var/cosign/filter
sudo chown www /var/cosign/filter
cd /etc/apache2/cosign/CAcerts
sudo c_rehash .
cd /Library/WebServer/Documents/
sudo mv index.html index.html.orig
sudo touch index.html
sudo ln -s /usr/local/bin/lsa-stats.cgi
sudo ln -s /Volumes/DataDisk/server-room
sudo ln -s /usr/local/bin/power-report.cgi
Open Firewall port 80 to the world
############################# OTHER STUFF
Unarchived backup of /usr/local that was saved to spare partition
############################# Server room monitoring stuff
sudo ln -s /Volumes/DataDisk/server-room/powernet_mib_388/powernet388.mib /usr/share/snmp/mibs
sudo ln -s /Volumes/DataDisk/server-room/snmptrapd.conf /etc/snmp
sudo ln -s /Volumes/DataDisk/server-room/snmptrapd.plist /Library/LaunchDaemons/
sudo launchctl load /Library/LaunchDaemons/snmptrapd.plist
#### this is the snmptrapd.conf:
logoption s 1
printeventnumbers yes
traphandle default /usr/local/bin/snmptrap-handler
# Newer versions of snmptrapd apply access control to incoming traps by default.
# This turns that check off, so every trap that reaches the port is passed to the traphandle:
disableAuthorization yes
#### End of snmptrapd.conf
Configure 2nd ethernet interface as follows:
IP: 192.168.1.222
SubnetMask: 255.255.252.0
In firewall setup:
Create a new address group called "APC Network" that contains ONLY:
192.168.0.0/22
Add a new service and permit it to the "APC Network"
SNMP Traps 162 [udp]
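
With disableAuthorization yes, snmptrapd passes every trap it receives to the traphandle program, so the handler can repeat the "APC Network" source restriction itself. The script below is an added example, not the contents of the real /usr/local/bin/snmptrap-handler (which these notes do not show). Its function names and sample input are constructed, and the stdin layout (hostname line, transport-address line, then varbinds) is assumed from the snmptrapd.conf documentation.

```shell
#!/bin/sh
# Added example (not the real /usr/local/bin/snmptrap-handler).
APC_NET=192.168.0.0   # "APC Network" group from these notes
APC_BITS=22

# Dotted-quad IPv4 -> integer; fails on anything malformed.
ip_to_int() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# True when $1 lies inside APC_NET/APC_BITS.
in_apc_network() {
    addr=$(ip_to_int "$1") || return 1
    net=$(ip_to_int "$APC_NET") || return 1
    mask=$(( (4294967295 << (32 - $APC_BITS)) & 4294967295 ))
    [ $(( $addr & $mask )) -eq $(( $net & $mask )) ]
}

# Line 2 of the handler's stdin is the transport address; print the first
# IPv4 address on it (the sender). Prints nothing if there is none.
trap_source() {
    sed -n '2{s/^[^0-9]*\([0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\).*/\1/p;q;}'
}

# Read one trap from stdin; accept it only if the sender is on the APC network.
handle_trap() {
    input=$(cat)
    src=$(printf '%s\n' "$input" | trap_source)
    if in_apc_network "$src"; then
        echo "accept $src"
    else
        echo "drop ${src:-unparsed}"
        return 1
    fi
}

# Constructed sample of the text snmptrapd writes to a traphandle program.
sample='ups1.example
UDP: [192.168.1.10]:1024->[192.168.1.222]:162
DISMAN-EVENT-MIB::sysUpTimeInstance 0:1:02:03.00'
printf '%s\n' "$sample" | handle_trap
```

UDP source addresses can be forged, so this check complements the firewall rule rather than replacing it.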