APACHE INSTALLATION FOR PCI COMPLIANCE
Posted by Wayne Smith, Last modified by Wayne Smith on 11 June 2015 10:18 AM

Our PA-DSS certification requires that your Apache server use suEXEC. This places the following additional restrictions on the installation of the Miva Merchant Virtual Machine:

1. Each virtual host must have its own private cgi-bin directory.

2. Each virtual host must have a unique user and group, and suEXEC must be configured to use the correct user/group with a SuexecUserGroup directive for each <VirtualHost> tag.

3. If using the environment variable based configuration, the configuration must be modified to pass through suEXEC by prepending "HTTP_" to all names. For example, MvCONFIG_DIR_MIVA becomes HTTP_MvCONFIG_DIR_MIVA.

In addition, for a PA-DSS certified installation of Miva Merchant, the Miva Merchant Virtual Machine configuration must also include:

1. Correct "openssl" and "openssl_crypto" directives containing the paths to OpenSSL libraries.
2. A "cadir" directive containing the path to the current version of the Miva Merchant Virtual Machine certificates (included in the distribution).
3. The MySQL database library must be installed and properly referenced in the Miva Merchant Virtual Machine configuration file.
4. While not required for Miva Merchant, we recommend that the engine "htscallerid" cookie be disabled.

STEP BY STEP INSTALLATION ON APACHE WITH suEXEC AND ENVIRONMENT CONFIGURATION:
------------------------------------------------------------------------------
1. Place the file "cgi-bin/mivavm" in the virtual host's private cgi-bin directory.

2. Change the ownership and permissions of the "mivavm" binary with the following commands:

# chown <vhost-user>.<vhost-group> mivavm
# chmod 0755 mivavm

3. Copy "lib/config/env.so" to the virtual host's private cgi-bin directory as "libmivaconfig.so", with the ownership and permissions the same as the "mivavm" binary in step 2.

4. Create a "mivadata" directory parallel to the virtual host's HTML document root. This directory *MUST NOT* be contained in a web accessible location.

5. Change the ownership and permissions of the "mivadata" directory with the following commands:

# chown <vhost-user>.<vhost-group> mivadata
# chmod 0750 mivadata

6. Add the following lines to your "httpd.conf" (or "srm.conf", if using an older version of Apache) within the appropriate <VirtualHost> tag for the site being configured.

SetEnv HTTP_MvCONFIG_DIR_MIVA /path/to/vhost/document_root
SetEnv HTTP_MvCONFIG_DIR_DATA /path/to/vhost/mivadata
SetEnv HTTP_MvCONFIG_DIR_BUILTIN /usr/local/miva/lib/builtins
SetEnv HTTP_MvCONFIG_DIR_CA /path/to/mivavm/distribution/certs/openssl-1.0
SetEnv HTTP_MvCONFIG_DATABASE_MIVASQL /path/to/mivavm/distribution/lib/databases/mivasql.so
SetEnv HTTP_MvCONFIG_DATABASE_MYSQL /path/to/mivavm/distribution/lib/databases/mysql.so
SetEnv HTTP_MvCONFIG_SSL_OPENSSL /lib/libssl.so.6
SetEnv HTTP_MvCONFIG_SSL_CRYPTO /lib/libcrypto.so.6
SetEnv HTTP_MvCONFIG_COOKIES 0

AddType application/x-miva-compiled .mvc
Action application/x-miva-compiled /cgi-bin/mivavm

NOTE: If your UNIX distribution uses OpenSSL v0.9.x, you must change the value of HTTP_MvCONFIG_DIR_CA to end in "openssl-0.9".

7. Restart your Apache server.
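
The file layout produced by steps 1 through 5 can be verified with a short script. This is an added example, not part of the Miva distribution; the function name audit_vhost and its argument order are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit one virtual host after steps 1-5.
# Usage: audit_vhost <docroot> <cgi-bin> <mivadata> <user:group>
# Prints one FAIL line per problem and returns the number of problems.

mode_of()  { ls -ld "$1" | cut -c1-10; }               # e.g. drwxr-x---
owner_of() { ls -ld "$1" | awk '{print $3 ":" $4}'; }  # e.g. shop1:shop1

audit_vhost() {
    docroot=$1 cgibin=$2 data=$3 want=$4 fails=0
    fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

    # Steps 1-3: binary and config library, 0755, owned by the vhost user.
    for f in "$cgibin/mivavm" "$cgibin/libmivaconfig.so"; do
        if [ ! -f "$f" ]; then fail "$f is missing"; continue; fi
        [ "$(mode_of "$f")" = "-rwxr-xr-x" ] || fail "$f mode is not 0755"
        [ "$(owner_of "$f")" = "$want" ] || fail "$f is not owned by $want"
    done

    # Steps 4-5: data directory, 0750, owned by the vhost user.
    if [ ! -d "$data" ]; then
        fail "$data is missing"
    else
        [ "$(mode_of "$data")" = "drwxr-x---" ] || fail "$data mode is not 0750"
        [ "$(owner_of "$data")" = "$want" ] || fail "$data is not owned by $want"
        # Step 4: resolve symlinks, then require that mivadata is neither
        # the document root nor anything beneath it.
        real_root=$(cd "$docroot" && pwd -P) || fail "cannot enter $docroot"
        real_data=$(cd "$data" && pwd -P) || fail "cannot enter $data"
        case "$real_data/" in
            "$real_root"/*) fail "$data is inside the document root" ;;
        esac
    fi
    return "$fails"
}
```

Run it as root or as the virtual host's user, since the 0750 mode on "mivadata" keeps other accounts from entering the directory.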

STEP BY STEP INSTALLATION ON APACHE WITH suEXEC AND 3.x CONFIGURATION:
----------------------------------------------------------------------
1. Place the file "cgi-bin/mivavm" in the virtual host's private cgi-bin directory.

2. Change the ownership and permissions of the "mivavm" binary with the following commands:

# chown <vhost-user>.<vhost-group> mivavm
# chmod 0755 mivavm

3. Copy "lib/config/3x.so" to "libmivaconfig.so" in the virtual host's private cgi-bin directory.

4. Create a "mivadata" directory parallel to the virtual host's HTML document root. This directory *MUST NOT* be contained in a web accessible location.

5. Change the ownership and permissions of the "mivadata" directory with the following commands:

# chown <vhost-user>.<vhost-group> mivadata
# chmod 0750 mivadata

6. Create a 3.x configuration file with the name "mivavm.conf" in the virtual host's private cgi-bin directory. An example configuration file follows:

mivaroot=/path/to/vhost/document_root
stdmodedatadir=/path/to/vhost/mivadata
redirectonly=1
openssl=/lib/libssl.so.6
openssl_crypto=/lib/libcrypto.so.6
cadir=/path/to/mivavm/distribution/cadir/openssl-1.0
usecookies=0
builtindir=/path/to/mivavm/distribution/lib/builtins

<DATABASE-LIB METHOD="MivaSQL" LIBRARY="/path/to/mivavm/distribution/lib/databases/mivasql.so">
<DATABASE-LIB METHOD="MySQL" LIBRARY="/path/to/mivavm/distribution/lib/databases/mysql.so">

NOTE: If your UNIX distribution uses OpenSSL v0.9.x, you must change the value of cadir to end in "openssl-0.9".

7. Add the following lines to your "httpd.conf" (or "srm.conf", if using an older version of Apache).

AddType application/x-miva-compiled .mvc
Action application/x-miva-compiled /cgi-bin/mivavm
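
The four PA-DSS configuration items listed at the top of this article can be checked against a 3.x "mivavm.conf" with the script below. It is an added example, not part of the Miva distribution; the function names, the tolerance for whitespace around "=", and the reading of usecookies=0 as the setting that disables the "htscallerid" cookie (as the example configuration suggests) are assumptions.

```shell
#!/bin/sh
# Added example: check a 3.x mivavm.conf for the PA-DSS items.
# Usage: audit_mivavm_conf <path/to/mivavm.conf>
# Prints FAIL/WARN lines and returns the number of FAILs.

# Value of a key=value directive (last occurrence wins; an assumption).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

audit_mivavm_conf() {
    conf=$1 fails=0
    fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

    # Items 1-2: OpenSSL libraries and the certificate directory.
    for key in openssl openssl_crypto cadir; do
        val=$(conf_get "$conf" "$key")
        if [ -z "$val" ]; then
            fail "$key directive is missing"
        elif [ ! -e "$val" ]; then
            fail "$key points to $val, which does not exist"
        fi
    done

    # Item 3: a DATABASE-LIB tag for MySQL whose LIBRARY file exists.
    lib=$(sed -n 's/^<DATABASE-LIB METHOD="MySQL" LIBRARY="\([^"]*\)">.*/\1/p' \
          "$conf" | tail -n 1)
    if [ -z "$lib" ]; then
        fail "no DATABASE-LIB tag for MySQL"
    elif [ ! -f "$lib" ]; then
        fail "MySQL library $lib does not exist"
    fi

    # Item 4 is a recommendation, so it is reported but not counted.
    [ "$(conf_get "$conf" usecookies)" = "0" ] || echo "WARN: usecookies is not 0"
    return "$fails"
}
```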
