APACHE INSTALLATION FOR PCI COMPLIANCE
Posted by Wayne Smith, Last modified by Wayne Smith on 11 June 2015 10:18 AM
Our PA-DSS certification requires that your Apache server use suEXEC. This places the following additional restrictions on the installation of the Miva Merchant Virtual machine:

1. Each virtual host must have its own private cgi-bin directory
2. Each virtual host must have a unique user and group, and suEXEC must be configured to use the correct user/group with a SuexecUserGroup directive for each <VirtualHost> tag.
3. If using the environment variable based configuration, the configuration must be modified to pass through suEXEC by prepending "HTTP_" to all names. For example, MvCONFIG_DIR_MIVA becomes HTTP_MvCONFIG_DIR_MIVA.

In addition, for a PA-DSS certified installation of Miva Merchant, the Miva Merchant Virtual Machine configuration must also include:

1. Correct "openssl" and "openssl_crypto" directives containing the paths to OpenSSL libraries.

STEP BY STEP INSTALLATION ON APACHE WITH suEXEC AND ENVIRONMENT CONFIGURATION:

2. Change the ownership and permissions of the "mivavm" binary with the following commands:

    # chown <vhost-user>.<vhost-group> mivavm

3. Copy "lib/config/env.so" to the virtual host's private cgi-bin directory as "libmivaconfig.so", with the ownership and permissions the same as the "mivavm" binary in step 2.

4. Create a "mivadata" directory parallel to the virtual host's HTML document root. This directory *MUST NOT* be contained in a web accessible location.

5. Change the ownership and permissions of the "mivadata" directory with the following commands:

    # chown <vhost-user>.<vhost-group> mivadata

6. Add the following lines to your "httpd.conf" (or "srm.conf", if using an older version of Apache) within the appropriate <VirtualHost> tag for the site being configured.

    SetEnv HTTP_MvCONFIG_DIR_MIVA /path/to/vhost/document_root
    AddType application/x-miva-compiled .mvc

   NOTE: If your UNIX distribution uses OpenSSL v0.9.x, you must change the value of HTTP_MvCONFIG_DIR_CA to end in "openssl-0.9".

7. Restart your Apache server.

STEP BY STEP INSTALLATION ON APACHE WITH suEXEC AND 3.x CONFIGURATION:

2. Change the ownership and permissions of the "mivavm" binary with the following commands:

    # chown <vhost-user>.<vhost-group> mivavm

3. Copy "lib/config/3x.so" to "libmivaconfig.so" in the virtual host's private cgi-bin directory.

4. Create a "mivadata" directory parallel to the virtual host's HTML document root. This directory *MUST NOT* be contained in a web accessible location.

5. Change the ownership and permissions of the "mivadata" directory with the following commands:

    # chown <vhost-user>.<vhost-group> mivadata

6. Create a 3.x configuration file with the name "mivavm.conf" in the virtual host's private cgi-bin directory. An example configuration file follows:

    <DATABASE-LIB METHOD="MivaSQL" LIBRARY="/path/to/mivavm/distribution/lib/databases/mivasql.so">

   NOTE: If your UNIX distribution uses OpenSSL v0.9.x, you must change the value of cadir to end in "openssl-0.9".

7. Add the following lines to your "httpd.conf" (or "srm.conf", if using an older version of Apache).

    AddType application/x-miva-compiled .mvc
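
One way to check the three suEXEC restrictions listed at the top of this article against an existing Apache configuration, as an added example that is not part of the original article or Miva's own tooling. It assumes each virtual host maps its cgi-bin with a ScriptAlias directive and that the configuration is in a single file (Include files are not followed); the host names and paths in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample config (not from the article); host names and paths are made up.
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName shop-a.example
    SuexecUserGroup shopa shopa
    ScriptAlias /cgi-bin/ /home/shopa/cgi-bin/
    SetEnv HTTP_MvCONFIG_DIR_MIVA /home/shopa/html
</VirtualHost>
<VirtualHost *:443>
    ServerName shop-b.example
    SuexecUserGroup shopa shopa
    ScriptAlias /cgi-bin/ /home/shopa/cgi-bin/
    SetEnv MvCONFIG_DIR_MIVA /home/shopb/html
</VirtualHost>
<VirtualHost *:443>
    ServerName shop-c.example
    ScriptAlias /cgi-bin/ /home/shopc/cgi-bin/
</VirtualHost>
"""
VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    """Argument lists of every `name` directive; commented-out lines never match."""
    pat = re.compile(rf"^[ \t]*{name}[ \t]+(.+?)[ \t]*$", re.M | re.I)
    return [m.group(1).split() for m in pat.finditer(body)]

def audit_vhosts(conf_text):
    """Return one finding per violated suEXEC restriction from the article."""
    findings, owners, cgi_dirs = [], defaultdict(list), defaultdict(list)
    for body in VHOST_RE.findall(conf_text):
        name = (directive(body, "ServerName") or [["<unnamed>"]])[0][0]
        ids = directive(body, "SuexecUserGroup")
        if ids:
            owners["/".join(ids[0][:2])].append(name)
        else:
            findings.append(f"{name}: no SuexecUserGroup directive")
        for args in directive(body, "ScriptAlias"):  # assumption: cgi-bin set via ScriptAlias
            cgi_dirs[args[-1].rstrip("/")].append(name)
        for args in directive(body, "SetEnv"):
            if args[0].startswith("MvCONFIG_"):  # name is not passed through suEXEC
                findings.append(f"{name}: SetEnv {args[0]} lacks the HTTP_ prefix")
    for label, table in (("user/group", owners), ("cgi-bin", cgi_dirs)):
        for key, hosts in table.items():
            if len(hosts) > 1:  # restriction 1 or 2: must be unique per vhost
                findings.append(f"{label} {key} shared by {', '.join(hosts)}")
    return findings
```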