OpenIMS installation kit (build )
For Windows an installation kit is available from OpenSesame ICT.
The Linux requirements (needed packages) can be found here.
In general it should be possible to install OpenIMS in any Apache / PHP compatible environment (e.g. Sun Solaris, FreeBSD and Mac OS X). Please see Linux packages for a full list of required software. OpenIMS needs a dedicated server. For multipurpose servers (which are not recommended) multiple instances of Apache might be required.
Please note that not all environments can use all versions of all involved products. E.g. when an OpenIMS environment is migrated from one server to another server it might require exactly the same versions as on the original server.
An internet connection is required during and after the installation of OpenIMS.
Preparations for Windows:
- My Computer > Right click on each partition and choose "Properties": Make sure indexing for fast file search is disabled.
- Check if any antivirus software is installed on the server, and if so, make sure that "on access" scanning is disabled. Or, at the very least, disable on access scanning for C:\Windows\Temp; the backups, dfc, tmp and logs-subdirectories of the OpenIMS root directory; the \Tmp-directory that you create outside the OpenIMS root; the mysql\data-directory; and the sphinx\data-directory.
How to configure Apache
Add the following to the proper httpd.conf (e.g. /etc/httpd/conf/httpd.conf) sections and/or files:
LoadModule status_module modules/mod_status.so
- Set DocumentRoot to the OpenIMS root directory.
- Add "AllowOverride all" to the proper <Directory ...> entry (OpenIMS root, seems to be the default setting with Ensim).
- Make sure to restart Apache to load the latest httpd.conf
- For Linux: make sure that Apache is automatically started
- Test Apache using e.g. http://localhost/server-status
How to configure MySQL:
The following configuration can be added/altered in /etc/my.cnf:
key_buffer = 16M
max_allowed_packet = 15000000
table_cache = 64
sort_buffer_size = 512K
net_buffer_length = 8K
myisam_sort_buffer_size = 8M
· Download openims.zip (part of the installation kit)
· Copy openims.zip to the "openims root directory"
· Unzip openims.zip (e.g. "unzip openims.zip" or "\cygwin\bin\unzip openims.zip") in the "openims root directory"
· Create "tmp" and "tmp/locks" subdirectories in the openims root directory
· Make sure the latest OpenIMS agent is installed on your client
· (Mac OS X, Linux:) don't forget to set the correct owner of the openims root directory (usually the apache process owner)
More information on (re)configuring OpenIMS (machine and site configurations) can be found on the Internet: http://doc.openims.com/
· Create a .htaccess in the OpenIMS root directory containing:
deny from all
ErrorDocument 404 /index.php
ErrorDocument 403 /index.php
· Highly recommended: Ensure that the Apache module mod_expires is available and enabled, and add the following to .htaccess:
ExpiresByType image/gif A2592000
ExpiresByType image/jpg A2592000
ExpiresByType image/jpeg A2592000
ExpiresByType image/png A2592000
· Please note a valid machine name, digital certificate, rsa public key and rsa keypair have to be obtained first (e.g. from OpenSesame ICT)
· Edit myconfig.php (OpenIMS root directory) to enter the basic machine configuration (allowing OpenIMS to start).
Use at least the following lines (configuration is for windows, for linux, change the windows/linux settings and set localsendmail to yes):
$myconfig["defaultlanguage"] = "nl"; // user interface language
$myconfig["windows"] = "yes";
$myconfig["linux"] = "no";
$myconfig["hasgzlib"] = "no"; // use gzip which is built into PHP
$myconfig["hasgzcompress"] = "no"; // gzcompress and gzuncompress functions
$myconfig["gzipcommand"] = "c:\\cygwin\\bin\\gzip"; // path to gzip executable
$myconfig["gunzipcommand"] = "c:\\cygwin\\bin\\gunzip"; // path to gunzip executable
$myconfig["tarcommand"] = "c:\\cygwin\\bin\\tar"; // path to tar executable
$myconfig["localsendmail"] = "no"; // use local sendmail or relay to other server
$myconfig["usetosendmail"] = "rack132"; // relay server if localsendmail is "no"
$myconfig["antiword"] = "c:\\antiword\\antiword.exe"; // path to antiword executable
$myconfig["pdftotext"] = "c:\\xpdf\\pdftotext.exe"; // path to pdftotext executable
$myconfig["ppthtml"] = "c:\\xlhtml\\ppthtml.exe"; // path to ppthtml executable
$myconfig["xlhtml"] = "c:\\xlhtml\\xlhtml.exe"; // path to xlhtml executable
$myconfig["diff"] = "c:\\cygwin\\bin\\diff.exe"; // path to diff executable
$myconfig["unzip"] = "c:\\cygwin\\bin\\unzip.exe"; // path to unzip executable
$myconfig["chmod"] = 0777; // for all OpenIMS related files (suexec can be used to make it 0755, a dedicated server is recommended)
$myconfig["tmp"] = "e:\\tmp\\openims\\"; // path for temporary files
$myconfig["allowarraysinrequest"] = "no";
Mac OS X and Fink: In myconfig.php use /sw/bin/antiword, /sw/bin/pdftotext and /sw/bin/ppthtml
If, after copying gzip.exe to gunzip.exe (step 1), the selftest still reports that gunzip doesn't work, add the -d flag:
$myconfig["gunzipcommand"] = "c:\\cygwin\\bin\\gunzip -d";
· Log in as ultravisor (see above) and use http://<<<propername>>>/openims/openims.php?mode=admin&submode=maint to enter the full machine and site configuration
· Use http://<<<propername>>>/openims/openims.php?mode=internal to create sitecollections (customers), sites and to connect those sites to domains.
Please take notice: names of sitecollections must end with "_sites", names of sites must end with "_com" or "_nl".
· If you are going to use MYSQL as xmlengine, use the Admin section > Maintenance > Backup to dump the current system. After backing up add the following to myconfig.php:
$myconfig["xmlmysql"]["host"] = "localhost";
$myconfig["xmlmysql"]["user"] = "root";
$myconfig["xmlmysql"]["password"] = "...";
$myconfig["xmlmysql"]["database"] = "openimsxml";
$myconfig["xmlengine"] = "MYSQL";
//$myconfig["ftengine"] = "MYSQL";
//$myconfig["sdexengine"] = "MYSQL";
//$myconfig["dfcengine"] = "MYSQL";
After successfully changing the myconfig.php file use the Admin section > Maintenance > Backup to restore the backup you just made. After restoring the backup you can remove the // in front of the ftengine, sdexengine and dfcengine lines.
Don’t forget to use the Admin section > Maintenance > (Re)generate XML indexes to regenerate the indexes.
· REMOVE FROM MYCONFIG THE LINES CONTAINING $myconfig["backdoorrandom"]="…" AND $myconfig["backdoormd5"]="…"
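A check for the step above and for the myconfig.php settings shown earlier, as an added example that is not part of the OpenIMS kit: it reports leftover backdoor lines, a world-writable chmod value, a root MySQL account and a world-readable config file. The function names and the sample file are constructed for illustration; it runs on Linux, Mac OS X or under Cygwin.

```shell
#!/bin/sh
# Added example: audit an OpenIMS myconfig.php after installation.
# Only settings shown in this guide are checked; the sample file is constructed.

# Prints one finding per line; returns 1 if anything was found, 2 on read error.
audit_myconfig() {
    cfg=$1
    [ -r "$cfg" ] || { echo "ERROR: cannot read $cfg"; return 2; }
    findings=0
    report() { echo "$1"; findings=$((findings + 1)); }

    # Settings disabled with a leading // are ignored for the value checks.
    active=$(grep -v '^[[:space:]]*//' "$cfg" || true)

    # The guide says to REMOVE the temporary backdoor lines, so even a
    # commented-out copy (which still holds the hash) is reported.
    if grep -Eq '\$myconfig\["backdoor(random|md5)"]' "$cfg"; then
        report "BACKDOOR: backdoorrandom/backdoormd5 line still in file"
    fi

    # $myconfig["chmod"]: flag any mode whose last digit grants world write.
    mode=$(printf '%s\n' "$active" |
        sed -n 's/.*\$myconfig\["chmod"][[:space:]]*=[[:space:]]*\([0-7]*\).*/\1/p' |
        tail -n 1)
    case "$mode" in
        *[2367]) report "CHMOD: files created world-writable (mode $mode)" ;;
    esac

    # $myconfig["xmlmysql"]["user"]: flag the MySQL superuser.
    dbuser=$(printf '%s\n' "$active" |
        sed -n 's/.*\$myconfig\["xmlmysql"]\["user"][[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' |
        tail -n 1)
    if [ "$dbuser" = "root" ]; then
        report "DBUSER: xmlmysql connects as root; use a dedicated account"
    fi

    # The file holds the database password: flag world-readable permissions.
    other=$(ls -ld "$cfg" | cut -c8-10)
    case "$other" in
        r*) report "PERMS: $cfg is world-readable" ;;
    esac

    [ "$findings" -eq 0 ]
}

# Constructed sample: a myconfig.php fragment as it might look right after setup.
write_sample() {
    cat > "$1" <<'EOF'
<?
$myconfig["chmod"] = 0777; // for all OpenIMS related files
$myconfig["xmlmysql"]["user"] = "root";
$myconfig["xmlmysql"]["password"] = "...";
//$myconfig["ftengine"] = "MYSQL";
$myconfig["backdoorrandom"]="...";
$myconfig["backdoormd5"]="...";
?>
EOF
}

sample=$(mktemp)
write_sample "$sample"
chmod 644 "$sample"
audit_myconfig "$sample" || echo "=> review the findings above"
rm -f "$sample"
```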
Configure batch processing
· Make sure the clock and the timezone are correct, preferably use an automatically synchronized clock
· Copy the contents of /kit/win/batchkit (openims root directory) to c:\batchkit
· > C:
· > cd \batchkit
· If a different directory or a non English version of windows is used change install.bat using e.g. notepad
· Execute install.bat
· Execute on.bat to enable OpenIMS batch processing (off.bat can be used to disable OpenIMS batch processing)
· Check if batch processing is running in the task scheduler (result 0x1) (the tasks should be run under the 'system' account)
· If the tasks don't run and result in error 0x80, check Microsoft Knowledge Base Article - 812400
· Set timezone (to Europe/Amsterdam) and ntp-server.
· Else: Edit crontab to enable nightly clock synchronisations (user root using crontab -e):
0 0 * * * rdate -s time.nist.gov > /dev/null 2> /dev/null
1 0 * * * /sbin/hwclock --systohc > /dev/null 2> /dev/null
· (All platforms:) Edit crontab (e.g. user root, crontab -e):
* * * * * wget --timeout=1 --tries=1 http://<<<IP ADDRESS>>>/nkit/callmeoften.php > /dev/null 2> /dev/null
* * * * * rm -f /root/callmeoften* > /dev/null 2> /dev/null
With --spider, the callmeoften.php file is no longer created:
* * * * * /usr/local/bin/wget --spider --timeout=1 --tries=1 http://<<<IP ADDRESS>>>/nkit/callmeoften.php > /dev/null 2>&1
· Check in /etc/crontab if night processing (e.g. Apache log rotation) is at 4:00 am (OpenIMS batch is at 2:00 am)
Check the OpenIMS configuration
· Use http://<<<propername>>>/openims/openims.php?mode=admin&submode=maint&action=checkup to check the OpenIMS configuration
· Check the appropriate OpenIMS functionality (CMS, DMS, EMS etc.)
· Check the ability to send mail using N_Sendmail (use internal & external mail addresses), check for relaying errors.
example: N_Sendmail("firstname.lastname@example.org","email@example.com","test 1","test 1")
Implement AutoCAD, Microsoft Word and Microsoft Excel integration (DMS Only)
Please follow these instructions: http://doc.openims.com/beheer/ondertekende_macro
Disable atime (Linux only)
Optionally, the "atime" feature of the file system can be disabled. This can improve file performance. (Add the noatime option to the options in the correct fstab entry.)
All functionality, configuration, and especially backup and restore facilities
· Read the installation manual carefully for steps you may have missed.
· Go to http://<<<hostname>>>/nkit/phpinfo.php to make sure that apache and php are working properly, and that the php settings are correct.
· Check the apache logs (i.e. /var/log/httpd/error.log) for errors.
· If images and short URLs (a short URL would be http://<<<hostname>>>/adm instead of the full URL http://<<<hostname>>>/openims/openims.php?mode=admin) are not working, this usually means that .htaccess is not present, has a syntax error, or is not being read by Apache (check your AllowOverride settings in httpd.conf).
· To view OpenIMS errors (including many errors related to the configuration of php), go to http://<<<hostname>>>/showerrors, enable the "Show Errors" option, and then reload (Ctrl+F5) the page you were trying to view.
· If (with /showerrors) you get the php error "headers already sent", check that you do not have any whitespace before <? or after ?> in myconfig.php or in your site configuration.
· Go to the OpenIMS directory and run "php -f myconfig.php" on the command line (on Windows, you may need to specify the full path to php.exe), to verify that there are no syntax errors in myconfig.php.
· If at http://<<<hostname>>> you get a blank page, and at http://<<<hostname>>>/adm you get a login popup but are unable to login with any accounts you created (and if this is not normal at this point in the installation):
· Enable the temporary backdoor in myconfig.php so that you can log in using the account "ultravisor".
· Go to http://<<<hostname>>>/openims/openims.php?mode=internal.
· If you see no sitecollections with mode=internal, you have an empty database and/or your database connection is broken.
· If you do see sitecollections with mode=internal, make sure that the domain you are using (in your URL) to log in to OpenIMS corresponds exactly to one of the domains listed with mode=internal.
Appendix A: Using OpenSSL (Windows)
Apache and SSL can be used with Windows. A good manual can be found here: http://tud.at/programm/apache-ssl-win32-howto.php3. See also below.
Some files must be downloaded: a modified Apache executable and OpenSSL.
- Modified Apache executable: Take care of your Apache version! Look for files named like "Apache_1.3.31-Mod_SSL_2.8.18-Openssl_0.9.7d-Win32.zip" in http://tor.ath.cx/~hunter/apache/
- OpenSSL: Look in http://tor.ath.cx/~hunter/apache/ for files like "Openssl-0.9.7d-Win32.zip".
(Steps to be taken: stop Apache, copy the original Apache directory to a backup directory. Copy the .exe and .so files from the modified Apache executable archive to the Apache directory, but don’t overwrite the conf files! Don't forget to copy the two DLLs to win32. Modify the conf files, install OpenSSL (in C:\openssl), create keys, copy keys. Restart Apache.)
The Apache + SSL on Win32 HOWTO
Version 1.6.6 (changelog: view source)
A newer and hopefully more often updated version of this HOWTO which also covers Apache 2 is available from http://raibledesigns.com/tomcat/ssl-howto.html.
This page describes the installation of the Win32 version of Apache with the mod_ssl extension. The newest version should always be available from http://tud.at/programm/apache-ssl-win32-howto.php3.
This process worked for many people on Windows NT, 98, ME, 2000 and XP; please mail me your suggestions and bug reports.
You can even install Apache with SSL in addition to the Microsoft Internet Information Server if you need to.
Note: sometimes, there are changes between the precompiled apache distributions so that this HOWTO is not correct anymore. In this case, if the current version does not work for you, download an older version - one that was published before the modification date of this HOWTO.
Or, if you like adventures, try to make it run, and mail me if you needed to change anything.
Please note that Apache 1.3.x on Win32 is considered beta quality as it doesn't reach the stability and performance of Apache on Un*x platforms. The 2.x versions are perhaps better but this HOWTO doesn't cover 2.x yet.
1.: Installing Apache
Get the Win32 version of the Apache web server from one of the mirrors. It is called something like apache_x_y_z_win32.exe. This is a self-extracting archive that contains the Apache base system and sample configuration files.
Don't mix Apache versions 1.3 and 2! It won't work. If you find 1.3.x on modssl.org, you cannot expect it to work with 2.0.x.
Install Apache as described in http://www.apache.org/docs/windows.html.
Note: You can skip this step and get a full Apache+SSL distribution from modssl.org, as described below. There will be no fancy installation program but you won't need to overwrite the stock Apache files. This is the better way if you are experienced and don't fear editing configuration files (which you will need to do anyway).
Change at least the following parameters in Apache-dir/conf/httpd.conf:
[Replace all occurrences of www.my-server.dom with the real domain name!]
- Port 80 (Comment it out; Port is not necessary, Listen overrides it later.)
- in addition to IIS) Listen 80
- Listen 443 (So your server listens on the standard SSL port)
- (if in addition to IIS) DocumentRoot and the corresponding <Directory some-dir> to your Inetpub\wwwroot
Install the Apache service (NT/2000 only) and start the server. Verify that everything works before proceeding to the SSL installation because this limits the possible errors.
Try http://www.my-server.dom:443/. It won't be encrypted yet but if this works then the port configuration (port 443) is right.
2.: Getting OpenSSL and mod_ssl
Go to http://www.modssl.org/contrib/ or http://hunter.campbus.com/ and find a file called like Apache_X-mod_ssl_Y-openssl_Z-WIN32[-i386].zip. Download and unzip it to a new directory.
If you need the newest version, you will have to compile it yourself if it is not there. Don't ask me about it; I don't have it, I don't compile the versions on modssl.org, and I don't have access to development tools on Win32.
Copy the files ssleay32.dll and libeay32.dll from the Apache/modssl distribution directory to WINNT\System32. This is important! About 70 % of the e-mails I receive is because people forget to do this. If you don't find those files or openssl.exe in the apache zip, get a file called like openssl-version-win32.zip from one of the download sites.
You'll need a config file for OpenSSL.exe. Here is one (right-click on it and "Save as..."). (There is an openssl.cnf in the distribution with different wording of some questions, but it should do it, too.) Copy it to the directory openssl.exe is in.
(This is a normal text file. It is really called so; however, some Windows versions insist on hiding the extension from you. You can edit it with Windows notepad or a good editor, but it shouldn't be necessary.)
3.: Creating a test certificate
The following instructions are from http://www.apache-ssl.org/#FAQ.
openssl req -config openssl.cnf -new -out my-server.csr
This creates a certificate signing request and a private key. When asked for "Common Name (eg, your websites domain name)", give the exact domain name of your web server (e.g. www.my-server.dom). The certificate belongs to this server name and browsers complain if the name doesn't match.
openssl rsa -in privkey.pem -out my-server.key
This removes the passphrase from the private key. You MUST understand what this means; my-server.key should be only readable by the apache server and the administrator.
You should delete the .rnd file because it contains the entropy information for creating the key and could be used for cryptographic attacks against your private key.
openssl x509 -in my-server.csr -out my-server.cert -req -signkey my-server.key -days 365
This creates a self-signed certificate that you can use until you get a "real" one from a certificate authority. (Which is optional; if you know your users, you can tell them to install the certificate into their browsers.) Note that this certificate expires after one year, you can increase -days 365 if you don't want this.
If you have users with MS Internet Explorer 4.x and want them to be able to install the certificate into their certificate storage (by downloading and opening it), you need to create a DER-encoded version of the certificate:
openssl x509 -in my-server.cert -out my-server.der.crt -outform DER
Create an Apache/conf/ssl directory and move my-server.key and my-server.cert into it.
4.: Configuring Apache and mod_ssl
Copy the executable files (*.exe, *.dll, *.so) from the downloaded apache-mod_ssl distribution over your original Apache installation directory (remember to stop Apache first and DO NOT overwrite your edited config files etc.!).
Find the LoadModule directives in your httpd.conf file and add this after the existing ones, according to the file you have found in the distribution:
LoadModule ssl_module modules/ApacheModuleSSL.dll
or
LoadModule ssl_module modules/ApacheModuleSSL.so
or
LoadModule ssl_module modules/mod_ssl.so
in newer versions.
In newer versions of the distribution, it could also be necessary to add
after the AddModule lines that are already in the config file.
Add the following to the end of httpd.conf:
# see http://www.modssl.org/docs/2.8/ssl_reference.html for more info
#SSLRandomSeed startup builtin
# for windows: replace c:/openims with the openims directory (use forward slashes)
SSLRandomSeed startup file:c:/openims/private/random.txt
# for linux???
# You can later change "info" to "warn" if everything is OK
Don't forget to call apache with -D SSL if the IfDefine directive is active in the config file!
You might need to use regedit to change the key HKEY_LOCAL_MACHINE\SOFTWARE\Apache Group\Apache\X.Y.Z to the correct number if the apache.exe from modssl.org/contrib is not the same version as the previously installed one. (This seems not to be necessary with recent versions.)
Also, if you use IfDefine directives and start apache as a service, you need to edit the apache command line in the registry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Apache2) (I haven't tried this).
Start the server, this time from the command prompt (not as a service) in order to see the error messages that prevent Apache from starting. If everything is OK, (optionally) press CTRL+C to stop the server and start it as a service if you prefer.
If it doesn't work, Apache should write meaningful messages to the screen and/or into the error.log and SSL.log files in the Apache/logs directory.
If something doesn't work, set all LogLevels to the maximum and look into the logfiles. They are very helpful.
DON'T e-mail me or the other contributors without having plain Apache installed (Step 1). We will ignore your request; we are not the Free Apache Helpdesk and there is enough good documentation on configuring Apache; if that is not enough for you, you shouldn't run a secure server anyway. Also, DON'T e-mail without having looked into the error.log and SSL.log with LogLevel set to Debug.
Debugging connect problems
Problems connecting to the server with a browser can have many reasons, many of them on the client (proxy, DNS, general IE dumbness).
So, if you encounter problems connecting with SSL, try another browser and/or look into the settings. If even this doesn't work, you can use OpenSSL to debug the problem.
bb@www$ openssl s_client -connect no-such-machine:443
gethostbyname failure # Error resolving this DNS name. Connect with the IP address.
bb@www$ openssl s_client -connect www1.tud.at:443
connect: Connection refused
# No SSL server on this port. Double-check the Listen and Port directives.
bb@www$ openssl s_client -connect apcenter.apcinteractive.net:443
# everything OK. OpenSSL shows the information it obtained from the server.
depth=0 /C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/Emailfirstname.lastname@example.org
verify error:num=18:self signed certificate
depth=0 /C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/Emailemail@example.com
0 s:/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/Emailfirstname.lastname@example.org
i:/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/Emailemail@example.com
subject=/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/Emailfirstname.lastname@example.org
issuer=/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/Emailemail@example.com
No client certificate CA names sent
SSL handshake has read 1281 bytes and written 320 bytes
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Key-Arg : None
Start Time: 980696025
Timeout : 300 (sec)
Verify return code: 0 (ok)
GET / HTTP/1.0
and press RETURN twice]
HTTP/1.1 200 OK
Date: Sun, 28 Jan 2001 15:34:58 GMT
Server: Apache/1.3.9 (Win32) mod_ssl/2.4.9 OpenSSL/0.9.4
Cache-Control: no-cache, no-store, must-revalidate, private
Last-Modified: Sun, 28 Jan 2001 15:35:00 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
# the server shows its main document
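An added example, not part of the HOWTO: a shell function that reads a saved openssl s_client transcript and flags the fields shown in the session above (connect failures, verify errors, key size, protocol, cipher). The thresholds, the function names and the abridged sample transcript are assumptions of this example.

```shell
#!/bin/sh
# Added example: triage a saved "openssl s_client" transcript.
# Thresholds (RSA < 2048 bit, TLS < 1.2, DES/RC4/NULL/EXPORT/MD5 suites)
# are assumptions of this example, not values from the HOWTO.

# Reads a transcript on stdin, prints one finding per line,
# returns 1 if anything was flagged and 0 otherwise.
triage_s_client() {
    awk '
    function flag(msg) { print msg; bad++ }

    /gethostbyname failure/ { flag("CONNECT: host name did not resolve") }
    /Connection refused/    { flag("CONNECT: no listener on that port") }

    # e.g. "verify error:num=18:self signed certificate"
    /verify error:num=/ {
        n = split($0, part, ":")
        flag("TRUST: " part[n] " (" part[n-1] ")")
    }

    # e.g. "Server public key is 1024 bit"
    /Server public key is [0-9]+ bit/ {
        for (i = 1; i < NF; i++) if ($i == "is") bits = $(i + 1) + 0
        if (bits < 2048) flag("KEY: server key is only " bits " bit")
    }

    # Session block, e.g. "Protocol : TLSv1" and "Cipher : EDH-RSA-DES-CBC3-SHA"
    /^[ \t]*Protocol[ \t]*:/ {
        if ($NF ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) flag("PROTOCOL: " $NF " is obsolete")
    }
    /^[ \t]*Cipher[ \t]*:/ {
        if ($NF ~ /(DES|RC4|NULL|EXP|MD5)/) flag("CIPHER: weak suite " $NF)
    }

    END { exit (bad > 0) }
    '
}

# Constructed sample, abridged from the kind of session shown above.
sample_transcript() {
    cat <<'EOF'
verify error:num=18:self signed certificate
SSL handshake has read 1281 bytes and written 320 bytes
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Verify return code: 0 (ok)
EOF
}

sample_transcript | triage_s_client || echo "=> transcript needs attention"
```

To check a live server, save the session with "openssl s_client -connect host:443 < /dev/null > session.txt 2>&1" and run "triage_s_client < session.txt".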
Q: I see the following when starting Apache:
Syntax error on line [some number] of ...httpd.conf
Cannot load apache/modules/mod_ssl.so into server
(126) The module could not be found:
A: Did you copy the openssl DLLs to WINNT/SYSTEM32 (or WINDOWS/SYSTEM on Win9x/ME)?
You can verify this by copying openssl.exe into a directory of its own and executing it. If it complains about not being able to find some DLLs, then you haven't copied them into the correct directory.
One user told me that he had this problem even when he did everything right. He then found the problem: corrupt openssl DLLs. So if you get this error despite having done everything correctly, try the openssl DLLs from another version from modssl.org/contrib.
Q: I see the following when starting Apache:
Syntax error on line [some number] of apache/conf/httpd.conf:
Cannot load apache/modules/apachemodulessl.dll into server:
(127) The specified procedure could not be found:
Syntax error on line [some number] of apache/conf/httpd.conf:
Invalid command 'SSLMutex', perhaps mis-spelled or defined by a module not
included in the server configuration
A: You didn't add the AddModule line (or not where it belongs, it belongs below the other AddModule lines).
Q: SSL doesn't work in the browser and I see the following in some logfile:
[Fri Nov 16 15:46:30 2001] [error] OpenSSL: error:1407609C:SSL
routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to
A: How much clearer can an error message get? Your VirtualHost or Listen configuration is wrong.
Questions about Java servlets, OpenSSL compilation etc.
Don't ask us about installing servlet extensions, recompiling mod_ssl or Apache with EAPI, recompiled versions etc. We have no idea and won't be able to help you. We are just users and not programmers.
If your needs are so special, you are better off with a Debian GNU/Linux or OpenBSD server. It will save you lots of trouble. Really.
Apache Web Server: http://www.apache.org
mod_ssl configuration: http://www.modssl.org/docs/2.8/ssl_reference.html
PHP Hypertext preprocessor: http://www.php.net
Author of this document: Balázs Bárány (http://tud.at)
(mail me your questions, but only after having looked into the error logs with LogLevel debug. You can mail me in English, German and Hungarian.
If I am constantly ignoring your e-mail, read all the hints in the HOWTO about how to e-mail me.)
Contributor: Horst Bräuner (OpenSSL configuration on NT)
Contributor: Christoph Zich (Windows 98)
Contributor: Torsten Stanienda (Test with 1.3.12, IfDefine directive)
Contributor: Peter Holm (Listen and Port directives)
Last change: 2003-11-20
This document can be redistributed under the GNU Free Documentation License. © Balázs Bárány 1999-2003
Appendix B: Enabling LDAP (Windows)
· In php.ini: enable extension=php_ldap.dll.
(Note: php.ini usually resides in c:\windows, after installing Zend, it probably resides in c:\program
· When not using Zend, don’t forget to copy c:\php\dlls\*.dll to c:\windows\system32, these dll’s are used by the ldap module.
· restart Apache