Created by OpenACS community, last modified by Gustaf Neumann 24 Oct 2023, at 01:45 PM
There are many ways to get OpenACS working for you quickly and/or easily. See Try OpenACS for demonstrations and hosting solutions. In general, OpenACS can be installed with NaviServer or with AOLserver, which are two closely related servers. While NaviServer sees regular development, the AOLserver community is very conservative. Some of the guides below refer to AOLserver, some to NaviServer.
Packaged installations
For some platforms, a packaged version of OpenACS is available:
Generic installation scripts
For many Linux platforms (e.g. Ubuntu, Debian, Fedora), one can use the generic installer, which compiles all base components (using NaviServer) and creates users/groups as needed; it works with PostgreSQL 9.2 or newer. These install scripts can also be used on Mac OS X when MacPorts is installed. The installer scripts are regularly updated.
The following alternative script installs AOLserver and the contained modules from source. Using AOLserver for new OpenACS installations is NOT RECOMMENDED (last release 2011), but could be useful or necessary in certain contexts. It assumes that PostgreSQL is already installed:
- Install AOLserver: https://openacs.org/storage/view/aolserver/install.tgz
- Install OpenACS: en:openacs-subsystem-install
Manually installing OpenACS:
In a production environment, one may need to customize the installation further by hand, since there are many configuration options and these scripts cover only the common ones. In this case, we recommend using the script as a reference and adapting the installation steps to your needs.
Created by Gustaf Neumann, last modified by Gustaf Neumann 24 Oct 2023, at 10:04 AM
- Security:
- Stronger password hashes for OpenACS
- New password hashes in addition to the classical "salted-sha1"
- "scram-sha-256": SCRAM (RFC 7677) with parameter recommendation from RFC 7677; requires OpenSSL 1.1.1 and NaviServer 4.99.23 or newer
- "scrypt-16384-8-1": SCRYPT (RFC 7914) with parameter "-n 16384 -r 8 -p 1"; requires OpenSSL 3.0 and NaviServer 4.99.23 or newer
- "argon2-argon2-12288-3-1": Argon2 (RFC 9106), parameterization recommendation from OWASP: m=12288 (12 MiB), t=3, p=1; requires OpenSSL 3.2 and NaviServer 5.0 or newer
- "argon2-rfc9106-high-mem": Argon2 (RFC 9106), first (memory-intensive) recommendation from RFC 9106; requires OpenSSL 3.2 and NaviServer 5.0 or newer
- "argon2-rfc9106-low-mem": Argon2 (RFC 9106), second recommendation from RFC 9106; requires OpenSSL 3.2 and NaviServer 5.0 or newer
- The preference order of the password hash algorithms can be set via the kernel package parameter "PasswordHashAlgorithm". The first available algorithm from the preference list is used, and existing hashes are re-coded automatically at the user's next login.
- See https://openacs.org/forums/message-view?message_id=5537869
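The preference-list selection and the re-hash at next login described above, sketched in Python as an added example (this is not OpenACS or NaviServer code). The record layout, the space-separated preference string and the byte order used for "salted-sha1" are assumptions; the Argon2 names are simply unavailable here because Python's standard library has no Argon2.

```python
import hashlib, hmac, os

# Assumed layout for the legacy scheme: SHA-1 over password followed by salt.
def _salted_sha1(pw: bytes, salt: bytes) -> bytes:
    return hashlib.sha1(pw + salt).digest()

# "scrypt-16384-8-1" encodes n=16384, r=8, p=1 (about 16 MiB of memory per hash).
def _scrypt(pw: bytes, salt: bytes) -> bytes:
    return hashlib.scrypt(pw, salt=salt, n=16384, r=8, p=1,
                          maxmem=64 * 1024 * 1024, dklen=32)

# Availability depends on the crypto library underneath, as on the page.
ALGORITHMS = {"salted-sha1": _salted_sha1}
if hasattr(hashlib, "scrypt"):
    ALGORITHMS["scrypt-16384-8-1"] = _scrypt

def preferred_algorithm(preference: str) -> str:
    """Return the first algorithm in the preference list that is available."""
    for name in preference.split():
        if name in ALGORITHMS:
            return name
    raise ValueError("no usable algorithm in preference list")

def make_record(password: str, algorithm: str) -> dict:
    """Hash with a fresh random salt; the dict stands in for a users-table row."""
    salt = os.urandom(16)
    digest = ALGORITHMS[algorithm](password.encode(), salt)
    return {"algorithm": algorithm, "salt": salt, "hash": digest}

def login(record: dict, password: str, preference: str) -> bool:
    """Verify with the stored algorithm; on success, upgrade to the preferred one."""
    candidate = ALGORITHMS[record["algorithm"]](password.encode(), record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):
        return False  # wrong password: the stored record is left untouched
    wanted = preferred_algorithm(preference)
    if record["algorithm"] != wanted:
        # The cleartext is only known during login, so this is the upgrade point.
        record.update(make_record(password, wanted))
    return True

# Constructed sample preference list, strongest first.
PREFERENCE = "argon2-rfc9106-low-mem scrypt-16384-8-1 salted-sha1"
```

Accounts that never log in again keep their old hash, so the weakest algorithm still present in the table bounds the exposure if the table leaks.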
- Added optional CSP rules based on MIME types. This is important for user-contributed content. When users upload e.g. SVG files to the file storage and the content is served from there, it poses a potential security hole, since an SVG file can carry embedded script. One can now define an additional parameter called "StaticCSP" in the section "ns/server/$server/acs" of the OpenACS configuration file to deactivate execution of script files from static content.
ns_param StaticCSP {
image/svg+xml "script-src 'none'"
}
- Cookie-Namespace: When multiple OpenACS instances are served from the same domain name, the same cookies (e.g. ad_session_id, ad_login, ...) are sent to all servers. For sensitive cases, a cookie namespace can be configured, which replaces the traditional "ad_" prefix. It can also be set in the section "ns/server/$server/acs" of the OpenACS configuration file.
# Provide optionally a different cookie namespace
# (used for prefixing OpenACS cookies)
ns_param CookieNamespace "ad_"
- Improved templating:
- Client-side double click prevention
- Support for generic icon names, which can be mapped differently depending on the installed packages and themes: The generic names are supported via <adp:icon name="NAME" title=...>. By using this feature, one can use font-based icons (like e.g. glyphicons of Bootstrap5, bootstrap-icons, fa-icons, ...) instead of the old-style .gif and .png images. This makes the appearance more uniform, has better resizing behavior, and works more efficiently (fewer requests for embedded resources). Most of the occurrences of the old-style images in standard core and non-core packages in oacs-5-10 are already replaced.
- Support for listing registered URNs
- Require NaviServer (i.e. drop AOLserver support).
Rationale: AOLserver cannot be compiled with the required modules with recent Tcl versions. Trying to backport NaviServer compatibility functions seems to be overkill for the OpenACS project.
- Further reduce divergence between Oracle and Postgres SQL. Target version of Oracle could be 12.*, as Extended support ends in 2022 (see https://www.oracle.com/us/support/library/lifetime-support-technology-069183.pdf)
- limit / rownum -> fetch first
- use Postgres schemas for stored procedures so that they can be invoked with the same Oracle idiom
- Bootstrap 3 reached EOL in 2019, Bootstrap 4 had EOL 2022, so we should migrate to Bootstrap 5 (details: https://github.com/twbs/release)
- New Packages:
- openacs-bootstrap5
- bootstrap-icons
- fa-icons
- highcharts
- Potential incompatibility with OpenACS 5.10.0: "permission::permission_p" returns Boolean values as "t" and "f" and not "1" and "0". Avoid literal comparisons of the result and use boolean tests available in Tcl/OpenACS.
- Support for fresh installations on Oracle 19c (for details, see: oacs-5-10-on-oracle-19c)
- Require Tcl 8.6.2, XOTcl 2.1, PostgreSQL 12 (PostgreSQL 11 EOL: November 23), tdom 0.9