Set up uPortal on geni-portal.co.internet2.edu
Install Shib SP
(done already, or see https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxRPMInstall)
Configure SP for Delegation
(As per Configuring Shibboleth Delegation for a Portal.)
- Edit /etc/shibboleth/shibboleth2.xml:
  - Add exportAssertion="true" to the <Path> element, so that it reads:

    <Host name="geni-portal.co.internet2.edu">
        <Path name="secure" authType="shibboleth" requireSession="true" exportAssertion="true" />
    </Host>
- XXX May need to edit server IP ACL
- Replace the AttributeExtractor block with the following:

    <AttributeExtractor type="Chaining">
        <AttributeExtractor type="XML" path="attribute-map.xml"/>
        <AttributeExtractor type="KeyDescriptor" signingId="Signing-Keys"/>
    </AttributeExtractor>
- Restart shibd:

    # /etc/init.d/shibd restart
Create an NMI User
Check Version Numbers
Set the appropriate version numbers in the paths, or use symlinks instead.

    # /usr/sbin/useradd -d /home/nmi -g 100 -s /bin/bash -u 20037 -c 'NMI Software' nmi
    # cat >> ~nmi/.bashrc
    JAVA_HOME=/usr/java/default
    export JAVA_HOME
    JAVA_OPTS="-XX:MaxPermSize=128m"
    export JAVA_OPTS
    ANT_HOME=/home/nmi/ant/apache-ant-1.7.1
    export ANT_HOME
    MAVEN_HOME=/home/nmi/maven/apache-maven-2.2.1
    export MAVEN_HOME
    PATH=${PATH}:${ANT_HOME}/bin:${MAVEN_HOME}/bin
Download and install Java JDK (not just the JRE)
- Download from http://java.sun.com/javase/downloads/index.jsp
    sh ./jdk-6u20-linux-i586-rpm.bin
Install Hypersonic
For a production installation, some other database should be used.
Download the zip from http://www.hsqldb.org to ~nmi/hsql/.

    # su - nmi
    $ cd hsql
    $ unzip hsqldb_1_8_1_2.zip
    $ mkdir hsqldb/data
    $ cd hsqldb/demo

Create an appropriate init.d script and

    # /sbin/chkconfig --add hsql
    # /etc/init.d/hsql start

or manually start HSQL via

    $ ./runServer.sh -port 8887 -database uPortal &
Install Ant
Not All Ants Are Alike
Don't use yum's ant, as it causes build errors about xml-commons-apis not found.
Also, use v1.7.1, not 1.8.1.
Download from http://ant.apache.org/bindownload.cgi or http://archive.apache.org/dist/ant/binaries.
    $ cd ~nmi
    $ mkdir ant
    $ cd ant
    $ tar xjf apache-ant-1.7.1-bin.tar.bz2
Install Maven
Download from http://maven.apache.org/download.html.
    $ cd ~nmi
    $ mkdir maven
    $ cd maven
    $ tar xjf apache-maven-2.2.1-bin.tar.bz2
Install Tomcat
- Download from http://tomcat.apache.org/download-60.cgi.
    $ cd ~nmi
    $ tar xzf apache-tomcat-6.0.28.tar.gz
    $ ln -s apache-tomcat-6.0.28 tomcat6
- Edit tomcat6/conf/catalina.properties. Set:

    shared.loader=${catalina.base}/shared/classes,${catalina.base}/shared/lib/*.jar
- Edit tomcat6/conf/server.xml. Add emptySessionPath="true" to:

    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
- Edit tomcat6/conf/server.xml. Add request.tomcatAuthentication="false" to the AJP connector (otherwise REMOTE_USER won't be passed through):

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" request.tomcatAuthentication="false" />
- Create a startup script

    $ vi /etc/init.d/nmi-tomcat6

- Set up init.d links

    # /sbin/chkconfig --add nmi-tomcat6

- Start Tomcat

    # /etc/init.d/nmi-tomcat6 start

- After testing, stop Tomcat in preparation for Portal installation.

    # /etc/init.d/nmi-tomcat6 stop
Configure httpd SSL
Set up an SSL cert with the correct server name, though it's not clear this is strictly necessary.
    $ cd ~nmi
    $ mkdir ssl
    $ cd ssl
    $ openssl req -new -x509 -nodes -out server.crt -keyout server.key
    Country Name (2 letter code) [GB]:US
    State or Province Name (full name) [Berkshire]:Michigan
    Locality Name (eg, city) [Newbury]:Ann Arbor
    Organization Name (eg, company) [My Company Ltd]:Internet2
    Organizational Unit Name (eg, section) []:COmanage Dev
    Common Name (eg, your name or your server's hostname) []:geni-portal.co.internet2.edu
    Email Address []:
    # mv ~nmi/ssl/server.crt /etc/pki/tls/certs/
    # mv ~nmi/ssl/server.key /etc/pki/tls/private/
    # vi /etc/httpd/conf.d/ssl.conf

Change the paths to the above.

    # /etc/init.d/httpd restart
Configure AJP connector
uPortal spews a bunch of stuff into the top-level Tomcat space, so it's easiest to tell mod_ajp what not to pass.
- Add the following to /etc/httpd/conf.d/proxy_ajp.conf:

    ProxyPass /cgi-bin !
    ProxyPass /Shibboleth.sso !
    ProxyPass /secure !
    ProxyPass /shibboleth !
    ProxyPass / ajp://localhost:8009/

- Restart httpd:

    /etc/init.d/httpd restart
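As an added check that is not part of the original wiki page: mod_proxy evaluates ProxyPass rules in configuration order and the first matching prefix wins, so the "!" exclusions above only protect the Shibboleth SP paths because they precede the catch-all ajp:// rule. The script below models that resolution and lists any SP path a given proxy_ajp.conf would forward to Tomcat; both configuration texts are constructed here (the first from the directives on this page, the second as a deliberately misordered counter-example).

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: the ProxyPass directives exactly as this page gives them.
GOOD_CONF = """
ProxyPass /cgi-bin !
ProxyPass /Shibboleth.sso !
ProxyPass /secure !
ProxyPass /shibboleth !
ProxyPass / ajp://localhost:8009/
"""
# Constructed counter-example: the catch-all comes first, so the
# exclusions listed after it are never reached.
BAD_CONF = """
ProxyPass / ajp://localhost:8009/
ProxyPass /Shibboleth.sso !
ProxyPass /secure !
"""
# Paths that must stay with httpd/shibd rather than be forwarded to Tomcat.
SP_PATHS = ["/Shibboleth.sso", "/secure", "/shibboleth", "/cgi-bin"]


def parse_proxypass(conf: str) -> List[Tuple[str, str]]:
    """Return (path, target) pairs for each ProxyPass line, in file order."""
    rules = []
    for line in conf.splitlines():
        m = re.match(r"^\s*ProxyPass\s+(\S+)\s+(\S+)", line)
        if m:
            rules.append((m.group(1), m.group(2)))
    return rules


def _prefix_matches(rule_path: str, request_path: str) -> bool:
    """mod_proxy alias matching: whole segments only ('/secure' does not match '/securex')."""
    if rule_path.endswith("/"):
        return request_path.startswith(rule_path)
    return request_path == rule_path or request_path.startswith(rule_path + "/")


def resolve(rules: List[Tuple[str, str]], request_path: str) -> Optional[str]:
    """First matching rule wins; '!' means 'do not proxy', None means no rule matched."""
    for path, target in rules:
        if _prefix_matches(path, request_path):
            return target
    return None


def misrouted_sp_paths(conf: str) -> List[str]:
    """SP paths that this proxy_ajp.conf would hand to Tomcat instead of the local SP handler."""
    rules = parse_proxypass(conf)
    return [p for p in SP_PATHS if resolve(rules, p + "/probe") != "!"]
```

An empty result from misrouted_sp_paths() means the SP handler and the shib-protected paths stay with httpd while everything else reaches uPortal over AJP.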
Install uPortal
    $ cd ~nmi
    $ mkdir uportal
    $ cd uportal
- Download from http://www.jasig.org/uportal/download.
    $ tar xzf uPortal-3.2.1.tar.gz
    $ cd uPortal-3.2.1
- Create a build.properties file and set the locations for Tomcat and Maven.

    $ cp build.properties.sample build.properties
    $ vi build.properties

  Set:

    server.home=/home/nmi/tomcat6
    maven.home=/home/nmi/maven/apache-maven-2.2.1
- Run initportal. This will set up a default portal and database. (It might take around 15 minutes to run.)

    $ ant initportal
    [... lots of output]
    BUILD SUCCESSFUL
    Total time: 14 minutes 20 seconds
- Start Tomcat.
    $ /etc/init.d/nmi-tomcat6 start
- Verify that https://geni-portal.co.internet2.edu/uPortal renders the portal.
Reconfigure internal CAS
By default, uPortal will try to access CAS via localhost, which won't work for testing or for the next step. Note that CAS is accessed over HTTP, not HTTPS, to work around issues with certificate validation. Since we'll only use CAS briefly, this is just easier.
    $ /etc/init.d/nmi-tomcat6 stop

- Edit ~/uportal/uPortal-3.2.1/uportal-war/src/main/webapp/WEB-INF/web.xml and change the CAS server URLs from http://localhost:8080 to http://geni-portal.co.internet2.edu. Be sure to leave ServerName as https, as this is not used to generate CAS URLs.
- Edit ~/uportal/uPortal-3.2.1/uportal-impl/src/main/resources/properties/security.properties similarly.

    $ cd ~/uportal/uPortal-3.2.1
    $ ant deploy-war
    $ /etc/init.d/nmi-tomcat6 start
Set up Portal admin user
Before setting up shib authentication, create a new user in uPortal that will match the username returned in $REMOTE_USER and that has admin privileges.
    $ cd ~/uportal/uPortal-3.2.1
    $ ant md5passwd -Dusername=benno@i2.edu
    [...]
    [java] Enter Password for benno@i2.edu: somepass

- Log in as the user you just created (e.g. benno@i2.edu). This will create the skeletal user record needed next.
- Logout.
- Login as an existing admin user.
- Click "Admin Tools".
- Click "Manage groups".
- Click "Portal System".
- Click "Portal Administrators".
- Click "Edit Group".
- Click "Add Members".
- Enter the username in the search box and click "Go".
- Tick the checkbox next to the user you created and click "Select Marked".
- Click "Done With Selection". The new user is now an admin. You can log out and log back in as that user and you should now see the admin tab.
Reconfigure uPortal to use Shib auth
- vi /etc/httpd/conf.d/shib.conf and add:

    <Location /uPortal/Login>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        require valid-user
    </Location>

- /etc/init.d/httpd restart

    $ /etc/init.d/nmi-tomcat6 stop
- Configure uPortal to get the username from the REMOTE_USER header. In uportal-impl/src/main/resources/properties/security.properties comment out all root.* properties and add the property:

    root=org.jasig.portal.security.provider.RemoteUserSecurityContextFactory
- Configure uPortal to create users on demand based on the REMOTE_USER header. In uportal-impl/src/main/resources/properties/contexts/userContext.xml replace the SimplePersonManager bean

    <bean id="personManager" class="org.jasig.portal.security.provider.SimplePersonManager" />

  with the RemoteUserPersonManager bean:

    <bean id="personManager" class="org.jasig.portal.security.provider.RemoteUserPersonManager" />
- Configure uPortal to populate the user's attributes based on headers from Shibboleth.
- In pom.xml update the line (XXX RC8 or RC6?)

    <person-directory.version>1.5.0-RC3</person-directory.version>

  to

    <person-directory.version>1.5.0-RC8</person-directory.version>
- In uportal-impl/src/main/resources/properties/contexts/personDirectoryContext.xml add the following beans (XXX update for correct attributes?) and comment out the previous definitions of requestAttributeSourceFilter and requestAdditionalDescriptors.

    <!--
     | Servlet filter that creates an attribute for the serverName
     +-->
    <bean id="requestAttributeSourceFilter" class="org.jasig.services.persondir.support.web.RequestAttributeSourceFilter">
        <property name="additionalDescriptors" ref="requestAdditionalDescriptors" />
        <property name="usernameAttribute" value="remoteUser" />
        <property name="remoteUserAttribute" value="remoteUser" />
        <property name="serverNameAttribute" value="serverName" />
        <property name="processingPosition" value="BOTH" />
        <property name="headerAttributeMapping">
            <map>
                <!-- MODIFY THESE MAPPINGS TO EXPOSE HEADERS FROM SHIB AS USER ATTRIBUTES -->
                <entry key="cn">
                    <list>
                        <value>cn</value>
                        <value>displayName</value>
                    </list>
                </entry>
                <entry key="givenName" value="givenName" />
            </map>
        </property>
    </bean>

    <!--
     | Session-scoped descriptors object. One of these will exist for each user in their session. It will store the
     | attributes from the request set by the requestAttributeSourceFilter
     +-->
    <bean id="requestAdditionalDescriptors" class="org.jasig.services.persondir.support.MediatingAdditionalDescriptors">
        <property name="delegateDescriptors">
            <list>
                <bean class="org.jasig.services.persondir.support.AdditionalDescriptors" scope="globalSession">
                    <aop:scoped-proxy />
                </bean>
                <bean class="org.jasig.services.persondir.support.AdditionalDescriptors" scope="request">
                    <aop:scoped-proxy />
                </bean>
            </list>
        </property>
    </bean>
- In uportal-war/src/main/webapp/WEB-INF/web.xml add the following servlet filter:

    <filter>
        <filter-name>requestAttributeSourceFilter</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>requestAttributeSourceFilter</filter-name>
        <url-pattern>/Login</url-pattern>
    </filter-mapping>
    $ ant deploy-war
    $ /etc/init.d/nmi-tomcat6 start
Configure uPortal for delegated assertion processing
(As per https://wiki.jasig.org/display/UPM31/Configuring+uPortal+to+pass+the+SAML+Assertion.)
    $ /etc/init.d/nmi-tomcat6 stop
- Edit pom.xml and add this line after the servlet-api.version line.

    <uportal-shibboleth-delegation-integration.version>1.1.0</uportal-shibboleth-delegation-integration.version>
- Also, add this block after the person-directory-impl dependency.

    <dependency>
        <groupId>org.jasig.service</groupId>
        <artifactId>uportal-shibboleth-delegation-integration</artifactId>
        <version>${uportal-shibboleth-delegation-integration.version}</version>
    </dependency>
- Edit uportal-impl/pom.xml and add this dependency after the person-directory-impl dependency.

    <dependency>
        <groupId>org.jasig.service</groupId>
        <artifactId>uportal-shibboleth-delegation-integration</artifactId>
        <scope>compile</scope>
    </dependency>
- Add the following to uportal-war/src/main/webapp/WEB-INF/web.xml:

    <filter>
        <filter-name>SamlAssertionFilter</filter-name>
        <filter-class>org.jasig.portal.security.provider.SamlAssertionFilter</filter-class>
        <init-param>
            <param-name>samlAssertionSessionAttributeName</param-name>
            <param-value>SAML Assertion</param-value>
        </init-param>
        <init-param>
            <param-name>idpPublicKeysSessionAttributeName</param-name>
            <param-value>IdP Public Keys</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>SamlAssertionFilter</filter-name>
        <servlet-name>Login</servlet-name>
    </filter-mapping>
- Add the following to uportal-impl/src/main/resources/properties/contexts/portletContainerContext.xml:
  - Add <ref bean="samlAssertionUserInfoService" /> to userInfoServices.
  - Add:

    <bean id="samlAssertionUserInfoService" class="org.jasig.portal.portlet.container.services.SamlAssertionUserInfoService">
        <property name="userInstanceManager" ref="userInstanceManager" />
        <property name="portletWindowRegistry" ref="portletWindowRegistry" />
        <property name="portletEntityRegistry" ref="portletEntityRegistry" />
        <property name="portletDefinitionRegistry" ref="portletDefinitionRegistry" />
        <property name="portalRequestUtils" ref="portalRequestUtils" />
        <!-- These have to match what portlets declare for user attributes in portlet.xml -->
        <property name="samlAssertionKey" value="samlAssertion" />
        <property name="idpPublicKeysKey" value="idpPublicKeys" />
        <!-- These have to match the values defined for the SamlAssertionFilter in web.xml -->
        <property name="samlAssertionSessionKey" value="SAML Assertion" />
        <property name="idpPublicKeysSessionKey" value="IdP Public Keys" />
    </bean>
    $ ant deploy-war
    $ /etc/init.d/nmi-tomcat6 start