


Deploying the SP on Fedora Core 4

We have deployed a Shibboleth 1.3 SP on the following system:

  • Red Hat Fedora Core 4 (Linux 2.6.14-1.1656_FC4smp #1 SMP)
  • Apache 2.0.54

Protected resources:

The SP providerId:

Note: All NCSA SP providerIds should satisfy the pattern ^https://(.+\.)?ncsa\.uiuc\.edu/shibboleth$

Test apache

If Apache does not respond from another host, the host firewall is probably blocking the HTTP and HTTPS ports; open them with:

/sbin/iptables -I RH-Firewall-1-INPUT -p tcp --dport http -j ACCEPT
/sbin/iptables -I RH-Firewall-1-INPUT -p tcp --dport https -j ACCEPT

To make these iptables rules persist across reboots, save the running configuration with:

/etc/init.d/iptables save

Download/install RPMs

# get all the RPMs:
$ wget -r -l1 --no-parent --no-directories -A.rpm -o log.txt \
  http://shibboleth.internet2.edu/downloads/RPMS/i386/fedora/4/ &
# sanity check (the wget above runs in the background, so wait for it to finish first):
$ rpm -ql --package log4cpp-0.3.5rc1-1.i386.rpm

# install log4cpp:
$ su
$ rpm -ihv log4cpp*
$ rpm -ql log4cpp-0.3.5rc1-1
$ rpm -ql log4cpp-debuginfo-0.3.5rc1-1
$ rpm -ql log4cpp-devel-0.3.5rc1-1
$ rpm -ql log4cpp-docs-0.3.5rc1-1

# install xerces:
$ rpm -ihv xerces*
$ rpm -ql xerces-c-2.6.1-2
$ rpm -ql xerces-c-debuginfo-2.6.1-2
$ rpm -ql xerces-c-devel-2.6.1-2
$ rpm -ql xerces-c-doc-2.6.1-2
$ rpm -ql xerces-c-samples-2.6.1-2

# install xml-security:
$ rpm -ihv xml-security*
$ rpm -ql xml-security-c-1.2.0-1
$ rpm -ql xml-security-c-debuginfo-1.2.0-1
$ rpm -ql xml-security-c-devel-1.2.0-1
$ rpm -ql xml-security-c-docs-1.2.0-1

# install opensaml:
$ rpm -ihv opensaml*
$ rpm -ql opensaml-1.1-5
$ rpm -ql opensaml-debuginfo-1.1-5
$ rpm -ql opensaml-devel-1.1-5

# test opensaml (90% success rate is expected):
$ export SAMLSCHEMAS=/usr/share/xml/opensaml
$ /usr/bin/samltest
Running 10 tests
...
Failed 1 of 10 tests
Success rate: 90%

# install shibboleth:
$ rpm -ihv shibboleth*
error: Failed dependencies:
		  selinux-policy-targeted-sources is needed by
		  shibboleth-selinux-policy-targeted-1.3-8.i386

# install selinux-policy-targeted-sources:
$ yum install selinux-policy-targeted-sources
$ rpm -ql selinux-policy-targeted
/etc/selinux
/etc/selinux/targeted
/etc/selinux/targeted/booleans
/etc/selinux/targeted/contexts
/etc/selinux/targeted/contexts/customizable_types
/etc/selinux/targeted/contexts/dbus_contexts
/etc/selinux/targeted/contexts/default_contexts
/etc/selinux/targeted/contexts/default_type
/etc/selinux/targeted/contexts/failsafe_context
/etc/selinux/targeted/contexts/files
/etc/selinux/targeted/contexts/files/file_contexts
/etc/selinux/targeted/contexts/files/file_contexts.homedirs
/etc/selinux/targeted/contexts/files/homedir_template
/etc/selinux/targeted/contexts/files/media
/etc/selinux/targeted/contexts/initrc_context
/etc/selinux/targeted/contexts/port_types
/etc/selinux/targeted/contexts/removable_context
/etc/selinux/targeted/contexts/userhelper_context
/etc/selinux/targeted/contexts/users
/etc/selinux/targeted/contexts/users/root
/etc/selinux/targeted/policy
/etc/selinux/targeted/policy/policy.19
/etc/selinux/targeted/users
/etc/selinux/targeted/users/local.users
/etc/selinux/targeted/users/system.users
/usr/share/man/man8/ftpd_selinux.8.gz
/usr/share/man/man8/httpd_selinux.8.gz
/usr/share/man/man8/kerberos_selinux.8.gz
/usr/share/man/man8/named_selinux.8.gz
/usr/share/man/man8/nfs_selinux.8.gz
/usr/share/man/man8/nis_selinux.8.gz
/usr/share/man/man8/rsync_selinux.8.gz
/usr/share/man/man8/samba_selinux.8.gz
/usr/share/man/man8/ypbind_selinux.8.gz

# try to install shibboleth again:
$ rpm -ihv shibboleth*
cat: /selinux/policyvers: No such file or directory
cat: /selinux/mls: No such file or directory
cat: /selinux/policyvers: No such file or directory
cat: /selinux/mls: No such file or directory
/usr/sbin/load_policy:  Warning! unable to get boolean names:  No such file or directory
/usr/sbin/load_policy:  security_load_policy failed
make: *** [tmp/load] Error 3

# try to update shibboleth:
$ rpm -Uhv shibboleth*
Preparing...					 ########################################### [100%]
		  package shibboleth-1.3-8 is already installed
		  package shibboleth-debuginfo-1.3-8 is already installed
		  package shibboleth-devel-1.3-8 is already installed
		  package shibboleth-selinux-policy-targeted-1.3-8 is already installed

# remove shibboleth and selinux:
$ rpm --erase shibboleth-1.3-8 shibboleth-debuginfo-1.3-8 shibboleth-devel-1.3-8 shibboleth-selinux-policy-targeted-1.3-8
$ rpm --erase selinux-policy-targeted-sources

# custom install shibboleth (no selinux):
$ rpm -ihv shibboleth-1.3-8.i386.rpm shibboleth-debuginfo-1.3-8.i386.rpm shibboleth-devel-1.3-8.i386.rpm
$ rpm -ql shibboleth-1.3-8
$ rpm -ql shibboleth-debuginfo-1.3-8
$ rpm -ql shibboleth-devel-1.3-8

# test opensaml (100% success rate is expected):
$ export SAMLSCHEMAS=/usr/share/xml/shibboleth
$ /usr/bin/samltest
Running 10 tests
...
OK!

Install SRPMs

If you prefer to install from source, follow these directions: http://shib.kuleuven.be/docs/sp/build-rpms.shtml

Modify httpd.conf

# modify apache config:
$ cp /etc/httpd/conf/httpd.conf /tmp/httpd.conf.bak
$ sed 's/^#ServerName www.example.com:80/ServerName computer.ncsa.uiuc.edu:80/' /etc/httpd/conf/httpd.conf > /tmp/httpd.conf
$ sed 's/^UseCanonicalName Off/UseCanonicalName On/' /tmp/httpd.conf > /etc/httpd/conf/httpd.conf

# modify ssl config:
$ cp /etc/httpd/conf.d/ssl.conf /tmp/ssl.conf.bak
$ sed 's/^SSLCertificateFile \/etc\/pki\/tls\/certs\/localhost.crt/SSLCertificateFile \/etc\/grid-security\/hostcert.pem/' /etc/httpd/conf.d/ssl.conf > /tmp/ssl.conf
$ sed 's/^SSLCertificateKeyFile \/etc\/pki\/tls\/private\/localhost.key/SSLCertificateKeyFile \/etc\/grid-security\/hostkey.pem/' /tmp/ssl.conf > /etc/httpd/conf.d/ssl.conf
$ sed 's/^#DocumentRoot "\/var\/www\/html"/DocumentRoot "\/var\/www\/html"/' /etc/httpd/conf.d/ssl.conf > /tmp/ssl.conf
$ sed 's/^#ServerName www.example.com:443/ServerName computer.ncsa.uiuc.edu:443/' /tmp/ssl.conf > /etc/httpd/conf.d/ssl.conf

# create secure resource:
$ mkdir /var/www/html/secure
$ echo '<p>secure</p>' > /var/www/html/secure/index.html

Tips:

# stop/start apache:
$ /usr/sbin/apachectl stop
$ /usr/sbin/apachectl start

# restart apache:
$ /usr/sbin/apachectl restart

Modify shib.conf

TBD

Modify shibboleth.xml

The modifications are too numerous to list here; compare the working file with the shipped default using:

diff -b /etc/shibboleth/shibboleth.xml /etc/shibboleth/shibboleth.xml.dist

The most important change is the RequestMap element in shibboleth.xml:

<RequestMapProvider type="edu.internet2.middleware.shibboleth.sp.provider.NativeRequestMapProvider">
  <RequestMap requireSessionWith="IQ" applicationId="default">
	 <!--
	 This requires a session for documents in /secure on the containing host with http and
	 https on the default ports. Note that the name and port in the <Host> elements MUST match
	 Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element
	 below.
	 -->
	 <Host name="computer.ncsa.uiuc.edu">
		<!-- protect /secure -->
		<Path name="secure" authType="shibboleth" requireSession="true" exportAssertion="true">
		  <!-- Example shows the folder "/secure/admin" assigned to a separate <Application> -->
		  <!--
		  <Path name="admin" applicationId="foo-admin"/>
		  -->
		</Path>
		<!-- protect /cgi-bin/SP-CA-protected but in general leave /cgi-bin unprotected -->
		<Path name="cgi-bin">
		  <Path name="SP-CA-protected" authType="shibboleth" requireSession="true" exportAssertion="true"/>
		</Path>
	 </Host>
  </RequestMap>
</RequestMapProvider>

Install debug scripts

Numerous useful test scripts, in a variety of languages: http://shib.kuleuven.be/download/sp/test_scripts/

Set log level="DEBUG"

# (may not be necessary)
$ touch /var/log/httpd/native.log
$ chmod 777 /var/log/httpd/native.log  # FIX THIS! 777 makes the log world-writable; give only the web-server user write access instead

Generate bossie credential

https://bossie.doit.wisc.edu:3443/cert/i2server/csr

Join InQueue

TBD

Refresh metadata

# the wrong way to retrieve metadata (a plain download; nothing checks the file's signature):
$ wget http://wayf.internet2.edu/InQueue/IQ-metadata.xml

# the correct way to retrieve metadata (siterefresh checks the file's signature against inqueue.pem before writing it out):
$ wget http://wayf.internet2.edu/InQueue/inqueue.pem
$ /usr/sbin/siterefresh --cert inqueue.pem \
  --url http://wayf.internet2.edu/InQueue/IQ-metadata.xml \
  --out IQ-metadata.xml

Modify AAP.xml

TBD

How to use the shibd script

# this was done by the RPM:
$ /sbin/chkconfig --add /etc/shibboleth/shibd

# restart shibd:
$ /etc/init.d/shibd status
shibd is stopped
$ /etc/init.d/shibd start
Starting shibd:
$ /etc/init.d/shibd status
shibd (pid 2386) is running...


Upgrading the SP

# query old packages:
$ rpm -ql opensaml-1.1-5
$ rpm -ql opensaml-debuginfo-1.1-5
$ rpm -ql opensaml-devel-1.1-5
$ rpm -ql shibboleth-1.3-8
$ rpm -ql shibboleth-debuginfo-1.3-8
$ rpm -ql shibboleth-devel-1.3-8

# backup shibboleth config:
$ tar cvf /tmp/shibboleth-1.3-8.tar /etc/shibboleth/ /etc/init.d/shibd /etc/httpd/conf.d/shib.conf

# get opensaml and shibboleth rpms (note: both background wget jobs write to the same log.txt and will clobber each other; use distinct -o files):
$ cd /tmp
$ wget -r -l1 --no-parent --no-directories -Aopensaml*.rpm -o log.txt http://shibboleth.internet2.edu/downloads/RPMS/i386/fedora/4/ &
$ wget -r -l1 --no-parent --no-directories -Ashibboleth*.rpm -o log.txt http://shibboleth.internet2.edu/downloads/RPMS/i386/fedora/4/ &

# query new packages:
$ rpm -qip opensaml-1.1-6.i386.rpm
$ rpm -qip opensaml-debuginfo-1.1-6.i386.rpm
$ rpm -qip opensaml-devel-1.1-6.i386.rpm
$ rpm -qip shibboleth-1.3-11.i386.rpm
$ rpm -qip shibboleth-debuginfo-1.3-11.i386.rpm
$ rpm -qip shibboleth-devel-1.3-11.i386.rpm

# test new packages:
$ rpm -U --test opensaml-1.1-6.i386.rpm
$ rpm -U --test opensaml-debuginfo-1.1-6.i386.rpm
$ rpm -U --test opensaml-devel-1.1-6.i386.rpm
$ rpm -U --test shibboleth-1.3-11.i386.rpm
$ rpm -U --test shibboleth-debuginfo-1.3-11.i386.rpm
$ rpm -U --test shibboleth-devel-1.3-11.i386.rpm

# stop shibd:
$ /etc/init.d/shibd status
shibd (pid 1712) is running...
$ /etc/init.d/shibd stop
/etc/init.d/shibd stop

# update opensaml:
$ rpm -Uvh opensaml-1.1-6.i386.rpm
$ rpm -Uvh opensaml-debuginfo-1.1-6.i386.rpm
$ rpm -Uvh opensaml-devel-1.1-6.i386.rpm

# test opensaml (90% success rate is expected):
$ export SAMLSCHEMAS=/usr/share/xml/opensaml
$ /usr/bin/samltest
..
Failed 1 of 10 tests
Success rate: 90%

# update shibboleth:
$ rpm -Uvh shibboleth-1.3-11.i386.rpm
$ rpm -Uvh shibboleth-debuginfo-1.3-11.i386.rpm
$ rpm -Uvh shibboleth-devel-1.3-11.i386.rpm

# test opensaml (100% success rate is expected):
$ export SAMLSCHEMAS=/usr/share/xml/shibboleth
$ /usr/bin/samltest
Running 10 tests
...
OK!

# start processes:
$ /etc/init.d/shibd status
shibd is stopped
$ /etc/init.d/shibd start
Starting shibd:
$ /etc/init.d/httpd graceful