Wednesday, May 16, 2012

Shibboleth IdP SLO part 2 (Installation)

Installation

Download

Download Shibboleth IdP SLO from http://software.niif.hu
curl -L -O http://software.niif.hu/maven2/edu/internet2/middleware/shibboleth-identityprovider/2.3.5-slo10/shibboleth-identityprovider-2.3.5-slo10-bin.tar.gz
and extract
tar zxvf shibboleth-identityprovider-2.3.5-slo10-bin.tar.gz

Modify the login page

  • Modify the login page before running the installer. It can also be done later, but then the install script has to be run again for the change to reach the running IdP. Edit login.jsp in the shibboleth-identityprovider-2.3.5-slo10/src/main/webapp directory.

Copy library

  • Copy the endorsed libraries from the installer directory into CATALINA_HOME (here /usr/local/src/tomcat6):
cp -r endorsed /usr/local/src/tomcat6/

Install

Run the install script from the installation directory:
./install.sh
install:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Be sure you have read the installation/upgrade instructions on the Shibboleth website before proceeding.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Where should the Shibboleth Identity Provider software be installed? [/opt/shibboleth-idp]
/opt/shibboleth-idp
What is the fully qualified hostname of the Shibboleth Identity Provider server? [idp.example.com]
idp.example.com
A keystore is about to be generated for you. Please enter a password that will be used to protect it.
 
Updating property file: /root/shibboleth-identityprovider-2.3.5-slo10/src/installer/resources/install.properties
Created dir: /opt/shibboleth-idp
Created dir: /opt/shibboleth-idp/bin
Created dir: /opt/shibboleth-idp/conf
Created dir: /opt/shibboleth-idp/credentials
Created dir: /opt/shibboleth-idp/lib
Created dir: /opt/shibboleth-idp/lib/endorsed
Created dir: /opt/shibboleth-idp/logs
Created dir: /opt/shibboleth-idp/metadata
Created dir: /opt/shibboleth-idp/war
Generating signing and encryption key, certificate, and keystore.
Copying 5 files to /opt/shibboleth-idp/bin
Copying 9 files to /opt/shibboleth-idp/conf
Copying 1 file to /opt/shibboleth-idp/metadata
Copying 51 files to /opt/shibboleth-idp/lib
Copying 5 files to /opt/shibboleth-idp/lib/endorsed
Copying 1 file to /root/shibboleth-identityprovider-2.3.5-slo10/src/installer
Building war: /root/shibboleth-identityprovider-2.3.5-slo10/src/installer/idp.war
Copying 1 file to /opt/shibboleth-idp/war
Deleting: /root/shibboleth-identityprovider-2.3.5-slo10/src/installer/web.xml
Deleting: /root/shibboleth-identityprovider-2.3.5-slo10/src/installer/idp.war

BUILD SUCCESSFUL
Edit the Apache configuration /etc/apache2/sites-enabled/default-ssl:
Listen 443

<VirtualHost IDP-IP-ADRESSE:443 [IDP-IPv6-ADRESSE]:443>
  ServerName              idp.example.com:443
  SSLEngine               on
  SSLCertificateFile      /etc/apache2/ssl/cert/servercert.pem
  SSLCertificateKeyFile   /etc/apache2/ssl/private/serverkey.pem

  <Location /idp>
    Allow from all
    ProxyPass ajp://localhost:8009/idp
  </Location>
</VirtualHost>

Listen 8443
 
<VirtualHost IDP-IP-ADRESSE:8443 [IDP-IPv6-ADRESSE]:8443>
  ServerName              idp.example.com:8443
  SSLEngine               on
  SSLCertificateFile      /etc/apache2/ssl/cert/servercert.pem
  SSLCertificateKeyFile   /etc/apache2/ssl/private/serverkey.pem
  # Apache must not validate the SP's client certificate itself, only
  # pass it through to the IdP, which checks it against the SP's
  # metadata:
  SSLVerifyClient optional_no_ca
  # so that certificates with a longer CA chain also work:
  SSLVerifyDepth  10
  # so that Apache forwards the client certificate to Tomcat:
  SSLOptions      +StdEnvVars +ExportCertData
 
  <Location /idp>
    Allow from all
    ProxyPass ajp://localhost:8009/idp
  </Location>
 
</VirtualHost>
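The two virtual hosts above split the IdP into a browser-facing front channel (443) and a SOAP back channel (8443) on which SPs authenticate with client certificates that the IdP, not Apache, validates against metadata. The checker below is an added example, not part of the original post or of the Shibboleth project: it parses a config in exactly the flat layout shown above (one VirtualHost per block, one directive per line, a nested Location) and reports when the back channel would silently break, for instance when +ExportCertData is missing so the certificate never reaches Tomcat over AJP. The embedded sample config and its IP address are constructed.

```python
"""Sanity-check the two Apache virtual hosts that front a Shibboleth IdP.

Added example (not from the original post). The parser only understands the
flat layout used there: one <VirtualHost> per block, one directive per line.
"""
import re
import sys

# Constructed sample mirroring the layout from the post; the IP is a placeholder.
GOOD_CONFIG = """
Listen 443
<VirtualHost 192.0.2.10:443>
  ServerName              idp.example.com:443
  SSLEngine               on
  SSLCertificateFile      /etc/apache2/ssl/cert/servercert.pem
  SSLCertificateKeyFile   /etc/apache2/ssl/private/serverkey.pem
  <Location /idp>
    Allow from all
    ProxyPass ajp://localhost:8009/idp
  </Location>
</VirtualHost>

Listen 8443
<VirtualHost 192.0.2.10:8443>
  ServerName              idp.example.com:8443
  SSLEngine               on
  SSLCertificateFile      /etc/apache2/ssl/cert/servercert.pem
  SSLCertificateKeyFile   /etc/apache2/ssl/private/serverkey.pem
  SSLVerifyClient optional_no_ca
  SSLVerifyDepth  10
  SSLOptions      +StdEnvVars +ExportCertData
  <Location /idp>
    Allow from all
    ProxyPass ajp://localhost:8009/idp
  </Location>
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]*)>(.*?)</VirtualHost>", re.S)


def parse_vhosts(text):
    """Return {port: {directive: [value, ...]}} for every VirtualHost block."""
    vhosts = {}
    for addr, body in VHOST_RE.findall(text):
        # First address of the block; works for "host:port" and "[v6]:port".
        port = int(addr.strip().split()[0].rsplit(":", 1)[1])
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or line.startswith("<"):
                continue  # blank, comment, or <Location> open/close tag
            name, _, value = line.partition(" ")
            directives.setdefault(name, []).append(value.strip())
        vhosts[port] = directives
    return vhosts


def check_idp_vhosts(text):
    """Return a list of findings; an empty list means the layout matches the
    intent: 443 is the browser front channel, 8443 the SP back channel."""
    findings = []
    vhosts = parse_vhosts(text)
    for port in (443, 8443):
        d = vhosts.get(port)
        if d is None:
            findings.append(f"{port}: no VirtualHost")
            continue
        if d.get("SSLEngine", [""])[0].lower() != "on":
            findings.append(f"{port}: SSLEngine is not on")
        if not any(v.startswith("ajp://") for v in d.get("ProxyPass", [])):
            findings.append(f"{port}: /idp is not proxied to Tomcat over AJP")
    front = vhosts.get(443, {})
    if "SSLVerifyClient" in front:
        # Any client-cert request on 443 makes browsers pop a certificate prompt.
        findings.append("443: SSLVerifyClient set on the browser-facing vhost")
    back = vhosts.get(8443, {})
    # Apache asks for the cert but does not judge it (optional_no_ca):
    # 'require' would reject SPs whose CA Apache does not trust, and
    # 'none' would never ask for a certificate at all.
    if back.get("SSLVerifyClient", [""])[0] != "optional_no_ca":
        findings.append("8443: SSLVerifyClient must be optional_no_ca")
    # Without +ExportCertData the certificate is not passed over AJP,
    # so the IdP has nothing to compare against the SP's metadata.
    if "+ExportCertData" not in " ".join(back.get("SSLOptions", [])).split():
        findings.append("8443: SSLOptions lacks +ExportCertData")
    if "SSLVerifyDepth" not in back:
        findings.append("8443: SSLVerifyDepth not set; longer CA chains will fail")
    return findings


if __name__ == "__main__":
    # Usage: python check_vhosts.py /etc/apache2/sites-enabled/default-ssl
    cfg = open(sys.argv[1]).read() if len(sys.argv) > 1 else GOOD_CONFIG
    for finding in check_idp_vhosts(cfg) or ["no findings"]:
        print(finding)
```

Run it against the live file after editing; with no argument it checks the embedded sample, which should produce no findings.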

Load the Shibboleth IdP in Tomcat

  • Create idp.xml:
# vi /usr/local/src/tomcat6/conf/Catalina/localhost/idp.xml
  • Add the following entry:
<Context docBase="/opt/shibboleth-idp/war/idp.war"
privileged="true" antiResourceLocking="false"
antiJARLocking="false" unpackWAR="false"
swallowOutput="true" />

Test the Shibboleth IdP

  • Start the Tomcat server
/usr/local/src/tomcat6/bin/catalina.sh start
  • Start the Apache server
  • Access https://idp.example.com/idp/profile/Status and https://idp.example.com:8443/idp/profile/Status. If everything went well, both return ok.
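A small smoke test for the last step, added here and not part of the original post: it fetches the Status handler on both channels, verifies the server certificate (optionally against a CA file you supply) and accepts only a 200 response whose body is the bare string ok. The fetch function is injectable so the logic can be exercised without a running IdP; the hostnames follow the post's idp.example.com.

```python
"""Smoke-test the IdP Status handler on the front and back channel.

Added example, not from the original post. fetch() is injectable so the
checks can run offline; the default uses urllib over verified HTTPS.
"""
import ssl
import urllib.request

STATUS_URLS = (
    "https://idp.example.com/idp/profile/Status",       # front channel, 443
    "https://idp.example.com:8443/idp/profile/Status",  # back channel, 8443
)


def https_fetch(url, cafile=None):
    """Return (http_status, body). The server certificate is checked against
    the system trust store, or against cafile if one is given."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


def status_ok(body):
    """The 2.x Status handler answers with the plain string 'ok'; anything
    else (an error page, an HTML wrapper) means the IdP is not healthy."""
    return body.strip().lower() == "ok"


def check_status(urls=STATUS_URLS, fetch=https_fetch):
    """Map each URL to True when it answered 200 with body 'ok'.
    Network or TLS errors count as a failed check rather than a crash."""
    results = {}
    for url in urls:
        try:
            code, body = fetch(url)
            results[url] = code == 200 and status_ok(body)
        except Exception:
            results[url] = False
    return results


if __name__ == "__main__":
    for url, ok in check_status().items():
        print(f"{'OK  ' if ok else 'FAIL'} {url}")
```

A failure on 8443 only, with 443 fine, usually points at the second VirtualHost or its AJP proxy rather than at the IdP itself.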
