Info: This page is now being maintained here.
Reference
SP Instance Setup
- start up Alestic 32-bit Ubuntu 11.10 instance (ami-6ba27502)
- apt

```shell
sudo apt-get update
sudo apt-get upgrade -y
```
- users
  - prepare for staff accounts
  - create staff account: shib

```shell
sudo useradd -m -k /etc/skel-staff -s /bin/bash -g staff shib
sudo passwd shib [shib-password]
```
- utils

```shell
sudo apt-get install unzip -y
sudo apt-get install tree -y
```
- env

```shell
vi ~/.bashrc
```

  add:

```shell
export JAVA_HOME=/usr/lib/jvm/java-6-openjdk/jre
```
apache
- install

```shell
sudo apt-get install apache2-mpm-worker -y
```
- backup original

```shell
sudo cp -a /etc/apache2/ /tmp/2012-02-21.orig
sudo mkdir /etc/apache2/.backup
sudo mv /tmp/2012-02-21.orig/ /etc/apache2/.backup/
```
- modules

```shell
sudo a2enmod authnz_ldap
sudo a2enmod ssl
sudo a2enmod rewrite
sudo apt-get install libapache2-mod-proxy-html
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod proxy_ajp
sudo a2ensite default-ssl
```
- proxy

```shell
sudo vi /etc/apache2/mods-enabled/proxy.conf
```

```apacheconf
<Proxy *>
    AddDefaultCharset off
    Order deny,allow
    #Deny from all
    #Allow from .example.com
    Allow from all
</Proxy>

ProxyVia On
ProxyPass / ajp://localhost:8009/
```
- apache default site

```shell
sudo vi /etc/apache2/sites-enabled/000-default
```

  add:

```apacheconf
ServerAdmin admin@duraspace.org
RewriteEngine On
RewriteOptions Inherit
```
apache cert
- reference

```shell
sudo vi /etc/apache2/sites-enabled/default-ssl
```

  add:

```apacheconf
ServerAdmin admin@duracloud.org
RewriteEngine On
RewriteOptions Inherit

SSLCertificateFile      /etc/ssl/certs/duracloud.org.crt
SSLCertificateKeyFile   /etc/ssl/private/duracloud.org.key
#SSLCertificateFile     /etc/ssl/certs/ssl-cert-snakeoil.pem
#SSLCertificateKeyFile  /etc/ssl/private/ssl-cert-snakeoil.key
SSLCertificateChainFile /etc/ssl/certs/gd_bundle.crt
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
```
tomcat
```shell
sudo apt-get install tomcat6 -y
```
- tomcat, jk

```shell
sudo mkdir /usr/share/tomcat6/logs
sudo mkdir -p /usr/share/tomcat6/conf/jk
sudo vi /usr/share/tomcat6/conf/jk/workers.properties
```

```properties
worker.list = worker1
worker.worker1.type = ajp13
worker.worker1.port = 8009
worker.worker1.connection_pool_size = 1
worker.worker1.connection_pool_timeout = 60
```

```shell
sudo chown -R tomcat6 /usr/share/tomcat6/*
```

```shell
sudo cp -a /var/lib/tomcat6/conf/server.xml /var/lib/tomcat6/conf/server.xml.orig
sudo vi /var/lib/tomcat6/conf/server.xml
```

  add:

```xml
<Connector port="8009" enableLookups="false" redirectPort="8443"
           protocol="AJP/1.3" tomcatAuthentication="false" address="127.0.0.1" />

<Listener className="org.apache.jk.config.ApacheConfig"
          modJk="/usr/lib/apache2/modules/mod_jk.so"
          jkConfig="/usr/share/tomcat6/conf/jk/mod_jk.conf"
          workersConfig="/usr/share/tomcat6/conf/jk/workers.properties" />
```
- tomcat, sample.war
- deploy sample.war to /var/lib/tomcat6/webapps/
shib SP
- debian package

```shell
sudo apt-get install libapache2-mod-shib2 -y
# note, patch required after initial install attempt:
# https://bugs.launchpad.net/ubuntu/+source/shibboleth-sp2/+bug/884402 (borice 2011-11-22)
sudo apt-get install libshibsp-dev -y
sudo apt-get install libshibsp-doc
sudo a2enmod shib2
```
- shibboleth2.xml update

```shell
sudo cp /etc/shibboleth/shibboleth2.xml /etc/shibboleth/shibboleth2.xml.orig
sudo vi /etc/shibboleth/shibboleth2.xml
```
- diff of shibboleth2.xml and shibboleth2.xml.orig
- attribute-map.xml

```shell
sudo cp /etc/shibboleth/attribute-map.xml /etc/shibboleth/attribute-map.xml.orig
sudo vi /etc/shibboleth/attribute-map.xml
```

  add:

```xml
<!-- Principal ID -->
<Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" id="principal-id"/>
```
- logger

```shell
sudo cp /etc/shibboleth/shibd.logger /etc/shibboleth/shibd.logger.orig
sudo vi /etc/shibboleth/shibd.logger
```

  from:

```properties
log4j.rootCategory=INFO, shibd_log, warn_log
```

  to:

```properties
log4j.rootCategory=DEBUG, shibd_log, warn_log
```
- shib keys (see http://www.ctrip.ufl.edu/shiboleth2-sp-on-debian-lenny-howto)

```shell
cd /usr/sbin
sudo ./shib-keygen -h shib.dfr.duracloud.org
```
- shib / apache

```shell
sudo vi /etc/apache2/sites-available/default-ssl
```

  add at bottom:

```apacheconf
<Location /sample/hello*>
    AuthType shibboleth
    ShibRequireSession On
    require valid-user
</Location>

<Location /sample/basic*>
    AuthType basic
    AuthName "Woods Basic"
    AuthUserFile /home/shib/shib.db
    require valid-user
</Location>

<LocationMatch /sample/[^b]>
    AuthType shibboleth
    ShibRequireSession On
    require valid-user
</LocationMatch>
```

```shell
sudo vi /etc/apache2/httpd.conf
```

  add at bottom:

```apacheconf
<Location />
    AuthType shibboleth
    ShibRequireSession Off
    require valid-user
    ShibUseHeaders On
    require shibboleth
</Location>
```
restart
```shell
sudo service apache2 restart
sudo service tomcat6 restart
sudo service shibd restart
```
Test
- Hit the sample URL: https://dev.duracloud.org/sample/hello.jsp
- Verify that user is prompted for credentials (at least first time)
- Verify that REMOTE_USER is populated with username (on webpage)
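One extra check worth running after the steps above, as an added example that is not part of the original page: with `tomcatAuthentication="false"` Tomcat accepts whatever REMOTE_USER Apache/mod_shib forwards over AJP, so the connector from the server.xml step must stay bound to 127.0.0.1 and its port must match workers.properties. The script below verifies both against constructed copies of those two files (the helper names `ajp_attr` and `check_ajp` are mine).

```shell
#!/bin/sh
# Added example, not part of the original wiki page. With tomcatAuthentication="false"
# Tomcat trusts the REMOTE_USER that Apache/mod_shib hands it over AJP, so the AJP
# connector must listen only on 127.0.0.1 and its port must match workers.properties.
# The server.xml / workers.properties inputs below are constructed so this runs offline.

# Print one attribute value ($2) of the <Connector protocol="AJP/1.3"> element in file $1.
ajp_attr() {
    grep -o '<Connector[^>]*protocol="AJP/1.3"[^>]*/>' "$1" \
      | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# Return 0 when the AJP connector is loopback-only and its port matches workers.properties.
check_ajp() {
    addr=$(ajp_attr "$1" address)
    port=$(ajp_attr "$1" port)
    worker_port=$(sed -n 's/^worker\.worker1\.port[[:space:]]*=[[:space:]]*//p' "$2")
    if [ "$addr" != "127.0.0.1" ]; then
        echo "FAIL: AJP address is '${addr:-unset}', expected 127.0.0.1 (port $port reachable from the network)"
        return 1
    fi
    if [ "$port" != "$worker_port" ]; then
        echo "FAIL: server.xml AJP port '$port' does not match workers.properties port '$worker_port'"
        return 1
    fi
    echo "OK: AJP connector bound to 127.0.0.1:$port and matches workers.properties"
}

TMP=$(mktemp -d)
cat > "$TMP/workers.properties" <<'EOF'
worker.list = worker1
worker.worker1.type = ajp13
worker.worker1.port = 8009
EOF
# Constructed copy of the connector from the server.xml step above (loopback-only).
cat > "$TMP/server-good.xml" <<'EOF'
<Connector port="8009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" tomcatAuthentication="false" address="127.0.0.1" />
EOF
# Constructed variant with the address attribute left out: Tomcat would then bind all interfaces.
cat > "$TMP/server-bad.xml" <<'EOF'
<Connector port="8009" protocol="AJP/1.3" tomcatAuthentication="false" />
EOF

check_ajp "$TMP/server-good.xml" "$TMP/workers.properties"
check_ajp "$TMP/server-bad.xml" "$TMP/workers.properties" || true
```

On a live instance, point `check_ajp` at /var/lib/tomcat6/conf/server.xml and /usr/share/tomcat6/conf/jk/workers.properties instead of the constructed files.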