Changes between Version 16 and Version 17 of idpiam2018

Timestamp:

Sep 12, 2018, 10:19:32 AM (6 years ago)

Author:

admin

Comment:

--

idpiam2018

@@ -31 +31 @@
 * 
 {{{
-vim /etc/environment```
+vim /etc/environment
 }}}
 {{{
@@ -189 +189 @@
 
 
-12. Install Letsencrypt and enable HTTPS:
-* 
-{{{
-   add-apt-repository ppa:certbot/certbot
-}}}
-* 
-{{{
-   apt install python-certbot-apache
-}}}
-* 
-{{{
-   certbot --apache -d idp.YOUR-DOMAIN
-}}}
-   
-{{{
-   Plugins selected: Authenticator apache, Installer apache
-   Enter email address (used for urgent renewal and security notices) (Enter 'c' to
-   cancel): YOU@YOUR-DOMAIN
-
-   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-   Please read the Terms of Service at
-   https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
-   agree in order to register with the ACME server at
-   https://acme-v02.api.letsencrypt.org/directory
-   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-   (A)gree/(C)ancel: A
-
-   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-   Would you be willing to share your email address with the Electronic Frontier
-   Foundation, a founding partner of the Let's Encrypt project and the non-profit
-   organization that develops Certbot? We'd like to send you email about our work
-   encrypting the web, EFF news, campaigns, and ways to support digital freedom.
-   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-   (Y)es/(N)o: Y
-   
-   Obtaining a new certificate
-   Performing the following challenges:
-   http-01 challenge for idp.YOUR-DOMAIN
-   Waiting for verification...
-   Cleaning up challenges
-   Created an SSL vhost at /etc/apache2/sites-available/idp-le-ssl.conf
-   Enabled Apache socache_shmcb module
-   Enabled Apache ssl module
-   Deploying Certificate to VirtualHost /etc/apache2/sites-available/idp-le-ssl.conf
-   Enabling available site: /etc/apache2/sites-available/idp-le-ssl.conf
-   
-   
-   Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-   1: No redirect - Make no further changes to the webserver configuration.
-   2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
-   new sites, or if you're confident your site works on HTTPS. You can undo this
-   change by editing your web server's configuration.
-   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-   Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
-   Redirecting vhost in /etc/apache2/sites-enabled/rr3.conf to ssl vhost in /etc/apache2/sites-available/rr3-le-ssl.conf
-   
-   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-   Congratulations! You have successfully enabled https://idp.YOUR-DOMAIN
-}}}
-  
-
-
-13. (OPTIONAL) If you haven't follow the letsencrypt method Create a Certificate and a Key self-signed for HTTPS
+12. Create a Certificate and a Key self-signed for HTTPS and enable secure web server. '''(Skip this step if you are installing IDP on production environment)''' 
 * 
 {{{
@@ -261 +198 @@
    openssl req -x509 -newkey rsa:4096 -keyout /root/certificates/idp-key-server.key -out /root/certificates/idp-cert-server.crt -nodes -days 1095
 }}}
-   If you purchased SSL certificates from a Public CA, move the Certificate and the Key file for HTTPS server to `/root/certificates`: 
-   
-* 
-{{{
-   mv /location-to-crts/idp-cert-server.crt /root/certificates
-}}}
-* 
-{{{
-   mv /location-to-crts/idp-key-server.key /root/certificates
-}}}
-* 
-{{{
-   mv /location-to-crts/PublicCA.crt /root/certificates
-}}}
+   
    
    Then,
@@ -286 +210 @@
    chmod 644 /root/certificates/idp-cert-server.crt
 }}}
-* 
-{{{
-   chmod 644 /root/certificates/PublicCA.crt
-}}}
+
 
    Create the file `/etc/apache2/sites-available/idp-ssl.conf` as follows:
@@ -322 +243 @@
         SSLCertificateFile /root/certificates/idp-cert-server.crt
         SSLCertificateKeyFile /root/certificates/idp-key-server.key
-        SSLCertificateChainFile /root/certificates/publicCA.crt
+        #SSLCertificateChainFile /root/certificates/publicCA.crt
         ...
       </VirtualHost>
@@ -353 +274 @@
    </VirtualHost>
 }}}
+
+13. ('''Do this only on your production servers''') Skip '''step 12''' and Install Letsencrypt and enable HTTPS:
+* 
+{{{
+   add-apt-repository ppa:certbot/certbot
+}}}
+* 
+{{{
+   apt install python-certbot-apache
+}}}
+* 
+{{{
+   certbot --apache -d idp.YOUR-DOMAIN
+}}}
+   
+{{{
+   Plugins selected: Authenticator apache, Installer apache
+   Enter email address (used for urgent renewal and security notices) (Enter 'c' to
+   cancel): YOU@YOUR-DOMAIN
+
+   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+   Please read the Terms of Service at
+   https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
+   agree in order to register with the ACME server at
+   https://acme-v02.api.letsencrypt.org/directory
+   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+   (A)gree/(C)ancel: A
+
+   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+   Would you be willing to share your email address with the Electronic Frontier
+   Foundation, a founding partner of the Let's Encrypt project and the non-profit
+   organization that develops Certbot? We'd like to send you email about our work
+   encrypting the web, EFF news, campaigns, and ways to support digital freedom.
+   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+   (Y)es/(N)o: Y
+   
+   Obtaining a new certificate
+   Performing the following challenges:
+   http-01 challenge for idp.YOUR-DOMAIN
+   Waiting for verification...
+   Cleaning up challenges
+   Created an SSL vhost at /etc/apache2/sites-available/idp-le-ssl.conf
+   Enabled Apache socache_shmcb module
+   Enabled Apache ssl module
+   Deploying Certificate to VirtualHost /etc/apache2/sites-available/idp-le-ssl.conf
+   Enabling available site: /etc/apache2/sites-available/idp-le-ssl.conf
+   
+   
+   Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
+   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+   1: No redirect - Make no further changes to the webserver configuration.
+   2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
+   new sites, or if you're confident your site works on HTTPS. You can undo this
+   change by editing your web server's configuration.
+   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+   Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
+   Redirecting vhost in /etc/apache2/sites-enabled/rr3.conf to ssl vhost in /etc/apache2/sites-available/rr3-le-ssl.conf
+   
+   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+   Congratulations! You have successfully enabled https://idp.YOUR-DOMAIN
+}}}
+  
+
 
 == Configure Apache Tomcat 8 ==
@@ -517 +501 @@
 You may need to press enter on `Installation Directory: [/opt/shibboleth-idp]`
 
-25. Create and prepare the "'''shibboleth'''" MySQL DB to host the values of the several '''persistent-id''' and '''StorageRecords''' MySQL DB to host other useful information about user consent:
-
-* '''mysql_secure_installation'''
+25. Create and prepare the "'''shibboleth'''" MySQL DB to host the values of the several '''persistent-id''' and '''!StorageRecords'''  MySQL DB to host other useful information about user consent:
+
+* {{{mysql_secure_installation}}}
 
 {{{
@@ -586 +570 @@
 All done!
 }}}
-* log in to your MySQL Server: `mysql -u root -p'`    
+* log in to your MySQL Server: `mysql -u root -p` Make sure to replace `##ROOT-DB-PASSWORD##`, `##USERNAME##`, `##PASSWORD##` with your own
 {{{
     SET NAMES 'utf8';