Changes between Version 5 and Version 6 of idpiam2018
- Timestamp: Sep 3, 2018, 8:18:42 AM
idpiam2018
v5 v6 453 453 == Speed up Tomcat 8 startup == 454 454 455 456 455 21. Find out the JARs that can be skipped from the scanning: 457 * 458 {{{ 459 cd /opt/shibboleth-idp/}}} * 460 {{{ 461 ls webapp/WEB-INF/lib | awk '{print $1",\\"}'}}} 462 Insert the output list into ```/etc/tomcat8/catalina.properties``` at the tail of ```tomcat.util.scan.StandardJarScanFilter.jarsToSkip}}} Make sure about the ```,\``` symbols 463 464 Restart Tomcat 8: 465 * 456 * 457 {{{ 458 cd /opt/shibboleth-idp/ 459 }}} 460 * 461 {{{ 462 ls webapp/WEB-INF/lib | awk '{print $1",\\"}' 463 }}} 464 Insert the output list into `/etc/tomcat8/catalina.properties` at the tail of `tomcat.util.scan.StandardJarScanFilter.jarsToSkip` Make sure about the `,\` symbols 465 466 Restart Tomcat 8: 467 * 466 468 {{{ 467 469 service tomcat8 restart}}} 468 470 469 ### Configure Shibboleth Identity Provider v3.2.1 to release the persistent-id (Stored mode) 470 471 == Configure Shibboleth Identity Provider v3.2.1 to release the persistent-id (Stored mode) == 471 472 472 473 22. Test IdP by opening a terminal and running these commands: 473 474 * 474 475 {{{ 475 cd /opt/shibboleth-idp/bin}}}* 476 {{{ 477 ./status.sh``` (You should see some informations about the IdP installed) 476 cd /opt/shibboleth-idp/bin 477 }}} 478 * 479 {{{ 480 ./status.sh}}} 481 (You should see some informations about the IdP installed) 478 482 479 483 23. 
Install '''MySQL Connector Java''' and other useful libraries used by Tomcat for MySQL DB (if you don't have them already): 480 484 * 481 485 {{{ 482 apt-get install mysql-server libmysql-java libcommons-dbcp-java libcommons-pool-java}}}* 483 {{{ 484 cd /usr/share/tomcat8/lib/}}}* 485 {{{ 486 ln -s ../../java/mysql.jar mysql-connector-java.jar}}}* 487 {{{ 488 ln -s ../../java/commons-pool.jar commons-pool.jar}}}* 489 {{{ 490 ln -s ../../java/commons-dbcp.jar commons-dbcp.jar}}}* 491 {{{ 492 ln -s ../../java/tomcat-jbcp.jar tomcat-jbcp.jar}}} Ignore if you get errors for some of the ```ln``` commands as the files might be already there. 486 apt-get install mysql-server libmysql-java libcommons-dbcp-java libcommons-pool-java 487 }}} 488 * 489 {{{ 490 cd /usr/share/tomcat8/lib/ 491 }}} 492 * 493 {{{ 494 ln -s ../../java/mysql.jar mysql-connector-java.jar 495 }}} 496 * 497 {{{ 498 ln -s ../../java/commons-pool.jar commons-pool.jar 499 }}} 500 * 501 {{{ 502 ln -s ../../java/commons-dbcp.jar commons-dbcp.jar 503 }}} 504 * 505 {{{ 506 ln -s ../../java/tomcat-jbcp.jar tomcat-jbcp.jar}}} Ignore if you get errors for some of the `ln` commands as the files might be already there. 493 507 494 508 24. Rebuild the '''idp.war''' of Shibboleth with the new libraries: 495 509 * 496 510 {{{ 497 cd /opt/shibboleth-idp/ ; ./bin/build.sh}}} You may need to press enter on `Installation Directory: [/opt/shibboleth-idp]` 511 cd /opt/shibboleth-idp/ ; ./bin/build.sh 512 }}} 513 You may need to press enter on `Installation Directory: [/opt/shibboleth-idp]` 498 514 499 515 25. Create and prepare the "'''shibboleth'''" MySQL DB to host the values of the several '''persistent-id''' and '''StorageRecords''' MySQL DB to host other useful information about user consent: 500 516 501 * `mysql_secure_installation` 502 503 504 }}}Securing the MySQL server deployment.517 * '''mysql_secure_installation''' 518 519 {{{ 520 Securing the MySQL server deployment. 
505 521 506 522 Connecting to MySQL using a blank password. … … 566 582 All done! 567 583 }}} 568 * log in to your MySQL Server: 569 ```mysql -u root -p}}} 570 ```sql 584 * log in to your MySQL Server: `mysql -u root -p' 585 {{{ 571 586 SET NAMES 'utf8'; 572 587 … … 607 622 quit 608 623 }}} 609 610 * Restart mysql service: 611 ```service mysql restart}}} 612 26. Enable the generation of the ```persistent-id``` (this replace the deprecated attribute *eduPersonTargetedID*) 613 614 * 615 {{{ 616 vim /opt/shibboleth-idp/conf/saml-nameid.properties}}} 617 (the *sourceAttribute* MUST BE an attribute, or a list of comma-separated attributes, that uniquely identify the subject of the generated ```persistent-id```. It MUST BE: '''Stable''', '''Permanent''' and '''Not-reassignable''') 624 * Restart mysql service: `service mysql restart' 625 26. Enable the generation of the `persistent-id` (this replace the deprecated attribute //eduPersonTargetedID//) 626 * 627 {{{ 628 vim /opt/shibboleth-idp/conf/saml-nameid.properties 629 }}} 630 (the //sourceAttribute// MUST BE an attribute, or a list of comma-separated attributes, that uniquely identify the subject of the generated `persistent-id`. It MUST BE: '''Stable''', '''Permanent''' and '''Not-reassignable''') 618 631 619 632 {{{ … … 628 641 idp.persistentId.computed = shibboleth.ComputedPersistentIdGenerator 629 642 }}} 630 631 632 {{{ 633 vim /opt/shibboleth-idp/conf/saml-nameid.xml }}}634 Remove the comment from the line containing: 635 643 * Enable the '''SAML2PersistentGenerator''': 644 * 645 {{{ 646 vim /opt/shibboleth-idp/conf/saml-nameid.xml 647 }}} 648 Remove the comment from the line containing: 636 649 {{{ 637 650 <ref bean="shibboleth.SAML2PersistentGenerator" /> 638 639 640 {{{ 641 vim /opt/shibboleth-idp/conf/c14n/subject-c14n.xml }}}642 Remove the comment to the bean called "'''c14n/SAML2Persistent'''". 
643 651 }}} 652 * 653 {{{ 654 vim /opt/shibboleth-idp/conf/c14n/subject-c14n.xml 655 }}} 656 Remove the comment to the bean called "'''c14n/SAML2Persistent'''". 644 657 {{{ 645 658 <ref bean="c14n/SAML2Persistent" /> 646 659 }}} 647 660 27. Enable '''JPAStorageService''' for the '''StorageService''' of the user consent: 648 * 649 {{{ 650 vim /opt/shibboleth-idp/conf/global.xml``` and add this piece of code to the tail before the ending \</beans\>: 661 * `vim /opt/shibboleth-idp/conf/global.xml` and add this piece of code to the tail before the ending \</beans\>: 651 662 652 663 {{{ … … 681 692 <property name="database" value="MYSQL" /> 682 693 </bean> 683 }}} (and modify the "'''USER_DB_NAME'''" and "'''PASSWORD'''" for your "'''shibboleth'''" DB) 684 685 * Modify the IdP configuration file: 686 * 687 {{{ 688 vim /opt/shibboleth-idp/conf/idp.properties}}} 694 }}} 695 (and modify the "'''USER_DB_NAME'''" and "'''PASSWORD'''" for your "'''shibboleth'''" DB) 696 697 * Modify the IdP configuration file: 698 * 699 {{{ 700 vim /opt/shibboleth-idp/conf/idp.properties 701 }}} 689 702 {{{ 690 703 idp.session.StorageService = shibboleth.JPAStorageService … … 696 709 # Support lookup by SP for SAML logout 697 710 idp.session.secondaryServiceIndex = true 698 711 }}} 699 712 (This will indicate to IdP to store the data collected by User Consent into the "'''StorageRecords'''" table) 700 713 701 714 702 715 28. Connect the openLDAP to the IdP to allow the authentication of the users: 703 * use ` ``openssl x509 -outform der -in /etc/ssl/certs/ldap_server.pem -out /opt/shibboleth-idp/credentials/ldap_server.crt``` to load the ldap certificate.716 * use `openssl x509 -outform der -in /etc/ssl/certs/ldap_server.pem -out /opt/shibboleth-idp/credentials/ldap_server.crt` to load the ldap certificate. 
704 717 705 If you host ldap in a seperate machine, copy the ldap_server.crt to ` ``/opt/shibboleth-idp/credentials}}} *718 If you host ldap in a seperate machine, copy the ldap_server.crt to `/opt/shibboleth-idp/credentials}}} * 706 719 {{{ 707 720 vim /opt/shibboleth-idp/conf/ldap.properties}}} … … 763 776 * 764 777 {{{ 765 ldapsearch -H ldap:// -x -b "dc=example,dc=it" -LLL dn}}} * the baseDN ==> ` ``ou=people, dc=example,dc=org``` (branch containing the registered users)766 * the bindDN ==> ` ``cn=admin,dc=example,dc=org``` (distinguished name for the user that can made queries on the LDAP)778 ldapsearch -H ldap:// -x -b "dc=example,dc=it" -LLL dn}}} * the baseDN ==> `ou=people, dc=example,dc=org` (branch containing the registered users) 779 * the bindDN ==> `cn=admin,dc=example,dc=org` (distinguished name for the user that can made queries on the LDAP) 767 780 768 781 … … 780 793 30. Build the '''attribute-resolver.xml''' to define which attributes your IdP can manage. Here you can find the '''attribute-resolver-v1-LEARN.xml''' provided by LEARN: 781 794 * Download the attribute resolver provided by LEARN: 782 ` ``wget https://fr-training.ac.lk/attribute-resolver-v1-LEARN.xml -O /opt/shibboleth-idp/conf/attribute-resolver-v1-LEARN.xml}}}783 * Modify ` ``services.xml``` file:784 ` ``vim /opt/shibboleth-idp/conf/services.xml}}}795 `wget https://fr-training.ac.lk/attribute-resolver-v1-LEARN.xml -O /opt/shibboleth-idp/conf/attribute-resolver-v1-LEARN.xml}}} 796 * Modify `services.xml` file: 797 `vim /opt/shibboleth-idp/conf/services.xml}}} 785 798 {{{ 786 799 <value>%{idp.home}/conf/attribute-resolver.xml</value> … … 791 804 <value>%{idp.home}/conf/attribute-resolver-v1-LEARN.xml</value> 792 805 }}} 793 * Configure the LDAP Data Connector to be compliant to the values put on ` ``ldap.properties```. (See above suggestions)806 * Configure the LDAP Data Connector to be compliant to the values put on `ldap.properties`. 
(See above suggestions) 794 807 795 808 * Restart Tomcat8: 796 ` ``service tomcat8 restart}}}797 31. Enable the SAML2 support by changing the ` ``idp-metadata.xml``` and disabling the SAML v1.x deprecated support:809 `service tomcat8 restart}}} 810 31. Enable the SAML2 support by changing the `idp-metadata.xml` and disabling the SAML v1.x deprecated support: 798 811 * 799 812 {{{ … … 843 856 }}} 844 857 32. Obtain your IdP metadata here: 845 * ` ``https://idp.YOUR-DOMAIN/idp/shibboleth}}}858 * `https://idp.YOUR-DOMAIN/idp/shibboleth}}} 846 859 33. Register you IdP on the test Federation: 847 860 * … … 880 893 }}} 881 894 * Retrive the Federation Certificate used to verify its signed metadata: 882 * ` ``wget https://fr-training.ac.lk/metadata-signer -O /opt/shibboleth-idp/metadata/federation-cert.pem}}}895 * `wget https://fr-training.ac.lk/metadata-signer -O /opt/shibboleth-idp/metadata/federation-cert.pem}}} 883 896 884 897 885 35. Reload service with id ` ``shibboleth.MetadataResolverService``` to retrieve the Federation Metadata:886 * ` ``cd /opt/shibboleth-idp/bin}}} * ```./reload-service.sh -id shibboleth.MetadataResolverService}}}898 35. Reload service with id `shibboleth.MetadataResolverService` to retrieve the Federation Metadata: 899 * `cd /opt/shibboleth-idp/bin}}} * `./reload-service.sh -id shibboleth.MetadataResolverService}}} 887 900 888 901 … … 894 907 ### Configure Attribute Filters to release the mandatory attributes to the default IDEM Resources: 895 908 896 37. Make sure that you have the "` ``tmp/httpClientCache```" used by "```shibboleth.FileCachingHttpClient```":909 37. Make sure that you have the "`tmp/httpClientCache`" used by "`shibboleth.FileCachingHttpClient`": 897 910 * 898 911 {{{ 899 912 mkdir -p /opt/shibboleth-idp/tmp/httpClientCache ; chown tomcat8 /opt/shibboleth-idp/tmp/httpClientCache}}} 900 38. Modify your ` ``services.xml```:913 38. Modify your `services.xml`: 901 914 * 902 915 {{{ … … 919 932 </util:list> 920 933 }}} 921 39. 
Reload service with id ` ``shibboleth.AttributeFilterService``` to refresh the Attribute Filter followed by the IdP:922 * ` ``cd /opt/shibboleth-idp/bin}}} * ```./reload-service.sh -id shibboleth.AttributeFilterService}}}934 39. Reload service with id `shibboleth.AttributeFilterService` to refresh the Attribute Filter followed by the IdP: 935 * `cd /opt/shibboleth-idp/bin}}} * `./reload-service.sh -id shibboleth.AttributeFilterService}}} 923 936 924 937 … … 928 941 * 929 942 {{{ 930 cd /var/log/tomcat8}}}* 943 cd /var/log/tomcat8 944 }}} 945 * 931 946 {{{ 932 947 vim catalina.out}}} … … 934 949 * 935 950 {{{ 936 cd /opt/shibboleth-idp/logs}}} * '''Audit Log:''' ` ``vim idp-audit.log}}} * '''Consent Log:''' ```vim idp-consent-audit.log}}} * '''Warn Log:''' ```vim idp-warn.log}}} * '''Process Log:''' ```vim idp-process.log}}}951 cd /opt/shibboleth-idp/logs}}} * '''Audit Log:''' `vim idp-audit.log}}} * '''Consent Log:''' `vim idp-consent-audit.log}}} * '''Warn Log:''' `vim idp-warn.log}}} * '''Process Log:''' `vim idp-process.log}}}
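Review bot: in step 21 the pipeline `ls webapp/WEB-INF/lib | awk '{print $1",\\"}'` appends `,\` to every JAR name, including the last one, so pasting its output at the tail of `tomcat.util.scan.StandardJarScanFilter.jarsToSkip` leaves a dangling line continuation that swallows whatever property follows it in `/etc/tomcat8/catalina.properties`. The sentence "Make sure about the `,\` symbols" should spell this out: the existing last entry of `jarsToSkip` gains a trailing `,\`, every pasted line except the final one ends in `,\`, and the final JAR name has no `,\` at all.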
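Review bot: wording to carry into the next revision of steps 22 to 26: "some informations" should read "some information", "this replace the deprecated attribute" should read "this replaces the deprecated attribute", and "attributes, that uniquely identify" should read "attributes that uniquely identify". The v6 switch of the "Configure Shibboleth Identity Provider v3.2.1 ..." heading from `###` to `== ... ==` is the correct Trac syntax; the same change should also close the inline spans `mysql -u root -p'` and `service mysql restart'` in step 25 with a backtick rather than an apostrophe, otherwise Trac renders them as literal text.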
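Review bot: step 27 places the `USER_DB_NAME` and `PASSWORD` of the shibboleth DB into `/opt/shibboleth-idp/conf/global.xml` in clear text, and the guide says nothing about who may read that file. Add a line after the bean that limits it to the account Tomcat runs as (tomcat8 on this page, see the `chown tomcat8` in step 37), for example `chown root:tomcat8 /opt/shibboleth-idp/conf/global.xml; chmod 640 /opt/shibboleth-idp/conf/global.xml`, and say that the MySQL account named there should be granted rights on the shibboleth database only.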
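Review bot: in steps 28 and 29 the sample `ldapsearch -H ldap:// -x -b "dc=example,dc=it" -LLL dn` has no host in its `-H` URI and uses the suffix `dc=example,dc=it`, while the baseDN and bindDN bullets right after it use `dc=example,dc=org`; pick one suffix and give the URI a host (for example `-H ldap://localhost`). Also fix "seperate" to "separate", "can made queries" to "can make queries", and the span `` `/opt/shibboleth-idp/credentials}}} ``, which opens with a backtick and closes with `}}}`.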
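Review bot: the v6 conversion from triple backticks to single backticks left many inline spans closed with `}}}` instead of a backtick: the `wget` and `vim /opt/shibboleth-idp/conf/services.xml` lines and `service tomcat8 restart` in step 30, the metadata URL in step 32, the `wget ... federation-cert.pem` line in step 34, the `cd` / `reload-service.sh` pairs in steps 35 and 39, and the `vim idp-*.log` items in step 40. In Trac `}}}` only closes a `{{{` block, so these render as literal text; replace each trailing `}}}` with a closing backtick. In step 40 the `cd /opt/shibboleth-idp/logs}}}` block also needs its own line before the `'''Audit Log:'''` bullets, as this same change already did for the `cd /var/log/tomcat8` block.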
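Review bot: step 34 fetches the federation metadata signing certificate with `wget https://fr-training.ac.lk/metadata-signer -O /opt/shibboleth-idp/metadata/federation-cert.pem` and step 35 reloads `shibboleth.MetadataResolverService` with it straight away. That certificate is the trust anchor for every SP the IdP will accept from the federation, so the guide should ask the reader to compare its fingerprint, for example with `openssl x509 -in /opt/shibboleth-idp/metadata/federation-cert.pem -noout -fingerprint -sha256`, against the value LEARN publishes out of band before running the reload. Also "Retrive" should read "Retrieve" and "Register you IdP" should read "Register your IdP".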