Configuration of Shibboleth 0.8 origin side on Debian GNU/Linux stable/i386
Most of this document can also be found in the origin deployment guide
on shibboleth's homepage. For this installation, the configuration
directory /etc/opt/jakarta-tomcat-4.1.24-LE-jdk14/shibboleth/ has been used.
/etc/opt/jakarta-tomcat-4.1.24-LE-jdk14/shibboleth/keystore.jks:
The certificates and keys used for apache can be shared with shibboleth.
This requires to store them in a java keystore. Shibboleth comes bundled
with an filled one. For the SWITCH AAI, it is a good idea to begin with
an empty keystore for productive installations. An already filled one
"keystore.jks" is in the source tree of shibboleth.
$ keytool -list -storepass aIa4i82 -keystore keystore.jks
will output a list of aliases. For each alias, delete it with:
$ keytool -storepass aIa4i82 -delete -alias $ALIAS -keystore keystore.jks
Or read the man page of keytool ...
/opt/jakarta-tomcat-4.1.24-LE-jdk14/conf/server.xml:
/etc/opt/jakarta-tomcat-4.1.24-LE-jdk14/shibboleth/arp.site.xml:
Simplest possible ARP.
/etc/tomcat/jk/workers.properties: (no changes)
workers.tomcat_home=/usr/share/tomcat
ps=/
worker.list=ajp12, ajp13
worker.ajp12.port=8007
worker.ajp12.host=localhost
worker.ajp12.type=ajp12
worker.ajp12.lbfactor=1
worker.ajp13.port=8009
worker.ajp13.host=localhost
worker.ajp13.type=ajp13
worker.ajp13.lbfactor=1
worker.loadbalancer.type=lb
worker.loadbalancer.balanced_workers=ajp12, ajp13
worker.inprocess.class_path=$(workers.tomcat_home)$(ps)lib$(ps)tomcat.jar
worker.inprocess.cmd_line=start
worker.inprocess.stdout=$(workers.tomcat_home)$(ps)logs$(ps)inprocess.stdout
worker.inprocess.stderr=$(workers.tomcat_home)$(ps)logs$(ps)inprocess.stderr
/etc/apache-ssl/httpd.conf:
LoadModule jk_module /usr/lib/apache/1.3/mod_jk.so
LoadModule auth_ldap_module /usr/lib/apache/1.3/auth_ldap.so
AuthType Basic
AuthName "HS"
AuthLDAPURL ldap://loihi.switch.ch:389/o=Switch,c=CH?uid?sub?(objectClass=*)
require valid-user
JkWorkersFile /etc/tomcat/jk/workers.properties
JkLogFile "/var/log/apache/mod_jk.log"
JkLogLevel debug
JkMount /shibboleth/* ajp13
/etc/opt/jakarta-tomcat-4.1.24-LE-jdk14/shibboleth/origin.properties:
Remember to replace $PASS with your password.
edu.internet2.middleware.shibboleth.hs.HandleServlet.issuer = maunakea.switch.ch
edu.internet2.middleware.shibboleth.hs.HandleServlet.authenticationDomain = \
switch.ch
edu.internet2.middleware.shibboleth.hs.HandleServlet.AAUrl = \
https://maunakea.switch.ch/shibboleth/AA
edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStorePath = \
file:///etc/opt/jakarta-tomcat-4.1.24-LE-jdk14/shibboleth/keystore.jks
edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStorePassword = $PASS
edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStoreKeyAlias = switch
edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStoreKeyPassword = $PASS
edu.internet2.middleware.shibboleth.aa.AAServlet.authorityName = \
maunakea.switch.ch
edu.internet2.middleware.shibboleth.aa.AAServlet.passThruErrors = false
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
java.naming.provider.url = ldap://loihi.switch.ch/o=SWITCH,c=ch
edu.internet2.middleware.shibboleth.aa.AAServlet.ldapUserDnPhrase = uid=%s
edu.internet2.middleware.shibboleth.aa.arp.ArpRepository.implementation = \
edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository
edu.internet2.middleware.shibboleth.aa.arp.provider.\
FileSystemArpRepository.Path = file:///etc/opt/jakarta-tomcat-4.1.24-LE-jdk14/shibboleth
edu.internet2.middleware.shibboleth.hs.HandleRepository.implementation = \
edu.internet2.middleware.shibboleth.hs.provider.MemoryHandleRepository
edu.internet2.middleware.shibboleth.audiences = urn:mace:InCommon:pilot:2003