Configuration of Shibboleth 0.8 origin side on Debian GNU/Linux stable/i386

Most of this document can also be found in the origin deployment guide
on shibboleth's homepage. For this installation, the configuration
directory /etc/opt/jakarta-tomcat-4.1.24-LE-jdk14/shibboleth/ has been used.

/etc/opt/jakarta-tomcat-4.1.24-LE-jdk14/shibboleth/keystore.jks:

The certificates and keys used for Apache can be shared with Shibboleth.
This requires storing them in a Java keystore. Shibboleth comes bundled
with a filled one. For the SWITCH AAI, it is a good idea to begin with
an empty keystore for production installations, since the bundled keys and
their password are part of the public distribution. An already filled one,
"keystore.jks", is in the source tree of Shibboleth.
$ keytool -list -storepass aIa4i82 -keystore keystore.jks
will output a list of aliases. For each alias, delete it with:
$ keytool -storepass aIa4i82 -delete -alias $ALIAS -keystore keystore.jks
Or read the man page of keytool ...

/opt/jakarta-tomcat-4.1.24-LE-jdk14/conf/server.xml:

<Server port="8005" shutdown="SHUTDOWN" debug="0">
  <Service name="Tomcat-Standalone">
    <!-- AJP13 connector that mod_jk forwards /shibboleth/* to (see the JkMount
         in httpd.conf and worker.ajp13 in workers.properties). It is bound to
         127.0.0.1 only. With tomcatAuthentication="false" Tomcat accepts the
         user name that Apache already authenticated (auth_ldap on /shibboleth/HS)
         instead of authenticating again, so the loopback binding is what keeps
         port 8009 from being reachable by anything other than the local Apache.
         Keep address="127.0.0.1" if the host gets additional interfaces. -->
    <Connector className="org.apache.ajp.tomcat4.Ajp13Connector" port="8009"
        minProcessors="5" maxProcessors="75" acceptCount="10" debug="0"
        address="127.0.0.1" tomcatAuthentication="false" />
    <Engine name="Standalone" defaultHost="localhost" debug="0">
      <!-- Engine-wide log; catalina_log.<timestamp>.txt in the default log dir. -->
      <Logger className="org.apache.catalina.logger.FileLogger"
          prefix="catalina_log." suffix=".txt" timestamp="true" />
      <!-- NOTE(review): MemoryRealm is the default file-based realm; it is
           presumably not relied on here because the HS is protected by Apache
           (see httpd.conf) - confirm that no web application uses it. -->
      <Realm className="org.apache.catalina.realm.MemoryRealm" />
      <Host name="localhost" debug="0" appBase="webapps" unpackWARs="false">
        <!-- Per-request access log in Common Log Format under logs/. -->
        <Valve className="org.apache.catalina.valves.AccessLogValve"
            directory="logs"  prefix="localhost_access_log." suffix=".txt"
            pattern="common" />
        <!-- Host-level log; localhost_log.<timestamp>.txt under logs/. -->
        <Logger className="org.apache.catalina.logger.FileLogger"
            directory="logs" prefix="localhost_log." suffix=".txt"
            timestamp="true"/>
      </Host>
    </Engine>
  </Service>
</Server>


/etc/opt/jakarta-tomcat-4.1.24-LE-jdk14/shibboleth/arp.site.xml:

<?xml version="1.0" encoding="UTF-8"?>
<!-- Site-wide attribute release policy (ARP) loaded by the AA from the
     FileSystemArpRepository path given in origin.properties. It holds one
     rule whose target is <AnyTarget/>, i.e. the listed attributes are
     released to every requester without any per-target restriction.
     Anything permitted here leaves the origin for any service provider the
     AA answers, so review the attribute list before production use. -->
<AttributeReleasePolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="urn:mace:shibboleth:arp:1.0"
    xsi:schemaLocation="urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd">
  <Description>
    Simplest possible ARP.
  </Description>
  <Rule>
    <!-- Matches every requesting target. -->
    <Target>
      <AnyTarget/>
    </Target>
    <!-- Affiliation (e.g. member@switch.ch) released with any value. -->
    <Attribute name="urn:mace:eduPerson:1.0:eduPersonScopedAffiliation">
      <AnyValue release="permit"/>
    </Attribute>
    <!-- roomNumber is personal data; released to all targets by this rule -
         confirm this is intended. -->
    <Attribute name="urn:mace:eduPerson:1.0:roomNumber">
      <AnyValue release="permit"/>
    </Attribute>
  </Rule>
</AttributeReleasePolicy>




/etc/tomcat/jk/workers.properties: (no changes)

# mod_jk worker definitions read via JkWorkersFile in httpd.conf.
# Only worker "ajp13" is actually mounted there (JkMount /shibboleth/* ajp13);
# it must match the Ajp13Connector in server.xml (127.0.0.1:8009).
workers.tomcat_home=/usr/share/tomcat
# Path separator used by the $(ps) substitutions below.
ps=/
worker.list=ajp12, ajp13
# NOTE(review): no ajp12 connector (port 8007) is defined in the server.xml
# above; this worker is presumably unused - confirm before relying on it.
worker.ajp12.port=8007
worker.ajp12.host=localhost
worker.ajp12.type=ajp12
worker.ajp12.lbfactor=1
# Worker that carries the Shibboleth HS/AA requests to Tomcat on loopback.
worker.ajp13.port=8009
worker.ajp13.host=localhost
worker.ajp13.type=ajp13
worker.ajp13.lbfactor=1
# Load balancer over both AJP workers; not referenced by any JkMount here.
worker.loadbalancer.type=lb
worker.loadbalancer.balanced_workers=ajp12, ajp13
# In-process (JNI) worker settings; not in worker.list, so not started.
worker.inprocess.class_path=$(workers.tomcat_home)$(ps)lib$(ps)tomcat.jar
worker.inprocess.cmd_line=start
worker.inprocess.stdout=$(workers.tomcat_home)$(ps)logs$(ps)inprocess.stdout
worker.inprocess.stderr=$(workers.tomcat_home)$(ps)logs$(ps)inprocess.stderr


/etc/apache-ssl/httpd.conf:

# mod_jk hands /shibboleth/* to Tomcat over AJP13; auth_ldap protects the
# Handle Service so that Tomcat receives an already-authenticated user name
# (server.xml runs the connector with tomcatAuthentication="false").
LoadModule     jk_module         /usr/lib/apache/1.3/mod_jk.so
LoadModule     auth_ldap_module  /usr/lib/apache/1.3/auth_ldap.so
# HTTP Basic authentication against LDAP for the Handle Service. This is the
# apache-ssl configuration, so the Basic credentials travel from the browser
# over TLS. The AuthLDAPURL itself uses plain ldap:// on port 389, so the bind
# and search between this host and loihi.switch.ch are not protected by this
# directive - acceptable only on a trusted network segment (confirm).
# "require valid-user" admits every account that can bind; narrow it if only
# a subset of users should obtain handles.
<Location /shibboleth/HS>
  AuthType     Basic
  AuthName     "HS"
  AuthLDAPURL  ldap://loihi.switch.ch:389/o=Switch,c=CH?uid?sub?(objectClass=*)
  require      valid-user
</Location>
<IfModule mod_jk.c>
  JkWorkersFile  /etc/tomcat/jk/workers.properties
  JkLogFile      "/var/log/apache/mod_jk.log"
  # "debug" is very verbose and records request details; lower it (info or
  # error) once the deployment works.
  JkLogLevel     debug
  # Everything under /shibboleth/ (HS and AA) goes to worker ajp13.
  JkMount        /shibboleth/*   ajp13
</IfModule>


/etc/opt/jakarta-tomcat-4.1.24-LE-jdk14/shibboleth/origin.properties:

Remember to replace $PASS with your password.

# Handle Service (HS): issuer name, the authentication domain it asserts and
# the AA URL it points targets to.
edu.internet2.middleware.shibboleth.hs.HandleServlet.issuer = maunakea.switch.ch
edu.internet2.middleware.shibboleth.hs.HandleServlet.authenticationDomain = \
    switch.ch
edu.internet2.middleware.shibboleth.hs.HandleServlet.AAUrl = \
    https://maunakea.switch.ch/shibboleth/AA
# Signing key: the keystore prepared above and the alias of the site key.
edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStorePath = \
    file:///etc/opt/jakarta-tomcat-4.1.24-LE-jdk14/shibboleth/keystore.jks
# Once $PASS is substituted, the keystore and key passwords sit in clear text
# in this file; restrict its permissions to the user Tomcat runs as.
edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStorePassword = $PASS
edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStoreKeyAlias = switch
edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStoreKeyPassword = $PASS
# Attribute Authority (AA) identity.
edu.internet2.middleware.shibboleth.aa.AAServlet.authorityName = \
    maunakea.switch.ch
# false keeps internal error details out of the responses sent to requesters.
edu.internet2.middleware.shibboleth.aa.AAServlet.passThruErrors = false
# LDAP source for attributes. Plain ldap:// (no TLS) - same caveat as the
# AuthLDAPURL in httpd.conf. In ldapUserDnPhrase, %s is presumably replaced
# with the authenticated user name to form the DN that is looked up;
# NOTE(review): confirm how that name is validated before substitution.
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
java.naming.provider.url = ldap://loihi.switch.ch/o=SWITCH,c=ch
edu.internet2.middleware.shibboleth.aa.AAServlet.ldapUserDnPhrase = uid=%s
# ARP storage: file-based repository in the shibboleth configuration
# directory (arp.site.xml above lives there).
edu.internet2.middleware.shibboleth.aa.arp.ArpRepository.implementation = \
    edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository
edu.internet2.middleware.shibboleth.aa.arp.provider.\
    FileSystemArpRepository.Path = file:///etc/opt/jakarta-tomcat-4.1.24-LE-jdk14/shibboleth
# Handles are kept in memory only, so they do not survive a Tomcat restart.
edu.internet2.middleware.shibboleth.hs.HandleRepository.implementation = \
    edu.internet2.middleware.shibboleth.hs.provider.MemoryHandleRepository
# NOTE(review): the audience is the InCommon pilot URI although this document
# targets the SWITCH AAI - confirm it matches the federation's audience value.
edu.internet2.middleware.shibboleth.audiences = urn:mace:InCommon:pilot:2003