Configuring Shibboleth 1.0 origin side on Debian GNU/Linux stable/i386
----------------------------------------------------------------------

# location: http://www.switch.ch/aai/docs/shibboleth/SWITCH/1.0/
#           [where you also find sample config files]
# authors:  Thomas Lenggenhager & Urs Marti, SWITCH
# contact:  aai@switch.ch
# version:  2.1 - 20030702

# This guide is only an addition to the original Shibboleth 1.0
# Origin-Deployment Guide, which you should read first.
# References to that original guide are marked as (see ORIG-chapter#).

# For this installation according to the Filesystem Hierarchy Standard,
# the configuration directory has been chosen as:
#   /etc/opt/jakarta-tomcat-4.1.24-LE-jdk14/shibboleth/

# We use the domain 'domain.ch' in these examples; replace it with your
# own domain name.


/etc/apache-ssl/ca-bundle.crt
-----------------------------

That file must contain the server certificate signed by the CA as well as
the CA certificate itself (the whole chain): extkeytool imports it below as
the certificate chain belonging to the key.


/etc/opt/jakarta-tomcat-4.1.24-LE-jdk14/shibboleth/keystore.jks (see ORIG-5.b)
---------------------------------------------------------------

The certificates and keys used by Apache can be shared with Shibboleth.
This requires storing them in a Java keystore. Shibboleth comes bundled
with a pre-filled keystore; for SWITCHaai it is a good idea to begin with
an empty one. Either download it from
http://www.switch.ch/aai/docs/shibboleth/SWITCH/1.0/ (its 'storepass'
value is 'shibhs'), or empty the one included in the distribution as
follows:

$ cd /etc/opt/jakarta-tomcat-4.1.24-LE-jdk14/shibboleth
$ keytool -storepass shibhs -keystore keystore.jks -list

will output a list of aliases.
For each alias, delete it with:

$ keytool -storepass shibhs -keystore keystore.jks -delete -alias $ALIAS

Change the default password 'shibhs' to your own password $STOREPASS:

$ keytool -storepass shibhs -keystore keystore.jks -storepasswd -new $STOREPASS

To re-use the existing Apache-SSL key, re-encode the private key from PEM
into PKCS8/DER (do not encrypt the output) so that it can be imported into
the keystore afterwards:

$ cd /etc/opt/jakarta-tomcat-4.1.24-LE-jdk14/shibboleth
$ openssl pkcs8 -in /etc/apache-ssl/apache.pem -topk8 -nocrypt \
    -outform DER -out maunakea.der.pkcs8

Add the PKCS8/DER encoded (unencrypted) private key together with the
CA-cert bundle to the empty keystore, using your own key password $KEYPASS:

$ cd /etc/opt/jakarta-tomcat-4.1.24-LE-jdk14/shibboleth
$ export SHIB_HOME=/opt/shibboleth-origin-1.0
$ /opt/shibboleth-origin-1.0/bin/extkeytool -importkey \
    -keystore keystore.jks -storepass $STOREPASS -alias domain.ch \
    -keyfile maunakea.der.pkcs8 -keypass $KEYPASS \
    -certfile /etc/apache-ssl/ca-bundle.crt \
    -provider org.bouncycastle.jce.provider.BouncyCastleProvider

Now remove the file with the unencrypted private key. It is no longer
needed once the key is in the keystore, and anybody able to read it holds
the key the Handle Service signs with:

$ rm maunakea.der.pkcs8

Note that keytool and extkeytool take the passwords on the command line,
so they end up in the shell history and are visible to other users via
'ps' while the commands run; do this on a host where that is acceptable.


/opt/jakarta-tomcat-4.1.24-LE-jdk14/conf/server.xml (see ORIG-3.b.7)
---------------------------------------------------


/etc/opt/jakarta-tomcat-4.1.24-LE-jdk14/shibboleth/arps/arp.site.xml (see ORIG-5.a)
--------------------------------------------------------------------

Simplest ARP, releasing all swissEduPerson attributes to every resource.
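As an added example (not part of the SWITCH guide), the keystore rebuild from the keystore.jks section above as two POSIX shell functions. Paths, aliases, the 'shibhs' default and the tool names are taken from the guide; the umask, the read-back verification, the shred and the RUN_IMPORT guard are this example's own additions. pem_to_pkcs8_der needs only openssl; import_into_keystore needs a JDK keytool plus $SHIB_HOME/bin/extkeytool and is therefore only run when called explicitly.

```shell
#!/bin/sh
# Added example, not from the SWITCH guide: rebuild the Shibboleth keystore
# from the Apache-SSL key without leaving a world-readable cleartext copy.

# Re-encode a PEM private key as unencrypted PKCS#8 DER, the form that
# 'extkeytool -importkey' reads. -nocrypt leaves the key in the clear, so the
# file is created with mode 0600 (umask 077) and is parsed back once to make
# sure it is a usable key before anything touches the keystore.
pem_to_pkcs8_der() {
    _pem=$1 _der=$2
    ( umask 077 && openssl pkcs8 -in "$_pem" -topk8 -nocrypt \
        -outform DER -out "$_der" ) || return 1
    openssl pkey -inform DER -in "$_der" -noout >/dev/null 2>&1
}

# import_into_keystore KEYSTORE OLDPASS NEWPASS ALIAS DERKEY KEYPASS CHAIN
# Deletes every alias in KEYSTORE, changes the store password, imports DERKEY
# with the certificate chain CHAIN under ALIAS, verifies the entry can be read
# back, then destroys the cleartext DER file. 'keytool -list' prints one
# "alias, date, <entry type>," line per entry (keyEntry / trustedCertEntry in
# JDK 1.4, PrivateKeyEntry in later JDKs; the grep covers both).
import_into_keystore() {
    _ks=$1 _old=$2 _new=$3 _alias=$4 _der=$5 _keypass=$6 _chain=$7
    for _a in $(keytool -storepass "$_old" -keystore "$_ks" -list \
                | grep -iE 'keyentry|certentry' | cut -d, -f1); do
        keytool -storepass "$_old" -keystore "$_ks" -delete -alias "$_a" || return 1
    done
    keytool -storepass "$_old" -keystore "$_ks" -storepasswd -new "$_new" || return 1
    "$SHIB_HOME/bin/extkeytool" -importkey -keystore "$_ks" -storepass "$_new" \
        -alias "$_alias" -keyfile "$_der" -keypass "$_keypass" -certfile "$_chain" \
        -provider org.bouncycastle.jce.provider.BouncyCastleProvider || return 1
    # The import only counts as done when the entry is readable under ALIAS.
    keytool -storepass "$_new" -keystore "$_ks" -list -alias "$_alias" \
        >/dev/null || return 1
    if command -v shred >/dev/null 2>&1; then shred -u "$_der"; else rm -f "$_der"; fi
}

# Guard: sourcing this file only defines the functions. Set RUN_IMPORT=1 with
# STOREPASS and KEYPASS exported to perform the guide's procedure as root on
# the origin host (assumed invocation, mirroring the guide's commands).
if [ "${RUN_IMPORT:-0}" = 1 ]; then
    export SHIB_HOME=/opt/shibboleth-origin-1.0
    cd /etc/opt/jakarta-tomcat-4.1.24-LE-jdk14/shibboleth || exit 1
    pem_to_pkcs8_der /etc/apache-ssl/apache.pem maunakea.der.pkcs8 || exit 1
    import_into_keystore keystore.jks shibhs "$STOREPASS" domain.ch \
        maunakea.der.pkcs8 "$KEYPASS" /etc/apache-ssl/ca-bundle.crt
fi
```

The Debian apache.pem holds key and certificate in one file; openssl's PEM reader skips the certificate block and picks up the private key. The DER file is removed by the import function itself, so there is no window in which an operator forgets the cleanup step.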
/etc/tomcat/jk/workers.properties (no changes) (see ORIG-3.b.6)
----------------------------------------------

workers.tomcat_home=/usr/share/tomcat
ps=/
worker.list=ajp12, ajp13
worker.ajp12.port=8007
worker.ajp12.host=localhost
worker.ajp12.type=ajp12
worker.ajp12.lbfactor=1
worker.ajp13.port=8009
worker.ajp13.host=localhost
worker.ajp13.type=ajp13
worker.ajp13.lbfactor=1
worker.loadbalancer.type=lb
worker.loadbalancer.balanced_workers=ajp12, ajp13
worker.inprocess.class_path=$(workers.tomcat_home)$(ps)lib$(ps)tomcat.jar
worker.inprocess.cmd_line=start
worker.inprocess.stdout=$(workers.tomcat_home)$(ps)logs$(ps)inprocess.stdout
worker.inprocess.stderr=$(workers.tomcat_home)$(ps)logs$(ps)inprocess.stderr


/etc/apache-ssl/httpd.conf (see ORIG-3.b.6, ORIG-4.c)
--------------------------

LoadModule jk_module /usr/lib/apache/1.3/mod_jk.so
LoadModule auth_ldap_module /usr/lib/apache/1.3/auth_ldap.so

AuthType Basic
AuthName "HS"
AuthLDAPURL ldap://ldap-server.domain.ch:389/o=domain,c=CH?uid?sub?(objectClass=*)
require valid-user

JkWorkersFile /etc/tomcat/jk/workers.properties
JkLogFile "/var/log/apache-ssl/mod_jk.log"
JkLogLevel debug
JkMount /shibboleth/* ajp13

Scope the Auth* directives to the Handle Service URL only: the HS takes the
authenticated user from REMOTE_USER (see origin.properties below), whereas
the AA is contacted by the target's SHAR, not by a browser, and must stay
reachable without Basic auth. The AuthLDAPURL above uses plain ldap:// on
port 389, so the password Apache checks by binding to the directory travels
to ldap-server.domain.ch in clear text unless that link is protected by
other means (auth_ldap also accepts ldaps:// URLs). JkLogLevel debug is
verbose; lower it once the setup works.


/etc/opt/jakarta-tomcat-4.1.24-LE-jdk14/shibboleth/origin.properties (see ORIG-4.a)
--------------------------------------------------------------------

Remember to replace $STOREPASS and $KEYPASS with your own passwords. The
file then holds both passwords in clear text, so make it readable only by
the user Tomcat runs as (e.g. mode 0600).
edu.internet2.middleware.shibboleth.hs.HandleServlet.issuer = origin-server.domain.ch
edu.internet2.middleware.shibboleth.hs.HandleServlet.siteName = urn:mace:switch.ch:SWITCHaai:pilot:domain.ch
edu.internet2.middleware.shibboleth.hs.HandleServlet.AAUrl = https://origin-server.domain.ch/shibboleth/AA
edu.internet2.middleware.shibboleth.hs.HandleServlet.username = REMOTE_USER
edu.internet2.middleware.shibboleth.hs.HandleServlet.authMethod = urn:oasis:names:tc:SAML:1.0:am:password
edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStorePath = file:///etc/opt/jakarta-tomcat-4.1.24-LE-jdk14/shibboleth/keystore.jks
edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStorePassword = $STOREPASS
edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStoreKeyAlias = domain.ch
edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStoreKeyPassword = $KEYPASS
edu.internet2.middleware.shibboleth.hs.HandleServlet.certAlias = domain.ch
edu.internet2.middleware.shibboleth.aa.AAServlet.authorityName = origin-server.domain.ch
edu.internet2.middleware.shibboleth.aa.AAServlet.passThruErrors = false
edu.internet2.middleware.shibboleth.aa.attrresolv.AttributeResolver.ResolverConfig = file:///etc/opt/jakarta-tomcat-4.1.24-LE-jdk14/shibboleth/resolver.xml
edu.internet2.middleware.shibboleth.aa.arp.ArpRepository.implementation = edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository
edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository.Path = file:///etc/opt/jakarta-tomcat-4.1.24-LE-jdk14/shibboleth/arps/
edu.internet2.middleware.shibboleth.aa.arp.BaseArpRepository.ArpTTL = 300
edu.internet2.middleware.shibboleth.hs.HandleRepository.implementation = edu.internet2.middleware.shibboleth.hs.provider.MemoryHandleRepository
edu.internet2.middleware.shibboleth.hs.BaseHandleRepository.handleTTL = 1000
edu.internet2.middleware.shibboleth.audiences = urn:mace:switch.ch:SWITCHaai:pilot
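As an added example (not from the SWITCH guide or the Shibboleth distribution), a shell check to run against origin.properties before starting Tomcat. The property names are the ones in the listing above; which conditions to check (placeholders replaced, key and certificate alias identical, file:/// URLs, numeric TTLs, no group/other permissions) is this example's own choice.

```shell
#!/bin/sh
# Added example, not from the SWITCH guide: sanity-check origin.properties.

# prop FILE KEY: print the value of KEY, blanks around '=' and trailing
# blanks removed; empty output if the key is missing.
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# check_origin_properties FILE: exit status 0 when every check passes,
# 1 otherwise, with one line per finding on stderr.
check_origin_properties() {
    _f=$1 _rc=0
    _P=edu.internet2.middleware.shibboleth

    # 1. The guide's $STOREPASS / $KEYPASS placeholders must have been replaced;
    #    left in, the HS cannot open the keystore at all.
    if grep -qE '\$STOREPASS|\$KEYPASS' "$_f"; then
        echo "$_f: password placeholder not replaced" >&2; _rc=1
    fi

    # 2. The HS signs with the key under keyStoreKeyAlias and presents the
    #    certificate under certAlias; the guide uses the same entry (domain.ch)
    #    for both, and a mismatch means the certificate sent does not match
    #    the signing key.
    _ka=$(prop "$_f" $_P.hs.HandleServlet.keyStoreKeyAlias)
    _ca=$(prop "$_f" $_P.hs.HandleServlet.certAlias)
    [ -n "$_ka" ] && [ "$_ka" = "$_ca" ] \
        || { echo "$_f: keyStoreKeyAlias '$_ka' != certAlias '$_ca'" >&2; _rc=1; }

    # 3. Keystore, resolver and ARP locations are file:/// URLs, as in the guide.
    for _k in hs.HandleServlet.keyStorePath \
              aa.attrresolv.AttributeResolver.ResolverConfig \
              aa.arp.provider.FileSystemArpRepository.Path; do
        _v=$(prop "$_f" $_P.$_k)
        case $_v in
            file:///*) ;;
            *) echo "$_f: $_k is not a file:/// URL: '$_v'" >&2; _rc=1 ;;
        esac
    done

    # 4. TTLs are plain integers.
    for _k in aa.arp.BaseArpRepository.ArpTTL hs.BaseHandleRepository.handleTTL; do
        _v=$(prop "$_f" $_P.$_k)
        case $_v in
            ''|*[!0-9]*) echo "$_f: $_k is not an integer: '$_v'" >&2; _rc=1 ;;
        esac
    done

    # 5. The file holds both passwords in clear text: group and others get
    #    no permission bits at all (columns 5-10 of 'ls -l').
    _m=$(ls -l "$_f" | cut -c5-10)
    [ "$_m" = "------" ] \
        || { echo "$_f: readable by group/others (mode $_m)" >&2; _rc=1; }

    return $_rc
}

# Usage (assumed path, as in the guide):
#   check_origin_properties \
#     /etc/opt/jakarta-tomcat-4.1.24-LE-jdk14/shibboleth/origin.properties
```

Run it as part of the restart procedure; a non-zero exit stops the restart before a misconfigured HS starts issuing unsigned or unverifiable assertions.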
/etc/opt/jakarta-tomcat-4.1.24-LE-jdk14/shibboleth/resolver.xml (see ORIG-4.e, ORIG-5.c)
---------------------------------------------------------------