Configuring Shibboleth 1.1 origin side on Debian GNU/Linux stable/i386
----------------------------------------------------------------------

* location: http://www.switch.ch/aai/docs/shibboleth/SWITCH/1.1/
*           [where you also find sample config files]
* authors:  Thomas Lenggenhager & Urs Marti, SWITCH
* contact:  aai@switch.ch
* version:  2.4 - 20030911

* This guide is only an addition to the original Shibboleth 1.1
* Origin-Deployment Guide which you should read first.
* References to that original guide are marked as
*    (see ORIG-chapter#)

* For this installation according to the Filesystem Hierarchy Standard,
* the configuration directory has been chosen as:
* /etc/opt/jakarta-tomcat-4.1.27-LE-jdk14/shibboleth/


* We used the domain 'domain.ch' for these examples, you should replace
* it with your own domain name.

/etc/apache/ssl.crt/ca-bundle.crt
---------------------------------
That file must include the CA certificate as well as the server certificate
signed by the CA!


/etc/opt/jakarta-tomcat-4.1.27-LE-jdk14/shibboleth/keystore.jks (see ORIG-5.b)
---------------------------------------------------------------
The certificates and keys used for Apache can be shared with Shibboleth.
This requires to store a copy of them in a Java keystore. Shibboleth
comes bundled with a pre-filled keystore.
For SWITCHaai, it is a good idea to begin with an empty keystore.
You either get it from
 - http://www.switch.ch/aai/docs/shibboleth/SWITCH/1.1/
   which has a 'storepass' value of 'shibhs', or
 - empty the one included in the distribution as follows: 
   $ cd /etc/opt/jakarta-tomcat-4.1.27-LE-jdk14/shibboleth
   $ keytool -storepass shibhs -keystore keystore.jks -list
   will output a list of aliases.
   For each alias, delete it with:
   $ keytool -storepass shibhs -keystore keystore.jks -delete -alias $ALIAS

Change the default password 'shibhs' to your own password $STOREPASS:
$ keytool -storepass shibhs -keystore keystore.jks -storepasswd -new $STOREPASS

To re-use the existing Apache SSL key, re-encode the private key from
PEM into PKCS8/DER (do not encrypt the output) to be able to include it
afterwards into the keystore:
$ cd /etc/opt/jakarta-tomcat-4.1.27-LE-jdk14/shibboleth
$ openssl pkcs8 -in /etc/apache/ssl.key/apache.pem -topk8 -nocrypt \
  -outform DER -out maunakea.der.pkcs8

Add the PKCS8/DER encoded (non-encrypted) private key as well as the
ca-cert bundle into the empty keystore and use the own key password $KEYPASS:
$ cd /etc/opt/jakarta-tomcat-4.1.27-LE-jdk14/shibboleth
$ export SHIB_HOME=/opt/shibboleth-origin-1.1
$ /opt/shibboleth-origin-1.1/bin/extkeytool -importkey \
  -keystore keystore.jks -storepass $STOREPASS -alias domain.ch \
  -keyfile maunakea.der.pkcs8 -keypass $KEYPASS \
  -certfile /etc/apache/ssl.crt/ca-bundle.crt \
  -provider org.bouncycastle.jce.provider.BouncyCastleProvider

Now, you might want to remove the unencrypted file with the private-key
$ rm maunakea.der.pkcs8


/opt/jakarta-tomcat-4.1.27-LE-jdk14/conf/server.xml (see ORIG-3.b.7)
---------------------------------------------------
<Server port="8005" shutdown="SHUTDOWN" debug="0">
  <Service name="Tomcat-Standalone">
    <Connector className="org.apache.ajp.tomcat4.Ajp13Connector" port="8009"
        minProcessors="5" maxProcessors="75" acceptCount="10" debug="0"
        address="127.0.0.1" tomcatAuthentication="false"/>
    <Engine name="Standalone" defaultHost="localhost" debug="0">
      <Logger className="org.apache.catalina.logger.FileLogger"
          prefix="catalina_log." suffix=".txt" timestamp="true"/>
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
                 debug="0" resourceName="UserDatabase"/>
      <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve"
            directory="logs"  prefix="localhost_access_log." suffix=".txt"
            pattern="common" resolveHosts="false"/>
        <Logger className="org.apache.catalina.logger.FileLogger"
            directory="logs" prefix="localhost_log." suffix=".txt"
            timestamp="true"/>
      </Host>
    </Engine>
  </Service>
</Server>


/etc/opt/jakarta-tomcat-4.1.27-LE-jdk14/shibboleth/arps/arp.site.xml (see ORIG-5.b)
--------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<AttributeReleasePolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:mace:shibboleth:arp:1.0"
                xsi:schemaLocation="urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd">
        <Description>Simplest ARP, releasing all swissEduPerson attributes to every resource.</Description>
        <Rule>
                <Target>
                        <AnyTarget/>
                </Target>

        <!-- Object Class Person -->
                <Attribute name="urn:mace:dir:attribute-def:sn">
                        <AnyValue release="permit"/>
                </Attribute>
                <Attribute name="urn:mace:dir:attribute-def:telephoneNumber">
                        <AnyValue release="permit"/>
                </Attribute>
        <!-- End Object Class Person -->

        <!-- Object Class organizationalPerson -->
                <Attribute name="urn:mace:dir:attribute-def:facsimileTelephoneNumber">
                        <AnyValue release="permit"/>
                </Attribute>
                <Attribute name="urn:mace:dir:attribute-def:postalAddress">
                        <AnyValue release="permit"/>
                </Attribute>
        <!-- End Object Class organizationalPerson -->

        <!-- Object Class eduPerson -->
                <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
                        <AnyValue release="permit"/>
                </Attribute>
                <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement">
                        <AnyValue release="permit"/>
                </Attribute>
                <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgDN">
                        <AnyValue release="permit"/>
                </Attribute>
                <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN">
                        <AnyValue release="permit"/>
                </Attribute>
                <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation">
                        <AnyValue release="permit"/>
                </Attribute>
        <!-- End Object Class eduPerson -->

        <!-- Object Class inetOrgPerson -->
                <Attribute name="urn:mace:dir:attribute-def:givenName">
                        <AnyValue release="permit"/>
                </Attribute>
                <Attribute name="urn:mace:dir:attribute-def:homePhone">
                        <AnyValue release="permit"/>
                </Attribute>
                <Attribute name="urn:mace:dir:attribute-def:homePostalAddress">
                        <AnyValue release="permit"/>
                </Attribute>
                <Attribute name="urn:mace:dir:attribute-def:mail">
                        <AnyValue release="permit"/>
                </Attribute>
                <Attribute name="urn:mace:dir:attribute-def:mobile">
                        <AnyValue release="permit"/>
                </Attribute>
                <Attribute name="urn:mace:dir:attribute-def:preferredLanguage">
                        <AnyValue release="permit"/>
                </Attribute>
        <!-- End Object Class inetOrgPerson -->

        <!-- Object Class swissEduPerson -->
                <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonUniqueID">
                        <AnyValue release="permit"/>
                </Attribute>
                <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonDateOfBirth">
                        <AnyValue release="permit"/>
                </Attribute>
                <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonGender">
                        <AnyValue release="permit"/>
                </Attribute>
                <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganization">
                        <AnyValue release="permit"/>
                </Attribute>
                <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganizationType">
                        <AnyValue release="permit"/>
                </Attribute>
                <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch1">
                        <AnyValue release="permit"/>
                </Attribute>
                <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch2">
                        <AnyValue release="permit"/>
                </Attribute>
                <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch3">
                        <AnyValue release="permit"/>
                </Attribute>
                <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonStudyLevel">
                        <AnyValue release="permit"/>
                </Attribute>
                <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonStaffCategory">
                        <AnyValue release="permit"/>
                </Attribute>
        <!-- End Object Class swissEduPerson -->

        </Rule>
</AttributeReleasePolicy>


/etc/tomcat/jk/workers.properties (no changes) (see ORIG-3.b.6)
----------------------------------------------
workers.tomcat_home=/usr/share/tomcat
ps=/
worker.list=ajp12, ajp13
worker.ajp12.port=8007
worker.ajp12.host=localhost
worker.ajp12.type=ajp12
worker.ajp12.lbfactor=1
worker.ajp13.port=8009
worker.ajp13.host=localhost
worker.ajp13.type=ajp13
worker.ajp13.lbfactor=1
worker.loadbalancer.type=lb
worker.loadbalancer.balanced_workers=ajp12, ajp13
worker.inprocess.class_path=$(workers.tomcat_home)$(ps)lib$(ps)tomcat.jar
worker.inprocess.cmd_line=start
worker.inprocess.stdout=$(workers.tomcat_home)$(ps)logs$(ps)inprocess.stdout
worker.inprocess.stderr=$(workers.tomcat_home)$(ps)logs$(ps)inprocess.stderr


/etc/apache/httpd.conf (see ORIG-3.b.6, ORIG-3.b.8, ORIG-4.c)
----------------------
LoadModule     jk_module         /usr/lib/apache/1.3/mod_jk.so
LoadModule     auth_ldap_module  /usr/lib/apache/1.3/auth_ldap.so
<Location /shibboleth/AA>              
       SSLVerifyClient optional              
       SSLOptions +StdEnvVars +ExportCertData                          
</Location>
<Location /shibboleth/HS>
  AuthType     Basic
  AuthName     "HS"
  AuthLDAPURL  ldap://ldap-server.domain.ch:389/o=domain,c=CH?uid?sub?(objectClass=*)
  require      valid-user
</Location>
<IfModule mod_jk.c>
  JkWorkersFile  /etc/tomcat/jk/workers.properties
  JkLogFile      "/var/log/apache/mod_jk.log"
  JkLogLevel     debug
  JkMount        /shibboleth/*   ajp13
</IfModule>


/etc/opt/jakarta-tomcat-4.1.27-LE-jdk14/shibboleth/origin.properties (see ORIG-4.a, ORIG-5.a)
--------------------------------------------------------------------
Remember to replace $STOREPASS and $KEYPASS with your own passwords.

edu.internet2.middleware.shibboleth.hs.HandleServlet.issuer = origin-server.domain.ch
edu.internet2.middleware.shibboleth.hs.HandleServlet.siteName = urn:mace:switch.ch:SWITCHaai:pilot:domain.ch
edu.internet2.middleware.shibboleth.hs.HandleServlet.AAUrl = https://origin-server.domain.ch/shibboleth/AA
edu.internet2.middleware.shibboleth.hs.HandleServlet.username = REMOTE_USER
edu.internet2.middleware.shibboleth.hs.HandleServlet.authMethod = urn:oasis:names:tc:SAML:1.0:am:password
edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStorePath = file:///etc/opt/jakarta-tomcat-4.1.27-LE-jdk14/shibboleth/keystore.jks
edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStorePassword = $STOREPASS
edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStoreKeyAlias = domain.ch
edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStoreKeyPassword = $KEYPASS
edu.internet2.middleware.shibboleth.hs.HandleServlet.certAlias = domain.ch
edu.internet2.middleware.shibboleth.aa.AAServlet.authorityName = origin-server.domain.ch
edu.internet2.middleware.shibboleth.aa.AAServlet.passThruErrors = false
edu.internet2.middleware.shibboleth.aa.attrresolv.AttributeResolver.ResolverConfig = file:///etc/opt/jakarta-tomcat-4.1.27-LE-jdk14/shibboleth/resolver.xml
edu.internet2.middleware.shibboleth.aa.arp.ArpRepository.implementation = edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository
edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository.Path = file:///etc/opt/jakarta-tomcat-4.1.27-LE-jdk14/shibboleth/arps/
edu.internet2.middleware.shibboleth.aa.arp.BaseArpRepository.ArpTTL = 300
edu.internet2.middleware.shibboleth.hs.HandleRepository.implementation = edu.internet2.middleware.shibboleth.hs.provider.MemoryHandleRepository
edu.internet2.middleware.shibboleth.hs.BaseHandleRepository.handleTTL = 1000
edu.internet2.middleware.shibboleth.audiences = urn:mace:switch.ch:SWITCHaai:pilot


/etc/opt/jakarta-tomcat-4.1.27-LE-jdk14/shibboleth/resolver.xml (see ORIG-4.a.i, ORIG-5.d)
---------------------------------------------------------------
<AttributeResolver xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xmlns="urn:mace:shibboleth:resolver:1.0"
                xsi:schemaLocation="urn:mace:shibboleth:resolver:1.0 shibboleth-resolver-1.0.xsd">

<!-- LDAP schemata core=rfc2256 inetorgperson=rfc2798-->

<!-- Object Class Person -->
        <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:sn">
                <DataConnectorDependency requires="directory"/>
        </SimpleAttributeDefinition>
        <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:telephoneNumber">
                <DataConnectorDependency requires="directory"/>
        </SimpleAttributeDefinition>
<!-- End Object Class Person -->

<!-- Object Class organizationalPerson -->
        <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:facsimileTelephoneNumber">
                <DataConnectorDependency requires="directory"/>
        </SimpleAttributeDefinition>
        <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:postalAddress">
                <DataConnectorDependency requires="directory"/>
        </SimpleAttributeDefinition>
<!-- End Object Class organizationalPerson -->

<!-- Object Class eduPerson -->
        <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonAffiliation">
                <DataConnectorDependency requires="directory"/>
        </SimpleAttributeDefinition>
        <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonEntitlement">
                <DataConnectorDependency requires="directory"/>
        </SimpleAttributeDefinition>
        <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonOrgDN">
                <DataConnectorDependency requires="directory"/>
        </SimpleAttributeDefinition>
        <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonOrgUnitDN">
                <DataConnectorDependency requires="directory"/>
        </SimpleAttributeDefinition>

        <!-- To use these attributes, you should change the smartScope value to match your site's domain name. -->
        <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" smartScope="domain.ch">
                <AttributeDependency requires="urn:mace:dir:attribute-def:eduPersonAffiliation"/>
        </SimpleAttributeDefinition>
<!-- End Object Class eduPerson -->

<!-- Object Class inetOrgPerson -->
        <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:givenName">
                <DataConnectorDependency requires="directory"/>
        </SimpleAttributeDefinition>
        <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:homePhone">
                <DataConnectorDependency requires="directory"/>
        </SimpleAttributeDefinition>
        <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:homePostalAddress">
                <DataConnectorDependency requires="directory"/>
        </SimpleAttributeDefinition>
        <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:mail">
                <DataConnectorDependency requires="directory"/>
        </SimpleAttributeDefinition>
        <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:mobile">
                <DataConnectorDependency requires="directory"/>
        </SimpleAttributeDefinition>
        <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:preferredLanguage">
                <DataConnectorDependency requires="directory"/>
        </SimpleAttributeDefinition>
<!-- End Object Class inetOrgPerson -->

<!-- Object Class swissEduPerson -->
        <SimpleAttributeDefinition id="urn:mace:switch.ch:attribute-def:swissEduPersonUniqueID">
                <DataConnectorDependency requires="directory"/>
        </SimpleAttributeDefinition>
        <SimpleAttributeDefinition id="urn:mace:switch.ch:attribute-def:swissEduPersonDateOfBirth">
                <DataConnectorDependency requires="directory"/>
        </SimpleAttributeDefinition>
        <SimpleAttributeDefinition id="urn:mace:switch.ch:attribute-def:swissEduPersonGender">
                <DataConnectorDependency requires="directory"/>
        </SimpleAttributeDefinition>
        <SimpleAttributeDefinition id="urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganization">
                <DataConnectorDependency requires="directory"/>
        </SimpleAttributeDefinition>
        <SimpleAttributeDefinition id="urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganizationType">
                <DataConnectorDependency requires="directory"/>
        </SimpleAttributeDefinition>
        <SimpleAttributeDefinition id="urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch1">
                <DataConnectorDependency requires="directory"/>
        </SimpleAttributeDefinition>
        <SimpleAttributeDefinition id="urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch2">
                <DataConnectorDependency requires="directory"/>
        </SimpleAttributeDefinition>
        <SimpleAttributeDefinition id="urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch3">
                <DataConnectorDependency requires="directory"/>
        </SimpleAttributeDefinition>
        <SimpleAttributeDefinition id="urn:mace:switch.ch:attribute-def:swissEduPersonStudyLevel">
                <DataConnectorDependency requires="directory"/>
        </SimpleAttributeDefinition>
        <SimpleAttributeDefinition id="urn:mace:switch.ch:attribute-def:swissEduPersonStaffCategory">
                <DataConnectorDependency requires="directory"/>
        </SimpleAttributeDefinition>
<!-- End Object Class swissEduPerson -->

        <JNDIDirectoryDataConnector id="directory">
                <Search filter="uid=%PRINCIPAL%">
                        <Controls searchScope="SUBTREE_SCOPE" returningObjects="false" />
                </Search>
                <Property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
                <Property name="java.naming.provider.url" value="ldap://ldap-server.domain.ch:389/o=domain,c=CH" />
<!--
                <Property name="java.naming.security.principal" value="cn=admin,O=domain,c=CH" />
-->
<!--
                <Property name="java.naming.security.credentials" value="examplePassword" />
-->
        </JNDIDirectoryDataConnector>

</AttributeResolver>


Test the resolver config (ORIG-5.d.i)
------------------------
$ /opt/shibboleth-origin-1.1/bin/resolvertest --user=demouser --file=file:///etc/opt/jakarta-tomcat-4.1.27-LE-jdk14/shibboleth/resolver.xml