Configuring Shibboleth 1.1 origin side on Debian GNU/Linux stable/i386
----------------------------------------------------------------------
* location: http://www.switch.ch/aai/docs/shibboleth/SWITCH/1.1/
* [where you also find sample config files]
* authors: Thomas Lenggenhager & Urs Marti, SWITCH
* contact: aai@switch.ch
* version: 2.4 - 20030911
* This guide is only an addition to the original Shibboleth 1.1
* Origin-Deployment Guide which you should read first.
* References to that original guide are marked as
* (see ORIG-chapter#)
* For this installation according to the Filesystem Hierarchy Standard,
* the configuration directory has been chosen as:
* /etc/opt/jakarta-tomcat-4.1.27-LE-jdk14/shibboleth/
* We used the domain 'domain.ch' for these examples, you should replace
* it with your own domain name.
/etc/apache/ssl.crt/ca-bundle.crt
---------------------------------
This bundle must contain both the server certificate (signed by the CA)
and the CA certificate itself: extkeytool below reads the whole chain from
it when importing the key into the keystore.
/etc/opt/jakarta-tomcat-4.1.27-LE-jdk14/shibboleth/keystore.jks (see ORIG-5.b)
---------------------------------------------------------------
The certificates and keys used for Apache can be shared with Shibboleth.
This requires storing a copy of them in a Java keystore. Shibboleth
comes bundled with a pre-filled keystore.
For SWITCHaai, it is a good idea to begin with an empty keystore.
You either get it from
- http://www.switch.ch/aai/docs/shibboleth/SWITCH/1.1/
which has a 'storepass' value of 'shibhs', or
- empty the one included in the distribution as follows:
$ cd /etc/opt/jakarta-tomcat-4.1.27-LE-jdk14/shibboleth
$ keytool -storepass shibhs -keystore keystore.jks -list
will output a list of aliases.
For each alias, delete it with:
$ keytool -storepass shibhs -keystore keystore.jks -delete -alias $ALIAS
Change the default password 'shibhs' to your own password $STOREPASS:
$ keytool -storepass shibhs -keystore keystore.jks -storepasswd -new $STOREPASS
Note that passwords given with -storepass/-keypass are visible to other
local users in the process list and end up in the shell history; clear
the history afterwards or run these steps from a script.
To re-use the existing Apache SSL key, re-encode the private key from
PEM into PKCS8/DER (do not encrypt the output) to be able to include it
afterwards into the keystore:
$ cd /etc/opt/jakarta-tomcat-4.1.27-LE-jdk14/shibboleth
$ openssl pkcs8 -in /etc/apache/ssl.key/apache.pem -topk8 -nocrypt \
-outform DER -out maunakea.der.pkcs8
Add the PKCS8/DER encoded (non-encrypted) private key as well as the
ca-cert bundle into the empty keystore and use the own key password $KEYPASS:
$ cd /etc/opt/jakarta-tomcat-4.1.27-LE-jdk14/shibboleth
$ export SHIB_HOME=/opt/shibboleth-origin-1.1
$ /opt/shibboleth-origin-1.1/bin/extkeytool -importkey \
-keystore keystore.jks -storepass $STOREPASS -alias domain.ch \
-keyfile maunakea.der.pkcs8 -keypass $KEYPASS \
-certfile /etc/apache/ssl.crt/ca-bundle.crt \
-provider org.bouncycastle.jce.provider.BouncyCastleProvider
Now remove the unencrypted private-key file; it is no longer needed and
must not stay on disk:
$ rm maunakea.der.pkcs8
Make sure keystore.jks itself is readable only by the account Tomcat
runs as, since it now holds the same private key as Apache.
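The keystore preparation above, collected into one script as an added example (not code from the SWITCH guide or from Shibboleth). It keeps the guide's paths, alias and temp file name; it assumes STOREPASS and KEYPASS are set in the environment, that SHIB_HOME defaults to /opt/shibboleth-origin-1.1, that 'keytool -list' prints one "alias, date, ...Entry," line per entry (JDK 1.4 wording), and that the script is started with the argument 'run'. The chmod 600 on the keystore and the final alias check are additions of the example.

```shell
#!/bin/sh
# Added example (not from the SWITCH guide): the keystore preparation as one
# script.  Paths, alias and temp file name are the guide's; STOREPASS and
# KEYPASS are read from the environment instead of being typed per command.
set -eu

SHIB_DIR=/etc/opt/jakarta-tomcat-4.1.27-LE-jdk14/shibboleth
SHIB_HOME=${SHIB_HOME:-/opt/shibboleth-origin-1.1}; export SHIB_HOME
APACHE_KEY=/etc/apache/ssl.key/apache.pem
CA_BUNDLE=/etc/apache/ssl.crt/ca-bundle.crt
ALIAS=domain.ch
DEFAULT_STOREPASS=shibhs          # password of the keystore shipped with Shibboleth
TMPKEY=maunakea.der.pkcs8

# Turn 'keytool -list' output into bare alias names, one per line.  Entry
# lines look like "<alias>, <date>, keyEntry," (trustedCertEntry /
# PrivateKeyEntry in other JDKs); header and fingerprint lines do not match.
keystore_aliases() {
    sed -n 's/^\([^,]*\), .*Entry,.*$/\1/p'
}

# Read alias names on stdin; succeed only if the list is exactly "$1".
only_alias() {
    [ "$(cat)" = "$1" ]
}

# Delete every entry of the bundled keystore so only our own key/cert go in.
empty_keystore() {
    keytool -storepass "$DEFAULT_STOREPASS" -keystore keystore.jks -list \
    | keystore_aliases \
    | while read -r alias; do
        keytool -storepass "$DEFAULT_STOREPASS" -keystore keystore.jks \
            -delete -alias "$alias"
      done
}

prepare_keystore() {
    : "${STOREPASS:?set STOREPASS in the environment}"
    : "${KEYPASS:?set KEYPASS in the environment}"
    cd "$SHIB_DIR"
    umask 077                         # the temp key file must be owner-readable only
    empty_keystore
    keytool -storepass "$DEFAULT_STOREPASS" -keystore keystore.jks \
        -storepasswd -new "$STOREPASS"
    # Re-encode the Apache key as unencrypted PKCS#8/DER, which extkeytool expects.
    openssl pkcs8 -in "$APACHE_KEY" -topk8 -nocrypt -outform DER -out "$TMPKEY"
    "$SHIB_HOME/bin/extkeytool" -importkey \
        -keystore keystore.jks -storepass "$STOREPASS" -alias "$ALIAS" \
        -keyfile "$TMPKEY" -keypass "$KEYPASS" \
        -certfile "$CA_BUNDLE" \
        -provider org.bouncycastle.jce.provider.BouncyCastleProvider
    rm -f "$TMPKEY"                   # never leave the plaintext key on disk
    chmod 600 keystore.jks            # assumption: then chown to the Tomcat account
    # Sanity check: exactly one entry, ours, must be left in the keystore.
    keytool -storepass "$STOREPASS" -keystore keystore.jks -list \
    | keystore_aliases | only_alias "$ALIAS" \
    || { echo "keystore.jks does not contain exactly the alias $ALIAS" >&2; exit 1; }
}

# Runs only when started as:  STOREPASS=... KEYPASS=... sh prepare-keystore.sh run
case "${1:-}" in run) prepare_keystore ;; esac
```

Running it with the environment variables set keeps both passwords out of the shell history; they still appear briefly in the process list of the keytool invocations, which is the same exposure as the interactive commands above.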
/opt/jakarta-tomcat-4.1.27-LE-jdk14/conf/server.xml (see ORIG-3.b.7)
---------------------------------------------------
/etc/opt/jakarta-tomcat-4.1.27-LE-jdk14/shibboleth/arps/arp.site.xml (see ORIG-5.b)
--------------------------------------------------------------------
Simplest ARP, releasing all swissEduPerson attributes to every resource.
This is acceptable for the pilot only; before production, restrict the
release per resource to the attributes each one actually needs.
/etc/tomcat/jk/workers.properties (no changes) (see ORIG-3.b.6)
----------------------------------------------
workers.tomcat_home=/usr/share/tomcat
ps=/
worker.list=ajp12, ajp13
worker.ajp12.port=8007
worker.ajp12.host=localhost
worker.ajp12.type=ajp12
worker.ajp12.lbfactor=1
worker.ajp13.port=8009
worker.ajp13.host=localhost
worker.ajp13.type=ajp13
worker.ajp13.lbfactor=1
worker.loadbalancer.type=lb
worker.loadbalancer.balanced_workers=ajp12, ajp13
worker.inprocess.class_path=$(workers.tomcat_home)$(ps)lib$(ps)tomcat.jar
worker.inprocess.cmd_line=start
worker.inprocess.stdout=$(workers.tomcat_home)$(ps)logs$(ps)inprocess.stdout
worker.inprocess.stderr=$(workers.tomcat_home)$(ps)logs$(ps)inprocess.stderr
/etc/apache/httpd.conf (see ORIG-3.b.6, ORIG-3.b.8, ORIG-4.c)
----------------------
LoadModule jk_module /usr/lib/apache/1.3/mod_jk.so
LoadModule auth_ldap_module /usr/lib/apache/1.3/auth_ldap.so
SSLVerifyClient optional
SSLOptions +StdEnvVars +ExportCertData
# The Basic-auth directives protect the HS URL and belong to the SSL
# virtual host only: a Basic challenge over plain HTTP would expose the
# users' LDAP passwords in clear.
AuthType Basic
AuthName "HS"
AuthLDAPURL ldap://ldap-server.domain.ch:389/o=domain,c=CH?uid?sub?(objectClass=*)
require valid-user
JkWorkersFile /etc/tomcat/jk/workers.properties
JkLogFile "/var/log/apache/mod_jk.log"
# 'debug' is useful while setting up; lower it to 'info' afterwards.
JkLogLevel debug
JkMount /shibboleth/* ajp13
/etc/opt/jakarta-tomcat-4.1.27-LE-jdk14/shibboleth/origin.properties (see ORIG-4.a, ORIG-5.a)
--------------------------------------------------------------------
Remember to replace $STOREPASS and $KEYPASS with your own passwords.
Both passwords are stored in clear text in this file, so it must be
readable only by the account Tomcat runs as.
edu.internet2.middleware.shibboleth.hs.HandleServlet.issuer = origin-server.domain.ch
edu.internet2.middleware.shibboleth.hs.HandleServlet.siteName = urn:mace:switch.ch:SWITCHaai:pilot:domain.ch
edu.internet2.middleware.shibboleth.hs.HandleServlet.AAUrl = https://origin-server.domain.ch/shibboleth/AA
edu.internet2.middleware.shibboleth.hs.HandleServlet.username = REMOTE_USER
edu.internet2.middleware.shibboleth.hs.HandleServlet.authMethod = urn:oasis:names:tc:SAML:1.0:am:password
edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStorePath = file:///etc/opt/jakarta-tomcat-4.1.27-LE-jdk14/shibboleth/keystore.jks
edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStorePassword = $STOREPASS
edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStoreKeyAlias = domain.ch
edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStoreKeyPassword = $KEYPASS
edu.internet2.middleware.shibboleth.hs.HandleServlet.certAlias = domain.ch
edu.internet2.middleware.shibboleth.aa.AAServlet.authorityName = origin-server.domain.ch
edu.internet2.middleware.shibboleth.aa.AAServlet.passThruErrors = false
edu.internet2.middleware.shibboleth.aa.attrresolv.AttributeResolver.ResolverConfig = file:///etc/opt/jakarta-tomcat-4.1.27-LE-jdk14/shibboleth/resolver.xml
edu.internet2.middleware.shibboleth.aa.arp.ArpRepository.implementation = edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository
edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository.Path = file:///etc/opt/jakarta-tomcat-4.1.27-LE-jdk14/shibboleth/arps/
edu.internet2.middleware.shibboleth.aa.arp.BaseArpRepository.ArpTTL = 300
edu.internet2.middleware.shibboleth.hs.HandleRepository.implementation = edu.internet2.middleware.shibboleth.hs.provider.MemoryHandleRepository
edu.internet2.middleware.shibboleth.hs.BaseHandleRepository.handleTTL = 1000
edu.internet2.middleware.shibboleth.audiences = urn:mace:switch.ch:SWITCHaai:pilot
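A pre-flight check for the origin.properties file above, as an added example (not part of the SWITCH guide or of Shibboleth). It reads the property names used on the page and checks the points an editor would verify before starting Tomcat: the $STOREPASS/$KEYPASS placeholders have been replaced, the AA URL is https://, keyStoreKeyAlias and certAlias name the same entry, keyStorePath is a file:/// URL, passThruErrors is false and audiences is set. The script name, the 'check' argument and the minimal properties parser (first matching key, whitespace around '=' trimmed) are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the SWITCH guide): pre-flight check for
# origin.properties.  Property names are the guide's; the rules encode the
# guide's values and the two password placeholders it tells you to replace.
set -eu

HS=edu.internet2.middleware.shibboleth.hs.HandleServlet
AA=edu.internet2.middleware.shibboleth.aa.AAServlet

# prop FILE KEY: print the value of a Java-properties key (first match,
# whitespace around '=' trimmed); prints nothing if the key is absent.
prop() {
    key=$(printf '%s' "$2" | sed 's/[.]/\\./g')        # escape the dots for the regexp
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_origin_properties FILE: report every problem on stderr, return 1 if any.
check_origin_properties() {
    f=$1; rc=0
    fail() { printf '%s: %s\n' "$f" "$1" >&2; rc=1; }

    # Placeholders from the guide that were never replaced by real passwords.
    if grep -q -e '\$STOREPASS' -e '\$KEYPASS' "$f"; then
        fail 'password placeholders $STOREPASS/$KEYPASS still present'
    fi
    # The HS hands the browser to the AA URL: it must be TLS-protected.
    case "$(prop "$f" "$HS.AAUrl")" in
        https://*) ;;
        *) fail 'AAUrl is not an https:// URL' ;;
    esac
    # The signing key and the certificate sent along must be one keystore entry.
    [ -n "$(prop "$f" "$HS.keyStoreKeyAlias")" ] \
      && [ "$(prop "$f" "$HS.keyStoreKeyAlias")" = "$(prop "$f" "$HS.certAlias")" ] \
      || fail 'keyStoreKeyAlias and certAlias differ or are empty'
    case "$(prop "$f" "$HS.keyStorePath")" in
        file:///*) ;;
        *) fail 'keyStorePath is not a file:/// URL' ;;
    esac
    # Internal error details must not be passed through to targets.
    [ "$(prop "$f" "$AA.passThruErrors")" = false ] \
      || fail 'passThruErrors is not false'
    # The audience value names the federation the assertions are meant for.
    [ -n "$(prop "$f" edu.internet2.middleware.shibboleth.audiences)" ] \
      || fail 'audiences is empty'
    return $rc
}

# Usage: sh check-origin.sh check /etc/opt/.../shibboleth/origin.properties
case "${1:-}" in check) check_origin_properties "${2:?properties file}" ;; esac
```

Run it against the real file after editing and again after every change; a non-zero exit lists each finding, so a file with the placeholders still in place fails before Tomcat ever tries to open the keystore with the literal string '$STOREPASS'.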
/etc/opt/jakarta-tomcat-4.1.27-LE-jdk14/shibboleth/resolver.xml (see ORIG-4.a.i, ORIG-5.d)
---------------------------------------------------------------
Test the resolver config (ORIG-5.d.i)
------------------------
$ /opt/shibboleth-origin-1.1/bin/resolvertest --user=demouser --file=file:///etc/opt/jakarta-tomcat-4.1.27-LE-jdk14/shibboleth/resolver.xml