URL: http://www.switch.ch/aai/docs/shibboleth/SWITCH/1.1/origin/install-origin-1.1-debian.html
Authors: Patrik Schnellmann (Version > 1.0), Fabio Poroli (Version 1.0) - SWITCH
$Date: 2005/07/11 08:48:31 $
$Revision: 1.1.1.1 $ 

How To Install Shibboleth 1.1 Origin on Debian GNU/Linux 3.0 (woody)

This guide describes the Debian-specific installation and configuration for the SWITCHaai Federation. It complements the original Shibboleth 1.1 Origin Deployment Guide from Internet2. Please make sure you are familiar with the original documentation before following this document.
References to the original guide are marked as (see ORIG-chapter#).

Note: For general information about the deployment of Shibboleth within the SWITCHaai Federation, please consult the Deployment section of our website.

Note: If you want to join the AAI-Test Federation instead of the productive SWITCHaai Federation, please consult the AAI-Test Reconfiguration guide for information on how to reconfigure your Shibboleth origin.

1. Debian 3.0 Configuration

In order to deploy Shibboleth 1.1 Origin on Debian stable, some additional system configuration has to be done.

1.1 APT Configuration

Use Debian woody and set the default release and the cache limit for apt by adding the following two lines to the file /etc/apt/apt.conf:

APT::Default-Release "woody";
APT::Cache-Limit "8388608";

Debian 3.0 (woody) should be kept up to date, with the latest security patches installed (in particular for SSL support). A recommended APT configuration file /etc/apt/sources.list could contain the following entries:

# /etc/apt/sources.list: package resource list for APT
#
# Standard package sources for woody
#
deb http://mirror.switch.ch/ftp/mirror/debian/ woody main non-free contrib
deb http://mirror.switch.ch/ftp/mirror/debian-non-US/ woody/non-US main non-free contrib
#
# Standard source package sources for woody
#
deb-src http://mirror.switch.ch/ftp/mirror/debian/ woody main non-free contrib
deb-src http://mirror.switch.ch/ftp/mirror/debian-non-US/ woody/non-US main non-free contrib
#
# Security patches and updates
#
deb ftp://mirror.switch.ch/mirror/debian-security woody/updates main contrib non-free
deb http://security.debian.org/ woody/updates main contrib non-free

2. Shibboleth 1.1 Origin Installation

Shibboleth normally requires an Apache and a Java application server (Tomcat) installation. Apache acts as the SSL front end and provides the authentication mechanism. All authenticated requests pertinent to Shibboleth are then passed to Tomcat.

Apache's built-in authentication mechanism is the so-called basic or digest authentication, where a simple dialog window prompts the user for username and password. Even though this mechanism is reliable, it has some disadvantages:
  1. The dialog is not really customizable (i.e. only limited information can be shown to the user).
  2. If the user needs to access another resource, he needs to log in again.
  3. Before entering his credentials the user cannot easily identify the server he is connecting to, e.g. by inspecting the server certificate in the case of an HTTPS connection.
To avoid these issues, a single sign-on system (SSO) can be introduced. An SSO basically allows custom login pages; when the user successfully logs in, the SSO returns a session cookie that is stored in the browser's memory. If the user then wants to access another resource, the SSO checks for the cookie and, if it is present and valid, does not ask for username and password again.

A good overview of SSO systems is provided here by the Internet2 WebISO project.

Probably the most widely used SSO system is Pubcookie. Pubcookie is open-source software that Apache loads as a plugin module for user authentication.

The installation of Apache is not always required, as Tomcat can perform authentication and SSL encryption by itself. There are SSO systems for Tomcat as well. See the following guidelines for a Tomcat-only installation using the SSO system CAS from Yale University.

2.1 Requirements

2.1.1 Apache

Apache version 1.3.x or 2.0.x needs to be installed on the server; we used 1.3.x here as it is the default Apache version in the stable release of Debian 3.0. In order to use Shibboleth we need, however, two additional Apache modules: mod_ssl and mod_jk.

# apt-get install libapache-mod-ssl
# apt-get install libapache-mod-jk

2.1.2 Java

In order to deploy the Shibboleth Origin you need to install a Java Development Kit (JDK). As the JDK is not part of the Debian distribution, you can either download it from the Java home page and install it, or get a ready-made package using the apt tools.
After the installation of the JDK please remember to set the $JAVA_HOME variable according to the installation path:

export JAVA_HOME=/opt/j2sdk1.4.2_01

Also include $JAVA_HOME/bin and $JAVA_HOME/jre/bin in the $PATH variable. (This can be done in /etc/profile for instance.)

2.1.3 Tomcat (see ORIG-3.a)

Debian's stable Tomcat 4.0.4 is not sufficient. Using a Tomcat download mirror and following the Filesystem Hierarchy Standard, /opt is the right place to install it.

# cd /opt
# wget http://mirror.switch.ch/ftp/mirror/apache/dist/jakarta/tomcat-4/v4.1.29/bin/jakarta-tomcat-4.1.29-LE-jdk14.tar.gz
# tar xzvf jakarta-tomcat-4.1.29-LE-jdk14.tar.gz
# ln -s ./jakarta-tomcat-4.1.29-LE-jdk14 ./tomcat

2.1.4 Shibboleth Origin 1.1 (see ORIG-3.b)

This is the main Shibboleth Origin package.

# cd /opt
# wget http://www.switch.ch/aai/docs/shibboleth/internet2/1.1/shibboleth-origin-1.1.tar.gz
# tar xzvf shibboleth-origin-1.1.tar.gz

After this basic installation we need to copy the libraries (xalan, dom3-xml-apis, dom3-xercesImpl) that come with the Shibboleth tarball into the endorsed directory of the Java application server, so that Tomcat uses them instead of its own XML libraries:

# cd /opt/shibboleth-origin-1.1
# cp webApplication/WEB-INF/lib/xalan-2.4.1.jar ./endorsed/
# cp -p endorsed/* /opt/tomcat/common/endorsed/

2.2 Placement of the configuration files

Using a Java application server like Tomcat we need to build a war-file and then deploy it in the web application directory of the server. During this deployment all existing files in the directory are overwritten, including src/conf/origin.properties, the most important configuration file for Shibboleth. To avoid overwriting the critical files you have two possibilities:

1) Store the files in a separate directory that is not overwritten during deployment.
2) Keep all the original files in the Shibboleth home directory. Changing a file then requires building a new .war-file and deploying it again.

Our preferred choice was the first one: store the configuration files in the separate configuration directory

    /etc/opt/tomcat/shibboleth-origin-1.1

(following the Filesystem Hierarchy Standard using /etc/opt for storing the configuration files).
The following steps need to be performed to achieve this.
  1. Edit the file /opt/shibboleth-origin-1.1/webAppConfig/origin.xml (this file will be translated to WEB-INF/web.xml during the build process) as follows:
    <!-- ... -->
    <servlet>
      <servlet-name>Logging Service</servlet-name>
      <servlet-class>edu.internet2.middleware.shibboleth.log.LogServ</servlet-class>
      <init-param>
        <param-name>log4jConfigFileLocation</param-name>
        <param-value>file:///etc/opt/tomcat/shibboleth-origin-1.1/log4j.properties</param-value>
      </init-param>
      <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet>
      <servlet-name>HS</servlet-name>
      <display-name>Shibboleth Handle Service</display-name>
      <servlet-class>edu.internet2.middleware.shibboleth.hs.HandleServlet</servlet-class>
      <init-param>
        <param-name>OriginPropertiesFile</param-name>
        <param-value>file:///etc/opt/tomcat/shibboleth-origin-1.1/origin.properties</param-value>
      </init-param>
    </servlet>
    <servlet>
      <servlet-name>AA</servlet-name>
      <display-name>Shibboleth Attribute Authority</display-name>
      <servlet-class>edu.internet2.middleware.shibboleth.aa.AAServlet</servlet-class>
      <init-param>
        <param-name>OriginPropertiesFile</param-name>
        <param-value>file:///etc/opt/tomcat/shibboleth-origin-1.1/origin.properties</param-value>
      </init-param>
    </servlet>
    <!-- ... -->

  2. Move the configuration files into the separate directory /etc/opt/tomcat/shibboleth-origin-1.1:
    # mkdir -p /etc/opt/tomcat/shibboleth-origin-1.1
    # mv /opt/shibboleth-origin-1.1/src/conf/* /etc/opt/tomcat/shibboleth-origin-1.1/
    # rmdir /opt/shibboleth-origin-1.1/src/conf
  3. (Optional) Edit the build script
    /opt/shibboleth-origin-1.1/build.xml
    so that the configuration files are no longer copied into the war-file. For this purpose change the Ant target compile in the following way:

    ...
    <target name="compile" depends="init">
    <javac srcdir="${src}" destdir="${build}" includes="**/*.java" debug="on">
    <classpath refid="build.path" />
    </javac>
    <copy todir="${build}/schemas">
    <fileset dir="${src}/schemas"/>
    </copy>
    </target>
    ...

At this point we are ready to deploy and configure Shibboleth Origin.

2.3 Shibboleth Deployment

In order to deploy Shibboleth you now need to build the war-file using Ant:

# cd /opt/shibboleth-origin-1.1
# ./ant build-util
# ./ant dist-origin
# cp -p dist/shibboleth.war /opt/tomcat/webapps/

2.4 Shibboleth Origin Configuration

The configuration of Shibboleth is a bit complex, as many files need to be configured correctly, especially for the security setup.
If you are not using Apache, we suggest following these steps as well, except for points 3 to 5 of section 2.4.1.

2.4.1 Starting from scratch with Apache security (see ORIG-5.c)

  1. Generate a RSA private key to be used in Apache:

    $ openssl genrsa -des3 -out SYSTEMNAME.enckey 1024


    It is normally a good idea to remove the pass phrase from the generated key, so that Apache can start without a pass phrase dialog; the unencrypted key file must then be readable by root only:

    $ openssl rsa -in SYSTEMNAME.enckey -out SYSTEMNAME.enckey

  2. Generate a certificate signing request (CSR) and send the output to the CA or RA for signing. Please remember to use your own server name as the "common name":

    $ openssl req -new -key SYSTEMNAME.enckey


  3. Move the private key SYSTEMNAME.enckey to /etc/apache/ssl.key and the received signed server certificate SYSTEMNAME.cer to /etc/apache/ssl.crt:

    $ mv SYSTEMNAME.enckey /etc/apache/ssl.key
    $ mv SYSTEMNAME.cer /etc/apache/ssl.crt

  4. Point the directives SSLCertificateKeyFile and SSLCertificateFile in the Apache configuration file /etc/apache/httpd.conf to the files above.

  5. Add the CA signer certificate ROOT_CERTIFICATE.cer to the bundle of known server certificates in /etc/apache/ssl.crt/ca-bundle.crt if it is not already there:

    $ cat ROOT_CERTIFICATE.cer >> /etc/apache/ssl.crt/ca-bundle.crt

2.4.2 Starting from scratch with Tomcat security (see ORIG-5.b)

The certificate and the key used for Shibboleth/Tomcat can be shared with Apache. To achieve this we need to duplicate the key generated for Apache into a Java keystore.

Start with an empty Java keystore. Create a new keystore using the following command (use your own keystore password STOREPASS):

$ keytool -genkey -v -alias aaaa -keystore keystore.jks -storepass STOREPASS

and then remove the alias "aaaa" from the keystore again:

$ keytool -delete -alias aaaa -keystore keystore.jks

In the following, substitute SYSTEMNAME with your host's FQDN (fully qualified domain name).
  1. To re-use the existing Apache SSL key, re-encode the private key generated for the Apache installation from PEM into PKCS8/DER (do not encrypt the output) so that it can be imported into the keystore later on:

    $ openssl pkcs8 -in SYSTEMNAME.enckey -topk8 -nocrypt -outform DER -out /tmp/SYSTEMNAME.der.pkcs8

  2. Add the PKCS8/DER encoded (unencrypted) private key together with the server certificate and the CA signer certificate (for SWITCHaai you can use this certificate) to the empty keystore, using your own key password KEYPASS (Note: if you use Tomcat - and you will - KEYPASS and STOREPASS have to be the same!):

    $ cd /etc/opt/tomcat/shibboleth-origin-1.1
    $ export SHIB_HOME=/opt/shibboleth-origin-1.1
    $ cat SYSTEMNAME.cer ROOT_CERTIFICATE.cer > /tmp/cert.bundle
    $ /opt/shibboleth-origin-1.1/bin/extkeytool -importkey \
      -keystore keystore.jks -storepass STOREPASS -alias SYSTEMNAME \
      -keyfile /tmp/SYSTEMNAME.der.pkcs8 -keypass KEYPASS \
      -certfile /tmp/cert.bundle \
      -provider org.bouncycastle.jce.provider.BouncyCastleProvider

  3. Tomcat needs to trust the signer CA. For this reason we need to add the signer CA certificate ROOT_CERTIFICATE.cer to the Java $JAVA_HOME/jre/lib/security/cacerts file:

    $ openssl x509 -in ROOT_CERTIFICATE.cer -out ROOT_CERTIFICATE.cer.der -outform DER
    $ keytool -import -trustcacerts -alias xxxx -keystore $JAVA_HOME/jre/lib/security/cacerts -file ROOT_CERTIFICATE.cer.der

    For the alias xxxx you would typically use a short name for the Certification Authority such as switchserverca.

  4. Now, you might want to remove the unencrypted private key file /tmp/SYSTEMNAME.der.pkcs8, which is no longer needed once the key is in the keystore.
The keystore is now ready to use.

2.4.3 Check configuration files

In Appendix A you can find a list of configuration files as used on our systems.

After that you can start your Apache/Tomcat servers in the usual way.

Appendix

A1. File  /opt/tomcat/conf/server.xml (see ORIG-3.b.7)

<Server port="8005" shutdown="SHUTDOWN" debug="0">
<Service name="Tomcat-Standalone">
<Connector className="org.apache.ajp.tomcat4.Ajp13Connector" port="8009"
minProcessors="5" maxProcessors="75" acceptCount="10" debug="0"
address="127.0.0.1" tomcatAuthentication="false"/>
<Engine name="Standalone" defaultHost="localhost" debug="0">
<Logger className="org.apache.catalina.logger.FileLogger"
prefix="catalina_log." suffix=".txt" timestamp="true"/>
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
debug="0" resourceName="UserDatabase"/>
<Host name="localhost" debug="0" appBase="webapps" unpackWARs="true">
<Valve className="org.apache.catalina.valves.AccessLogValve"
directory="logs" prefix="localhost_access_log." suffix=".txt"
pattern="common" resolveHosts="false"/>
<Logger className="org.apache.catalina.logger.FileLogger"
directory="logs" prefix="localhost_log." suffix=".txt"
timestamp="true"/>
</Host>
</Engine>
</Service>
</Server>

A2. File /etc/opt/tomcat/shibboleth/arps/arp.site.xml (see ORIG-5.b.)

In this example, all the attributes specified are released to any target. See our attribute specification (PDF, 411 kB).

<?xml version="1.0" encoding="UTF-8"?>
<AttributeReleasePolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="urn:mace:shibboleth:arp:1.0"
    xsi:schemaLocation="urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd">
  <Description>Example release policy permitting mandatory attributes.</Description>
  <Rule>
    <Target>
      <AnyTarget/>
    </Target>
    <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonUniqueID">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:sn">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:givenName">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonDateOfBirth">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonGender">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:preferredLanguage">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:mail">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:homePostalAddress">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:postalAddress">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:homePhone">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:telephoneNumber">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:mobile">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganization">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganizationType">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch1">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch2">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch3">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonStudyLevel">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonStaffCategory">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgDN">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement">
      <AnyValue release="permit"/>
    </Attribute>
  </Rule>
</AttributeReleasePolicy>
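The following Python is an added example (not part of this guide or of the Shibboleth distribution) that evaluates an ARP in the format above for one requesting target, so that you can see which attributes the AA would release before the policy goes live. It assumes the Shibboleth 1.x ARP semantics that a value is released when an applicable rule permits it and no applicable rule denies it, and it matches Requester elements by exact string comparison; the policy and the attribute values are constructed for the example.

```python
"""Evaluate a Shibboleth 1.x Attribute Release Policy (ARP) for one requester."""
import xml.etree.ElementTree as ET

ARP_NS = "urn:mace:shibboleth:arp:1.0"


def _q(tag):
    """Namespace-qualify an ARP element name for ElementTree."""
    return "{%s}%s" % (ARP_NS, tag)


# Constructed sample policy: a site-wide rule releases three attributes to
# any target, a second rule denies the birth date to one specific target.
SAMPLE_ARP = """
<AttributeReleasePolicy xmlns="urn:mace:shibboleth:arp:1.0">
  <Description>Constructed example policy.</Description>
  <Rule>
    <Target><AnyTarget/></Target>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonDateOfBirth">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement">
      <Value release="permit">urn:mace:example.org:entitlement:library</Value>
    </Attribute>
  </Rule>
  <Rule>
    <Target><Requester>https://sp.example.org/shibboleth</Requester></Target>
    <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonDateOfBirth">
      <AnyValue release="deny"/>
    </Attribute>
  </Rule>
</AttributeReleasePolicy>
"""

# Constructed attributes as the resolver would deliver them for one user.
SAMPLE_ATTRIBUTES = {
    "urn:mace:dir:attribute-def:eduPersonAffiliation": ["student"],
    "urn:mace:switch.ch:attribute-def:swissEduPersonDateOfBirth": ["1980-01-01"],
    "urn:mace:dir:attribute-def:eduPersonEntitlement": [
        "urn:mace:example.org:entitlement:library",
        "urn:mace:example.org:entitlement:admin"],
    "urn:mace:dir:attribute-def:mail": ["user@domain.ch"],
}


def rule_applies(rule, requester):
    """True if the rule's Target covers the requesting provider (exact match)."""
    target = rule.find(_q("Target"))
    if target is None:
        return False
    if target.find(_q("AnyTarget")) is not None:
        return True
    return any(req.text and req.text.strip() == requester
               for req in target.findall(_q("Requester")))


def filter_attributes(arp_xml, requester, attributes):
    """Return {name: [values]} that the ARP releases to `requester`.

    A value is released when some applicable rule permits it (AnyValue or a
    matching Value) and no applicable rule denies it: deny wins over permit.
    """
    root = ET.fromstring(arp_xml)
    permitted, denied = {}, {}          # name -> set of values, or None for any
    for rule in root.findall(_q("Rule")):
        if not rule_applies(rule, requester):
            continue
        for attr in rule.findall(_q("Attribute")):
            name = attr.get("name")
            for node in attr:
                release = node.get("release")
                if release not in ("permit", "deny"):
                    continue
                bucket = permitted if release == "permit" else denied
                if node.tag == _q("AnyValue"):
                    bucket[name] = None
                elif node.tag == _q("Value") and bucket.get(name, set()) is not None:
                    bucket.setdefault(name, set()).add((node.text or "").strip())
    released = {}
    for name, values in attributes.items():
        if name not in permitted:
            continue                     # attributes without a permit never leave
        kept = []
        for value in values:
            allowed = permitted[name] is None or value in permitted[name]
            if name in denied and (denied[name] is None or value in denied[name]):
                allowed = False
            if allowed:
                kept.append(value)
        if kept:
            released[name] = kept
    return released


if __name__ == "__main__":
    for sp in ("https://other.example.net/shibboleth", "https://sp.example.org/shibboleth"):
        print(sp, "->", filter_attributes(SAMPLE_ARP, sp, SAMPLE_ATTRIBUTES))
```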

A3. File /etc/tomcat/jk/workers.properties (no changes) (see ORIG-3.b.6)

workers.tomcat_home=/usr/share/tomcat
ps=/
worker.list=ajp12, ajp13
worker.ajp12.port=8007
worker.ajp12.host=localhost
worker.ajp12.type=ajp12
worker.ajp12.lbfactor=1
worker.ajp13.port=8009
worker.ajp13.host=localhost
worker.ajp13.type=ajp13
worker.ajp13.lbfactor=1
worker.loadbalancer.type=lb
worker.loadbalancer.balanced_workers=ajp12, ajp13
worker.inprocess.class_path=$(workers.tomcat_home)$(ps)lib$(ps)tomcat.jar
worker.inprocess.cmd_line=start
worker.inprocess.stdout=$(workers.tomcat_home)$(ps)logs$(ps)inprocess.stdout
worker.inprocess.stderr=$(workers.tomcat_home)$(ps)logs$(ps)inprocess.stderr

A4. /etc/apache/httpd.conf (see ORIG-3.b.6, ORIG-3.b.8, ORIG-4.c)

mod_ssl configuration

Global configuration

LoadModule ssl_module /usr/lib/apache/1.3/mod_ssl.so

# The whole SSL configuration in this context applies both to
# the main server and all SSL-enabled virtual hosts.
# We surround the directives with <IfModule> .. </Ifmodule>, so that Apache
# will keep a valid configuration even if mod_ssl is ever removed.
<IfModule mod_ssl.c>
# These will make apache listen to port 443 in addition to the
# standard port 80. HTTPS requests use port 443.
Listen 80
Listen 443
# Some MIME-types for downloading Certificates and CRLs
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First either `none'
# or `dbm:/path/to/file' for the mechanism to use and
# second the expiring timeout (in seconds).
#SSLSessionCache none
SSLSessionCache dbm:/var/run/mod_ssl_scache
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex file:/var/run/mod_ssl_mutex
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
# Logging:
# The home of the dedicated SSL protocol logfile. Errors are
# additionally duplicated in the general error log file. Put
# this somewhere where it cannot be used for symlink attacks on
# a real server (i.e. somewhere where only root can write).
# Log levels are (ascending order: higher ones include lower ones):
# none, error, warn, info, trace, debug.
SSLLog /var/log/apache/ssl_engine.log
SSLLogLevel info
</IfModule>

Virtual Host configuration

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine On
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A test
# certificate can be generated with `make certificate' under
# built time. Keep in mind that if you've both a RSA and a DSA
# certificate you can configure both in parallel (to also allow
# the use of DSA ciphers, etc.)
SSLCertificateFile /etc/apache/ssl.crt/HOST.DOMAIN.CH.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/apache/ssl.key/HOST.DOMAIN.CH.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
SSLCertificateChainFile /etc/apache/ssl.crt/CAKEYCHAIN.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/apache/ssl.crt
SSLCACertificateFile /etc/apache/ssl.crt/ca-bundle.crt
# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/apache/ssl.crl
#SSLCARevocationFile /etc/apache/ssl.crl/ca-bundle.crl
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
SSLVerifyDepth 10
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't
# wait for the close notify alert from client. When you need a
# different shutdown approach you can use one of the following
# variables:
# ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed,
# i.e. no SSL close notify alert is send or allowed to received.
# This violates the SSL/TLS standard but is needed for some
# brain-dead browsers. Use this when you receive I/O errors
# because of the standard approach where mod_ssl sends the close
# notify alert.
# ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed,
# i.e. a SSL close notify alert is send and mod_ssl waits for the
# close notify alert of the client. This is 100% SSL/TLS standard
# compliant, but in practice often causes hanging connections with
# brain-dead browsers. Use this only for browsers where you know
# that their SSL implementation works correctly.
#
# NOTICE: Most problems of broken clients are also related to the
# HTTP keep-alive facility, so you usually additionally want to
# disable keep-alive for those clients, too. Use variable
# "nokeepalive" for this.
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>
</IfModule>

Note that the SSLCipherSuite line above is the mod_ssl default of the time; it still admits SSLv2 as well as export-grade (EXP) and LOW-strength ciphers, so on a production origin it should be restricted to strong ciphers.

mod_jk configuration

The following directives for instance configure a "basic authentication" via an LDAP server. There are, however, other authentication methods like Pubcookie or other SSO systems (CAS) as described above.

LoadModule jk_module /usr/lib/apache/1.3/mod_jk.so
LoadModule auth_ldap_module /usr/lib/apache/1.3/auth_ldap.so

<Location /shibboleth/AA>
SSLOptions +StdEnvVars +ExportCertData
</Location>

<Location /shibboleth/HS>
AuthType Basic
AuthName "HS"
AuthLDAPURL ldap://ldap-server.domain.ch:389/o=domain,c=CH?uid?sub?(objectClass=*)
require valid-user
</Location>

<IfModule mod_jk.c>
JkWorkersFile /etc/tomcat/jk/workers.properties
JkLogFile "/var/log/apache/mod_jk.log"
JkLogLevel debug
JkMount /shibboleth/* ajp13
</IfModule>

A5. /etc/opt/tomcat/shibboleth/origin.properties (see ORIG-4.a, ORIG-5.a)

Remember to replace $STOREPASS and $KEYPASS with your own passwords.
edu.internet2.middleware.shibboleth.hs.HandleServlet.issuer=origin-server.domain.ch
edu.internet2.middleware.shibboleth.hs.HandleServlet.siteName=urn:mace:switch.ch:SWITCHaai:pilot:domain.ch
edu.internet2.middleware.shibboleth.hs.HandleServlet.AAUrl=https://origin-server.domain.ch/shibboleth/AA
edu.internet2.middleware.shibboleth.hs.HandleServlet.username=REMOTE_USER
edu.internet2.middleware.shibboleth.hs.HandleServlet.authMethod=urn:oasis:names:tc:SAML:1.0:am:password
edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStorePath=file:///etc/opt/tomcat/shibboleth/keystore.jks
edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStorePassword=$STOREPASS
edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStoreKeyAlias=SYSTEMNAME
edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStoreKeyPassword=$KEYPASS
edu.internet2.middleware.shibboleth.hs.HandleServlet.certAlias=domain.ch
edu.internet2.middleware.shibboleth.aa.AAServlet.authorityName=origin-server.domain.ch
edu.internet2.middleware.shibboleth.aa.AAServlet.passThruErrors=false
edu.internet2.middleware.shibboleth.aa.attrresolv.AttributeResolver.ResolverConfig=file:///etc/opt/tomcat/shibboleth/resolver.xml
edu.internet2.middleware.shibboleth.aa.arp.ArpRepository.implementation=edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository
edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository.Path=file:///etc/opt/tomcat/shibboleth/arps/
edu.internet2.middleware.shibboleth.aa.arp.BaseArpRepository.ArpTTL=300
edu.internet2.middleware.shibboleth.hs.HandleRepository.implementation=edu.internet2.middleware.shibboleth.hs.provider.MemoryHandleRepository
edu.internet2.middleware.shibboleth.hs.BaseHandleRepository.handleTTL=1000
edu.internet2.middleware.shibboleth.audiences=urn:mace:switch.ch:SWITCHaai:pilot
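As an added example (not part of this guide or of the Shibboleth distribution), the following Python checks an origin.properties file against the constraints stated in section 2.4.2 and in this appendix before the war-file is deployed: the key and store passwords must be identical under Tomcat, keyStoreKeyAlias must be the alias given to extkeytool, the path properties must be file: URLs, the AAUrl must be HTTPS on the issuer host, and passThruErrors should stay false so that internal AA errors are not returned to targets. The sample properties are constructed (with placeholder passwords) and deliberately contain two mistakes; the parser is a minimal .properties reader written for this example.

```python
"""Consistency checks for a Shibboleth 1.1 origin.properties (added example)."""
from urllib.parse import urlsplit

HS = "edu.internet2.middleware.shibboleth.hs.HandleServlet."
AA = "edu.internet2.middleware.shibboleth.aa.AAServlet."
RESOLVER = "edu.internet2.middleware.shibboleth.aa.attrresolv.AttributeResolver.ResolverConfig"
ARP_PATH = "edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository.Path"

# Constructed sample in the layout of Appendix A5; passwords are placeholders.
# It deliberately has two mistakes: differing passwords and passThruErrors=true.
SAMPLE_PROPERTIES = """\
# origin.properties (constructed sample)
edu.internet2.middleware.shibboleth.hs.HandleServlet.issuer=origin-server.domain.ch
edu.internet2.middleware.shibboleth.hs.HandleServlet.AAUrl=https://origin-server.domain.ch/shibboleth/AA
edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStorePath=file:///etc/opt/tomcat/shibboleth/keystore.jks
edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStorePassword=STOREPASS-placeholder
edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStoreKeyAlias=origin-server.domain.ch
edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStoreKeyPassword=KEYPASS-placeholder
edu.internet2.middleware.shibboleth.aa.AAServlet.authorityName=origin-server.domain.ch
edu.internet2.middleware.shibboleth.aa.AAServlet.passThruErrors=true
edu.internet2.middleware.shibboleth.aa.attrresolv.AttributeResolver.ResolverConfig=\\
    file:///etc/opt/tomcat/shibboleth/resolver.xml
edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository.Path=file:///etc/opt/tomcat/shibboleth/arps/
"""


def parse_properties(text):
    """Minimal Java .properties reader: comments, key=value (or key:value)
    and backslash line continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]          # continued on the next line
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def check_origin_properties(props, keystore_alias):
    """Return a list of findings; an empty list means the file is consistent.

    keystore_alias is the alias given to `extkeytool -importkey` (SYSTEMNAME
    in section 2.4.2), so that the HS can find the key that was imported.
    """
    findings = []
    get = props.get
    # Section 2.4.2: under Tomcat the key password must equal the store password.
    if get(HS + "keyStorePassword") != get(HS + "keyStoreKeyPassword"):
        findings.append("keyStorePassword and keyStoreKeyPassword differ")
    if get(HS + "keyStoreKeyAlias") != keystore_alias:
        findings.append("keyStoreKeyAlias %r is not the alias imported into the keystore (%r)"
                        % (get(HS + "keyStoreKeyAlias"), keystore_alias))
    # The servlets load these locations as URLs (the guide uses file:/// throughout).
    for key in (HS + "keyStorePath", RESOLVER, ARP_PATH):
        value = get(key, "")
        if not value.startswith("file:"):
            findings.append("%s should be a file: URL, got %r" % (key.rsplit(".", 1)[-1], value))
    # The AA URL handed out with each handle must be HTTPS; Appendix A5 uses the
    # issuer host name for it, so a different host is flagged for review.
    aa_url = urlsplit(get(HS + "AAUrl", ""))
    issuer = get(HS + "issuer")
    if aa_url.scheme != "https":
        findings.append("AAUrl is not https")
    if aa_url.hostname != issuer:
        findings.append("AAUrl host %r differs from issuer %r" % (aa_url.hostname, issuer))
    # Passing internal AA exceptions through to targets leaks implementation detail.
    if get(AA + "passThruErrors", "false").lower() != "false":
        findings.append("passThruErrors should be false")
    return findings


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for finding in check_origin_properties(props, "origin-server.domain.ch"):
        print("FINDING:", finding)
```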

A6. /etc/opt/tomcat/shibboleth/resolver.xml (see ORIG-4.a.i, ORIG-5.d)

<AttributeResolver xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="urn:mace:shibboleth:resolver:1.0"
xsi:schemaLocation="urn:mace:shibboleth:resolver:1.0 shibboleth-resolver-1.0.xsd">

<SimpleAttributeDefinition id="urn:mace:switch.ch:attribute-def:swissEduPersonUniqueID">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:sn">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:givenName">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:switch.ch:attribute-def:swissEduPersonDateOfBirth">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:switch.ch:attribute-def:swissEduPersonGender">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:preferredLanguage">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:mail">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:homePostalAddress">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:postalAddress">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:homePhone">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:telephoneNumber">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:mobile">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganization">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganizationType">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonAffiliation">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch1">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch2">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch3">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:switch.ch:attribute-def:swissEduPersonStudyLevel">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:switch.ch:attribute-def:swissEduPersonStaffCategory">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonOrgDN">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonOrgUnitDN">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonEntitlement">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>

<JNDIDirectoryDataConnector id="directory">
<Search filter="uid=%PRINCIPAL%">
<Controls searchScope="SUBTREE_SCOPE" returningObjects="false" />
</Search>
<Property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
<Property name="java.naming.provider.url" value="ldap://ldap-server.domain.ch:389/O=domain,C=ch" />
<!--
<Property name="java.naming.security.principal" value="CN=admin,O=domain,C=ch" />
-->
<!--
<Property name="java.naming.security.credentials" value="examplePassword" />
-->
</JNDIDirectoryDataConnector>

</AttributeResolver>
In order to test the resolver configuration (ORIG-5.d.i) you can use the following tool shipped with Shibboleth:

$ /opt/shibboleth-origin-1.1/bin/resolvertest --user=demouser --file=file:///etc/opt/tomcat/shibboleth/resolver.xml
--
$Id: install-origin-1.1-debian.html,v 1.1.1.1 2005/07/11 08:48:31 schnell Exp $