Moving Shibboleth IdP to a RHEL virtual machine at the University of Canterbury
From BeSTGRID
This page documents how the University of Canterbury Shibboleth IdP was moved from a CentOS based system (a blade) to a new RHEL based system (a VMware virtual machine). The process involved reinstalling the IdP from scratch, reusing configuration files from the old IdP. This page documents all the steps that were necessary on the new IdP, including all configuration done there.
Preliminary installation steps
- Get a RHN account (Bill Rea) and register with
rhn-register
- Update the system
yum update
- Install necessary packages (utilities, and what would be needed to compile & install Shibboleth-SP)
yum install ntp mc openldap-servers openldap-clients gcc gcc-c++ compat-gcc-34 compat-gcc-34-c++ curl-devel httpd-devel httpd
yum install kernel-devel tomcat5
- Install Sun Java 6 and make it the default Java alternative:
sh jdk-6u7-linux-i586-rpm.bin
export JAVA_HOME=/usr/java/latest
alternatives --install /usr/bin/java java $JAVA_HOME/bin/java 16007 \
  --slave /usr/bin/rmiregistry rmiregistry $JAVA_HOME/bin/rmiregistry \
  --slave /usr/share/man/man1/java.1 java.1 $JAVA_HOME/man/man1/java.1 \
  --slave /usr/share/man/man1/rmiregistry.1 rmiregistry.1 $JAVA_HOME/man/man1/rmiregistry.1 \
  --slave /usr/lib/jvm/jre jre $JAVA_HOME/jre \
  --slave /usr/lib/jvm-exports/jre jre_exports $JAVA_HOME/jre/lib \
  --slave /usr/bin/keytool keytool $JAVA_HOME/bin/keytool \
  --slave /usr/bin/rmic rmic $JAVA_HOME/bin/rmic \
  --slave /usr/bin/javah javah $JAVA_HOME/bin/javah \
  --slave /usr/bin/javadoc javadoc $JAVA_HOME/bin/javadoc \
  --slave /usr/bin/javac javac $JAVA_HOME/bin/javac \
  --slave /usr/bin/jarsigner jarsigner $JAVA_HOME/bin/jarsigner \
  --slave /usr/bin/jar jar $JAVA_HOME/bin/jar \
  --slave /usr/lib/jvm/java java_sdk $JAVA_HOME \
  --slave /usr/lib/jvm-exports/java java_sdk_exports $JAVA_HOME/lib
- Set up NTP:
- Edit /etc/ntp.conf to use only the local Canterbury server (and comment out the RHEL pool servers):
server clock1.canterbury.ac.nz
- Enable and start ntpd:
chkconfig ntpd on
service ntpd start
Archiving old configuration
- Archive everything relevant on the old IdP with tar and copy the tarball (idp-move.tar) to the new IdP:
/etc/httpd/conf.d
/etc/certs
/etc/cron.hourly
/usr/local/shibboleth-*            # autograph, idp, idp-backup
/var/lib/tomcat5/common/endorsed
/var/lib/tomcat5/webapps
/root                              # bin,cert,inst,work
/etc/profile.d                     # java.sh, shib.sh
tar cf idp-move.tar /etc/httpd/conf.d/ /etc/certs/ /etc/cron.hourly/ /usr/local/shibboleth-* /var/lib/tomcat5/common/endorsed* /var/lib/tomcat5/webapps/ /root/{bin,cert,inst,work} /etc/profile.d/
- Hmmm... better recompile Shibboleth; the old IdP had just version 1.3.2, we should use 1.3.3, which is available now.
Network address considerations
- For testing, already use the target hostname idp.canterbury.ac.nz, and add it to /etc/hosts:
132.181.39.162 idp.canterbury.ac.nz
- But keep the DHCP registration as "ucidp": /etc/sysconfig/network-scripts/ifcfg-eth0 contains
DHCP_HOSTNAME=ucidp
Shibboleth 1.3.3 installation
- Start installing Shibboleth 1.3.3 following the MAMS recipe, reusing existing files where applicable. Install the new Autograph.
- Create the environment file /etc/profile.d/shib.sh:
export SHIB_HOME=/usr/local/shibboleth-idp
export SHIB_SP_HOME=/usr/local/shibboleth-sp
- Create environment file: /etc/profile.d/java.sh:
export JAVA_HOME=/usr/java/latest
- Update tomcat endorsed jars: resolver.jar xalan.jar xercesImpl.jar xml-apis.jar
- remove [jaxp_parser_impl].jar and [xml-commons-apis].jar (symlinks to /usr/share/java)
- copy shibboleth-1.3.3/endorsed into /var/lib/tomcat5/common/endorsed
- Install Shibboleth-idp: run
cd ~/work/shibboleth-1.3.3-install
./ant
accept all defaults, and enter /var/lib/tomcat5 as the Tomcat directory.
- Stop here and start installing ShARPE, following MAMS ShARPE recipe
Installing ShARPE
- Modify Shib-Idp build.xml and custom/extensions-build.xml javac language version from 1.4 to 1.5
- Invoke Ant - following the discussion at my ShARPE install page, the magic command is:
cd ~/work/ShARPE/
/root/work/apache-ant-1.7.1/bin/ant --noconfig -Dshib.src=/root/work/shibboleth-1.3.3-install
- Answer "y" to Attribute Mapping (and I believe it's ignored)
- Again enter /var/lib/tomcat5 as Tomcat home directory.
Back to IdP installation
- Now back to the IdP installation: certificates. Copy /etc/certs from the old IdP:
- aa-{cert,key}.pem - backend certificate
- host-{cert,key}.pem - front-end certificate
- CA/* - certification authorities
- metadata - certificates for metadata verification
- Enable SSL in Apache
- Install Apache SSL module
yum install mod_ssl
- Copy /etc/httpd/conf.d/ssl.conf over from old IdP.
- Listens at port 8443, leaves ssl engine initialization up to VirtualHosts
- Enable SSL virtual hosts
- Copy /etc/httpd/conf.d/shib-vhosts.conf over from old IdP
- Change IP address in VirtualHost definition from 132.181.2.17 (idp) to 132.181.39.42 (ucidp)
- Connect Apache to Tomcat AJP connector for /shibboleth-idp/*
- Using the ModProxy MAMS recipe
- Passing also ShARPE URLs
- Add the following to /etc/httpd/conf.d/proxy_ajp.conf
ProxyRequests Off
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
ProxyPass /shibboleth-idp ajp://localhost:8009/shibboleth-idp
ProxyPass /jsp-examples ajp://localhost:8009/jsp-examples
ProxyPass /ShARPE ajp://localhost:8009/ShARPE
ProxyPass /Autograph ajp://localhost:8009/Autograph
ProxyPass /SPDescription ajp://localhost:8009/SPDescription
- Check Tomcat AJP configuration in /etc/tomcat5/server.xml - add the authentication="false" parameters to the 8009 Connector definition
<Connector port="8009" request.tomcatAuthentication="false" tomcatAuthentication="false" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
Metadata updates
- Set up metadata updates: copy the update scripts (idp-metadata and idp-bestgrid-metadata) from the old IdP into /etc/cron.hourly
Configuring the IdP
- Configure idp.xml: copy /usr/local/shibboleth-idp/etc/idp.xml over from old IdP
- Base idp.xml has not changed in shibboleth-1.3.3
- The idp.xml file copied over includes:
- idp hostname/entityId
- ShARPE ARP engine
- certificate locations
- metadata locations for Level2 and BeSTGRID
- No additional changes should be needed for ShARPE:
- idp.xml already uses the MAMSFileSystemArpRepository for ReleasePolicyEngine
- proxy_ajp.conf already maps ShARPE, SPDescription, and Autograph
- Configure LDAP resolver: copy /usr/local/shibboleth-idp/etc/resolver.ldap over from old IdP
- Configure ARP: copy over the "blank" /usr/local/shibboleth-idp/etc/arps/arp.site.xml from old IdP
- Install Autograph - upload new Autograph.war into /var/lib/tomcat/webapps and let Tomcat explode it
- Change ownership of IdP files:
chown -R tomcat:tomcat /usr/local/shibboleth-idp/
- Start Tomcat, let it explode WARs
service tomcat5 start
- Edit /etc/sysconfig/iptables and enable incoming ports 80,443,8443
service iptables reload
- Make Apache and Tomcat automatically start
chkconfig httpd on
chkconfig tomcat5 on
Installing Autograph
- Configure new Autograph
service tomcat5 stop
- No need to remove old autograph-redirection-switch.jar - it was never installed.
- Install new Autograph-SSO.jar into /var/lib/tomcat5/webapps/shibboleth-idp/WEB-INF/lib (and make it owned by tomcat)
- Copy /var/lib/tomcat5/webapps/ShARPE/WEB-INF/lib/commons-codec-1.3.jar into /var/lib/tomcat5/webapps/Autograph/WEB-INF/lib/commons-codec-1.3.jar to make the SHA Crosswalk function work
- Copy conf/crosswalkconfig.properties into /var/lib/tomcat5/webapps/Autograph/WEB-INF/classes to make crosswalk work.
- Would have to change ProtocolHandler in idp.xml from /SSO to /IdP - but that has been copied over with idp.xml
- For Autograph configuration, plan:
- Autograph homedir in /usr/local/shibboleth-autograph
- user profiles in /usr/local/shibboleth-autograph/userProfiles
- SPDs in /usr/local/shibboleth-autograph/SPDs
- Configure Autograph home:
- Move /var/lib/tomcat5/webapps/Autograph/WEB-INF/homeDir as /usr/local/shibboleth-autograph
- Edit /var/lib/tomcat5/webapps/Autograph/WEB-INF/web.xml
- Set AutographHome to /usr/local/shibboleth-autograph/
- Try DisplayAgreement = once (appears to work on idp-test)
- Set BlockOnNoService = false
- Copy over SPDs from old IdP (avcc.karen, dreamspark) into /usr/local/shibboleth-autograph/SPDs
- Leaving IAMConfiguration.xml and AttributeInfoPointData.xml intact (EPTID is already defined in the stock one)
- Copy over user profiles from old IdP into /usr/local/shibboleth-autograph/userProfiles
- Copy over user arps from old IdP into /usr/local/shibboleth-idp/etc/arps
- Include Autograph in SSO profile: edit webapps/shibboleth-idp/WEB-INF/web.xml
- context-param userProfileStorePath = /usr/local/shibboleth-autograph/userProfiles
- servlet AutographRedirectionSwitch
- servlet-mapping AutographRedirectionSwitch to /SSO
- Remap IdP servlet from /SSO to /IdP
- Resolve issues around conf/crosswalkconfig.properties:
- Edit /var/lib/tomcat5/webapps/shibboleth-idp/ShARPE/WEB-INF/classes/conf/crosswalkconfig.properties and expand the $IDP_HOME variable:
CrosswalkListFile=/usr/local/shibboleth-idp/etc/mams-core-crosswalk/crosswalk.properties
CrosswalkPath=/usr/local/shibboleth-idp/etc/mams-core-crosswalk/mapper/
Now make sure it also exists as:
/var/lib/tomcat5/webapps/Autograph/WEB-INF/classes/conf/crosswalkconfig.properties
/var/lib/tomcat5/webapps/ShARPE/WEB-INF/classes/conf/crosswalkconfig.properties
/var/lib/tomcat5/webapps/shibboleth-idp/WEB-INF/classes/conf/crosswalkconfig.properties
- Note: webapps/ShARPE/WEB-INF/classes/conf comes with a version which uses file:/usr/local.... let's keep an eye open on that.
Configuring Autograph admin login
- Protect only /Autograph/Login, not all of Autograph - otherwise, the admin's personal login would override the login-as feature.
- Autograph takes proper care and denies access that did not come through the login page
- It looks like luckily, the password is not "test".
- Let's try to change the password:
- Yes, works with
cd /var/lib/tomcat5/webapps/Autograph/WEB-INF/lib
java -classpath md5.jar:mams-websharpe.jar au.edu.mq.melcoe.mams.common.GenerateAdminPassword
java -classpath md5.jar:mams-websharpe.jar:/root/work/apache-ant-1.7.1/lib/ant.jar au.edu.mq.melcoe.mams.common.GenerateAdminPassword
- Works and produces the following output:
This utility will generate password for ShARPE
Please enter the password: secretpasswor
Your password is: "$1$ShARPE00$......................"
- Now, the Autograph admin login should work via /Autograph/view/adminLogin.jsp
- However, that doesn't work: the form redirects to /Autograph/Login, which requires a login that would authenticate at Apache level against the LDAP server. Once the user authenticates at Apache level, those credentials take over whatever was entered in the adminLogin form.
- Older versions of Autograph sent the admin login to /Autograph/AdminLogin - but that's not available in the new version of Autograph.
Issues to look at
- EPTID maybe broken - looks like it's the same for all SPs
HashFunction hashing: vladimir.mencl@canterbury.ac.nzaRequesterCanterbury ID seednull = 0BzDqgp9J1sDXvXuxzFh9vmAZSw
- ??? REQUEST_O_R ???? or will it just work when it's actually sent to a SP?
- OK: Works OK when passed to an SP in an assertion - but displays an incorrect value inside SP
- ResolverTest
- Copy over /root/bin/resolvertest-appendcp from old IdP. Use with
# assume SHIB_HOME=/usr/local/shibboleth-idp
export IDP_HOME=$SHIB_HOME
export CLASSPATH=/var/lib/tomcat5/webapps/shibboleth-idp/WEB-INF/classes/
resolvertest-appendcp --idpXml=file://$SHIB_HOME/etc/idp.xml --user=vme28 \
  --requester=urn:mace:federation.org.au:testfed:avcc.karen.net.nz \
  --responder urn:mace:federation.org.au:testfed:canterbury.ac.nz
Decompression Error
Sometimes, the SP SSL client fails with error:1408F06B:SSL routines:SSL3_GET_RECORD:bad decompression
This issue is already known in the Shibboleth community and elsewhere.
This is an OpenSSL bug, and a suggested remedy is to disable session caching.
While the Shibboleth project page has a fix to be implemented in the SP, it is only available in Shibboleth 2. For Shibboleth 1.3.x, the only way is to disable session caching in Apache: add the following to /etc/httpd/conf.d/ssl.conf:
SSLSessionCache none
Configuring additional attributes
Country and Organization
- Country and Organization are already (statically) defined in resolver.ldap.xml, but Country is not yet in Autograph: add the following to AttributeInfoPointData.xml
<Attribute id="urn:mace:dir:attribute-def:c" type="string">
<FriendlyName lang="en">country</FriendlyName>
<Description lang="en">no description</Description>
</Attribute>
Affiliation
- Need to update Crosswalk IF function with the update I got from Hung in order for old crosswalk to work for students.
- Let's now try a proper Scriptlet for all the features I needed
- YES it works - the following scriptlet definition:
<ScriptletAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonAffiliation">
  <AttributeDependency requires="urn:mace:canterbury:attribute:ucdeptcode"/>
  <AttributeDependency requires="urn:mace:canterbury:attribute:ucstudentid"/>
  <Scriptlet><![CDATA[
    ResolverAttribute deptCodeAttr = dependencies.getAttributeResolution("urn:mace:canterbury:attribute:ucdeptcode");
    ResolverAttribute studentIdAttr = dependencies.getAttributeResolution("urn:mace:canterbury:attribute:ucstudentid");
    String deptCodeStr = null;
    String studentIdStr = null;
    // take the first value of each dependency, if that attribute resolved at all
    if (deptCodeAttr != null) {
        Iterator i = deptCodeAttr.getValues();
        if (i.hasNext()) { deptCodeStr = (String)i.next(); }
    }
    if (studentIdAttr != null) {
        Iterator i = studentIdAttr.getValues();
        if (i.hasNext()) { studentIdStr = (String)i.next(); }
    }
    // compare by content with equals(): == on Strings is reference equality and
    // is only reliable for interned literals, not for values read from LDAP
    if ("MISC".equals(deptCodeStr)) {
        resolverAttribute.addValue("student");
        resolverAttribute.addValue("member");
    } else if ("EXTI".equals(deptCodeStr) || "EXTL".equals(deptCodeStr)) {
        if (studentIdStr != null) {
            resolverAttribute.addValue("alum");
        } else {
            resolverAttribute.addValue("affiliate");
        }
    } else if ("STAF".equals(deptCodeStr)) {
        resolverAttribute.addValue("affiliate");
    } else if (deptCodeStr != null) {
        /* a non-null deptcode that is not one of the special ones:
         * the user is a regular staff member */
        resolverAttribute.addValue("staff");
        resolverAttribute.addValue("member");
    }
  ]]></Scriptlet>
</ScriptletAttributeDefinition>
Notes:
- I'm adding also a member attribute value for Staff & Students (ie, not alum/affiliate)
- I'm switching eduPersonScopedAffiliation to use smartScope="canterbury.ac.nz"
<SimpleAttributeDefinition
id="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" smartScope="canterbury.ac.nz">
<AttributeDependency requires="urn:mace:dir:attribute-def:eduPersonAffiliation"/>
</SimpleAttributeDefinition>
- Add the same logic (without "member" and without scope) for primaryAffiliation
<ScriptletAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation">
  <AttributeDependency requires="urn:mace:canterbury:attribute:ucdeptcode"/>
  <AttributeDependency requires="urn:mace:canterbury:attribute:ucstudentid"/>
  <Scriptlet><![CDATA[
    ResolverAttribute deptCodeAttr = dependencies.getAttributeResolution("urn:mace:canterbury:attribute:ucdeptcode");
    ResolverAttribute studentIdAttr = dependencies.getAttributeResolution("urn:mace:canterbury:attribute:ucstudentid");
    String deptCodeStr = null;
    String studentIdStr = null;
    // take the first value of each dependency, if that attribute resolved at all
    if (deptCodeAttr != null) {
        Iterator i = deptCodeAttr.getValues();
        if (i.hasNext()) { deptCodeStr = (String)i.next(); }
    }
    if (studentIdAttr != null) {
        Iterator i = studentIdAttr.getValues();
        if (i.hasNext()) { studentIdStr = (String)i.next(); }
    }
    // same decision table as eduPersonAffiliation, but a single value and no "member";
    // equals() rather than == so that values read from LDAP compare correctly
    if ("MISC".equals(deptCodeStr)) {
        resolverAttribute.addValue("student");
    } else if ("EXTI".equals(deptCodeStr) || "EXTL".equals(deptCodeStr)) {
        if (studentIdStr != null) {
            resolverAttribute.addValue("alum");
        } else {
            resolverAttribute.addValue("affiliate");
        }
    } else if ("STAF".equals(deptCodeStr)) {
        resolverAttribute.addValue("affiliate");
    } else if (deptCodeStr != null) {
        /* a non-null deptcode that is not one of the special ones:
         * the user is a regular staff member */
        resolverAttribute.addValue("staff");
    }
  ]]></Scriptlet>
</ScriptletAttributeDefinition>
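The decision table that the eduPersonAffiliation and eduPersonPrimaryAffiliation scriptlets above encode, written out as an added example in shell (this is not code from the IdP, MAMS or the BeSTGRID page) so that the expected values can be checked against sample records before a changed scriptlet is deployed. The department codes (MISC, EXTI, EXTL, STAF) and the smartScope canterbury.ac.nz are taken from the definitions above; the function names and the sample records are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the page's own scriptlet: the affiliation decision table as
# shell functions, runnable against constructed sample records. Department codes
# and the smartScope come from the resolver definitions above; function names and
# the sample records are constructed for this example.

SCOPE=canterbury.ac.nz

# eduPersonAffiliation for a department code and a (possibly empty) student id.
# Prints one value per line; prints nothing when no department code is known,
# which is what the scriptlet does when the ucdeptcode attribute did not resolve.
affiliation() {
  deptcode=$1
  studentid=$2
  case "$deptcode" in
    '')        ;;                                 # no ucdeptcode: no affiliation
    MISC)      printf '%s\n' student member ;;
    EXTI|EXTL) if [ -n "$studentid" ]; then echo alum; else echo affiliate; fi ;;
    STAF)      echo affiliate ;;
    *)         printf '%s\n' staff member ;;      # any other code: regular staff
  esac
}

# eduPersonPrimaryAffiliation: the same table without the "member" value
primary_affiliation() {
  affiliation "$1" "$2" | sed '/^member$/d'
}

# eduPersonScopedAffiliation: every affiliation value with the smartScope appended
scoped_affiliation() {
  affiliation "$1" "$2" | sed "s/\$/@$SCOPE/"
}

# Space-joined form for one-line comparisons, e.g. "student member"
affiliations() {
  affiliation "$1" "$2" | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample records (uid:ucdeptcode:ucstudentid); not real accounts
SAMPLE_RECORDS='alice:MISC:12345678
bob:ENGR:
carol:EXTI:87654321
dave:EXTL:
erin:STAF:
frank::'

# Print "uid: affiliation(s)" for every sample record
report() {
  printf '%s\n' "$SAMPLE_RECORDS" | while IFS=: read -r uid dept sid; do
    printf '%s: %s\n' "$uid" "$(affiliations "$dept" "$sid")"
  done
}

report
```

Running the script prints one line per sample record; the useful check is the empty-ucdeptcode case (frank), for which neither scriptlet emits a value, and the EXTI/EXTL split between "alum" (student id present) and "affiliate" (no student id).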
Shared Token FAST: OBSOLETE
- Installing FAST
- Following ARCS IdP documentation and README inside FAST-idp.zip
- Download FAST-idp
wget http://www.mams.org.au/downloads/FAST-idp.zip
- Copy all jars into /var/lib/tomcat5/webapps/shibboleth-idp/WEB-INF/lib/
- Note: commons-codec-1.3.jar already exists
- A few other jars exist in different versions:
- commons-logging-1.03.jar (old) vs. commons-logging-1.1.jar (new)
- xmlsec-20050514.jar (old) vs. xmlsec-1.3.0.jar (new)
- Keeping so far both.
- Add the attribute definition to resolver.ldap.xml
- If no attribute dependency is provided, FAST will use just IdP and user identification - but that is perfectly sufficient.
<CustomAttributeDefinition id="urn:mace:federation.org.au:attribute:auEduPersonSharedToken"
class="au.edu.mq.melcoe.mams.fst.wsservice.SharedTokenAttrDef">
</CustomAttributeDefinition>
- Testing shared token:
- With resolvertest, I need to include all jars from /var/lib/tomcat5/webapps/shibboleth-idp/WEB-INF/lib/ in classpath - and then Yes, I do have a shared token attribute!
- With Autograph: define the attribute first in /usr/local/shibboleth-autograph/connectorConfigs/AttributeInfoPointData.xml
<Attribute id="urn:mace:federation.org.au:attribute:auEduPersonSharedToken" type="string">
<FriendlyName lang="en">shared token</FriendlyName>
<Description lang="en">no description</Description>
</Attribute>
- Testing on a SP: define the attribute in AAP.xml:
<AttributeRule Name="urn:mace:federation.org.au:attribute:auEduPersonSharedToken" Header="Shib-AuEduPerson-SharedToken">
<AnySite>
<AnyValue/>
</AnySite>
</AttributeRule>
- Restart shibd
- Testing in Autograph:
- Installing JARS the same as for IdP itself (similar case, commons-codec-1.3.jar and xalan-2.7.0.jar already exist, and xmlsec-20050514.jar already existed vs. new version xmlsec-1.3.0.jar)
- Works OK - except that I get a different value than inside the IdP.
- ShARPE ... looks like not really a point to do it now.
SharedToken: IMAST
- Based on the recommendation from ARCS, I have decided to switch from FAST to IMAST:
- Avoiding a single point of failure (and possible future bottleneck).
- Avoiding the need to rely on the SharedToken service (which has dropped the database a few times in the past, triggering a change of the SharedToken value for all users)
- IMAST will better fit IdMS processes in the future.
I was following the ARCS IMAST installation guidelines:
- Get IMAST source code
svn co https://projects.arcs.org.au/svn/systems/trunk/idp/imast
- Fix a bug: the code was ignoring the IDP_IDENTIFIER setting (and as Autograph does not provide a responder value, the attribute would not resolve in Autograph)
Index: SharedTokenAttrDef.java
===================================================================
--- SharedTokenAttrDef.java (revision 795)
+++ SharedTokenAttrDef.java (working copy)
@@ -75,7 +75,7 @@
String userIdentifier = this.getPrivateUniqueID(attributes,
imastProperties);
- String idpIdentifier = responder;
+ String idpIdentifier = imastProperties.getProperty("IDP_IDENTIFIER", responder);
String privateSeed = imastProperties
.getProperty("PRIVATE_SEED");
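Review bot: the new line at line 78 only helps when IDP_IDENTIFIER is actually present in imast.properties; when the property is absent and the caller passes no responder (the Autograph case described above), idpIdentifier is still null and the token is derived from a null identifier. Consider failing explicitly instead, e.g. `if (idpIdentifier == null) throw new IllegalStateException("IDP_IDENTIFIER not configured");` right after the assignment, and documenting in the properties file that the value feeds the token derivation, so changing it later changes every user's SharedToken.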
- Edit the configuration file (conf/imast.properties)
USER_IDENTIFIER=uid
# uid is non-reassignable, so we can rely just on that
# mail might change (in change of name), so let's not use it
IDP_IDENTIFIER=idp.canterbury.ac.nz
# entityId may change when AAF moves to production - let's use just the hostname
PRIVATE_SEED=private_seed
WORK_MODE=PNP
# we so far don't store the value in LDAP
- Build IMAST
ant
- Install arcs-imast-0.3.0.jar into WEB-INF/lib for shibboleth-idp, Autograph, and ShARPE
- Remove all files installed by FAST (see above)
- Add the attribute definition into resolver.ldap.xml (and remove the old FAST definition if still present)
<CustomAttributeDefinition id="urn:mace:federation.org.au:attribute:auEduPersonSharedToken"
class="au.org.arcs.imast.SharedTokenAttrDef">
<DataConnectorDependency requires="directory"/>
</CustomAttributeDefinition>
- Define the attribute also for Autograph if not defined yet - add the following to /usr/local/shibboleth-autograph/connectorConfigs/AttributeInfoPointData.xml
<Attribute id="urn:mace:federation.org.au:attribute:auEduPersonSharedToken" type="string">
<FriendlyName lang="en">shared token</FriendlyName>
<Description lang="en">no description</Description>
</Attribute>
- Restart IdP & Autograph
service tomcat5 restart
UC specific attributes
Defining ucdeptcode, ucstudentid, and uccourse and making them available via Autograph:
resolver.ldap.xml:
<SimpleAttributeDefinition
id="urn:mace:canterbury.ac.nz:attribute:ucdeptcode" sourceName="ucdeptcode">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition
id="urn:mace:canterbury.ac.nz:attribute:ucstudentid" sourceName="ucstudentid">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition
id="urn:mace:canterbury.ac.nz:attribute:uccourse" sourceName="uccourse">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
AttributeInfoPointData.xml:
<Attribute id="urn:mace:canterbury.ac.nz:attribute:ucdeptcode" type="string">
<FriendlyName lang="en">UC Department code</FriendlyName>
<Description lang="en">no description</Description>
</Attribute>
<Attribute id="urn:mace:canterbury.ac.nz:attribute:uccourse" type="string">
<FriendlyName lang="en">UC Course code</FriendlyName>
<Description lang="en">no description</Description>
</Attribute>
<Attribute id="urn:mace:canterbury.ac.nz:attribute:ucstudentid" type="string">
<FriendlyName lang="en">UC Student ID</FriendlyName>
<Description lang="en">no description</Description>
</Attribute>
Configuring the IdP for SLCS service
Configuring additional hosts
Because slcstest.arcs.org.au is only registered at Level 1, I had to manually add a mini-federation with the SLCS-test SP metadata:
- Add additional hosts into the federation (slcstest.arcs.org.au, registered only at Level 1)
- Create extra-metadata.xml - take level-1-metadata.xml and keep only
- Testbed Federation Level 1 CA's <ds:KeyInfo>
- <EntityDescriptor entityID="urn:mace:federation.org.au:testfed:vpac.org:slcstest.arcs.org.au">
- Change OrganizationDisplayName from "VPAC" to "VPAC SLCS server" to distinguish it in Autograph from other VPAC's entries.
- Include the file in idp.xml:
<MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
uri="file:/usr/local/shibboleth-idp/etc/extra-metadata.xml"/>
Configure a direct SSO URL
Because the new version of the Autograph redirection servlet always redirects to /Autograph/ConfigurationDecision, and automated tools may not be able to handle the sequence of redirects, it may be necessary to point them to /shibboleth-idp/IdP (instead of /shibboleth-idp/SSO), which goes straight to the IdP SSO login, bypassing the Autograph-related redirects.
The following configuration bits would define a new URL /shibboleth-idp/SSODirect, functionally equivalent to /shibboleth-idp/IdP. Do not define the new SSODirect URL; instead just use /shibboleth-idp/IdP.
- Add a new ProtocolHandler for /shibboleth-idp/SSODirect in idp.xml:
<ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.ShibbolethV1SSOHandler">
<Location>https?://[^:/]+(:(443|80))?/shibboleth-idp/SSODirect</Location>
</ProtocolHandler>
- And define a servlet mapping for the IdP servlet under this new URL in /var/lib/tomcat5/webapps/shibboleth-idp/WEB-INF/web.xml:
<servlet-mapping>
<servlet-name>IdP</servlet-name>
<url-pattern>/SSODirect</url-pattern>
</servlet-mapping>
- And protect this URL in /etc/httpd/conf.d/shib-vhosts.conf
<Location /shibboleth-idp/SSODirect>
- Finally, configure the SLCS client to use this new URL:
- edit etc/glite-slcs-ui/slcs-metadata.aaf.xml and change the SSO URL to /shibboleth-idp/SSODirect (twice).
- As said above, point the client just to /shibboleth-idp/IdP.
Testing the SLCS service
- Access the service via https://slcstest.arcs.org.au/SLCS/login
- If the service is still in Level 1 federation and your IdP is in Level 2, go to the Level 2 WAYF URL
- To test the certificate, fetch the CA cert attached to http://projects.arcs.org.au/trac/slcs-client/
- On my gateways:
- upload the CA certificate to ng2hpcdev and nggums
- On NGGUMS, configure Apache to send an empty list of CA names, so that the browser lets the user pick from all certificates.
# VLADIMIR: We need Apache not to send any CA names at all - sending all of the
# trusted CAs would trigger a bug and Apache would lock up. And sending only
# some of them would prevent users with certificates from other CAs from using
# their certificates - their browser would not offer that certificate.
# The safest thing to do is thus to send an empty list of CA names.
# And the only way to do that is to use the SSLCADNRequestPath directive
# pointing to an empty directory.
# It is safe to assume /opt/vdt/apache/conf won't contain any certificates...
SSLCADNRequestPath /opt/vdt/apache/conf
- Alternatively, I could list the likely-to-be-used CAs in the SSLCADNRequestFile directive: create /opt/vdt/apache/conf/extra/ssl-dn-list.pem containing APACGrid + ARCS SLCS CA certificates.
- Upload the CA certificate also to gridgwtest - so that client globusrun-ws trusts the user cert when connecting to Globus services.
Problems with the old IdP
- The SLCS server was failing with the old IdP with the following message - after successfully going through one Artifact resolution query.
2008-09-12 14:45:19 ERROR SAML.SAMLSOAPHTTPBinding [511] sessionNew: failed while contacting SAML responder: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad decompression
2008-09-12 14:45:19 ERROR shibd.Listener [511] sessionNew: caught exception while creating session: SOAPHTTPBindingProvider::send() failed while contacting SAML responder: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad decompression
- Wireshark shows the message to be "SSLv3 Alert: Decompression failure"
- This is documented as a known problem with decompression at http://www.davidpashley.com/blog/debian/libssl-bad-decompression
- However, updating openssl to openssl-0.9.8b-8.3.el5_0.2 did not help.
- However, this works with the new IdP (RHEL based, openssl-0.9.8b-10.el5)
Notes on testing
- I was getting no attributes at a remote SP: that is because the SP issues a query to the IdP's AA service, and it was ending on the wrong IdP.
- I had then still my query failing: that was because I used the IdP AA certificates for the test SP: that does not work, the AA certificates are marked as Server Only.
- Using the generic commercial front-end certificate for the test SP worked though...
- BeSTGRID federation metadata contained AVCC twice (for uc-avcc) and that confuses Autograph quite a lot: two entries under the same name, each configures a different ARP, and another name configures one of these two ARPs.
- Fixed: old entry removed.
- Signing policy "once" works, and redirection to Autograph works too
Issues to report
Autograph:
- adminLogin does not work.
- SPDs are being ignored?
- Autograph uses cookie based state control
Long-term TODO
- look at TomcatAuthentication
Preparing switchover
- Redirecting selected traffic to the new IdP:
- Forward ports 444 and 8444 via ssh to ucidp
ssh root@ucidp -L 444:ucidp.canterbury.ac.nz:443 -L 8444:ucidp.canterbury.ac.nz:8443 -o GatewayPorts=yes
- Redirect port 443 to 444 and 8443 to 8444 for selected hosts:
iptables -t nat -A PREROUTING -p tcp --src gridws2 --dport 443 -j REDIRECT --to-port 444
iptables -t nat -A PREROUTING -p tcp --src gridws2 --dport 8443 -j REDIRECT --to-port 8444
iptables -t nat -A PREROUTING -p tcp --src slcstest.arcs.org.au --dport 443 -j REDIRECT --to-port 444
iptables -t nat -A PREROUTING -p tcp --src slcstest.arcs.org.au --dport 8443 -j REDIRECT --to-port 8444
- Trying a proper NAT solution - so far fiddling with port 8448
- Enable IP forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
- Redirect all port 8448 traffic to port 8443 traffic at ucidp:
iptables -t nat -A PREROUTING -p tcp --dport 8448 -j DNAT --to-destination 132.181.39.42:8443
- And at the same time, do a source address translation so that the reply packets go back the same route
iptables -t nat -A POSTROUTING -p tcp -d 132.181.39.42 -j SNAT --to-source 132.181.2.17
- Now, for the real changeover, the only remaining step will be to redirect all traffic from ports 443 and 8443 to ucidp:
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 132.181.39.42:443
iptables -t nat -A PREROUTING -p tcp --dport 8443 -j DNAT --to-destination 132.181.39.42:8443
- Testing this: yes, selectively redirecting ports 443 and 8443 for traffic from gridws2 and slcstest.arcs.org.au works:
iptables -t nat -A PREROUTING -p tcp --src gridws2 --dport 8443 -j DNAT --to-destination 132.181.39.42:8443
iptables -t nat -A PREROUTING -p tcp --src gridws2 --dport 443 -j DNAT --to-destination 132.181.39.42:443
iptables -t nat -A PREROUTING -p tcp --src slcstest.arcs.org.au --dport 443 -j DNAT --to-destination 132.181.39.42:443
iptables -t nat -A PREROUTING -p tcp --src slcstest.arcs.org.au --dport 8443 -j DNAT --to-destination 132.181.39.42:8443
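The NAT switchover procedure above (enable forwarding, DNAT ports 443 and 8443 to ucidp for selected sources or for everything, SNAT so the replies come back through the old host), as an added example script that is not part of the original page. It generates the full rule set for any list of source hosts and only executes it when APPLY_NAT=1 is set, so the plan can be reviewed first. The addresses 132.181.2.17 (old IdP) and 132.181.39.42 (ucidp) and the hosts gridws2 and slcstest.arcs.org.au are from the page; the function names and the APPLY_NAT switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the page: builds the iptables NAT rule set for the
# switchover, i.e. PREROUTING DNAT of ports 443 and 8443 to the new IdP for the
# given source hosts (or "any" for all traffic), plus the single POSTROUTING
# SNAT rule that makes the new IdP's replies return through the old host.
# Addresses and hostnames are from the page; function names and the APPLY_NAT
# switch are this example's own. Nothing is applied unless APPLY_NAT=1.

OLD_IDP_IP=132.181.2.17    # old IdP, where these rules run
NEW_IDP_IP=132.181.39.42   # new IdP (ucidp)
IDP_PORTS="443 8443"       # Apache front end and the AA/artifact back end

# DNAT rules for one source host; "any" matches every source (the final changeover)
dnat_rules() {
  src=$1
  for port in $IDP_PORTS; do
    if [ "$src" = any ]; then
      match="--dport $port"
    else
      match="--src $src --dport $port"
    fi
    echo "iptables -t nat -A PREROUTING -p tcp $match -j DNAT --to-destination $NEW_IDP_IP:$port"
  done
}

# Without this SNAT the new IdP would answer the client directly, from an address
# the client never connected to, and the TCP session would break.
snat_rule() {
  echo "iptables -t nat -A POSTROUTING -p tcp -d $NEW_IDP_IP -j SNAT --to-source $OLD_IDP_IP"
}

# Complete plan: enable forwarding, one DNAT pair per source, SNAT once.
nat_plan() {
  echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
  for src in "$@"; do
    dnat_rules "$src"
  done
  snat_rule
}

# Number of iptables rules the plan contains (quick sanity check before applying)
rule_count() {
  nat_plan "$@" | grep -c '^iptables'
}

# Default to the two hosts the page redirects selectively; pass "any" for everything.
[ $# -gt 0 ] || set -- gridws2 slcstest.arcs.org.au

# Dry run by default: print the plan. Set APPLY_NAT=1 (as root) to execute it.
if [ "${APPLY_NAT:-0}" = 1 ]; then
  nat_plan "$@" | sh
else
  nat_plan "$@"
fi
```

Run it with no arguments to see the selective plan for gridws2 and slcstest.arcs.org.au (five rules), or with the single argument any to see the three rules of the final changeover; the SNAT rule is always emitted last and exactly once.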
