== Install Shibboleth ==

Since grinnell doesn't have access to any repositories with the Shibboleth RPMs, I manually downloaded the RPMs from here: http://download.opensuse.org/repositories/security://shibboleth/RHEL_6/x86_64/

{{{
libcurl-openssl-7.30.0-1.1.el6.x86_64.rpm
liblog4shib1-1.0.6-1.1.el6.x86_64.rpm
libsaml8-2.5.2-1.1.el6.x86_64.rpm
libxerces-c-3_1-3.1.1-2.4.el6.x86_64.rpm
libxml-security-c17-1.7.0-1.3.el6.x86_64.rpm
libxmltooling6-1.5.2-1.1.el6.x86_64.rpm
opensaml-schemas-2.5.2-1.1.el6.x86_64.rpm
shibboleth-2.5.1-1.2.el6.x86_64.rpm
xmltooling-schemas-1.5.2-1.1.el6.x86_64.rpm
}}}

Note that unixODBC was a dependency that I installed via yum. It had another dependency (libtool-ltdl) that was installed automatically.

{{{
[root@grinnell tmp]# yum install unixODBC
Loaded plugins: product-id, rhnplugin, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
This system is receiving updates from RHN Classic or RHN Satellite.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package unixODBC.x86_64 0:2.2.14-12.el6_3 will be installed
--> Processing Dependency: libltdl.so.7()(64bit) for package: unixODBC-2.2.14-12.el6_3.x86_64
--> Running transaction check
---> Package libtool-ltdl.x86_64 0:2.2.6-15.5.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================================
 Package              Arch          Version                  Repository                    Size
================================================================================================
Installing:
 unixODBC             x86_64        2.2.14-12.el6_3          rhel-x86_64-server-6         378 k
Installing for dependencies:
 libtool-ltdl         x86_64        2.2.6-15.5.el6           rhel-x86_64-server-6          44 k

Transaction Summary
================================================================================================
Install       2 Package(s)

Total download size: 422 k
Installed size: 0
Is this ok [y/N]: y
Downloading Packages:
(1/2): libtool-ltdl-2.2.6-15.5.el6.x86_64.rpm                            |  44 kB     00:00
(2/2): unixODBC-2.2.14-12.el6_3.x86_64.rpm                               | 378 kB     00:00
------------------------------------------------------------------------------------------------
Total                                                           1.9 MB/s | 422 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : libtool-ltdl-2.2.6-15.5.el6.x86_64                                           1/2
  Installing : unixODBC-2.2.14-12.el6_3.x86_64                                              2/2
  Verifying  : unixODBC-2.2.14-12.el6_3.x86_64                                              1/2
  Verifying  : libtool-ltdl-2.2.6-15.5.el6.x86_64                                           2/2

Installed:
  unixODBC.x86_64 0:2.2.14-12.el6_3

Dependency Installed:
  libtool-ltdl.x86_64 0:2.2.6-15.5.el6

Complete!
[root@grinnell tmp]#
}}}

Then install the downloaded RPMs in one transaction:

{{{
[root@grinnell tmp]# rpm -iv libcurl-openssl-7.30.0-1.1.el6.x86_64.rpm liblog4shib1-1.0.6-1.1.el6.x86_64.rpm libsaml8-2.5.2-1.1.el6.x86_64.rpm libxerces-c-3_1-3.1.1-2.4.el6.x86_64.rpm libxml-security-c17-1.7.0-1.3.el6.x86_64.rpm libxmltooling6-1.5.2-1.1.el6.x86_64.rpm opensaml-schemas-2.5.2-1.1.el6.x86_64.rpm shibboleth-2.5.1-1.2.el6.x86_64.rpm xmltooling-schemas-1.5.2-1.1.el6.x86_64.rpm
warning: libcurl-openssl-7.30.0-1.1.el6.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 7d0a1b3d: NOKEY
Preparing packages for installation...
libxerces-c-3_1-3.1.1-2.4.el6
libxml-security-c17-1.7.0-1.3.el6
liblog4shib1-1.0.6-1.1.el6
libcurl-openssl-7.30.0-1.1.el6
libxmltooling6-1.5.2-1.1.el6
libsaml8-2.5.2-1.1.el6
xmltooling-schemas-1.5.2-1.1.el6
opensaml-schemas-2.5.2-1.1.el6
shibboleth-2.5.1-1.2.el6
}}}

Note the NOKEY warning: rpm found a signature on the packages but did not have the repository's public key, so it could not verify them and installed them anyway. These files were fetched over plain HTTP and they are the SP that will be deciding who is logged in, so the signature is the only integrity check available. Before repeating this on another host, import the repository's signing key (rpm --import) and check every downloaded package with rpm -K; a result other than OK for each signature should stop the install.

== Configure Shibboleth ==

1. Add the metadata for the UA IdP to a new file called /etc/shibboleth/alaska-metadata.xml. It just needs to contain a single EntityDescriptor element for the UA IdP, which can be copied from the InCommon metadata and then wrapped in an EntitiesDescriptor element. Note that I would have simply referenced the InCommon metadata from the SP, but grinnell doesn't have access to connect to the InCommon site to retrieve it. Therefore, I created a local copy.

   Two things follow from using a static local copy. The InCommon signature covers the whole aggregate, not the one element copied out of it, so the SP cannot verify this file the way it would verify the live feed; copy the element only from an aggregate whose signature you have checked, and keep the file root-owned and writable by nobody else, because the signing certificate inside it is what the SP trusts for every assertion the IdP sends. And the file will not follow the IdP's key rollovers or endpoint changes, so it has to be refreshed by hand.

2. In the /etc/shibboleth/shibboleth2.xml file:

   a. Set the entityID of the SP, and add "bannerid" to the front of the REMOTE_USER attribute list. This is done so that REMOTE_USER gets set to the authenticated user's BannerID, which is then passed to Tomcat and available to the Grouper UI. Authentication in the Grouper UI will work if REMOTE_USER is either the subject id (which is the case here) or a subject identifier.

{{{
}}}

   b. Add the reference to the metadata file. Replace the following:

{{{
}}}

   .. with this:

{{{
}}}

   c. Add the entityID of the IdP. Replace the following:

{{{
SAML2 SAML1
}}}

   .. with this:

{{{
SAML2 SAML1
}}}

   d. Set handlerSSL="true" in the Sessions element. The SP's own handler URLs (the assertion consumer endpoints) will then only be served over HTTPS, so the Apache virtual host in front of them must be TLS-enabled.

3. In the /etc/shibboleth/attribute-map.xml file, add the mapping for the BannerID attribute. The id used here must match the name added to REMOTE_USER in step 2a, or REMOTE_USER will be empty.

{{{
}}}

4. Restart the SP:

{{{
[root@grinnell shibboleth]# /etc/init.d/shibd restart
Stopping shibd:                                            [  OK  ]
Starting shibd: /sbin/restorecon:  Warning no default label for /var/run/shibboleth/shibd.pid
                                                           [  OK  ]
}}}

== Configure Apache ==

1. Configure mod_proxy_ajp. Add the file /etc/httpd/conf.d/proxy_ajp.conf with the contents:

{{{
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

ProxyPass /grouper/ ajp://localhost:8009/grouper/
}}}

2. Add the following to the end of /etc/httpd/conf.d/shib.conf, in a container that covers the /grouper path that ProxyPass forwards to Tomcat, so that every proxied request requires a Shibboleth session. Anything proxied from outside the protected location would reach Tomcat with no session and no REMOTE_USER.

{{{
AuthType shibboleth
ShibRequestSetting requireSession 1
require valid-user
}}}

3. Restart Apache

{{{
[root@grinnell conf.d]# /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@grinnell conf.d]#
}}}

== Configure Tomcat ==

1. In the file /etc/tomcat6/server.xml, make sure the AJP connector listening on port 8009 is not commented out and that tomcatAuthentication is set to false on that Connector (in Tomcat 6 the attribute is tomcatAuthentication; the default of true makes Tomcat ignore the REMOTE_USER that Apache sends). With this set to false Tomcat accepts whatever principal its AJP peer asserts, so the connector must not be reachable by anything other than the local Apache: bind it to the loopback address with address="127.0.0.1" (or firewall port 8009). Any host that can open the port could otherwise log in to Grouper as any BannerID. The same applies to the HTTP connector on 8080 once the web.xml security constraints are removed below; if it stays enabled, bind it to loopback as well so nothing can reach the UI without going through Apache and Shibboleth.

{{{
}}}

2. Restart Tomcat

{{{
[root@grinnell tomcat6]# /etc/init.d/tomcat6 stop
Stopping tomcat6:                                          [  OK  ]
[root@grinnell tomcat6]# ps -ef | grep -i tomcat
root     18377  7627  0 09:21 pts/3    00:00:00 grep -i tomcat
[root@grinnell tomcat6]# /etc/init.d/tomcat6 start
Starting tomcat6:                                          [  OK  ]
}}}

== Install Grouper UI ==

1. Download and copy the UI to /tmp/ on grinnell. The tarball is located at http://www.internet2.edu/grouper/release/2.1.4/grouper.ui-2.1.4.tar.gz.

2. Extract into /srv/grouper/grouper.ui-2.1.4.

{{{
[root@grinnell grouper]# cd /srv/grouper
[root@grinnell grouper]# cp /tmp/grouper.ui-2.1.4.tar.gz .
[root@grinnell grouper]# gunzip grouper.ui-2.1.4.tar.gz
[root@grinnell grouper]# tar xf grouper.ui-2.1.4.tar
[root@grinnell grouper]# cd grouper.ui-2.1.4
[root@grinnell grouper.ui-2.1.4]#
}}}

3. Create build.properties (based on build.properties.template).

{{{
[root@grinnell grouper.ui-2.1.4]# cp build.properties.template build.properties
}}}

   And then set the property for grouper.folder:

{{{
grouper.folder=../grouper.api-2.1.4
}}}

   Finally, uncomment the property to use a local log4j configuration file.

{{{
use.local.log4j=true
}}}

4. Copy the log4j.properties file from the API install into the UI directory. Then customize it.

{{{
[root@grinnell grouper.ui-2.1.4]# cp /srv/grouper/grouper.api-2.1.4/conf/log4j.properties .
}}}

   As far as customizations go, for now just replace all instances of ${grouper.home} with /usr/share/tomcat6/. This is so that Grouper logs generated by the UI are placed in /usr/share/tomcat6/logs.

5. Set the following properties in conf/resources/grouper/nav.properties

{{{
member.sort.string0=Last name
#member.sort.string1=
}}}

6. Remove the security-constraint, login-config, and security-role elements from the file webapp/WEB-INF/web.core.xml. These are what made Tomcat prompt for a BASIC login against the @grouper.role@ role; with Shibboleth in front, the container must not authenticate at all, otherwise it would challenge the user a second time.

{{{
Tomcat login /login.do @grouper.role@
BASIC Grouper Application
The role that is required to log in to the Grouper UI @grouper.role@
}}}

7. Remove the security-constraint elements from the file webapp/WEB-INF/web.ajax.xml.

{{{
UI /grouperUi/app/* *
UI /grouperUi/appHtml/* *
UI /grouperExternal/app/* *
UI /grouperExternal/appHtml/* *
}}}

   Once steps 6 and 7 are done the web application no longer restricts any URL itself. Every request that reaches Tomcat is assumed to have been authenticated by Apache, so the Shibboleth location in shib.conf and the loopback-only connectors in server.xml are the only access control left in front of the UI.

8. Build the WAR file by simply running 'ant war'.

{{{
[root@grinnell grouper.ui-2.1.4]# ant war
Buildfile: build.xml

war:

dist:

-setup:
[propertyfile] Updating property file: /srv/grouper/grouper.ui-2.1.4/.lastbuild.properties
     [echo] In setup - do.clean = true cleanable=${webapp.folder.cleanable}

-doStop:

-doCleanWebappClassFolder:
     [echo] Removing /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/classes
   [delete] Deleting directory /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/classes

-doClean:
     [echo] Removing /srv/grouper/grouper.ui-2.1.4/dist/grouper
   [delete] Deleting directory /srv/grouper/grouper.ui-2.1.4/dist/grouper
   [delete] Deleting directory /srv/grouper/grouper.ui-2.1.4/dist
   [delete] Deleting directory /srv/grouper/grouper.ui-2.1.4/temp
    [mkdir] Created dir: /srv/grouper/grouper.ui-2.1.4/temp

-resources:
     [echo] In resources - Build folder = /srv/grouper/grouper.ui-2.1.4/dist/grouper

-dist-grouper:
     [echo] Creating /srv/grouper/grouper.ui-2.1.4/dist/grouper
    [mkdir] Created dir: /srv/grouper/grouper.ui-2.1.4/dist/grouper
    [mkdir] Created dir: /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/classes
    [mkdir] Created dir: /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/lib
     [echo] Copying Grouper configuration files to /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/classes
     [copy] Copying 24 files to /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/classes

-local-log4j:
     [copy] Copying 1 file to /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/classes

-fix-grouper-home:
     [echo] Attempting to replace grouper.home with /srv/grouper/grouper.ui-2.1.4/../grouper.api-2.1.4/
     [echo] Copying ui resources to /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/classes/resources
    [mkdir] Created dir: /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/classes/resources
     [copy] Copying 8 files to /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/classes/resources

-additional-build:

-optional-conf:

-webapp:
   [delete] Deleting directory /srv/grouper/grouper.ui-2.1.4/temp
    [mkdir] Created dir: /srv/grouper/grouper.ui-2.1.4/temp

-compileGrouper:
    [mkdir] Created dir: /srv/grouper/grouper.ui-2.1.4/temp/jarBin
    [javac] Compiling 264 source files to /srv/grouper/grouper.ui-2.1.4/temp/jarBin
    [javac] warning: [options] bootstrap class path not set in conjunction with -source 1.5
    [javac] Note: Some input files use or override a deprecated API.
    [javac] Note: Recompile with -Xlint:deprecation for details.
    [javac] Note: Some input files use unchecked or unsafe operations.
    [javac] Note: Recompile with -Xlint:unchecked for details.
    [javac] 1 warning
      [jar] Building jar: /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/lib/grouper-ui.jar

-additional-build:
     [copy] Copying 115 files to /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/lib
     [copy] Copying 5 files to /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/lib

-copyContent:
     [echo] Copying core UI files to /srv/grouper/grouper.ui-2.1.4/dist/grouper
     [copy] Copying 604 files to /srv/grouper/grouper.ui-2.1.4/dist/grouper
     [echo] Processing web.xml
     [copy] Copying 1 file to /srv/grouper/grouper.ui-2.1.4/temp
     [echo] web.xmls.isempty=:${web.xmls.isempty}:

-merge-xmls:
     [echo] temp.dir : /srv/grouper/grouper.ui-2.1.4/temp
     [echo] final.web.xmls : ${final.web.xmls}
     [echo] ui.folder : /srv/grouper/grouper.ui-2.1.4
     [echo] webapp.folder : /srv/grouper/grouper.ui-2.1.4/dist/grouper
     [copy] Copying 1 file to /srv/grouper/grouper.ui-2.1.4/temp
     [copy] Copying 1 file to /srv/grouper/grouper.ui-2.1.4/temp
     [echo] Transforming: /srv/grouper/grouper.ui-2.1.4/temp/50.web.core.xml
     [echo] /srv/grouper/grouper.ui-2.1.4/temp/60.web.ajax.xml
     [echo] /srv/grouper/grouper.ui-2.1.4/temp/99.web.core-filters.xml
     [echo]
     [echo]
     [echo] Base = /srv/grouper/grouper.ui-2.1.4/temp/50.web.core.xml
     [echo] + /srv/grouper/grouper.ui-2.1.4/temp/60.web.ajax.xml
     [echo] -> /srv/grouper/grouper.ui-2.1.4/temp/web.1.xml
     [echo]
     [echo] Base = /srv/grouper/grouper.ui-2.1.4/temp/web.1.xml
     [echo] + /srv/grouper/grouper.ui-2.1.4/temp/99.web.core-filters.xml
     [echo] -> /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/web.xml
     [echo] Result: 0

-copy-core-web-xml:

-copyContextXmlToMetaInf:
     [copy] Copying 1 file to /srv/grouper/grouper.ui-2.1.4/dist/grouper/META-INF

-copyContextXmlToTomcat:

-html:

-war:
     [echo] Creating /srv/grouper/grouper.ui-2.1.4/dist/grouper.war
      [jar] Building jar: /srv/grouper/grouper.ui-2.1.4/dist/grouper.war

-web:
     [echo] ****************************************************
     [echo] ** The Grouper UI will fail to start if the user  **
     [echo] ** which your application server runs as does not **
     [echo] ** have permission to write to the log files that **
     [echo] ** are configured in log4j.properties. See        **
     [echo] ** build.properties for more information          **
     [echo] ****************************************************

BUILD SUCCESSFUL
Total time: 44 seconds
}}}

9. Copy the WAR to Tomcat.

{{{
[root@grinnell grouper.ui-2.1.4]# cp /srv/grouper/grouper.ui-2.1.4/dist/grouper.war /usr/share/tomcat6/webapps/
}}}

10. Restart Tomcat

{{{
[root@grinnell tomcat6]# /etc/init.d/tomcat6 stop
Stopping tomcat6:                                          [  OK  ]
[root@grinnell tomcat6]# ps -ef | grep -i tomcat
root     18377  7627  0 09:21 pts/3    00:00:00 grep -i tomcat
[root@grinnell tomcat6]# /etc/init.d/tomcat6 start
Starting tomcat6:                                          [  OK  ]
}}}
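The alaska-metadata.xml step in Configure Shibboleth (step 1) is done by hand above. The script below is an added example, not part of the original page or of the Shibboleth or Grouper projects, that does the same extraction mechanically and refuses anything that is not a usable IdP entry: it pulls exactly one EntityDescriptor out of an aggregate by entityID, checks that it is an IdP and carries a signing certificate, and wraps it in a bare EntitiesDescriptor. The aggregate it runs on is constructed here to stand in for the InCommon file, and the entityIDs and certificate in it are placeholders, not the UA IdP's values. It does not verify the aggregate's XML signature; that has to be done on the file before anything is copied out of it, because the copy carries no signature of its own.

```python
"""Extract one IdP's EntityDescriptor from a SAML metadata aggregate and wrap
it in an EntitiesDescriptor, the way alaska-metadata.xml is built above.
Added example; the aggregate below is constructed and every entityID and
certificate in it is a placeholder."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# Constructed two-entity aggregate standing in for the InCommon metadata file.
SAMPLE_AGGREGATE = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:example:aggregate">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>MIIB...placeholder-not-a-real-certificate...</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def extract_idp(aggregate_xml: str, entity_id: str) -> str:
    """Return an EntitiesDescriptor document holding only the named IdP.

    Raises ValueError when the entityID is missing or ambiguous, when the
    entity has no IDPSSODescriptor, or when it carries no X509 certificate
    (without one the SP could not validate anything the IdP signs).
    """
    root = ET.fromstring(aggregate_xml)
    matches = [
        e for e in root.iter(f"{{{MD_NS}}}EntityDescriptor")
        if e.get("entityID") == entity_id
    ]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one entity {entity_id!r}, found {len(matches)}")
    entity = matches[0]
    if entity.find(f"{{{MD_NS}}}IDPSSODescriptor") is None:
        raise ValueError(f"{entity_id!r} is not an IdP (no IDPSSODescriptor)")
    if entity.find(f".//{{{DS_NS}}}X509Certificate") is None:
        raise ValueError(f"{entity_id!r} carries no X509Certificate")
    # A bare wrapper, as the hand-made alaska-metadata.xml has: one entity,
    # no aggregate-level Name, validUntil or Signature.
    wrapper = ET.Element(f"{{{MD_NS}}}EntitiesDescriptor")
    wrapper.append(entity)
    return ET.tostring(wrapper, encoding="unicode")


if __name__ == "__main__":
    print(extract_idp(SAMPLE_AGGREGATE, "https://idp.example.edu/idp/shibboleth"))
```

Run it against the real aggregate only after checking the aggregate's signature, then write the output to /etc/shibboleth/alaska-metadata.xml with root ownership and no group or world write access.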
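The Configure Apache and Configure Tomcat steps rest on one assumption: only the local Apache, after mod_shib has authenticated the user, can talk to Tomcat. The audit below is an added example, not from the original page or from Tomcat or Grouper, that reads a Tomcat 6 server.xml and reports the Connector settings that break that assumption: an AJP connector with tomcatAuthentication="false" that is reachable from more than loopback (anyone who can open the port can assert any REMOTE_USER), an AJP connector that still has the default tomcatAuthentication="true" (Tomcat then discards the BannerID Apache sends), and any other connector reachable from off the host (with the web.xml security constraints removed, that is a path around Apache and Shibboleth altogether). Both server.xml fragments are constructed; the weak one has the shape of a stock tomcat6 file after only the edit the page describes, the hardened one binds both connectors to 127.0.0.1 with the Connector address attribute.

```python
"""Audit Tomcat 6 server.xml Connector elements for the trust assumptions
behind the mod_proxy_ajp + REMOTE_USER setup. Added example; both server.xml
fragments are constructed, not copied from grinnell."""
import xml.etree.ElementTree as ET

# Addresses that keep a connector reachable only from the same host.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed: AJP uncommented and tomcatAuthentication set to false,
# nothing else changed, so both connectors listen on every interface.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>"""

# Constructed: the same file with both connectors bound to loopback, so only
# the local Apache can reach Tomcat and only it can assert a REMOTE_USER.
HARDENED_SERVER_XML = WEAK_SERVER_XML.replace(
    'port="8080" protocol="HTTP/1.1"',
    'port="8080" protocol="HTTP/1.1" address="127.0.0.1"',
).replace(
    'port="8009" protocol="AJP/1.3"',
    'port="8009" protocol="AJP/1.3" address="127.0.0.1"',
)


def audit_connectors(server_xml: str) -> list[tuple[str, str]]:
    """Return (code, message) findings; an empty list means nothing to fix."""
    root = ET.fromstring(server_xml)
    findings: list[tuple[str, str]] = []
    connectors = list(root.iter("Connector"))
    ajp = [c for c in connectors
           if c.get("protocol", "HTTP/1.1").upper().startswith("AJP")]
    if not ajp:
        findings.append(("NO_AJP",
                         "no AJP connector: ProxyPass ajp://localhost:8009/ has nothing to talk to"))
    for c in connectors:
        port = c.get("port")
        address = c.get("address")            # absent means every interface
        local_only = address in LOOPBACK
        where = address or "all interfaces"
        if c in ajp:
            # Tomcat 6 defaults tomcatAuthentication to true, in which case
            # the REMOTE_USER carried in the AJP request is ignored.
            delegated = c.get("tomcatAuthentication", "true").lower() == "false"
            if not delegated:
                findings.append(("AUTH_NOT_DELEGATED",
                                 f"AJP {port}: tomcatAuthentication is not false; "
                                 "REMOTE_USER from mod_shib is discarded"))
            elif not local_only:
                findings.append(("SPOOFABLE_REMOTE_USER",
                                 f"AJP {port}: reachable from {where} with "
                                 "tomcatAuthentication=false; any client that can open "
                                 "the port can assert any BannerID"))
        elif not local_only:
            # With the web.xml security-constraints removed, a reachable HTTP
            # connector lets clients bypass Apache and Shibboleth entirely.
            findings.append(("BYPASS_CONNECTOR",
                             f"{c.get('protocol')} {port}: reachable from {where} "
                             "without passing through Apache"))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_connectors(xml_text) or "clean")
```

Point it at /etc/tomcat6/server.xml on the real host by passing the file contents to audit_connectors; a clean result still leaves the Apache side to check, namely that the Shibboleth location covers everything ProxyPass forwards.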