wiki:GrouperUIInstall

Version 8 (modified by uaguest_SPatel1@…, 11 years ago)

Install Shibboleth

Since grinnell doesn't have access to any repositories with the Shibboleth RPMs, I manually downloaded the RPMs from here: http://download.opensuse.org/repositories/security://shibboleth/RHEL_6/x86_64/.

libcurl-openssl-7.30.0-1.1.el6.x86_64.rpm

liblog4shib1-1.0.6-1.1.el6.x86_64.rpm

libsaml8-2.5.2-1.1.el6.x86_64.rpm

libxerces-c-3_1-3.1.1-2.4.el6.x86_64.rpm

libxml-security-c17-1.7.0-1.3.el6.x86_64.rpm

libxmltooling6-1.5.2-1.1.el6.x86_64.rpm

opensaml-schemas-2.5.2-1.1.el6.x86_64.rpm

shibboleth-2.5.1-1.2.el6.x86_64.rpm

xmltooling-schemas-1.5.2-1.1.el6.x86_64.rpm

Note that unixODBC was a dependency that I installed via yum. It had another dependency that was installed automatically.

[root@grinnell tmp]# yum install unixODBC
Loaded plugins: product-id, rhnplugin, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
This system is receiving updates from RHN Classic or RHN Satellite.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package unixODBC.x86_64 0:2.2.14-12.el6_3 will be installed
--> Processing Dependency: libltdl.so.7()(64bit) for package: unixODBC-2.2.14-12.el6_3.x86_64
--> Running transaction check
---> Package libtool-ltdl.x86_64 0:2.2.6-15.5.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=========================================================================================================
 Package                Arch             Version                    Repository                      Size
=========================================================================================================
Installing:
 unixODBC               x86_64           2.2.14-12.el6_3            rhel-x86_64-server-6           378 k
Installing for dependencies:
 libtool-ltdl           x86_64           2.2.6-15.5.el6             rhel-x86_64-server-6            44 k

Transaction Summary
=========================================================================================================
Install       2 Package(s)

Total download size: 422 k
Installed size: 0
Is this ok [y/N]: y
Downloading Packages:
(1/2): libtool-ltdl-2.2.6-15.5.el6.x86_64.rpm                                                        |  44 kB     00:00
(2/2): unixODBC-2.2.14-12.el6_3.x86_64.rpm                                                           | 378 kB     00:00
----------------------------------------------------------------------------------------------------------------------------
Total                                                                                       1.9 MB/s | 422 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : libtool-ltdl-2.2.6-15.5.el6.x86_64                                                                       1/2
  Installing : unixODBC-2.2.14-12.el6_3.x86_64                                                                          2/2
  Verifying  : unixODBC-2.2.14-12.el6_3.x86_64                                                                          1/2
  Verifying  : libtool-ltdl-2.2.6-15.5.el6.x86_64                                                                       2/2

Installed:
  unixODBC.x86_64 0:2.2.14-12.el6_3

Dependency Installed:
  libtool-ltdl.x86_64 0:2.2.6-15.5.el6

Complete!
[root@grinnell tmp]#
[root@grinnell tmp]#
[root@grinnell tmp]#
[root@grinnell tmp]#
[root@grinnell tmp]# rpm -iv libcurl-openssl-7.30.0-1.1.el6.x86_64.rpm liblog4shib1-1.0.6-1.1.el6.x86_64.rpm libsaml8-2.5.2-1.1.el6.x86_64.rpm libxerces-c-3_1-3.1.1-2.4.el6.x86_64.rpm libxml-security-c17-1.7.0-1.3.el6.x86_64.rpm libxmltooling6-1.5.2-1.1.el6.x86_64.rpm opensaml-schemas-2.5.2-1.1.el6.x86_64.rpm shibboleth-2.5.1-1.2.el6.x86_64.rpm xmltooling-schemas-1.5.2-1.1.el6.x86_64.rpm
warning: libcurl-openssl-7.30.0-1.1.el6.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 7d0a1b3d: NOKEY
Preparing packages for installation...
libxerces-c-3_1-3.1.1-2.4.el6
libxml-security-c17-1.7.0-1.3.el6
liblog4shib1-1.0.6-1.1.el6
libcurl-openssl-7.30.0-1.1.el6
libxmltooling6-1.5.2-1.1.el6
libsaml8-2.5.2-1.1.el6
xmltooling-schemas-1.5.2-1.1.el6
opensaml-schemas-2.5.2-1.1.el6
shibboleth-2.5.1-1.2.el6

Configure Shibboleth

  1. Add the metadata for the UA IdP to a new file called /etc/shibboleth/alaska-metadata.xml. It only needs to contain the single EntityDescriptor element for the UA IdP, which can be copied from the InCommon metadata and then wrapped in an EntitiesDescriptor element. Note that I would have simply referenced the InCommon metadata from the SP, but grinnell can't connect to the InCommon site to retrieve it. Therefore, I created a local copy.
  1. In the /etc/shibboleth/shibboleth2.xml file:
  1. Set the entityID of the SP and add "bannerid" to the front of the REMOTE_USER values. This is done so that REMOTE_USER gets set to the authenticated user's BannerID, which then gets passed to Tomcat and made available to the Grouper UI. Authentication in the Grouper UI will work if REMOTE_USER is either the subject id (which is the case here) or a subject identifier.
    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
    <ApplicationDefaults entityID="https://grinnell.alaska.edu/shibboleth"
                         REMOTE_USER="bannerid eppn persistent-id targeted-id">
  1. Add the reference to the metadata file. Replace the following:
        <!-- Example of locally maintained metadata. -->
        <!--
        <MetadataProvider type="XML" file="partner-metadata.xml"/>
        -->

.. with this:

        <MetadataProvider type="XML" file="alaska-metadata.xml"/>
  1. Add the entityID of the IdP. Replace the following:
            <SSO entityID="https://idp.example.org/idp/shibboleth"
                 discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
              SAML2 SAML1
            </SSO>

.. with this:

            <SSO entityID="urn:mace:incommon:alaska.edu"
                 discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
              SAML2 SAML1
            </SSO>
  1. In the /etc/shibboleth/attribute-map.xml file, add the mapping for the BannerID attribute.
    <Attribute name="urn:mace:alaska.edu:attributes:bannerid" id="bannerid" />
  1. Restart the SP:
[root@grinnell shibboleth]# /etc/init.d/shibd restart
Stopping shibd:                                            [  OK  ]
Starting shibd: /sbin/restorecon:  Warning no default label for /var/run/shibboleth/shibd.pid
                                                           [  OK  ]
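
Step 1 above, as an added example that is not part of the original page: Python code that pulls the one EntityDescriptor for the UA IdP out of a metadata aggregate, checks that it carries a signing certificate, and wraps it in an EntitiesDescriptor for alaska-metadata.xml. The aggregate is a constructed sample with a placeholder certificate, and the function name extract_idp is hypothetical.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)   # keep the conventional prefixes on output
ET.register_namespace("ds", DS)

# Constructed, trimmed stand-in for the InCommon aggregate; the certificate is a placeholder.
SAMPLE_AGGREGATE = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" Name="constructed-sample">
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="urn:mace:incommon:alaska.edu">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                              Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def extract_idp(aggregate_xml, entity_id):
    """Return a one-entity EntitiesDescriptor document for entity_id."""
    root = ET.fromstring(aggregate_xml)
    found = [e for e in root.iter(f"{{{MD}}}EntityDescriptor")
             if e.get("entityID") == entity_id]
    if len(found) != 1:
        raise ValueError(f"expected exactly one {entity_id}, found {len(found)}")
    entity = found[0]
    idp = entity.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError(f"{entity_id} has no IDPSSODescriptor, so it is not an IdP")
    # The SP checks the IdP's signatures against these keys; refuse a copy without one.
    signing = [k for k in idp.findall(f"{{{MD}}}KeyDescriptor")
               if k.get("use") in (None, "signing")
               and k.find(f".//{{{DS}}}X509Certificate") is not None]
    if not signing:
        raise ValueError(f"{entity_id} has no signing certificate in the metadata")
    wrapper = ET.Element(f"{{{MD}}}EntitiesDescriptor")
    wrapper.append(entity)
    return ET.tostring(wrapper, encoding="unicode")


if __name__ == "__main__":
    print(extract_idp(SAMPLE_AGGREGATE, "urn:mace:incommon:alaska.edu"))
```

The aggregate's signature does not carry over to the extracted file, and a hand-copied file is not refreshed, so a change of the IdP's signing key has to be copied over again.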

Configure Apache

  1. Configure mod_proxy_ajp. Add the file /etc/httpd/conf.d/proxy_ajp.conf with the contents:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

ProxyPass /grouper/ ajp://localhost:8009/grouper/
  1. Add the following to the end of /etc/httpd/conf.d/shib.conf to require Shibboleth authentication:
<Location />
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require valid-user
</Location>
  1. Restart Apache
[root@grinnell conf.d]# /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@grinnell conf.d]#

Configure Tomcat

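  1. In the file /etc/tomcat6/server.xml, make sure the AJP connector listening on port 8009 is not commented out and make sure request.tomcatAuthentication is set to false, so that Tomcat accepts the REMOTE_USER value passed from Apache over AJP instead of performing its own authentication.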
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" request.tomcatAuthentication="false" />
  1. Restart Tomcat
[root@grinnell tomcat6]# /etc/init.d/tomcat6 stop
Stopping tomcat6:                                          [  OK  ]
[root@grinnell tomcat6]# ps -ef | grep -i tomcat
root     18377  7627  0 09:21 pts/3    00:00:00 grep -i tomcat
[root@grinnell tomcat6]# /etc/init.d/tomcat6 start
Starting tomcat6:                                          [  OK  ]
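
With request.tomcatAuthentication="false" set here and the container's security-constraint elements removed further down this page, Tomcat accepts whatever user name arrives over AJP, so port 8009 must be reachable only from the local Apache. Added example (not part of the original page): a check that flags such a connector when it is not bound to loopback. The server.xml fragments are constructed, the function names are hypothetical, and it relies on Tomcat 6 binding a connector without an address attribute to all interfaces.

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed server.xml fragments: the connector as configured on this page,
# and the same connector bound to loopback.
AS_ON_PAGE = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
             request.tomcatAuthentication="false"/>
</Service></Server>"""
LOOPBACK_ONLY = AS_ON_PAGE.replace('port="8009"', 'port="8009" address="127.0.0.1"')


def trusts_front_end(connector):
    """True when Tomcat takes the user from the web server instead of authenticating."""
    for attr in ("tomcatAuthentication", "request.tomcatAuthentication"):
        if connector.get(attr, "true").strip().lower() == "false":
            return True
    return False


def audit_ajp(server_xml):
    """Return (port, problem) for each AJP connector that accepts a forwarded
    user name from any host able to reach the port."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # Simplification: any protocol value containing "ajp" counts as AJP.
        if "ajp" not in conn.get("protocol", "").lower():
            continue
        address = conn.get("address")
        if trusts_front_end(conn) and address not in LOOPBACK:
            where = address or "all interfaces"
            findings.append((conn.get("port"),
                             f"forwarded REMOTE_USER accepted on {where}; "
                             'set address="127.0.0.1" or firewall the port'))
    return findings


if __name__ == "__main__":
    for name, xml in (("as on page", AS_ON_PAGE), ("loopback only", LOOPBACK_ONLY)):
        print(name, audit_ajp(xml) or "ok")
```

The ProxyPass line in proxy_ajp.conf already targets ajp://localhost:8009, so binding the connector to 127.0.0.1 does not change how Apache reaches it.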

Install Grouper UI

  1. Download and copy the UI to /tmp/ on grinnell. The tarball is located at http://www.internet2.edu/grouper/release/2.1.4/grouper.ui-2.1.4.tar.gz.
  1. Extract into /srv/grouper/grouper.ui-2.1.4.
[root@grinnell grouper]# cd /srv/grouper
[root@grinnell grouper]# cp /tmp/grouper.ui-2.1.4.tar.gz .
[root@grinnell grouper]# gunzip grouper.ui-2.1.4.tar.gz
[root@grinnell grouper]# tar xf grouper.ui-2.1.4.tar
[root@grinnell grouper]# cd grouper.ui-2.1.4
[root@grinnell grouper.ui-2.1.4]#
  1. Create build.properties (based on build.properties.template).
[root@grinnell grouper.ui-2.1.4]# cp build.properties.template build.properties

And then set the property for grouper.folder:

grouper.folder=../grouper.api-2.1.4

Finally, uncomment the property to use a local log4j configuration file.

use.local.log4j=true
  1. Copy the log4j.properties file from the API install into the UI directory. Then customize it.
[root@grinnell grouper.ui-2.1.4]# cp /srv/grouper/grouper.api-2.1.4/conf/log4j.properties .

As far as customizations go, for now just replace all instances of ${grouper.home} with /usr/share/tomcat6/. This is so that Grouper logs generated by the UI are placed in /usr/share/tomcat6/logs.

  1. Set the following properties in conf/resources/grouper/nav.properties:
member.sort.string0=Last name
#member.sort.string1=
  1. Remove the security-constraint, login-config, and security-role elements from the file webapp/WEB-INF/web.core.xml.
   <security-constraint>
    <web-resource-collection>
      <web-resource-name>Tomcat login</web-resource-name>
      <url-pattern>/login.do</url-pattern>
    </web-resource-collection>
    <auth-constraint>
       <!-- NOTE:  This role is not present in the default users file -->
       <role-name>@grouper.role@</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Define the Login Configuration for this Application -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Grouper Application</realm-name>
  </login-config>

  <!-- Security roles referenced by this web application -->
  <security-role>
    <description>
      The role that is required to log in to the Grouper UI
    </description>
    <role-name>@grouper.role@</role-name>
  </security-role>
  1. Remove the security-constraint elements from the file webapp/WEB-INF/web.ajax.xml.
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>UI</web-resource-name>
      <url-pattern>/grouperUi/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>UI</web-resource-name>
      <url-pattern>/grouperUi/appHtml/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>UI</web-resource-name>
      <url-pattern>/grouperExternal/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>UI</web-resource-name>
      <url-pattern>/grouperExternal/appHtml/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  1. Build the WAR file by simply running 'ant war'.
[root@grinnell grouper.ui-2.1.4]# ant war
Buildfile: build.xml

war:

dist:

-setup:

-choose-webapp:
[propertyfile] Updating property file: /srv/grouper/grouper.ui-2.1.4/.lastbuild.properties
     [echo] In setup - do.clean = true   cleanable=${webapp.folder.cleanable}

-doStop:

-doCleanWebappClassFolder:
     [echo] Removing  /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/classes
   [delete] Deleting directory /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/classes

-doClean:
     [echo] Removing  /srv/grouper/grouper.ui-2.1.4/dist/grouper
   [delete] Deleting directory /srv/grouper/grouper.ui-2.1.4/dist/grouper
   [delete] Deleting directory /srv/grouper/grouper.ui-2.1.4/dist
   [delete] Deleting directory /srv/grouper/grouper.ui-2.1.4/temp
    [mkdir] Created dir: /srv/grouper/grouper.ui-2.1.4/temp

-resources:
     [echo] In resources - Build folder = /srv/grouper/grouper.ui-2.1.4/dist/grouper

-dist-grouper:
     [echo] Creating  /srv/grouper/grouper.ui-2.1.4/dist/grouper
    [mkdir] Created dir: /srv/grouper/grouper.ui-2.1.4/dist/grouper
    [mkdir] Created dir: /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/classes
    [mkdir] Created dir: /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/lib
     [echo] Copying Grouper configuration files to /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/classes
     [copy] Copying 24 files to /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/classes

-local-log4j:
     [copy] Copying 1 file to /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/classes

-fix-grouper-home:
     [echo] Attempting to replace grouper.home with /srv/grouper/grouper.ui-2.1.4/../grouper.api-2.1.4/
     [echo] Copying ui resources to /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/classes/resources
    [mkdir] Created dir: /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/classes/resources
     [copy] Copying 8 files to /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/classes/resources

-additional-build:

-optional-conf:

-webapp:
   [delete] Deleting directory /srv/grouper/grouper.ui-2.1.4/temp
    [mkdir] Created dir: /srv/grouper/grouper.ui-2.1.4/temp

-compileGrouper:
    [mkdir] Created dir: /srv/grouper/grouper.ui-2.1.4/temp/jarBin
    [javac] Compiling 264 source files to /srv/grouper/grouper.ui-2.1.4/temp/jarBin
    [javac] warning: [options] bootstrap class path not set in conjunction with -source 1.5
    [javac] Note: Some input files use or override a deprecated API.
    [javac] Note: Recompile with -Xlint:deprecation for details.
    [javac] Note: Some input files use unchecked or unsafe operations.
    [javac] Note: Recompile with -Xlint:unchecked for details.
    [javac] 1 warning
      [jar] Building jar: /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/lib/grouper-ui.jar

-additional-build:
     [copy] Copying 115 files to /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/lib
     [copy] Copying 5 files to /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/lib

-copyContent:
     [echo] Copying core UI files to /srv/grouper/grouper.ui-2.1.4/dist/grouper
     [copy] Copying 604 files to /srv/grouper/grouper.ui-2.1.4/dist/grouper
     [echo] Processing web.xml
     [copy] Copying 1 file to /srv/grouper/grouper.ui-2.1.4/temp
     [echo] web.xmls.isempty=:${web.xmls.isempty}:

-merge-xmls:
     [echo] temp.dir : /srv/grouper/grouper.ui-2.1.4/temp
     [echo] final.web.xmls : ${final.web.xmls}
     [echo] ui.folder : /srv/grouper/grouper.ui-2.1.4
     [echo] webapp.folder : /srv/grouper/grouper.ui-2.1.4/dist/grouper
     [copy] Copying 1 file to /srv/grouper/grouper.ui-2.1.4/temp
     [copy] Copying 1 file to /srv/grouper/grouper.ui-2.1.4/temp
     [echo] Transforming: /srv/grouper/grouper.ui-2.1.4/temp/50.web.core.xml
     [echo] /srv/grouper/grouper.ui-2.1.4/temp/60.web.ajax.xml
     [echo] /srv/grouper/grouper.ui-2.1.4/temp/99.web.core-filters.xml
     [echo]
     [echo]
     [echo] Base = /srv/grouper/grouper.ui-2.1.4/temp/50.web.core.xml
     [echo]  + /srv/grouper/grouper.ui-2.1.4/temp/60.web.ajax.xml
     [echo]  -> /srv/grouper/grouper.ui-2.1.4/temp/web.1.xml
     [echo]
     [echo] Base = /srv/grouper/grouper.ui-2.1.4/temp/web.1.xml
     [echo]  + /srv/grouper/grouper.ui-2.1.4/temp/99.web.core-filters.xml
     [echo]  -> /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/web.xml
     [echo] Result: 0

-copy-core-web-xml:

-copyContextXmlToMetaInf:
     [copy] Copying 1 file to /srv/grouper/grouper.ui-2.1.4/dist/grouper/META-INF

-copyContextXmlToTomcat:

-html:

-war:
     [echo] Creating /srv/grouper/grouper.ui-2.1.4/dist/grouper.war
      [jar] Building jar: /srv/grouper/grouper.ui-2.1.4/dist/grouper.war

-web:
     [echo] ****************************************************
     [echo] ** The Grouper UI will fail to start if the user  **
     [echo] ** which your application server runs as does not **
     [echo] ** have permission to write to the log files that **
     [echo] ** are configured in log4j.properties. See        **
     [echo] ** build.properties for more information          **
     [echo] ****************************************************

BUILD SUCCESSFUL
Total time: 44 seconds
  1. Copy WAR to Tomcat.
[root@grinnell grouper.ui-2.1.4]# cp /srv/grouper/grouper.ui-2.1.4/dist/grouper.war /usr/share/tomcat6/webapps/
  1. Restart Tomcat
[root@grinnell tomcat6]# /etc/init.d/tomcat6 stop
Stopping tomcat6:                                          [  OK  ]
[root@grinnell tomcat6]# ps -ef | grep -i tomcat
root     18377  7627  0 09:21 pts/3    00:00:00 grep -i tomcat
[root@grinnell tomcat6]# /etc/init.d/tomcat6 start
Starting tomcat6:                                          [  OK  ]