Version 9 (modified by uaguest_SPatel1@…, 11 years ago)
Install Shibboleth
Since grinnell doesn't have access to any repository carrying the Shibboleth RPMs, I downloaded them manually from http://download.opensuse.org/repositories/security://shibboleth/RHEL_6/x86_64/ . Note that installing downloaded files with rpm -i bypasses the signature check yum performs against a configured repository: the NOKEY warning in the rpm output below shows that the packages' signatures were not verified, because the repository signing key (key ID 7d0a1b3d) had not been imported. The packages installed were:
libcurl-openssl-7.30.0-1.1.el6.x86_64.rpm
liblog4shib1-1.0.6-1.1.el6.x86_64.rpm
libsaml8-2.5.2-1.1.el6.x86_64.rpm
libxerces-c-3_1-3.1.1-2.4.el6.x86_64.rpm
libxml-security-c17-1.7.0-1.3.el6.x86_64.rpm
libxmltooling6-1.5.2-1.1.el6.x86_64.rpm
opensaml-schemas-2.5.2-1.1.el6.x86_64.rpm
shibboleth-2.5.1-1.2.el6.x86_64.rpm
xmltooling-schemas-1.5.2-1.1.el6.x86_64.rpm
unixODBC is a dependency of the Shibboleth packages, so it was installed via yum first; yum pulled in its own dependency (libtool-ltdl) automatically.
[root@grinnell tmp]# yum install unixODBC
Loaded plugins: product-id, rhnplugin, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
This system is receiving updates from RHN Classic or RHN Satellite.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package unixODBC.x86_64 0:2.2.14-12.el6_3 will be installed
--> Processing Dependency: libltdl.so.7()(64bit) for package: unixODBC-2.2.14-12.el6_3.x86_64
--> Running transaction check
---> Package libtool-ltdl.x86_64 0:2.2.6-15.5.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=========================================================================================================
 Package            Arch         Version                 Repository                   Size
=========================================================================================================
Installing:
 unixODBC           x86_64       2.2.14-12.el6_3         rhel-x86_64-server-6        378 k
Installing for dependencies:
 libtool-ltdl       x86_64       2.2.6-15.5.el6          rhel-x86_64-server-6         44 k

Transaction Summary
=========================================================================================================
Install       2 Package(s)

Total download size: 422 k
Installed size: 0
Is this ok [y/N]: y
Downloading Packages:
(1/2): libtool-ltdl-2.2.6-15.5.el6.x86_64.rpm                        |  44 kB     00:00
(2/2): unixODBC-2.2.14-12.el6_3.x86_64.rpm                           | 378 kB     00:00
----------------------------------------------------------------------------------------------------------------------------
Total                                                       1.9 MB/s | 422 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : libtool-ltdl-2.2.6-15.5.el6.x86_64                                       1/2
  Installing : unixODBC-2.2.14-12.el6_3.x86_64                                          2/2
  Verifying  : unixODBC-2.2.14-12.el6_3.x86_64                                          1/2
  Verifying  : libtool-ltdl-2.2.6-15.5.el6.x86_64                                       2/2

Installed:
  unixODBC.x86_64 0:2.2.14-12.el6_3

Dependency Installed:
  libtool-ltdl.x86_64 0:2.2.6-15.5.el6

Complete!
[root@grinnell tmp]# rpm -iv libcurl-openssl-7.30.0-1.1.el6.x86_64.rpm liblog4shib1-1.0.6-1.1.el6.x86_64.rpm libsaml8-2.5.2-1.1.el6.x86_64.rpm libxerces-c-3_1-3.1.1-2.4.el6.x86_64.rpm libxml-security-c17-1.7.0-1.3.el6.x86_64.rpm libxmltooling6-1.5.2-1.1.el6.x86_64.rpm opensaml-schemas-2.5.2-1.1.el6.x86_64.rpm shibboleth-2.5.1-1.2.el6.x86_64.rpm xmltooling-schemas-1.5.2-1.1.el6.x86_64.rpm
warning: libcurl-openssl-7.30.0-1.1.el6.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 7d0a1b3d: NOKEY
Preparing packages for installation...
libxerces-c-3_1-3.1.1-2.4.el6
libxml-security-c17-1.7.0-1.3.el6
liblog4shib1-1.0.6-1.1.el6
libcurl-openssl-7.30.0-1.1.el6
libxmltooling6-1.5.2-1.1.el6
libsaml8-2.5.2-1.1.el6
xmltooling-schemas-1.5.2-1.1.el6
opensaml-schemas-2.5.2-1.1.el6
shibboleth-2.5.1-1.2.el6
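The transcript above installed the hand-downloaded RPMs straight through the "Header V3 DSA/SHA1 Signature, key ID 7d0a1b3d: NOKEY" warning, i.e. rpm had no public key to verify them against and installed anyway. The script below is an added example (not part of the original page) of how to do that step with the check in place: import the repository signing key, refuse to install unless every package verifies, and show the key so its fingerprint can be compared with what the project publishes. The key location under repodata/ (the usual OBS layout) and the parser of `rpm -K` output are this example's assumptions; the key ID and file names are the page's.

```shell
#!/bin/sh
# Added example, not from the original page: verify the downloaded Shibboleth
# RPMs before `rpm -iv` instead of installing through a NOKEY warning.
# Assumption: the repository serves its signing key at $KEY_URL (standard OBS
# repodata layout). Check the key's fingerprint out of band before trusting it.

REPO_BASE="http://download.opensuse.org/repositories/security://shibboleth/RHEL_6"
KEY_URL="$REPO_BASE/repodata/repomd.xml.key"

# rpm_sigs_all_ok: reads `rpm -K` (--checksig) output on stdin.
# Returns 0 only if every line reports a verified *signature*; a line that ends
# in " OK" but carries only digests ("sha1 md5 OK") is an unsigned package and
# is rejected too. Token names follow rpm 4.8 (RHEL 6: "gpg"), rpm 4.11
# ("pgp") and newer rpm ("signatures").
rpm_sigs_all_ok() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            '') ;;
            *"NOT OK"*|*NOKEY*|*"MISSING KEYS"*)
                echo "FAIL: $line" >&2; bad=1 ;;
            *" OK")
                if ! printf '%s\n' "$line" | grep -qiE 'gpg|pgp|signatures'; then
                    echo "FAIL (digests only, no signature): $line" >&2; bad=1
                fi ;;
            *)
                echo "FAIL (unrecognised rpm -K line): $line" >&2; bad=1 ;;
        esac
    done
    return $bad
}

# verify_then_install RPM...: import the key, verify every package, only then install.
verify_then_install() {
    rpm --import "$KEY_URL" || { echo "could not import signing key from $KEY_URL" >&2; return 1; }
    # Show the imported key (gpg-pubkey-7d0a1b3d is the key ID from the NOKEY
    # warning); compare its fingerprint with the project's published value.
    rpm -qi gpg-pubkey-7d0a1b3d 2>/dev/null || rpm -qa 'gpg-pubkey*'
    rpm -K "$@" | rpm_sigs_all_ok \
        || { echo "refusing to install: at least one package did not verify" >&2; return 1; }
    rpm -iv "$@"
}

# Offline demonstration on constructed lines in the rpm 4.8 output format.
# On grinnell the real call would be:  verify_then_install /tmp/*.el6.x86_64.rpm
printf '%s\n' \
  'shibboleth-2.5.1-1.2.el6.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK' \
  'libcurl-openssl-7.30.0-1.1.el6.x86_64.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#7d0a1b3d)' \
  | rpm_sigs_all_ok || echo "sample run: at least one package did not verify"
```

The signature-token check matters because `rpm -K` prints "OK" for an unsigned package whose digests merely match, so grepping for "OK" alone would wave through a package nobody signed.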
Configure Shibboleth
- Add the metadata for the UA IdP to a new file called /etc/shibboleth/alaska-metadata.xml. It just needs to contain the single EntityDescriptor element for the UA IdP, which can be copied from the InCommon metadata and wrapped in an EntitiesDescriptor element. Note that I would have simply referenced the InCommon metadata from the SP, but grinnell cannot connect to the InCommon site to retrieve it, so I created a local copy. A hand-copied EntityDescriptor is no longer covered by the signature on the InCommon aggregate and will not pick up changes (for example a new IdP signing certificate) until it is copied again, so verify the certificate in the copy against what the IdP operator publishes and plan to refresh the file by hand.
- In the /etc/shibboleth/shibboleth2.xml file:
- Set the entityID of the SP, and add "bannerid" to the front of the REMOTE_USER list. This makes REMOTE_USER the authenticated user's BannerID, which Apache passes on to Tomcat and which the Grouper UI uses as the login. Authentication in the Grouper UI works if REMOTE_USER is either the subject id (which is the case here) or a subject identifier.
<!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
<ApplicationDefaults entityID="https://grinnell.alaska.edu/shibboleth"
                     REMOTE_USER="bannerid eppn persistent-id targeted-id">
- Add the reference to the metadata file. Replace the following:
<!-- Example of locally maintained metadata. -->
<!--
<MetadataProvider type="XML" file="partner-metadata.xml"/>
-->
.. with this:
<MetadataProvider type="XML" file="alaska-metadata.xml"/>
- Add the entityID of the IdP. Replace the following:
<SSO entityID="https://idp.example.org/idp/shibboleth"
     discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
  SAML2 SAML1
</SSO>
.. with this:
<SSO entityID="urn:mace:incommon:alaska.edu"
     discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
  SAML2 SAML1
</SSO>
With entityID set, the SP always sends users to that IdP and the discoveryProtocol/discoveryURL attributes are not used, so the leftover ds.example.org values can be dropped. The value must match the entityID attribute of the EntityDescriptor in alaska-metadata.xml exactly, otherwise the SP cannot find the IdP's metadata.
- Set handlerSSL="true" in the Sessions element so the SP's handler URLs (/Shibboleth.sso/...) are only used over TLS. Set cookieProps="https" alongside it so the session cookie is issued with the Secure flag and is never sent over plain HTTP.
- In the /etc/shibboleth/attribute-map.xml file, add the mapping for the BannerID attribute.
<Attribute name="urn:mace:alaska.edu:attributes:bannerid" id="bannerid" />
- Restart the SP:
[root@grinnell shibboleth]# /etc/init.d/shibd restart
Stopping shibd:                                            [  OK  ]
Starting shibd: /sbin/restorecon:  Warning no default label for /var/run/shibboleth/shibd.pid
                                                           [  OK  ]
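Two checks worth running on the hand-built metadata file before restarting shibd, as an added example that is not part of the original page: first, that the entityID configured in the SSO element actually occurs as an EntityDescriptor entityID in /etc/shibboleth/alaska-metadata.xml (the two must match exactly); second, the SHA-1 fingerprint of every certificate in the file, to compare out of band with what the IdP operator publishes, since an element copied out of the signed InCommon aggregate is no longer protected by that signature. The file path and the entityID are the page's; the function names and the constructed sample file (which holds a fake "certificate", not a real one) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: sanity checks on the local IdP
# metadata copy. Runs against the real file when present, else on a constructed
# sample so it can be exercised offline.

METADATA_FILE="${METADATA_FILE:-/etc/shibboleth/alaska-metadata.xml}"
IDP_ENTITY_ID="${IDP_ENTITY_ID:-urn:mace:incommon:alaska.edu}"
FAKE_CERT_BYTES="constructed stand-in, not a certificate"

# metadata_has_entity FILE ENTITYID -> 0 if an EntityDescriptor with that entityID exists
# (works with or without the md: namespace prefix; newlines are folded first so
# an attribute on its own line still matches).
metadata_has_entity() {
    tr -d '\n\r' < "$1" | grep -qE "<(md:)?EntityDescriptor[^>]*entityID=\"$2\""
}

# metadata_cert_fingerprints FILE -> one lowercase SHA-1 hex digest per
# <ds:X509Certificate>, computed over the DER bytes, i.e. the same value
# `openssl x509 -fingerprint -sha1` prints without the colons.
metadata_cert_fingerprints() {
    tr -d '\n\r\t ' < "$1" \
      | grep -oE '<(ds:)?X509Certificate>[^<]*' \
      | sed 's/^<[^>]*>//' \
      | while IFS= read -r b64; do
            printf '%s' "$b64" | base64 -d | sha1sum | cut -d' ' -f1
        done
}

# check_metadata FILE ENTITYID -> 0 if the entity is present; prints fingerprints
check_metadata() {
    if metadata_has_entity "$1" "$2"; then
        echo "OK: $2 found in $1"
    else
        echo "FAIL: $2 not found in $1 (SSO entityID and metadata entityID must match exactly)" >&2
        return 1
    fi
    echo "certificate fingerprints in $1 (compare with the IdP's published values):"
    metadata_cert_fingerprints "$1"
}

# write_sample_metadata FILE: constructed stand-in for the real file, with the
# page's IdP entityID and a fake certificate (base64 of a short string).
write_sample_metadata() {
    fake_cert=$(printf '%s' "$FAKE_CERT_BYTES" | base64 | tr -d '\n')
    cat > "$1" <<EOF
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <EntityDescriptor entityID="urn:mace:incommon:alaska.edu">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
$fake_cert
        </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </KeyDescriptor>
    </IDPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
EOF
}

if [ -r "$METADATA_FILE" ]; then
    check_metadata "$METADATA_FILE" "$IDP_ENTITY_ID"
else
    sample=$(mktemp)
    write_sample_metadata "$sample"
    check_metadata "$sample" "$IDP_ENTITY_ID"
    rm -f "$sample"
fi
```

The fingerprint step is the one that actually establishes trust in the copy: the entityID check only tells you shibd will find the entry, not that the signing certificate inside it is the IdP's.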
Configure Apache
- Configure mod_proxy_ajp. Add the file /etc/httpd/conf.d/proxy_ajp.conf with the contents:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
ProxyPass /grouper/ ajp://localhost:8009/grouper/
- Add the following to the end of /etc/httpd/conf.d/shib.conf to require Shibboleth
<Location />
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require valid-user
</Location>
- Restart Apache
[root@grinnell conf.d]# /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@grinnell conf.d]#
Configure Tomcat
- In the file /etc/tomcat6/server.xml, make sure the AJP connector listening on port 8009 is not commented out and that tomcatAuthentication is set to false, so Tomcat takes the authenticated user from what Apache passes over AJP instead of doing its own authentication. (Tomcat 6 documents this attribute as tomcatAuthentication; the request.-prefixed spelling below is what was used here. If REMOTE_USER never reaches the UI, check which spelling the installed Tomcat honours.) AJP carries no authentication of its own, the connector as shown binds to all interfaces, and the web.xml constraints are removed later, so anything that can reach TCP 8009 directly can present any user name it likes. Bind the connector to loopback with address="127.0.0.1" and firewall or disable the HTTP connector on 8080, so that every request to the Grouper UI has to pass through Apache and Shibboleth.
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" request.tomcatAuthentication="false" />
- Restart Tomcat
[root@grinnell tomcat6]# /etc/init.d/tomcat6 stop
Stopping tomcat6:                                          [  OK  ]
[root@grinnell tomcat6]# ps -ef | grep -i tomcat
root     18377  7627  0 09:21 pts/3    00:00:00 grep -i tomcat
[root@grinnell tomcat6]# /etc/init.d/tomcat6 start
Starting tomcat6:                                          [  OK  ]
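Because the Tomcat side of this setup trusts the user name that arrives over AJP, the one thing to verify after the restart is that port 8009 is reachable only from Apache on the same host. The following is an added example, not code from the original page: a check that reads `ss -ltn` or `netstat -ltn` output and flags an AJP listener bound to anything other than loopback, with the hardened connector line it implies. The port and host are the page's; the function name and the constructed sample lines are this example's.

```shell
#!/bin/sh
# Added example, not from the original page. With tomcatAuthentication false,
# Tomcat accepts whatever remote user the AJP peer supplies; AJP itself has no
# authentication, and the Grouper UI's own web.xml login is removed later in
# this procedure. A direct connection to TCP 8009 therefore bypasses Apache and
# Shibboleth entirely and could carry a BannerID of the caller's choosing.

AJP_PORT=8009

# ajp_listener_exposed: listener table (ss -ltn / netstat -ltn) on stdin.
# Exits 0 (exposed) if a TCP listener on $AJP_PORT is bound to a non-loopback
# address, 1 otherwise. Understands "*:8009", "0.0.0.0:8009", ":::8009",
# "[::]:8009" as exposed and "127.0.0.1:8009", "::1:8009", "[::1]:8009" as safe.
ajp_listener_exposed() {
    awk -v port="$AJP_PORT" '
        {
            for (i = 1; i <= NF; i++) {
                n = split($i, a, ":")
                if (n < 2 || a[n] != port) continue
                addr = substr($i, 1, length($i) - length(port) - 1)
                if (addr != "127.0.0.1" && addr != "::1" && addr != "[::1]")
                    exposed = 1
            }
        }
        END { exit (exposed ? 0 : 1) }'
}

# check_live_ajp: run on the host itself (needs ss or netstat; not run here).
check_live_ajp() {
    if command -v ss >/dev/null 2>&1; then ss -ltn; else netstat -ltn; fi \
      | ajp_listener_exposed \
      && { echo "AJP $AJP_PORT is reachable from off-host; bind it to loopback" >&2; return 1; }
    echo "AJP $AJP_PORT is loopback-only (or not listening)"
}

# The hardened connector for /etc/tomcat6/server.xml: the page's line plus
# address= (Tomcat 6 documents the auth attribute as tomcatAuthentication):
#   <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
#              address="127.0.0.1" tomcatAuthentication="false" />

# Offline demonstration on constructed lines (netstat -ltn layout).
printf '%s\n' \
  'tcp   0  0 0.0.0.0:8080    0.0.0.0:*  LISTEN' \
  'tcp   0  0 127.0.0.1:8009  0.0.0.0:*  LISTEN' \
  | ajp_listener_exposed && echo "sample: AJP exposed" || echo "sample: AJP loopback-only"
```

Binding to 127.0.0.1 closes the path for remote hosts only; local users on grinnell who can open 8009 still sit inside the trust boundary, which is one reason to keep the box single-purpose.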
Install Grouper UI
- Download and copy the UI to /tmp/ on grinnell. The tarball is located at http://www.internet2.edu/grouper/release/2.1.4/grouper.ui-2.1.4.tar.gz.
- Extract it under /srv/grouper, which creates /srv/grouper/grouper.ui-2.1.4.
[root@grinnell grouper]# cd /srv/grouper
[root@grinnell grouper]# cp /tmp/grouper.ui-2.1.4.tar.gz .
[root@grinnell grouper]# gunzip grouper.ui-2.1.4.tar.gz
[root@grinnell grouper]# tar xf grouper.ui-2.1.4.tar
[root@grinnell grouper]# cd grouper.ui-2.1.4
[root@grinnell grouper.ui-2.1.4]#
- Create build.properties (based on build.properties.template).
[root@grinnell grouper.ui-2.1.4]# cp build.properties.template build.properties
And then set the property for grouper.folder:
grouper.folder=../grouper.api-2.1.4
Finally, uncomment the property to use a local log4j configuration file.
use.local.log4j=true
- Copy the log4j.properties file from the API install into the UI directory. Then customize it.
[root@grinnell grouper.ui-2.1.4]# cp /srv/grouper/grouper.api-2.1.4/conf/log4j.properties .
As far as customizations go, for now just replace all instances of ${grouper.home} with /usr/share/tomcat6/. This is so that Grouper logs generated by the UI are placed in /usr/share/tomcat6/logs.
- Set the following properties in conf/resources/grouper/nav.properties
member.sort.string0=Last name
#member.sort.string1=
- Remove the security-constraint, login-config, and security-role elements from the file webapp/WEB-INF/web.core.xml, so Tomcat no longer demands its own BASIC login in front of the UI. After this the only login check for the Grouper UI is the REMOTE_USER value that Apache and Shibboleth supply.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Tomcat login</web-resource-name>
    <url-pattern>/login.do</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- NOTE: This role is not present in the default users file -->
    <role-name>@grouper.role@</role-name>
  </auth-constraint>
</security-constraint>

<!-- Define the Login Configuration for this Application -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Grouper Application</realm-name>
</login-config>

<!-- Security roles referenced by this web application -->
<security-role>
  <description>
    The role that is required to log in to the Grouper UI
  </description>
  <role-name>@grouper.role@</role-name>
</security-role>
- Remove the security-constraint elements from the file webapp/WEB-INF/web.ajax.xml.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>UI</web-resource-name>
    <url-pattern>/grouperUi/app/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>UI</web-resource-name>
    <url-pattern>/grouperUi/appHtml/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>UI</web-resource-name>
    <url-pattern>/grouperExternal/app/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>UI</web-resource-name>
    <url-pattern>/grouperExternal/appHtml/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
- Build the WAR file by simply running 'ant war'.
[root@grinnell grouper.ui-2.1.4]# ant war
Buildfile: build.xml

war:

dist:

-setup:
[propertyfile] Updating property file: /srv/grouper/grouper.ui-2.1.4/.lastbuild.properties
     [echo] In setup - do.clean = true cleanable=${webapp.folder.cleanable}

-doStop:

-doCleanWebappClassFolder:
     [echo] Removing /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/classes
   [delete] Deleting directory /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/classes

-doClean:
     [echo] Removing /srv/grouper/grouper.ui-2.1.4/dist/grouper
   [delete] Deleting directory /srv/grouper/grouper.ui-2.1.4/dist/grouper
   [delete] Deleting directory /srv/grouper/grouper.ui-2.1.4/dist
   [delete] Deleting directory /srv/grouper/grouper.ui-2.1.4/temp
    [mkdir] Created dir: /srv/grouper/grouper.ui-2.1.4/temp

-resources:
     [echo] In resources - Build folder = /srv/grouper/grouper.ui-2.1.4/dist/grouper

-dist-grouper:
     [echo] Creating /srv/grouper/grouper.ui-2.1.4/dist/grouper
    [mkdir] Created dir: /srv/grouper/grouper.ui-2.1.4/dist/grouper
    [mkdir] Created dir: /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/classes
    [mkdir] Created dir: /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/lib
     [echo] Copying Grouper configuration files to /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/classes
     [copy] Copying 24 files to /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/classes

-local-log4j:
     [copy] Copying 1 file to /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/classes

-fix-grouper-home:
     [echo] Attempting to replace grouper.home with /srv/grouper/grouper.ui-2.1.4/../grouper.api-2.1.4/
     [echo] Copying ui resources to /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/classes/resources
    [mkdir] Created dir: /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/classes/resources
     [copy] Copying 8 files to /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/classes/resources

-additional-build:

-optional-conf:

-webapp:
   [delete] Deleting directory /srv/grouper/grouper.ui-2.1.4/temp
    [mkdir] Created dir: /srv/grouper/grouper.ui-2.1.4/temp

-compileGrouper:
    [mkdir] Created dir: /srv/grouper/grouper.ui-2.1.4/temp/jarBin
    [javac] Compiling 264 source files to /srv/grouper/grouper.ui-2.1.4/temp/jarBin
    [javac] warning: [options] bootstrap class path not set in conjunction with -source 1.5
    [javac] Note: Some input files use or override a deprecated API.
    [javac] Note: Recompile with -Xlint:deprecation for details.
    [javac] Note: Some input files use unchecked or unsafe operations.
    [javac] Note: Recompile with -Xlint:unchecked for details.
    [javac] 1 warning
      [jar] Building jar: /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/lib/grouper-ui.jar

-additional-build:
     [copy] Copying 115 files to /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/lib
     [copy] Copying 5 files to /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/lib

-copyContent:
     [echo] Copying core UI files to /srv/grouper/grouper.ui-2.1.4/dist/grouper
     [copy] Copying 604 files to /srv/grouper/grouper.ui-2.1.4/dist/grouper
     [echo] Processing web.xml
     [copy] Copying 1 file to /srv/grouper/grouper.ui-2.1.4/temp
     [echo] web.xmls.isempty=:${web.xmls.isempty}:

-merge-xmls:
     [echo] temp.dir : /srv/grouper/grouper.ui-2.1.4/temp
     [echo] final.web.xmls : ${final.web.xmls}
     [echo] ui.folder : /srv/grouper/grouper.ui-2.1.4
     [echo] webapp.folder : /srv/grouper/grouper.ui-2.1.4/dist/grouper
     [copy] Copying 1 file to /srv/grouper/grouper.ui-2.1.4/temp
     [copy] Copying 1 file to /srv/grouper/grouper.ui-2.1.4/temp
     [echo] Transforming: /srv/grouper/grouper.ui-2.1.4/temp/50.web.core.xml
     [echo] /srv/grouper/grouper.ui-2.1.4/temp/60.web.ajax.xml
     [echo] /srv/grouper/grouper.ui-2.1.4/temp/99.web.core-filters.xml
     [echo]
     [echo]
     [echo] Base = /srv/grouper/grouper.ui-2.1.4/temp/50.web.core.xml
     [echo] + /srv/grouper/grouper.ui-2.1.4/temp/60.web.ajax.xml
     [echo] -> /srv/grouper/grouper.ui-2.1.4/temp/web.1.xml
     [echo]
     [echo] Base = /srv/grouper/grouper.ui-2.1.4/temp/web.1.xml
     [echo] + /srv/grouper/grouper.ui-2.1.4/temp/99.web.core-filters.xml
     [echo] -> /srv/grouper/grouper.ui-2.1.4/dist/grouper/WEB-INF/web.xml
     [echo] Result: 0

-copy-core-web-xml:

-copyContextXmlToMetaInf:
     [copy] Copying 1 file to /srv/grouper/grouper.ui-2.1.4/dist/grouper/META-INF

-copyContextXmlToTomcat:

-html:

-war:
     [echo] Creating /srv/grouper/grouper.ui-2.1.4/dist/grouper.war
      [jar] Building jar: /srv/grouper/grouper.ui-2.1.4/dist/grouper.war

-web:
     [echo] ****************************************************
     [echo] ** The Grouper UI will fail to start if the user  **
     [echo] ** which your application server runs as does not **
     [echo] ** have permission to write to the log files that **
     [echo] ** are configured in log4j.properties. See        **
     [echo] ** build.properties for more information          **
     [echo] ****************************************************

BUILD SUCCESSFUL
Total time: 44 seconds
- Copy WAR to Tomcat.
[root@grinnell grouper.ui-2.1.4]# cp /srv/grouper/grouper.ui-2.1.4/dist/grouper.war /usr/share/tomcat6/webapps/
- Restart Tomcat
[root@grinnell tomcat6]# /etc/init.d/tomcat6 stop
Stopping tomcat6:                                          [  OK  ]
[root@grinnell tomcat6]# ps -ef | grep -i tomcat
root     18377  7627  0 09:21 pts/3    00:00:00 grep -i tomcat
[root@grinnell tomcat6]# /etc/init.d/tomcat6 start
Starting tomcat6:                                          [  OK  ]
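The Grouper UI steps above are a sequence of hand edits whose result only becomes visible in the built artifact, since the build merges web.core.xml and web.ajax.xml into the final WEB-INF/web.xml. As an added example (not code from the original page or from the Grouper project), the script below does the build.properties and log4j.properties edits repeatably and then checks the packaged grouper.war for any surviving security-constraint or login-config element, which would mean Tomcat still demands its own BASIC login in front of Shibboleth's REMOTE_USER. Directory names are the page's; the function names, the sed patterns and the small files the test writes are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: repeatable Grouper UI build prep
# plus a check on the built WAR that container-managed auth is really gone.

UI_DIR="${UI_DIR:-/srv/grouper/grouper.ui-2.1.4}"
API_DIR="${API_DIR:-/srv/grouper/grouper.api-2.1.4}"
TOMCAT_HOME="${TOMCAT_HOME:-/usr/share/tomcat6/}"

# prepare_ui_build UI_DIR API_DIR TOMCAT_HOME
#   - build.properties from the template, grouper.folder pointed at the API
#     install by relative path (as on the page), use.local.log4j=true
#   - log4j.properties copied from the API install with every ${grouper.home}
#     replaced so the UI's Grouper logs land under Tomcat
prepare_ui_build() {
    ui=$1 api=$2 tomcat=$3
    cp "$ui/build.properties.template" "$ui/build.properties"
    sed -i \
        -e "s#^[# ]*grouper\.folder=.*#grouper.folder=../$(basename "$api")#" \
        -e 's/^[# ]*use\.local\.log4j=.*/use.local.log4j=true/' \
        "$ui/build.properties"
    # append either property if the template did not carry it at all
    grep -q '^grouper\.folder=' "$ui/build.properties" \
        || echo "grouper.folder=../$(basename "$api")" >> "$ui/build.properties"
    grep -q '^use\.local\.log4j=true' "$ui/build.properties" \
        || echo 'use.local.log4j=true' >> "$ui/build.properties"
    cp "$api/conf/log4j.properties" "$ui/log4j.properties"
    sed -i "s#\${grouper\.home}#$tomcat#g" "$ui/log4j.properties"
}

# web_xml_has_container_auth: web.xml on stdin; exits 0 if it still declares
# <security-constraint> or <login-config>, i.e. an edit to web.core.xml or
# web.ajax.xml was missed and Tomcat would enforce its own login.
web_xml_has_container_auth() {
    grep -qE '<(security-constraint|login-config)[ >]'
}

# war_has_container_auth WAR: the same check on the packaged artifact
war_has_container_auth() {
    unzip -p "$1" WEB-INF/web.xml | web_xml_has_container_auth
}

# build_verify_deploy: the page's build and copy steps with the check between
# them (not run automatically here; requires ant, unzip and the real tree).
build_verify_deploy() {
    prepare_ui_build "$UI_DIR" "$API_DIR" "$TOMCAT_HOME" || return 1
    (cd "$UI_DIR" && ant war) || return 1
    if war_has_container_auth "$UI_DIR/dist/grouper.war"; then
        echo "built web.xml still has container auth; re-check web.core.xml and web.ajax.xml" >&2
        return 1
    fi
    cp "$UI_DIR/dist/grouper.war" "$TOMCAT_HOME/webapps/"
}
```

Checking the WAR rather than the source files catches the case the page's procedure cannot: an edit made to the wrong copy of a web.*.xml fragment, or one overwritten by a later template copy, still ends up in the merged web.xml.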