wiki:IdPFreshInstall

Version 13 (modified by dabantz@…, 10 years ago) (diff)

--

Server Installation of Shibboleth Identity Provider (IdP): Clean Install

Although all Linux servers managed by UA OIT, Technical Services are RHEL, most of the instructions below are appropriate VMWare CentOS 6 and for Virtual Box CentOS 6. I have noted differences in installation for Virtual Box CentOS 6 where appropriate.

Installation Pre-requisites

The following topics address applications that must be installed appropriately before the Shibboleth IdP installation.

Install Web Server

Although other web servers can manage Shibboleth, at UA the server is implemented via Tomcat. As of 8 January 2014, Shibboleth IdP is restricted to Tomcat versions no higher than Tomcat 6. RHEL Tomcat is not an option due to the necessary location and configuration choices. The following link provides instructions for Tomcat 6 download/install as

Tomcat 6 Download
Tomcat 6 Documentation

Instructions specific to Shibboleth IdP versions 7 and higher can be found at:

Preparing Apache Tomcat for the Shibboleth Identity Provider

Configuring Tomcat connector & security

Tomcat configuration appears to be very version dependent. That is, the same configuration statements in one version of Tomcat will not work properly in another. So some research and updating is needed for each new version of tomcat.

The UA IdP as of 2015-01 is using tomcat version 6. For that version, we configured tomcat to respond on secured port 8444 [IdP runs as tomcat so must use high-numbered port] with the following configuration snippet in the tomcat directory (/opt/tomcat/conf/server.xml on the UA IdP servers) as of 2015-01:

<Connector port="8444" 
    protocol="HTTP/1.1" 
    SSLEnabled="true" 
    maxThreads="150" 
    scheme="https" 
    secure="true" 
    clientAuth="false" 
    sslProtocols="TLSv1,TLSv1.1,TLSv1.2"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA"
    keystoreFile="/opt/shibboleth-idp/credentials/idp.alaska.edu.jks" 
    keystorePass="••••••••••••" />

This limits ciphers to those supported in the installed JDK version and considered safest by Qualsys SSL Labs. This configuration does not support PFS; that will require an update to tomcat and JDK.

Install Compatible JDK - Open JDK

RHEL Java installations are not compatible with Shibboleth IdP. Tomcat must also be configured to use Open JDK rather than RHEL. The following instructions guide users through determining which Open JDK java versions are appropriate for your server and then making the installation.

Determine the OpenJDK Version

RHEL Response

[root@anaconda]# yum makecache && yum search openjdk

...
=============================== N/S Matched: openjdk ===============================
java-1.6.0-openjdk.x86_64 : OpenJDK Runtime Environment
java-1.6.0-openjdk-demo.x86_64 : OpenJDK Demos
java-1.6.0-openjdk-devel.x86_64 : OpenJDK Development Environment
java-1.6.0-openjdk-javadoc.x86_64 : OpenJDK API Documentation
java-1.6.0-openjdk-plugin.x86_64 : OpenJDK Web Browser Plugin
java-1.6.0-openjdk-src.x86_64 : OpenJDK Source Bundle
java-1.7.0-openjdk.x86_64 : OpenJDK Runtime Environment
java-1.7.0-openjdk-demo.x86_64 : OpenJDK Demos
java-1.7.0-openjdk-devel.x86_64 : OpenJDK Development Environment
java-1.7.0-openjdk-javadoc.noarch : OpenJDK API Documentation
java-1.7.0-openjdk-src.x86_64 : OpenJDK Source Bundle
icedtea-web.x86_64 : Additional Java components for OpenJDK

Virtual Box CentOS 6

[root@localhost ~]# yum makecache && yum search openjdk

...

=============================== N/S Matched: openjdk ===============================
java-1.6.0-openjdk.i686 : OpenJDK Runtime Environment
java-1.6.0-openjdk-demo.i686 : OpenJDK Demos
java-1.6.0-openjdk-devel.i686 : OpenJDK Development Environment
java-1.6.0-openjdk-javadoc.i686 : OpenJDK API Documentation
java-1.6.0-openjdk-src.i686 : OpenJDK Source Bundle
java-1.7.0-openjdk.i686 : OpenJDK Runtime Environment
java-1.7.0-openjdk-demo.i686 : OpenJDK Demos
java-1.7.0-openjdk-devel.i686 : OpenJDK Development Environment
java-1.7.0-openjdk-javadoc.noarch : OpenJDK API Documentation
java-1.7.0-openjdk-src.i686 : OpenJDK Source Bundle
icedtea-web.i686 : Additional Java components for OpenJDK - Java browser plug-in and
                 : Web Start implementation

Install Selected OpenJDK Version

The following command installs the desired java version of OpenJDK. The version will vary based on the results of the command above.

[root@localhost ~]# su -c "yum install java-1.7.0-openjdk"

Install ntpd

First determine if ntpd is installed on the server. If it is not, install it.

[root@localhost ~]# service ntpd status

If ntpd is not installed, a message is returned specifying the service request is unknown. The following command installs ntpd via yum.

[root@localhost ~]# yum install ntp ntpdate ntp-doc

Once installed status can always be checked by:

[root@localhost ~]# service ntpd status
ntpd is stopped

The following commands control ntpd:

  • service ntpd start
  • service ntpd stop
  • chkconfig ntpd on

The first two are self-explanatory. The last sets ntpd to set the correct time at boot.

Install OpenSSH if required

If the installation is on a VM that does not include scp, sftp, or rcp, then the following command will download and install that package.

[root@localhost /]# yum install openssh-clients

...

Transaction Summary
================================================================================
Install       1 Package(s)
Upgrade       2 Package(s)

Total download size: 969 k
Is this ok [y/N]: y
Downloading Packages:
(1/3): openssh-5.3p1-94.el6.i686.rpm                     | 260 kB     00:00     
(2/3): openssh-clients-5.3p1-94.el6.i686.rpm             | 398 kB     00:00     
(3/3): openssh-server-5.3p1-94.el6.i686.rpm              | 310 kB     00:00     
--------------------------------------------------------------------------------
Total                                           3.1 MB/s | 969 kB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : openssh-5.3p1-94.el6.i686                                    1/5 
  Updating   : openssh-server-5.3p1-94.el6.i686                             2/5 
  Installing : openssh-clients-5.3p1-94.el6.i686                            3/5 
  Cleanup    : openssh-server-5.3p1-84.1.el6.i686                           4/5 
  Cleanup    : openssh-5.3p1-84.1.el6.i686                                  5/5 
  Verifying  : openssh-server-5.3p1-94.el6.i686                             1/5 
  Verifying  : openssh-clients-5.3p1-94.el6.i686                            2/5 
  Verifying  : openssh-5.3p1-94.el6.i686                                    3/5 
  Verifying  : openssh-5.3p1-84.1.el6.i686                                  4/5 
  Verifying  : openssh-server-5.3p1-84.1.el6.i686                           5/5 

Installed:
  openssh-clients.i686 0:5.3p1-94.el6                                           

Dependency Updated:
  openssh.i686 0:5.3p1-94.el6         openssh-server.i686 0:5.3p1-94.el6        

Complete!

Install Shibboleth Identity Provider

InCommon provides excellent documentation on its wiki site. The following provide links to both the IdP and SP (Service Provider) installation and configuration guides:

Shibboleth Installation
Configuration for both IdP and SP