...
- Install the tomcat init script in /etc/init.d/, and make sure tomcat is started at boot time:
# chkconfig --add tomcat
Install Shibboleth IdP
- Install the idp application, either by running the installer from Internet2's binary distribution after adding our local extensions and customizations to it, or simply by unpacking our customized binary tarball from the touchstone locker (/mit/touchstone/builds/NIST/) into /usr/local/shibboleth-idp.
To install from Internet2's binary distribution (zip file), you must add two local extension/customization packages (and one updated library jar) to the distribution:
- MultiAuthnOptionLoginHandler
This is our custom login handler extension, which supports multiple authentication options (certificate, username/password, etc.). The current jar file for the extension is available in the locker, in /mit/touchstone/builds/NIST/shibboleth-idp-ext-MultiAuthnOptionLoginHandler-1.0.jar; it is copied into the lib/ subdirectory of the binary distribution.
- mitlogin
This provides the custom login pages for MIT users, the web deployment descriptor, etc. It is available as a tarball (/mit/touchstone/builds/NIST/idp2-mit/mitlogin.tgz) which is unpacked into the top-level directory of the binary distribution.
- vt-ldap-2.8.5.jar
This is an updated version of the IdP's LDAP package. We currently use this in version 2.1.5 (instead of version 2.8.4 of the jar file) because the older version does not properly handle certain error conditions with the connection to the LDAP server. This should not be needed in future releases.
Then run the installer. Take the default for the hostname prompt, and enter anything for the keystore password prompt; we will override both of these in our configuration. For example (replace 2.1.5 with the appropriate version number):
# mkdir -p $HOME/build
# cd $HOME/build
# rm -rf shibboleth-identityprovider-2.1.5
# unzip /path/to/shibboleth-identityprovider-2.1.5-bin.zip
# cd shibboleth-identityprovider-2.1.5
# cp /path/to/shibboleth-idp-ext-MultiAuthnOptionLoginHandler-1.0.jar lib/
# tar xzf /path/to/mitlogin.tgz
# ./install.sh
Buildfile: src/installer/resources/build.xml

install:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Be sure you have read the installation/upgrade instructions on the Shibboleth website before proceeding.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Where should the Shibboleth Identity Provider software be installed? [/usr/local/shibboleth-idp]

What is the fully qualified hostname of the Shibboleth Identity Provider server? [idp.mit.edu]

A keystore is about to be generated for you. Please enter a password that will be used to protect it.
PASSWORD
...
This will create and populate /usr/local/shibboleth-idp; the web application (war) file will be in /usr/local/shibboleth-idp/war/idp.war, but the current version of the idp.war will be available in the locker (/mit/touchstone/builds/NIST/idp2-mit/idp.war). The war file should be copied into tomcat's webapps directory (see below).
This procedure will also work when updating the software, i.e. when there is already an existing installation in /usr/local/shibboleth-idp. For example:
# ./install.sh
Buildfile: src/installer/resources/build.xml

install:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Be sure you have read the installation/upgrade instructions on the Shibboleth website before proceeding.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Where should the Shibboleth Identity Provider software be installed? [/usr/local/shibboleth-idp]

The directory '/usr/local/shibboleth-idp' already exists. Would you like to overwrite this Shibboleth configuration? (yes, [no])

Updating property file: /root/build/shibboleth-identityprovider-2.1.5/src/installer/resources/install.properties
Copying 50 files to /usr/local/shibboleth-idp/lib
Copying 5 files to /usr/local/shibboleth-idp/lib/endorsed
Copying 1 file to /root/build/shibboleth-identityprovider-2.1.5/src/installer
Building war: /root/build/shibboleth-identityprovider-2.1.5/src/installer/idp.war
Copying 1 file to /usr/local/shibboleth-idp/war
Deleting: /root/build/shibboleth-identityprovider-2.1.5/src/installer/web.xml
Deleting: /root/build/shibboleth-identityprovider-2.1.5/src/installer/idp.war

BUILD SUCCESSFUL
Total time: 38 seconds
The idp application, running under Tomcat, needs full access to the install directory, so make sure it is owned by the tomcat user, e.g.:
# chown -R tomcat:tomcat /usr/local/shibboleth-idp
To install from a pre-installed tarball instead, extract our distribution tar file from the touchstone locker into the /usr/local/shibboleth-idp directory:
# mkdir -p /usr/local/shibboleth-idp
# cd /usr/local/shibboleth-idp
# tar xzf /path/to/usr_local_shibboleth-idp.tgz
# chown -R tomcat:tomcat /usr/local/shibboleth-idp
To ensure that we run the current version of the web application, download the latest idp.war file from the touchstone locker (/mit/touchstone/builds/NIST/idp2-mit/idp.war) and copy it into /usr/local/tomcat/webapps/:
# cp /path/to/idp.war /usr/local/tomcat/webapps/
# chown tomcat:tomcat /usr/local/tomcat/webapps/idp.war
- Copy the idp's endorsed jar files to tomcat's endorsed dir:
# mkdir -p /usr/local/tomcat/endorsed
# cp -p /usr/local/shibboleth-idp/lib/endorsed/*.jar /usr/local/tomcat/endorsed/
# chown -R tomcat:tomcat /usr/local/tomcat/endorsed
- Copy in the idp config files for the server, to the conf subdirectory; these include:
- attribute-filter.xml
- attribute-resolver.xml.in
- authn-config.properties
- handler.xml
- internal.xml
- logging.xml
- login.config
- relying-party.xml
- service.xml
- tc-config.xml (for terracotta clustering)
You must replace %%LDAPUID%% and %%LDAPPASSWORD%% in attribute-resolver.xml.in with the principal uid (e.g. touchstone-core-service) and password (principalCredential attribute) for accessing our LDAP server, and save the resulting file as attribute-resolver.xml. Make sure the file is not world-readable.
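The substitution step above, as an added example that is not part of the original page: a POSIX shell function that fills in %%LDAPUID%% and %%LDAPPASSWORD%%, refuses to hand over a file in which a placeholder survived, and writes attribute-resolver.xml so that it is never world-readable. The function names and the optional GROUP argument are ours; the placeholder names are the page's.

```shell
#!/bin/sh
# Added example (not from the original page): fill in the LDAP service
# principal in attribute-resolver.xml.in and write the result so that it is
# never world-readable. The %%LDAPUID%% / %%LDAPPASSWORD%% placeholders are
# the page's; the function names are ours.

# Escape a string for the replacement side of sed's s|old|new| command
# (backslash, '&' and the '|' delimiter are special there).
sed_escape() {
    printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}

# render_attribute_resolver TEMPLATE OUTPUT UID PASSWORD [GROUP]
#   TEMPLATE  attribute-resolver.xml.in containing the placeholders
#   OUTPUT    attribute-resolver.xml to write (mode 0640, no "other" bits)
#   GROUP     optional group (e.g. tomcat) that must be able to read it
render_attribute_resolver() {
    template=$1; out=$2; grp=$5
    uid=$(sed_escape "$3"); pw=$(sed_escape "$4")
    # Create the file with no group/other permissions from the start, so the
    # password is never exposed even while sed is still writing it.
    old_umask=$(umask); umask 077
    sed -e "s|%%LDAPUID%%|$uid|g" -e "s|%%LDAPPASSWORD%%|$pw|g" \
        "$template" > "$out" || { umask "$old_umask"; return 1; }
    umask "$old_umask"
    # Refuse to hand over a file with an unreplaced placeholder (a typo in
    # the template would otherwise silently break the LDAP bind).
    if grep -q '%%LDAP[A-Z]*%%' "$out"; then
        echo "unreplaced placeholder in $out" >&2
        return 1
    fi
    if [ -n "$grp" ]; then
        chgrp "$grp" "$out" || return 1
    fi
    chmod 640 "$out"   # owner rw, group r, others nothing
}

# True (exit 0) if a file is readable by "others", which the page forbids.
world_readable() {
    ls -ld "$1" | cut -c8 | grep -q r
}
```

Run it as root with GROUP set to tomcat so the IdP, which runs as the tomcat user, can read the file while other users cannot.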
Alternatively, instead of unzipping the Internet2 file, adding our login handler jar file to the lib/ subdirectory and untarring the mitlogin tarball (also available as /mit/touchstone/builds/NIST/mitlogin.tgz) at the top of the build tree yourself, use our customized binary distribution, idp2-mit/mit-shibboleth-identityprovider-2.x.y-bin.tgz, and the install script contained therein. This distribution contains the standard shibboleth-identityprovider binary distribution, from the Internet2 zip file (http://shibboleth.internet2.edu/downloads/shibboleth/idp/latest/), plus our customizations. Unpack it into a build directory and run the install script. For example:
# cd /tmp
# rm -rf shibboleth-identityprovider-2.*
# tar xzf /path/to/mit-shibboleth-identityprovider-2.1.5-bin.tgz
# cd shibboleth-identityprovider-2.1.5
# ./install.sh
[There should be no need to override the default responses to the installer's questions.]
This installs into /usr/local/shibboleth-idp/. The installer will not overwrite the configuration files of an existing installation. For a new installation, the installer will generate a keystore, and prompt for its password; currently we do not use this keystore, so the password does not matter.
...