...
Install and configure Apache httpd
We use the native Red Hat RPMs (httpd 2.2).
Install needed RPMs
- Use stock httpd RPM install (standard NIST install)
- Install mod_ssl and mod_auth_kerb RPMs:
No Format # yum install mod_ssl
...
- Install the tomcat init script (from /mit/touchstone/maint/init/tomcat) in /etc/init.d/, and make sure tomcat is started at boot time:
No Format # chkconfig --add tomcat
MySQL
We use the native Red Hat RPMs (5.0), part of the standard NIST install. Start up the daemon, and secure the installation:
| No Format |
|---|
# /etc/init.d/mysqld start
# mysql_secure_installation
|
Respond to the prompts to set the root password, remove anonymous users, disallow remote root logins, and remove the test database.
Install Shibboleth IdP
- Run the idp application installer from our customized binary distribution, available in /mit/touchstone/builds/NIST/idp2-cams/cams-shibboleth-identityprovider-2.x.y-bin.tgz, and the install script contained therein. For example:
By default (because of one of our customizations to the stock Internet2 distribution) this will install underNo Format # cd /tmp # rm -rf shibboleth-identityprovider-2.* # tar xzf /path/to/cams-shibboleth-identityprovider-2.1.5-bin.tgz # cd shibboleth-identityprovider-2.1.5 # ./install.sh [There should be no need to override the default responses to the installer's questions.]
/usr/local/shibboleth-idp/. The installer will not overwrite the configuration files of an existing installation. For a new installation, the installer will generate a keystore, and prompt for its password; currently we do not use this keystore, so the password does not matter. This distribution contains the standard shibboleth-identityprovider binary distribution, from the Internet2 zip file (http://shibboleth.internet2.edu/downloads/shibboleth/idp/latest/
), plus the following customizations: - camslogin
This provides the custom login pages for CAMS users. It is available as a tarball (/mit/touchstone/builds/NIST/idp2-cams/camslogin.tgz) which is unpacked into the top-level directory of the binary distribution. - CamsLoginModule (cams-jaas-loginmodule-x.y.jar)
This is the JAAS login module for CAMS. It is available as a .jar file in /mit/touchstone/builds/NIST/cams-jaas-loginmodule-x.y.jar, where x.y is the version number (currently 1.0). It must be copied into the lib subdirectory of the binary distribution. - camsutil-1.0.jar
This is a helper package used by the login module to validate the username/password. It is available in /mit/touchstone/builds/NIST/camsutil-1.0.jar. It must be copied into the lib subdirectory of the binary distribution along with the login module jar file.
- camslogin
- The installer will create and populate /usr/local/shibboleth-idp; the web application (war) file will be in /usr/local/shibboleth-idp/war/idp.war, but the current version of the idp.war will be available in the locker (/mit/touchstone/builds/NIST/idp2-mit/idp.war).
- The idp application, running under Tomcat, needs full access to the install directory, so make sure it is owned by the tomcat user, e.g.:
To ensure that we run the current version of the web application, download the latest idp.war file from the touchstone locker (/mit/touchstone/builds/NIST/idp2-mit/idp.war) and copy it into /usr/local/tomcat/webapps/:No Format # chown -R tomcat:tomcat /usr/local/shibboleth-idp
No Format # cp /path/to/idp.war /usr/local/tomcat/webapps/ # chown tomcat:tomcat /usr/local/tomcat/webapps/idp.war
- Copy the idp's endorsed jar files to tomcat's endorsed dir:
No Format # mkdir -p /usr/local/tomcat/endorsed # cp -p /usr/local/shibboleth-idp/lib/endorsed/*.jar /usr/local/tomcat/endorsed/ # chown -R tomcat:tomcat /usr/local/tomcat/endorsed
- Copy in the idp config files for the server, to the conf subdirectory; these include:
- attribute-filter.xml
- attribute-resolver.xml
- handler.xml
- internal.xml
- logging.xml
- login.config
- relying-party.xml
- service.xml
- tc-config.xml (for terracotta clustering)
...