Versions Compared

Old Version 25

changes.mady.by.user Robert A Basch

Saved on

compared with

New Version 26

changes.mady.by.user Robert A Basch

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

No Format
# mysql
mysql> GRANT ALL ON cams.* TO 'camsusr'@'localhost' IDENTIFIED BY '<password>';
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT ALL ON cams.* TO 'camsusr'@'idp-cams-1.mit.edu' IDENTIFIED BY '<password>';
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT ALL ON cams.* TO 'camsusr'@'idp-cams-2.mit.edu' IDENTIFIED BY '<password>';
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT SELECT ON cams.* TO 'shibresolver'@'localhost' IDENTIFIED BY '<password>';
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT SELECT ON cams.* TO 'shibresolver'@'idp-cams-1.mit.edu' IDENTIFIED BY '<password>';
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT SELECT ON cams.* TO 'shibresolver'@'idp-cams-2.mit.edu' IDENTIFIED BY '<password>';
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT SELECT, LOCK TABLES, FILE, RELOAD ON *.* TO 'backup'@'localhost' IDENTIFIED BY '<password>';
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT SELECT ON cams.ExternalUser TO 'camsldap'@'localhost' IDENTIFIED BY '<password>';
Query OK, 0 rows affected (0.00 sec)

mysql> quit
Replication

See Make sure that connections are allowed to port 3306 from the peer server only. For instructions on setting up the MySQL master/slave replication, see https://wikis-mit-edu.ezproxyberklee.flo.org/confluence/display/ISDA/MySQL+Replication+Configuration+Instructions

...

Note: SELinux must be set to permissive mode in order for the SP to function properly; otherwise (without modifying policy) its Apache module will be unable to connect to shibd's Unix socket (which lives in /var/run/shibboleth/). Edit /etc/selinux/config accordingly.

Firewall

Make sure that the additional port used by the IdP are enabled in the firewall. Use the command "iptables --list -n --line-numbers" to determine the proper rule number; the following example assumes we are inserting rules beginning at number 36. Also replace 18.x.y.z with the appropriate IP address of the peer node in the cluster, not the local host.

No Format

# iptables --list -n --line-numbers
# iptables -I RH-Firewall-1-INPUT 36 -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
# iptables -I RH-Firewall-1-INPUT 37 -m state --state NEW -m tcp -p tcp -s 18.x.y.z --dport 3306 -j ACCEPT
# iptables -I RH-Firewall-1-INPUT 38 -m state --state NEW -m tcp -p tcp -s 18.x.y.z --dport 9510 -j ACCEPT
# iptables -I RH-Firewall-1-INPUT 39 -m state --state NEW -m tcp -p tcp -s 18.x.y.z --dport 9530 -j ACCEPT