...
Make sure that connections are allowed to port 3306 from the peer server only (see firewall instructions below). For instructions on setting up the MySQL master/slave replication, see https://wikis-mit-edu.ezproxyberklee.flo.org/confluence/display/ISDA/MySQL+Replication+Configuration+Instructions
cams-ldap
The Cams-to-LDAP integration is done via a trigger library added to the MySQL instance, and a separate Perl daemon which propagates account changes to Moira and LDAP. Set it up as follows:
- Install the mit-moira RPM; the daemon uses the blanche client.
- yum install perl-LDAP (This will also bring in perl-IO-Socket-SSL and perl-Net-SSLeay as dependencies)
- yum install perl-Convert-ASN1
- Unpack the cams-ldap binary tarball, from the root directory:
    # cd /
    # tar xzf /path/to/cams-ldap.tgz
- Make sure the trigger library is configured for the run-time linker (required for mysqld to be able to load it):
    # echo "/usr/local/cams/lib" > /etc/ld.so.conf.d/cams-ldap.conf
    # ldconfig
- On the slave only, disable the cron job which purges the Cams Moira list:
    # rm /etc/cron.d/cams-ldap
Install Shibboleth IdP
- Run the idp application installer from our customized binary distribution, available in /mit/touchstone/builds/NIST/idp2-cams/cams-shibboleth-identityprovider-2.x.y-bin.tgz, and the install script contained therein. For example:
    # cd /tmp
    # rm -rf shibboleth-identityprovider-2.*
    # tar xzf /path/to/cams-shibboleth-identityprovider-2.1.5-bin.tgz
    # cd shibboleth-identityprovider-2.1.5
    # ./install.sh
[There should be no need to override the default responses to the installer's questions.]
By default (because of one of our customizations to the stock Internet2 distribution) this will install under /usr/local/shibboleth-idp/. The installer will not overwrite the configuration files of an existing installation. For a new installation, the installer will generate a keystore, and prompt for its password; currently we do not use this keystore, so the password does not matter. This distribution contains the standard shibboleth-identityprovider binary distribution, from the Internet2 zip file (http://shibboleth.internet2.edu/downloads/shibboleth/idp/latest/), plus the following customizations:
- camslogin
  This provides the custom login pages for CAMS users. It is available as a tarball (/mit/touchstone/builds/NIST/idp2-cams/camslogin.tgz) which is unpacked into the top-level directory of the binary distribution.
- CamsLoginModule (cams-jaas-loginmodule-x.y.jar)
  This is the JAAS login module for CAMS. It is available as a .jar file in /mit/touchstone/builds/NIST/cams-jaas-loginmodule-x.y.jar, where x.y is the version number (currently 1.0). It must be copied into the lib subdirectory of the binary distribution.
- camsutil-1.0.jar
  This is a helper package used by the login module to validate the username/password. It is available in /mit/touchstone/builds/NIST/camsutil-1.0.jar. It must be copied into the lib subdirectory of the binary distribution along with the login module jar file.
- The installer will create and populate /usr/local/shibboleth-idp; the web application (war) file will be in /usr/local/shibboleth-idp/war/idp.war, but the current version of the idp.war will be available in the locker (/mit/touchstone/builds/NIST/idp2-mit/idp.war).
- The idp application, running under Tomcat, needs full access to the install directory, so make sure it is owned by the tomcat user, e.g.:
    # chown -R tomcat:tomcat /usr/local/shibboleth-idp
- To ensure that we run the current version of the web application, download the latest idp.war file from the touchstone locker (/mit/touchstone/builds/NIST/idp2-mit/idp.war) and copy it into /usr/local/tomcat/webapps/:
    # cp /path/to/idp.war /usr/local/tomcat/webapps/
    # chown tomcat:tomcat /usr/local/tomcat/webapps/idp.war
- Copy the idp's endorsed jar files to tomcat's endorsed dir:
    # mkdir -p /usr/local/tomcat/endorsed
    # cp -p /usr/local/shibboleth-idp/lib/endorsed/*.jar /usr/local/tomcat/endorsed/
    # chown -R tomcat:tomcat /usr/local/tomcat/endorsed
- Copy in the idp config files for the server, to the conf subdirectory; these include:
- attribute-filter.xml
- attribute-resolver.xml
- handler.xml
- internal.xml
- logging.xml
- login.config
- relying-party.xml
- service.xml
- tc-config.xml (for terracotta clustering)
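A post-install check for the cams-ldap and IdP steps above, added here as an example and not part of the original wiki page or the CAMS distribution. It assumes the paths given on this page (the jars and conf files under /usr/local/shibboleth-idp are assumed to be where the installer leaves them), and takes a ROOT variable so it can be run against a staged tree; it also rejects a group- or world-writable trigger library directory, since mysqld loads whatever shared object is there.

```shell
#!/bin/sh
# Added post-install check (not from the original page). ROOT defaults to /
# and may point at a staged tree; run_checks takes the role master|slave.
ROOT="${ROOT:-/}"
# mysqld dlopens the trigger library from /usr/local/cams/lib, so the path
# must be known to the run-time linker and the directory must not be
# group/world-writable (a writer there could replace what mysqld loads).
check_trigger_lib_path() {
    libdir="$ROOT/usr/local/cams/lib"
    grep -qx '/usr/local/cams/lib' "$ROOT/etc/ld.so.conf.d/cams-ldap.conf" 2>/dev/null || return 1
    [ -d "$libdir" ] || return 1
    case "$(ls -ld "$libdir" | cut -c1-10)" in
        ?????w*|????????w*) return 1 ;;   # group or other write bit set
    esac
}
# Slave only: the Moira-list purge cron job must have been removed.
check_slave_cron_purged() {
    [ ! -e "$ROOT/etc/cron.d/cams-ldap" ]
}

# Every config file listed above must be present in the IdP conf dir.
IDP_CONF_FILES="attribute-filter.xml attribute-resolver.xml handler.xml
internal.xml logging.xml login.config relying-party.xml service.xml
tc-config.xml"
check_idp_conf() {
    for f in $IDP_CONF_FILES; do
        [ -f "$ROOT/usr/local/shibboleth-idp/conf/$f" ] || return 1
    done
}

# Tomcat's endorsed dir must hold every jar from the IdP's endorsed dir.
check_endorsed_jars() {
    src="$ROOT/usr/local/shibboleth-idp/lib/endorsed"
    for j in "$src"/*.jar; do
        [ -f "$j" ] || return 1                                # no jars at all
        [ -f "$ROOT/usr/local/tomcat/endorsed/$(basename "$j")" ] || return 1
    done
}

run_checks() {
    rc=0
    check_trigger_lib_path || { echo "FAIL: trigger library path/perms" >&2; rc=1; }
    if [ "$1" = slave ]; then
        check_slave_cron_purged || { echo "FAIL: cron job still present on slave" >&2; rc=1; }
    fi
    check_idp_conf || { echo "FAIL: missing IdP config file" >&2; rc=1; }
    check_endorsed_jars || { echo "FAIL: endorsed jars not copied" >&2; rc=1; }
    return $rc
}
```

Run it as `run_checks master` on the master and `run_checks slave` on the slave after finishing the steps above; a non-zero exit with a FAIL line names the step to revisit.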
...