This page is under construction

Executive Summary

Version 2 of the MIT core identity provider is based on version 2.1.x of Internet2's Shibboleth IdP package. Including the IdP software itself, the following major components are required:

  • Apache httpd 2.2 (from stock RHEL httpd RPM)
  • mod_ssl (from stock RHEL mod_ssl RPM)
  • Tomcat 6.0
  • JDK 6.0 (from Sun, plus enhanced JCE and security policy)
  • Shibboleth IdP 2.1
  • Terracotta 3.1
  • MySQL 5.0 (from stock RHEL RPMs)
  • Shibboleth SP 2.3.x (from Internet2 RPMs)
  • CAMS web application
  • cams-ldap (CAMS/LDAP integration)

In the configuration documented below, the Apache web server will listen on the following TCP ports:

  • 80 (HTTP)
  • 443 (SSL virtual host for HTTPS)
  • 8443 (SSL virtual host for the service providers' back-channel SOAP attribute queries)

The Terracotta server will listen on the following TCP ports:

  • 9510
  • 9530

The MySQL server will listen on the following TCP port:

  • 3306

Note that the Terracotta and MySQL listeners only need to accept connections from the other IdP nodes in the cluster, so ports 9510, 9530 and 3306 should be restricted to those peer addresses in the host firewall (and in any network firewall in front of the cluster) rather than left reachable from arbitrary hosts.
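One way to express that restriction with iptables, as an added example for this page rather than MIT's own firewall configuration: the script below emits rules that limit the Terracotta and MySQL ports to the cluster peers given on the command line while leaving Apache's three ports open. The peer addresses are placeholders from the RFC 5737 documentation range, the dedicated IDP-CLUSTER chain inserted at the head of INPUT is a design choice so the rules are evaluated before any existing RHEL ruleset, and the loopback allowance assumes each node's own Terracotta client connects locally, which the page does not state.

```shell
#!/bin/sh
# Added example (not from the MIT IdP page): generate iptables rules that
# restrict the Terracotta (9510, 9530) and MySQL (3306) listeners to the
# cluster peers passed as arguments, and keep Apache's 80/443/8443 open.
# Peer addresses used in the usage comments are RFC 5737 placeholders.

CLUSTER_PORTS="9510 9530 3306"   # Terracotta server and MySQL: peers only
PUBLIC_PORTS="80 443 8443"       # Apache: HTTP, HTTPS, SP back-channel

# idp_cluster_rules PEER...: print the iptables commands, one per line.
# All rules live in a dedicated chain that is jumped to first from INPUT,
# so they take effect regardless of what the stock RHEL ruleset contains.
# Order within the chain is the policy: loopback (assumed local Terracotta
# client), then an ACCEPT per peer on each cluster-only port followed by a
# DROP for everyone else on that port, then the public Apache ports, then
# RETURN so unrelated traffic falls through to the existing rules.
idp_cluster_rules() {
    echo "iptables -N IDP-CLUSTER"
    echo "iptables -A IDP-CLUSTER -i lo -j ACCEPT"
    for port in $CLUSTER_PORTS; do
        for peer in "$@"; do
            echo "iptables -A IDP-CLUSTER -p tcp -s $peer --dport $port -j ACCEPT"
        done
        echo "iptables -A IDP-CLUSTER -p tcp --dport $port -j DROP"
    done
    for port in $PUBLIC_PORTS; do
        echo "iptables -A IDP-CLUSTER -p tcp --dport $port -j ACCEPT"
    done
    echo "iptables -A IDP-CLUSTER -j RETURN"
    echo "iptables -I INPUT 1 -j IDP-CLUSTER"
}

# Usage on a node whose peers are 192.0.2.11 and 192.0.2.12:
#   sh idp-firewall.sh 192.0.2.11 192.0.2.12        # review the rules
#   sh idp-firewall.sh 192.0.2.11 192.0.2.12 | sh   # apply; then: service iptables save
if [ $# -gt 0 ]; then
    idp_cluster_rules "$@"
fi
```

The script only prints; piping it to sh applies the rules. It is not idempotent: flush and delete the IDP-CLUSTER chain (and its jump from INPUT) before re-running it with a changed peer list, and verify the result with iptables -L IDP-CLUSTER -n before saving.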

The following need to be created for use by SSL and Kerberos:

  • MIT SSL server certificate (CN idp.mit.edu)
  • daemon keytab (i.e. daemon/idpe.mit.edu@ATHENA.MIT.EDU)

The following log files will be used:

  • Apache httpd log files in /var/log/httpd/:
    • ssl_access_log
    • ssl_request_log
    • ssl_error_log
    • idp-attr-query_access_log
    • idp-attr-query_request_log
    • idp-attr-query_error_log
    • access_log
    • error_log
  • Shibboleth IdP log files in /usr/local/shibboleth-idp/logs/:
    • idp-process.log
    • idp-access.log
    • idp-audit.log
  • Tomcat logs in /usr/local/tomcat/logs/:
    • catalina.out
  • Terracotta system logs in /usr/local/terracotta/logs/:
    • terracotta.log
    • run-dgc.cron.log
  • Terracotta cluster logs in /usr/local/shibboleth-idp/cluster/:
    • client/logs-127.0.0.1/terracotta-client.log
    • server/logs/terracotta-server.log

SELinux

SELinux must run in Permissive mode. Otherwise, the Shibboleth SP Apache module will not be able to connect to the shibd socket, and mysqld will not be able to load the shared library used by cams-ldap. Use Permissive rather than Disabled: Permissive keeps file labelling intact and still records each denied access as an AVC message in /var/log/audit/audit.log, so the accesses that would have broken these two components remain visible there even though they are no longer blocked.
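Added example, not MIT's own tooling: the functions below switch SELinux to Permissive mode both at runtime and persistently in /etc/selinux/config, and list the distinct AVC denials from an audit log so the accesses Permissive mode is letting through can be reviewed (or fed to audit2allow if an enforcing policy is wanted later). The config and log paths are parameters so the functions can be tried on copies, and the audit lines in the demo function are constructed samples of the two denials the page describes, not captured MIT output.

```shell
#!/bin/sh
# Added example (not from the MIT IdP page): put SELinux into Permissive
# mode and enumerate the denials it continues to log.  Paths are
# parameterised; the sample audit lines below are constructed, not real.

# selinux_set_mode MODE [CONFIG]: rewrite the SELINUX= line in
# /etc/selinux/config (default) to enforcing|permissive|disabled, leaving
# SELINUXTYPE= and comments alone; fails unless the new line is present.
selinux_set_mode() {
    mode="$1"
    conf="${2:-/etc/selinux/config}"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "selinux_set_mode: bad mode '$mode'" >&2; return 1 ;;
    esac
    # ^SELINUX= matches the mode assignment only, not SELINUXTYPE=.
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$conf" > "$conf.tmp" &&
        mv "$conf.tmp" "$conf" &&
        grep -q "^SELINUX=$mode\$" "$conf"
}

# selinux_permissive_now [CONFIG]: take effect immediately (setenforce 0,
# which does not survive a reboot) and persistently (config, read at boot).
selinux_permissive_now() {
    if command -v setenforce >/dev/null 2>&1; then
        setenforce 0
    fi
    selinux_set_mode permissive "$@"
}

# selinux_denials AUDITLOG: print one 'comm="..." { perms } tclass=...' line
# per distinct AVC denial, which is exactly what a policy module would have
# to allow.  SYSCALL and other record types are ignored.
selinux_denials() {
    awk '/^type=AVC / && /denied/ {
        perms = ""; comm = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {                    # permissions appear as "{ a b }"
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perms = perms (perms == "" ? "" : " ") $j
            }
            if ($i ~ /^comm=/)   comm = $i
            if ($i ~ /^tclass=/) tclass = $i
        }
        print comm, "{ " perms " }", tclass
    }' "$1" | sort -u
}

# selinux_denials_demo: run selinux_denials over constructed sample records
# (an httpd->shibd socket denial, twice, and a mysqld library denial).
selinux_denials_demo() {
    f=$(mktemp)
    printf '%s\n' \
      'type=AVC msg=audit(1266000000.123:456): avc:  denied  { connectto } for  pid=1234 comm="httpd" path="/var/run/shibboleth/shibd.sock" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket' \
      'type=AVC msg=audit(1266000000.456:457): avc:  denied  { read execute } for  pid=2345 comm="mysqld" path="/usr/lib/mysql/cams-ldap.so" scontext=root:system_r:mysqld_t:s0 tcontext=root:object_r:lib_t:s0 tclass=file' \
      'type=SYSCALL msg=audit(1266000000.456:457): arch=c000003e syscall=2 success=yes' \
      'type=AVC msg=audit(1266000000.789:458): avc:  denied  { connectto } for  pid=1235 comm="httpd" path="/var/run/shibboleth/shibd.sock" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket' \
      > "$f"
    selinux_denials "$f"
    rm -f "$f"
}

# Usage: sh selinux-permissive.sh --apply   (as root), then after exercising
# the IdP:  selinux_denials /var/log/audit/audit.log
if [ "${1:-}" = "--apply" ]; then
    selinux_permissive_now
fi
```

Run selinux_denials against the live audit log after a full login and attribute-query cycle; an unexpected comm value there is worth investigating even though Permissive mode is not blocking it.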

...