Versions Compared

Old Version 42

changes.mady.by.user Robert A Basch

Saved on

compared with

New Version Current

changes.mady.by.user Robert A Basch

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migration of unmigrated content due to installation of a new plugin

This page is under construction

Executive Summary

Firewall

Make sure that the additional port used by the IdP are enabled in the firewall. Use the command "iptables --list -n --line-numbers" to determine the proper rule number; the following example assumes we are inserting rules beginning at number 36. Also replace 18.x.y.z with the appropriate IP address of the peer node in the cluster, not the local host.

No Format

# iptables --list -n --line-numbers
# iptables -I RH-Firewall-1-INPUT 36 -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
# iptables -I RH-Firewall-1-INPUT 37 -m state --state NEW -m tcp -p tcp -s 18.x.y.z --dport 3306 -j ACCEPT
# iptables -I RH-Firewall-1-INPUT 38 -m state --state NEW -m tcp -p tcp -s 18.x.y.z --dport 9510 -j ACCEPT
# iptables -I RH-Firewall-1-INPUT 39 -m state --state NEW -m tcp -p tcp -s 18.x.y.z --dport 9530 -j ACCEPT
# /etc/init.d/iptables save

Install and configure Apache httpd

We use the native Red Hat RPMs (httpd 2.2).

Install needed RPMs
  • Use stock httpd RPM install (standard NIST install)
  • Install mod_ssl and mod_auth_kerb RPMs:
    No Format
    
# yum install mod_ssl
Configure

Current versions of the various httpd configuration files can be obtained in the touchstone locker, in /mit/touchstone/config/idp2-cams/httpd/.

...

No Format

ServerName idp.touchstonenetwork.net:80

...

No Format

UseCanonicalName On

...

No Format

SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024

...

No Format

ServerName idp.touchstonenetwork.net:443

...

No Format

SSLCipherSuite HIGH:MEDIUM:EXP:!aNULL:!SSLv2:+SHA1:+MD5:+HIGH:+MEDIUM:+EXP

...

No Format

SSLCertificateFile /etc/pki/tls/certs/idp.touchstonenetwork.net-cert.pem
SSLCertificateKeyFile /etc/pki/tls/private/idp.touchstonenetwork.net-key.pem
SSLCertificateChainFile /etc/pki/tls/certs/EquifaxCA.pem
SSLCACertificateFile /etc/pki/tls/certs/mitCAclient.pem

...

No Format

SSLOptions +StrictRequire

...

No Format

CustomLog logs/ssl_request_log \
    "%t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x %{SSL_CLIENT_VERIFY}x \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""

...

No Format

<Directory />
    SSLRequireSSL
</Directory>

...

No Format

RewriteEngine On
RewriteOptions inherit

...

  • cams.conf
    This adds configuration to protect Cams application resources appropriately.
  • idp-attr-query.conf
    This sets up the vhosts for back-channel attribute queries on port 8443.
  • idp-rewrite.conf
    This adds various rewrite rules for compatibility, etc.
  • proxy_ajp.conf
    Configures the AJP proxy module for the idp and cams webapps (replaces version installed by httpd).
  • ssl.conf (see above)
  • welcome.conf (see above)

Version 2 of the MIT core identity provider is based on version 2.1.x of Internet2's Shibboleth IdP package. Including the IdP software itself, the following major components are required:

  • Apache httpd 2.2 (from stock RHEL httpd RPM)
  • mod_ssl (from stock RHEL mod_ssl RPM)
  • Tomcat 6.0
  • JDK 6.0 (from Sun, plus enhanced JCE and security policy)
  • Shibboleth IdP 2.1
  • terracotta 3.1
  • MySQL 5.0 (from stock RHEL RPMs)
  • Shibboleth SP 2.3.x (from Internet2 RPMs)
  • Cams web application
  • cams-ldap (CAMS/LDAP integration)

In the configuration documented below, the Apache web server will listen on the following TCP ports:

  • 80 (HTTP)
  • 443 (SSL virtual host for HTTPS)
  • 8443 (SSL virtual host for SP's back-channel SOAP calls for attributes)

The terracotta server will listen on the following TCP ports (connections should only be allowed from the peer node(s)):

  • 9510 (client-to-server)
  • 9520 (JMX)
  • 9530 (server-to-server)

The MySQL server will listen on the following TCP port:

  • 3306

Note that the terracotta and MySQL listeners only need to accept connections from peer servers in the cluster, so these ports should be configured accordingly in the firewall.

The following certificates/keys need to be created:

  • MIT SSL server certificate (CN idp.mit.edu)
  • daemon keytab (i.e. daemon/idpe.mit.edu@ATHENA.MIT.EDU)
  • application client certificate (CN touchstone-cams.app.mit.edu)

The following log files will be used:

  • Apache httpd log files in /var/log/httpd/:
    • ssl_access_log
    • ssl_request_log
    • ssl_error_log
    • idp-attr-query_access_log
    • idp-attr-query_request_log
    • idp-attr-query_error_log
    • access_log
    • error_log
  • Shibboleth IdP log files in /usr/local/shibboleth-idp/logs/:
    • idp-process.log
    • idp-access.log
    • idp-audit.log
  • Tomcat logs in /usr/local/tomcat/logs/
    • catalina.out
  • terracotta system logs in /usr/local/terracotta/logs/:
    • terracotta.log
    • run-dgc.cron.log
  • terracotta cluster logs in /usr/local/shibboleth-idp/cluster/:
    • client/logs-127.0.0.1/terracotta-client.log
    • server/logs/terracotta-server.log

SELinux

SELinux must run in Permissive mode. Otherwise, the Shibboleth SP Apache module will not be able to connect to the shibd socket, and mysqld will not be able to load in the shared library used by cams-ldap.

To set SELinux permissive mode at boot time, change the SELINUX setting in /etc/selinux/config:

No Format

SELINUX=permissive

To set permissive mode on the running system only:

No Format

# setenforce Permissive

Firewall

Make sure that the additional port used by the IdP are enabled in the firewall. Use the command "iptables --list -n --line-numbers" to determine the proper rule number; the following example assumes we are inserting rules beginning at number 36. Also replace 18.x.y.z with the appropriate IP address of the peer node in the cluster, not the local host.

No Format

# iptables --list -n --line-numbers
# iptables -I RH-Firewall-1-INPUT 36 -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
# iptables -I RH-Firewall-1-INPUT 37 -m state --state NEW -m tcp -p tcp -s 18.x.y.z --dport 3306 -j ACCEPT
# iptables -I RH-Firewall-1-INPUT 38 -m state --state NEW -m tcp -p tcp -s 18.x.y.z --dport 9510 -j ACCEPT
# iptables -I RH-Firewall-1-INPUT 39 -m state --state NEW -m tcp -p tcp -s 18.x.y.z --dport 9520 -j ACCEPT
# iptables -I RH-Firewall-1-INPUT 40 -m state --state NEW -m tcp -p tcp -s 18.x.y.z --dport 9530 -j ACCEPT
# /etc/init.d/iptables save

Install and configure Apache httpd

We use the native Red Hat RPMs (httpd 2.2).

Install needed RPMs
  • Use stock httpd RPM install (standard NIST install)
  • Install mod_ssl and mod_auth_kerb RPMs:
    No Format
    
# yum install mod_ssl
Configure

Current versions of the various httpd configuration files can be obtained

...

No Format

User-agent: *
Disallow: /

...

in the touchstone locker, in /mit/touchstone/config/

...

idp2-cams/httpd/.

...

No Format

# chkconfig httpd on

...

No Format

daily
rotate 100
compress
delaycompress

...

  • Install the server certificate, key, and CA files in /etc/pki/tls/certs/ and /etc/pki/tls/private/, as appropriate, and make sure the paths are correct in ssl.conf and idp-attr-query.conf (see below). The key file should be readable by only the tomcat user, as the idp webapp also uses it.
  • In /etc/httpd/conf/httpd.conf, set ServerName:
    No Format
    
ServerName idp.touchstonenetwork.net:80
    and set the UseCanonicalName option to On:
    No Format
    
UseCanonicalName On
  • Disable the stock "Welcome" page, by commenting out the lines in /etc/httpd/conf.d/welcome.conf
  • In /etc/httpd/conf.d/ssl.conf, set the SSLRandomSeed options:
    No Format
    
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024
    within the VirtualHost block, set the ServerName:
    No Format
    
ServerName idp.touchstonenetwork.net:443
    set the SSL cipher suite:
    No Format
    
SSLCipherSuite HIGH:MEDIUM:EXP:!aNULL:!SSLv2:+SHA1:+MD5:+HIGH:+MEDIUM:+EXP
    Install the server certificate, key, and CA files in /etc/pki/tls/certs/ and /etc/pki/tls/private/, as appropriate, and set the paths in ssl.conf:
    No Format
    
SSLCertificateFile /etc/pki/tls/certs/idp.touchstonenetwork.net-cert.pem
SSLCertificateKeyFile /etc/pki/tls/private/idp.touchstonenetwork.net-key.pem
SSLCertificateChainFile /etc/pki/tls/certs/EquifaxCA.pem
SSLCACertificateFile /etc/pki/tls/certs/mitCAclient.pem
    set the SSL options:
    No Format
    
SSLOptions +StrictRequire
    configure custom logging:
    No Format
    
CustomLog logs/ssl_request_log \
    "%t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x %{SSL_CLIENT_VERIFY}x \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
    ensure that all access is via SSL:
    No Format
    
<Directory />
    SSLRequireSSL
</Directory>
    ensure that all rewrite rules are inherited:
    No Format
    
RewriteEngine On
RewriteOptions inherit
  • Install these additional conf files from the touchstone locker (/mit/touchstone/config/idp2-cams/httpd) in /etc/httpd/conf.d:
    • cams.conf
      This adds configuration to protect Cams application resources appropriately.
    • idp-attr-query.conf
      This sets up the vhosts for back-channel attribute queries on port 8443.
    • idp-rewrite.conf
      This adds various rewrite rules for compatibility, etc.
    • proxy_ajp.conf
      Configures the AJP proxy module for the idp and cams webapps (replaces version installed by httpd).
    • ssl.conf (see above)
    • welcome.conf (see above)
  • Install our standard robots.txt and favicon.ico files in /var/www/html. The robots.txt should disallow all access:
    No Format
    
User-agent: *
Disallow: /
    Current versions of these files may be found in the touchstone locker, in /mit/touchstone/config/htdocs/.
  • Make sure httpd is started at boot time:
    No Format
    
# chkconfig httpd on
  • Add the following settings to the stock /etc/logrotate.d/httpd configuration file:
    No Format
    
daily
rotate 100
compress
delaycompress
    This will cause the httpd log files in /var/log/httpd/ to be rotated daily and compressed, saving 100 days of old logs (in case we need them for quarterly metrics).

Install JDK and enhanced JCE

  • The IdP uses JDK 1.6; download and install the RPM from Sun, or use the version in the downloads directory in the touchstone locker (jdk-6uNN-linux-amd64.rpm, where NN is the update number):
    No Format
    
# rpm -Uvh jdk-6uNN-linux-amd64.rpm
  • To support additional cryptographic algorithms used by the IdP, download and install the Bouncy Castle JCE jar file (http://polydistortion.net/bc/index.html) in the lib/ext directory of the JRE (/usr/java/latest/jre/lib/ext/). For example:
    No Format
    
# cd /usr/java/latest/jre/lib/ext
# cp /path/to/bcprov-jdk16-145.jar .
    (Replace the file version number as needed).
    Add it as a provider in in the JRE's lib/security/java.security, e.g.:
    No Format
    
security.provider.9=org.bouncycastle.jce.provider.BouncyCastleProvider
    (Replace 9 with the next sequential provider number as needed).
  • We want to ensure that DNS lookups are not cached indefinitely. Set the networkaddress.cache.ttl property in java.security accordingly:
    No Format
    
networkaddress.cache.ttl=30
  • To support use of crypto key sizes larger than 2048 bits, we also add the Unlimited Strength Security Policy to the JVM. Download jce_policy-6.zip from the locker downloads directory, or from Sun (http://java.sun.com/javase/downloads/index.jsp, Other Downloads section at the bottom). Unzip the policy zip file and copy local_policy.jar and US_export_policy.jar into the JRE's lib/security directory (replacing the versions installed from the JDK RPM).
    No Format
    
# cd /tmp
# unzip /path/to/jce_policy-6.zip
# cd jce
# cp *.jar /usr/java/latest/jre/lib/security/
  • For convenience, install shell profile scripts in /etc/profile.d that define JAVA_HOME, e.g. java.csh:
    No Format
    
setenv JAVA_HOME /usr/java/default
if ( "${path}" !~ *${JAVA_HOME}/bin* ) then
    set path = ( ${JAVA_HOME}/bin $path )
endif
    java.sh:
    No Format
    
export JAVA_HOME=/usr/java/default
if ! echo $PATH | grep -q ${JAVA_HOME}/bin ; then
    export PATH=${JAVA_HOME}/bin:$PATH
fi

Install Tomcat

  • Download current Tomcat 6.0 binary distribution (tested with 6.0.20, available in /mit/touchstone/downloads/apache-tomcat-6.0.20.tar.gz, and install under /usr/local:
    No Format
    
# cd /usr/local
# tar xzf /path/to/apache-tomcat-6.0.20.tar.gz
# rm -f tomcat
# ln -s apache-tomcat-6.0.20.tar.gz tomcat
  • Create the tomcat user, and change the ownership of the tomcat tree:
    No Format
    
# groupadd -g 52 tomcat
# useradd -u 52 -g tomcat -c "Tomcat User" -d /usr/local/tomcat -M -s /sbin/nologin tomcat
# chown -R tomcat:tomcat /usr/local/apache-tomcat-6.0.20
  • Install our version of conf/server.xml (from /mit/touchstone/config/idp2-core/tomcat), which properly configures the AJP connector on port 8009, and disables the HTTP connector on port 8080.
  • Edit /usr/local/tomcat/conf/context.xml, and add the following Resource element within the <Context> element:
    No Format
    
     <Resource
          auth="Container"
          defaultAutoCommit="false"
          maxActive="5"
          maxIdle="2"

Install JDK and enhanced JCE

  • The IdP uses JDK 1.6; download and install the RPM from Sun, or use the version in the downloads directory in the touchstone locker (jdk-6uNN-linux-amd64.rpm, where NN is the update number):
    No Format
    
# rpm -Uvh jdk-6uNN-linux-amd64.rpm
  • To support additional cryptographic algorithms used by the IdP, download and install the Bouncy Castle JCE jar file (http://polydistortion.net/bc/index.html) in the lib/ext directory of the JRE (/usr/java/latest/jre/lib/ext/). For example:
    No Format
    
# cd /usr/java/latest/jre/lib/ext
# cp /path/to/bcprov-jdk16-145.jar .
    (Replace the file version number as needed).
    Add it as a provider in in the JRE's lib/security/java.security, e.g.:
    No Format
    
security.provider.9=org.bouncycastle.jce.provider.BouncyCastleProvider
    (Replace 9 with the next sequential provider number as needed).
  • To support use of crypto key sizes larger than 2048 bits, we also add the Unlimited Strength Security Policy to the JVM. Download jce_policy-6.zip from the locker downloads directory, or from Sun (http://java.sun.com/javase/downloads/index.jsp, Other Downloads section at the bottom). Unzip the policy zip file and copy local_policy.jar and US_export_policy.jar into the JRE's lib/security directory (replacing the versions installed from the JDK RPM).
    No Format
    
# cd /tmp
# unzip /path/to/jce_policy-6.zip
# cd jce
# cp *.jar /usr/java/latest/jre/lib/security/
  • For convenience, install shell profile scripts in /etc/profile.d that define JAVA_HOME, e.g. java.csh:
    No Format
    
setenv JAVA_HOME /usr/java/default
if ( "${path}" !~ *${JAVA_HOME}/bin* ) then
    set path = ( ${JAVA_HOME}/bin $path )
endif
    java.sh:
    No Format
    
export JAVA_HOME=/usr/java/default
if ! echo $PATH | grep -q ${JAVA_HOME}/bin ; then
    export PATH=${JAVA_HOME}/bin:$PATH
fi

Install Tomcat

  • Download current Tomcat 6.0 binary distribution (tested with 6.0.20, available in /mit/touchstone/downloads/apache-tomcat-6.0.20.tar.gz, and install under /usr/local:
    No Format
    
# cd /usr/local
# tar xzf /path/to/apache-tomcat-6.0.20.tar.gz
# rm -f tomcat
# ln -s apache-tomcat-6.0.20.tar.gz tomcat
  • Create the tomcat user, and change the ownership of the tomcat tree:
    No Format
    
# groupadd -g 52 tomcat
# useradd -u 52 -g tomcat -c "Tomcat User" -d /usr/local/tomcat -M -s /sbin/nologin tomcat
# chown -R tomcat:tomcat /usr/local/apache-tomcat-6.0.20
  • Install our version of conf/server.xml (from /mit/touchstone/config/idp2-core/tomcat), which properly configures the AJP connector on port 8009, and disables the HTTP connector on port 8080.
  • Edit /usr/local/tomcat/conf/context.xml, and add the following Resource element within the <Context> element:
    No Format
    
     <Resource
          auth="Container"
          defaultAutoCommit="false"
          maxActive="5"
          maxIdle="2"
          maxWait="5000"
          name="jdbc/CAMS"
          removeAbandoned="true"
          removeAbandonedTimeout="30"
          type="javax.sql.DataSource"
          validationQuery="SELECT 1"
          testOnBorrow="true"
          testWhileIdle="true"
          timeBetweenEvictionRunsMillis="10000"
          minEvictableIdleTimeMillis="60000"
          username="camsusr"
          password="XXX"
          driverClassName="com.mysql.jdbc.Driver"
          url="jdbc:mysql://idp-cams-1:3306/cams"
     />
    Set the username and password attributes as needed. Note that the url must point at the host that is the MySQL master.

...

Make sure the daemon starts at boot time:

No Format
# chkconfig mysqld on

We use master/slave replication, where all queries go against one MySQL master server (e.g. idp-cams-1), while the other server (e.g. idp-cams-2) operates in slave mode, i.e. with updates to the master replicated to the slave. Set up the master server first, before setting up replication.

...

No Format
# mysql
mysql> GRANT ALL ON cams.* TO 'camsusr'@'localhost' IDENTIFIED BY '<password>';
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT ALL ON cams.* TO 'camsusr'@'idp-cams-1.mit.edu' IDENTIFIED BY '<password>';
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT ALL ON cams.* TO 'camsusr'@'idp-cams-2.mit.edu' IDENTIFIED BY '<password>';
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT SELECT ON cams.* TO 'shibresolver'@'localhost' IDENTIFIED BY '<password>';
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT SELECT ON cams.* TO 'shibresolver'@'idp-cams-1.mit.edu' IDENTIFIED BY '<password>';
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT SELECT ON cams.* TO 'shibresolver'@'idp-cams-2.mit.edu' IDENTIFIED BY '<password>';
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT SELECT, LOCK TABLES, FILE, RELOAD ON *.* TO 'shibresolverbackup'@'idp-cams-2.mit.edulocalhost' IDENTIFIED BY '<password>';
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT SELECT, LOCK TABLES, FILE, RELOAD ON *cams.*ExternalUser TO 'backupcamsldap'@'localhost' IDENTIFIED BY '<password>';
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT SELECT ON cams.ExternalUser TO 'camsldap'@'localhost' IDENTIFIED BY '<password>';
Query OK, 0 rows affected (0.00 sec)

mysql> quit
Replication

Make sure that connections are allowed to port 3306 from the peer server only (see firewall instructions above). For instructions on setting up the MySQL master/slave replication, see https://wikis-mit-edu.ezproxyberklee.flo.org/confluence/display/ISDA/MySQL+Replication+Configuration+InstructionsImage Removed

Maintaining the CAMS database

...

 OK, 0 rows affected (0.00 sec)

mysql> quit
Replication

Make sure that connections are allowed to port 3306 from the peer server only (see firewall instructions above). For instructions on setting up the MySQL master/slave replication, see https://wikis-mit-edu.ezproxyberklee.flo.org/confluence/display/ISDA/MySQL+Replication+Configuration+Instructions

Maintaining the CAMS database

The backup-db script should be installed in /usr/local/cams/sbin on both the master and slave servers, and run periodically from cron. It will dump all databases to a compressed timestamped file in /usr/local/cams/backup/local, and also copy this file over to the peer server's /usr/local/cams/backup/remote directory. To set up the procedure, do the following:

  • Create the /usr/local/cams/backup, /usr/local/cams/backup/local, and /usr/local/cams/backup/remote directories.
  • Create the /usr/local/cams/sbin

...

  • directory, if necessary.
  • Install the backup-db script in /usr/local/cams/

...

  • sbin on the MySQL master server.
  • Create the backup user in the database on the master, as above.
  • Create /usr/local/cams/conf/backup

...

  • .cnf, with the username and password for the backup account:
    No Format
    
[client]
user=backup
password=<password>
  • Install the cams cron file (cams.cron) as /etc/cron.d/cams. This will run the backup every 6 hours. (It also will run the /Create the /usr/local/cams/backup, /usr/local/cams/backup/local, and /usr/local/cams/backup/remote directories.Create the sbin/clean-logs script daily).

On the slave server, the check-slave-status script should also be installed in /usr/local/cams/sbin

...

; it should be run once per hour from cron. This should use a special replicatechecker account in MySQL, created as follows (this should be created on the master, after replication has been set up):

No Format

# mysql
mysql> GRANT REPLICATION CLIENT ON *.* TO 'replicatechecker'@'localhost' IDENTIFIED BY '<password>';
Query OK, 0 rows affected (0.00 sec)

mysql> quit

where <password> is replaced by the password for the replicatechecker account. Next, create

...

/usr/local/cams/conf/

...

replicatechecker.cnf, with the username and password for the

...

replicatechecker account:

No Format

[client]
user=

...

replicatechecker
password=<password>

Install the cams-slave.cron file

...

as /etc/cron.d/cams

...

-slave; this will run the

...

check-slave-status script hourly.

Any problems encountered by either of these procedures will be reported via email to touchstone-support.

cams-ldap

The Cams-to-LDAP integration is done via a trigger library added to the MySQL instance, and a separate Perl daemon which propagates account changes to Moira and LDAP. Set it up as follows:

  • Install the mit-moira RPM; the daemon uses the blanche client.
  • yum install perl-LDAP (This will also bring in perl-IO-Socket-SSL and perl-Net-SSLeay as dependencies)
  • yum install perl-Convert-ASN1
  • Unpack the cams-ldap tarball (available in the builds directory in the touchstone locker), and run its install script:
    No Format
    
# mkdir /tmp/cams-ldap
# cd /tmp/cams-ldap
# tar xzf /path/to/cams-ldap.tgz
# ./install.sh
    The install script will not overwrite an existing trigger library is mysqld is running, so you may need to move it into place manually. If installing a new version of the library, you may also need to (re)apply the SQL input file which creates the necessary function and triggers (see below).

On the slave server, the check-slave-status script should also be installed in /usr/local/cams/sbin; it should be run once per hour from cron. This should use a special replicatechecker account in MySQL, created as follows (this should be created on the master, after replication has been set up):

No Format

# mysql
mysql> GRANT REPLICATION CLIENT ON *.* TO 'replicatechecker'@'localhost' IDENTIFIED BY '<password>';
Query OK, 0 rows affected (0.00 sec)

mysql> quit

where <password> is replaced by the password for the replicatechecker account. Next, create /usr/local/cams/conf/replicatechecker.cnf, with the username and password for the replicatechecker account:

No Format

[client]
user=replicatechecker
password=<password>

Install the cams-slave.cron file as /etc/cron.d/cams-slave; this will run the check-slave-status script hourly.

Any problems encountered by either of these procedures will be reported via email to touchstone-support.

cams-ldap

The Cams-to-LDAP integration is done via a trigger library added to the MySQL instance, and a separate Perl daemon which propagates account changes to Moira and LDAP. Set it up as follows:

  • Install the mit-moira RPM; the daemon uses the blanche client.
  • yum install perl-LDAP (This will also bring in perl-IO-Socket-SSL and perl-Net-SSLeay as dependencies)
  • yum install perl-Convert-ASN1
  • Unpack the cams-ldap binary tarball, from the root directory: No Format # cd / # tar xzf /path/to/cams-ldap.tgz
  • Make sure the trigger library is configured for the run-time linker (required for mysqld to be able to load it):
    No Format
    # ldconfig
  • On the slave only, disable the cron job which purges the Cams Moira list:
    No Format
    # rm /etc/cron.d/cams-ldap
  • Install a daemon keytab in /usr/local/cams/ldap/keytab. It must be owned by the mysql user. The principal must be added to the from-cams-admin list, which is the owner of the from-cams list, e.g.:
    No Format
    # blanche from-cams-admin -a kerberos:daemon.idpe@ATHENA.MIT.EDU
    (For staging, add the daemon.idpe-staging principal to the list on ttsp)
  • Configure /etc/syslog.conf with the following patch; the daemon uses the LOCAL5 facility:
    No Format
    40,41c40,41
< # msql apps
< local5.info					/var/log/db
---
> # cams-ldap (originally msql apps)
> local5.*				/var/log/cams-ldap.log
    Make this change effective:
    No Format
    # kill -HUP `cat /var/run/syslogd.pid`
  • Install the configuration file /usr/local/cams/ldap/cams-ldap.conf. This file is in Perl syntax. Edit it to make sure that the usernames and passwords for DB and LDAP access are set properly ($dbuser, $dpassword, $ldap_dn, $ldap_password), and that $krb5_princ is set to the daemon principal in the keytab. Make sure that $cafile is set to point at mitCA.pem (install if not already there). Make sure the file is owned by the mysql user and only readable by the owner.
  • Make sure that the camsldap user is added to the MySQL database (see above).
  • Restart mysqld, to make sure that it can link in the trigger library.
  • Start the cams-ldap daemon, and make sure it starts at boot time:
    No Format
    # /etc/init.d/cams-ldap start
# chkconfig --add cams-ldap
    The daemon should run on both the slave and master servers; the daemon detects when it is running on the slave, and treats the trigger as a no-op.
  • Make sure the trigger function is defined properly in the database. This should be executed on the slave first; check the slave status afterward to make sure it is still running, and restart if necessary.
    No Format
    # mysql -u root -p cams < /path/tousr/local/cams/ldap/cams-ldap-trigger.sql

Install Shibboleth IdP

  • Run the idp application installer from our customized binary distribution, available in /mit/touchstone/builds/NIST/idp2-cams/cams-shibboleth-identityprovider-2.x.y-bin.tgz, and the install script contained therein. For example:
    No Format
    # cd /tmp
# rm -rf shibboleth-identityprovider-2.*
# tar xzf /path/to/cams-shibboleth-identityprovider-2.1.5-bin.tgz
# cd shibboleth-identityprovider-2.1.5
# ./install.sh
[There should be no need to override the default responses to the installer's questions.]
    By default (because of one of our customizations to the stock Internet2 distribution) this will install under /usr/local/shibboleth-idp/. The installer will not overwrite the configuration files of an existing installation. For a new installation, the installer will generate a keystore, and prompt for its password; currently we do not use this keystore, so the password does not matter. This distribution contains the standard shibboleth-identityprovider binary distribution, from the Internet2 zip file (http://shibboleth.internet2.edu/downloads/shibboleth/idp/latest/Image Removed), plus the following customizations:
    • camslogin
      This provides the custom login pages for CAMS users. It is available as a tarball (/mit/touchstone/builds/NIST/idp2-cams/camslogin.tgz) which is unpacked into the top-level directory of the binary distribution.
    • CamsLoginModule (cams-jaas-loginmodule-x.y.jar)
      This is the JAAS login module for CAMS. It is available as a .jar file in /mit/touchstone/builds/NIST/cams-jaas-loginmodule-x.y.jar, where x.y is the version number (currently 1.0). It must be copied into the lib subdirectory of the binary distribution.
    • camsutil-1.0.jar
      This is a helper package used by the login module to validate the username/password. It is available in /mit/touchstone/builds/NIST/camsutil-1.0.jar. It must be copied into the lib subdirectory of the binary distribution along with the login module jar file.
  • The installer will create and populate /usr/local/shibboleth-idp; the web application (war) file will be in /usr/local/shibboleth-idp/war/idp.war, but the current version of the idp.war will be available in the locker (/mit/touchstone/builds/NIST/idp2-mit/idp.war).
  • The idp application, running under Tomcat, needs full access to the install directory, so make sure it is owned by the tomcat user, e.g.:
    No Format
    # chown -R tomcat:tomcat /usr/local/shibboleth-idp
    To ensure that we run the current version of the web application, download the latest idp.war file from the touchstone locker (/mit/touchstone/builds/NIST/idp2-mit/idp.war) and copy it into /usr/local/tomcat/webapps/:
    No Format
    # cp /path/to/idp.war /usr/local/tomcat/webapps/
# chown tomcat:tomcat /usr/local/tomcat/webapps/idp.war
  • Copy the idp's endorsed jar files to tomcat's endorsed dir:
    No Format
    # mkdir -p /usr/local/tomcat/endorsed
# cp -p /usr/local/shibboleth-idp/lib/endorsed/*.jar /usr/local/tomcat/endorsed/
# chown -R tomcat:tomcat /usr/local/tomcat/endorsed
  • Copy in the idp config files for the server, to the conf subdirectory; these include:
    • attribute-filter.xml
    • attribute-resolver.xml
    • handler.xml
    • internal.xml
    • logging.xml
    • login.config
    • relying-party.xml
    • service.xml
    • tc-config.xml (for terracotta clustering)

Terracotta

(See https://spaces.internet2.edu/display/SHIB2/IdPClusterImage Removed)

The terracotta software is can be used to cluster the IdP nodes. Note that currently the Cams IdPs are not clustered, so terracotta should not be running. Each node must run the terracotta server, as well as the instrumented client (tomcat, in our case). The terracotta server operates in either the active or passive role; only one server should be in the "active/coordinator" state at a time.

...

No Format
# setenv TC_HOME /usr/local/terracotta-3.1.1
# setenv TC_INSTALL_DIR $TC_HOME
# setenv JAVA_HOME /usr/java/default
# $TC_HOME/bin/tim-get.sh install tim-vector 2.5.1 org.terracotta.modules
# $TC_HOME/bin/tim-get.sh install tim-tomcat-6.0 2.0.1
# $TC_HOME/bin/make-boot-jar.sh -f /usr/local/shibboleth-idp/conf/tc-config.xml
# chown -R tomcat:tomcat /usr/local/terracotta-3.1.1

Be sure to regenerate this jar after installing a new JDK.

...

The CAMS application needs to authenticate against our IdPs, and so requires the Shibboleth service provider (SP) software to run, as well as the IdP software.

Installation

We use the stock RHEL 5 64-bit RPMs, available from the Internet2 downloads site; the current RPMs are available in the touchstone locker downloads directory. Install the following RPMs:

...

as the IdP software.

Installation

We use the stock RHEL 5 64-bit RPMs, available from the Internet2 downloads site; the best way to install the RPMs is to use Shibboleth's yum repository, as described in https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxRPMInstall. To configure the repository, install the repository definition file into /etc/yum.repos.d. Once the repository is configured, you can install the current RPMs, including dependencies, using yum, e.g.:

No Format

# yum install shibboleth.x86_64

...

Configuration
The SP configuration files live in /etc/shibboleth:
...