• Installing Shibboleth SP 2 on CentOS to the ukfederation w/ Godaddy certs

    Date: 2009.10.26 | Category: cent os, centos, shibboleth, sp

    Internet 2 give some “creative” documentation for this procedure so I thought I’d write some that are easier to follow:


    Part 0. Planning. (2 hours)

    1. Download CentOS Netimage boot CD from http://centos.org
    2. Receive approval from the UK federation for your service.
    3. Purchase a cheep Godaddy Cert or have one ready for your service. Be aware that you will be getting 1 SSL cert to secure your resource and another SSL cert (a self signed one) to talk to the UK federation. Do not get these certificates confused!
    4. Create the appropriate DNS records to point to the IP of your resource and the IP of your SP. IE shib.yourdomain.com (your resource) should resolve to the IP of the apache server and sp.yourdomain.com (service provider) should resolve to the same IP.

    Part 1. Install (2 hours)

    First things first. Install Cent OS. You don’t need a gui or anything fancy, just a web server. Do all the blow as a root user.

    Set the your hostname in /etc/sysconfig/network & /etc/hosts to match the FQDN of your SP ie sp.yourdomain.com

    Install ntp date and set the date (you might want to add a cron job for this):

    yum install ntp.i386
    ntpdate pool.ntp.org

    NOTE: BELOW IS NOW DEFUNCT AND YOU SHOULD USE THE DOCUMENTATION HERE – although still complete the SELINUX section

    cd /root/
    curl -O http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/2.2.1/RPMS/i386/RHE/5/log4shib-1.0.3-1.1.i386.rpm \
    -O http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/2.2.1/RPMS/i386/RHE/5/xerces-c-3.0.1-5.1.i386.rpm \
    -O http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/2.2.1/RPMS/i386/RHE/5/xml-security-c-1.5.1-3.2.i386.rpm \
    -O http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/2.2.1/RPMS/i386/RHE/5/xmltooling-1.2.2-1.i386.rpm \
    -O http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/2.2.1/RPMS/i386/RHE/5/opensaml-2.2.1-1.i386.rpm \
    -O http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/2.2.1/RPMS/i386/RHE/5/shibboleth-2.2.1-2.i386.rpm

    The above will put the files you need in /root

    Edit /etc/yum.conf (use vi or nano) copy the gpgcheck command and then comment it out to read #gpgcheck=yes, set gpgcheck=no below the commented line.

    yum -y install ntp
    /usr/sbin/ntpdate pool.ntp.org
    yum localinstall xerces-c-3.0.1-5.1.i386.rpm
    yum -y install unixODBC.i386
    rpm -ivh log4shib-1.0.3-1.1.i386.rpm
    rpm -ivh xml-security-c-1.5.1-3.2.i386.rpm
    rpm -ivh xmltooling-1.2.2-1.i386.rpm
    rpm -ivh opensaml-2.2.1-1.i386.rpm
    rpm -ivh shibboleth-2.2.1-2.i386.rpm

    The above will install the packages. Your shibboleth config will live in /etc/shibboleth


    Edit /etc/selinux/config
    Comment out SELINUX=enforcing
    Type in SELINUX=disabled

    setenforce 0

    Warning: This will disable some security options, it can be left enabled but tweeks will need to be made to the socket restrictions later on. Can someone please document this better?


    Or instead of doing above you can use system-config-securitylevel-tui to disable and restart selinux

    /usr/sbin/shibd -v

    Will return the version of shibboleth installed. If it does then:

    Related Posts

    1. Testing Shibboleth SP 2 on CentOS to the ukfederation w/ Godaddy certs
    2. Installing shibboleth SP 2.3 on CentOS
    3. Configuring Shibboleth SP 2 on CentOS to the ukfederation w/ Godaddy certs
    4. Configuring Apache for Shibboleth on CentOS to the ukfederation w/ Godaddy certs
    5. CentOS Netinstall 5.4 ISO installation