Archive for October, 2009

  • Configuring Shibboleth SP 2 on CentOS to the ukfederation w/ Godaddy certs

    Date: 2009.10.27 | Category: certificates, janet, key, shibboleth, shibboleth2.xml, ssl, ukfederation | Response: 2

    Part 2. Shibboleth Config (6 hours)

    cd /etc/shibboleth
    wget http://metadata.ukfederation.org.uk/ukfederation.pem
    wget http://metadata.ukfederation.org.uk/ukfederation-metadata.xml
    

    Edit shibboleth2.xml

    Replace all instances of sp.example.org with your Entity ID, i.e. sp.yourdomain.com

    Search for ApplicationDefaults

    Add homeURL="https://sp.domainz.com/ahomeurl" under entityID – homeURL is the URL of the resource that users are sent to when none is specified.

    Search for <sessions

    Before the default example (the line reading "Default example directs to a speci…") insert:

    <SessionInitiator isDefault="true" id="UKFederation" Location="/WAYF/UKFederation"
    type="WAYF" defaultACSIndex="5"
    URL="https://wayf.ukfederation.org.uk/WAYF"
    />
    

    Search for exportLocation

    Under exportLocation replace http://localhost with https://localhost

    Replace all instances of root@localhost with the technical support email address

Search for MetadataProvider

This bit gets messy, so pay close attention.

After the line reading Insert
<MetadataProvider type="XML"
    uri="http://metadata.ukfederation.org.uk/ukfederation-metadata.xml"
    backingFilePath="/etc/shibboleth/ukfederation-metadata.xml" reloadInterval="14400">
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="2592000"/>
    <SignatureMetadataFilter certificate="ukfederation.pem"/>
</MetadataProvider>

Search for the line Delete it or comment it out.

Directly below it paste the following:

/etc/shibboleth/sp.key /etc/shibboleth/sp.crt

Don’t forget to replace yourpassword with your key password if you have set one!

For now we are done in shibboleth2.xml
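Added check, not part of the original post: a small Python lint that walks the shibboleth2.xml edits above (placeholders replaced, https exportLocation, WAYF SessionInitiator, RequireValidUntil and signature filters on the federation metadata). The sample config and the entity ID https://sp.yourdomain.com/shibboleth are constructed for illustration; point it at your real file with open("/etc/shibboleth/shibboleth2.xml").read().

```python
import xml.etree.ElementTree as ET

NS = {"c": "urn:mace:shibboleth:2.0:native:sp:config"}

# Constructed minimal SP config showing the finished edits; not a real file.
SAMPLE = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
 <ApplicationDefaults id="default" entityID="https://sp.yourdomain.com/shibboleth"
   homeURL="https://sp.yourdomain.com/ahomeurl">
  <Sessions handlerURL="/Shibboleth.sso" handlerSSL="true"
    exportLocation="https://localhost/Shibboleth.sso/GetAssertion">
   <SessionInitiator isDefault="true" id="UKFederation" Location="/WAYF/UKFederation"
     type="WAYF" defaultACSIndex="5" URL="https://wayf.ukfederation.org.uk/WAYF"/>
  </Sessions>
  <Errors supportContact="support@yourdomain.com"/>
  <MetadataProvider type="XML" uri="http://metadata.ukfederation.org.uk/ukfederation-metadata.xml"
    backingFilePath="/etc/shibboleth/ukfederation-metadata.xml" reloadInterval="14400">
   <MetadataFilter type="RequireValidUntil" maxValidityInterval="2592000"/>
   <SignatureMetadataFilter certificate="ukfederation.pem"/>
  </MetadataProvider>
 </ApplicationDefaults>
</SPConfig>"""

def lint_sp_config(xml_text, entity_id):
    """Return the checklist items that fail for this config; [] means all pass."""
    problems = []
    for leftover in ("sp.example.org", "root@localhost"):  # defaults the post replaces
        if leftover in xml_text:
            problems.append("default value %s still present" % leftover)
    root = ET.fromstring(xml_text)
    app = root.find(".//c:ApplicationDefaults", NS)
    if app is None or app.get("entityID") != entity_id:
        problems.append("entityID is not %s" % entity_id)
    elif not app.get("homeURL", "").startswith("https://"):
        problems.append("homeURL missing or not https")
    sess = root.find(".//c:Sessions", NS)
    if sess is None or sess.get("exportLocation", "").startswith("http://"):
        problems.append("exportLocation missing or still plain http")
    if root.find(".//c:SessionInitiator[@type='WAYF']", NS) is None:
        problems.append("no WAYF SessionInitiator for the UK federation")
    mp = root.find(".//c:MetadataProvider", NS)
    if mp is None:
        return problems + ["no MetadataProvider (SP would trust nothing)"]
    if mp.find("c:MetadataFilter[@type='RequireValidUntil']", NS) is None:
        problems.append("RequireValidUntil filter missing (stale metadata would be accepted)")
    # Accept both the MetadataFilter form and the SignatureMetadataFilter spelling used above.
    signed = [f for f in mp if f.get("certificate") and
              (f.get("type") == "Signature" or f.tag.endswith("}SignatureMetadataFilter"))]
    if not signed:
        problems.append("metadata signature filter missing or has no certificate")
    return problems
```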

Run ./keygen.sh to generate your new key pair

mv sp-key.pem sp.key
mv sp-cert.pem sp.crt

Now we must configure Apache for shibboleth


  • Installing Shibboleth SP 2 on CentOS to the ukfederation w/ Godaddy certs

    Date: 2009.10.26 | Category: cent os, centos, shibboleth, sp | Response: 1

    Internet2 gives some "creative" documentation for this procedure, so I thought I'd write some that is easier to follow:


    Part 0. Planning. (2 hours)

    1. Download CentOS Netimage boot CD from http://centos.org
    2. Receive approval from the UK federation for your service.
    3. Purchase a cheap Godaddy cert or have one ready for your service. Be aware that you will be getting one SSL cert to secure your resource and another SSL cert (a self-signed one) to talk to the UK federation. Do not get these certificates confused!
    4. Create the appropriate DNS records to point to the IP of your resource and the IP of your SP, e.g. shib.yourdomain.com (your resource) should resolve to the IP of the Apache server and sp.yourdomain.com (service provider) should resolve to the same IP.

    Part 1. Install (2 hours)

    First things first. Install CentOS. You don't need a GUI or anything fancy, just a web server. Do all of the below as the root user.

    Set your hostname in /etc/sysconfig/network & /etc/hosts to match the FQDN of your SP, i.e. sp.yourdomain.com

    Install ntpdate and set the date (you might want to add a cron job for this):

    yum install ntp.i386
    ntpdate pool.ntp.org

    NOTE: BELOW IS NOW DEFUNCT AND YOU SHOULD USE THE DOCUMENTATION HERE – although still complete the SELINUX section

    cd /root/
    curl -O http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/2.2.1/RPMS/i386/RHE/5/log4shib-1.0.3-1.1.i386.rpm \
    -O http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/2.2.1/RPMS/i386/RHE/5/xerces-c-3.0.1-5.1.i386.rpm \
    -O http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/2.2.1/RPMS/i386/RHE/5/xml-security-c-1.5.1-3.2.i386.rpm \
    -O http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/2.2.1/RPMS/i386/RHE/5/xmltooling-1.2.2-1.i386.rpm \
    -O http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/2.2.1/RPMS/i386/RHE/5/opensaml-2.2.1-1.i386.rpm \
    -O http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/2.2.1/RPMS/i386/RHE/5/shibboleth-2.2.1-2.i386.rpm

    The above will put the files you need in /root

    Edit /etc/yum.conf (use vi or nano): copy the gpgcheck line, comment the original out so it reads #gpgcheck=yes, and set gpgcheck=no on the line below. Note that this turns off signature checking for every package yum installs, not just the unsigned Shibboleth RPMs, so restore the original line once they are in.

    yum -y install ntp
    /usr/sbin/ntpdate pool.ntp.org
    yum localinstall xerces-c-3.0.1-5.1.i386.rpm
    yum -y install unixODBC.i386
    rpm -ivh log4shib-1.0.3-1.1.i386.rpm
    rpm -ivh xml-security-c-1.5.1-3.2.i386.rpm
    rpm -ivh xmltooling-1.2.2-1.i386.rpm
    rpm -ivh opensaml-2.2.1-1.i386.rpm
    rpm -ivh shibboleth-2.2.1-2.i386.rpm

    The above will install the packages. Your shibboleth config will live in /etc/shibboleth


    Edit /etc/selinux/config
    Comment out SELINUX=enforcing
    Type in SELINUX=disabled

    setenforce 0

    Warning: This will disable some security options. SELinux can be left enabled, but tweaks will need to be made to the socket restrictions later on. Can someone please document this better?


    Or, instead of doing the above, you can use system-config-securitylevel-tui to disable SELinux and restart.

    /usr/sbin/shibd -v

    This will return the version of Shibboleth installed. If it does then:


  • CentOS Netinstall 5.4 ISO installation

    Date: 2009.10.26 | Category: cent os, centos, i386, install, iso, mirror, path | Response: 0

    I've had to install CentOS 10+ times today and I wanted to quickly document my procedure:

    1. Grab http://mirror.sov.uk.goscomb.net/centos/5.4/isos/i386/CentOS-5.4-i386-netinstall.iso & boot from it however you/I want.
    2. Select HTTP install then for server type: mirror.centos.org
    3. For path type: centos/5.4/os/i386
    Go go gadget arms.


  • Is my school closed?

    Date: 2009.10.26 | Category: closed, closures, my school closures, open, swine flu | Response: 1

    Schools worldwide have a free service where they can register any closure information. Authorities also use this service if there are regional closures due to poor weather or illness.

    The site is My School Closures and is available at http://myschoolclosures.com


  • libcurl library on a shibboleth 2.2+ SP install on debian

    Date: 2009.10.23 | Category: shibboleth | Response: 0

    The easiest way to install the libcurl library on debian is to run this command:

    apt-get install libcurl4-openssl-dev

