Internet 2 give some “creative” documentation for this procedure so I thought I’d write some that are easier to follow:
Part 0. Planning. (2 hours)
- Download CentOS Netimage boot CD from http://centos.org
- Receive approval from the UK federation for your service.
- Purchase a cheep Godaddy Cert or have one ready for your service. Be aware that you will be getting 1 SSL cert to secure your resource and another SSL cert (a self signed one) to talk to the UK federation. Do not get these certificates confused!
- Create the appropriate DNS records to point to the IP of your resource and the IP of your SP. IE shib.yourdomain.com (your resource) should resolve to the IP of the apache server and sp.yourdomain.com (service provider) should resolve to the same IP.
Part 1. Install (2 hours)
First things first. Install Cent OS. You don’t need a gui or anything fancy, just a web server. Do all the blow as a root user.
Set the your hostname in /etc/sysconfig/network & /etc/hosts to match the FQDN of your SP ie sp.yourdomain.com
Install ntp date and set the date (you might want to add a cron job for this):
yum install ntp.i386
curl -O http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/2.2.1/RPMS/i386/RHE/5/log4shib-1.0.3-1.1.i386.rpm \
-O http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/2.2.1/RPMS/i386/RHE/5/xerces-c-3.0.1-5.1.i386.rpm \
-O http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/2.2.1/RPMS/i386/RHE/5/xml-security-c-1.5.1-3.2.i386.rpm \
-O http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/2.2.1/RPMS/i386/RHE/5/xmltooling-1.2.2-1.i386.rpm \
-O http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/2.2.1/RPMS/i386/RHE/5/opensaml-2.2.1-1.i386.rpm \
The above will put the files you need in /root
Edit /etc/yum.conf (use vi or nano) copy the gpgcheck command and then comment it out to read #gpgcheck=yes, set gpgcheck=no below the commented line.
yum -y install ntp
yum localinstall xerces-c-3.0.1-5.1.i386.rpm
yum -y install unixODBC.i386
rpm -ivh log4shib-1.0.3-1.1.i386.rpm
rpm -ivh xml-security-c-1.5.1-3.2.i386.rpm
rpm -ivh xmltooling-1.2.2-1.i386.rpm
rpm -ivh opensaml-2.2.1-1.i386.rpm
rpm -ivh shibboleth-2.2.1-2.i386.rpm
The above will install the packages. Your shibboleth config will live in /etc/shibboleth
Comment out SELINUX=enforcing
Type in SELINUX=disabled
Warning: This will disable some security options, it can be left enabled but tweeks will need to be made to the socket restrictions later on. Can someone please document this better?
Or instead of doing above you can use system-config-securitylevel-tui to disable and restart selinux
Will return the version of shibboleth installed. If it does then: