Archive for the ‘janet’ Category

• Testing Shibboleth SP 2 on CentOS to the ukfederation w/ Godaddy certs

  Date: 2009.10.27 | Category: janet, shibboleth, testing | Response: 1

  Part 4. Testing (2 hours)
  
  
  Shibboleth can be started using /sbin/service shibd start
  Another option is to use: service shibd restart
  If the above doesn’t work try /usr/sbin/shibd -f
  
  
  If you are going to use different commands to start shibd ensure that multiple copies are not running by doing ps aux | grep shibd
  
  
  If you see shibd -f & /usr/sbin/shibd….. then you need to kill them and start one. I recommend using service shibd start.
  
  
  Log files will be in: /var/log/shibboleth/
  
  
  Check the shibd.log file for errors using this command: cat /var/log/shibboleth/shibd.log | grep ERROR
  Your resource URL is https://shib.yourdomain.com/secure
  Try browse to it.
  If you get nothing then Apache hasn’t started properly, check the apache logs.
  You should get something that starts with the shibboleth logo OR a WAYF login screen.
  If you get the WAYF screen the things are going great, if you get the Shibboleth error message then we need to make some more configuration changes. See your logs and continue reading.
  If you get “Cannot connect to shibd process, a site adminstrator should be notified.”

  then your SELINUX restrictions have kicked in. Check by doing

  cat /var/log/audit/audit.log | grep shib

  
  

  More info on SELinux can be found here or by using the sestatus command:

  
  

  A good output should look like this:

  SELinux status: enabled

  SELinuxfs mount: /selinux

  Current mode: permissive

  Mode from config file: enforcing

  Policy version: 21

  Policy from config file: targeted

  The fix for the SELinux problem is documented on Page 1 however I recommend being a bit more brutal if your environment is hyper fussy about security.

  Once you have a working setup you can browse to http://shib.yourdomain.com/Shibboleth.sso/Metadata to get your automatically generated Metadata and proceed with the UK Federation registration process.

  When you speak to the UK Federation to approve your registration you will be asked to run this command from /etc/shibboleth

  openssl x509 -sha1 -in sp.crt -noout -fingerprint

  
  

  You will be asked to provide them with the fingerprint so keep a record of this.

  Griffin goes “meow”.

• Configuring Apache for Shibboleth on CentOS to the ukfederation w/ Godaddy certs

  Date: 2009.10.27 | Category: certificates, csr, godaddy, janet, key, openssl, shibboleth, ukfederation | Response: 1

  Part 3. Apache config. (1 hour)

  cd /etc/shibboleth
  openssl genrsa -des3 -out external.key 2048
  openssl req -new -key external.key -out external.csr
  

  The above will create a CSR request for your resource, when asked what the common name is enter something like shib.yourdomain.com - DO NOT use sp.yourdomain.com or the same common name as you used to register your SP!

  Edit the CSR and copy its contents into clipboard. Then login to your godaddy hosting account and paste the CSR request into your certificate request.

  Godaddy will do their thing then get back to you with a CRT a few files usually within 24 hours.

  When they get back to you with the files copy or download them the files to /etc/shibboleth

  Rename shib.yourdomain.com.crt to external.crt

  Rename gd_bundle.crt to external_int.crt and place it in /etc/shibboleth

  Edit /etc/httpd/conf.d/ssl.conf

  Replace

  SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

  With

   SSLCertificateKeyFile /etc/shibboleth/external.key

  Replace

  SSLCertificateFile /etc/pki/tls/private/localhost.crt

  
  

  With

  SSLCertificateFile /etc/shibboleth/external.crt

  Under SSLCertificateKeyFile paste SSLCertificateChainFile /etc/shibboleth/external_int.crt

  Edit /etc/httpd/conf/httpd.conf

  Replace

   UseCanonicalName Off

  With

   UseCanonicalName On

  Find the line beginning with ServerName

  Comment it out

  Below it type ServerName shib.yourdomain.com:80

  
  

  /usr/sbin/apachectl restart

  
  /usr/sbin/apachectl start
  

  The above commands will restart Apache or start it if it hasn't already been started

  Edit  /etc/sysconfig/iptables & above all REJECT rules paste:

  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT

  /sbin/service iptables restart

  If everything restarts without any errors then:

  Continue to the testing phase

• Configuring Shibboleth SP 2 on CentOS to the ukfederation w/ Godaddy certs

  Date: 2009.10.27 | Category: certificates, janet, key, shibboleth, shibboleth2.xml, ssl, ukfederation | Response: 2

  Part 2. Shibboleth Config (6 hours)

  cd /etc/shibboleth
  wget http://metadata.ukfederation.org.uk/ukfederation.pem
  wget http://metadata.ukfederation.org.uk/ukfederation-metadata.xml
  

  Edit shibboleth2.xml

  Replace all instances of sp.example.org with your Entity ID ie sp.yourdomain.com

  Search for ApplicationDefaults

  Add homeURL=”https://sp.domainz.com/ahomeurl” under entityID – homeURL is the first url of the resource if none is specified.

  Search for <sessions

  Before the default example (Reading Default example directs to a speci… ” Insert:

  <SessionInitiator isDefault="true" id="UKFederation" Location="/WAYF/UKFederation"
  type="WAYF" defaultACSIndex="5"
  URL="https://wayf.ukfederation.org.uk/WAYF"
  />
  

  Search for exportLocation

  Under exportLocation replace http://localhost with https://localhost

  Replace all instances of root@localhost with the technical support email address

Search for MetadataProvider

This bit gets messy so pay close attention…..

Search for the line Delete it or comment it out.

Directly below it paste the following:

/etc/shibboleth/sp.key /etc/shibboleth/sp.crt

For now we are done in shibboleth2.xml

Run ./keygen.sh to generate your new key pair

mv sp-key.pem sp.key
mv sp-cert.pem sp.crt

Now we must configure Apache for shibboleth