John McLear » testing http://mclear.co.uk My mission: To encourage effective use of ICT in Schools. My main focus is on ages 3-11. Sat, 04 Feb 2012 14:22:04 +0000 en hourly 1 http://primaryblogger.co.uk/?v=3.3.1 Testing Shibboleth SP 2 on CentOS to the ukfederation w/ Godaddy certs http://mclear.co.uk/2009/10/27/testing-shibboleth-sp-2-on-centos-to-the-ukfederation-w-godaddy-certs/ http://mclear.co.uk/2009/10/27/testing-shibboleth-sp-2-on-centos-to-the-ukfederation-w-godaddy-certs/#comments Tue, 27 Oct 2009 15:39:00 +0000 Admin Admin http://mclear.primaryblogger.co.uk/2009/10/27/testing-shibboleth-sp-2-on-centos-to-the-ukfederation-w-godaddy-certs/ Part 4. Testing (2 hours)

Shibboleth can be started using /sbin/service shibd start
Another option is to use: service shibd restart
If the above doesn’t work try /usr/sbin/shibd -f

If you are going to use different commands to start shibd ensure that multiple copies are not running by doing ps aux | grep shibd

If you see shibd -f & /usr/sbin/shibd….. then you need to kill them and start one. I recommend using service shibd start.

Log files will be in: /var/log/shibboleth/

Check the shibd.log file for errors using this command: cat /var/log/shibboleth/shibd.log | grep ERROR
Your resource URL is https://shib.yourdomain.com/secure
Try browse to it.
If you get nothing then Apache hasn’t started properly, check the apache logs.
You should get something that starts with the shibboleth logo OR a WAYF login screen.
If you get the WAYF screen the things are going great, if you get the Shibboleth error message then we need to make some more configuration changes. See your logs and continue reading.
If you get “Cannot connect to shibd process, a site adminstrator should be notified.”
then your SELINUX restrictions have kicked in. Check by doing
cat /var/log/audit/audit.log | grep shib

More info on SELinux can be found here or by using the sestatus command:

A good output should look like this:
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted

The fix for the SELinux problem is documented on Page 1 however I recommend being a bit more brutal if your environment is hyper fussy about security.

Once you have a working setup you can browse to http://shib.yourdomain.com/Shibboleth.sso/Metadata to get your automatically generated Metadata and proceed with the UK Federation registration process.
When you speak to the UK Federation to approve your registration you will be asked to run this command from /etc/shibboleth
openssl x509 -sha1 -in sp.crt -noout -fingerprint

You will be asked to provide them with the fingerprint so keep a record of this.
Griffin goes “meow”.

Related Posts

  1. Installing Shibboleth SP 2 on CentOS to the ukfederation w/ Godaddy certs
  2. Configuring Shibboleth SP 2 on CentOS to the ukfederation w/ Godaddy certs
  3. Configuring Apache for Shibboleth on CentOS to the ukfederation w/ Godaddy certs
]]> http://mclear.co.uk/2009/10/27/testing-shibboleth-sp-2-on-centos-to-the-ukfederation-w-godaddy-certs/feed/ 1