Installing Shibboleth IDP 3.0 in a Linux Environment
The following software is required to install Shibboleth IDP 3.0 on Red Hat Linux:
1. Sun Java 1.8
2. Apache Tomcat 8
3. Apache Http Server 2.2
4. Shibboleth IDP 3.0
I am going to install the Apache Http Server as root; everything else is installed and run as a non-root user, so that a compromise of the IDP web application does not hand over the whole host.
1. Sun Java 1.8
Download Java and extract it. I have extracted the JDK into the /apps/jdk1.8.0_31 directory. After extracting it, set the JAVA_HOME environment variable and put the JDK bin directory on the PATH in your shell. Note the colon separating the PATH entries; the semicolon that often creeps into this line ends the command instead, so PATH is never updated and the wrong java ends up being used.
export JAVA_HOME=/apps/jdk1.8.0_31
export PATH=$JAVA_HOME/bin:$PATH
2. Apache Tomcat 8
Download Apache Tomcat 8 and extract it. I have extracted Tomcat into the /apps/apache-tomcat-8.0.18 directory.
2.1 Create the Self-Signed Certificate to Enable SSL
Go to the /apps/apache-tomcat-8.0.18/conf directory and execute the following command to create a self-signed certificate in a new keystore. A self-signed certificate is not recommended for production: browsers and SAML service providers will not trust it, so a real deployment needs a certificate issued by a CA.
keytool -genkey -keystore tomcat.jks -alias tomcat -keyalg RSA
You need to provide the following details while executing the above command:
1. Keystore password
2. First and last name. Enter the host name here: it becomes the CN of the certificate, and clients check it against the host name they connect to.
2.2 Configuring the server.xml to enable the SSL
Add the following connector configuration inside the Service section:
<Connector
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    port="8443" maxThreads="200" scheme="https" secure="true"
    SSLEnabled="true"
    keystoreFile="/apps/apache-tomcat-8.0.18/conf/tomcat.jks"
    keystorePass="<Replace With Your Keystore Password>" clientAuth="false"
    sslProtocol="TLS"/>
The keystore password sits in clear text in server.xml, so make server.xml and tomcat.jks readable only by the non-root user that runs Tomcat (mode 600).
2.3 Start the Tomcat
Go to the /apps/apache-tomcat-8.0.18/bin directory and run ./startup.sh. This starts the Tomcat server.
3. Apache Http Server
3.1 Installing the Apache Http Server
Log in as root and install the Apache HTTP server and mod_ssl:
yum install httpd mod_ssl
This installs httpd and mod_ssl. I am using the default SSL configuration and the certificate the package generates at install time, which is self-signed for the local host name and, like the Tomcat one above, only suitable for a sandbox. To use your own certificate, edit /etc/httpd/conf.d/ssl.conf and point the following directives at the certificate and key you generated:
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
3.2 Starting the Http Server
Execute /etc/init.d/httpd restart and it will restart the server.
3.3 Configuring the proxy_ajp.conf file
Create the proxy_ajp.conf file under /etc/httpd/conf.d (edit the one the httpd package already placed there, if present) and add the following line to forward requests for the Tomcat web application over the AJP protocol. My Tomcat is running on the same machine, so the proxy target is localhost:
ProxyPass /idp/ ajp://localhost:8009/idp/ connectiontimeout=30 timeout=60
I have used the connectiontimeout and timeout parameters because sometimes the Tomcat server delays the response and the HTTP server throws a 404 error.
I have used /idp because the IDP application will reside in the Tomcat server; I am going to deploy it there after installing the IDP.
Two things to check with this setup. AJP carries no authentication of its own, so Tomcat's AJP connector (port 8009 in server.xml) should listen on the loopback address only (address="127.0.0.1"); otherwise anything that can reach port 8009 can talk to the IDP directly and bypass httpd. And a ProxyPass placed outside any VirtualHost applies to port 80 as well as 443, so either put it inside the SSL virtual host in ssl.conf or redirect all plain HTTP to HTTPS, so that IDP session cookies are never sent in the clear.
3.4 Re-starting the Http Server
Follow step 3.2 to restart the HTTP server so that the new proxy configuration is loaded.
4. Shibboleth IDP 3.0
Extract the Shibboleth distribution; I have extracted it into the /apps/soft/shibboleth-identity-provider-3.0.0 directory. Go to the /apps/soft/shibboleth-identity-provider-3.0.0/bin directory and execute ./install.sh; it installs Shibboleth 3.0 as follows:
Executing the Installable File
./install.sh
Source (Distribution) Directory: [/apps/soft/shibboleth-identity-provider-3.0.0]
Choosing the Installation Directory
Press Enter to accept it, and it shows the following option:
Installation Directory: [/opt/shibboleth-idp]
I have chosen a different path because I am going to install the Shibboleth IDP as a non-root user (the default under /opt is not writable by that user). My Shibboleth IDP location is
/apps/shibboleth-idp
Choosing Host Name:
Hostname: [shib-idp-sandbox.example.edu]
I have selected the default host name and pressed Enter, and it displays the following screen. In a real deployment enter the IDP's public host name here: the installer derives the entityID and the CN of the signing, encryption and TLS keys from it, and changing the entityID later means re-registering the IDP with every federation and service provider.
SAML EntityID: [https://shib-idp-sandbox.example.edu/idp/shibboleth]
Choosing Attribute Scope :
Attribute Scope: [example.edu]
I have selected the default attribute scope and pressed Enter, and it displays the following screen:
Entering the TLS and Cookie Encryption Key Passwords:
TLS Private Key Password:
Re-enter password:
Cookie Encryption Key Password:
Re-enter password:
The cookie encryption (sealer) password is written in clear text into /apps/shibboleth-idp/conf/idp.properties, and the generated signing and encryption private keys are stored unencrypted under /apps/shibboleth-idp/credentials, so treat that file and that directory as secrets: owned by the non-root user and not readable by anyone else. The warnings that follow are expected on a first install, since the target directory does not exist yet:
Warning: /apps/shibboleth-idp/bin does not exist.
Warning: /apps/shibboleth-idp/dist does not exist.
Warning: /apps/shibboleth-idp/doc does not exist.
Warning: /apps/shibboleth-idp/system does not exist.
Warning: /apps/shibboleth-idp/webapp does not exist.
Generating Signing Key, CN = shib-idp-sandbox.example.edu URI = https://shib-idp-sandbox.example.edu/idp/shibboleth ...
...done
Creating Encryption Key, CN = shib-idp-sandbox.example.edu URI = https://shib-idp-sandbox.example.edu/idp/shibboleth ...
...done
Creating TLS keystore, CN = shib-idp-sandbox.example.edu URI = https://shib-idp-sandbox.example.edu/idp/shibboleth ...
...done
Creating cookie encryption key files...
...done
Rebuilding /apps/shibboleth-idp/war/idp.war ...
...done
Shibboleth was installed successfully.
Post Shibboleth Installation:
4.1 Setting the idp.home system property in Tomcat
Add the idp.home Java system property to Tomcat's startup options; the IDP uses it to locate its configuration files. Rather than editing /apps/apache-tomcat-8.0.18/bin/catalina.sh (which a Tomcat upgrade overwrites), put the line in /apps/apache-tomcat-8.0.18/bin/setenv.sh, which catalina.sh sources if it exists:
JAVA_OPTS="$JAVA_OPTS -Didp.home=/apps/shibboleth-idp"
4.2 Adding jstl-1.2.jar to the Tomcat lib directory
Download jstl-1.2.jar and copy it into the /apps/apache-tomcat-8.0.18/lib directory. The IDP's JSP-based views use the JSTL tag library, which Tomcat does not ship; the Velocity templates under views/ are rendered by the IDP itself and do not need it.
4.3 Deploy the idp.war file in tomcat
Create the idp.xml file in the /apps/apache-tomcat-8.0.18/conf/Catalina/localhost/ directory with the following content to deploy idp.war in Tomcat. The antiJARLocking attribute found in Tomcat 7 context files was removed in Tomcat 8 and is omitted here.
<Context docBase="/apps/shibboleth-idp/war/idp.war"
         privileged="true"
         antiResourceLocking="false"
         unpackWAR="true"
         swallowOutput="true" />
4.4 Restart the tomcat
Go to the /apps/apache-tomcat-8.0.18/bin directory and execute the following commands to restart the tomcat server:
./shutdown.sh - it will stop the tomcat server
./startup.sh - it will start the tomcat server
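Before testing, it is worth checking that what the preceding sections put on disk is actually locked down. The following shell script is an added example and not part of the Shibboleth or Tomcat distributions. It audits the layout described in sections 2, 3 and 4: the key material the installer wrote under /apps/shibboleth-idp/credentials and conf/idp.properties with the sealer password, Tomcat's tomcat.jks and server.xml with the keystore password, the AJP connector that httpd forwards to (which should be bound to loopback), and the -Didp.home setting. The two directory arguments and the list of files it checks are my assumptions about a default IDP 3.0 install; extend them if your layout differs.

```shell
#!/bin/sh
# idp_audit.sh: post-install least-privilege checks for the layout used in this
# post (IDP under /apps/shibboleth-idp, Tomcat under /apps/apache-tomcat-8.0.18,
# httpd forwarding /idp/ to Tomcat over AJP). Added example; not part of the
# Shibboleth or Tomcat distributions. Assumes a POSIX userland with ls, awk,
# grep, tr and cut. The file list below is an assumption about a default 3.0
# install; extend it if you keep extra keystores.

# 0 if the file exists and has no group or other permission bits at all.
# Uses the ls permission string (columns 5-10) rather than stat, whose flags
# differ between GNU and BSD.
owner_only() {
    [ -e "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Secrets written by install.sh (credentials/, idp.properties) and by the
# Tomcat SSL setup (tomcat.jks, and server.xml, which holds keystorePass in
# clear text). Any group/other read bit lets another local account sign
# assertions, decrypt session cookies or impersonate the IDP over TLS.
audit_secret_files() {
    idp_home=$1; catalina_home=$2; rc=0
    for rel in credentials/idp-signing.key credentials/idp-encryption.key \
               credentials/idp-backchannel.p12 credentials/sealer.jks \
               conf/idp.properties; do
        owner_only "$idp_home/$rel" || { echo "OPEN: $idp_home/$rel"; rc=1; }
    done
    for rel in conf/tomcat.jks conf/server.xml; do
        owner_only "$catalina_home/$rel" || { echo "OPEN: $catalina_home/$rel"; rc=1; }
    done
    return $rc
}

# Remove <!-- ... --> blocks so a commented-out connector is not reported.
# The whole file is read as one record (RS is a byte that never occurs in XML).
strip_xml_comments() {
    awk 'BEGIN { RS = "\001" } { gsub(/<!--([^-]|-[^-])*-->/, ""); print }' "$1"
}

# AJP has no authentication: with httpd on the same host (section 3.3) every
# AJP connector must carry address="127.0.0.1" (or "::1"). Returns 0 when that
# holds, or when no AJP connector is configured at all; 1 if one listens wider.
ajp_loopback_only() {
    if strip_xml_comments "$1" | tr '\n' ' ' | grep -o '<Connector[^>]*>' \
         | grep 'protocol="AJP/1.3"' \
         | grep -v -e 'address="127\.0\.0\.1"' -e 'address="::1"' \
         | grep -q .; then
        return 1
    fi
    return 0
}

# Section 4.1: the IDP finds its configuration through -Didp.home, set either
# in bin/setenv.sh (preferred) or directly in bin/catalina.sh.
idp_home_configured() {
    grep -qs -- '-Didp.home=' "$1/bin/setenv.sh" "$1/bin/catalina.sh"
}

# Usage: sh idp_audit.sh /apps/shibboleth-idp /apps/apache-tomcat-8.0.18
# Exit status is non-zero if any check fails; run it as the Tomcat user.
if [ $# -eq 2 ]; then
    status=0
    audit_secret_files "$1" "$2" || status=1
    ajp_loopback_only "$2/conf/server.xml" \
        || { echo "OPEN: AJP connector in $2/conf/server.xml is not bound to loopback"; status=1; }
    idp_home_configured "$2" \
        || { echo "MISSING: -Didp.home in $2/bin/setenv.sh or catalina.sh"; status=1; }
    [ $status -eq 0 ] && echo "OK: all checks passed"
    exit $status
fi
```

The permission check deliberately rejects any group or other bit rather than only world-readable files: on a shared host the Tomcat user's group is rarely limited to the people who should be able to read the IDP's signing key. A commented-out AJP connector is ignored, but an AJP connector with no address attribute, which is what Tomcat 8.0's default server.xml ships, is reported, because it listens on every interface.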
4.5 Testing the Shibboleth Installation:
Access the Shibboleth status page at https://localhost/idp/status and it displays the following content in the browser. The IDP restricts this page, via conf/access-control.xml, to requests from the local host by default; if you test from another machine, add your address to that rule rather than opening it up, because the page reveals software versions, paths and configuration state.
### Operating Environment Information
operating_system: Linux
operating_system_version: 2.6.32-504.8.1.el6.x86_64
operating_system_architecture: amd64
jdk_version: 1.8.0_31
available_cores: 4
used_memory: 714 MB
maximum_memory: 1751 MB
### Identity Provider Information
idp_version: 3.0.0
start_time: 2015-02-03T15:11:50-08:00
current_time: 2015-02-04T10:55:25-08:00
uptime: 71015020 ms
service: shibboleth.LoggingService
last successful reload attempt: 2015-02-03T23:11:06Z
service: shibboleth.ReloadableAccessControlService
last successful reload attempt: 2015-02-03T23:11:09Z
service: shibboleth.MetadataResolverService
last successful reload attempt: 2015-02-03T23:11:08Z
metadata source: ShibbolethMetadata
service: shibboleth.RelyingPartyResolverService
last successful reload attempt: 2015-02-03T23:11:09Z
service: shibboleth.NameIdentifierGenerationService
last successful reload attempt: 2015-02-03T23:11:07Z
service: shibboleth.AttributeResolverService
last successful reload attempt: 2015-02-03T23:11:07Z
service: shibboleth.AttributeFilterService
last successful reload attempt: 2015-02-03T23:11:07Z
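Reading the status page by eye works once; what you want afterwards is a check you can run from the IDP host itself (where access-control.xml allows it) on a schedule. The following shell script is an added example, not the IDP's own tooling: it parses a saved copy of the status output, verifies the IDP version, checks that every listed service reports a successful reload, and checks that at least one metadata source is loaded. The expected layout of the page is taken from the output shown above, which is embedded as a constructed sample; the curl invocation in the usage comment assumes the httpd front end from section 3.

```shell
#!/bin/sh
# idp_status_check.sh: scripted check of the IDP 3 status page. Added example,
# not part of the Shibboleth distribution. Assumes the page layout shown in
# this post (idp_version:, service:, last successful reload attempt:,
# metadata source: lines, one per line) and a POSIX awk/grep.

# Constructed sample: the status output from this post, used so the checks
# can be exercised without a running IDP.
idp_status_sample() {
    cat <<'EOF'
### Operating Environment Information
operating_system: Linux
operating_system_version: 2.6.32-504.8.1.el6.x86_64
jdk_version: 1.8.0_31
### Identity Provider Information
idp_version: 3.0.0
start_time: 2015-02-03T15:11:50-08:00
current_time: 2015-02-04T10:55:25-08:00
uptime: 71015020 ms
service: shibboleth.LoggingService
last successful reload attempt: 2015-02-03T23:11:06Z
service: shibboleth.ReloadableAccessControlService
last successful reload attempt: 2015-02-03T23:11:09Z
service: shibboleth.MetadataResolverService
last successful reload attempt: 2015-02-03T23:11:08Z
metadata source: ShibbolethMetadata
service: shibboleth.RelyingPartyResolverService
last successful reload attempt: 2015-02-03T23:11:09Z
service: shibboleth.AttributeResolverService
last successful reload attempt: 2015-02-03T23:11:07Z
service: shibboleth.AttributeFilterService
last successful reload attempt: 2015-02-03T23:11:07Z
EOF
}

# Prints the idp_version value from a saved status page (empty if absent).
idp_version_of() {
    awk '/^idp_version:/ { print $2; exit }' "$1"
}

# 0 if the saved status page looks healthy, 1 otherwise (reasons on stdout).
idp_status_check() {
    f=$1; rc=0

    # Pin the major version: an unexpected value usually means the proxy is
    # pointing at a different webapp or an old IDP.
    case $(idp_version_of "$f") in
        3.*) ;;
        *)   echo "FAIL: unexpected idp_version '$(idp_version_of "$f")'"; rc=1 ;;
    esac

    # Every "service:" line is expected to be followed directly by a
    # "last successful reload attempt" timestamp, as in the sample; anything
    # else (missing line, different line) is flagged for that service.
    awk '
        /^service:/ {
            svc = $2
            if ((getline nxt) <= 0 || nxt !~ /^last successful reload attempt:/) {
                print "FAIL: " svc " has no successful reload"; bad = 1
            }
        }
        END { exit bad }' "$f" || rc=1

    [ "$(grep -c '^service:' "$f" || true)" -gt 0 ] \
        || { echo "FAIL: no services listed"; rc=1; }

    # Without a metadata source no service provider can be resolved or trusted.
    grep -q '^metadata source:' "$f" \
        || { echo "FAIL: no metadata source loaded"; rc=1; }

    return $rc
}

# Usage (on the IDP host, which access-control.xml permits by default):
#   curl -sk https://localhost/idp/status -o /tmp/idp-status.txt
#   sh idp_status_check.sh /tmp/idp-status.txt
# -k is only acceptable here because section 3 uses a self-signed certificate;
# with a real certificate drop it, or pass --cacert with your CA bundle.
if [ $# -eq 1 ]; then
    idp_status_check "$1"
    exit $?
fi
```

Run it from cron or your monitoring agent and alert on a non-zero exit; the FAIL lines name the service that did not reload, which is usually the first thing you want to know after editing attribute-resolver.xml or a metadata provider.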
These docs are excellent and greatly appreciated. IdP 3.0 is quite an upgrade.
great notes, thanks