Pegasi Wiki

clustered_shibboleth_idp_v3_federated_installation [2018/01/10 17:02]
Pekka Kuronen
clustered_shibboleth_idp_v3_federated_installation [2019/02/22 16:06] (current)
Pekka Kuronen
Line 1: Line 1:
 ====== Clustered Shibboleth IDP ====== ====== Clustered Shibboleth IDP ======
  
-**Update ​to database session storage ​and fixed consent handling**+** Update ​22.02.2019: Tomcat 8.5 / Jetty 9.4 and Shibboleth IDP 3.4.3 **
  
 Documentation for Shibboleth IDP implementation using clustered PostgreSQL BDR database. For successful SQL replication you must run the same commands on all of the nodes excluding the node_external_dsn and node_join_dsn commands which include host information. Documentation for Shibboleth IDP implementation using clustered PostgreSQL BDR database. For successful SQL replication you must run the same commands on all of the nodes excluding the node_external_dsn and node_join_dsn commands which include host information.
Line 24: Line 24:
  
   * CentOS7   * CentOS7
-  * Application server: Tomcat ​(default) or Jetty 9.3+  * Application server: Tomcat ​8.5 (default) or Jetty 9.4
   * Apache with mod_ssl   * Apache with mod_ssl
-  * Shibboleth identity provider 3.3.1-1+  * Shibboleth identity provider 3.4.3
   * eDirectory 9.0.3 LDAP -server with federation schema extensions   * eDirectory 9.0.3 LDAP -server with federation schema extensions
  
-I used Tomcat 7 from from OS repository ​because ​it is updated with minimal effort.+originally ​used Tomcat 7 from from OS repository ​but now I have to go for Tomcat 8.5 manual installation but it is easy to do when you install Tomcat 7 from repository but leave it disabled. That we we can have the OS environment more prepared for Tomcat use.
  
 ===== System preparation ===== ===== System preparation =====
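Review bot: the replacement paragraph after the bullet list has two duplicated words ("from from OS repository", "That we we can") and runs three thoughts into one sentence. Suggest: "I originally used Tomcat 7 from the OS repository, but now have to install Tomcat 8.5 manually. That is easy if you install the Tomcat 7 rpm from the repository and leave it disabled: the OS environment (tomcat user, SELinux contexts) is then already prepared for Tomcat 8.5." It would also help to say why Tomcat 8.5 is required for IDP 3.4.3, since the bullet list only records the version change.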
Line 38: Line 38:
  
 Check /etc/hosts contains necessary information such as address for localhost or hostname for HA environment. If you define IDP using ldaps connection to a host you must have a matching hostname which is good to define in hosts file. Check /etc/hosts contains necessary information such as address for localhost or hostname for HA environment. If you define IDP using ldaps connection to a host you must have a matching hostname which is good to define in hosts file.
 +
 +We need JAVA_HOME so lets do it in profile file /​etc/​profile.d/​shibboleth.sh:​
 +
 +<​code>​
 +#!/bin/sh
 +export JAVA_HOME=/​usr/​lib/​jvm/​jre-1.8.0-openjdk
 +</​code>​
  
 File /​etc/​resolv.conf must have DNS data : File /​etc/​resolv.conf must have DNS data :
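Review bot: the JAVA_HOME added in /etc/profile.d/shibboleth.sh (/usr/lib/jvm/jre-1.8.0-openjdk) does not match the JAVA_HOME that the new tomcat8.service unit sets (Environment=JAVA_HOME=/usr/lib/jvm/jre), and systemd services do not read /etc/profile.d at all, so this file only affects interactive shells and the build.sh run later in the page. Pick one path and use it in both places so the IDP is built and run on the same JRE; /usr/lib/jvm/jre is an alternatives-managed symlink that moves when another JDK is installed, so the explicit jre-1.8.0-openjdk path is the safer choice for the unit file as well.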
Line 90: Line 97:
 </​code>​ </​code>​
  
-==== Software ​installation ​====+==== Software ​download ​====
  
 <​code>​ <​code>​
 yum update yum update
-yum install java-1.7.0-openjdk httpd mod_ssl tomcat apr-util apr+yum install java-1.8.0-openjdk httpd mod_ssl tomcat apr-util apr 
 +</​code>​ 
 + 
 +Download the Shibboleth IDP package. Please see the latest version from [[https://​shibboleth.net/​downloads/​identity-provider/​latest/​|Shibboleth IDP downloads]]. 
 + 
 +<​code>​ 
 +wget '​http://​shibboleth.net/​downloads/​identity-provider/​latest/​shibboleth-identity-provider-3.4.3.tar.gz'​ 
 +</​code>​ 
 + 
 +We must download and install Tomcat manually since CentOS / RHEL 7 does not provide rpm source for Tomcat 8. But to make life easier we install Tomcat 7 rpm to get users and selinux preset contexts set up. 
 + 
 +<​code>​ 
 +yum install tomcat 
 +systemctl disable tomcat 
 +</​code>​ 
 + 
 +Download latest Tomcat 8.5 
 + 
 +<​code>​ 
 +wget '​http://​www.nic.funet.fi/​pub/​mirrors/​apache.org/​tomcat/​tomcat-8/​v8.5.38/​bin/​apache-tomcat-8.5.38.tar.gz'​ 
 +</​code>​ 
 + 
 +Alternatively if you want to use Jetty download it 
 + 
 +<​code>​ 
 +wget '​https://​repo1.maven.org/​maven2/​org/​eclipse/​jetty/​jetty-distribution/​9.4.15.v20190215/​jetty-distribution-9.4.15.v20190215.tar.gz'​ 
 +</​code>​ 
 + 
 +==== Tomcat 8.5 installation ==== 
 + 
 +Unpack and set directory permissions. 
 + 
 +<​code>​ 
 +cd /opt 
 +tar -xvzf /​path/​to/​tomcat-8/​v8.5.38/​bin/​apache-tomcat-8.5.38.tar.gz 
 +ln -s /​opt/​apache-tomcat-8.5.38 /​opt/​tomcat 
 +cd tomcat 
 +chown -R tomcat.tomcat /​opt/​tomcat 
 +chmod g+rwx conf 
 +chmod g+r conf/* 
 +chmod g+rwx bin 
 +chmod g+r bin/* 
 +</​code>​ 
 + 
 +Now set up a new systemd unit file for Tomcat 8. 
 + 
 +<​code>​ 
 +vim /​usr/​lib/​systemd/​system/​tomcat8.service 
 +</​code>​ 
 + 
 +Paste following contents: 
 + 
 +<​code>​ 
 +[Unit] 
 +Description=Apache Tomcat Web Application Container 
 +After=syslog.target network.target 
 + 
 +[Service] 
 +Type=forking 
 +Environment=JAVA_HOME=/​usr/​lib/​jvm/​jre 
 +Environment=CATALINA_PID=/​opt/​tomcat/​temp/​tomcat.pid 
 +Environment=CATALINA_HOME=/​opt/​tomcat 
 +Environment=CATALINA_BASE=/​opt/​tomcat 
 +Environment='​CATALINA_OPTS=-Xms2048M -Xmx4096M -server -XX:​+UseG1GC'​ 
 +Environment='​JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/​dev/​./​urandom -Didp.home=/​opt/​shibboleth-idp'​ 
 +ExecStart=/​opt/​tomcat/​bin/​startup.sh 
 +ExecStop=/​bin/​kill -15 $MAINPID 
 +User=tomcat 
 +Group=tomcat 
 + 
 +[Install] 
 +WantedBy=multi-user.target 
 +</​code>​ 
 + 
 +Set SELinux contexts 
 + 
 +<​code>​ 
 +cd /​opt/​tomcat 
 +chcon system_u:​object_r:​bin_t:​s0 chcon system_u:​object_r:​bin_t:​s0 /​opt/​apache-tomcat-8.5.38/​bin 
 +chcon -R system_u:​object_r:​etc_t:​s0 conf 
 +chcon -R system_u:​object_r:​tomcat_exec_t:​s0 bin 
 +chcon -R system_u:​object_r:​lib_t:​s0 lib 
 +chcon -R system_u:​object_r:​tomcat_log_t:​s0 logs 
 +chcon -R system_u:​object_r:​tomcat_cache_t:​s0 temp work 
 +chcon -R system_u:​object_r:​tomcat_var_lib_t:​s0 webapps 
 +chcon system_u:​object_r:​tomcat_unit_file_t:​s0 /​usr/​lib/​systemd/​system/​tomcat8.service 
 +</​code>​ 
 + 
 +Set up selinux module to allow Tomcat 8.5 startup.sh execution from /​opt/​tomcat/​bin. 
 + 
 +<​code>​ 
 +vim tomcat-startup.te 
 +</​code>​ 
 + 
 +Paste contents: 
 + 
 +<​code>​ 
 +module tomcat-startup 1.0; 
 + 
 +require { 
 +        type tomcat_exec_t;​ 
 +        type tomcat_t; 
 +        class dir search; 
 +
 + 
 +allow tomcat_t tomcat_exec_t:​dir search; 
 +</​code>​ 
 + 
 +Compile and install module 
 + 
 +<​code>​ 
 +checkmodule -M -m -o tomcat-startup.mod tomcat-startup.te 
 +semodule_package -o tomcat-startup.pp -m tomcat-startup.mod 
 +semodule -i tomcat-startup.pp
 </​code>​ </​code>​
  
-If you want to use Jetty download it+Finally allow tomcat ​to talk with Postgres
  
 <​code>​ <​code>​
-wget '​http://​central.maven.org/​maven2/​org/​eclipse/​jetty/​jetty-distribution/​9.3.20.v20170531/​jetty-distribution-9.3.20.v20170531.tar.gz'​ +setsebool ​-P tomcat_can_network_connect_db on
-wget '​https://​shibboleth.net/​downloads/​identity-provider/​latest/​shibboleth-identity-provider-3.3.1.tar.gz'​+
 </​code>​ </​code>​
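Review bot: the first line of the SELinux block, "chcon system_u:object_r:bin_t:s0 chcon system_u:object_r:bin_t:s0 /opt/apache-tomcat-8.5.38/bin", is a paste error and will fail, and the following "chcon -R system_u:object_r:tomcat_exec_t:s0 bin" relabels that directory anyway; putting tomcat_exec_t on the directory itself is what then forces the custom tomcat-startup module ("allow tomcat_t tomcat_exec_t:dir search;"). Leave the bin directory as bin_t and label only the files inside it (chcon -t tomcat_exec_t bin/*, without -R) and the extra policy module is not needed. chcon labels are also lost on a filesystem relabel; record them with semanage fcontext -a -t and apply with restorecon -R so they survive. As rendered here the closing "}" of the require block in tomcat-startup.te is missing, and checkmodule rejects the file without it, so check the wiki source. On ownership: "chown -R tomcat.tomcat /opt/tomcat" together with the chmod g+rwx on conf and bin makes the service account the owner of its own binaries and configuration, so a compromised webapp could rewrite server.xml or startup.sh; keep /opt/tomcat root-owned and give the tomcat user write access only to temp, work, logs and webapps. Finally, both archives (the IDP tarball fetched over plain http and the Tomcat tarball from a mirror) should be checked against the upstream signature or checksum before unpacking.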
  
Line 291: Line 410:
 ===== Tomcat configuration ===== ===== Tomcat configuration =====
  
-Let's use Tomcat ​since it is included in the CentOS repositories and updated along. Jetty instructions below for your information.+** Updated to Tomcat ​8.5 **
  
-Open /etc/​tomcat/​server.xml and do the following.+We use Tomcat since the environment (SELinux) is already baked for it. Untested Jetty instructions below for your information. 
 + 
 +Open /opt/tomcat/conf/server.xml and do the following.
  
 Comment out <​Connector port="​8080">​ element Comment out <​Connector port="​8080">​ element
Line 317: Line 438:
 </​code>​ </​code>​
  
-Save and close /etc/​tomcat/​server.xml+Save and close /opt/tomcat/conf/server.xml and create deployment configuration ​for idp war.
- +
-Open /​etc/​sysconfig/​tomcat and allocate enough memory to operate efficiently. This is a static allocation ​and you must leave sufficient memory ​for the host OS.+
  
 <​code>​ <​code>​
-JAVA_OPTS="​-server -Xmx4096m -Djava.security.egd=file:​/dev/./urandom"​+mkdir -/opt/tomcat/conf/​Catalina/​localhost 
 +vim /​opt/​tomcat/​conf/​Catalina/​localhost/​idp.xml
 </​code>​ </​code>​
  
-Enable ​tomcat+Paste following into the /opt/tomcat/​conf/​Catalina/​localhost/​idp.xml:​
  
 <​code>​ <​code>​
-systemctl enable tomcat +<Context docBase="/​opt/​shibboleth-idp/​war/​idp.war"​ 
-systemctl start tomcat+         privileged="​true"​ 
 +         ​antiResourceLocking="​false"​ 
 +         ​swallowOutput="​true">​ 
 +</​Context>​
 </​code>​ </​code>​
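Review bot: "mkdir -/opt/tomcat/conf/Catalina/localhost" has lost the option letter and should read "mkdir -p /opt/tomcat/conf/Catalina/localhost". This hunk also drops the old "systemctl enable tomcat" / "systemctl start tomcat" step without adding the equivalent for the new unit; add "systemctl daemon-reload && systemctl enable --now tomcat8" and keep the repository tomcat service disabled. The context file sets privileged="true", which lets the webapp use Tomcat's container servlets; if that is taken from the Shibboleth deployment guide, say so, otherwise check whether the IDP deploys without it.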
  
Line 446: Line 569:
 </​code>​ </​code>​
  
 +Not sure about this one but in case there are problems with SQL connections copy the Apache Commons database class to edit-webapp directory
 +
 +<​code>​
 +cp /​path/​to/​shibboleth-identity-provider-3.4.3/​webapp/​WEB-INF/​lib/​commons-dbcp2-2.1.1.jar /​opt/​shibboleth-idp/​edit-webapp/​WEB-INF/​lib/​
 +</​code>​
 +
 +And remember to rebuild using the build.sh command below.
  
 ===== Shibboleth IDP ===== ===== Shibboleth IDP =====
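Review bot: the copy of commons-dbcp2-2.1.1.jar into edit-webapp/WEB-INF/lib is presented as a guess ("Not sure about this one"); a deployment guide should not carry a speculative step, so either record the actual SQL connection error it fixed or drop it. For this version the copy is a no-op, because the same jar is already in the distribution's webapp/WEB-INF/lib named in the same command and build.sh merges the two directories. If it stays, note that everything in edit-webapp is merged into every future build, so after an IDP upgrade that ships a newer commons-dbcp2 the war will contain two versions of the library.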
Line 451: Line 581:
 ==== Software installation ==== ==== Software installation ====
  
-Download latest IDP software from [[https://​shibboleth.net/​downloads/​identity-provider/​latest/​|Shibboleth IDP downloads]].+Unpack ​identity provider ​tar package.
  
 <​code>​ <​code>​
-mkdir /opt/src +tar -zxf wget shibboleth-identity-provider-3.4.3.tar.gz
-cd /opt/src +
-wget https://​shibboleth.net/​downloads/​identity-provider/​latest/​shibboleth-identity-provider-3.3.1.tar.gz +
-tar -zxf shibboleth-identity-provider-3.3.1.tar.gz+
 </​code>​ </​code>​
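Review bot: the unpack command "tar -zxf wget shibboleth-identity-provider-3.4.3.tar.gz" has a stray "wget" left over from the removed line, so tar would look for an archive named wget and fail; it should read "tar -zxf shibboleth-identity-provider-3.4.3.tar.gz". The removed lines also set a working directory (mkdir /opt/src; cd /opt/src) that the new text no longer gives, while the copy command earlier in the page refers to /path/to/shibboleth-identity-provider-3.4.3, so state where the tarball is downloaded and unpacked.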
  
Line 464: Line 591:
 <​code>​ <​code>​
 wget https://​www.switch.ch/​aai/​guides/​idp/​installation/​idp-install.sh wget https://​www.switch.ch/​aai/​guides/​idp/​installation/​idp-install.sh
-sh idp-install.sh shibboleth-identity-provider-3.3.1+sh idp-install.sh shibboleth-identity-provider-3.4.3
 </​code>​ </​code>​
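Review bot: only the version argument changes here, but the step still fetches idp-install.sh with wget and runs it immediately with "sh idp-install.sh"; keep a reviewed copy of the script (or at least read it before running it), since it runs with the privileges of whoever performs the install and writes into /opt/shibboleth-idp.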
  
Line 834: Line 961:
  
 ==== Attribute filter ==== ==== Attribute filter ====
- 
-If your attribute filter needs to be downloaded from federation, set it writeable by tomcat user: 
- 
-<​code>​ 
-chown tomcat.tomcat /​opt/​shibboleth-idp/​conf/​haka-attribute-filter.xml 
-</​code>​ 
  
 Use file backed http resource by adding following to /​opt/​shibboleth-idp/​conf/​services.xml : Use file backed http resource by adding following to /​opt/​shibboleth-idp/​conf/​services.xml :
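Review bot: dropping the chown on /opt/shibboleth-idp/conf/haka-attribute-filter.xml only works because the later hunk changes ownership of the whole /opt/shibboleth-idp tree to tomcat; if that broader change is narrowed again, this file still has to be writable by the tomcat user for the federation-downloaded filter to be stored, so the specific chown should come back with it.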
Line 1154: Line 1275:
 <​code>​ <​code>​
 mkdir /​opt/​shibboleth-idp/​tmp mkdir /​opt/​shibboleth-idp/​tmp
-chown tomcat.tomcat /​opt/​shibboleth-idp/tmp +chown -tomcat.tomcat /​opt/​shibboleth-idp
-chown tomcat.tomcat /​opt/​shibboleth-idp/metadata+
 </​code>​ </​code>​
  
 ===== IDP deployment ===== ===== IDP deployment =====
  
-Enable ​IDP deployment by creating a file /etc/​tomcat/​Catalina/​localhost/​idp.xml with following contents ​:+IDP is deployed with the /opt/tomcat/conf/​Catalina/​localhost/​idp.xml with each tomcat restart.  
 + 
 +In case you need to build it use command: 
 + 
 +<​code>​ 
 +JAVACMD=/​usr/​bin/​java /​opt/​shibboleth-idp/​bin/​build.sh -Didp.target.dir=/​opt/​shibboleth-idp 
 +</​code>​ 
 + 
 +And restart tomcat.
  
 <​code>​ <​code>​
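Review bot: "chown -tomcat.tomcat /opt/shibboleth-idp" has lost the recursive flag, and as written chown parses "-tomcat.tomcat" as an option and fails; presumably "chown -R tomcat.tomcat /opt/shibboleth-idp" was intended. That recursive ownership is also much wider than the replaced lines (tmp and metadata only): it gives the tomcat user write access to the conf/ directory with the LDAP and database settings and to the credentials/ directory with the signing and encryption keys, so a compromised IDP webapp could replace its own keys or change its LDAP configuration. Keep the tree root-owned, give tomcat write access only to tmp, metadata, logs and the downloaded attribute filter, and make credentials/ readable but not writable by the tomcat group.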
