140 likes | 382 Views
Shibboleth: Installation and Deployment. Scott Cantor (cantor.2@osu.edu) July 29, 2002. Installation: Packaging. Alpha 1 and 2 are binary distributions. Source was made public in late July: http://middleware.internet2.edu/opensaml/cvs.html Alpha 2.5 will probably be binary with source.
E N D
Shibboleth: Installation and Deployment Scott Cantor (cantor.2@osu.edu) July 29, 2002
Installation: Packaging • Alpha 1 and 2 are binary distributions. • Source was made public in late July: • http://middleware.internet2.edu/opensaml/cvs.html • Alpha 2.5 will probably be binary with source. • Beta 1 should support “./configure; make; make install” for autoconf platforms and Visual Studio on Windows. • Even with better packaging, manual installation of servlets and Apache modules will be needed.
Installation: General • Solaris 2.x and Linux • Current Basic Requirements: Apache 1.3.26, mod_ssl 2.8.10, OpenSSL 0.9.6, Sun JDK 1.3.1, Jakarta Tomcat 3.3.1 • Binaries distributed as a tarball: $ cd /usr/local $ tar xvfz shib_alpha2_linux_rh72.tar.gz • Deploy Guide: • http://middleware.internet2.edu/shibboleth/docs/DeployGuide-alpha2.txt
Installation: General • Both origins and targets need: • SSL-enabled Apache server, equipped with a certificate signed by a club-approved CA • Jakarta Tomcat servlet engine with AJP 1.3 connector (mod_jk) • All the servlets are packaged together in a single deployment archive (shibboleth.war) that can be copied into tomcat/webapps, auto-expanded, and configured
Installation: Origin Site • Install additional supporting components: • User handles can be stored in-memory or in MySQL • User attributes can be accessed in LDAP or a restricted set (EPPN and affiliation=member) can be “echoed” by the AA • Back-end interfaces will be refined over time to simplify pluggable implementations, and use standard Java APIs like JNDI when possible
Deployment: Origin Site • Choose a name for your site, probably your best known top-level domain. • This name will be part of your club application and is configured into the HS and AA servlets (web.xml). • Special Note: Alpha-2 targets will reject attributes like EPPN if the “scope” doesn’t match the site name. This will be more flexible later.
Deployment: Origin SitePKI Requirements • The web server’s SSL certificate will protect both the HS and AA servlets. • The AA servlet path is configured to support client certificate authentication: <Location "/shibboleth/AA"> SSLVerifyClient optional SSLOptions +ExportCertData </Location> • The allowable client CAs are specified: SSLCACertificateFile /usr/local/shib/etc/ca-bundle.crt
Deployment: Origin SitePKI Requirements • The HS servlet must digitally sign its messages using a key and certificate valid for digital signature creation, signed by a club-approved CA. • Alpha-2 uses a Java keystore, which allows self-generation of a key and certificate request with the keytool command (see deploy guide). • The hostname of your HS is the first field in the certificate request. • Using the SSL server key is possible, but requires some custom Java code to import/export a private key.
Deployment: Origin SiteClub Application • Target sites are given a “registry” of trusted origin sites to protect them from rogue users. • Once names are chosen, provide the following in an e-mail (address in deploy guide): • Site Name • Complete Handle Service servlet URL • The HS hostname (went into the certificate CN) • Aliases/shorthand for your institution (used by WAYF)
Shibbolization Cookbook forOrigin Sites • Apply to the club as an origin site • currently an e-mail message with basic site information • Choose any web server that can host Java Servlet and JSP applications via Tomcat • Deploy a HS behind web initial sign-on • requires a club-trusted certificate usable for signing • web server must also use SSL if handling passwords • can store handles in-memory or in MySQL • beta version should use a “handle in cookie” design
Shibbolization Cookbook forOrigin Sites • Deploy an AA in conjunction with the HS • supports two attribute “contexts”, LDAP and Echo • Install AA plugins for attributes (Java API) • preconfigured with classes for eduPerson attributes • Establish default ARPs for community • alpha-2 comes preconfigured to release everything, hides ARP tools • alpha-2.5 expected to begin exposing ARP interface • early GUI development beginning
Shibbolization Cookbook for Destination Sites • Choose any web server (as long as it’s Apache 1.3.x, but others to follow) • Equip it with the SHIRE and SHAR modules • SHIRE is a Java servlet for the time being, so Tomcat is required • SHAR/RM are combined into mod_shib • Install SHAR plugins for attributes (C++ API) • mod_eduPerson provided
RM and Application Integration • mod_shib currently provides flexible .htaccess processing. • Attributes can be mapped to Require rules and to HTTP headers, including REMOTE_USER. • Existing basic-auth sites can be “hijacked” to use Shibboleth.
Existing Applications(from most to least integrated) • Shibbolize the application and unify intra-campus and inter-campus users • Add a second URL tree for inter-campus users • Use a Shibbolized proxy server • (The latter two might also require code changes or attribute mapping. This is all much simpler for static content.)