This page is under construction
...
Executive Summary
Version 2 of the MIT core identity provider is based on version 2.1.x of Internet2's Shibboleth IdP package. Including the IdP software itself, the following major components are required:
- Apache httpd 2.2 (from stock RHEL httpd RPM)
- mod_ssl (from stock RHEL mod_ssl RPM)
- mod_auth_kerb (from stock RHEL mod_auth_kerb RPM)
- Tomcat 6.0
- JDK 6.0 (from Sun, plus enhanced JCE and security policy)
- Shibboleth IdP 2.1
- terracotta 3.1
In the configuration documented below, the Apache web server will listen on the following TCP ports:
- 80 (HTTP)
- 443 (SSL virtual host for HTTPS)
- 446 (SSL virtual host for authenticating via user certificates)
- 447 (SSL virtual host for certificate authentication using "SSLVerifyClient require")
- 8443 (SSL virtual host for SP's back-channel SOAP calls for attributes)
The terracotta server will listen on the following TCP ports:
- 9510
- 9530
Note these listeners only need to accept connections from peer servers in the cluster, so these ports should be configured accordingly in the firewall.
The following need to be created for use by Kerberos and SSL:
- MIT SSL server certificate (CN idp.mit.edu)
- HTTP keytab (i.e. HTTP/idp.mit.edu@ATHENA.MIT.EDU)
The following log files will be used:
- Apache httpd log files in
/var/log/httpd/:- ssl_access_log
- ssl_request_log
- ssl_error_log
- idp-attr-query_access_log
- idp-attr-query_request_log
- idp-attr-query_error_log
- cert-authn-optional_access_log
- cert-authn-optional_request_log
- cert-authn-optional_error_log
- access_log
- error_log
- Shibboleth IdP log files in
/usr/local/shibboleth-idp/logs/:- idp-process.log
- idp-access.log
- idp-audit.log
- Tomcat logs in
/usr/local/tomcat/logs/- catalina.out
- terracotta system logs in
/usr/local/terracotta/logs/:- terracotta.log
- run-dgc.cron.log
- terracotta cluster logs in
/usr/local/shibboleth-idp/cluster/:- client/logs-127.0.0.1/terracotta-client.log
- server/logs/terracotta-server.log
Install and configure Apache httpd
...