You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 17 Next »

This page is under construction

Software

  • Apache httpd 2.2 (from stock RHEL httpd RPM)
  • mod_ssl (from stock RHEL mod_ssl RPM)
  • mod_auth_kerb (from stock RHEL mod_auth_kerb RPM)
  • Tomcat 6.0
  • JDK 6.0
  • Shibboleth IdP 2.1
  • terracotta 3.1

Install and configure Apache httpd

Install needed RPMs
  • Use stock httpd RPM install (standard NIST install)
  • Install mod_ssl and mod_auth_kerb RPMs: 
    # yum install mod_ssl
# yum install mod_auth_kerb
Configure
  • In /etc/httpd/conf/httpd.conf, set ServerName: 
    ServerName idp.mit.edu:80
    and set the UseCanonicalName option to On: 
    UseCanonicalName On
  • In /etc/httpd/conf.d/ssl.conf, set the SSLRandomSeed options: 
    SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024
    within the VirtualHost block, set the ServerName: 
    ServerName idp.mit.edu:443
    set the SSL cipher suite: 
    SSLCipherSuite HIGH:MEDIUM:EXP:!aNULL:!SSLv2:+SHA1:+MD5:+HIGH:+MEDIUM:+EXP
    Install the server certificate, key, and CA files in /etc/pki/tls/certs/ and /etc/pki/tls/private/, as appropriate, and set the paths in ssl.conf: 
    SSLCertificateFile /etc/pki/tls/certs/idp-staging.mit.edu-cert.pem
SSLCertificateKeyFile /etc/pki/tls/private/idp-staging.mit.edu-key.pem
SSLCertificateChainFile /etc/pki/tls/certs/EquifaxCA.pem
SSLCACertificateFile /etc/pki/tls/certs/mitCAclient.pem
    set the SSL options: 
    SSLOptions +StrictRequire
    configure custom logging: 
     CustomLog logs/ssl_request_log \
          "%t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x %{SSL_CLIENT_VERIFY}x \"%r\" %b"
    ensure that all access is via SSL: 
    <Directory />
    SSLRequireSSL
</Directory>
    ensure that all rewrite rules are inherited: 
    RewriteEngine On
RewriteOptions inherit
  • Disable the stock "Welcome" page, by commenting out the lines in /etc/httpd/conf.d/welcome.conf
  • Install our standard robots.txt and favicon.ico files in /var/www/html. The robots.txt should disallow all access: 
    User-agent: *
Disallow: /
    Current versions of these files may be found in the touchstone locker, in /mit/touchstone/config/htdocs/.
  • Make sure httpd is started at boot time: 
    # chkconfig httpd on

Install JDK and enhanced JCE

The IdP uses JDK 1.6; download and install the RPM from Sun, or use the version in the downloads directory in the touchstone locker (jdk-6uNN-linux-amd64.rpm, where NN is the update number). To support additional cryptographic algorithms used by the IdP, download and install the Bouncy Castle JCE jar file (http://polydistortion.net/bc/index.html) in the lib/ext directory of the JRE (/usr/java/latest/jre/lib/ext/). Add it as a provider in in the JRE's lib/security/java.security, e.g.:

security.provider.9=org.bouncycastle.jce.provider.BouncyCastleProvider

(Replace 9 with the next sequential provider number as needed).

To support use of crypto key sizes larger than 2048 bits, we also add the Unlimited Strength Security Policy to the JVM. Download jce_policy-6.zip from the locker downloads directory, or from Sun (http://java.sun.com/javase/downloads/index.jsp, Other Downloads section at the bottom). Unzip the policy zip file and copy local_policy.jar and US_export_policy.jar into the JRE's lib/security directory (replacing the versions installed from the JDK RPM).

Install Tomcat

  • Download current Tomcat 6.0 binary distribution (tested with 6.0.20, available in /mit/touchstone/downloads/apache-tomcat-6.0.20.tar.gz, and install under /usr/local: 
    # cd /usr/local
# tar xzf /path/to/apache-tomcat-6.0.20.tar.gz
# rm -f tomcat
# ln -s apache-tomcat-6.0.20.tar.gz tomcat
  • Create the tomcat user, and change the ownership of the tomcat tree: 
    # groupadd -g 52 tomcat
# useradd -u 52 -g tomcat -c "Tomcat User" -d /usr/local/tomcat tomcat
# chown -R tomcat:tomcat /usr/local/apache-tomcat-6.0.20

Install Shibboleth IdP

  • Extract our distribution tar file into the /usr/local/shibboleth-idp directory: 
    # mkdir -p /usr/local/shibboleth-idp
# chown tomcat:tomcat /usr/local/shibboleth-idp
# cd /usr/local/shibboleth-idp
# tar xzf /path/to/usr_local_shibboleth-idp.tgz
  • Copy endorsed jars to tomcat endorsed dir: 
    # mkdir -p /usr/local/tomcat/endorsed
# cp -p /usr/local/shibboleth-idp/lib/endorsed/*.jar /usr/local/tomcat/endorsed/
  • Copy in the idp config files for the server, to the conf subdirectory; these include:
    • attribute-filter.xml
    • attribute-resolver.xml.in
    • handler.xml
    • internal.xml
    • logging.xml
    • relying-party.xml
    • service.xml
    • tc-config.xml (for terracotta clustering)
      You must replace %%LDAPUID%% and %%LDAPPASSWORD%% in attribute-resolver.xml.in with the principal uid (e.g. touchstone-core-service) and passord (principalCredential attribute) for accessing our LDAP server, and save the resulting file as attribute-resolver.xml. Make sure the file is not world-readable.

Firewall

# iptables -I RH-Firewall-1-INPUT 36 -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
# iptables -I RH-Firewall-1-INPUT 37 -m state --state NEW -m tcp -p tcp --dport 8444 -j ACCEPT
# iptables -I RH-Firewall-1-INPUT 38 -m state --state NEW -m tcp -p tcp --dport 446 -j ACCEPT
# iptables -I RH-Firewall-1-INPUT 39 -m state --state NEW -m tcp -p tcp --dport 447 -j ACCEPT
# iptables -I RH-Firewall-1-INPUT 40 -m state --state NEW -m tcp -p tcp -s 18.9.23.26 --dport 9510 -j ACCEPT
# iptables -I RH-Firewall-1-INPUT 41 -m state --state NEW -m tcp -p tcp -s 18.9.23.26 --dport 9530 -j ACCEPT
# /etc/init.d/iptables save
  • No labels