You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 12 Next »

This page is under construction

Software

  • Apache httpd 2.2 (from stock RHEL httpd RPM)
  • mod_ssl (from stock RHEL mod_ssl RPM)
  • mod_auth_kerb (from stock RHEL mod_auth_kerb RPM)
  • Tomcat 6.0
  • JDK 6.0
  • Shibboleth IdP 2.1
  • terracotta 3.1

Install and configure Apache httpd

Install needed RPMs
  • Use stock httpd RPM install (standard NIST install)
  • Install mod_ssl and mod_auth_kerb RPMs:
    # yum install mod_ssl
    # yum install mod_auth_kerb
    
Configure
  • In /etc/httpd/conf/httpd.conf, set ServerName:
    ServerName idp.mit.edu:80
    
    and set the UseCanonicalName option to On:
    UseCanonicalName On
    
  • In /etc/httpd/conf.d/ssl.conf, set the SSLRandomSeed options:
    SSLRandomSeed startup file:/dev/urandom 1024
    SSLRandomSeed connect file:/dev/urandom 1024
    
    within the VirtualHost block, set the ServerName:
    ServerName idp.mit.edu:443
    
    set the SSL cipher suite:
    SSLCipherSuite HIGH:MEDIUM:EXP:!aNULL:!SSLv2:+SHA1:+MD5:+HIGH:+MEDIUM:+EXP
    
    Install the server certificate, key, and CA files in /etc/pki/tls/certs/ and /etc/pki/tls/private/, as appropriate, and set the paths in ssl.conf:
    SSLCertificateFile /etc/pki/tls/certs/idp-staging.mit.edu-cert.pem
    SSLCertificateKeyFile /etc/pki/tls/private/idp-staging.mit.edu-key.pem
    SSLCertificateChainFile /etc/pki/tls/certs/EquifaxCA.pem
    SSLCACertificateFile /etc/pki/tls/certs/mitCAclient.pem
    
    set the SSL options:
    SSLOptions +StrictRequire
    
    configure custom logging:
     CustomLog logs/ssl_request_log \
              "%t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x %{SSL_CLIENT_VERIFY}x \"%r\" %b"
    
    ensure that all access is via SSL:
    <Directory />
        SSLRequireSSL
    </Directory>
    
    ensure that all rewrite rules are inherited:
    RewriteEngine On
    RewriteOptions inherit
    
  • Disable the stock "Welcome" page, by commenting out the lines in /etc/httpd/conf.d/welcome.conf
  • Install our standard robots.txt and favicon.ico files in /var/www/html. The robots.txt should disallow all access:
    User-agent: *
    Disallow: /
    
    Current versions of these files may be found in the touchstone locker, in /mit/touchstone/config/htdocs/.
  • Make sure httpd is started at boot time:
    # chkconfig httpd on
    

Install JDK and enhanced JCE

The IdP uses JDK 1.6; download and install the RPM from Sun, or use the version in the downloads directory in the touchstone locker (jdk-6uNN-linux-amd64.rpm, where NN is the update number). To support additional cryptographic algorithms used by the IdP, download and install the Bouncy Castle JCE jar file (http://polydistortion.net/bc/index.html) in the lib/ext directory of the JRE (/usr/java/latest/jre/lib/ext/). Add it as a provider in in the JRE's lib/security/java.security, e.g.:

security.provider.9=org.bouncycastle.jce.provider.BouncyCastleProvider

(Replace 9 with the next sequential provider number as needed).

To support use of crypto key sizes larger than 2048 bits, we also add the Unlimited Strength Security Policy to the JVM. Download jce_policy-6.zip from the locker downloads directory, or from Sun (http://java.sun.com/javase/downloads/index.jsp, Other Downloads section at the bottom). Unzip the policy zip file and copy local_policy.jar and US_export_policy.jar into the JRE's lib/security directory (replacing the versions installed from the JDK RPM).

Install Tomcat

  • Download current Tomcat 6.0 binary distribution (tested with 6.0.20, available in /mit/touchstone/downloads/apache-tomcat-6.0.20.tar.gz, and install under /usr/local:
    # cd /usr/local
    # tar xzf /path/to/apache-tomcat-6.0.20.tar.gz
    # rm -f tomcat
    # ln -s apache-tomcat-6.0.20.tar.gz tomcat
    
  • Create the tomcat user, and change the ownership of the tomcat tree:
    # groupadd -g 52 tomcat
    # useradd -u 52 -g tomcat -c "Tomcat User" -d /usr/local/tomcat tomcat
    # chown -R tomcat:tomcat /usr/local/apache-tomcat-6.0.20
    

Install Shibboleth IdP

# mkdir -p /usr/local/shibboleth-idp
# chown tomcat:tomcat /usr/local/shibboleth-idp
# cd /usr/local/shibboleth-idp
# tar xzf /path/to/usr_local_shibboleth-idp.tgz

Copy in the idp config files for the server, to the conf subdirectory; these include:

  • attribute-filter.xml
  • attribute-resolver.xml.in
  • handler.xml
  • internal.xml
  • logging.xml
  • relying-party.xml
  • service.xml
  • tc-config.xml (for terracotta clustering)
    You must replace %%LDAPUID%% and %%LDAPPASSWORD%% in attribute-resolver.xml.in with the principal uid (e.g. touchstone-core-service) and passord (principalCredential attribute) for accessing our LDAP server, and save the resulting file as attribute-resolver.xml. Make sure the file is not world-readable.
  • No labels