Installing SP2.x under MacOS: Difference between revisions

From RavenWiki
Jump to navigationJump to search
No edit summary
No edit summary
 
(19 intermediate revisions by 2 users not shown)
Line 1: Line 1:
'''This page is still _very_ much a work in progress.'''


==Installing/Configuring Shibboleth for OS Server 10.5.6==
==Installing/Configuring Shibboleth for OS Server 10.5.6==
Line 9: Line 8:
Open Terminal and type:
Open Terminal and type:


<tt>sudo port install curl +ssl </tt>
<tt>$ sudo port install curl +ssl </tt>


<tt>sudo port install shibboleth</tt>
<tt>$ sudo port install shibboleth</tt>


'''The installation of Shibboleth and supporting software will take some time.'''
'''The installation of Shibboleth and supporting software will take some time.'''
Line 17: Line 16:
====Retreive the Shibboleth profiles====
====Retreive the Shibboleth profiles====


<tt>cd /opt/local/</tt>
<tt>$ cd /opt/local/</tt>
 
<tt>$ sudo curl http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/latest/mac/ports.tar | tar xv</tt>


<tt>sudo curl http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/latest/mac/ports.tar | tar xv</tt>
Edit /opt/local/etc/macports/sources.conf and add in:
Edit /opt/local/etc/macports/sources.conf and add in:


Line 27: Line 27:


<pre>rsync://rsync.macports.org/release/ports/ [default]</pre>
<pre>rsync://rsync.macports.org/release/ports/ [default]</pre>
This enables Mac Ports access to the non-standard software repository containing Shibboleth.


====For first time installs only====
====For first time installs only====


<tt>cd /opt/local/etc/shibboleth</tt>
Duplicate the standard config files and create the key pair.
 
<tt>$ cd /opt/local/etc/shibboleth</tt>


<tt>ls -1 *.dist | sed -e 's/\.dist//' | xargs -I % sudo cp "%.dist" "%"</tt>
<tt>$ ls -1 *.dist | sed -e 's/\.dist//' | xargs -I % sudo cp "%.dist" "%"</tt>


<tt>sudo sh ./keygen.sh</tt>
<tt>$ sudo sh ./keygen.sh</tt>


As the default permissions for the cert files causes Shibboleth to fail they need changing:
As the default permissions for the cert files causes Shibboleth to fail they need changing:


<tt>sudo chmod 740 sp-key.pem</tt>
<tt>$ sudo chmod 740 sp-key.pem</tt>


<tt>sudo chmod 644 sp-cert.pem</tt>
<tt>$ sudo chmod 644 sp-cert.pem</tt>


====Disable Intel 64 bit architecture for Apache====
====Disabling Intel 64 bit architecture for Apache====


Shibboleth is currently not compatible with the 64 bit architecture available on some newer Macs. To check run the folling command in Terminal:
Shibboleth is currently not compatible with the 64 bit architecture available on newer Macs. To check run the following command in Terminal:


<tt>sysctl hw.optional.x86_64</tt>
<tt>$ sysctl hw.cpu64bit_capable</tt>


If the result is 1 then do the following steps, otherwise skip to the 'Create the Shibboleth log file' section
If the result is 1 then do the following steps, otherwise skip to the 'Create the Shibboleth log file' section


<tt>sudo emacs /usr/sbin/apachectl</tt>
<tt>$ sudo emacs /usr/sbin/apachectl</tt>


change HTTPD variable from:
change HTTPD variable from:
Line 78: Line 82:
====Create the Shibboleth log file====
====Create the Shibboleth log file====


<tt>sudo touch /opt/local/var/log/httpd/native.log</tt>
<tt>$ sudo touch /opt/local/var/log/httpd/native.log</tt>


<tt>sudo chown _www /opt/local/var/log/httpd/native.log</tt>
<tt>$ sudo chown _www /opt/local/var/log/httpd/native.log</tt>


====Ensure SSL is enabled for the website====
====Ensure SSL is enabled for the website====


Using Server Admin:
Using Server Admin select Web | Sites pane, choose the website and enable SSL from the security tab
 
Web | Sites pane, choose the website and enable SSL from the security tab


====Configuring Apache====
====Configuring Apache====


Add the following to the /etc/apapche2/httpd.conf file:
Add the following to the /etc/apache2/httpd.conf file:


<pre>Include /opt/local/etc/shibboleth/apache22.config</pre>
<pre>Include /opt/local/etc/shibboleth/apache22.config</pre>
Line 100: Line 102:
====Download the Shibboleth configuration templates====
====Download the Shibboleth configuration templates====


<tt>cd /opt/local/etc/shibboleth/</tt>
<tt>$ cd /opt/local/etc/shibboleth/</tt>
 
<tt>$ sudo curl http://raven.cam.ac.uk/project/shibboleth/files/config/shibboleth2.xml-UCAMSKEL -o shibboleth2.xml</tt>
 
<tt>$ sudo curl http://raven.cam.ac.uk/project/shibboleth/files/config/attribute-map.xml-UCAMSKEL -o attribute-map.xml</tt>


<tt>sudo curl http://raven.cam.ac.uk/project/shibboleth/files/config/shibboleth2.xml-UCAMSKEL -o shibboleth2.xml</tt>
Edit the config files and look for the FIX-ME flags highlighting required edits to the files. See https://wiki.csx.cam.ac.uk/raven/Shibboleth_documentation_and_HOWTOs#Deploying_Shibboleth_SPs_in_the_University for more info.


<tt>sudo curl http://raven.cam.ac.uk/project/shibboleth/files/config/attribute-map.xml-UCAMSKEL -o attribute-map.xml</tt>
Once configured check the syntax with:


<tt>sudo curl https://shib.raven.cam.ac.uk/ucamfederation-idp-metadata.xml -o ucamfederation-idp-metadata.xml</tt>
<tt>$ /opt/local/sbin/shibd -t</tt>


Edit the config files and look for the FIX-ME flags highlighting required edits to the files. See https://wiki.csx.cam.ac.uk/raven/Shibboleth_documentation_and_HOWTOs#Deploying_Shibboleth_SPs_in_the_University for more info.
A correctly configured install will return 'overall configuration is loadable, check console for non-fatal problems'. If not, check syntax and try again.


====Starting the service====
====Starting the service====
Line 114: Line 120:
Set shib to load at startup:
Set shib to load at startup:


<tt>sudo launchctl load -w /Library/LaunchDaemons/org.macports.shibd.plist</tt>
<tt>$ sudo launchctl load -w /Library/LaunchDaemons/org.macports.shibd.plist</tt>


Start Apache:
Start Apache:


<tt>sudo apachectl start</tt>
<tt>$ sudo apachectl start</tt>
 
Before you can proceed any further you will need to register you SP, at least with Raven. See [[SP registration]] for details


Test your page!  
Test your page!  
Line 124: Line 132:
====Reloading the service====
====Reloading the service====


Any changes to the shib config will require ''both'' shibd and apache to be reloaded:
Any changes to the shib config may require ''both'' shibd and apache to be reloaded:


<tt>sudo launchctl unload -w /Library/LaunchDaemons/org.macports.shibd.plist</tt>
<tt>$ sudo launchctl unload -w /Library/LaunchDaemons/org.macports.shibd.plist</tt>


<tt>sudo launchctl load -w /Library/LaunchDaemons/org.macports.shibd.plist</tt>
<tt>$ sudo launchctl load -w /Library/LaunchDaemons/org.macports.shibd.plist</tt>


<tt>sudo apachectl restart</tt>
<tt>$ sudo apachectl restart</tt>


You may care to script this to save your sanity when making lots of changes/testing..
You may care to script this to save your sanity when making lots of changes/testing..
====Logging====
Check the following locations for logging info:
/opt/local/var/log/shibboleth/shibd.log
/opt/local/var/log/shibboleth/transaction.log
/var/log/apache2/access.log
/var/log/apache2/error.log


====More information====
====More information====
Line 138: Line 158:
Most of this document was cribbed together from the following sources:
Most of this document was cribbed together from the following sources:


https://spaces.internet2.edu/display/SHIB2/NativeSPMacInstall
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMacInstall


https://wiki.csx.cam.ac.uk/raven/Shibboleth_documentation_and_HOWTOs#Deploying_Shibboleth_SPs_in_the_University
https://wiki.csx.cam.ac.uk/raven/Shibboleth_documentation_and_HOWTOs#Deploying_Shibboleth_SPs_in_the_University

Latest revision as of 15:10, 5 July 2012

Installing/Configuring Shibboleth for OS Server 10.5.6

Install MacPorts & Shibboleth

Download Mac Ports from http://www.macports.org/install.php and install the .pkg

Open Terminal and type:

$ sudo port install curl +ssl

$ sudo port install shibboleth

The installation of Shibboleth and supporting software will take some time.

Retreive the Shibboleth profiles

$ cd /opt/local/

$ sudo curl http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/latest/mac/ports.tar | tar xv

Edit /opt/local/etc/macports/sources.conf and add in:

file:///opt/local/ports	[nosync]

before the line:

rsync://rsync.macports.org/release/ports/ [default]

This enables Mac Ports access to the non-standard software repository containing Shibboleth.

For first time installs only

Duplicate the standard config files and create the key pair.

$ cd /opt/local/etc/shibboleth

$ ls -1 *.dist | sed -e 's/\.dist//' | xargs -I % sudo cp "%.dist" "%"

$ sudo sh ./keygen.sh

As the default permissions for the cert files causes Shibboleth to fail they need changing:

$ sudo chmod 740 sp-key.pem

$ sudo chmod 644 sp-cert.pem

Disabling Intel 64 bit architecture for Apache

Shibboleth is currently not compatible with the 64 bit architecture available on newer Macs. To check run the following command in Terminal:

$ sysctl hw.cpu64bit_capable

If the result is 1 then do the following steps, otherwise skip to the 'Create the Shibboleth log file' section

$ sudo emacs /usr/sbin/apachectl

change HTTPD variable from:

HTTPD='/usr/sbin/httpd'

to:

HTTPD='arch -i386 /usr/sbin/httpd'

Add the following 2 lines to the <array> element in /System/Library/LaunchDaemons/org.apache.httpd.plist:

<string>arch</string>
<string>-i386</string>

The array element should look like this when done:

	<array>
                <string>arch</string>
                <string>-i386</string>
                <string>/usr/sbin/httpd</string>
                <string>-D</string>
                <string>FOREGROUND</string>
        </array>

Create the Shibboleth log file

$ sudo touch /opt/local/var/log/httpd/native.log

$ sudo chown _www /opt/local/var/log/httpd/native.log

Ensure SSL is enabled for the website

Using Server Admin select Web | Sites pane, choose the website and enable SSL from the security tab

Configuring Apache

Add the following to the /etc/apache2/httpd.conf file:

Include /opt/local/etc/shibboleth/apache22.config

If you are not using apache v2.2 then edit the above line appropriately according to the contents of the /opt/local/etc/shibboleth/ directory.

Ensure that the ServerName directive is set correctly and UseCanonicalName is set to On

Download the Shibboleth configuration templates

$ cd /opt/local/etc/shibboleth/

$ sudo curl http://raven.cam.ac.uk/project/shibboleth/files/config/shibboleth2.xml-UCAMSKEL -o shibboleth2.xml

$ sudo curl http://raven.cam.ac.uk/project/shibboleth/files/config/attribute-map.xml-UCAMSKEL -o attribute-map.xml

Edit the config files and look for the FIX-ME flags highlighting required edits to the files. See https://wiki.csx.cam.ac.uk/raven/Shibboleth_documentation_and_HOWTOs#Deploying_Shibboleth_SPs_in_the_University for more info.

Once configured check the syntax with:

$ /opt/local/sbin/shibd -t

A correctly configured install will return 'overall configuration is loadable, check console for non-fatal problems'. If not, check syntax and try again.

Starting the service

Set shib to load at startup:

$ sudo launchctl load -w /Library/LaunchDaemons/org.macports.shibd.plist

Start Apache:

$ sudo apachectl start

Before you can proceed any further you will need to register you SP, at least with Raven. See SP registration for details

Test your page!

Reloading the service

Any changes to the shib config may require both shibd and apache to be reloaded:

$ sudo launchctl unload -w /Library/LaunchDaemons/org.macports.shibd.plist

$ sudo launchctl load -w /Library/LaunchDaemons/org.macports.shibd.plist

$ sudo apachectl restart

You may care to script this to save your sanity when making lots of changes/testing..

Logging

Check the following locations for logging info:

/opt/local/var/log/shibboleth/shibd.log

/opt/local/var/log/shibboleth/transaction.log

/var/log/apache2/access.log

/var/log/apache2/error.log

More information

Most of this document was cribbed together from the following sources:

https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMacInstall

https://wiki.csx.cam.ac.uk/raven/Shibboleth_documentation_and_HOWTOs#Deploying_Shibboleth_SPs_in_the_University