Installing SP2.x under MacOS
Latest revision as of 15:10, 5 July 2012
Installing/Configuring Shibboleth for OS Server 10.5.6
Install MacPorts & Shibboleth
Download Mac Ports from http://www.macports.org/install.php and install the .pkg
Open Terminal and type:
$ sudo port install curl +ssl
$ sudo port install shibboleth
The installation of Shibboleth and supporting software will take some time.
Retrieve the Shibboleth profiles
$ cd /opt/local/
$ sudo curl http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/latest/mac/ports.tar | tar xv
Edit /opt/local/etc/macports/sources.conf and add in:
file:///opt/local/ports [nosync]
before the line:
rsync://rsync.macports.org/release/ports/ [default]
This enables Mac Ports access to the non-standard software repository containing Shibboleth.
For first time installs only
Duplicate the standard config files and create the key pair.
$ cd /opt/local/etc/shibboleth
$ ls -1 *.dist | sed -e 's/\.dist//' | xargs -I % sudo cp "%.dist" "%"
$ sudo sh ./keygen.sh
As the default permissions on the certificate files cause Shibboleth to fail, they need changing:
$ sudo chmod 740 sp-key.pem
$ sudo chmod 644 sp-cert.pem
Disabling Intel 64 bit architecture for Apache
Shibboleth is currently not compatible with the 64 bit architecture available on newer Macs. To check, run the following command in Terminal:
$ sysctl hw.cpu64bit_capable
If the result is 1 then do the following steps; otherwise skip to the 'Create the Shibboleth log file' section.
$ sudo emacs /usr/sbin/apachectl
change HTTPD variable from:
HTTPD='/usr/sbin/httpd'
to:
HTTPD='arch -i386 /usr/sbin/httpd'
Add the following 2 lines to the <array> element in /System/Library/LaunchDaemons/org.apache.httpd.plist:
<string>arch</string>
<string>-i386</string>
The array element should look like this when done:
<array>
    <string>arch</string>
    <string>-i386</string>
    <string>/usr/sbin/httpd</string>
    <string>-D</string>
    <string>FOREGROUND</string>
</array>
Create the Shibboleth log file
$ sudo touch /opt/local/var/log/httpd/native.log
$ sudo chown _www /opt/local/var/log/httpd/native.log
Ensure SSL is enabled for the website
Using Server Admin, select the Web | Sites pane, choose the website and enable SSL from the Security tab.
Configuring Apache
Add the following to the /etc/apache2/httpd.conf file:
Include /opt/local/etc/shibboleth/apache22.config
If you are not using apache v2.2 then edit the above line appropriately according to the contents of the /opt/local/etc/shibboleth/ directory.
Ensure that the ServerName directive is set correctly and that UseCanonicalName is set to On.
Download the Shibboleth configuration templates
$ cd /opt/local/etc/shibboleth/
$ sudo curl http://raven.cam.ac.uk/project/shibboleth/files/config/shibboleth2.xml-UCAMSKEL -o shibboleth2.xml
$ sudo curl http://raven.cam.ac.uk/project/shibboleth/files/config/attribute-map.xml-UCAMSKEL -o attribute-map.xml
Edit the config files and look for the FIX-ME flags highlighting required edits to the files. See https://wiki.csx.cam.ac.uk/raven/Shibboleth_documentation_and_HOWTOs#Deploying_Shibboleth_SPs_in_the_University for more info.
Once configured check the syntax with:
$ /opt/local/sbin/shibd -t
A correctly configured install will return 'overall configuration is loadable, check console for non-fatal problems'. If not, check syntax and try again.
Starting the service
Set shib to load at startup:
$ sudo launchctl load -w /Library/LaunchDaemons/org.macports.shibd.plist
Start Apache:
$ sudo apachectl start
Before you can proceed any further you will need to register your SP, at least with Raven. See SP registration for details.
Test your page!
Reloading the service
Any changes to the shib config may require both shibd and apache to be reloaded:
$ sudo launchctl unload -w /Library/LaunchDaemons/org.macports.shibd.plist
$ sudo launchctl load -w /Library/LaunchDaemons/org.macports.shibd.plist
$ sudo apachectl restart
You may care to script this to save your sanity when making lots of changes/testing.
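An added example of such a reload script (not from the original page or the Shibboleth project). It ties together three steps from this page: the sp-key.pem/sp-cert.pem permissions set in the first-time install, the 'shibd -t' syntax check, and the launchctl/apachectl reload sequence. The paths default to the MacPorts locations given above; SHIB_ETC, SHIBD and PLIST are assumed environment overrides so the checks can be exercised on test files.

```shell
#!/bin/sh
# Added example for the MacPorts Shibboleth SP layout described on this page.
# Refuses to bounce shibd/Apache when the key permissions are wrong or when
# 'shibd -t' does not report the configuration as loadable.
SHIB_ETC="${SHIB_ETC:-/opt/local/etc/shibboleth}"
SHIBD="${SHIBD:-/opt/local/sbin/shibd}"
PLIST="${PLIST:-/Library/LaunchDaemons/org.macports.shibd.plist}"

# Print the octal permission bits of a file: GNU stat where '-c' works,
# otherwise the BSD stat shipped with OS X ('%OLp' = low 9 bits, octal).
file_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%OLp' "$1"
    fi
}

# Return 0 only when sp-key.pem is 740 and sp-cert.pem is 644, the modes
# the first-time install sets. A world-readable private key fails here.
check_cert_perms() {
    dir="$1"
    [ "$(file_mode "$dir/sp-key.pem")" = "740" ] || return 1
    [ "$(file_mode "$dir/sp-cert.pem")" = "644" ] || return 1
}

# Return 0 when the captured output of 'shibd -t' contains the success
# message quoted on this page. Non-fatal warnings may precede it, so the
# phrase is matched rather than relying on a bare exit status.
config_loadable() {
    printf '%s\n' "$1" | grep -q 'overall configuration is loadable'
}

# Full reload: permissions check, syntax check, then bounce both services.
reload_sp() {
    check_cert_perms "$SHIB_ETC" || {
        echo "bad permissions on sp-key.pem or sp-cert.pem in $SHIB_ETC" >&2; return 1; }
    out=$("$SHIBD" -t 2>&1)
    config_loadable "$out" || { printf '%s\n' "$out" >&2; return 1; }
    sudo launchctl unload -w "$PLIST"
    sudo launchctl load -w "$PLIST"
    sudo apachectl restart
}

# Only perform the reload when invoked as: sh reload-shib.sh reload
if [ "${1:-}" = "reload" ]; then
    reload_sp
fi
```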
Logging
Check the following locations for logging info:
/opt/local/var/log/shibboleth/shibd.log
/opt/local/var/log/shibboleth/transaction.log
/var/log/apache2/access.log
/var/log/apache2/error.log
More information
Most of this document was cribbed together from the following sources:
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMacInstall