Installing SP2.x under Linux: Difference between revisions
(Drop prefork recommendation - the Shib wiki seems to recommend worker...) |
|||
| Line 22: | Line 22: | ||
===Debian/Ubuntu=== | ===Debian/Ubuntu=== | ||
<!-- See http://www.debian.org/distrib/packages and search for 'shib' in all distributions for help updating this--> | <!-- See http://www.debian.org/distrib/packages and search for 'shib' in all distributions for help updating this--> | ||
<!-- See http://packages.ubuntu.com/ and search for 'shib' in all distributions for help updating this--> | <!-- See http://packages.ubuntu.com/ and search for 'shib' in all distributions for help updating this--> | ||
{| class="wikitable" | |||
! distro !! release !! package !! version | |||
|- | |||
| Debian || 6 Squeeze<sup>1</sup> || libapache2-mod-shib2 || 2.3.1 | |||
|- | |||
| Debian || 7 Wheezy<sup>1</sup> || libapache2-mod-shib2 || 2.4.3 | |||
|- | |||
| Debian || 8 Jessie<sup>1</sup> || libapache2-mod-shib2 || 2.5.3 | |||
|- | |||
| Debain || 9 Stretch<sup>1</sup> || libapache2-mod-shib2 || 2.6.0 | |||
|- | |||
| Debain || 10 Buster<sup>1</sup> || libapache2-mod-shib || 3.0.4 | |||
|- | |||
| Ubuntu || 10.04 Lucid || libapache2-mod-shib2 || 2.3.1 | |||
|- | |||
| Ubuntu || 11.04 Natty || libapache2-mod-shib2 || 2.3.1 | |||
|- | |||
| Ubuntu || 11.10 Oneric || libapache2-mod-shib2 || 2.4.3 | |||
|- | |||
| Ubuntu || 12.04 Precise || libapache2-mod-shib2 || 2.4.3 | |||
|- | |||
| Ubuntu || 12.10 Quantal || libapache2-mod-shib2 || 2.4.3 | |||
|- | |||
| Ubuntu || 16.04 Xenial || libapache2-mod-shib2 || 2.5.3 | |||
|- | |||
| Ubuntu || 18.04 Bionic<sup>2</sup> || libapache2-mod-shib2 || 2.6.1 | |||
|- | |||
| Ubuntu || 18.10 Cosmic || libapache2-mod-shib || 3.0.2 | |||
|- | |||
| Ubuntu || 19.04 Disco || libapache2-mod-shib || 3.0.4 | |||
|} | |||
In all cases, the distribution-supplied version of the SP software can be | In all cases, the distribution-supplied version of the SP software can be enabled via: | ||
a2enmod shib2 | |||
Then run shib-keygen to create a key and self-signed X.509 certificate for the Shibboleth SP to use: | Then run shib-keygen to create a key and self-signed X.509 certificate for the Shibboleth SP to use: | ||
| Line 42: | Line 65: | ||
The key is stored in /etc/shibboleth/sp-key.pem and the certificate in /etc/shibboleth/sp-cert.pem. | The key is stored in /etc/shibboleth/sp-key.pem and the certificate in /etc/shibboleth/sp-cert.pem. | ||
==== Notes ==== | |||
# The backports repo contains the package from the next release. | |||
# The shibboleth packages in bionic still depend on libcurl3, while everything else in the distribution requires libcurl4 and they cannot both be installed. There are some workarounds detailed on the [https://bugs.launchpad.net/ubuntu/+source/xmltooling/+bug/1776489 bug tracker]. Manual compilation may be required. | |||
==Subsequent configuration== | ==Subsequent configuration== | ||
Latest revision as of 10:18, 5 June 2019
These instructions apply to installs either using RPMs provided by the Shibboleth Consortium, or using native packages available in Debian/Ubuntu. See NativeSPLinuxInstall in the Shib Wiki for instructions on installing in other versions of Linux, and then adapt these instructions accordingly.
These instructions assume that your web server serves a single site - virtual hosting issues are addressed elsewhere.
Installation
RPMs
Currently (June 2012) the Shib Consortium provide RPMs for Red Hat Enterprise and CentOS 5, 6 (i386 and x86_64); SUSE Linux Enterprise Server 9, 10, 11, 11-SP1 (i386 and x86_64); and OpenSUSE Linux 11.0, 11.1, 11.2, 11.3, 11.4, 12.1 (i386 and x86_64).
Follow the instructions at https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxRPMInstall
to install an apropriate set of RPMs.
For SLES10 and zypper it's possible to use Yum repository by adding the appropriate repository with
zypper sa http://download.opensuse.org/repositories/security:/shibboleth/SLE_10/
after which the Shibboleth software can be installed with
zypper in shibboleth
Debian/Ubuntu
| distro | release | package | version |
|---|---|---|---|
| Debian | 6 Squeeze1 | libapache2-mod-shib2 | 2.3.1 |
| Debian | 7 Wheezy1 | libapache2-mod-shib2 | 2.4.3 |
| Debian | 8 Jessie1 | libapache2-mod-shib2 | 2.5.3 |
| Debain | 9 Stretch1 | libapache2-mod-shib2 | 2.6.0 |
| Debain | 10 Buster1 | libapache2-mod-shib | 3.0.4 |
| Ubuntu | 10.04 Lucid | libapache2-mod-shib2 | 2.3.1 |
| Ubuntu | 11.04 Natty | libapache2-mod-shib2 | 2.3.1 |
| Ubuntu | 11.10 Oneric | libapache2-mod-shib2 | 2.4.3 |
| Ubuntu | 12.04 Precise | libapache2-mod-shib2 | 2.4.3 |
| Ubuntu | 12.10 Quantal | libapache2-mod-shib2 | 2.4.3 |
| Ubuntu | 16.04 Xenial | libapache2-mod-shib2 | 2.5.3 |
| Ubuntu | 18.04 Bionic2 | libapache2-mod-shib2 | 2.6.1 |
| Ubuntu | 18.10 Cosmic | libapache2-mod-shib | 3.0.2 |
| Ubuntu | 19.04 Disco | libapache2-mod-shib | 3.0.4 |
In all cases, the distribution-supplied version of the SP software can be enabled via:
a2enmod shib2
Then run shib-keygen to create a key and self-signed X.509 certificate for the Shibboleth SP to use:
shib-keygen
The key is stored in /etc/shibboleth/sp-key.pem and the certificate in /etc/shibboleth/sp-cert.pem.
Notes
- The backports repo contains the package from the next release.
- The shibboleth packages in bionic still depend on libcurl3, while everything else in the distribution requires libcurl4 and they cannot both be installed. There are some workarounds detailed on the bug tracker. Manual compilation may be required.
Subsequent configuration
After installing the software, in /etc/shibboleth:
- replace the supplied shibboleth2.xml and attribute-map.xml with Shibboleth2.xml - internal use skeleton and Attribute-map.xml - internal use skeleton respectively.
- find all occurrences of 'FIX-ME' in the new shibboleth2.xml and replace them as directed in the adjacent comments (see Editing XML and EntityIDs for useful background).
Run (as root)
/usr/sbin/shibd -t
and expect to see "overall configuration is loadable, check console for non-fatal problems". Fix any reported mistakes.
Start shibd (as root) with
/etc/init.d/shibd start
or restart it if it's already running with
/etc/init.d/shibd restart
[Note: "Starting shibd listener failed to enter listen loop" means that you were not root]. See /var/log/shibboleth/shibd.log for startup messages. The Shibboleth packages will have already set shibd to restart on boot.
(Re-)start Apache. In case of failure see /var/log/apache2/error_log
Before you can proceed any further you will need to register you SP, at least with the 'Ucam federation'. See SP registration for details.
Access http://<hostname>/secure/. You should be redirected to Raven to authenticate, be asked to accept release of your information, and then see a 404 error page from your server (because you have no content in the requested location). See /var/log/apache2/error_log, /var/log/shibboleth/shibd.log and /var/log/shibboleth/transaction.log for clues if something goes wrong. Feel free to create some content in /srv/www/htdocs/secure/ for a better demonstration.
Assuming this works, visit http://<hostname>/Shibboleth.sso/Session to check that attribute information is being released to your SP. You should see a page containing something like:
Attributes ---------- affiliation: member@cam.ac.uk;member@eresources.lib.cam.ac.uk entitlement: urn:mace:dir:entitlement:common-lib-terms eppn: fjc55@cam.ac.uk
along with other things.
You now have a web server running the Shibboleth SP software and protecting the content of http://<hostname>/secure/ by requiring an authenticated Raven login (by anyone). Where you go from here depends on what you want to do. Topics to consider include:
