Installing SP2.x under Linux: Difference between revisions
(Drop prefork recommendation - the Shib wiki seems to recommend worker...)
Revision as of 20:06, 20 June 2012
These instructions apply to installs either using RPMs provided by the Shibboleth Consortium, or using native packages available in Debian/Ubuntu. See NativeSPLinuxInstall in the Shib Wiki for instructions on installing in other versions of Linux, and then adapt these instructions accordingly.
These instructions assume that your web server serves a single site - virtual hosting issues are addressed elsewhere.
Installation
RPMs
Currently (June 2012) the Shib Consortium provide RPMs for Red Hat Enterprise and CentOS 5, 6 (i386 and x86_64); SUSE Linux Enterprise Server 9, 10, 11, 11-SP1 (i386 and x86_64); and OpenSUSE Linux 11.0, 11.1, 11.2, 11.3, 11.4, 12.1 (i386 and x86_64).
Follow the instructions at https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxRPMInstall to install an appropriate set of RPMs.
For SLES10 and zypper it is possible to use the Yum repository by adding it with
zypper sa http://download.opensuse.org/repositories/security:/shibboleth/SLE_10/
after which the Shibboleth software can be installed with
zypper in shibboleth
Debian/Ubuntu
Currently (June 2012) Debian includes a package of version 2.3.1 of the SP software in squeeze (stable), and a version of 2.4.3 in squeeze-backports, wheezy (testing) and sid (unstable).
Ubuntu includes a package of version 2.3.1 in lucid (10.04LTS) and natty (11.04), and a package of 2.4.3 in oneiric (11.10), precise (12.04LTS), and quantal (12.10, in development). hardy (8.04LTS) only contained a package of the now unsupported version 1.3.
In all cases, the distribution-supplied version of the SP software can be installed by installing the libapache2-mod-shib2 package and its dependencies, e.g.:
apt-get install libapache2-mod-shib2
and enabling it:
a2enmod shib2
Then run shib-keygen to create a key and self-signed X.509 certificate for the Shibboleth SP to use:
shib-keygen
The key is stored in /etc/shibboleth/sp-key.pem and the certificate in /etc/shibboleth/sp-cert.pem.
Subsequent configuration
After installing the software, in /etc/shibboleth:
- replace the supplied shibboleth2.xml and attribute-map.xml with the 'Shibboleth2.xml - internal use skeleton' and 'Attribute-map.xml - internal use skeleton' versions respectively.
- find all occurrences of 'FIX-ME' in the new shibboleth2.xml and replace them as directed in the adjacent comments (see 'Editing XML' and 'EntityIDs' for useful background).
Run (as root)
/usr/sbin/shibd -t
and expect to see "overall configuration is loadable, check console for non-fatal problems". Fix any reported mistakes.
Start shibd (as root) with
/etc/init.d/shibd start
or restart it if it's already running with
/etc/init.d/shibd restart
[Note: "Starting shibd listener failed to enter listen loop" means that you were not root]. See /var/log/shibboleth/shibd.log for startup messages. The Shibboleth packages will have already set shibd to restart on boot.
(Re-)start Apache. In case of failure see /var/log/apache2/error_log.
Before you can proceed any further you will need to register your SP, at least with the 'Ucam federation'. See SP registration for details.
Access http://<hostname>/secure/. You should be redirected to Raven to authenticate, be asked to accept release of your information, and then see a 404 error page from your server (because you have no content in the requested location). See /var/log/apache2/error_log, /var/log/shibboleth/shibd.log and /var/log/shibboleth/transaction.log for clues if something goes wrong. Feel free to create some content in /srv/www/htdocs/secure/ for a better demonstration.
Assuming this works, visit http://<hostname>/Shibboleth.sso/Session to check that attribute information is being released to your SP. You should see a page containing something like:
Attributes
----------
affiliation: member@cam.ac.uk;member@eresources.lib.cam.ac.uk
entitlement: urn:mace:dir:entitlement:common-lib-terms
eppn: fjc55@cam.ac.uk
along with other things.
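The following check script ties together the steps above: it confirms no 'FIX-ME' placeholders remain in shibboleth2.xml before shibd -t is run, recognises the "overall configuration is loadable" message, checks that the sp-key.pem written by shib-keygen is not readable by others, and verifies that the /Shibboleth.sso/Session page lists the attributes you expect. It is an added example, not code from the original page or from the Shibboleth project; it assumes the /etc/shibboleth paths and the shibd -t message quoted in the text.

```shell
#!/bin/sh
# Added post-install checks; not from the original page. Assumed paths follow
# the text: /etc/shibboleth/shibboleth2.xml and /etc/shibboleth/sp-key.pem.

# Print how many lines of a config file still contain the FIX-ME placeholder.
# Run 'shibd -t' only once this prints 0.
count_fixme() {
    [ -f "$1" ] || { echo "missing file: $1" >&2; return 1; }
    grep -c 'FIX-ME' "$1" || true   # grep exits 1 when the count is 0
}

# Return 0 when the captured output of 'shibd -t' ($1) reports a loadable config.
config_loadable() {
    printf '%s\n' "$1" | grep -q 'overall configuration is loadable'
}

# Return 0 when the SP private key grants no permissions to 'other'.
# (The key should be readable only by the user shibd runs as.)
key_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$mode" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Read the text of /Shibboleth.sso/Session on stdin and check that every
# attribute named in the arguments (e.g. eppn affiliation) is listed.
session_has_attrs() {
    page=$(cat)
    for attr in "$@"; do
        printf '%s\n' "$page" | grep -q "^$attr: " \
            || { echo "attribute not released: $attr" >&2; return 1; }
    done
}

# Run the checks against the live installation (as root, for shibd -t):
#   sh check-sp.sh run
if [ "${1:-}" = "run" ]; then
    n=$(count_fixme /etc/shibboleth/shibboleth2.xml) || exit 1
    [ "$n" = "0" ] || { echo "$n FIX-ME placeholder(s) remain"; exit 1; }
    key_private /etc/shibboleth/sp-key.pem || echo "warning: sp-key.pem is readable by others"
    config_loadable "$(/usr/sbin/shibd -t 2>&1)" && echo "shibd: configuration loadable"
fi
```

To check attribute release, save the Session page text and pipe it in: `curl -s http://<hostname>/Shibboleth.sso/Session | session_has_attrs eppn affiliation` (run from a browser session that has already authenticated, since curl alone has no Shibboleth session).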
You now have a web server running the Shibboleth SP software and protecting the content of http://<hostname>/secure/ by requiring an authenticated Raven login (by anyone). Where you go from here depends on what you want to do. Topics to consider include: