Installing SP2.x under Linux

From RavenWiki
Revision as of 15:41, 4 March 2010 by jw35 (talk | contribs) (Installing SP2.1 under Linux moved to Installing SP2.x under Linux)
Jump to navigationJump to search

These instructions apply specifically to installs on SLES 10 using Internet2-supplied RPMs, which currently (March 2010) support CentOS 5, RHEL 4 and 5, SUSE Linux Enterprise Server 9, 10, 11, and OpenSUSE Linux 11.0 and 11.1), all in i386 and x86_64 versions. See NativeSPLinuxInstall in the Internet2 Wiki for instructions on installing in other versions of Linux, and then adapt these instructions accordingly.

Currently these instructions also assumes you are using the prefork version Apache - this may or may not all work with worker. We also assume that your web server serves a single site - virtual hosting issues are addressed later.

Download and install the apropriate RPMs from OpenSUSE project's Build Service at http://download.opensuse.org/repositories/security://shibboleth/. Download and install the latest RPM for each of the following (you can ignore devel, debuginfo, or docs packages):

log4shib 
xerces-c 
xml-security-c
xmltooling
opensaml 
shibboleth 

and any of their dependencies. The Build Service will act as a Yum repository, allowing various package managers to interact with it directly. Details vary between distributions and package managers, but for SLES10 and zypper the apropriate repository can be added with

zypper sa http://download.opensuse.org/repositories/security:/shibboleth/SLE_10/

after which the Shibboleth software can be installed with

zypper in shibboleth

Further information on configuring package manages can be found here and here.

After installing the software, in /etc/shibboleth:

Run (as root)

 /usr/sbin/shibd -t

and expect to see "overall configuration is loadable, check console for non-fatal problems". Fix any reported mistakes.

Start shibd (as root) with

 /etc/init.d/shibd start

[Note: "Starting shibd listener failed to enter listen loop" means that you were not root]. See /var/log/shibboleth/shibd.log for startup messages. The Shibboleth RPM will have already set shibd to restart on boot.

(Re-)start Apache. In case of failure see /var/log/apache2/error_log

Access http://<hostname>/secure/. You should be redirected to Raven to authenticate, be asked to accept release of your information, and then see a 404 error page from your server (because you have no content in the requested location). See /var/log/apache2/error_log, /var/log/shibboleth/shibd.log and /var/log/shibboleth/transaction.log for clues if something goes wrong. Feel free to create some content in /srv/www/htdocs/secure/ for a better demonstration.

Assuming this works, visit http://<hostname>/Shibboleth.sso/Session to check that attribute information is being released to your SP. You should see a page containing something like:

 Attributes
 ----------
 affiliation: member@cam.ac.uk;member@eresources.lib.cam.ac.uk
 entitlement: urn:mace:dir:entitlement:common-lib-terms
 eppn: fjc55@cam.ac.uk

You now have a web server running the Shibboleth SP software and protecting the content of http://<hostname>/secure/ by requiring an authenticated Raven login (by anyone). Where you go from here depends on what you want to do. Topics to consider include: