Installing SP2.x under Linux: Difference between revisions
No edit summary |
(Update available RPMs; add Debian/Ubuntu details) |
||
| Line 1: | Line 1: | ||
These instructions apply to installs using Internet2 | These instructions apply to installs either using RPMs provided by Internet2, or using native packages available in Debian/Ubuntu. See [https://spaces.internet2.edu/display/SHIB2/NativeSPLinuxInstall NativeSPLinuxInstall] in the Internet2 Wiki for instructions on installing in other versions of Linux, and then adapt these instructions accordingly. | ||
Currently these instructions also | Currently these instructions also assume you are using the ''prefork'' version Apache - this may or may not all work with ''worker''. We also assume that your web server serves a single site - [[Virtual hosting issues with Shibboleth | virtual hosting issues]] are addressed later. | ||
Download and install the | ==Installation== | ||
===RPMs=== | |||
Currently (January 2011) Internet2 provide RPMs for support CentOS 5, RHEL 4, 5 and 6, SUSE Linux Enterprise Server 9, 10, 11 and 11_SP1, and OpenSUSE Linux 11.1, 11.2 and 11.3, all in i386 and x86_64 versions. | |||
Download and install the appropriate RPMs from OpenSUSE project's Build Service at http://download.opensuse.org/repositories/security://shibboleth/. Download and install the latest RPM for each of the following (you can ignore devel, debuginfo, or docs packages): | |||
log4shib | log4shib | ||
| Line 12: | Line 18: | ||
shibboleth | shibboleth | ||
and any of their dependencies. The Build Service will act as a Yum repository, allowing various package managers to interact with it directly. Details vary between distributions and package managers, but for SLES10 and <tt>zypper</tt> the | and any of their dependencies. The Build Service will act as a Yum repository, allowing various package managers to interact with it directly. Details vary between distributions and package managers, but for SLES10 and <tt>zypper</tt> the appropriate repository can be added with | ||
zypper sa http://download.opensuse.org/repositories/security:/shibboleth/SLE_10/ | zypper sa http://download.opensuse.org/repositories/security:/shibboleth/SLE_10/ | ||
| Line 21: | Line 27: | ||
Further information on configuring package manages can be found [https://spaces.internet2.edu/display/SHIB2/NativeSPLinuxRPMInstall here] and [http://en.opensuse.org/Build_Service/User here]. | Further information on configuring package manages can be found [https://spaces.internet2.edu/display/SHIB2/NativeSPLinuxRPMInstall here] and [http://en.opensuse.org/Build_Service/User here]. | ||
===Debian/Ubuntu=== | |||
Currently (January 2011) Debian includes a package of version 2.3.1 of the SP software in squeeze (testing) and sid (unstable). lenny (stable) comes with a package of version 2.0 which is unlikely to work with these instructions as they stand, but the lenny-backports distribution includes version 2.3.1. | |||
Ubuntu includes a package of version 2.3.1 in lucid (10.04LTS), maverick (10.10) and natty. karmic (9.10) contained a package of version 2.1 which is unlikely to work with these instructions as they stand. hardy (8.04LTS) only contained a package of the now unsupported version 1.3. | |||
In all cases, the distribution-supplied version of the SP software can be instaleld by installing the libapache2-mod-shib2 package and its dependancies, e.g.: | |||
apt-get install libapache2-mod-shib2 | |||
==Subsequent configuration== | |||
After installing the software, in /etc/shibboleth: | After installing the software, in /etc/shibboleth: | ||
| Line 32: | Line 50: | ||
Start shibd (as root) with | Start shibd (as root) with | ||
/etc/init.d/shibd start | /etc/init.d/shibd start | ||
[Note: "Starting shibd listener failed to enter listen loop" means that you were not root]. See /var/log/shibboleth/shibd.log for startup messages. The Shibboleth | or restart it if it's already running with | ||
etc/init.d/shibd restart | |||
[Note: "Starting shibd listener failed to enter listen loop" means that you were not root]. See /var/log/shibboleth/shibd.log for startup messages. The Shibboleth packages will have already set shibd to restart on boot. | |||
(Re-)start Apache. In case of failure see /var/log/apache2/error_log | (Re-)start Apache. In case of failure see /var/log/apache2/error_log | ||
Revision as of 14:50, 28 January 2011
These instructions apply to installs either using RPMs provided by Internet2, or using native packages available in Debian/Ubuntu. See NativeSPLinuxInstall in the Internet2 Wiki for instructions on installing in other versions of Linux, and then adapt these instructions accordingly.
Currently these instructions also assume you are using the prefork version Apache - this may or may not all work with worker. We also assume that your web server serves a single site - virtual hosting issues are addressed later.
Installation
RPMs
Currently (January 2011) Internet2 provide RPMs for support CentOS 5, RHEL 4, 5 and 6, SUSE Linux Enterprise Server 9, 10, 11 and 11_SP1, and OpenSUSE Linux 11.1, 11.2 and 11.3, all in i386 and x86_64 versions.
Download and install the appropriate RPMs from OpenSUSE project's Build Service at http://download.opensuse.org/repositories/security://shibboleth/. Download and install the latest RPM for each of the following (you can ignore devel, debuginfo, or docs packages):
log4shib xerces-c xml-security-c xmltooling opensaml shibboleth
and any of their dependencies. The Build Service will act as a Yum repository, allowing various package managers to interact with it directly. Details vary between distributions and package managers, but for SLES10 and zypper the appropriate repository can be added with
zypper sa http://download.opensuse.org/repositories/security:/shibboleth/SLE_10/
after which the Shibboleth software can be installed with
zypper in shibboleth
Further information on configuring package manages can be found here and here.
Debian/Ubuntu
Currently (January 2011) Debian includes a package of version 2.3.1 of the SP software in squeeze (testing) and sid (unstable). lenny (stable) comes with a package of version 2.0 which is unlikely to work with these instructions as they stand, but the lenny-backports distribution includes version 2.3.1.
Ubuntu includes a package of version 2.3.1 in lucid (10.04LTS), maverick (10.10) and natty. karmic (9.10) contained a package of version 2.1 which is unlikely to work with these instructions as they stand. hardy (8.04LTS) only contained a package of the now unsupported version 1.3.
In all cases, the distribution-supplied version of the SP software can be instaleld by installing the libapache2-mod-shib2 package and its dependancies, e.g.:
apt-get install libapache2-mod-shib2
Subsequent configuration
After installing the software, in /etc/shibboleth:
- replace the supplied shibboleth2.xml and attribute-map.xml with Shibboleth2.xml - internal use skeleton and Attribute-map.xml - internal use skeleton respectively.
- find all occurrences of 'FIX-ME' in the new shibboleth2.xml and replace them as directed in the adjacent comments (see Editing XML and EntityIDs for useful background).
Run (as root)
/usr/sbin/shibd -t
and expect to see "overall configuration is loadable, check console for non-fatal problems". Fix any reported mistakes.
Start shibd (as root) with
/etc/init.d/shibd start
or restart it if it's already running with
etc/init.d/shibd restart
[Note: "Starting shibd listener failed to enter listen loop" means that you were not root]. See /var/log/shibboleth/shibd.log for startup messages. The Shibboleth packages will have already set shibd to restart on boot.
(Re-)start Apache. In case of failure see /var/log/apache2/error_log
Access http://<hostname>/secure/. You should be redirected to Raven to authenticate, be asked to accept release of your information, and then see a 404 error page from your server (because you have no content in the requested location). See /var/log/apache2/error_log, /var/log/shibboleth/shibd.log and /var/log/shibboleth/transaction.log for clues if something goes wrong. Feel free to create some content in /srv/www/htdocs/secure/ for a better demonstration.
Assuming this works, visit http://<hostname>/Shibboleth.sso/Session to check that attribute information is being released to your SP. You should see a page containing something like:
Attributes ---------- affiliation: member@cam.ac.uk;member@eresources.lib.cam.ac.uk entitlement: urn:mace:dir:entitlement:common-lib-terms eppn: fjc55@cam.ac.uk
You now have a web server running the Shibboleth SP software and protecting the content of http://<hostname>/secure/ by requiring an authenticated Raven login (by anyone). Where you go from here depends on what you want to do. Topics to consider include:
