Installing SP2.x under Linux: Difference between revisions

From RavenWiki
Jump to navigationJump to search
No edit summary
 
(5 intermediate revisions by one other user not shown)
Line 1: Line 1:
These instructions apply to installs either using RPMs provided by Internet2, or using native packages available in Debian/Ubuntu. See [https://spaces.internet2.edu/display/SHIB2/NativeSPLinuxInstall NativeSPLinuxInstall] in the Internet2 Wiki for instructions on installing in other versions of Linux, and then adapt these instructions accordingly.
These instructions apply to installs either using RPMs provided by the Shibboleth Consortium, or using native packages available in Debian/Ubuntu. See [https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxInstall NativeSPLinuxInstall] in the Shib Wiki for instructions on installing in other versions of Linux, and then adapt these instructions accordingly.


Currently these instructions also assume you are using the ''prefork'' version Apache - this may or may not all work with ''worker''. We also assume that your web server serves a single site - [[Virtual hosting issues with Shibboleth | virtual hosting issues]] are addressed later.
These instructions assume that your web server serves a single site - [[Virtual hosting issues with Shibboleth | virtual hosting issues]] are addressed elsewhere.


==Installation==
==Installation==
Line 7: Line 7:
===RPMs===
===RPMs===


Currently (January 2011) Internet2 provide RPMs for support CentOS 5, RHEL 4, 5 and 6, SUSE Linux Enterprise Server 9, 10, 11 and 11_SP1, and OpenSUSE Linux 11.1, 11.2 and 11.3, all in i386 and x86_64 versions.  
Currently (June 2012) the Shib Consortium provide RPMs for Red Hat Enterprise and CentOS 5, 6 (i386 and x86_64); SUSE Linux Enterprise Server 9, 10, 11, 11-SP1 (i386 and x86_64); and OpenSUSE Linux 11.0, 11.1, 11.2, 11.3, 11.4, 12.1 (i386 and x86_64).  


Download and install the appropriate RPMs from OpenSUSE project's Build Service at http://download.opensuse.org/repositories/security://shibboleth/. Download and install the latest RPM for each of the following (you can ignore devel, debuginfo, or docs packages):
Follow the instructions at https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxRPMInstall


log4shib
to install an apropriate set of RPMs.
xerces-c
xml-security-c
xmltooling
opensaml
shibboleth


and any of their dependencies. The Build Service will act as a Yum repository, allowing various package managers to interact with it directly. Details vary between distributions and package managers, but for SLES10 and <tt>zypper</tt> the appropriate repository can be added with
For SLES10 and <tt>zypper</tt> it's possible to use Yum repository by adding the appropriate repository with


  zypper sa http://download.opensuse.org/repositories/security:/shibboleth/SLE_10/
  zypper sa http://download.opensuse.org/repositories/security:/shibboleth/SLE_10/
Line 25: Line 20:
   
   
  zypper in shibboleth
  zypper in shibboleth
Further information on configuring package manages can be found [https://spaces.internet2.edu/display/SHIB2/NativeSPLinuxRPMInstall here] and [http://en.opensuse.org/Build_Service/User here].


===Debian/Ubuntu===
===Debian/Ubuntu===
<!-- See http://www.debian.org/distrib/packages and search for 'shib' in all distributions for help updating this-->
<!-- See http://packages.ubuntu.com/ and search for 'shib' in all distributions for help updating this-->
{| class="wikitable"
! distro !! release !! package !! version
|-
| Debian || 6 Squeeze<sup>1</sup> || libapache2-mod-shib2 || 2.3.1
|-
| Debian || 7 Wheezy<sup>1</sup>  || libapache2-mod-shib2 || 2.4.3
|-
| Debian || 8 Jessie<sup>1</sup> || libapache2-mod-shib2 || 2.5.3
|-
| Debain || 9 Stretch<sup>1</sup> || libapache2-mod-shib2 || 2.6.0
|-
| Debain || 10 Buster<sup>1</sup> || libapache2-mod-shib || 3.0.4
|-
| Ubuntu || 10.04 Lucid || libapache2-mod-shib2 || 2.3.1
|-
| Ubuntu || 11.04 Natty || libapache2-mod-shib2 || 2.3.1
|-
| Ubuntu || 11.10 Oneric || libapache2-mod-shib2 || 2.4.3
|-
| Ubuntu || 12.04 Precise || libapache2-mod-shib2 || 2.4.3
|-
| Ubuntu || 12.10 Quantal || libapache2-mod-shib2 || 2.4.3
|-
| Ubuntu || 16.04 Xenial || libapache2-mod-shib2 || 2.5.3
|-
| Ubuntu || 18.04 Bionic<sup>2</sup> || libapache2-mod-shib2 || 2.6.1
|-
| Ubuntu || 18.10 Cosmic || libapache2-mod-shib || 3.0.2
|-
| Ubuntu || 19.04 Disco || libapache2-mod-shib || 3.0.4
|}


Currently (January 2011) Debian includes a package of version 2.3.1 of the SP software in squeeze (testing) and sid (unstable). lenny (stable) comes with a package of version 2.0 which is unlikely to work with these instructions as they stand, but the lenny-backports distribution includes version 2.3.1.
In all cases, the distribution-supplied version of the SP software can be enabled via:
 
Ubuntu includes a package of version 2.3.1 in lucid (10.04LTS), maverick (10.10) and natty. karmic (9.10) contained a package of version 2.1 which is unlikely to work with these instructions as they stand. hardy (8.04LTS) only contained a package of the now unsupported version 1.3.
 
In all cases, the distribution-supplied version of the SP software can be instaleld by installing the libapache2-mod-shib2 package and its dependencies, e.g.:
 
  apt-get install libapache2-mod-shib2
 
and enabling it:
 
a2enmod shib2


  a2enmod shib2


Then run shib-keygen to create a key and self-signed X.509 certificate for the Shibboleth SP to use:
Then run shib-keygen to create a key and self-signed X.509 certificate for the Shibboleth SP to use:
Line 48: Line 65:


The key is stored in /etc/shibboleth/sp-key.pem and the certificate in /etc/shibboleth/sp-cert.pem.
The key is stored in /etc/shibboleth/sp-key.pem and the certificate in /etc/shibboleth/sp-cert.pem.
 
 
==== Notes ====
# The backports repo contains the package from the next release.
# The shibboleth packages in bionic still depend on libcurl3, while everything else in the distribution requires libcurl4 and they cannot both be installed. There are some workarounds detailed on the [https://bugs.launchpad.net/ubuntu/+source/xmltooling/+bug/1776489 bug tracker]. Manual compilation may be required.
 
==Subsequent configuration==
==Subsequent configuration==


Line 67: Line 88:
(Re-)start Apache. In case of failure see /var/log/apache2/error_log
(Re-)start Apache. In case of failure see /var/log/apache2/error_log


Before you can proceed any further you will need to register you SP, at least with Raven. See [[SP registration]] for details.
Before you can proceed any further you will need to register you SP, at least with the 'Ucam federation'. See [[SP registration]] for details.


Access <nowiki>http://<hostname>/secure/</nowiki>. You should be redirected to Raven to authenticate, be asked to accept release of your information, and then see a 404 error page from your server (because you have no content in the requested location). See /var/log/apache2/error_log, /var/log/shibboleth/shibd.log and /var/log/shibboleth/transaction.log for clues if something goes wrong. Feel free to create some content in /srv/www/htdocs/secure/ for a better demonstration.  
Access <nowiki>http://<hostname>/secure/</nowiki>. You should be redirected to Raven to authenticate, be asked to accept release of your information, and then see a 404 error page from your server (because you have no content in the requested location). See /var/log/apache2/error_log, /var/log/shibboleth/shibd.log and /var/log/shibboleth/transaction.log for clues if something goes wrong. Feel free to create some content in /srv/www/htdocs/secure/ for a better demonstration.  
Line 78: Line 99:
   entitlement: urn:mace:dir:entitlement:common-lib-terms
   entitlement: urn:mace:dir:entitlement:common-lib-terms
   eppn: fjc55@cam.ac.uk
   eppn: fjc55@cam.ac.uk
along with other things.


You now have a web server running the Shibboleth SP software and protecting the content of <nowiki>http://<hostname>/secure/</nowiki> by requiring an authenticated Raven login (by anyone). Where you go from here depends on what you want to do. Topics to consider include:
You now have a web server running the Shibboleth SP software and protecting the content of <nowiki>http://<hostname>/secure/</nowiki> by requiring an authenticated Raven login (by anyone). Where you go from here depends on what you want to do. Topics to consider include:
* [[SP registration]]
* [[SSL, certificates and security with Shibboleth|Using SSL and certificates]]
* [[SSL, certificates and security with Shibboleth|Using SSL and certificates]]
* [[Configuring Shibboleth access control|Configuring access control]]
* [[Configuring Shibboleth access control|Configuring access control]]
* [[Shibboleth access control using Apache configuration files | Using Apache configuration files]]
* [[Shibboleth access control using Apache configuration files | Using Apache configuration files]]
* [[Virtual hosting issues with Shibboleth|Virtual hosting issues]]
* [[Virtual hosting issues with Shibboleth|Virtual hosting issues]]

Latest revision as of 10:18, 5 June 2019

These instructions apply to installs either using RPMs provided by the Shibboleth Consortium, or using native packages available in Debian/Ubuntu. See NativeSPLinuxInstall in the Shib Wiki for instructions on installing in other versions of Linux, and then adapt these instructions accordingly.

These instructions assume that your web server serves a single site - virtual hosting issues are addressed elsewhere.

Installation

RPMs

Currently (June 2012) the Shib Consortium provide RPMs for Red Hat Enterprise and CentOS 5, 6 (i386 and x86_64); SUSE Linux Enterprise Server 9, 10, 11, 11-SP1 (i386 and x86_64); and OpenSUSE Linux 11.0, 11.1, 11.2, 11.3, 11.4, 12.1 (i386 and x86_64).

Follow the instructions at https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxRPMInstall

to install an apropriate set of RPMs.

For SLES10 and zypper it's possible to use Yum repository by adding the appropriate repository with

zypper sa http://download.opensuse.org/repositories/security:/shibboleth/SLE_10/

after which the Shibboleth software can be installed with

zypper in shibboleth

Debian/Ubuntu

distro release package version
Debian 6 Squeeze1 libapache2-mod-shib2 2.3.1
Debian 7 Wheezy1 libapache2-mod-shib2 2.4.3
Debian 8 Jessie1 libapache2-mod-shib2 2.5.3
Debain 9 Stretch1 libapache2-mod-shib2 2.6.0
Debain 10 Buster1 libapache2-mod-shib 3.0.4
Ubuntu 10.04 Lucid libapache2-mod-shib2 2.3.1
Ubuntu 11.04 Natty libapache2-mod-shib2 2.3.1
Ubuntu 11.10 Oneric libapache2-mod-shib2 2.4.3
Ubuntu 12.04 Precise libapache2-mod-shib2 2.4.3
Ubuntu 12.10 Quantal libapache2-mod-shib2 2.4.3
Ubuntu 16.04 Xenial libapache2-mod-shib2 2.5.3
Ubuntu 18.04 Bionic2 libapache2-mod-shib2 2.6.1
Ubuntu 18.10 Cosmic libapache2-mod-shib 3.0.2
Ubuntu 19.04 Disco libapache2-mod-shib 3.0.4

In all cases, the distribution-supplied version of the SP software can be enabled via:

 a2enmod shib2 

Then run shib-keygen to create a key and self-signed X.509 certificate for the Shibboleth SP to use:

 shib-keygen

The key is stored in /etc/shibboleth/sp-key.pem and the certificate in /etc/shibboleth/sp-cert.pem.

Notes

  1. The backports repo contains the package from the next release.
  2. The shibboleth packages in bionic still depend on libcurl3, while everything else in the distribution requires libcurl4 and they cannot both be installed. There are some workarounds detailed on the bug tracker. Manual compilation may be required.

Subsequent configuration

After installing the software, in /etc/shibboleth:

Run (as root)

 /usr/sbin/shibd -t

and expect to see "overall configuration is loadable, check console for non-fatal problems". Fix any reported mistakes.

Start shibd (as root) with

 /etc/init.d/shibd start

or restart it if it's already running with

 /etc/init.d/shibd restart

[Note: "Starting shibd listener failed to enter listen loop" means that you were not root]. See /var/log/shibboleth/shibd.log for startup messages. The Shibboleth packages will have already set shibd to restart on boot.

(Re-)start Apache. In case of failure see /var/log/apache2/error_log

Before you can proceed any further you will need to register you SP, at least with the 'Ucam federation'. See SP registration for details.

Access http://<hostname>/secure/. You should be redirected to Raven to authenticate, be asked to accept release of your information, and then see a 404 error page from your server (because you have no content in the requested location). See /var/log/apache2/error_log, /var/log/shibboleth/shibd.log and /var/log/shibboleth/transaction.log for clues if something goes wrong. Feel free to create some content in /srv/www/htdocs/secure/ for a better demonstration.

Assuming this works, visit http://<hostname>/Shibboleth.sso/Session to check that attribute information is being released to your SP. You should see a page containing something like:

 Attributes
 ----------
 affiliation: member@cam.ac.uk;member@eresources.lib.cam.ac.uk
 entitlement: urn:mace:dir:entitlement:common-lib-terms
 eppn: fjc55@cam.ac.uk

along with other things.

You now have a web server running the Shibboleth SP software and protecting the content of http://<hostname>/secure/ by requiring an authenticated Raven login (by anyone). Where you go from here depends on what you want to do. Topics to consider include: