Installing SP2.x under MacOS: Difference between revisions

From RavenWiki
Latest revision as of 15:10, 5 July 2012

Installing/Configuring Shibboleth for OS Server 10.5.6

Install MacPorts & Shibboleth

Download Mac Ports from http://www.macports.org/install.php and install the .pkg

Open Terminal and type:

$ sudo port install curl +ssl

$ sudo port install shibboleth

The installation of Shibboleth and supporting software will take some time.

Retrieve the Shibboleth profiles

$ cd /opt/local/

$ sudo curl http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/latest/mac/ports.tar | tar xv

Edit /opt/local/etc/macports/sources.conf and add in:

file:///opt/local/ports [nosync]

before the line:

rsync://rsync.macports.org/release/ports/ [default]

This enables Mac Ports access to the non-standard software repository containing Shibboleth.

For first time installs only

Duplicate the standard config files and create the key pair.

$ cd /opt/local/etc/shibboleth

$ ls -1 *.dist | sed -e 's/\.dist//' | xargs -I % sudo cp "%.dist" "%"

$ sudo sh ./keygen.sh

Because the default permissions on the certificate files cause Shibboleth to fail, they need changing:

$ sudo chmod 740 sp-key.pem

$ sudo chmod 644 sp-cert.pem

Disabling Intel 64 bit architecture for Apache

Shibboleth is currently not compatible with the 64 bit architecture available on newer Macs. To check, run the following command in Terminal:

$ sysctl hw.cpu64bit_capable

If the result is 1 then do the following steps, otherwise skip to the 'Create the Shibboleth log file' section.

$ sudo emacs /usr/sbin/apachectl

Change the HTTPD variable from:

HTTPD='/usr/sbin/httpd'

to:

HTTPD='arch -i386 /usr/sbin/httpd'

Add the following 2 lines to the <array> element in /System/Library/LaunchDaemons/org.apache.httpd.plist:

<string>arch</string>
<string>-i386</string>

The array element should look like this when done:

        <array>
                <string>arch</string>
                <string>-i386</string>
                <string>/usr/sbin/httpd</string>
                <string>-D</string>
                <string>FOREGROUND</string>
        </array>

Create the Shibboleth log file

$ sudo touch /opt/local/var/log/httpd/native.log

$ sudo chown _www /opt/local/var/log/httpd/native.log

Ensure SSL is enabled for the website

Using Server Admin, select the Web | Sites pane, choose the website and enable SSL from the Security tab.

Configuring Apache

Add the following to the /etc/apache2/httpd.conf file:

Include /opt/local/etc/shibboleth/apache22.config

If you are not using Apache v2.2 then edit the above line appropriately, according to the contents of the /opt/local/etc/shibboleth/ directory.

Ensure that the ServerName directive is set correctly and UseCanonicalName is set to On.

Download the Shibboleth configuration templates

$ cd /opt/local/etc/shibboleth/

$ sudo curl http://raven.cam.ac.uk/project/shibboleth/files/config/shibboleth2.xml-UCAMSKEL -o shibboleth2.xml

$ sudo curl http://raven.cam.ac.uk/project/shibboleth/files/config/attribute-map.xml-UCAMSKEL -o attribute-map.xml

Edit the config files and look for the FIX-ME flags highlighting required edits to the files. See https://wiki.csx.cam.ac.uk/raven/Shibboleth_documentation_and_HOWTOs#Deploying_Shibboleth_SPs_in_the_University for more info.

Once configured check the syntax with:

$ /opt/local/sbin/shibd -t

A correctly configured install will return 'overall configuration is loadable, check console for non-fatal problems'. If not, check syntax and try again.

Starting the service

Set shib to load at startup:

$ sudo launchctl load -w /Library/LaunchDaemons/org.macports.shibd.plist

Start Apache:

$ sudo apachectl start

Before you can proceed any further you will need to register your SP, at least with Raven. See SP registration for details.

Test your page!

Reloading the service

Any changes to the shib config may require both shibd and apache to be reloaded:

$ sudo launchctl unload -w /Library/LaunchDaemons/org.macports.shibd.plist

$ sudo launchctl load -w /Library/LaunchDaemons/org.macports.shibd.plist

$ sudo apachectl restart

You may care to script this to save your sanity when making lots of changes/testing.
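One way to script the reload described above, as an added example that is not part of the original wiki page: it refuses to bounce shibd and Apache unless shibd -t still reports a loadable configuration and sp-key.pem is not readable by other users (the chmod 740 from the first-time install section satisfies that). The paths are the MacPorts defaults quoted on the page; the script name shib-reload.sh and the SHIBD/SHIB_ETC/SHIBD_PLIST override variables are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the RavenWiki page: a guarded reload helper for
# the Shibboleth SP on OS X Server. Paths are the MacPorts defaults named on
# the page; the environment variables below are assumed overrides.
SHIBD="${SHIBD:-/opt/local/sbin/shibd}"
SHIB_ETC="${SHIB_ETC:-/opt/local/etc/shibboleth}"
SHIBD_PLIST="${SHIBD_PLIST:-/Library/LaunchDaemons/org.macports.shibd.plist}"

# Returns 0 if DIR/sp-key.pem exists and grants no permission bits to
# "other" (mode 740 passes; a key left at 644 fails).
key_is_private() {
    key="$1/sp-key.pem"
    [ -f "$key" ] || return 1
    # characters 8-10 of "ls -l" output are the permission bits for "other"
    [ "$(ls -ld "$key" | cut -c8-10)" = "---" ]
}

# Returns 0 if "<shibd> -t" exits cleanly and prints the success message the
# page quotes; anything else (syntax error, missing file) is a failure.
config_loads() {
    out=$("$1" -t 2>&1) || return 1
    printf '%s\n' "$out" | grep -q 'overall configuration is loadable'
}

# The three commands from the "Reloading the service" section, run in order
# and stopping at the first failure.
reload_services() {
    sudo launchctl unload -w "$SHIBD_PLIST" &&
    sudo launchctl load -w "$SHIBD_PLIST" &&
    sudo apachectl restart
}

main() {
    if ! key_is_private "$SHIB_ETC"; then
        echo "refusing to reload: $SHIB_ETC/sp-key.pem is readable by others" >&2
        return 1
    fi
    if ! config_loads "$SHIBD"; then
        echo "refusing to reload: '$SHIBD -t' did not report a loadable configuration" >&2
        return 1
    fi
    reload_services
}

# Only run main when executed as shib-reload.sh, so the checks above can
# also be sourced from another script.
case "$0" in */shib-reload.sh|shib-reload.sh) main "$@" ;; esac
```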

Logging

Check the following locations for logging info:

/opt/local/var/log/shibboleth/shibd.log

/opt/local/var/log/shibboleth/transaction.log

/var/log/apache2/access.log

/var/log/apache2/error.log

More information

Most of this document was cribbed together from the following sources:

https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMacInstall

https://wiki.csx.cam.ac.uk/raven/Shibboleth_documentation_and_HOWTOs#Deploying_Shibboleth_SPs_in_the_University