Installing SP2.x under MacOS

From RavenWiki
Revision as of 15:46, 4 March 2010 by jw35 (talk | contribs) (Installing SP2.1 under MacOS moved to Installing SP2.x under MacOS)

This page is still a work in progress. Caveat emptor and all that...

Installing/Configuring Shibboleth for OS X Server 10.5.6

Install MacPorts & Shibboleth

Download Mac Ports from http://www.macports.org/install.php and install the .pkg

Open Terminal and type:

$ sudo port install curl +ssl

$ sudo port install shibboleth

The installation of Shibboleth and supporting software will take some time.

Retrieve the Shibboleth profiles

$ cd /opt/local/

$ sudo curl http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/latest/mac/ports.tar | tar xv

Edit /opt/local/etc/macports/sources.conf and add in:

file:///opt/local/ports	[nosync]

before the line:

rsync://rsync.macports.org/release/ports/ [default]

This enables Mac Ports access to the non-standard software repository containing Shibboleth.

For first time installs only

Duplicate the standard config files and create the key pair.

$ cd /opt/local/etc/shibboleth

$ ls -1 *.dist | sed -e 's/\.dist//' | xargs -I % sudo cp "%.dist" "%"

$ sudo sh ./keygen.sh

As the default permissions on the cert files cause Shibboleth to fail, they need changing:

$ sudo chmod 740 sp-key.pem

$ sudo chmod 644 sp-cert.pem

Disabling Intel 64 bit architecture for Apache

Shibboleth is currently not compatible with the 64 bit architecture available on newer Macs. To check, run the following command in Terminal:

$ sysctl hw.cpu64bit_capable

If the result is 1 then do the following steps, otherwise skip to the 'Create the Shibboleth log file' section.

$ sudo emacs /usr/sbin/apachectl

change HTTPD variable from:

HTTPD='/usr/sbin/httpd'

to:

HTTPD='arch -i386 /usr/sbin/httpd'

Add the following 2 lines to the <array> element in /System/Library/LaunchDaemons/org.apache.httpd.plist:

<string>arch</string>
<string>-i386</string>

The array element should look like this when done:

    <array>
        <string>arch</string>
        <string>-i386</string>
        <string>/usr/sbin/httpd</string>
        <string>-D</string>
        <string>FOREGROUND</string>
    </array>

Create the Shibboleth log file

$ sudo touch /opt/local/var/log/httpd/native.log

$ sudo chown _www /opt/local/var/log/httpd/native.log

Ensure SSL is enabled for the website

Using Server Admin, select the Web | Sites pane, choose the website and enable SSL from the Security tab.

Configuring Apache

Add the following to the /etc/apache2/httpd.conf file:

Include /opt/local/etc/shibboleth/apache22.config

If you are not using apache v2.2 then edit the above line appropriately according to the contents of the /opt/local/etc/shibboleth/ directory.

Ensure that the ServerName directive is set correctly and UseCanonicalName is set to On.

Download the Shibboleth configuration templates

$ cd /opt/local/etc/shibboleth/

$ sudo curl http://raven.cam.ac.uk/project/shibboleth/files/config/shibboleth2.xml-UCAMSKEL -o shibboleth2.xml

$ sudo curl http://raven.cam.ac.uk/project/shibboleth/files/config/attribute-map.xml-UCAMSKEL -o attribute-map.xml

Edit the config files and look for the FIX-ME flags highlighting required edits to the files. See https://wiki.csx.cam.ac.uk/raven/Shibboleth_documentation_and_HOWTOs#Deploying_Shibboleth_SPs_in_the_University for more info.

Once configured check the syntax with:

$ /opt/local/sbin/shibd -t

A correctly configured install will return 'overall configuration is loadable, check console for non-fatal problems'. If not, check syntax and try again.

Starting the service

Set shib to load at startup:

$ sudo launchctl load -w /Library/LaunchDaemons/org.macports.shibd.plist

Start Apache:

$ sudo apachectl start

Test your page!

Reloading the service

Any changes to the shib config may require both shibd and apache to be reloaded:

$ sudo launchctl unload -w /Library/LaunchDaemons/org.macports.shibd.plist

$ sudo launchctl load -w /Library/LaunchDaemons/org.macports.shibd.plist

$ sudo apachectl restart

You may care to script this to save your sanity when making lots of changes/testing.
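The reload sequence above and the key-permission step under 'For first time installs only' are the two things most likely to go wrong between edits, so here is the sort of helper the previous sentence invites. It is an added example, not code from the RavenWiki page or the Shibboleth project; it assumes the paths the page uses (each can be overridden through the environment) and that it is run as root, since launchctl and apachectl need it. Before bouncing anything it checks that sp-key.pem is not readable by others, that httpd.conf carries the Include, ServerName and UseCanonicalName On directives from 'Configuring Apache', and that shibd -t reports the loadable-configuration line quoted earlier, so a broken edit never takes a working SP down.

```shell
#!/bin/sh
# reload-sp.sh: added example, not from the RavenWiki page or the Shibboleth project.
# Checks the things the page says break the SP (private-key permissions, the
# Apache directives, shibd -t) and only then bounces shibd and Apache.
# Usage (as root):  sudo sh reload-sp.sh check|reload
# Paths default to the ones the page uses; override them via the environment.
SHIB_ETC="${SHIB_ETC:-/opt/local/etc/shibboleth}"
SHIBD="${SHIBD:-/opt/local/sbin/shibd}"
SHIBD_PLIST="${SHIBD_PLIST:-/Library/LaunchDaemons/org.macports.shibd.plist}"
HTTPD_CONF="${HTTPD_CONF:-/etc/apache2/httpd.conf}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the reload commands instead of running them

# run CMD...: execute CMD, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "would run: $*"
    else
        "$@"
    fi
}

# key_perms_ok FILE: true if FILE exists and its "other" permission bits are all
# off, i.e. the SP private key is not world-readable (the page sets it to 0740).
# ls -ld is used rather than stat because stat's flags differ between BSD and GNU.
key_perms_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# httpd_conf_ok FILE: true if the Apache config carries the three directives the
# page requires: the shibboleth Include, a ServerName, and UseCanonicalName On.
httpd_conf_ok() {
    [ -r "$1" ] || return 1
    grep -Eiq '^[[:space:]]*Include[[:space:]]+/opt/local/etc/shibboleth/apache[0-9]+\.config' "$1" &&
    grep -Eiq '^[[:space:]]*ServerName[[:space:]]+[^[:space:]]+' "$1" &&
    grep -Eiq '^[[:space:]]*UseCanonicalName[[:space:]]+On[[:space:]]*$' "$1"
}

# config_ok: run shibd -t and look for the success line the page quotes.
config_ok() {
    [ -x "$SHIBD" ] || { echo "shibd not found at $SHIBD" >&2; return 1; }
    out=$("$SHIBD" -t 2>&1 || true)
    echo "$out" | grep -q 'overall configuration is loadable'
}

# preflight: run every check, report each failure, fail if any did.
preflight() {
    rc=0
    key_perms_ok "$SHIB_ETC/sp-key.pem" ||
        { echo "FAIL: $SHIB_ETC/sp-key.pem is missing or readable by others" >&2; rc=1; }
    httpd_conf_ok "$HTTPD_CONF" ||
        { echo "FAIL: $HTTPD_CONF lacks the shibboleth Include, ServerName or UseCanonicalName On" >&2; rc=1; }
    config_ok ||
        { echo "FAIL: '$SHIBD -t' did not report a loadable configuration" >&2; rc=1; }
    return $rc
}

# reload_sp: the page's unload/load/restart sequence, unchanged.
reload_sp() {
    run launchctl unload -w "$SHIBD_PLIST"
    run launchctl load -w "$SHIBD_PLIST"
    run apachectl restart
}

case "${1:-}" in
    check)  preflight ;;
    reload) preflight && reload_sp ;;
    "")     ;;   # no argument: only define the functions (lets the file be sourced)
    *)      echo "usage: $0 check|reload" >&2; exit 2 ;;
esac
```

Run `sudo sh reload-sp.sh check` after each edit to see what is wrong without restarting anything, and `sudo sh reload-sp.sh reload` when the checks pass; `DRY_RUN=1` shows the commands it would issue, which is handy when trying it on a machine that is not the SP.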

Logging

Check the following locations for logging info:

/opt/local/var/log/shibboleth/shibd.log

/opt/local/var/log/shibboleth/transaction.log

/var/log/apache2/access.log

/var/log/apache2/error.log

More information

Most of this document was cribbed together from the following sources:

https://spaces.internet2.edu/display/SHIB2/NativeSPMacInstall

https://wiki.csx.cam.ac.uk/raven/Shibboleth_documentation_and_HOWTOs#Deploying_Shibboleth_SPs_in_the_University