Home > Open Source > Shibboleth > Shibboleth IdP 2安装手记

«

»

十一 27 2009

Print this 文章

Shibboleth IdP 2安装手记

Categories:

Open Source, Shibboleth

2009/11/27

接上一篇“在64位CentOS 5.4上安装Tomcat+OpenJDK ”,完成基础工作后,就可以开始着手安装IdP

Shibboleth是一个针对SSO的开源项目,主要应用在高校之间的Web资源共享与访问控制,以及校园间的应用系统的用户身份联合认证。2006年12月,由北京大学执行的CARSI项目即是在国内高校之间部署Shibboleth,隶属于国家863计划,目前已经有清华大学、北京邮电大学、中国电子科技大学、华南理工大学等陆续加入,建立了CARSI-Fed(也称为CERNET-Fed),其目标是最终实现中国教育科研网内跨机构用户统一身份认证、共享资源访问授权和审计系统。更多的详细信息可以参考:http://carsi.edu.cn/

宁波诺丁汉大学作为英国诺丁汉大学在中国的分校区,此次部署Shibboleth IdP的目的是为了加入UK Access Management Federation。

整个安装过程记录如下:

从官方网站http://www.internet2.edu下载IdP安装文件,解开压缩包

[root@idp ~]# jar -xf shibboleth-identityprovider-2.1.4-bin.zip
[root@idp ~]# cd shibboleth-identityprovider-2.1.4

需要复制一些jar文件至tomcat程序目录

[root@idp shibboleth-identityprovider-2.1.4]# mkdir /opt/tomcat/endorsed
[root@idp shibboleth-identityprovider-2.1.4]# cp -v lib/shibboleth-jce-1.1.0.jar /opt/tomcat/lib/
`lib/shibboleth-jce-1.1.0.jar’ -> `/opt/tomcat/lib/shibboleth-jce-1.1.0.jar’
[root@idp shibboleth-identityprovider-2.1.4]# cp shibboleth-identityprovider-2.1.4/endorsed/*.jar /opt/tomcat/endorsed/ -v
`/root/shibboleth-identityprovider-2.1.4/endorsed/resolver-2.9.1.jar’ -> `endorsed/resolver-2.9.1.jar’
`/root/shibboleth-identityprovider-2.1.4/endorsed/serializer-2.9.1.jar’ -> `endorsed/serializer-2.9.1.jar’
`/root/shibboleth-identityprovider-2.1.4/endorsed/xalan-2.7.1.jar’ -> `endorsed/xalan-2.7.1.jar’
`/root/shibboleth-identityprovider-2.1.4/endorsed/xercesImpl-2.9.1.jar’ -> `endorsed/xercesImpl-2.9.1.jar’
`/root/shibboleth-identityprovider-2.1.4/endorsed/xml-apis-2.9.1.jar’ -> `endorsed/xml-apis-2.9.1.jar’

现在可以开始安装shibboleth IdP

[root@idp shibboleth-identityprovider-2.1.4]# chmod a+x install.sh
[root@idp shibboleth-identityprovider-2.1.4]# ./install.sh
Buildfile: src/installer/resources/build.xml

install:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Be sure you have read the installation/upgrade instructions on the Shibboleth website before proceeding.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Where should the Shibboleth Identity Provider software be installed? [/opt/shibboleth-idp]

What is the fully qualified hostname of the Shibboleth Identity Provider server? [idp.example.org]
idp.nottingham.edu.cn
A keystore is about to be generated for you. Please enter a password that will be used to protect it.
******** (为生成数字证书设置密码保护)
Updating property file: /root/shibboleth-identityprovider-2.1.4/src/installer/resources/install.properties
Created dir: /opt/shibboleth-idp
Created dir: /opt/shibboleth-idp/bin
Created dir: /opt/shibboleth-idp/conf
Created dir: /opt/shibboleth-idp/credentials
Created dir: /opt/shibboleth-idp/lib
Created dir: /opt/shibboleth-idp/lib/endorsed
Created dir: /opt/shibboleth-idp/logs
Created dir: /opt/shibboleth-idp/metadata
Created dir: /opt/shibboleth-idp/war
Generating signing and encryption key, certificate, and keystore.
Copying 5 files to /opt/shibboleth-idp/bin
Copying 8 files to /opt/shibboleth-idp/conf
Copying 1 file to /opt/shibboleth-idp/metadata
Copying 49 files to /opt/shibboleth-idp/lib
Copying 5 files to /opt/shibboleth-idp/lib/endorsed
Copying 1 file to /root/shibboleth-identityprovider-2.1.4/src/installer
Building war: /root/shibboleth-identityprovider-2.1.4/src/installer/idp.war
Copying 1 file to /opt/shibboleth-idp/war
Deleting: /root/shibboleth-identityprovider-2.1.4/src/installer/web.xml
Deleting: /root/shibboleth-identityprovider-2.1.4/src/installer/idp.war

BUILD SUCCESSFUL
Total time: 1 minute 5 seconds

至此安装程序执行成功。为配合tomcat顺利运行,进一步设置如下:
将shibboleth IdP运行日志文件链接至/var/log目录,方便管理查看

[root@idp shibboleth-identityprovider-2.1.4]# ln -s /opt/shibboleth-idp/logs /var/log/shibboleth

调整一大堆文件权限,当tomcat以普通用户启动时可以顺利运行shibboleth

[root@idp shibboleth-identityprovider-2.1.4]# cd /opt/shibboleth-idp/
[root@idp shibboleth-idp]# chown -R tomcat6. logs metadata credentials
[root@idp shibboleth-idp]# chmod 755 logs metadata
[root@idp shibboleth-idp]# chown tomcat6. conf/attribute-filter.xml
[root@idp shibboleth-idp]# chown -R tomcat6. /opt/tomcat/endorsed/
[root@idp shibboleth-idp]# chmod 660 conf/attribute-filter.xml
[root@idp shibboleth-idp]# cd credentials/
[root@idp credentials]# chown tomcat6:tomcat6 idp.key
[root@idp credentials]# chgrp root idp.{key,crt}
[root@idp credentials]# chmod 440 idp.key
[root@idp credentials]# chmod 644 idp.crt

根据官方的建议,最好是为war文件手动建立配置,这样虽然麻烦一点,但是比较直接复制war至webapps目录更便于以后管理维护。在/opt/tomcat/conf/Catalina/localhost/目录下面创建idp.xml文件,写入以下内容:

docBase=”/opt/shibboleth-idp/war/idp.war”
privileged=”true”
antiResourceLocking=”false”
antiJARLocking=”false”
unpackWAR=”false” />

编辑java安全配置文件,加入由internet2提供的shibboleth中间件。打开/usr/lib/jvm/jre/lib/security/java.security文件,在security.provider列表后面加入
security.provider.#=edu.internet2.middleware.shibboleth.DelegateToApplicationProvider
其中的#应更改为上一条记录中的对应数值加1。

编辑tomcat主配置文件,添加一段开启8443端口的配置信息:

[root@idp credentials]# vim /opt/tomcat/conf/server.xml

scheme=”https”
secure=”true”
clientAuth=”true”
sslProtocol=”TLS”
sslImplementation=”edu.internet2.middleware.shibboleth.tomcat.DelegateToApplicationJSSEImplementation”
keystoreFile=”IDP_HOME/credentials/idp.jks”
keystorePass=”PASSWORD” />

将IPD_HOME更换为shibboleth IdP安装目录,PASSWORD更改为安装时设置的证书保护密码。

接下来要做的工作就是为服务器申请一张正式的数字证书,在购买之前最好查看一下即将加入的Fedoration网站上的相关说明,UK Access Management Federation可以支持Versign, GlobalSign等。
这里可以先自己生成一张证书做为测试使用:

[root@idp credentials]# cd /etc/pki
[root@idp pki]# openssl req -new -x509 -nodes -out shibidp.crt -keyout shibidp.key
Generating a 1024 bit RSA private key
……..++++++
……………………..++++++
writing new private key to ‘shibidp.key’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Zhejiang
Locality Name (eg, city) [Newbury]:Ningbo
Organization Name (eg, company) [My Company Ltd]:The University of Nottingham Ningbo, China
Organizational Unit Name (eg, section) []:Information Services
Common Name (eg, your name or your server’s hostname) []:idp.nottingham.edu.cn
Email Address []:it-services@nottingham.edu.cn

编辑apache ssl配置文件/etc/http/conf.d/ssl.conf,启用刚才生成的数字证书。

重新启动tomcat, Apache,注意先后顺序

[root@idp credentials]# service tomcat restart
Stopping /opt/tomcat/bin/catalina.sh:
Using CATALINA_BASE:   /opt/tomcat
Using CATALINA_HOME:   /opt/tomcat
Using CATALINA_TMPDIR: /opt/tomcat/temp
Using JRE_HOME:       /usr/lib/jvm/java/

waiting for processes to exit
waiting for processes to exit
Starting /opt/tomcat/bin/catalina.sh:
Using CATALINA_BASE:   /opt/tomcat
Using CATALINA_HOME:   /opt/tomcat
Using CATALINA_TMPDIR: /opt/tomcat/temp
Using JRE_HOME:       /usr/lib/jvm/java/

[root@idp credentials]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

查看服务器运行状态:

[root@idp credentials]# links http://localhost/idp/status

由于默认的安全性设置,该页面只能在服务器上以访问localhost方式查看,否则会给予401错误。

标签: , , , ,

分享到:

Permanent link to this article: http://www.wardking.com/2009/11/shibboleth-idp-setup-notes/

1 条评论

  1. Ray ban polarized sunglasses

    2011/03/04 在 2:47 下午 (UTC 8) Link to this comment

    Great Blog ! Regards.

发表评论

电子邮件地址不会被公开。 必填项已被标记为 *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>