Continuing from the previous post, "Installing Tomcat + OpenJDK on 64-bit CentOS 5.4": with the groundwork in place, we can start installing the IdP.

Shibboleth is an open-source single sign-on (SSO) project, used mainly for sharing and access control of web resources between universities and for federated authentication of users across campus application systems. In December 2006 the CARSI project, run by Peking University under the national 863 Programme, began deploying Shibboleth among Chinese universities; Tsinghua University, Beijing University of Posts and Telecommunications, the University of Electronic Science and Technology of China, South China University of Technology and others have since joined, forming CARSI-Fed (also called CERNET-Fed). Its goal is unified cross-institution authentication, authorisation for shared resources and auditing across the China Education and Research Network. More details: http://carsi.edu.cn/

The University of Nottingham Ningbo China is the Chinese campus of the University of Nottingham (UK); this Shibboleth IdP is being deployed so that the campus can join the UK Access Management Federation.

The whole installation went as follows.

Download the IdP distribution from the official site, http://www.internet2.edu, and unpack it:

[root@idp ~]# jar -xf shibboleth-identityprovider-2.1.4-bin.zip
[root@idp ~]# cd shibboleth-identityprovider-2.1.4

A few jar files need to be copied into the Tomcat installation: the shibboleth-jce jar into Tomcat's lib directory (it contains the DelegateToApplication provider and JSSE implementation that the java.security entry and the HTTPS connector below refer to), and the IdP's endorsed XML libraries (Xerces, Xalan, resolver, serializer) into $CATALINA_HOME/endorsed, where Tomcat 6 loads them in preference to the JDK's bundled copies:

[root@idp shibboleth-identityprovider-2.1.4]# mkdir /opt/tomcat/endorsed
[root@idp shibboleth-identityprovider-2.1.4]# cp -v lib/shibboleth-jce-1.1.0.jar /opt/tomcat/lib/
`lib/shibboleth-jce-1.1.0.jar' -> `/opt/tomcat/lib/shibboleth-jce-1.1.0.jar'
[root@idp shibboleth-identityprovider-2.1.4]# cp -v endorsed/*.jar /opt/tomcat/endorsed/
`endorsed/resolver-2.9.1.jar' -> `/opt/tomcat/endorsed/resolver-2.9.1.jar'
`endorsed/serializer-2.9.1.jar' -> `/opt/tomcat/endorsed/serializer-2.9.1.jar'
`endorsed/xalan-2.7.1.jar' -> `/opt/tomcat/endorsed/xalan-2.7.1.jar'
`endorsed/xercesImpl-2.9.1.jar' -> `/opt/tomcat/endorsed/xercesImpl-2.9.1.jar'
`endorsed/xml-apis-2.9.1.jar' -> `/opt/tomcat/endorsed/xml-apis-2.9.1.jar'


Now run the IdP installer:

[root@idp shibboleth-identityprovider-2.1.4]# chmod a+x install.sh
[root@idp shibboleth-identityprovider-2.1.4]# ./install.sh
Buildfile: src/installer/resources/build.xml

install:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Be sure you have read the installation/upgrade instructions on the Shibboleth website before proceeding.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Where should the Shibboleth Identity Provider software be installed? [/opt/shibboleth-idp]

What is the fully qualified hostname of the Shibboleth Identity Provider server? [idp.example.org]
idp.nottingham.edu.cn
A keystore is about to be generated for you. Please enter a password that will be used to protect it.
******** (password protecting the keystore that will hold the generated key and certificate)
Updating property file: /root/shibboleth-identityprovider-2.1.4/src/installer/resources/install.properties
Created dir: /opt/shibboleth-idp
Created dir: /opt/shibboleth-idp/bin
Created dir: /opt/shibboleth-idp/conf
Created dir: /opt/shibboleth-idp/credentials
Created dir: /opt/shibboleth-idp/lib
Created dir: /opt/shibboleth-idp/lib/endorsed
Created dir: /opt/shibboleth-idp/logs
Created dir: /opt/shibboleth-idp/metadata
Created dir: /opt/shibboleth-idp/war
Generating signing and encryption key, certificate, and keystore.
Copying 5 files to /opt/shibboleth-idp/bin
Copying 8 files to /opt/shibboleth-idp/conf
Copying 1 file to /opt/shibboleth-idp/metadata
Copying 49 files to /opt/shibboleth-idp/lib
Copying 5 files to /opt/shibboleth-idp/lib/endorsed
Copying 1 file to /root/shibboleth-identityprovider-2.1.4/src/installer
Building war: /root/shibboleth-identityprovider-2.1.4/src/installer/idp.war
Copying 1 file to /opt/shibboleth-idp/war
Deleting: /root/shibboleth-identityprovider-2.1.4/src/installer/web.xml
Deleting: /root/shibboleth-identityprovider-2.1.4/src/installer/idp.war

BUILD SUCCESSFUL
Total time: 1 minute 5 seconds

The installer has now completed. A few more adjustments are needed so that the IdP runs cleanly under Tomcat.
Link the IdP log directory into /var/log for convenient access:
[root@idp shibboleth-identityprovider-2.1.4]# ln -s /opt/shibboleth-idp/logs /var/log/shibboleth

Fix up a pile of file permissions so that Shibboleth runs when Tomcat is started as the unprivileged tomcat6 user (the account from the previous post). The private key idp.key ends up owned by tomcat6 with group root and mode 440: Tomcat can read it, nobody else can, and it is not writable. The keystore idp.jks, which the HTTPS connector below loads, stays readable by tomcat6 through the recursive chown on credentials/:
[root@idp shibboleth-identityprovider-2.1.4]# cd /opt/shibboleth-idp/
[root@idp shibboleth-idp]# chown -R tomcat6. logs metadata credentials
[root@idp shibboleth-idp]# chmod 755 logs metadata
[root@idp shibboleth-idp]# chown tomcat6. conf/attribute-filter.xml
[root@idp shibboleth-idp]# chown -R tomcat6. /opt/tomcat/endorsed/
[root@idp shibboleth-idp]# chmod 660 conf/attribute-filter.xml
[root@idp shibboleth-idp]# cd credentials/
[root@idp credentials]# chown tomcat6:tomcat6 idp.key
[root@idp credentials]# chgrp root idp.{key,crt}
[root@idp credentials]# chmod 440 idp.key
[root@idp credentials]# chmod 644 idp.crt

Following the official recommendation, it is better to write a context descriptor for the war file by hand. This is slightly more work than dropping the war into webapps, but easier to manage and upgrade later, because the war stays under /opt/shibboleth-idp and is never unpacked into Tomcat's tree. Create the file /opt/tomcat/conf/Catalina/localhost/idp.xml with the following content:

<Context docBase="/opt/shibboleth-idp/war/idp.war"
    privileged="true"
    antiResourceLocking="false"
    antiJARLocking="false"
    unpackWAR="false" />

Edit the Java security configuration to register the Shibboleth provider supplied by Internet2. Open /usr/lib/jvm/jre/lib/security/java.security and, after the existing security.provider list, add
security.provider.#=edu.internet2.middleware.shibboleth.DelegateToApplicationProvider
where # is the number of the previous entry plus one. The numbering must stay contiguous: the JCA reads security.provider.1, .2, ... in order and stops at the first missing number, so a gap silently disables every provider listed after it.
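As an added example (not code from the original post), the following shell functions perform that edit mechanically and check the result: the provider is appended as the highest existing index plus one, the edit is idempotent, and a gap in the numbering is detected. The java.security content below is a constructed sample standing in for the real file, and the availability of sed, awk and mktemp is assumed.

```shell
#!/bin/sh
# Added example: register the Shibboleth provider in java.security safely.
# Assumptions: sed, awk and mktemp are available; the sample file below is a
# constructed stand-in for /usr/lib/jvm/jre/lib/security/java.security.
set -e

SHIB_PROVIDER="edu.internet2.middleware.shibboleth.DelegateToApplicationProvider"

# List the provider indexes present in the file, one per line, ascending.
provider_indexes() {
    sed -n 's/^security\.provider\.\([0-9][0-9]*\)=.*/\1/p' "$1" | sort -n
}

# Return 0 if the indexes run 1..N without gaps. The JCA reads
# security.provider.1, .2, ... and stops at the first missing number,
# so a gap silently disables every provider listed after it.
providers_contiguous() {
    provider_indexes "$1" | awk '$1 != NR { bad = 1 } END { exit bad }'
}

# add_provider FILE CLASS: append CLASS as security.provider.<max+1>,
# directly after the last existing provider line. Prints the index used.
# Idempotent: if CLASS is already registered, prints its index and changes nothing.
add_provider() {
    file="$1"; cls="$2"
    existing=$(sed -n "s/^security\.provider\.\([0-9][0-9]*\)=$cls\$/\1/p" "$file")
    if [ -n "$existing" ]; then
        echo "$existing"
        return 0
    fi
    last=$(provider_indexes "$file" | tail -n 1)
    next=$(( ${last:-0} + 1 ))
    line="security.provider.$next=$cls"
    if [ -z "$last" ]; then
        echo "$line" >> "$file"          # no provider block yet: append at the end
    else
        awk -v last="$last" -v line="$line" '
            { print }
            $0 ~ ("^security\\.provider\\." last "=") { print line }
        ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    fi
    echo "$next"
}

# Constructed sample resembling the provider block of an OpenJDK 6 java.security.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample, not the real file
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.crypto.provider.SunJCE

securerandom.source=file:/dev/urandom
EOF

idx=$(add_provider "$SAMPLE" "$SHIB_PROVIDER")
echo "registered as security.provider.$idx"
providers_contiguous "$SAMPLE" && echo "provider numbering is contiguous"

# A file with a gap (index 3 renumbered to 7) is what a careless hand edit produces.
GAPPED=$(mktemp)
sed 's/^security\.provider\.3=/security.provider.7=/' "$SAMPLE" > "$GAPPED"
if ! providers_contiguous "$GAPPED"; then
    echo "gap detected: providers after the gap would be ignored by the JVM"
fi
```

Run it against the real file by passing its path to add_provider and providers_contiguous instead of the sample; the contiguity check is worth running after any hand edit, since the JVM gives no warning when it stops early.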

Edit Tomcat's main configuration and add a connector on port 8443. This is the IdP's back-channel port: service providers connect to it directly for attribute queries and artifact resolution and present their own certificate, so client certificate authentication is enabled and TLS handling is delegated to the IdP, which checks the client certificate against federation metadata rather than the JVM trust store:

[root@idp credentials]# vim /opt/tomcat/conf/server.xml
<Connector port="8443"
           protocol="HTTP/1.1"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           clientAuth="true"
           sslProtocol="TLS"
           sslImplementation="edu.internet2.middleware.shibboleth.tomcat.DelegateToApplicationJSSEImplementation"
           keystoreFile="IDP_HOME/credentials/idp.jks"
           keystorePass="PASSWORD" />

With clientAuth="true" Tomcat requires a client certificate on every connection to 8443. Tomcat also accepts clientAuth="want", which requests a certificate but does not reject connections that lack one; use that if any back-channel client will connect without a certificate.

Replace IDP_HOME with the IdP installation directory (/opt/shibboleth-idp here) and PASSWORD with the keystore password chosen during installation. Since server.xml now holds that password in clear text, make sure the file is readable only by root and the tomcat6 user.

The next job is to obtain a proper certificate for the server. Before buying one, check the guidance published by the federation you intend to join; the UK Access Management Federation accepts VeriSign, GlobalSign and others.
For testing, a self-signed certificate can be generated first. This certificate is for the Apache HTTPS front end (the browser-facing side) and is separate from the signing/encryption key the installer generated in /opt/shibboleth-idp/credentials/. Note that with no further options openssl defaults to a 1024-bit RSA key and a 30-day validity, which is acceptable only for a throwaway test certificate:
[root@idp credentials]# cd /etc/pki
[root@idp pki]# openssl req -new -x509 -nodes -out shibidp.crt -keyout shibidp.key
Generating a 1024 bit RSA private key
........++++++
..........................++++++
writing new private key to 'shibidp.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Zhejiang
Locality Name (eg, city) [Newbury]:Ningbo
Organization Name (eg, company) [My Company Ltd]:The University of Nottingham Ningbo, China
Organizational Unit Name (eg, section) []:Information Services
Common Name (eg, your name or your server's hostname) []:idp.nottingham.edu.cn
Email Address []:it-services@nottingham.edu.cn
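As an added example (not code from the original post), here is a small script that generates the same kind of test certificate with parameters that are still acceptable today (2048-bit RSA, SHA-256, explicit validity, subject passed on the command line so it runs unattended) and then checks what was produced: that the certificate really belongs to the key, which CN it carries, and how large the key is. The hostname and DN values are taken from the transcript above as assumptions, openssl is assumed to be on PATH, and the output goes to a temporary directory.

```shell
#!/bin/sh
# Added example: self-signed test certificate for the Apache front end, with
# sanity checks. Assumes openssl is on PATH; the hostname and DN below are
# assumptions taken from the transcript above, and files go to a temp dir.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST="idp.nottingham.edu.cn"

# make_test_cert HOST: write shibidp.key / shibidp.crt into $WORKDIR.
# -newkey rsa:2048 and -sha256 replace the 1024-bit/default-digest behaviour,
# -days 365 replaces openssl's 30-day default, -nodes leaves the key unencrypted
# so Apache can start without a passphrase prompt (hence the chmod 600).
make_test_cert() {
    host="$1"
    openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \
        -subj "/C=CN/ST=Zhejiang/L=Ningbo/O=The University of Nottingham Ningbo China/OU=Information Services/CN=$host" \
        -keyout "$WORKDIR/shibidp.key" -out "$WORKDIR/shibidp.crt" 2>/dev/null
    chmod 600 "$WORKDIR/shibidp.key"
}

# cert_matches_key: the public key inside the certificate must equal the
# public key derived from the private key, otherwise Apache cannot use the pair.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$WORKDIR/shibidp.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$WORKDIR/shibidp.key" -pubout)
    if [ "$crt_pub" = "$key_pub" ]; then
        echo match
    else
        echo MISMATCH
        return 1
    fi
}

# cert_cn: the CN must equal the hostname browsers will use, or they warn.
cert_cn() {
    openssl x509 -in "$WORKDIR/shibidp.crt" -noout -subject | sed 's/.*CN *= *//'
}

# key_bits: size of the RSA modulus in the private key.
key_bits() {
    openssl rsa -in "$WORKDIR/shibidp.key" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

make_test_cert "$HOST"
echo "key/cert: $(cert_matches_key)  CN=$(cert_cn)  bits=$(key_bits)  dir=$WORKDIR"
```

Current browsers match the hostname against a subjectAltName extension rather than the CN; adding one needs the -addext option of OpenSSL 1.1.1 or later, which is left out here so the script also runs on older releases.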

Edit the Apache SSL configuration file /etc/httpd/conf.d/ssl.conf and point SSLCertificateFile and SSLCertificateKeyFile at the certificate and key just generated.

Restart Tomcat, then Apache, in that order:
[root@idp credentials]# service tomcat restart
Stopping /opt/tomcat/bin/catalina.sh:
Using CATALINA_BASE:   /opt/tomcat
Using CATALINA_HOME:   /opt/tomcat
Using CATALINA_TMPDIR: /opt/tomcat/temp
Using JRE_HOME:       /usr/lib/jvm/java/

waiting for processes to exit
waiting for processes to exit
Starting /opt/tomcat/bin/catalina.sh:
Using CATALINA_BASE:   /opt/tomcat
Using CATALINA_HOME:   /opt/tomcat
Using CATALINA_TMPDIR: /opt/tomcat/temp
Using JRE_HOME:       /usr/lib/jvm/java/

[root@idp credentials]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

Check the server status:
[root@idp credentials]# links http://localhost/idp/status

Because of the default access restrictions, this page can only be viewed on the server itself via localhost; requests from anywhere else get a 401 error.