Title: Notes on installing Shibboleth IdP 2
Source: Wardking Studio
Date: Fri, 27 Nov 2009 16:28:12 +0000
Author: Michael
URL: http://www.wardking.com/blog/post/362/
Content:

[Image: http://www.wardking.com/blog/attachment.php?fid=476]

Continuing from the previous post, "Installing Tomcat + OpenJDK on 64-bit CentOS 5.4": with the groundwork done, we can start installing the IdP.

Shibboleth is an open-source single sign-on (SSO) project, used mainly among universities for sharing web resources under access control and for federated authentication of users across campus application systems. In December 2006 the CARSI project, run by Peking University under the national 863 Program, began deploying Shibboleth among Chinese universities; Tsinghua University, Beijing University of Posts and Telecommunications, the University of Electronic Science and Technology of China, South China University of Technology and others have since joined, forming CARSI-Fed (also called CERNET-Fed). Its goal is a unified system for cross-institution identity authentication, shared-resource access authorization and auditing across the China Education and Research Network. More details: http://carsi.edu.cn/

The University of Nottingham Ningbo China, the University of Nottingham's campus in China, is deploying a Shibboleth IdP in order to join the UK Access Management Federation.

The whole installation process is recorded below.

Download the IdP installer from the official site http://www.internet2.edu and unpack it:

Quote:
[root@idp ~]# jar -xf shibboleth-identityprovider-2.1.4-bin.zip
[root@idp ~]# cd shibboleth-identityprovider-2.1.4

Some jar files need to be copied into the Tomcat directory:

Quote:
[root@idp shibboleth-identityprovider-2.1.4]# mkdir /opt/tomcat/endorsed
[root@idp shibboleth-identityprovider-2.1.4]# cp -v lib/shibboleth-jce-1.1.0.jar /opt/tomcat/lib/
`lib/shibboleth-jce-1.1.0.jar' -> `/opt/tomcat/lib/shibboleth-jce-1.1.0.jar'
[root@idp shibboleth-identityprovider-2.1.4]# cp shibboleth-identityprovider-2.1.4/endorsed/*.jar /opt/tomcat/endorsed/ -v
`/root/shibboleth-identityprovider-2.1.4/endorsed/resolver-2.9.1.jar' -> `endorsed/resolver-2.9.1.jar'
`/root/shibboleth-identityprovider-2.1.4/endorsed/serializer-2.9.1.jar' -> `endorsed/serializer-2.9.1.jar'
`/root/shibboleth-identityprovider-2.1.4/endorsed/xalan-2.7.1.jar' -> `endorsed/xalan-2.7.1.jar'
`/root/shibboleth-identityprovider-2.1.4/endorsed/xercesImpl-2.9.1.jar' -> `endorsed/xercesImpl-2.9.1.jar'
`/root/shibboleth-identityprovider-2.1.4/endorsed/xml-apis-2.9.1.jar' -> `endorsed/xml-apis-2.9.1.jar'

Now the Shibboleth IdP itself can be installed:

Quote:
[root@idp shibboleth-identityprovider-2.1.4]# chmod a+x install.sh
[root@idp shibboleth-identityprovider-2.1.4]# ./install.sh
Buildfile: src/installer/resources/build.xml

install:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Be sure you have read the installation/upgrade instructions on the Shibboleth website before proceeding.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Where should the Shibboleth Identity Provider software be installed? [/opt/shibboleth-idp]

What is the fully qualified hostname of the Shibboleth Identity Provider server? [idp.example.org]
idp.nottingham.edu.cn
A keystore is about to be generated for you. Please enter a password that will be used to protect it.
******** (the password that protects the keystore and certificate about to be generated)
Updating property file: /root/shibboleth-identityprovider-2.1.4/src/installer/resources/install.properties
Created dir: /opt/shibboleth-idp
Created dir: /opt/shibboleth-idp/bin
Created dir: /opt/shibboleth-idp/conf
Created dir: /opt/shibboleth-idp/credentials
Created dir: /opt/shibboleth-idp/lib
Created dir: /opt/shibboleth-idp/lib/endorsed
Created dir: /opt/shibboleth-idp/logs
Created dir: /opt/shibboleth-idp/metadata
Created dir: /opt/shibboleth-idp/war
Generating signing and encryption key, certificate, and keystore.
Copying 5 files to /opt/shibboleth-idp/bin
Copying 8 files to /opt/shibboleth-idp/conf
Copying 1 file to /opt/shibboleth-idp/metadata
Copying 49 files to /opt/shibboleth-idp/lib
Copying 5 files to /opt/shibboleth-idp/lib/endorsed
Copying 1 file to /root/shibboleth-identityprovider-2.1.4/src/installer
Building war: /root/shibboleth-identityprovider-2.1.4/src/installer/idp.war
Copying 1 file to /opt/shibboleth-idp/war
Deleting: /root/shibboleth-identityprovider-2.1.4/src/installer/web.xml
Deleting: /root/shibboleth-identityprovider-2.1.4/src/installer/idp.war

BUILD SUCCESSFUL
Total time: 1 minute 5 seconds

At this point the installer has completed successfully. To make it run smoothly under Tomcat, a few more settings follow.

Symlink the Shibboleth IdP log directory into /var/log for easier viewing and management:

Quote:
[root@idp shibboleth-identityprovider-2.1.4]# ln -s /opt/shibboleth-idp/logs /var/log/shibboleth

Adjust a whole pile of file permissions so that Shibboleth runs properly when Tomcat is started as an unprivileged user:

Quote:
[root@idp shibboleth-identityprovider-2.1.4]# cd /opt/shibboleth-idp/
[root@idp shibboleth-idp]# chown -R tomcat6. logs metadata credentials
[root@idp shibboleth-idp]# chmod 755 logs metadata
[root@idp shibboleth-idp]# chown tomcat6. conf/attribute-filter.xml
[root@idp shibboleth-idp]# chown -R tomcat6. /opt/tomcat/endorsed/
[root@idp shibboleth-idp]# chmod 660 conf/attribute-filter.xml
[root@idp shibboleth-idp]# cd credentials/
[root@idp credentials]# chown tomcat6:tomcat6 idp.key
[root@idp credentials]# chgrp root idp.{key,crt}
[root@idp credentials]# chmod 440 idp.key
[root@idp credentials]# chmod 644 idp.crt

Following the official recommendation, it is best to create a context configuration for the war file by hand. This is slightly more work than simply copying the war into the webapps directory, but easier to manage and maintain later on. Create the file idp.xml under /opt/tomcat/conf/Catalina/localhost/ with the following content:

Quote:

Edit the Java security configuration to register the Shibboleth provider supplied by Internet2. Open /usr/lib/jvm/jre/lib/security/java.security and add, after the list of security.provider entries:

security.provider.#=edu.internet2.middleware.shibboleth.DelegateToApplicationProvider

where # is the number of the preceding entry plus one.

Edit Tomcat's main configuration file and add a block that opens port 8443:

Quote:
[root@idp credentials]# vim /opt/tomcat/conf/server.xml

Replace IDP_HOME with the Shibboleth IdP installation directory and PASSWORD with the keystore password chosen during installation.

The next job is to obtain a proper certificate for the server. Before buying one, check the guidance on the website of the federation you are about to join; the UK Access Management Federation accepts VeriSign, GlobalSign and others.

For now, a self-signed certificate can be generated for testing:

Quote:
[root@idp credentials]# cd /etc/pki
[root@idp pki]# openssl req -new -x509 -nodes -out shibidp.crt -keyout shibidp.key
Generating a 1024 bit RSA private key
........++++++
..........................++++++
writing new private key to 'shibidp.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Zhejiang
Locality Name (eg, city) [Newbury]:Ningbo
Organization Name (eg, company) [My Company Ltd]:The University of Nottingham Ningbo, China
Organizational Unit Name (eg, section) []:Information Services
Common Name (eg, your name or your server's hostname) []:idp.nottingham.edu.cn
Email Address []:it-services@nottingham.edu.cn

Edit the Apache SSL configuration file /etc/httpd/conf.d/ssl.conf to use the certificate just generated.

Restart Tomcat and then Apache, in that order:

Quote:
[root@idp credentials]# service tomcat restart
Stopping /opt/tomcat/bin/catalina.sh:
Using CATALINA_BASE:   /opt/tomcat
Using CATALINA_HOME:   /opt/tomcat
Using CATALINA_TMPDIR: /opt/tomcat/temp
Using JRE_HOME:        /usr/lib/jvm/java/
waiting for processes to exit
waiting for processes to exit
Starting /opt/tomcat/bin/catalina.sh:
Using CATALINA_BASE:   /opt/tomcat
Using CATALINA_HOME:   /opt/tomcat
Using CATALINA_TMPDIR: /opt/tomcat/temp
Using JRE_HOME:        /usr/lib/jvm/java/
[root@idp credentials]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

Check the server status:

Quote:
[root@idp credentials]# links http://localhost/idp/status

Because of the default security settings, this page can only be viewed on the server itself via localhost; from anywhere else it returns a 401 error.
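The chown/chmod sequence for the IdP tree above is easy to get subtly wrong, and the one entry that really matters is that idp.key stays unreadable by anyone but the Tomcat user. As an added example (not code from the post or from the Shibboleth project), the following POSIX shell script audits the ownership and modes that sequence establishes. It assumes GNU stat as shipped on CentOS; the expected user and groups are parameters (tomcat6, tomcat6 and root on the real host), and the tree it demonstrates against is constructed on the fly so it can be run as an ordinary user.

```shell
#!/bin/sh
# Added example, not code from the original post: audit the ownership and
# modes the post sets on the IdP tree, so a slip (for example a
# world-readable idp.key) is caught before Tomcat starts. The expected
# owner and groups are parameters so the check can be exercised as an
# ordinary user on a constructed tree; on the real host they are
# tomcat6, tomcat6 and root. Uses GNU stat (CentOS coreutils).

# check_path PATH MODE OWNER GROUP -> 0 if the path matches, 1 otherwise.
check_path() {
    path="$1"; want="$2 $3 $4"
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 1
    fi
    got=$(stat -c '%a %U %G' "$path")
    if [ "$got" != "$want" ]; then
        echo "BAD     $path: got '$got', want '$want'"
        return 1
    fi
    echo "ok      $path ($got)"
}

# audit_idp_perms IDP_HOME TOMCAT_USER TOMCAT_GROUP KEY_GROUP
# Mirrors the chown/chmod sequence in the post; returns non-zero if any
# entry deviates from it.
audit_idp_perms() {
    home="$1"; user="$2"; group="$3"; keygrp="$4"; rc=0
    check_path "$home/logs"                      755 "$user" "$group"  || rc=1
    check_path "$home/metadata"                  755 "$user" "$group"  || rc=1
    check_path "$home/conf/attribute-filter.xml" 660 "$user" "$group"  || rc=1
    check_path "$home/credentials/idp.key"       440 "$user" "$keygrp" || rc=1
    check_path "$home/credentials/idp.crt"       644 "$user" "$keygrp" || rc=1
    # Belt and braces: no private key under credentials may carry any
    # "other" permission bits, whatever its exact mode.
    for key in "$home"/credentials/*.key; do
        [ -e "$key" ] || continue
        case $(stat -c '%a' "$key") in
            *[1-7]) echo "BAD     $key is accessible by others"; rc=1 ;;
        esac
    done
    return $rc
}

# Build a constructed IdP-like tree (empty files) with the modes from the
# post, owned by whoever runs this; used only for the demo.
make_sample_idp_tree() {
    mkdir -p "$1/logs" "$1/metadata" "$1/conf" "$1/credentials"
    : > "$1/conf/attribute-filter.xml"
    : > "$1/credentials/idp.key"
    : > "$1/credentials/idp.crt"
    chmod 755 "$1/logs" "$1/metadata"
    chmod 660 "$1/conf/attribute-filter.xml"
    chmod 440 "$1/credentials/idp.key"
    chmod 644 "$1/credentials/idp.crt"
}

# Demo on a throwaway tree. On the real host the call would be
#   audit_idp_perms /opt/shibboleth-idp tomcat6 tomcat6 root
sample=$(mktemp -d)
make_sample_idp_tree "$sample"
audit_idp_perms "$sample" "$(id -un)" "$(id -gn)" "$(id -gn)" && echo "audit passed"
chmod 644 "$sample/credentials/idp.key"     # simulate the slip
audit_idp_perms "$sample" "$(id -un)" "$(id -gn)" "$(id -gn)" || echo "audit failed as expected"
rm -rf "$sample"
```

Run it as root after the permission step and again after any upgrade; a non-zero exit means something in the tree drifted from the intended layout.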
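The post's idp.xml contents did not survive on the page. As an added example (not the post's own file and not taken from the Shibboleth distribution), the following shell function writes a Tomcat context descriptor that deploys the IdP war straight from IDP_HOME/war, which is what the hand-made context is for. The attribute names are standard Tomcat 6 Context attributes; the particular set chosen here is an assumption about what the IdP deployment wants, so compare it against the deployment guide for your IdP version. The function refuses to run if the war is missing or a descriptor already exists, and the demo uses constructed directories with an empty placeholder war.

```shell
#!/bin/sh
# Added example, not the post's own idp.xml: generate a Tomcat context
# descriptor that deploys the IdP war from IDP_HOME/war, so nothing is
# copied into webapps. The attribute names are standard Tomcat 6 Context
# attributes; the set used here is an assumption, not taken from the post.

# write_idp_context IDP_HOME CATALINA_HOME -> prints the descriptor path.
# Refuses to run if the war is missing or a descriptor already exists.
write_idp_context() {
    idp_home="$1"; catalina_home="$2"
    war="$idp_home/war/idp.war"
    ctx_dir="$catalina_home/conf/Catalina/localhost"
    ctx="$ctx_dir/idp.xml"
    if [ ! -f "$war" ]; then
        echo "no IdP war at $war (run install.sh first)" >&2
        return 1
    fi
    if [ -e "$ctx" ]; then
        echo "$ctx already exists, not overwriting" >&2
        return 1
    fi
    mkdir -p "$ctx_dir"
    cat > "$ctx" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!-- Shibboleth IdP context: docBase points at the war inside IDP_HOME,
     so an upgrade only has to replace that war. -->
<Context docBase="$war"
         privileged="true"
         antiResourceLocking="false"
         antiJARLocking="false"
         unpackWAR="false"
         swallowOutput="true" />
EOF
    echo "$ctx"
}

# context_docbase FILE -> the docBase attribute, for checking the result.
context_docbase() {
    sed -n 's/.*docBase="\([^"]*\)".*/\1/p' "$1"
}

# Demo against constructed directories (an empty file stands in for
# idp.war). On the real host: write_idp_context /opt/shibboleth-idp /opt/tomcat
scratch=$(mktemp -d)
mkdir -p "$scratch/idp/war"
: > "$scratch/idp/war/idp.war"
ctx=$(write_idp_context "$scratch/idp" "$scratch/tomcat")
cat "$ctx"
context_docbase "$ctx"      # prints $scratch/idp/war/idp.war
rm -rf "$scratch"
```

Whatever file you end up with must be readable by the user Tomcat runs as; the war itself stays wherever the installer put it.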
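The java.security step above asks you to pick the next free security.provider number by hand, and a duplicate or out-of-sequence entry silently breaks the provider chain. As an added example (not code from the post), the following POSIX shell script computes that number from the file, appends the provider class the post names, and refuses to add it a second time. The java.security fragment it runs against is a constructed sample, not a real CentOS file; on the real host you would pass the path the post gives.

```shell
#!/bin/sh
# Added example, not code from the original post: register the Shibboleth
# DelegateToApplicationProvider in a java.security file at the next free
# security.provider.N slot, computing N instead of editing by hand, and
# refusing to register it twice. PROVIDER is the class named in the post;
# the file path is a parameter so the functions can run on a sample copy.

PROVIDER="edu.internet2.middleware.shibboleth.DelegateToApplicationProvider"

# Highest N among the "security.provider.N=" lines of a file (0 if none).
highest_provider_index() {
    awk -F'[.=]' '/^security\.provider\.[0-9]+=/ { n = $3 + 0; if (n > max) max = n }
                  END { print max + 0 }' "$1"
}

# Append the provider at index highest+1; no-op if it is already present.
add_shibboleth_provider() {
    file="$1"
    if grep -qF -- "=$PROVIDER" "$file"; then
        echo "already registered in $file"
        return 0
    fi
    # Make sure the last line is newline-terminated before appending.
    if [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    next=$(( $(highest_provider_index "$file") + 1 ))
    printf 'security.provider.%d=%s\n' "$next" "$PROVIDER" >> "$file"
    echo "added security.provider.$next to $file"
}

# Constructed sample (not a real CentOS java.security): three providers.
write_sample_java_security() {
    cat > "$1" <<'EOF'
# constructed sample fragment of java.security
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
EOF
}

# Demo on a throwaway copy; on the real host pass the path from the post:
#   add_shibboleth_provider /usr/lib/jvm/jre/lib/security/java.security
sample="${TMPDIR:-/tmp}/java.security.sample.$$"
write_sample_java_security "$sample"
add_shibboleth_provider "$sample"   # adds security.provider.4
add_shibboleth_provider "$sample"   # already registered, nothing appended
cat "$sample"
rm -f "$sample"
```

Back up java.security before running this against the JVM's copy; the JVM only reads the file at startup, so Tomcat has to be restarted for the new provider to be picked up.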