[[Idpv3x]]
Trace:
Show pageOld revisions
AdminRecent ChangesSitemap

* ancien site

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
docpublic:systemes:shibboleth:idpv3x [2019/01/02 14:16]
procacci@tem-tsp.eu [proxy-ajp] 		docpublic:systemes:shibboleth:idpv3x [2019/01/02 21:57] (current)
procacci@tem-tsp.eu [SSO CAS]
Line 149: Line 149:
  
 <code> <code>
-[root@idp34 certs]# grep SSLCertificat /etc/httpd/conf.d/ssl.conf+[root@idp34 certs]#grep ^SSL /etc/httpd/conf.d/ssl.conf | tail -3
 SSLCertificateFile /etc/pki/tls/certs/idp.imtbstsp_eu.pem SSLCertificateFile /etc/pki/tls/certs/idp.imtbstsp_eu.pem
 SSLCertificateKeyFile /etc/pki/tls/private/idp.imtbstsp.key SSLCertificateKeyFile /etc/pki/tls/private/idp.imtbstsp.key
Line 155: Line 155:
 </code> </code>
  
-enfon configurer le proxy-ajp pour rediriger les requetes https d'apache vers tomcat +enfin configurer le proxy-ajp pour rediriger les requetes https d'apache vers tomcat 
  
 <code> <code>
Line 172: Line 172:
  
  
-===== TLS https ===== 
  
-installation du module apache (frontal proxy ajp ) pour SSL/TLS  
  
-<code> 
-[root@idp3 ~]# yum install mod_ssl 
-Installé : 
-  mod_ssl.x86_64 1:2.4.6-40.el7.centos.1                                                                                                                                         
- 
-Terminé ! 
-</code> 
- 
-declarer le certificat et sa clé , wildcard possible 
- 
-<code> 
-[root@idp3 ~]# grep ^SSL /etc/httpd/conf.d/ssl.conf | tail -3 
-SSLCertificateFile /etc/pki/tls/certs/wild_tem-tsp_eu.crt 
-SSLCertificateKeyFile /etc/pki/tls/private/wild_digicert2015_tem-tsp.key 
-SSLCACertificateFile /etc/pki/tls/certs/DigiCertCA.crt 
-</code> 
- 
-test 
- 
-https://idp3.tem-tsp.eu/manager/html 
  
 ===== ntp ==== ===== ntp ====
Line 212: Line 190:
  
 <code> <code>
-[root@idp3 ~]# wget http://shibboleth.net/downloads/identity-provider/3.2.1/shibboleth-identity-provider-3.2.1.tar.gz +[root@idp34 ~]# wget https://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-3.4.2.tar.gz 
-[root@idp3 ~]# mkdir /opt/src +--2019-01-02 14:18:15--  https://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-3.4.2.tar.gz 
-[root@idp3 ~]# mv shibboleth-identity-provider-3.2.1.tar.gz /opt/src/ +[root@idp34 ~]# mkdir /opt/src 
-[root@idp3 src]# tar xvfz shibboleth-identity-provider-3.2.1.tar.gz  +[root@idp34 ~]# mv shibboleth-identity-provider-3.4.2.tar.gz /opt/src/ 
-[root@idp3 src]# cd shibboleth-identity-provider-3.2.1/ +[root@idp34 ~]# cd /opt/src/ ; tar xvfz shibboleth-identity-provider-3.4.2.tar.gz 
-[root@idp3 shibboleth-identity-provider-3.2.1]# ls +[root@idp34 src]# cd shibboleth-identity-provider-3.4.2 
-bin  conf  credentials  dist  doc  embedded  flows  LICENSE.txt  logs  messages  system  views  webapp +[root@idp34 shibboleth-identity-provider-3.4.2]# ls 
 +bin  conf  credentials  doc  flows  LICENSE.txt  logs  messages  metadata  system  views  webapp
 </code> </code>
  
Line 227: Line 205:
  
 <code> <code>
-[root@idp3 shibboleth-identity-provider-3.2.1]# export JAVA_HOME=/usr/lib/jvm/java +[root@idp34 shibboleth-identity-provider-3.4.2]# export JAVA_HOME=/usr/lib/jvm/java 
-[root@idp3 shibboleth-identity-provider-3.2.1]# ./bin/install.sh +[root@idp34 shibboleth-identity-provider-3.4.2]# ./bin/install.sh 
-Source (Distribution) Directory: [/opt/src/shibboleth-identity-provider-3.2.1]+Source (Distribution) Directory (press <enter> to accept default): [/opt/src/shibboleth-identity-provider-3.4.2]
  
 Installation Directory: [/opt/shibboleth-idp] Installation Directory: [/opt/shibboleth-idp]
  
-Hostname: [localhost.localdomain+Hostname: [idp34.int-evry.fr
-idp3.tem-tsp.eu +idp3.imtbstsp.eu 
-SAML EntityID: [https://idp3.tem-tsp.eu/idp/shibboleth]+SAML EntityID: [https://idp3.imtbstsp.eu/idp/shibboleth]
  
-Attribute Scope: [localdomain+Attribute Scope: [int-evry.fr
-tem-tsp.eu +imtbstsp.eu 
-Backchannel PKCS12 Password: glsecretidp+Backchannel PKCS12 Password: O gl Back d
 Re-enter password:  Re-enter password: 
-Cookie Encryption Key Password:  +Cookie Encryption Key Password: O gl Cookie d
-Password cannot be zero length +
-Cookie Encryption Key Password: glsecretidp+
 Re-enter password:  Re-enter password: 
 Warning: /opt/shibboleth-idp/bin does not exist. Warning: /opt/shibboleth-idp/bin does not exist.
 +Warning: /opt/shibboleth-idp/edit-webapp does not exist.
 Warning: /opt/shibboleth-idp/dist does not exist. Warning: /opt/shibboleth-idp/dist does not exist.
 Warning: /opt/shibboleth-idp/doc does not exist. Warning: /opt/shibboleth-idp/doc does not exist.
 Warning: /opt/shibboleth-idp/system does not exist. Warning: /opt/shibboleth-idp/system does not exist.
-Warning: /opt/shibboleth-idp/webapp does not exist. +Generating Signing Key, CN = idp3.imtbstsp.eu URI = https://idp3.imtbstsp.eu/idp/shibboleth ...
-Generating Signing Key, CN = idpmt3.tem-tsp.eu URI = https://idp3.tem-tsp.eu/idp/shibboleth ...+
 ...done ...done
-Creating Encryption Key, CN = idpmt3.tem-tsp.eu URI = https://idp3.tem-tsp.eu/idp/shibboleth ...+Creating Encryption Key, CN = idp3.imtbstsp.eu URI = https://idp3.imtbstsp.eu/idp/shibboleth ...
 ...done ...done
-Creating Backchannel keystore, CN = idpmt3.tem-tsp.eu URI = https://idp3.tem-tsp.eu/idp/shibboleth ...+Creating Backchannel keystore, CN = idpr3.imtbs-tsp.eu URI = https://idp3.imtbstsp.eu/idp/shibboleth ...
 ...done ...done
 Creating cookie encryption key files... Creating cookie encryption key files...
Line 262: Line 238:
  
 BUILD SUCCESSFUL BUILD SUCCESSFUL
 +Total time: 2 minutes 14 seconds
 +
 </code> </code>
  
Line 267: Line 245:
  
 <code> <code>
-[root@idp3 shibboleth-identity-provider-3.2.1]# ls -l /opt/shibboleth-idp/credentials/+[root@idp34 shibboleth-identity-provider-3.4.2]# ls -l /opt/shibboleth-idp/credentials/
 total 32 total 32
--rw-r--r-- 1 root root 1168 23 mai   22:14 idp-backchannel.crt +-rw-r--r-- 1 root root 1517  2 janv. 14:23 idp-backchannel.crt 
--rw-r--r-- 1 root root 2554 23 mai   22:14 idp-backchannel.p12 +-rw-r--r-- 1 root root 3399  2 janv. 14:23 idp-backchannel.p12 
--rw-r--r-- 1 root root 1164 23 mai   22:14 idp-encryption.crt +-rw-r--r-- 1 root root 1517  2 janv. 14:23 idp-encryption.crt 
--rw------- 1 root root 1675 23 mai   22:14 idp-encryption.key +-rw------- 1 root root 2455  2 janv. 14:23 idp-encryption.key 
--rw-r--r-- 1 root root 1164 23 mai   22:14 idp-signing.crt +-rw-r--r-- 1 root root 1517  2 janv. 14:23 idp-signing.crt 
--rw------- 1 root root 1675 23 mai   22:14 idp-signing.key +-rw------- 1 root root 2459  2 janv. 14:23 idp-signing.key 
--rw-r--r-- 1 root root  500 23 mai   22:14 sealer.jks +-rw-r--r-- 1 root root  502  2 janv. 14:23 sealer.jks 
--rw-r--r-- 1 root root   48 23 mai   22:14 sealer.kver+-rw-r--r-- 1 root root   47  2 janv. 14:23 sealer.kver
 </code> </code>
  
Line 282: Line 260:
  
 <code> <code>
-[root@idp3 shibboleth-identity-provider-3.2.1]# chown -R tomcat /opt/shibboleth-idp/+[root@idp34 shibboleth-identity-provider-3.4.2]# chown -R tomcat /opt/shibboleth-idp/
 </code> </code>
  
Line 298: Line 276:
 </code> </code>
  
-quelques secondes apres +quelques secondes apres grace a l'auto-deploy
  
 <code> <code>
-root@idp3 localhost]# ls -l /var/lib/tomcat/webapps/idp/+[root@idp34 shibboleth-identity-provider-3.4.2]# ls -l /var/lib/tomcat/webapps/idp/
 total 32 total 32
-drwxr-xr-x 2 tomcat tomcat 4096 25 mai   20:38 css +drwxr-xr-x 2 tomcat tomcat 4096  2 janv. 14:28 css 
-drwxr-xr-x 2 tomcat tomcat 4096 25 mai   20:38 images +drwxr-xr-x 2 tomcat tomcat 4096  2 janv. 14:28 images 
--rw-r--r-- 1 tomcat tomcat 1008 23 mai   22:14 index.jsp +-rw-r--r-- 1 tomcat tomcat 1008  2 janv. 14:23 index.jsp 
-drwxr-xr-x 2 tomcat tomcat 4096 25 mai   20:38 js +drwxr-xr-x 2 tomcat tomcat 4096  2 janv. 14:28 js 
-drwxr-xr-x 2 tomcat tomcat 4096 25 mai   20:38 META-INF +drwxr-xr-x 2 tomcat tomcat 4096  2 janv. 14:28 META-INF 
-drwxr-xr-x 5 tomcat tomcat 4096 25 mai   20:38 WEB-INF +drwxr-xr-x 5 tomcat tomcat 4096  2 janv. 14:28 WEB-INF 
--rw-r--r-- 1 tomcat tomcat 5588 23 mai   22:14 x509-prompt.jsp+-rw-r--r-- 1 tomcat tomcat 5389  2 janv. 14:23 x509-prompt.jsp 
 </code> </code>
  
Line 325: Line 304:
  
 en effet il faut ajouter la librairie jstl (cf http://stackoverflow.com/tags/jstl/info)  qui n'est pas fournie par defaut (risque de conflit avec jboss)  en effet il faut ajouter la librairie jstl (cf http://stackoverflow.com/tags/jstl/info)  qui n'est pas fournie par defaut (risque de conflit avec jboss) 
-cf aussi https://www.switch.ch/aai/guides/idp/installation/#shibbolethidp sous chapitre 6.12 IdP status URL configuration ou https://services.renater.fr/federation/docs/installation/idp3/chap02#installation_d_un_serveur_d_applications_java jstl .+cf aussi https://www.switch.ch/aai/guides/idp/installation/#shibbolethidp sous chapitre 6.13 IdP status URL configuration ou https://services.renater.fr/federation/docs/installation/idp3/chap02#installation_d_un_serveur_d_applications_java jstl .
  
 <code> <code>
-[root@idp3 ~]# cd /var/lib/tomcat/webapps/idp/WEB-INF/lib/ +[root@idp34 shibboleth-identity-provider-3.4.2]# cd /var/lib/tomcat/webapps/idp/WEB-INF/lib/ 
-[root@idp3 lib]# wget http://central.maven.org/maven2/javax/servlet/jstl/1.2/jstl-1.2.jar +[root@idp34 lib]# wget http://central.maven.org/maven2/javax/servlet/jstl/1.2/jstl-1.2.jar 
-[root@idp3 lib]# systemctl restart tomcat+2019-01-02 14:34:08 (9,27 MB/s) - «jstl-1.2.jar» sauvegardé [414240/414240] 
 +[root@idp34 lib]# systemctl restart tomcat
 </code> </code>
  
 +Pour l'acces en https au status il faut autorise l'IP source du navigateur d'admin
 +
 +<code>
 +# vim /opt/shibboleth-idp/conf/access-control.xml
 +<code>
 +...
 + <util:map id="shibboleth.AccessControlPolicies">
 +
 +        <entry key="AccessByIPAddress">
 +            <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
 +                p:allowedRanges="#{ {'127.0.0.1/32', '::1/128', '192.168.0.0/24'} }" />
 +        </entry>
 +        ...
 +</code>
 +
 +
 +maintenant accessible en https://idp3.imtbstsp.eu/idp/status
  
 acces status possible en shell également  acces status possible en shell également 
  
 <code> <code>
- [root@idp3 ~]#  /opt/shibboleth-idp/bin/status.sh+[root@idp34 bin]# /opt/shibboleth-idp/bin/status.sh 
 ### Operating Environment Information ### Operating Environment Information
 operating_system: Linux operating_system: Linux
-operating_system_version: 2.6.32-042stab113.21+operating_system_version: 3.10.0
 operating_system_architecture: amd64 operating_system_architecture: amd64
-jdk_version: 1.8.0_91 +jdk_version: 1.8.0_191 
-available_cores: 32 +available_cores: 12 
-used_memory: 217 MB+used_memory: 137 MB
 maximum_memory: 455 MB maximum_memory: 455 MB
  
 ### Identity Provider Information ### Identity Provider Information
-idp_version: 3.2.1 +idp_version: 3.4.2 
-start_time: 2016-06-21T10:25:36+02:00 +start_time: 2019-01-02T14:35:21Z 
-current_time: 2016-06-21T10:25:36+02:00 +current_time: 2019-01-02T14:36:42Z 
-uptime: 518 ms+uptime: 80907 ms
  
-service: shibboleth.LoggingService 
-last successful reload attempt: 2016-06-21T08:20:43Z 
-last reload attempt: 2016-06-21T08:20:43Z 
-.... 
 </code> </code>
  
-Pour l'acces en http au status il faut autorise l'IP  
  
-<code> 
-CT-a84f4e90 shibboleth-identity-provider-3.3.0# vim /opt/shibboleth-idp/conf/access-control.xml 
-<code> 
-... 
- <util:map id="shibboleth.AccessControlPolicies"> 
- 
-        <entry key="AccessByIPAddress"> 
-            <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl" 
-                p:allowedRanges="#{ {'127.0.0.1/32', '::1/128', '192.168.0.0/24'} }" /> 
-        </entry> 
-        ... 
-</code> 
  
  
Line 407: Line 387:
  
 <code> <code>
-[root@idp3 shibboleth-idp]# wget -O /opt/shibboleth-idp/credentials/metadata-federation-renater.crt https://federation.renater.fr/test/metadata-federation-renater.crt+[root@idp34]# cd /opt/shibboleth-idp/credentials/ 
 +[root@idp34 credentials]# /usr/bin/curl -https://metadata.federation.renater.fr/certs/renater-metadata-signing-cert-2016.pem  
 </code> </code>
  
Line 414: Line 396:
 <code> <code>
 [root@idp3 conf]# tail -18 metadata-providers.xml [root@idp3 conf]# tail -18 metadata-providers.xml
 +         
 +         <!-- Federation de test renater -->
 +   <MetadataProvider id="RenaterTestMetadata"
 +                              xsi:type="FileBackedHTTPMetadataProvider"
 +                      backingFile="%{idp.home}/metadata/preview-sps-renater-test-metadata.xml"
 +                      metadataURL="https://metadata.federation.renater.fr/test/preview/preview-sps-renater-test-metadata.xml">
 +
 +                <MetadataFilter xsi:type="SignatureValidation"
 +                requireSignedRoot="true"
 +                certificateFile="%{idp.home}/credentials/renater-metadata-signing-cert-2016.pem">
 +                </MetadataFilter>
 +        </MetadataProvider>
 +
                      
-    <!-- Federation de test renater --> +   
-    <MetadataProvider id="RenaterTestMetadata" +
-                      xsi:type="FileBackedHTTPMetadataProvider" +
-                      backingFile="%{idp.home}/metadata/renater-test-metadata.xml" +
-                      metadataURL="https://federation.renater.fr/test/renater-test-metadata.xml">  +
-  +
-        <MetadataFilter xsi:type="SignatureValidation" +
-            requireSignedRoot="true" +
-            certificateFile="%{idp.home}/credentials/metadata-federation-renater.crt"> +
-        </MetadataFilter> +
-        <MetadataFilter xsi:type="EntityRoleWhiteList"> +
-            <RetainedRole>md:SPSSODescriptor</RetainedRole> +
-        </MetadataFilter>+
    
     </MetadataProvider>     </MetadataProvider>
Line 437: Line 420:
  
 <code> <code>
-[root@idp3 conf]# systemctl restart tomcat.service  +[root@idp34 conf]# systemctl restart tomcat.service  
-[root@idp3 conf]# ls -../metadata/ + 
-total 6480 +[root@idp34 conf]#  ls -ltr ../metadata/ 
--rw-r--r--  1 tomcat root     12221 23 mai   22:14 idp-metadata.xml +total 31308 
--rw-r--r--  1 tomcat tomcat 6613630 21 juin  18:54 renater-test-metadata.xml+-rw-r--r-- 1 tomcat root      14590  2 janv. 14:23 idp-metadata.xml 
 +-rw-r--r-- 1 tomcat tomcat  6787283  2 janv. 14:47 preview-sps-renater-test-metadata.xml 
 </code> </code>
  
Line 451: Line 436:
  
 idp-process.log : idp-process.log :
-2016-06-21 18:55:56,043 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:306] - Next refresh cycle for metadata provider 'https://federation.renater.fr/test/renater-test-metadata.xml' will occur on '2016-06-21T19:55:55.999Z' ('2016-06-21T21:55:55.999+02:00' local time) + 
-2016-06-21 18:55:56,062 - INFO [Shibboleth-Audit.Reload:241] - 20160621T165556Z||||http://shibboleth.net/ns/profiles/reload-metadata|||||||||+2019-01-02 14:48:18,248 - 127.0.0.1 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:574] - Metadata Resolver FileBackedHTTPMetadataResolver RenaterTestMetadataNew metadata successfully loaded for 'https://metadata.federation.renater.fr/test/preview/preview-sps-renater-test-metadata.xml' 
 +2019-01-02 14:48:18,250 - 127.0.0.1 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:384] - Metadata Resolver FileBackedHTTPMetadataResolver RenaterTestMetadata: Next refresh cycle for metadata provider 'https://metadata.federation.renater.fr/test/preview/preview-sps-renater-test-metadata.xml' will occur on '2019-01-02T15:33:16.891Z' ('2019-01-02T15:33:16.891Z' local time) 
 +2019-01-02 14:48:18,268 - 127.0.0.1 - INFO [Shibboleth-Audit.Reload:275] - 20190102T144818Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||| 
 + 
  
 </code> </code>
Line 663: Line 652:
 https://services.renater.fr/federation/docs/installation/idp3/chap08 https://services.renater.fr/federation/docs/installation/idp3/chap08
  
-<code> 
-[root@idp3]# cd /opt/src/ 
  
-[root@idp3 src]# git clone https://github.com/Unicon/shib-cas-authn3 shib-cas-authn3-git-master +<code> 
-Cloning into 'shib-cas-authn3-git-master'... +[root@idp34 src]# wget https://github.com/Unicon/shib-cas-authn3/releases/download/3.2.3/shib-cas-authn3-3.2.3.tar 
-remote: Counting objects: 1172, done+[root@idp34 src]# tar xvf shib-cas-authn3-3.2.3.tar 
-remote: Total 1172 (delta 0), reused 0 (delta 0), pack-reused 1172 +..
-Receiving objects: 100% (1172/1172), 991.61 KiB | 884.00 KiB/s, done+shib-cas-authn3-3.2.3/edit-webapp/WEB-INF/lib/cas-client-core-3.4.1.jar 
-Resolving deltas: 100% (427/427), done.+shib-cas-authn3-3.2.3/edit-webapp/WEB-INF/lib/shib-cas-authenticator-3.2.3.jar 
 +shib-cas-authn3-3.2.3/edit-webapp/no-conversation-state.jsp 
 +..
  
-[root@idp3 src]# cp -R /opt/src/shib-cas-authn3-git-master/IDP_HOME/flows/authn/Shibcas/ /opt/shibboleth-idp/flows/authn/ +[root@idp34 src]# cp shib-cas-authn3-3.2.3/edit-webapp/WEB-INF/lib/shib-cas-authenticator-3.2.3.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib
-[root@idp3 src]# wget https://github.com/Unicon/shib-cas-authn3/releases/download/v3.0.0/shib-cas-authenticator-3.0.0.jar  +
-[root@idp3 src]# mv shib-cas-authenticator-3.0.0.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/  +
-[root@idp3 src]# wget http://central.maven.org/maven2/org/jasig/cas/client/cas-client-core/3.3.3/cas-client-core-3.3.3.jar+
  
-[root@idp3 src]# mv cas-client-core-3.3.3.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/+[root@idp34 src]# cp -R shib-cas-authn3-3.2.3/flows/authn/Shibcas/ /opt/shibboleth-idp/flows/authn/ 
 +[root@idp34 src]# ls -ltr /opt/shibboleth-idp/flows/authn/Shibcas/ 
 +total 8 
 +-rw-r--r-- 1 root root 2290  2 janv. 21:23 shibcas-authn-flow.xml 
 +-rw-r--r-- 1 root root 3241  2 janv. 21:23 shibcas-authn-beans.xml
  
 +[root@idp34 src]# wget http://central.maven.org/maven2/org/jasig/cas/client/cas-client-core/3.5.1/cas-client-core-3.5.1.jar
 +[root@idp34 src]# cp cas-client-core-3.5.1.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
 </code> </code>
  
Line 709: Line 701:
  
 <code> <code>
 +
 +[root@idp34 conf]# cd /opt/shibboleth-idp/conf/authn/
 +[root@idp34 authn]# cp general-authn.xml general-authn.xml.dist
 +
 [root@idp3 authn]# diff general-authn.xml general-authn.xml.dist  [root@idp3 authn]# diff general-authn.xml general-authn.xml.dist 
 93,98d92 93,98d92
docpublic/systemes/shibboleth/idpv3x.1546438602.txt.gz · Last modified: 2019/01/02 14:16 by procacci@tem-tsp.eu
Show pageOld revisions
[unknown link type]Back to top
CC Attribution-Noncommercial-Share Alike 4.0 International
www.chimeric.de Valid CSS Driven by DokuWiki do yourself a favour and use a real browser - get firefox!! Recent changes RSS feed Valid XHTML 1.0