Differences

This shows you the differences between two versions of the page.

--- docpublic:systemes:shibboleth:idpv3x [2019/01/02 14:25]
procacci@tem-tsp.eu [install]
+++ docpublic:systemes:shibboleth:idpv3x [2019/01/02 21:57] (current)
procacci@tem-tsp.eu [SSO CAS]
@@ Line 240: / Line 240: @@
 Total time: 2 minutes 14 seconds
-</code>
-[root@idp3 shibboleth-identity-provider-3.2.1]# export JAVA_HOME=/usr/lib/jvm/java
-[root@idp3 shibboleth-identity-provider-3.2.1]# ./bin/install.sh
-Source (Distribution) Directory: [/opt/src/shibboleth-identity-provider-3.2.1]
-Installation Directory: [/opt/shibboleth-idp]
-Hostname: [localhost.localdomain]
-idp3.tem-tsp.eu
-SAML EntityID: [https://idp3.tem-tsp.eu/idp/shibboleth]
-Attribute Scope: [localdomain]
-tem-tsp.eu
-Backchannel PKCS12 Password: glsecretidp
-Re-enter password:
-Cookie Encryption Key Password:
-Password cannot be zero length
-Cookie Encryption Key Password: glsecretidp
-Re-enter password:
-Warning: /opt/shibboleth-idp/bin does not exist.
-Warning: /opt/shibboleth-idp/dist does not exist.
-Warning: /opt/shibboleth-idp/doc does not exist.
-Warning: /opt/shibboleth-idp/system does not exist.
-Warning: /opt/shibboleth-idp/webapp does not exist.
-Generating Signing Key, CN = idpmt3.tem-tsp.eu URI = https://idp3.tem-tsp.eu/idp/shibboleth ...
-...done
-Creating Encryption Key, CN = idpmt3.tem-tsp.eu URI = https://idp3.tem-tsp.eu/idp/shibboleth ...
-...done
-Creating Backchannel keystore, CN = idpmt3.tem-tsp.eu URI = https://idp3.tem-tsp.eu/idp/shibboleth ...
-...done
-Creating cookie encryption key files...
-...done
-Rebuilding /opt/shibboleth-idp/war/idp.war ...
-...done
-BUILD SUCCESSFUL
 </code>
@@ Line 284: / Line 245: @@
 <code>
-[root@idp3 shibboleth-identity-provider-3.2.1]# ls -l /opt/shibboleth-idp/credentials/
+[root@idp34 shibboleth-identity-provider-3.4.2]# ls -l /opt/shibboleth-idp/credentials/
 total 32
--rw-r--r-- 1 root root 1168 23 mai   22:14 idp-backchannel.crt
+-rw-r--r-- 1 root root 1517  2 janv. 14:23 idp-backchannel.crt
--rw-r--r-- 1 root root 2554 23 mai   22:14 idp-backchannel.p12
+-rw-r--r-- 1 root root 3399  2 janv. 14:23 idp-backchannel.p12
--rw-r--r-- 1 root root 1164 23 mai   22:14 idp-encryption.crt
+-rw-r--r-- 1 root root 1517  2 janv. 14:23 idp-encryption.crt
--rw------- 1 root root 1675 23 mai   22:14 idp-encryption.key
+-rw------- 1 root root 2455  2 janv. 14:23 idp-encryption.key
--rw-r--r-- 1 root root 1164 23 mai   22:14 idp-signing.crt
+-rw-r--r-- 1 root root 1517  2 janv. 14:23 idp-signing.crt
--rw------- 1 root root 1675 23 mai   22:14 idp-signing.key
+-rw------- 1 root root 2459  2 janv. 14:23 idp-signing.key
--rw-r--r-- 1 root root  500 23 mai   22:14 sealer.jks
+-rw-r--r-- 1 root root  502  2 janv. 14:23 sealer.jks
--rw-r--r-- 1 root root   48 23 mai   22:14 sealer.kver
+-rw-r--r-- 1 root root   47  2 janv. 14:23 sealer.kver
 </code>
@@ Line 299: / Line 260: @@
 <code>
-[root@idp3 shibboleth-identity-provider-3.2.1]# chown -R tomcat /opt/shibboleth-idp/
+[root@idp34 shibboleth-identity-provider-3.4.2]# chown -R tomcat /opt/shibboleth-idp/
 </code>
@@ Line 315: / Line 276: @@
 </code>
-quelques secondes apres
+quelques secondes apres grace a l'auto-deploy
 <code>
-root@idp3 localhost]# ls -l /var/lib/tomcat/webapps/idp/
+[root@idp34 shibboleth-identity-provider-3.4.2]# ls -l /var/lib/tomcat/webapps/idp/
 total 32
-drwxr-xr-x 2 tomcat tomcat 4096 25 mai   20:38 css
+drwxr-xr-x 2 tomcat tomcat 4096  2 janv. 14:28 css
-drwxr-xr-x 2 tomcat tomcat 4096 25 mai   20:38 images
+drwxr-xr-x 2 tomcat tomcat 4096  2 janv. 14:28 images
--rw-r--r-- 1 tomcat tomcat 1008 23 mai   22:14 index.jsp
+-rw-r--r-- 1 tomcat tomcat 1008  2 janv. 14:23 index.jsp
-drwxr-xr-x 2 tomcat tomcat 4096 25 mai   20:38 js
+drwxr-xr-x 2 tomcat tomcat 4096  2 janv. 14:28 js
-drwxr-xr-x 2 tomcat tomcat 4096 25 mai   20:38 META-INF
+drwxr-xr-x 2 tomcat tomcat 4096  2 janv. 14:28 META-INF
-drwxr-xr-x 5 tomcat tomcat 4096 25 mai   20:38 WEB-INF
+drwxr-xr-x 5 tomcat tomcat 4096  2 janv. 14:28 WEB-INF
--rw-r--r-- 1 tomcat tomcat 5588 23 mai   22:14 x509-prompt.jsp
+-rw-r--r-- 1 tomcat tomcat 5389  2 janv. 14:23 x509-prompt.jsp
 </code>
@@ Line 342: / Line 304: @@
 en effet il faut ajouter la librairie jstl (cf http://stackoverflow.com/tags/jstl/info)  qui n'est pas fournie par defaut (risque de conflit avec jboss)
-cf aussi https://www.switch.ch/aai/guides/idp/installation/#shibbolethidp sous chapitre 6.12 IdP status URL configuration ou https://services.renater.fr/federation/docs/installation/idp3/chap02#installation_d_un_serveur_d_applications_java jstl .
+cf aussi https://www.switch.ch/aai/guides/idp/installation/#shibbolethidp sous chapitre 6.13 IdP status URL configuration ou https://services.renater.fr/federation/docs/installation/idp3/chap02#installation_d_un_serveur_d_applications_java jstl .
 <code>
-[root@idp3 ~]# cd /var/lib/tomcat/webapps/idp/WEB-INF/lib/
+[root@idp34 shibboleth-identity-provider-3.4.2]# cd /var/lib/tomcat/webapps/idp/WEB-INF/lib/
-[root@idp3 lib]# wget http://central.maven.org/maven2/javax/servlet/jstl/1.2/jstl-1.2.jar
+[root@idp34 lib]# wget http://central.maven.org/maven2/javax/servlet/jstl/1.2/jstl-1.2.jar
-[root@idp3 lib]# systemctl restart tomcat
+-01-02 14:34:08 (9,27 MB/s) - «jstl-1.2.jar» sauvegardé [414240/414240]
+[root@idp34 lib]# systemctl restart tomcat
 </code>
+Pour l'acces en https au status il faut autorise l'IP source du navigateur d'admin
+<code>
+# vim /opt/shibboleth-idp/conf/access-control.xml
+<code>
+...
+ <util:map id="shibboleth.AccessControlPolicies">
+        <entry key="AccessByIPAddress">
+            <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
+                p:allowedRanges="#{ {'127.0.0.1/32', '::1/128', '192.168.0.0/24'} }" />
+        </entry>
+        ...
+</code>
+maintenant accessible en https://idp3.imtbstsp.eu/idp/status
 acces status possible en shell également
 <code>
- [root@idp3 ~]#  /opt/shibboleth-idp/bin/status.sh
+[root@idp34 bin]# /opt/shibboleth-idp/bin/status.sh
 ### Operating Environment Information
 operating_system: Linux
-operating_system_version: 2.6.32-042stab113.21
+operating_system_version: 3.10.0
 operating_system_architecture: amd64
-jdk_version: 1.8.0_91
+jdk_version: 1.8.0_191
-available_cores: 32
+available_cores: 12
-used_memory: 217 MB
+used_memory: 137 MB
 maximum_memory: 455 MB
 ### Identity Provider Information
-idp_version: 3.2.1
+idp_version: 3.4.2
-start_time: 2016-06-21T10:25:36+02:00
+start_time: 2019-01-02T14:35:21Z
-current_time: 2016-06-21T10:25:36+02:00
+current_time: 2019-01-02T14:36:42Z
-uptime: 518 ms
+uptime: 80907 ms
-service: shibboleth.LoggingService
-last successful reload attempt: 2016-06-21T08:20:43Z
-last reload attempt: 2016-06-21T08:20:43Z
-....
 </code>
-Pour l'acces en http au status il faut autorise l'IP
-<code>
-CT-a84f4e90 shibboleth-identity-provider-3.3.0# vim /opt/shibboleth-idp/conf/access-control.xml
-<code>
-...
- <util:map id="shibboleth.AccessControlPolicies">
-        <entry key="AccessByIPAddress">
-            <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
-                p:allowedRanges="#{ {'127.0.0.1/32', '::1/128', '192.168.0.0/24'} }" />
-        </entry>
-        ...
-</code>
@@ Line 424: / Line 387: @@
 <code>
-[root@idp3 shibboleth-idp]# wget -O /opt/shibboleth-idp/credentials/metadata-federation-renater.crt https://federation.renater.fr/test/metadata-federation-renater.crt
+[root@idp34]# cd /opt/shibboleth-idp/credentials/
+[root@idp34 credentials]# /usr/bin/curl -O https://metadata.federation.renater.fr/certs/renater-metadata-signing-cert-2016.pem
 </code>
@@ Line 431: / Line 396: @@
 <code>
 [root@idp3 conf]# tail -18 metadata-providers.xml
+         <!-- Federation de test renater -->
+   <MetadataProvider id="RenaterTestMetadata"
+                              xsi:type="FileBackedHTTPMetadataProvider"
+                      backingFile="%{idp.home}/metadata/preview-sps-renater-test-metadata.xml"
+                      metadataURL="https://metadata.federation.renater.fr/test/preview/preview-sps-renater-test-metadata.xml">
+                <MetadataFilter xsi:type="SignatureValidation"
+                requireSignedRoot="true"
+                certificateFile="%{idp.home}/credentials/renater-metadata-signing-cert-2016.pem">
+                </MetadataFilter>
+        </MetadataProvider>
-    <!-- Federation de test renater -->
-    <MetadataProvider id="RenaterTestMetadata"
-                      xsi:type="FileBackedHTTPMetadataProvider"
-                      backingFile="%{idp.home}/metadata/renater-test-metadata.xml"
-                      metadataURL="https://federation.renater.fr/test/renater-test-metadata.xml">
-        <MetadataFilter xsi:type="SignatureValidation"
-            requireSignedRoot="true"
-            certificateFile="%{idp.home}/credentials/metadata-federation-renater.crt">
-        </MetadataFilter>
-        <MetadataFilter xsi:type="EntityRoleWhiteList">
-            <RetainedRole>md:SPSSODescriptor</RetainedRole>
-        </MetadataFilter>
     </MetadataProvider>
@@ Line 454: / Line 420: @@
 <code>
-[root@idp3 conf]# systemctl restart tomcat.service
+[root@idp34 conf]# systemctl restart tomcat.service
-[root@idp3 conf]# ls -l ../metadata/
-total 6480
+[root@idp34 conf]#  ls -ltr ../metadata/
--rw-r--r--  1 tomcat root     12221 23 mai   22:14 idp-metadata.xml
+total 31308
--rw-r--r--  1 tomcat tomcat 6613630 21 juin  18:54 renater-test-metadata.xml
+-rw-r--r-- 1 tomcat root      14590  2 janv. 14:23 idp-metadata.xml
+-rw-r--r-- 1 tomcat tomcat  6787283  2 janv. 14:47 preview-sps-renater-test-metadata.xml
 </code>
@@ Line 468: / Line 436: @@
 idp-process.log :
--06-21 18:55:56,043 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:306] - Next refresh cycle for metadata provider 'https://federation.renater.fr/test/renater-test-metadata.xml' will occur on '2016-06-21T19:55:55.999Z' ('2016-06-21T21:55:55.999+02:00' local time)
--06-21 18:55:56,062 - INFO [Shibboleth-Audit.Reload:241] - 20160621T165556Z||||http://shibboleth.net/ns/profiles/reload-metadata|||||||||
+-01-02 14:48:18,248 - 127.0.0.1 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:574] - Metadata Resolver FileBackedHTTPMetadataResolver RenaterTestMetadata: New metadata successfully loaded for 'https://metadata.federation.renater.fr/test/preview/preview-sps-renater-test-metadata.xml'
+-01-02 14:48:18,250 - 127.0.0.1 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:384] - Metadata Resolver FileBackedHTTPMetadataResolver RenaterTestMetadata: Next refresh cycle for metadata provider 'https://metadata.federation.renater.fr/test/preview/preview-sps-renater-test-metadata.xml' will occur on '2019-01-02T15:33:16.891Z' ('2019-01-02T15:33:16.891Z' local time)
+-01-02 14:48:18,268 - 127.0.0.1 - INFO [Shibboleth-Audit.Reload:275] - 20190102T144818Z||||http://shibboleth.net/ns/profiles/reload-metadata|||||||||
 </code>
@@ Line 680: / Line 652: @@
 https://services.renater.fr/federation/docs/installation/idp3/chap08
-<code>
-[root@idp3]# cd /opt/src/
-[root@idp3 src]# git clone https://github.com/Unicon/shib-cas-authn3 shib-cas-authn3-git-master
+<code>
-Cloning into 'shib-cas-authn3-git-master'...
+[root@idp34 src]# wget https://github.com/Unicon/shib-cas-authn3/releases/download/3.2.3/shib-cas-authn3-3.2.3.tar
-remote: Counting objects: 1172, done.
+[root@idp34 src]# tar xvf shib-cas-authn3-3.2.3.tar
-remote: Total 1172 (delta 0), reused 0 (delta 0), pack-reused 1172
+...
-Receiving objects: 100% (1172/1172), 991.61 KiB | 884.00 KiB/s, done.
+shib-cas-authn3-3.2.3/edit-webapp/WEB-INF/lib/cas-client-core-3.4.1.jar
-Resolving deltas: 100% (427/427), done.
+shib-cas-authn3-3.2.3/edit-webapp/WEB-INF/lib/shib-cas-authenticator-3.2.3.jar
+shib-cas-authn3-3.2.3/edit-webapp/no-conversation-state.jsp
+..
-[root@idp3 src]# cp -R /opt/src/shib-cas-authn3-git-master/IDP_HOME/flows/authn/Shibcas/ /opt/shibboleth-idp/flows/authn/
+[root@idp34 src]# cp shib-cas-authn3-3.2.3/edit-webapp/WEB-INF/lib/shib-cas-authenticator-3.2.3.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib
-[root@idp3 src]# wget https://github.com/Unicon/shib-cas-authn3/releases/download/v3.0.0/shib-cas-authenticator-3.0.0.jar
-[root@idp3 src]# mv shib-cas-authenticator-3.0.0.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
-[root@idp3 src]# wget http://central.maven.org/maven2/org/jasig/cas/client/cas-client-core/3.3.3/cas-client-core-3.3.3.jar
-[root@idp3 src]# mv cas-client-core-3.3.3.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
+[root@idp34 src]# cp -R shib-cas-authn3-3.2.3/flows/authn/Shibcas/ /opt/shibboleth-idp/flows/authn/
+[root@idp34 src]# ls -ltr /opt/shibboleth-idp/flows/authn/Shibcas/
+total 8
+-rw-r--r-- 1 root root 2290  2 janv. 21:23 shibcas-authn-flow.xml
+-rw-r--r-- 1 root root 3241  2 janv. 21:23 shibcas-authn-beans.xml
+[root@idp34 src]# wget http://central.maven.org/maven2/org/jasig/cas/client/cas-client-core/3.5.1/cas-client-core-3.5.1.jar
+[root@idp34 src]# cp cas-client-core-3.5.1.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
 </code>
@@ Line 726: / Line 701: @@
 <code>
+[root@idp34 conf]# cd /opt/shibboleth-idp/conf/authn/
+[root@idp34 authn]# cp general-authn.xml general-authn.xml.dist
 [root@idp3 authn]# diff general-authn.xml general-authn.xml.dist
 ,98d92

docpublic/systemes/shibboleth/idpv3x.1546439135.txt.gz · Last modified: 2019/01/02 14:25 by procacci@tem-tsp.eu

Show page Old revisions

[unknown link type]Back to top