SiNotes-Grid
Thursday, June 29, 2006
Deploy Myproxy
Suppose you have already installed GT4 and sorted out all the security configuration.
1) Copy $GLOBUS_LOCATION/share/myproxy/myproxy-server.config to $GLOBUS_LOCATION/etc/ and uncomment these lines:
accepted_credentials "*"
authorized_retrievers "*"
default_retrievers "*"
authorized_renewers "*"
default_renewers "none"
2) Source the Globus user environment:
source $GLOBUS_LOCATION/etc/globus-user-env.csh
3) Run the server in debug mode:
$GLOBUS_LOCATION/sbin/myproxy-server -d
If no errors are reported, restart myproxy-server without the "-d" (debug) parameter.
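As an added example (not from the original notes), a small POSIX shell audit of the policy directives in a myproxy-server.config. The wildcards uncommented in step 1 mean "any DN holding a certificate from a trusted CA", which is fine for accepted_credentials but worth a second look on the retriever/renewer lines; the directive meanings are MyProxy's and the sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the original notes). Audits the access policy in a
# myproxy-server.config like the one uncommented in step 1. Directive names
# and their meaning are MyProxy's; the sample file below is constructed.

# Emit "directive<TAB>value" for each policy directive, ignoring comments.
# authorized_* is the server-wide ceiling; default_* is what a credential
# gets when its owner stored it without an explicit policy.
myproxy_policy() {
    sed -e 's/#.*//' "$1" | awk '
        $1 ~ /^(accepted_credentials|authorized_retrievers|default_retrievers|authorized_renewers|default_renewers)$/ {
            d = $1
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # drop the directive, keep the value(s)
            print d "\t" $0
        }'
}

# Count the directives that let *any* trusted DN retrieve or renew stored
# credentials. accepted_credentials "*" is the usual setting (anyone with a
# certificate from a trusted CA may store); a wildcard on the other two
# hands every such DN the stored proxies, so it should be narrowed to the
# portal/service DNs that actually need them. Warnings go to stderr.
myproxy_wildcard_count() {
    myproxy_policy "$1" | awk -F'\t' '
        ($1 == "authorized_retrievers" || $1 == "authorized_renewers") && $2 ~ /^"\*"$/ {
            print "WARN: " $1 " " $2 " allows every trusted DN" | "cat 1>&2"
            n++
        }
        END { print n + 0 }'
}

# Constructed sample: the five lines from step 1 plus a commented-out line
# that the parser must ignore.
write_sample_config() {
    cat > "$1" <<'EOF'
# accepted_credentials "/O=Example/CN=*"   <- commented out, must be ignored
accepted_credentials "*"
authorized_retrievers "*"
default_retrievers "*"
authorized_renewers "*"
default_renewers "none"
EOF
}

if [ "${1:-}" ]; then
    myproxy_policy "$1"
    echo "wildcard grants: $(myproxy_wildcard_count "$1")"
fi
```

Run it as `sh audit.sh $GLOBUS_LOCATION/etc/myproxy-server.config` to see the effective policy and the number of wildcard grants.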
Tuesday, May 23, 2006
Globus Toolkit 4 Installation on SL4
Reference:
http://www.globus.org/toolkit/docs/4.0/admin/docbook/ch04.html
http://www-unix.globus.org/toolkit/docs/4.0/admin/docbook/ch03.html#s-platform-redhat
http://www-unix.globus.org/toolkit/docs/4.0/security/myproxy/admin-index.html#s-myproxy-admin-installing
http://gdp.globus.org/gt4-tutorial/singlehtml/progtutorial_0.2.1.html
*N.B.* One thing that should be pointed out is that the installation procedure doesn't seem totally "standard". Normally you can use whatever user to "configure" and "make" the source code, and only su to root when you "make install". But the "make" in the Globus Toolkit already starts copying files to your installation directory!!! Make sure you have write access when you run "make"!
1. ./configure --prefix=/usr/local/globus-4.0.2 --with-buildopts="--verbose"
Monday, May 22, 2006
WebAuth Installation & Configuration
Suppose you already have
1. Download the source from http://webauthv3.stanford.edu/download.html
2. Configure the source using:
./configure --with-apache=/usr/local/apache20 --with-apxs=/usr/local/apache20/bin/apxs --with-kerberos=/usr/local/kerberos5 --with-ldap=/usr/local/openLDAP
3. make
4. make check
5. make install
*N.B.*
1) If you don't specify the installation directory using --prefix, the shared library files will be installed in /usr/local/lib.
2) The kerberos and ldap configure parameters were required for me, otherwise make can't find the appropriate library files. After the installation, you may still find errors when apache tries to load mod_webauth.so, something like "cant find libwebauth.so"; that's because mod_webauth depends on these library files. You can copy them from /usr/local/lib/* and /usr/local/kerberos5/lib to "/usr/lib" or "httpd20/lib".
3) If you see a "Segmentation fault" error when you try to start apache and it fails, make sure your apache process has write access to the keyring and other cache files defined in your mod_webauth.conf!! (Be sure to create the directory if you haven't!!) You can switch on debug for the webauth module in mod_webauth.conf and check httpd20/logs/error_log.
4) If you can start apache but fail to access the desired webpage, check your httpd20/logs/ssl8080_error_log.
5) If you see error messages like "fail to checking webAuth's certificate", it's because the webKDC is using a self-signed certificate (http://webauth.stanford.edu/manual/mod/mod_webauth.html). You can switch off the certificate checking during the test/development stage by using:
WebAuthWebKdcSSLCertCheck off
Or, you can also use
WebAuthWebKdcSSLCertFile conf/webauth/webkdc.cert
to specify the cert file.
6) *IMPORTANT* When you start up apache as root, you can set the user & group you want the httpd process to run as in your httpd.conf. Actually in apache 2.0.58, it's set to "nobody" by default.
This means the apache process might have difficulty reading your webKDC keytab file if it doesn't have the correct access rights. A recommended way is to modify your httpd.conf and change the default "nobody" user to a user who has read access to the webKDC keytab file.
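As an added example (not part of the original notes), a POSIX shell pre-flight check that covers notes 3) and 6) together: it reads User/Group from httpd.conf and decides from owner, group and mode bits whether that identity can read the webKDC keytab and write the keyring directory. The keytab and keyring paths are passed in as arguments; the conf file and files used in the sample are constructed, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the original notes): pre-flight check for the two
# permission problems in notes 3) and 6), run before starting apache.
# User/Group are Apache directives; the keytab and keyring paths are passed in.
# The decision uses owner, group and mode bits only (no ACLs, no supplementary
# groups), so treat a "no" as something to inspect, not as proof of a fault.

# httpd_directive CONF NAME DEFAULT: last value of NAME in httpd.conf.
httpd_directive() {
    v=$(sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

# mode_allows USER GROUP FILE r|w: exit 0 if the mode bits grant that access.
mode_allows() {
    info=$(stat -c '%U %G %a' "$3" 2>/dev/null) || return 1      # GNU stat
    owner=${info%% *}; rest=${info#* }; grp=${rest%% *}; mode=${rest#* }
    mode=$(printf '%s' "$mode" | sed 's/.*\(...\)$/\1/')        # drop setuid/sticky digit
    if   [ "$1" = "$owner" ]; then digit=$(printf '%s' "$mode" | cut -c1)
    elif [ "$2" = "$grp" ];   then digit=$(printf '%s' "$mode" | cut -c2)
    else                           digit=$(printf '%s' "$mode" | cut -c3)
    fi
    case $4 in r) bit=4 ;; w) bit=2 ;; *) return 2 ;; esac
    [ $(( digit & bit )) -ne 0 ]
}

# webauth_preflight HTTPD_CONF KEYTAB KEYRING_DIR: prints the number of
# problems found; the details go to stderr.
webauth_preflight() {
    user=$(httpd_directive "$1" User nobody)      # apache 2.0.58 default
    group=$(httpd_directive "$1" Group nobody)
    n=0
    # note 6): mod_webauth reads the webKDC keytab as the httpd user
    mode_allows "$user" "$group" "$2" r ||
        { echo "keytab $2 is not readable by $user:$group" >&2; n=$((n+1)); }
    # note 3): keyring/cache directory must exist and be writable, or apache segfaults
    if [ ! -d "$3" ]; then
        echo "keyring directory $3 does not exist; create it" >&2; n=$((n+1))
    elif ! mode_allows "$user" "$group" "$3" w; then
        echo "keyring directory $3 is not writable by $user:$group" >&2; n=$((n+1))
    fi
    echo "$n"
}

if [ "$#" -eq 3 ]; then
    webauth_preflight "$@"
fi
```

Run it as `sh preflight.sh /usr/local/apache20/conf/httpd.conf /path/to/webkdc.keytab /path/to/keyring-dir`; a non-zero count means fix ownership or create the directory before starting apache.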
The minimal configuration of webAuth with detailed explanation can be learned from:
http://webauth.stanford.edu/conf-basic.html
An Oxford-specific configuration is available at:
http://www.oucs.ox.ac.uk/webauth/index.xml?style=printable
Thursday, May 18, 2006
Use mod_proxy to connect Apache 2.0 and Tomcat
Referenced instructions:
http://tomcat.apache.org/tomcat-4.1-doc/proxy-howto.html
1. Make sure you have already configured apache with the "--enable-proxy --enable-proxy-http" parameters.
2. If you have done step 1, apache 2.0.58 will automatically load mod_proxy for you at startup (if not, load mod_proxy in your httpd.conf).
3. In the "Location" block of httpd.conf that you want forwarded to tomcat, add two lines:
ProxyPass http://ktang.oerc.ox.ac.uk:8081/shibboleth2/sample.jsp
ProxyPassReverse http://ktang.oerc.ox.ac.uk:8081/shibboleth2/sample.jsp
*N.B.* Use "http" or "https" appropriately. In my case, tomcat and apache reside on the same machine, so I chose to let tomcat listen on port 8081 without enabling SSL.
4. In the server.xml of your tomcat, add an HTTP connector. You don't have to remove your existing AJP13 connector if you have one. They can function simultaneously, each serving some of your web applications. Just put your new connector under the same "Service" element as your AJP connector:
<Connector port="8081" className="org.apache.catalina.connector.http.HttpConnector"
           maxHttpHeaderSize="81920" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" redirectPort="443" acceptCount="100"
           connectionTimeout="20000" disableUploadTimeout="true"
           proxyName="ktang.oerc.ox.ac.uk"
           proxyPort="8080"/>
*N.B.* There's an attribute (maxHttpHeaderSize) used to limit the maximum header size; the default is also around 8K!! (just like AJP13). The only reason I changed from AJP13 to mod_proxy was to forward bigger HTTP headers (packets), so change this value if you need to.
5. Make sure to use a filter/firewall/whatever to restrict access to your tomcat server's 8081 port for security reasons.
Tuesday, May 09, 2006
Installation and configuration of IdP
After the configuration of the IdP, use the following command to test it:
./resolvertest --idpXml=file:///usr/local/shibboleth-idp/etc/idp.xml --requester=https://ktang.oerc.ox.ac.uk/shibboleth --user=David.Wallom
* Sometimes you may find tomcat has a problem loading the IdP servlet; information like
"Idp servlet is not available" will be displayed when the user's browser is directed to the IdP.
Make sure you start the tomcat process as root, otherwise some privilege issues might be the reason!!
* Some code of Shibboleth-idp needs to be modified before installation, otherwise.........
Monday, May 08, 2006
Installation & configuration of SP under EL4
- Reference:
- http://www.switch.ch/aai/docs/shibboleth/SWITCH/1.3/sp/install-sp-1.3-debian.html
- https://authdev.it.ohio-state.edu/twiki/bin/view/Shibboleth/LinuxNotes
N.B. Shibboleth 1.3 (SP) requires apache 2.0.x; compiling errors will occur if using apache 2.2.x!!!
- 1) OpenSSL
- not needed, just use what comes with your Linux
- 2) libcurl
- (Downloaded from http://curl.haxx.se/libcurl)
- usually not needed, or use
./configure --disable-static --without-ca-bundle --enable-thread --prefix=/usr/local/shibboleth-sp
- 3) log4cpp
- (*Must* download from http://shibboleth.internet2.edu/downloads/log4cpp-0.3.5rc1.tar.gz)
./configure --disable-static --disable-doxygen --prefix=/usr/local/shibboleth-sp
- 4) Xerces-C
- (*Must* download from http://shibboleth.internet2.edu/downloads/xerces-c-src_2_6_1.tar.gz)
- (*Must* export XERCESCROOT=/home/synew/download/shibboleth-sp/xerces-c-src_2_6_1)
./runConfigure -p linux -c gcc -x g++ -r pthread -b 32 -P /usr/local/shibboleth-sp
- 5) XML-Security-C
- (*Must* download from http://xml.apache.org/dist/security/c-library/xml-security-c-1.2.1.tar.gz)
- (*Must* export XERCESCROOT=/home/synew/download/shibboleth-sp/xerces-c-src_2_6_1)
./configure --without-xalan --prefix=/usr/local/shibboleth-sp
- 6) OpenSAML
- (*Must* download from http://shibboleth.internet2.edu/downloads/opensaml-1.1a.tar.gz)
./configure --with-curl=/usr/local/shibboleth-sp --with-log4cpp=/usr/local/shibboleth-sp --prefix=/usr/local/shibboleth-sp -C
7) build shibboleth 1.3:
./configure --with-saml=/usr/local/shibboleth-sp --with-log4cpp=/usr/local/shibboleth-sp --enable-apache-20 --with-apxs2=/usr/local/apache20/bin/apxs --with-apr=/usr/local/apache20/bin/apr-config --prefix=/usr/local/shibboleth-sp -C
#########Post Configuration of SP #################################
Ref: https://authdev.it.ohio-state.edu/twiki/bin/view/Shibboleth/SPApacheConfiguration
Suppose apache 2.0.x with mod_ssl is already successfully installed in /usr/local/apache20.
1) Add the following line to the end of /usr/local/apache20/conf/httpd.conf (*Not* in any VirtualHost!!):
Include /usr/local/shibboleth-sp/etc/shibboleth/apache2.config
2) In /usr/local/apache20/conf/httpd.conf, set:
UseCanonicalName on
And uncomment ServerName:
ServerName ktang.oerc.ox.ac.uk:8080
3) To start the shibboleth daemon, use
/usr/local/shibboleth-sp/sbin/shibd &
Thursday, May 04, 2006
SPIE
Is the LDAP server dedicatedly created for the SPIE project and maintained by SPIE?
If yes, how did they populate the LDAP server?
To be authenticated through webAuth is not hard, and if we don't have access to the centre LDAP
directory (if we have one), I would like to create one myself for testing purposes.
Then there is no point in using the IdP from SPIE; creating my own will be more flexible.
Q: When users are redirected to the SSO handler for authentication, a handle will be generated and sent to the SP within a SAML assertion. Then the SP daemon uses this handle as a temporary reference to
query the attributes from the AA handler of the IdP. The question is, the SSO authentication is performed through the Kerberos database, while attributes are stored in the LDAP directory; how can the handler map them together so that we can find the desired attributes for the right person?