HOWTO use JK1.2.15 to connect Tomcat5.5 and Apache2.2
1. Set up Apache 2.2, Tomcat 5.5 and JK1.2.15 separately, following the instructions in
http://johnturner.com/howto/apache2-tomcat4127-jk-rh9-howto.html
a. install Apache
b. install Tomcat 5.5
c. install mod_jk
a) download the source code of mod_jk 1.2.15 from:
http://apache.rmplc.co.uk/tomcat/tomcat-connectors/jk/source/jk-1.2.15/jakarta-tomcat-connectors-1.2.15-src.tar.gz
b) cd jakarta-tomcat-connectors-1.2.15-src/jk/native
c) ./buildconf.sh
d) ./configure --with-apxs=/usr/local/apache/bin/apxs
e) make
f) make install
Check apache2/modules; you should now see mod_jk with mode 755 in this directory.
2. In tomcat5/conf/,
mv server-minimal.xml server.xml
then edit server.xml:
delete the line:
<Connector port="8080" />
And change the port 8009 line to:
<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
enableLookups="false" redirectPort="443"
tomcatAuthentication="false" />
3. Create a file "workers.properties" in "/opt/tomcat/conf/jk/" and include the following in it:
# /etc/tomcat/workers.properties
# define a worker using ajp13
worker.list=ajp13
worker.ajp13.type=ajp13
worker.ajp13.host=localhost
worker.ajp13.port=8009
worker.ajp13.lbfactor=50
worker.ajp13.cachesize=10
worker.ajp13.cache_timeout=600
worker.ajp13.socket_keepalive=1
worker.ajp13.recycle_timeout=300
4. Enable SSL in your Apache/Tomcat configuration; for details, see other articles.
5. Enable mod_jk:
In your httpd.conf, add the following line:
Include conf/extra/mod_jk.conf
Then create a file "mod_jk.conf" in conf/extra/, including the following in it:
LoadModule jk_module modules/mod_jk.so
JkWorkersFile /opt/tomcat/conf/jk/workers.properties
JkLogFile /var/log/httpd/mod_jk.log
JkLogLevel emerg
JkMount /shibboleth-idp/* ajp13
JkMount /jsp-examples/* ajp13
# JkMount /cas/* ajp13
Make sure the directory for the log file already exists.
6. Start Tomcat5 first; after the auto-generated file is ready, start apache2. Then try to access
https://ktang.oerc.ox.ac.uk/jsp-examples
to test the setup.
7. To provide Kerberos user authentication for the Apache web server, mod_auth_kerb is required
(http://modauthkerb.sourceforge.net/install.html).
1) Assuming you already have a working Kerberos server, download the source code and untar it.
2) ./configure --prefix=/usr/local/mod_auth_krb5 --with-krb4=no --with-krb5=/usr/local/kerberos5/ --with-apache=/usr/local/apache2/
3) make
4) make install
5) Don't forget to load the newly installed module in your httpd.conf:
LoadModule auth_kerb_module modules/mod_auth_kerb.so
8. Auth_kerb_module Configuration & Test
First, create a service instance (and a user instance if you don't have one) in the KDC:
kadmin.local
ank -randkey HTTP/ktang.oerc.ox.ac.uk
ktadd -k /etc/keytabs/apache.HTTP.keytab HTTP/ktang.oerc.ox.ac.uk
It's recommended to keep the server key in a file separate from other keys, and to
make sure the file can be read by the Apache process!
Suppose we want the web resources in "shibboleth-idp/SSO" (/usr/local/tomcat/webapps/shibboleth-idp/SSO) to be protected by Kerberos, so that users are
required to authenticate with Kerberos when they try to access this directory.
The following is added to httpd.conf for this purpose:
<Location /shibboleth-idp/SSO>
AuthType Kerberos
AuthName "Kerberos Login"
KrbSaveCredentials On
KrbMethodK5Passwd On
KrbMethodNegotiate On
Krb5Keytab "/etc/keytabs/apache.HTTP.keytab"
KrbServiceName HTTP
KrbAuthoritative On
SSLVerifyClient none
require valid-user
</Location>
* Details of what these directives mean are available at http://modauthkerb.sourceforge.net/
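
A check for the Tomcat side of steps 2 and 8, added here as an example and not part of the original HOWTO: the Kerberos rule lives only in Apache, and tomcatAuthentication="false" makes Tomcat accept the user name forwarded over AJP, so any connector reachable from outside the host goes around the <Location> protection. The function names and both server.xml samples are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: step 2's server.xml with the edits forgotten
# (8080 connector still present, AJP connector without address=).
SAMPLE_BAD = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" />
  <Connector port="8009" protocol="AJP/1.3" enableLookups="false"
             redirectPort="443" tomcatAuthentication="false" />
</Service></Server>"""

# Constructed sample: server.xml as step 2 intends it.
SAMPLE_GOOD = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             enableLookups="false" redirectPort="443"
             tomcatAuthentication="false" />
</Service></Server>"""

def is_loopback(address):
    """True only for a literal loopback IP; no address means all interfaces."""
    if not address:
        return False
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # assumption: hostnames are treated as not loopback

def audit_server_xml(xml_text):
    """Return (port, finding) tuples for connectors reachable around Apache."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = conn.get("port", "?")
        is_ajp = conn.get("protocol", "HTTP/1.1").upper().startswith("AJP")
        if is_loopback(conn.get("address")):
            continue  # reachable only from the local host
        if not is_ajp:
            findings.append((port, "HTTP connector serves webapps without Apache's Kerberos check"))
        else:
            findings.append((port, "AJP connector listens on non-loopback interfaces"))
            if conn.get("tomcatAuthentication", "true").lower() == "false":
                findings.append((port, "tomcatAuthentication=false: user name from any AJP peer is trusted"))
    return findings

if __name__ == "__main__":
    for name, xml_text in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, audit_server_xml(xml_text) or "no findings")
```

To audit a real installation, pass the contents of tomcat5/conf/server.xml to audit_server_xml() before starting Tomcat in step 6.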