SiNotes-Grid

  • Tuesday, May 23, 2006


    Globus Toolkit 4 Installation on SL4

    Reference:
    http://www.globus.org/toolkit/docs/4.0/admin/docbook/ch04.html
    http://www-unix.globus.org/toolkit/docs/4.0/admin/docbook/ch03.html#s-platform-redhat
    http://www-unix.globus.org/toolkit/docs/4.0/security/myproxy/admin-index.html#s-myproxy-admin-installing
    http://gdp.globus.org/gt4-tutorial/singlehtml/progtutorial_0.2.1.html

    *N.B.* One thing that should be pointed out is that the installation procedure doesn't seem totally "standard". Normally you can use whatever user to "configure" and "make" the source code, and only su to root when you "make install". But the "make" in Globus Toolkit already starts to copy files to your installation directory!!! Make sure you have write access to it when you run "make"!

    1. ./configure --prefix=/usr/local/globus-4.0.2 --with-buildopts="--verbose"

    Monday, May 22, 2006


    WebAuth Installation & Configuration

    Suppose you already have

    1. Download the src from http://webauthv3.stanford.edu/download.html
    2. Configure the src using:
    ./configure --with-apache=/usr/local/apache20 --with-apxs=/usr/local/apache20/bin/apxs --with-kerberos=/usr/local/kerberos5 --with-ldap=/usr/local/openLDAP
    3. make
    4. make check
    5. make install

    *N.B.*
    1) If you don't specify the installation dir using --prefix, the shared lib files will be installed in /usr/local/lib.
    2) The kerberos and ldap config parameters are required for me, otherwise make can't find the appropriate lib files. After the installation, you may still find errors when apache tries to load mod_webauth.so, sth like "cant find libwebauth.so"; that's because mod_webauth depends on these lib files. You can copy them from /usr/local/lib/* and /usr/local/kerberos5/lib to "/usr/lib" or "httpd20/lib".
    3) If you see a "Segmentation fault" error when you try to start apache and it fails, make sure your apache process has write access to the keyring and other cache files defined in your mod_webauth.conf!! (Be sure to create the directory if you haven't!!) You can switch on debug for the webauth module in mod_webauth.conf and check httpd20/logs/error_log.
    4) If you can start apache but fail to access the desired webpage, check your httpd20/logs/ssl8080_error_log.
    5) If you see error messages like "fail to checking webAuth's certificate", it's because the webKDC is using a self-signed certificate (http://webauth.stanford.edu/manual/mod/mod_webauth.html). You can switch off the certificate checking during the test/development stage by using:
    WebAuthWebKdcSSLCertCheck off
    Or, you can also use
    WebAuthWebKdcSSLCertFile conf/webauth/webkdc.cert
    to specify the cert file.

    6) *IMPORTANT* When you start up apache as root, you can set the user & group you want the httpd process to run as in your httpd.conf. Actually in apache 2.0.58, it's set to "nobody" by default,
    which means the apache process might have difficulty reading your webKDC keytab file if it doesn't have the correct access rights. A recommended way is to modify your httpd.conf and change the default "nobody" user to the user who has read access to the webKDC keytab file.
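    Notes 2, 3 and 6 above can all be checked before apache is started. The following pre-flight script is an added example (my code, not part of WebAuth or of this post): it evaluates the keytab and keyring-directory permissions as the httpd User (e.g. "nobody") would see them, rather than as root, and runs ldd on mod_webauth.so to list libraries the loader cannot resolve. The keytab path /etc/keytabs/webkdc.keytab, the keyring directory and the module path in the main block are assumptions chosen to match the layout in this post.

```python
"""Pre-flight checks for the mod_webauth failures in notes 2, 3 and 6 (added example)."""
import grp, os, pwd, stat, subprocess

R_BIT, W_BIT = 4, 2  # bit values inside each rwx triplet of a Unix mode

def user_ids(username):
    """Return (uid, set of gids) the httpd worker runs with after dropping to User/Group."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return pw.pw_uid, gids

def mode_allows(st, uid, gids, bit):
    """Classic owner/group/other evaluation of a stat result for the given uid/gids."""
    if uid == 0:
        return True  # root bypasses the mode bits, which is why the problem only shows as "nobody"
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        return bool((mode >> 6) & bit)
    if st.st_gid in gids:
        return bool((mode >> 3) & bit)
    return bool(mode & bit)

def check_paths(uid, gids, keytab, keyring_dir):
    """Return a list of problems; empty means the httpd user can read/write what it needs."""
    problems = []
    if not os.path.exists(keytab):
        problems.append(f"{keytab}: missing")
    elif not mode_allows(os.stat(keytab), uid, gids, R_BIT):
        problems.append(f"{keytab}: not readable by uid {uid} (note 6: keytab)")
    if not os.path.isdir(keyring_dir):
        problems.append(f"{keyring_dir}: directory does not exist (note 3: create it)")
    elif not mode_allows(os.stat(keyring_dir), uid, gids, W_BIT):
        problems.append(f"{keyring_dir}: not writable by uid {uid} (note 3: segfault at startup)")
    return problems

def unresolved_libs(module_path):
    """Run ldd on mod_webauth.so and list shared objects the loader cannot find (note 2)."""
    out = subprocess.run(["ldd", module_path], capture_output=True, text=True).stdout
    return [line.split()[0] for line in out.splitlines() if "not found" in line]

if __name__ == "__main__":  # the paths below are assumptions matching the post's layout
    uid, gids = user_ids("nobody")
    for p in check_paths(uid, gids, "/etc/keytabs/webkdc.keytab", "/usr/local/apache20/webauth"):
        print(p)
    for lib in unresolved_libs("/usr/local/apache20/modules/mod_webauth.so"):
        print(f"mod_webauth.so needs {lib}: copy it to /usr/lib or httpd20/lib (note 2)")
```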



    The minimal configuration of webAuth with a detailed explanation can be learned from:
    http://webauth.stanford.edu/conf-basic.html

    An Oxford-specific configuration is available at:
    http://www.oucs.ox.ac.uk/webauth/index.xml?style=printable

    Thursday, May 18, 2006


    Use mod_proxy to connect Apache 2.0 and Tomcat

    Referenced instructions:
    http://tomcat.apache.org/tomcat-4.1-doc/proxy-howto.html

    1. Make sure you have already configured apache with the "--enable-proxy --enable-proxy-http" parameters.
    2. If you have done step 1, apache 2.0.58 will automatically load mod_proxy for you at startup (if not, load mod_proxy in your httpd.conf).
    3. In the <Location> block of httpd.conf which you want to be forwarded to tomcat, add two lines:
    ProxyPass http://ktang.oerc.ox.ac.uk:8081/shibboleth2/sample.jsp
    ProxyPassReverse http://ktang.oerc.ox.ac.uk:8081/shibboleth2/sample.jsp

    *N.B.* Use "http" or "https" appropriately. In my case, tomcat and apache reside on the same machine, so I chose to let tomcat listen on port 8081 without enabling ssl.

    4. In the server.xml of your tomcat, add an http connector. You don't have to remove your existing AJP13 connector if you have one. They can function simultaneously, each serving some of your web applications. Just put your new connector under the same "Service" element as your AJP connector:

    <Connector port="8081" className="org.apache.catalina.connector.http.HttpConnector"
    maxHttpHeaderSize="81920" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" redirectPort="443" acceptCount="100"
    connectionTimeout="20000" disableUploadTimeout="true"
    proxyName="ktang.oerc.ox.ac.uk"
    proxyPort="8080"/>

    *N.B.* There's an attribute used to limit the max header size; the default is also around 8K!! (just like AJP13). The only reason I changed to mod_proxy from AJP13 is to forward a bigger HTTP header size (packet), therefore change this value if you need to.

    5. Make sure to use a filter/firewall/whatever to restrict access to your tomcat server's 8081 port for security considerations.

    Tuesday, May 09, 2006


    Installation and configuration of idP

    After the configuration of idP, use following command to test it:

    ./resolvertest --idpXml=file:///usr/local/shibboleth-idp/etc/idp.xml --requester=https://ktang.oerc.ox.ac.uk/shibboleth --user=David.Wallom



    * Sometimes you may find tomcat has a problem loading the IdP servlet; some information like
    "Idp servlet is not available" will be displayed when the user's browser is directed to the idp.
    Make sure you start the tomcat process as root, otherwise some privilege issues might be the reason!!

    * Some code of Shibboleth-idp needs to be modified before installation, otherwise.........

    Monday, May 08, 2006


    Installation & configuration of SP under EL4

    Reference:
    http://www.switch.ch/aai/docs/shibboleth/SWITCH/1.3/sp/install-sp-1.3-debian.html
    https://authdev.it.ohio-state.edu/twiki/bin/view/Shibboleth/LinuxNotes

    N.B. Shibboleth 1.3 (SP) requires apache 2.0.x; compile errors will occur if using apache 2.2.x!!!

    1) OpenSSL
    not needed, just use what comes with your Linux
    2) libcurl
    (Downloaded from http://curl.haxx.se/libcurl)
    usually not needed, or use ./configure --disable-static --without-ca-bundle --enable-thread --prefix=/usr/local/shibboleth-sp
    3) log4cpp
    (*Must* download from http://shibboleth.internet2.edu/downloads/log4cpp-0.3.5rc1.tar.gz)
    ./configure --disable-static --disable-doxygen --prefix=/usr/local/shibboleth-sp
    4) Xerces-C
    (*Must* download from
    http://shibboleth.internet2.edu/downloads/xerces-c-src_2_6_1.tar.gz)
    (*Must* export XERCESCROOT=/home/synew/download/shibboleth-sp/xerces-c-src_2_6_1)
    ./runConfigure -p linux -c gcc -x g++ -r pthread -b 32 -P /usr/local/shibboleth-sp
    5) XML-Security-C
    (*Must* download from
    http://xml.apache.org/dist/security/c-library/xml-security-c-1.2.1.tar.gz)
    (*Must* export XERCESCROOT=/home/synew/download/shibboleth-sp/xerces-c-src_2_6_1)
    ./configure --without-xalan --prefix=/usr/local/shibboleth-sp
    6) OpenSAML
    (*Must* download from
    http://shibboleth.internet2.edu/downloads/opensaml-1.1a.tar.gz)

    ./configure --with-curl=/usr/local/shibboleth-sp --with-log4cpp=/usr/local/shibboleth-sp --prefix=/usr/local/shibboleth-sp -C
    7) Build shibboleth 1.3:
    ./configure --with-saml=/usr/local/shibboleth-sp --with-log4cpp=/usr/local/shibboleth-sp --enable-apache-20 --with-apxs2=/usr/local/apache20/bin/apxs --with-apr=/usr/local/apache20/bin/apr-config --prefix=/usr/local/shibboleth-sp -C

    #########Post Configuration of SP #################################
    Ref: https://authdev.it.ohio-state.edu/twiki/bin/view/Shibboleth/SPApacheConfiguration

    Suppose apache 2.0.x with mod_ssl is already successfully installed in /usr/local/apache20

    1) Add the following line to the end of /usr/local/apache20/conf/httpd.conf (*Not* in any VirtualHost!!):
    Include /usr/local/shibboleth-sp/etc/shibboleth/apache2.config

    2) In /usr/local/apache20/conf/httpd.conf, set:
    UseCanonicalName on
    And uncomment ServerName:
    ServerName ktang.oerc.ox.ac.uk:8080


    3) To start the shibboleth daemon, use
    /usr/local/shibboleth-sp/sbin/shibd &



    Thursday, May 04, 2006


    SPIE

    Is the LDAP server dedicatedly created for the SPIE project and maintained by SPIEs?
    If yes, how did they populate the LDAP server?
    To be authenticated through webAuth is not hard, and if we don't have access to the central LDAP
    directory (if we have one), I would like to create one myself for testing purposes.

    Then there's no point using the idP from SPIE; creating my own will be more flexible.

    Q: When users are redirected to the SSO handler for authentication, a handle will be generated and sent to the SP within a SAML assertion. Then the SP daemon uses this handle as a temporary reference to
    query the attributes from the AA handler of the idP. The question is, the SSO authZ is performed through the Kerberos database, while attributes are stored in the LDAP directory; how can the handler map them together so that we can find the desired attributes for the right person?

    Tuesday, May 02, 2006


    Prepare Tomcat/mod_jk for shibboleth idP 1.3

    HOWTO use JK 1.2.15 to connect Tomcat 5.5 and Apache 2.2

    1. Set up Apache 2.2, Tomcat 5.5 and JK 1.2.15 separately, following the instructions in
    http://johnturner.com/howto/apache2-tomcat4127-jk-rh9-howto.html

    a. install apache
    b. install tomcat5.5
    c. install mod_jk
    a) download the src code of mod_jk 1.2.15 from:
    http://apache.rmplc.co.uk/tomcat/tomcat-connectors/jk/source/jk-1.2.15/jakarta-tomcat-connectors-1.2.15-src.tar.gz
    b) cd jakarta-tomcat-connectors-1.2.15-src/jk/native
    c) ./buildconf.sh
    d) ./configure --with-apxs=/usr/local/apache/bin/apxs
    e) make
    f) make install
    Check apache2/modules; you should see mod_jk.so with mode 755 in this directory now.
    2. In tomcat5/conf/,
    mv server-minimal.xml server.xml
    then edit server.xml:
    delete the line beginning with:
    <Connector port="8080"
    And change the port 8009 line to:
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
    enableLookups="false" redirectPort="443"
    tomcatAuthentication="false" />
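    The address="127.0.0.1" above is what keeps the AJP port reachable only from Apache on the same host; the HTTP connector on port 8081 in the May 18 mod_proxy post has no such attribute and relies on a firewall instead. The following audit is an added example (my code, not from this post or from Tomcat) that reads a server.xml and flags connectors not bound to loopback, plus HTTP connectors whose maxHttpHeaderSize is below the size you need; it serves both that post and step 2 here. The sample server.xml and the host name idp.example.org are constructed.

```python
"""Audit Tomcat connectors that sit behind Apache (mod_proxy or mod_jk); added example."""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed sample: the HTTP connector from the mod_proxy post (no address attribute,
# so it listens on every interface) next to the loopback-only AJP connector from step 2.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8081" maxHttpHeaderSize="81920" proxyName="idp.example.org" proxyPort="8080"/>
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" enableLookups="false"
             redirectPort="443" tomcatAuthentication="false"/>
</Service></Server>"""


def audit_connectors(server_xml, min_header_bytes):
    """Return one finding per connector that other hosts can reach, or (HTTP only) that
    cannot carry headers of min_header_bytes, the size the post raised maxHttpHeaderSize to."""
    findings = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        port, addr = c.get("port"), c.get("address")
        proto = c.get("protocol", "HTTP/1.1")  # Tomcat treats a missing protocol as HTTP/1.1
        if addr not in LOOPBACK:
            findings.append(f"port {port} ({proto}): bound to {addr or 'all interfaces'}; "
                            "only Apache on this host should reach it (bind 127.0.0.1 or filter it)")
        if proto.startswith("AJP"):
            continue  # AJP13 packet size is fixed (about 8K per the post); nothing to tune here
        raw = c.get("maxHttpHeaderSize")
        if raw is None:
            findings.append(f"port {port}: maxHttpHeaderSize not set, the server default applies")
        elif int(raw) < min_header_bytes:
            findings.append(f"port {port}: maxHttpHeaderSize={raw} < {min_header_bytes}, "
                            "bigger headers (the reason the post moved to mod_proxy) will be rejected")
    return findings


if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML, 81920):
        print(finding)
```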


    3. Create a file "workers.properties" in /opt/tomcat/conf/jk/ and include the following in it:
    # /etc/tomcat/workers.properties
    # define a worker using ajp13
    worker.list=ajp13
    worker.ajp13.type=ajp13
    worker.ajp13.host=localhost
    worker.ajp13.port=8009
    worker.ajp13.lbfactor=50
    worker.ajp13.cachesize=10
    worker.ajp13.cache_timeout=600
    worker.ajp13.socket_keepalive=1
    worker.ajp13.recycle_timeout=300

    4. Enable ssl in your apache/tomcat configuration; for details see other articles.

    5. Enable mod_jk:
    In your httpd.conf, add the following line:
    Include conf/extra/mod_jk.conf
    Then create a file "mod_jk.conf" in conf/extra/, including the following in it:
    LoadModule jk_module modules/mod_jk.so

    JkWorkersFile /opt/tomcat/conf/jk/workers.properties
    JkLogFile /var/log/httpd/mod_jk.log
    JkLogLevel emerg
    JkMount /shibboleth-idp/* ajp13
    JkMount /jsp-examples/* ajp13
    # JkMount /cas/* ajp13

    Make sure the directory for the log file already exists.

    6. Start Tomcat5 first; after the auto-generated file is ready, start apache2. Then try to access
    https://ktang.oerc.ox.ac.uk/jsp-examples
    to test the setup.

    7. To provide kerberos user authentication to the apache web server, mod_auth_kerb is required
    (http://modauthkerb.sourceforge.net/install.html).
    1) Suppose you already have a working kerberos server; download the source code and untar it.
    2) ./configure --prefix=/usr/local/mod_auth_krb5 --with-krb4=no --with-krb5=/usr/local/kerberos5/ --with-apache=/usr/local/apache2/
    3) make
    4) make install
    5) Don't forget to load the newly installed module in your httpd.conf!
    LoadModule auth_kerb_module modules/mod_auth_kerb.so

    8. Auth_kerb_module Configuration & Test
    Firstly, create a service instance (and a user instance if you don't have one) in the KDC:
    kadmin.local
    ank -randkey HTTP/ktang.oerc.ox.ac.uk
    ktadd -k /etc/keytabs/apache.HTTP.keytab HTTP/ktang.oerc.ox.ac.uk
    It's recommended to put the server key in a separate file from other keys, and
    make sure the file can be read by the apache process!!

    Suppose we want to set the web resources in "shibboleth-idp/SSO" (/usr/local/tomcat/webapps/shibboleth-idp/SSO) to be protected by kerberos. Users are
    required to authenticate by kerberos when they try to access this dir.
    The following is added to httpd.conf for this purpose:

    <Location /shibboleth-idp/SSO>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbSaveCredentials On
    KrbMethodK5Passwd On
    KrbMethodNegotiate On
    Krb5Keytab "/etc/keytabs/apache.HTTP.keytab"
    KrbServiceName HTTP
    KrbAuthoritative On
    SSLVerifyClient none
    require valid-user
    </Location>

    *Detailed information is available at http://modauthkerb.sourceforge.net/




