Transcript Shibboleth: Installation and Deployment

Shibboleth: Installation and Deployment
Scott Cantor ([email protected])
July 29, 2002
Installation: Packaging
Alpha 1 and 2 are binary distributions.
Source was made public in late July:
http://middleware.internet2.edu/opensaml/cvs.html
Alpha 2.5 will probably be binary with source.
Beta 1 should support “./configure; make; make
install” for autoconf platforms and Visual Studio
on Windows.
Even with better packaging, manual installation
of servlets and Apache modules will be needed.
2
Installation: General
Solaris 2.x and Linux
Current Basic Requirements:
Apache 1.3.26, mod_ssl 2.8.10, OpenSSL 0.9.6, Sun
JDK 1.3.1, Jakarta Tomcat 3.3.1
Binaries distributed as a tarball:
$ cd /usr/local
$ tar xvfz shib_alpha2_linux_rh72.tar.gz
Deploy Guide:
http://middleware.internet2.edu/shibboleth/docs/DeployGuide-alpha2.txt
3
Installation: General
Both origins and targets need:
• SSL-enabled Apache server, equipped with a
certificate signed by a club-approved CA
• Jakarta Tomcat servlet engine with AJP 1.3 connector
(mod_jk)
All the servlets are packaged together in a
single deployment archive (shibboleth.war)
that can be copied into tomcat/webapps,
auto-expanded, and configured
4
Installation: Origin Site
Install additional supporting components:
• User handles can be stored in-memory or in MySQL
• User attributes can be accessed in LDAP or a
restricted set (EPPN and affiliation=member) can be
“echoed” by the AA
Back-end interfaces will be refined over time
to simplify pluggable implementations, and
use standard Java APIs like JNDI when
possible
5
Deployment: Origin Site
Choose a name for your site, probably
your best known top-level domain.
This name will be part of your club
application and is configured into the HS
and AA servlets (web.xml).
Special Note: Alpha-2 targets will reject
attributes like EPPN if the “scope” doesn’t
match the site name. This will be more
flexible later.
6
Deployment: Origin Site
PKI Requirements
The web server’s SSL certificate will protect both
the HS and AA servlets.
The AA servlet path is configured to support
client certificate authentication:
<Location "/shibboleth/AA">
SSLVerifyClient optional
SSLOptions +ExportCertData
</Location>
The allowable client CAs are specified:
SSLCACertificateFile /usr/local/shib/etc/ca-bundle.crt
7
Deployment: Origin Site
PKI Requirements
The HS servlet must digitally sign its messages
using a key and certificate valid for digital signature
creation, signed by a club-approved CA.
Alpha-2 uses a Java keystore, which allows selfgeneration of a key and certificate request with the
keytool command (see deploy guide).
The hostname of your HS is the first field in the
certificate request.
Using the SSL server key is possible, but requires
some custom Java code to import/export a private
key.
8
Deployment: Origin Site
Club Application
Target sites are given a “registry” of trusted
origin sites to protect them from rogue users.
Once names are chosen, provide the
following in an e-mail (address in deploy
guide):
• Site Name
• Complete Handle Service servlet URL
• The HS hostname (went into the certificate CN)
• Aliases/shorthand for your institution (used by WAYF)
9
Shibbolization Cookbook for
Origin Sites
•Apply to the club as an origin site
• currently an e-mail message with basic site information
•Choose any web server that can host Java
Servlet and JSP applications via Tomcat
•Deploy a HS behind web initial sign-on
• requires a club-trusted certificate usable for signing
• web server must also use SSL if handling passwords
• can store handles in-memory or in MySQL
• beta version should use a “handle in cookie” design
10
Shibbolization Cookbook for
Origin Sites
•Deploy an AA in conjunction with the HS
• supports two attribute “contexts”, LDAP and Echo
•Install AA plugins for attributes (Java API)
• preconfigured with classes for eduPerson attributes
•Establish default ARPs for community
• alpha-2 comes preconfigured to release everything,
hides ARP tools
• alpha-2.5 expected to begin exposing ARP interface
• early GUI development beginning
11
Shibbolization Cookbook for
Destination Sites
•Choose any web server (as long as it’s
Apache 1.3.x, but others to follow)
•Equip it with the SHIRE and SHAR modules
• SHIRE is a Java servlet for the time being, so Tomcat is
required
• SHAR/RM are combined into mod_shib
• Install SHAR plugins for attributes (C++ API)
• mod_eduPerson provided
12
RM and Application Integration
mod_shib currently provides flexible
.htaccess processing.
Attributes can be mapped to Require
rules and to HTTP headers, including
REMOTE_USER.
Existing basic-auth sites can be
“hijacked” to use Shibboleth.
13
Existing Applications
(from most to least integrated)
•Shibbolize the application and unify
intra-campus and inter-campus users
•Add a second URL tree for intercampus users
•Use a Shibbolized proxy server
(The latter two might also require code
changes or attribute mapping. This is all
much simpler for static content.)
14