IdP3 on FreeBSD 10.1
====================

General notes for FreeBSD 10.1:
- (Re)start Apache / Tomcat via rc.d: /usr/local/etc/rc.d/apache24 start|stop|restart (likewise .../rc.d/tomcat8)
- Apache and Tomcat run as user:group www:www

pkg update -f
...
pkg install apache24-2.4.12
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
Updating database digests format: 100%
The following 9 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        apache24: 2.4.12
        expat: 2.1.0_2
        perl5: 5.20.2_4
        pcre: 8.37_1
        apr: 1.5.2.1.5.4
        gdbm: 1.11_2
        indexinfo: 0.2.3
        gettext-runtime: 0.19.4
        db5: 5.3.28_2

The process will require 130 MiB more space.
31 MiB to be downloaded.

Proceed with this action? [y/N]: y
...
vi /etc/rc.conf
apache24_enable="yes"
hostname="idp.uni.de"
...
# Start Apache for the first time
/usr/local/etc/rc.d/apache24 onestart
...
vi httpd.conf
# the following changes:
###
#Listen 80
LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
LoadModule ssl_module libexec/apache24/mod_ssl.so
LoadModule proxy_module libexec/apache24/mod_proxy.so
LoadModule proxy_ajp_module libexec/apache24/mod_proxy_ajp.so
ServerName idp.uni.de
#<Directory />
#    AllowOverride none
#    Require all denied
#</Directory>
#CustomLog "/var/log/httpd-access.log" common
#Include etc/apache24/extra/httpd-ssl.conf

Notes on these httpd.conf changes:
- With Listen 80 commented out here, the *:80 redirect vhost below only answers if a Listen 80 is provided elsewhere; check the bound ports with sockstat -4l after the restart.
- The commented-out <Directory /> block is Apache's default deny for the whole filesystem. Keep it active: it does not affect the AJP proxy, which is matched by <Location>, and it is what stops a DocumentRoot or Alias mistake from exposing local files.

Create the vhost in a separate include file:

$ cat /usr/local/etc/apache24/Includes/idp-vhost.conf
SSLStaplingCache shmcb:/tmp/stapling_cache(102400)

<VirtualHost *:80>
    ServerName idp.uni.de:80
    RedirectMatch permanent ^/(.*)$ https://idp.uni.de/$1
</VirtualHost>

################################################
#
# SingleSignOnService on port 443
#
Listen xxx.xxx.xxx.xxx:443
<VirtualHost xxx.xxx.xxx.xxx:443>
    ServerName idp.uni.de:443
    Header add Strict-Transport-Security "max-age=15768000"
    SSLEngine on
    SSLCertificateFile    /usr/local/etc/ssl/idp_cert.pem
    SSLCertificateKeyFile /usr/local/etc/ssl/idp_privkey.pem
    SSLCACertificateFile  /usr/local/etc/ssl/dfn_global_chain.pem
    AddDefaultCharset UTF-8
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!PSK:!DSS:!SEED:!ECDSA:!CAMELLIA'
    SSLUseStapling on
    SSLStaplingReturnResponderErrors off
    # inside <Location>, ProxyPass takes only the backend URL
    <Location /idp>
        Require all granted
        ProxyPass ajp://localhost:8009/idp
    </Location>
    Header always append X-FRAME-OPTIONS "DENY"
</VirtualHost>

################################################
#
# ArtifactResolutionService and AttributeService
#
# https://idp.beispiel-uni.de:8443/idp/profile/SAML2/SOAP/ArtifactResolution
# https://idp.beispiel-uni.de:8443/idp/profile/SAML1/SOAP/ArtifactResolution
#
# https://idp.beispiel-uni.de:8443/idp/profile/SAML2/SOAP/AttributeQuery
# https://idp.beispiel-uni.de:8443/idp/profile/SAML1/SOAP/AttributeQuery
#
Listen xxx.xxx.xxx.xxx:8443
#Listen [IDP-IPV6-ADDRESS]:8443
<VirtualHost xxx.xxx.xxx.xxx:8443>
    ServerName idp.uni.de:8443
    Header add Strict-Transport-Security "max-age=15768000"
    SSLEngine on
    SSLCertificateFile    /usr/local/etc/ssl/idp_cert.pem
    SSLCertificateKeyFile /usr/local/etc/ssl/idp_privkey.pem
    SSLCACertificateFile  /usr/local/etc/ssl/dfn_global_chain.pem
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!PSK:!DSS:!SEED:!ECDSA:!CAMELLIA'
    SSLVerifyClient optional_no_ca
    SSLVerifyDepth 10
    SSLOptions +StdEnvVars +ExportCertData
    SSLUseStapling on
    SSLStaplingReturnResponderErrors off
    <Location /idp>
        Require all granted
        ProxyPass ajp://localhost:8009/idp
    </Location>
</VirtualHost>

Notes on the vhost file:
- "Header add" is only applied to successful responses and can produce duplicate headers; "Header always set Strict-Transport-Security ..." also covers redirects and error pages.
- The three *+3DES entries keep a 64-bit block cipher in the list for old clients (Sweet32); drop them unless such clients are actually needed.
- dfn_global_chain.pem is loaded as a client-CA file. On 443 no client certificates are requested, and the intermediate chain only reaches browsers because OpenSSL builds it from that trust store; since Apache 2.4.8 the chain can be appended to idp_cert.pem after the server certificate, which makes this explicit.
- SSLVerifyClient optional_no_ca on 8443 makes Apache accept any client certificate; with SSLOptions +ExportCertData it is forwarded over AJP and the IdP validates it against the SP's metadata. Nothing else on 8443 may treat that certificate as trusted.
- ProxyPass ajp://localhost:8009 requires that Tomcat's AJP connector listens on 127.0.0.1 only and that Tomcat's own HTTP connector on 8080 is disabled or firewalled. Whoever can reach the AJP port directly sets the request attributes, including the forwarded client certificate, themselves.

...
# Remove the passphrase from the private key (otherwise httpd prompts for it at every start):
openssl rsa -in privkey.pem -out idp_privkey.pem
Enter pass phrase for privkey.pem:
writing RSA key
...
The unencrypted idp_privkey.pem must be owned by root with mode 0600; httpd reads it while still running as root, before it drops to www.

/usr/local/etc/rc.d/apache24 restart
Performing sanity check on apache24 configuration:
Syntax OK
Stopping apache24.
Waiting for PIDS: 76559.
Performing sanity check on apache24 configuration:
Syntax OK
Starting apache24.
...
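The following script is an added example and not part of the original notes or of the DFN/Shibboleth documentation. It is a static audit, run with /bin/sh, of a vhost include such as /usr/local/etc/apache24/Includes/idp-vhost.conf for the points made above: SSLv3 excluded, server-side cipher order, RC4 out and 3DES flagged, HSTS and X-Frame-Options present, OCSP stapling on, the optional_no_ca pass-through noted, and the file mode of every SSLCertificateKeyFile once its passphrase has been removed. The file name audit-tls.sh is an assumption; the only dependencies are grep, awk, tr, cut and ls.

```sh
#!/bin/sh
# Added example (not from the original notes): static audit of an Apache 2.4
# TLS vhost file for the hardening points discussed above.
# Usage: sh audit-tls.sh /usr/local/etc/apache24/Includes/idp-vhost.conf

# audit_tls_conf FILE
# Prints one line per check: "OK   ...", "WARN ..." or "INFO ...".
audit_tls_conf() {
    f="$1"

    # 1. Protocol versions: SSLv3 has to be excluded explicitly (POODLE).
    proto=$(grep -Ei '^[[:space:]]*SSLProtocol[[:space:]]' "$f" | head -n 1)
    case "$proto" in
        "")       echo "WARN no SSLProtocol directive; set 'All -SSLv2 -SSLv3'" ;;
        *-SSLv3*) echo "OK   SSLv3 excluded ($proto)" ;;
        *[Aa]ll*) echo "WARN SSLProtocol allows SSLv3 ($proto)" ;;
        *)        echo "OK   explicit protocol list ($proto)" ;;
    esac

    # 2. The server, not the client, must pick the cipher.
    if grep -Eiq '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+on' "$f"; then
        echo "OK   SSLHonorCipherOrder on"
    else
        echo "WARN SSLHonorCipherOrder missing or off"
    fi

    # 3. Cipher list: RC4 must be excluded; 3DES is a 64-bit block cipher (Sweet32).
    #    The list is split on ':' so that '!RC4' and 'ECDH+3DES' are seen as tokens.
    ciphers=$(grep -Ei '^[[:space:]]*SSLCipherSuite[[:space:]]' "$f" | head -n 1)
    if [ -z "$ciphers" ]; then
        echo "WARN no SSLCipherSuite directive (Apache default list in use)"
    else
        if printf '%s\n' "$ciphers" | tr ':' '\n' | grep -q '^!RC4'; then
            echo "OK   RC4 excluded"
        else
            echo "WARN RC4 not excluded (add !RC4)"
        fi
        if printf '%s\n' "$ciphers" | tr ':' '\n' | grep -Eq '^[^!].*3DES'; then
            echo "WARN 3DES still enabled (64-bit block cipher); drop the *+3DES entries"
        else
            echo "OK   no 3DES"
        fi
    fi

    # 4. HSTS and clickjacking protection.
    if grep -q 'Strict-Transport-Security' "$f"; then
        echo "OK   HSTS header set"
    else
        echo "WARN no Strict-Transport-Security header"
    fi
    if grep -iq 'X-Frame-Options' "$f"; then
        echo "OK   X-Frame-Options set"
    else
        echo "WARN no X-Frame-Options header"
    fi

    # 5. OCSP stapling.
    if grep -Eiq '^[[:space:]]*SSLUseStapling[[:space:]]+on' "$f"; then
        echo "OK   OCSP stapling on"
    else
        echo "WARN SSLUseStapling off or missing"
    fi

    # 6. optional_no_ca hands unverified client certificates to the backend:
    #    acceptable only on the SAML back channel, where the IdP checks them
    #    against SP metadata.
    if grep -Eiq '^[[:space:]]*SSLVerifyClient[[:space:]]+optional_no_ca' "$f"; then
        echo "INFO SSLVerifyClient optional_no_ca: backend must validate client certs"
    fi

    # 7. Every referenced private key: once the passphrase is gone the file must
    #    not be group- or world-readable (httpd reads it as root at start-up).
    grep -Ei '^[[:space:]]*SSLCertificateKeyFile[[:space:]]' "$f" | awk '{print $2}' | sort -u |
    while read -r k; do
        if [ ! -f "$k" ]; then
            echo "INFO key $k not present on this host, skipped"
            continue
        fi
        # columns 5-10 of 'ls -l' are the group and other permission bits
        if ls -ld "$k" | cut -c5-10 | grep -q 'r'; then
            echo "WARN key $k readable by group or others (chmod 600, owner root)"
        else
            echo "OK   key $k readable by owner only"
        fi
        if grep -q 'ENCRYPTED' "$k"; then
            echo "INFO key $k is still passphrase protected; httpd will prompt at start"
        fi
    done
    return 0
}

# count_tls_warnings FILE -> number of WARN lines, for scripting and tests
count_tls_warnings() {
    audit_tls_conf "$1" | awk '/^WARN/ { n++ } END { print n + 0 }'
}

if [ $# -ge 1 ]; then
    audit_tls_conf "$1"
fi
```

Run it after every change and before the restart. Against the 443 vhost above it reports one WARN for the three *+3DES entries, plus a second one if idp_privkey.pem is still readable by anyone but its owner.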
# Install Tomcat 8 and OpenJDK 7
pkg install tomcat8-8.0.18
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
The following 33 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        tomcat8: 8.0.18
        openjdk: 7.80.15,1
        libXtst: 1.2.2_3
        recordproto: 1.14.2
        libXi: 1.7.4_1,1
        xproto: 7.0.27
        libXfixes: 5.0.1_3
        libX11: 1.6.2_3,1
        libxcb: 1.11_1
        libXdmcp: 1.1.2
        libXau: 1.0.8_3
        libxml2: 2.9.2_2
        libpthread-stubs: 0.3_6
        kbproto: 1.0.6
        fixesproto: 5.0
        libXext: 1.3.3_1,1
        xextproto: 7.3.0
        inputproto: 2.3.1
        libXrender: 0.9.8_3
        renderproto: 0.11.1
        libXt: 1.1.4_3,1
        libSM: 1.2.2_3,1
        libICE: 1.0.9_1,1
        fontconfig: 2.11.1,1
        freetype2: 2.5.5
        dejavu: 2.35
        mkfontscale: 1.1.2
        libfontenc: 1.1.2_3
        mkfontdir: 1.0.7
        javavmwrapper: 2.5
        java-zoneinfo: 2015.e_1
        alsa-lib: 1.0.29
        jakarta-commons-daemon: 1.0.15

The process will require 201 MiB more space.
65 MiB to be downloaded.

Proceed with this action? [y/N]: y
...
Message for dejavu-2.35:
Make sure that the freetype module is loaded. If it is not, add the following
line to the "Modules" section of your X Windows configuration file:

        Load "freetype"

Add the following line to the "Files" section of X Windows configuration file:

        FontPath "/usr/local/share/fonts/dejavu/"

Note: your X Windows configuration file is typically /etc/X11/XF86Config
if you are using XFree86, and /etc/X11/xorg.conf if you are using X.Org.

Message for openjdk-7.80.15,1:
======================================================================
This OpenJDK implementation requires fdescfs(5) mounted on /dev/fd and
procfs(5) mounted on /proc for some functionality. If you have not done
it yet, please do the following:

        mount -t fdescfs fdesc /dev/fd
        mount -t procfs proc /proc

To make it permanent, you need the following lines in /etc/fstab:

        fdesc   /dev/fd         fdescfs         rw      0       0
        proc    /proc           procfs          rw      0       0
======================================================================
...
# Install JCE
pkg install cryptix-jce-20050328_2
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        cryptix-jce: 20050328_2

The process will require 474 KiB more space.
426 KiB to be downloaded.

Proceed with this action? [y/N]: y
...
Cryptix JCE is a provider from 2005 that is no longer maintained. OpenJDK ships without the export-restricted JCE policy files, and the IdP bundles the Bouncy Castle provider in its WAR, so check whether this package is needed at all before leaving it on the classpath.

# Install MySQL
pkg install mysql56-server-5.6.24 mysql56-client-5.6.24_1
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
The following 3 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        mysql56-server: 5.6.24
        mysql56-client: 5.6.24_1
        libedit: 3.1.20150325_1

The process will require 129 MiB more space.
10 MiB to be downloaded.

Proceed with this action? [y/N]: y
Message for mysql56-server-5.6.24:
************************************************************************
Remember to run mysql_upgrade the first time you start the MySQL server
after an upgrade from an earlier version.
************************************************************************
...
vi /etc/rc.conf
mysql_enable="YES"
...
# Install wget
pkg install wget-1.16.3
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
The following 2 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        wget: 1.16.3
        libidn: 1.29

The process will require 3 MiB more space.
709 KiB to be downloaded.

Proceed with this action? [y/N]: y
...
# Install openssl
pkg install openssl-1.0.2_3
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        openssl: 1.0.2_3

The process will require 11 MiB more space.
3 MiB to be downloaded.

Proceed with this action? [y/N]: y
Message for openssl-1.0.2_3:
Copy /usr/local/openssl/openssl.cnf.sample to /usr/local/openssl/openssl.cnf
and edit it to fit your needs.
...
# Fetch the IdP3 version 3.1.2 sources for a later update
wget http://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-3.1.2.tar.gz
gzip -d shibb...
tar xf shibb...
...
# Install bash (install.sh needs it)
pkg install bash-4.3.39
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        bash: 4.3.39

The process will require 7 MiB more space.
1 MiB to be downloaded.

Proceed with this action? [y/N]: y
...
# Fix the bash path in install.sh (there is no /bin/bash on FreeBSD)
view ./install.sh
###
#! /usr/local/bin/bash
...
# Set JAVA_HOME (csh syntax, root's default shell on FreeBSD; in sh: export JAVA_HOME=/usr/local/)
setenv JAVA_HOME /usr/local/
...
# Install IdP3:
cd /usr/local/shibboleth-identity-provider-3.1.1/bin
./install.sh
Source (Distribution) Directory: [/usr/local/shibboleth-identity-provider-3.1.1]
Installation Directory: [/opt/shibboleth-idp] /usr/local/shibboleth-idp
Hostname: [idp.uni.de]
SAML EntityID: [https://idp.uni.de/idp/shibboleth]
Attribute Scope: [uni.de]
TLS Private Key Password:
Re-enter password:
Cookie Encryption Key Password:
Re-enter password:
Warning: /usr/local/shibboleth-idp/bin does not exist.
Warning: /usr/local/shibboleth-idp/dist does not exist.
Warning: /usr/local/shibboleth-idp/doc does not exist.
Warning: /usr/local/shibboleth-idp/system does not exist.
Warning: /usr/local/shibboleth-idp/webapp does not exist.
Generating Signing Key, CN = idp.uni.de URI = https://idp.uni.de/idp/shibboleth ...
...done
Creating Encryption Key, CN = idp.uni.de URI = https://idp.uni.de/idp/shibboleth ...
...done
Creating TLS keystore, CN = idp.uni.de URI = https://idp.uni.de/idp/shibboleth ...
...done
Creating cookie encryption key files...
...done
Rebuilding /usr/local/shibboleth-idp/war/idp.war ...
...done

BUILD SUCCESSFUL
Total time: 5 minutes 53 seconds
...
# Set permissions (the IdP was installed to /usr/local/shibboleth-idp, not to the default /opt)
cd /usr/local/shibboleth-idp
chown -R www metadata logs
chgrp -R www conf
chmod -R g+r conf
chown www credentials/sealer.*
...
Tomcat (www) writes logs/ and metadata/, reads conf/, and has to own the sealer keystore so that key rotation can rewrite it. The remaining files in credentials/ (signing and encryption keys, the back-channel PKCS#12) must stay readable by www but by nobody else, and conf/ holds idp.properties and ldap.properties with passwords in them, so it should not be world-readable either.

# Install mysql-connector-java
pkg install mysql-connector-java-5.1.35
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
The following 2 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        mysql-connector-java: 5.1.35
        log4j: 1.2.17

The process will require 30 MiB more space.
3 MiB to be downloaded.

Proceed with this action? [y/N]: y
...
# Download the JAR for the JSP Standard Tag Library (JSTL), needed by the IdP's JSP views, and put it into Tomcat's lib/
cd /usr/local/apache-tomcat-8.0/lib/
wget https://build.shibboleth.net/nexus/service/local/repositories/thirdparty/content/javax/servlet/jstl/1.2/jstl-1.2.jar --no-check-certificate
...
--no-check-certificate switches off TLS verification for a library that ends up on Tomcat's classpath. Install security/ca_root_nss so wget can verify the certificate instead, or at least compare the checksum of the downloaded JAR against the one published for it.

- Tomcat start parameters: the tomcat8 rc script reads tomcat8_java_opts, so set it in /etc/rc.conf rather than editing /usr/local/etc/rc.d/tomcat8, which pkg overwrites on upgrade:
..
tomcat8_java_opts="-Djava.awt.headless=true -Xms1024m -Xmx6144m -XX:MaxPermSize=1024m -Didp.home=/usr/local/shibboleth-idp -XX:+UseConcMarkSweepGC -Djava.security.egd=file:/dev/./urandom"
...
  -XX:MaxPermSize only applies to Java 7; Java 8 ignores it with a warning.
- idp.xml (on Debian: /etc/tomcat8/Catalina/localhost/idp.xml) lives on FreeBSD in /usr/local/apache-tomcat-8.0/conf/Catalina/localhost/
- our IdP was installed to /usr/local/shibboleth-idp, hence:
$ cat /usr/local/apache-tomcat-8.0/conf/Catalina/localhost/idp.xml
...
# Access to the status page
cd /usr/local/shibboleth-idp/conf/
cp access-control.xml access-control.xml.std
view access-control.xml
###
...
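The following script is an added example and not part of the original notes or of the Shibboleth distribution. It checks an IdP 3 home directory against the intent of the chown/chmod step above: nothing in credentials/ or conf/ world-readable, conf/ readable by the Tomcat group, the sealer keystore and the logs/ and metadata/ directories owned by the Tomcat user. The file name audit-idp-perms.sh and the sample tree in the test are assumptions; it uses find with octal modes and ls -ld so that it behaves the same on FreeBSD and GNU userland.

```sh
#!/bin/sh
# Added example (not from the original notes): ownership and mode audit of an
# IdP 3 home directory. Tomcat runs as www:www on FreeBSD, so call it as
#   sh audit-idp-perms.sh /usr/local/shibboleth-idp www www

# owner_of PATH / group_of PATH: fields 3 and 4 of 'ls -ld' (BSD and GNU agree)
owner_of() { ls -ld "$1" | awk '{ print $3 }'; }
group_of() { ls -ld "$1" | awk '{ print $4 }'; }

# audit_idp_perms IDP_HOME USER GROUP
# Prints one "OK   ..." or "WARN ..." line per finding.
audit_idp_perms() {
    home="$1"; user="$2"; group="$3"

    # 1. credentials/: signing and encryption keys, the back-channel keystore and
    #    the cookie sealer. -perm -004 = the "other read" bit is set.
    find "$home/credentials" -type f -perm -004 | while read -r p; do
        echo "WARN $p is world-readable"
    done

    # 2. sealer.* is rewritten on key rotation, so it belongs to the Tomcat user;
    #    the other key material only has to be readable by that user.
    for p in "$home"/credentials/sealer.*; do
        [ -e "$p" ] || continue
        if [ "$(owner_of "$p")" = "$user" ]; then
            echo "OK   $p owned by $user"
        else
            echo "WARN $p not owned by $user (sealer key rotation cannot write it)"
        fi
    done

    # 3. conf/ holds idp.properties and ldap.properties with passwords: readable
    #    by the Tomcat group (-perm -040 = group read bit), not by the world.
    find "$home/conf" -type f -perm -004 | while read -r p; do
        echo "WARN $p is world-readable"
    done
    find "$home/conf" -type f ! -perm -040 | while read -r p; do
        echo "WARN $p not group-readable (Tomcat cannot load it)"
    done
    if [ "$(group_of "$home/conf")" = "$group" ]; then
        echo "OK   conf/ group is $group"
    else
        echo "WARN conf/ group is $(group_of "$home/conf"), expected $group"
    fi

    # 4. logs/ and metadata/ are written by the IdP at runtime.
    for d in logs metadata; do
        if [ "$(owner_of "$home/$d")" = "$user" ]; then
            echo "OK   $d/ owned by $user"
        else
            echo "WARN $d/ not owned by $user"
        fi
    done
    return 0
}

# count_idp_warnings IDP_HOME USER GROUP -> number of WARN lines
count_idp_warnings() {
    audit_idp_perms "$1" "$2" "$3" | awk '/^WARN/ { n++ } END { print n + 0 }'
}

if [ $# -eq 3 ]; then
    audit_idp_perms "$1" "$2" "$3"
fi
```

Run it once after the installer has finished and again after every upgrade; the installer copies files as root, and a freshly extracted distribution typically leaves credentials/ world-readable, which the first check reports.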