IdP3 on FreeBSD 10.1
====================
General notes for FreeBSD 10.1:
- Apache and Tomcat are (re)started via rc.d: /usr/local/etc/rc.d/apache24 start|stop|restart (same for .../rc.d/tomcat8)
- Apache and Tomcat run as user:group www:www
pkg update -f
...
pkg install apache24-2.4.12
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
Updating database digests format: 100%
The following 9 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
apache24: 2.4.12
expat: 2.1.0_2
perl5: 5.20.2_4
pcre: 8.37_1
apr: 1.5.2.1.5.4
gdbm: 1.11_2
indexinfo: 0.2.3
gettext-runtime: 0.19.4
db5: 5.3.28_2
The process will require 130 MiB more space.
31 MiB to be downloaded.
Proceed with this action? [y/N]: y
...
vi /etc/rc.conf
apache24_enable="yes"
hostname="idp.uni.de"
...
# Start Apache for the first time
/usr/local/etc/rc.d/apache24 onestart
...
vi /usr/local/etc/apache24/httpd.conf
# the following changes:
###
#Listen 80
LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
LoadModule ssl_module libexec/apache24/mod_ssl.so
LoadModule proxy_module libexec/apache24/mod_proxy.so
LoadModule proxy_ajp_module libexec/apache24/mod_proxy_ajp.so
ServerName idp.uni.de
#
# AllowOverride none
# Require all denied
#
# CustomLog "/var/log/httpd-access.log" common
#Include etc/apache24/extra/httpd-ssl.conf
Create the vhosts in a separate include file. The <VirtualHost> and <Location> container directives were lost from this copy of the file and are restored below: without a <Location /idp> container the path-less "ProxyPass ajp://..." lines are invalid, and SSLStaplingCache is only accepted at server-config level, outside every <VirtualHost>. Note that httpd.conf above has "Listen 80" commented out and this file adds no Listen for port 80, so the http-to-https redirect vhost only takes effect if a "Listen xxx.xxx.xxx.xxx:80" is added here.
$ cat /usr/local/etc/apache24/Includes/idp-vhost.conf
# server level, not inside a <VirtualHost>
SSLStaplingCache shmcb:/tmp/stapling_cache(102400)

<VirtualHost *:80>
    ServerName idp.uni.de:80
    RedirectMatch permanent ^/(.*)$ https://idp.uni.de/$1
</VirtualHost>

################################################
#
# SingleSignOnService on port 443
#
Listen xxx.xxx.xxx.xxx:443
<VirtualHost xxx.xxx.xxx.xxx:443>
    ServerName idp.uni.de:443
    Header add Strict-Transport-Security "max-age=15768000"
    AddDefaultCharset UTF-8
    SSLEngine on
    SSLCertificateFile /usr/local/etc/ssl/idp_cert.pem
    SSLCertificateKeyFile /usr/local/etc/ssl/idp_privkey.pem
    SSLCACertificateFile /usr/local/etc/ssl/dfn_global_chain.pem
    # SSLv3 off (POODLE); a current deployment would also drop TLSv1 and TLSv1.1
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!PSK:!DSS:!SEED:!ECDSA:!CAMELLIA'
    SSLUseStapling on
    SSLStaplingReturnResponderErrors off
    <Location /idp>
        Require all granted
        ProxyPass ajp://localhost:8009/idp
    </Location>
    Header always append X-FRAME-OPTIONS "DENY"
</VirtualHost>

################################################
#
# ArtifactResolutionService and AttributeService
#
# https://idp.beispiel-uni.de:8443/idp/profile/SAML2/SOAP/ArtifactResolution
# https://idp.beispiel-uni.de:8443/idp/profile/SAML1/SOAP/ArtifactResolution
#
# https://idp.beispiel-uni.de:8443/idp/profile/SAML2/SOAP/AttributeQuery
# https://idp.beispiel-uni.de:8443/idp/profile/SAML1/SOAP/AttributeQuery
#
Listen xxx.xxx.xxx.xxx:8443
#Listen [IDP-IPV6-ADDRESS]:8443
<VirtualHost xxx.xxx.xxx.xxx:8443>
    ServerName idp.uni.de:8443
    Header add Strict-Transport-Security "max-age=15768000"
    SSLEngine on
    SSLCertificateFile /usr/local/etc/ssl/idp_cert.pem
    SSLCertificateKeyFile /usr/local/etc/ssl/idp_privkey.pem
    SSLCACertificateFile /usr/local/etc/ssl/dfn_global_chain.pem
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!PSK:!DSS:!SEED:!ECDSA:!CAMELLIA'
    # back channel: request the SP's client certificate but do not verify it
    # against a CA; the IdP checks it against the SP's metadata, so the
    # certificate must be exported to the environment and passed on to Tomcat
    SSLVerifyClient optional_no_ca
    SSLVerifyDepth 10
    SSLOptions +StdEnvVars +ExportCertData
    SSLUseStapling on
    SSLStaplingReturnResponderErrors off
    <Location /idp>
        Require all granted
        ProxyPass ajp://localhost:8009/idp
    </Location>
</VirtualHost>
...
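The following is an added example, not part of the original notes and not Shibboleth or Apache project code: a small audit script for the include file above. Per <VirtualHost> it re-checks the settings the two IdP vhosts depend on (exactly one "SSLEngine on", SSLv3 disabled, SSLHonorCipherOrder, the HSTS header, OCSP stapling) and that SSLStaplingCache sits at server level, where mod_ssl requires it. The two embedded configs are constructed samples: one mirrors the corrected include, the other contains the mistakes the audit is meant to catch.

```shell
#!/bin/sh
# Added example: audit an Apache include for the TLS settings the IdP vhosts rely on.
# Usage: audit_vhosts /usr/local/etc/apache24/Includes/idp-vhost.conf
# Prints one finding per line and returns 1 if there is any finding.

audit_vhosts() {
    awk '
    function report(msg) { printf "%s: %s\n", vhost, msg; bad++ }
    function finish() {
        if (!in_vhost) return
        if (!tls) { in_vhost = 0; return }          # plain-HTTP vhost (e.g. the :80 redirect)
        if (engine == 0) report("SSLEngine on missing")
        if (engine > 1)  report("SSLEngine on given " engine " times (duplicate)")
        if (proto == "") report("SSLProtocol missing (SSLv3 stays enabled)")
        else if (proto ~ /[ \t][Aa][Ll][Ll]/ && proto !~ /-SSLv3/)
                         report("SSLProtocol does not disable SSLv3")
        if (!order)      report("SSLHonorCipherOrder On missing")
        if (!hsts)       report("Strict-Transport-Security header missing")
        if (!stapling)   report("SSLUseStapling on missing")
        in_vhost = 0
    }
    /^[ \t]*<VirtualHost/ {
        vhost = $0; sub(/^[ \t]*<VirtualHost[ \t]*/, "", vhost); sub(/>.*$/, "", vhost)
        in_vhost = 1; tls = (vhost ~ /:(443|8443)$/)
        engine = 0; proto = ""; order = 0; hsts = 0; stapling = 0
        next
    }
    /^[ \t]*<\/VirtualHost>/ { finish(); next }
    /^[ \t]*#/ { next }
    !in_vhost && $1 == "SSLStaplingCache" { cache = 1 }
    in_vhost && $1 ~ /^SSL/ { tls = 1 }
    in_vhost && $1 == "SSLStaplingCache" { report("SSLStaplingCache must be outside <VirtualHost>") }
    in_vhost && $1 == "SSLEngine" && tolower($2) == "on" { engine++ }
    in_vhost && $1 == "SSLProtocol" { proto = $0; sub(/^[ \t]*SSLProtocol/, "", proto) }
    in_vhost && $1 == "SSLHonorCipherOrder" && tolower($2) == "on" { order = 1 }
    in_vhost && $1 == "Header" && /Strict-Transport-Security/ { hsts = 1 }
    in_vhost && $1 == "SSLUseStapling" && tolower($2) == "on" { stapling = 1 }
    END {
        if (!cache) { print "global: SSLStaplingCache missing, SSLUseStapling cannot work"; bad++ }
        exit (bad > 0)
    }' "$1"
}

# Constructed sample: the redirect vhost and the :443 vhost from the include above.
write_good_conf() {
    cat > "$1" <<'EOF'
SSLStaplingCache shmcb:/tmp/stapling_cache(102400)
<VirtualHost *:80>
    ServerName idp.uni.de:80
    RedirectMatch permanent ^/(.*)$ https://idp.uni.de/$1
</VirtualHost>
Listen xxx.xxx.xxx.xxx:443
<VirtualHost xxx.xxx.xxx.xxx:443>
    ServerName idp.uni.de:443
    Header add Strict-Transport-Security "max-age=15768000"
    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLUseStapling on
    <Location /idp>
        Require all granted
        ProxyPass ajp://localhost:8009/idp
    </Location>
</VirtualHost>
EOF
}

# Constructed sample with the typical mistakes: stapling cache inside the vhost,
# SSLEngine twice, SSLv3 left on, no cipher order, no HSTS.
write_bad_conf() {
    cat > "$1" <<'EOF'
<VirtualHost *:443>
    ServerName idp.uni.de:443
    SSLStaplingCache shmcb:/tmp/stapling_cache(102400)
    SSLEngine on
    SSLEngine on
    SSLProtocol All -SSLv2
    SSLUseStapling on
</VirtualHost>
EOF
}

tmp=$(mktemp -d)
write_good_conf "$tmp/idp-vhost.conf"
write_bad_conf "$tmp/broken.conf"
audit_vhosts "$tmp/idp-vhost.conf" && echo "idp-vhost.conf: no findings"
audit_vhosts "$tmp/broken.conf" || echo "broken.conf: see findings above"
rm -rf "$tmp"
```

Run it against the real include before "apache24 restart"; the audit only reads the file, so it complements rather than replaces the "Syntax OK" sanity check the rc.d script performs.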
# Remove the passphrase from the private key so Apache can start unattended.
# The unencrypted key must be readable by root only (chmod 600), and key and
# certificate should be checked against each other: the output of
#   openssl x509 -noout -modulus -in idp_cert.pem
#   openssl rsa  -noout -modulus -in idp_privkey.pem
# must be identical.
openssl rsa -in privkey.pem -out idp_privkey.pem
Enter pass phrase for privkey.pem:
writing RSA key
...
/usr/local/etc/rc.d/apache24 restart
Performing sanity check on apache24 configuration:
Syntax OK
Stopping apache24.
Waiting for PIDS: 76559.
Performing sanity check on apache24 configuration:
Syntax OK
Starting apache24.
...
# Install Tomcat 8 (pulls in OpenJDK 7)
pkg install tomcat8-8.0.18
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
The following 33 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
tomcat8: 8.0.18
openjdk: 7.80.15,1
libXtst: 1.2.2_3
recordproto: 1.14.2
libXi: 1.7.4_1,1
xproto: 7.0.27
libXfixes: 5.0.1_3
libX11: 1.6.2_3,1
libxcb: 1.11_1
libXdmcp: 1.1.2
libXau: 1.0.8_3
libxml2: 2.9.2_2
libpthread-stubs: 0.3_6
kbproto: 1.0.6
fixesproto: 5.0
libXext: 1.3.3_1,1
xextproto: 7.3.0
inputproto: 2.3.1
libXrender: 0.9.8_3
renderproto: 0.11.1
libXt: 1.1.4_3,1
libSM: 1.2.2_3,1
libICE: 1.0.9_1,1
fontconfig: 2.11.1,1
freetype2: 2.5.5
dejavu: 2.35
mkfontscale: 1.1.2
libfontenc: 1.1.2_3
mkfontdir: 1.0.7
javavmwrapper: 2.5
java-zoneinfo: 2015.e_1
alsa-lib: 1.0.29
jakarta-commons-daemon: 1.0.15
The process will require 201 MiB more space.
65 MiB to be downloaded.
Proceed with this action? [y/N]: y
...
Message for dejavu-2.35:
Make sure that the freetype module is loaded. If it is not, add the following
line to the "Modules" section of your X Windows configuration file:
Load "freetype"
Add the following line to the "Files" section of X Windows configuration file:
FontPath "/usr/local/share/fonts/dejavu/"
Note: your X Windows configuration file is typically /etc/X11/XF86Config
if you are using XFree86, and /etc/X11/xorg.conf if you are using X.Org.
Message for openjdk-7.80.15,1:
======================================================================
This OpenJDK implementation requires fdescfs(5) mounted on /dev/fd and
procfs(5) mounted on /proc for some functionality.
If you have not done it yet, please do the following:
mount -t fdescfs fdesc /dev/fd
mount -t procfs proc /proc
To make it permanent, you need the following lines in /etc/fstab:
fdesc /dev/fd fdescfs rw 0 0
proc /proc procfs rw 0 0
======================================================================
...
# Install JCE (cryptix-jce port)
pkg install cryptix-jce-20050328_2
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
cryptix-jce: 20050328_2
The process will require 474 KiB more space.
426 KiB to be downloaded.
Proceed with this action? [y/N]: y
...
# Install MySQL
pkg install mysql56-server-5.6.24 mysql56-client-5.6.24_1
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
The following 3 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
mysql56-server: 5.6.24
mysql56-client: 5.6.24_1
libedit: 3.1.20150325_1
The process will require 129 MiB more space.
10 MiB to be downloaded.
Proceed with this action? [y/N]: y
Message for mysql56-server-5.6.24:
************************************************************************
Remember to run mysql_upgrade the first time you start the MySQL server
after an upgrade from an earlier version.
************************************************************************
...
vi /etc/rc.conf
mysql_enable="YES"
...
# Install wget
pkg install wget-1.16.3
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
The following 2 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
wget: 1.16.3
libidn: 1.29
The process will require 3 MiB more space.
709 KiB to be downloaded.
Proceed with this action? [y/N]: y
...
# Install openssl
pkg install openssl-1.0.2_3
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
openssl: 1.0.2_3
The process will require 11 MiB more space.
3 MiB to be downloaded.
Proceed with this action? [y/N]: y
Message for openssl-1.0.2_3:
Copy /usr/local/openssl/openssl.cnf.sample to /usr/local/openssl/openssl.cnf
and edit it to fit your needs.
...
# Fetch the IdP3 3.1.2 sources for a later update (prefer https and verify the
# detached PGP signature that Shibboleth publishes next to the tarball)
wget http://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-3.1.2.tar.gz
gzip -d shibb...
tar xf shibb...
...
# Install bash
pkg install bash-4.3.39
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
bash: 4.3.39
The process will require 7 MiB more space.
1 MiB to be downloaded.
Proceed with this action? [y/N]: y
...
# Adjust the path to bash in install.sh (FreeBSD has no /bin/bash; the package installs it under /usr/local/bin)
view ./install.sh
###
#! /usr/local/bin/bash
...
# Set JAVA_HOME (csh syntax, root's default shell on FreeBSD; /usr/local/bin/java is the javavmwrapper stub, so /usr/local/ works here)
setenv JAVA_HOME /usr/local/
...
# Install IdP3:
/usr/local/shibboleth-identity-provider-3.1.1/bin # ./install.sh
Source (Distribution) Directory: [/usr/local/shibboleth-identity-provider-3.1.1]
Installation Directory: [/opt/shibboleth-idp]
/usr/local/shibboleth-idp
Hostname: [idp.uni.de]
SAML EntityID: [https://idp.uni.de/idp/shibboleth]
Attribute Scope: [uni.de]
TLS Private Key Password:
Re-enter password:
Cookie Encryption Key Password:
Re-enter password:
Warning: /usr/local/shibboleth-idp/bin does not exist.
Warning: /usr/local/shibboleth-idp/dist does not exist.
Warning: /usr/local/shibboleth-idp/doc does not exist.
Warning: /usr/local/shibboleth-idp/system does not exist.
Warning: /usr/local/shibboleth-idp/webapp does not exist.
Generating Signing Key, CN = idp.uni.de URI = https://idp.uni.de/idp/shibboleth ...
...done
Creating Encryption Key, CN = idp.uni.de URI = https://idp.uni.de/idp/shibboleth ...
...done
Creating TLS keystore, CN = idp.uni.de URI = https://idp.uni.de/idp/shibboleth ...
...done
Creating cookie encryption key files...
...done
Rebuilding /usr/local/shibboleth-idp/war/idp.war ...
...done
BUILD SUCCESSFUL
Total time: 5 minutes 53 seconds
...
# Set permissions. The IdP runs as www, and the directory is the one given to
# install.sh above, not the /opt default. Besides sealer.*, www must be able to
# read the other files in credentials/ (idp-signing.key, idp-encryption.key,
# idp-backchannel.p12, sealer.kver); nothing in credentials/ may be world-readable.
cd /usr/local/shibboleth-idp
chown -R www metadata logs
chgrp -R www conf
chmod -R g+r conf
chown www credentials/sealer.*
...
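An added example (not from the original notes and not Shibboleth's own tooling) that checks the result of the chown/chmod steps above. It verifies mode bits only: nothing in conf/ readable by others, everything in credentials/ owner-only, metadata/ and logs/ writable by their owner. The www:www ownership from the text is assumed and not re-checked. The sample tree is constructed in a temporary directory and contains three deliberate mistakes.

```shell
#!/bin/sh
# Added example: mode-bit check for a Shibboleth IdP 3 installation directory.
# Usage: check_idp_perms /usr/local/shibboleth-idp

# permission string without the type character, e.g. rw-r-----
mode_of() { ls -ld "$1" | cut -c2-10; }

check_idp_perms() {
    idp=$1
    findings=$(
        # conf/: idp.properties, ldap.properties etc. carry passwords; group www
        # may read (chmod -R g+r conf), nobody else
        find "$idp/conf" -type f | while read -r f; do
            case $(mode_of "$f") in
                ??????r??) echo "world-readable: $f" ;;
            esac
        done
        # credentials/: signing and encryption keys, back-channel keystore and
        # sealer files are read by the IdP user only
        find "$idp/credentials" -type f | while read -r f; do
            case $(mode_of "$f") in
                ???------) ;;
                *) echo "not owner-only: $f" ;;
            esac
        done
        # metadata/ and logs/ are written by the IdP (chown -R www metadata logs)
        for d in metadata logs; do
            if [ ! -d "$idp/$d" ]; then
                echo "missing directory: $idp/$d"
            else
                case $(mode_of "$idp/$d") in
                    ?w*) ;;
                    *) echo "not owner-writable: $idp/$d" ;;
                esac
            fi
        done
    )
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
}

# Constructed sample tree with three mistakes: a world-readable idp.properties,
# a group-readable signing key, and a read-only logs directory.
make_sample_tree() {
    root=$1
    mkdir -p "$root/conf" "$root/credentials" "$root/metadata" "$root/logs"
    : > "$root/conf/idp.properties";         chmod 644 "$root/conf/idp.properties"
    : > "$root/conf/ldap.properties";        chmod 640 "$root/conf/ldap.properties"
    : > "$root/credentials/sealer.jks";      chmod 600 "$root/credentials/sealer.jks"
    : > "$root/credentials/idp-signing.key"; chmod 640 "$root/credentials/idp-signing.key"
    chmod 755 "$root/metadata"
    chmod 555 "$root/logs"
}

tmp=$(mktemp -d)
make_sample_tree "$tmp/shibboleth-idp"
check_idp_perms "$tmp/shibboleth-idp" || echo "fix the findings above before starting Tomcat"
chmod -R u+w "$tmp"; rm -rf "$tmp"
```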
# Install mysql-connector-java
pkg install mysql-connector-java-5.1.35
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
The following 2 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
mysql-connector-java: 5.1.35
log4j: 1.2.17
The process will require 30 MiB more space.
3 MiB to be downloaded.
Proceed with this action? [y/N]: y
...
# Download the JSTL jar and put it into Tomcat's lib directory. Instead of
# wget --no-check-certificate (which skips TLS verification of
# build.shibboleth.net entirely), install the CA bundle; on FreeBSD wget has
# no trust store until ca_root_nss is installed
pkg install ca_root_nss
cd /usr/local/apache-tomcat-8.0/lib/
wget https://build.shibboleth.net/nexus/service/local/repositories/thirdparty/content/javax/servlet/jstl/1.2/jstl-1.2.jar
...
- Tomcat start parameters: set them in /etc/rc.conf (the variable is read by /usr/local/etc/rc.d/tomcat8; editing the rc.d script itself is lost on the next pkg upgrade):
..
tomcat8_java_opts="-Djava.awt.headless=true -Xms1024m -Xmx6144m -XX:MaxPermSize=1024m -Didp.home=/usr/local/shibboleth-idp -XX:+UseConcMarkSweepGC -Djava.security.egd=file:/dev/./urandom"
(-XX:MaxPermSize only applies to Java 7 and is ignored with a warning on Java 8; -Didp.home must match the installation directory given to install.sh)
...
- idp.xml (on Debian: /etc/tomcat8/Catalina/localhost/idp.xml) lives on FreeBSD in /usr/local/apache-tomcat-8.0/conf/Catalina/localhost/ (conf/, not work/; work/ is Tomcat's scratch directory and is not consulted for context descriptors)
- our IdP was installed to /usr/local/shibboleth-idp, hence:
$ cat /usr/local/apache-tomcat-8.0/conf/Catalina/localhost/idp.xml
...
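An added example for the Tomcat side of the AJP setup (not from the original notes; the idp.xml form follows the Shibboleth Tomcat documentation, the checker is mine). render_idp_xml writes the context descriptor for the idp.home used on this page; check_ajp_connector reads server.xml and flags an AJP connector that is not bound to loopback, still performs Tomcat authentication (so the REMOTE_USER Apache sets would be ignored), or lacks a larger packetSize (the 8 KiB default truncates the client-certificate chain the 8443 vhost forwards via ExportCertData). The XML comment handling in the awk is deliberately rough (whole-line comments only). Both server.xml samples are constructed.

```shell
#!/bin/sh
# Added example: Tomcat context descriptor and AJP connector check for the IdP.
# Usage: render_idp_xml /usr/local/shibboleth-idp > /usr/local/apache-tomcat-8.0/conf/Catalina/localhost/idp.xml
#        check_ajp_connector /usr/local/apache-tomcat-8.0/conf/server.xml

render_idp_xml() {
    cat <<EOF
<Context docBase="$1/war/idp.war"
         privileged="true"
         antiResourceLocking="false"
         swallowOutput="true" />
EOF
}

# Prints one finding per line, returns 1 if the AJP connector needs changes.
check_ajp_connector() {
    awk '
    function report(m) { print "server.xml: " m; bad++ }
    /<!--/ { skip = 1 }
    skip && /-->/ { skip = 0; next }
    skip { next }
    /<Connector/ { buf = ""; collecting = 1 }
    collecting { buf = buf " " $0 }
    collecting && /\/>/ {
        collecting = 0
        if (buf !~ /protocol="AJP\/1\.3"/) next
        ajp++
        if (buf !~ /address="(127\.0\.0\.1|::1|localhost)"/)
            report("AJP connector reachable beyond loopback: add address=\"127.0.0.1\"")
        if (buf !~ /tomcatAuthentication="false"/)
            report("tomcatAuthentication=\"false\" missing: REMOTE_USER from Apache is dropped")
        if (buf !~ /packetSize="[0-9]+"/)
            report("packetSize missing: 8192-byte default truncates forwarded client certificates")
    }
    END {
        if (!ajp) report("no AJP/1.3 connector found, ProxyPass ajp://localhost:8009 has no backend")
        exit (bad > 0)
    }' "$1"
}

# Constructed sample: the connector line as shipped in a stock Tomcat 8.0 server.xml
write_stock_server_xml() {
    cat > "$1" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
EOF
}

# Constructed sample: the connector adjusted for an Apache front end on the same host
write_hardened_server_xml() {
    cat > "$1" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3"
               address="127.0.0.1" enableLookups="false"
               tomcatAuthentication="false" packetSize="65536" />
  </Service>
</Server>
EOF
}

tmp=$(mktemp -d)
write_stock_server_xml "$tmp/server.xml"
check_ajp_connector "$tmp/server.xml" || echo "stock server.xml needs changes"
write_hardened_server_xml "$tmp/server.xml"
check_ajp_connector "$tmp/server.xml" && echo "hardened server.xml: ok"
render_idp_xml /usr/local/shibboleth-idp
rm -rf "$tmp"
```

When packetSize is raised on the Tomcat side, the Apache vhosts need a matching "ProxyIOBufferSize 65536", otherwise mod_proxy_ajp still splits at its own 8 KiB default.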
# Access to the status page
cd /usr/local/shibboleth-idp/conf/
cp access-control.xml access-control.xml.std
view access-control.xml
###
###
...