Installing Shibboleth 1.3 on Redhat AS 3.0 using pubcookie for authentication


Table of Contents

Introduction
Purpose
About Shibboleth
Skill Sets required
Equipment required
Assumptions
Document Conventions
Installation
Prior Configuration
Firewall settings
NTP setup
Apache Installation
Pubcookie installation
Installing and configuring Java
Installing Apache Tomcat
Installing Shibboleth
Polishing the install
Things to think about

Introduction

Shibboleth is a project conceived by a consortium of American educational institutes (Internet2/MACE) to solve the problem of authenticating users to resources provided by many external companies and institutes. For more details see http://shibboleth.internet2.edu/

Purpose

The purpose of this document is to lower the skill set required to install Shibboleth. This document follows the previous guide: 'Installing Pubcookie on Redhat AS 3.0 and authenticating against Windows Active Directory', available from http://iamsect.ncl.ac.uk/.

It is not the intention of this guide to give a full overview of how to install Redhat AS3.0. The Redhat installation documentation is good and should be used. This guide will focus on administration from the command line, as most web servers run "headless" (i.e. no monitor, no windows, no graphical interface) and so can only be administered from the command line. A command line is also available in all graphical environments.

About Shibboleth

Shibboleth is a single sign on project that has come out of a federation of higher education establishments in the United States called Internet2. It is now being viewed as the replacement for Athens login in the U.K.

Skill Sets required

In order to install and manage a pubcookie server you will need to be able to access the following skills:

  1. A reasonable working knowledge of the Linux (or Unix) Command Line Interface (CLI);

  2. Knowledge of how to use the apache web server, either the 2.0.* or 1.3.* versions;

  3. Familiarity with the concepts of https communication (certificates, keys and the like);

  4. Familiarity with firewalls, or access to someone who is familiar with them, in particular the Linux iptables style of firewall;

  5. Most importantly, a willingness to read around subject areas: man pages, Google, and mailing lists.

Equipment required

In order to be able to install a Shibboleth origin (identity provider) you will require the following:

  1. A subscription to the Redhat network for at least one slot for Redhat AS3.0;

  2. A standard "x86" server (i.e. a standard server with a standard Intel or AMD chip set, as sold by Dell etc.);

  3. The ability to synchronise system time against a network time protocol (NTP) server;

  4. An SSL server certificate for the web server; the certificate must be valid and be signed by a Certificate Authority (CA), e.g. Thawte or Verisign;

  5. Root user access to the server;

  6. A preexisting pubcookie login server installation as detailed in a previous document.

Note

While this install guide is based on an install on Redhat AS3.0, much of it is still applicable to other Linux distributions.

Assumptions

For the purpose of this guide we will assume that your institution has a web presence called "example.edu" and that your Shibboleth server will be called "shib.example.edu". We will also assume that you call your SSL server key shib.example.edu.key and that you call the signed certificate file you get back from your certificate authority shib.example.edu.crt.signed.

Document Conventions

Code listings are provided within boxes like this:

$ echo hello world

File contents are provided within boxes like this:

The contents of a file

Some commands can be executed as a normal user; others must be executed with super-user privileges. You can follow this guide entirely as the super-user, or you could be a normal user for a number of steps. In the latter case, switching between users and managing the resulting permission issues is an exercise left to the reader.

To indicate which category a given command falls into, the standard Bourne shell prompt characters are used: '$' for a normal user, '#' for the super-user:

$ echo normal user command
# echo super user command