view doc/shib/shib.md @ 14:be7787c36e58 default tip

new: notify LGSercies for deleted files
author Zoe Hong <zhong@mpiwg-berlin.mpg.de>
date Mon, 02 Nov 2015 16:41:23 +0100
parents a50cf11e5178
children

# Shib setup

FIXME: merge with what's in the Installation Guide: http://guides.dataverse.org/en/latest/installation 

## Install Apache and mod_shib

## Set up a valid SSL cert

See also notes on setting up the SSL cert for https://apitest.dataverse.org at https://github.com/IQSS/dataverse/tree/master/scripts/deploy/apitest.dataverse.org

### Create a private key

    [root@dvn-vm3 ~]# openssl genrsa -out /root/cert/shibtest.dataverse.org.key 2048
    Generating RSA private key, 2048 bit long modulus
    ..............................................................................................................+++
    ..............................................................................................................................+++
    e is 65537 (0x10001)

### Put private key where Apache can see it and secure it

    [root@dvn-vm3 ~]# cp /root/cert/shibtest.dataverse.org.key /etc/pki/tls/private
    [root@dvn-vm3 ~]# chmod 600 /etc/pki/tls/private/shibtest.dataverse.org.key
    [root@dvn-vm3 ~]# chown root:root /etc/pki/tls/private/shibtest.dataverse.org.key

### Back up the private key

Keep it secret. Keep it safe.

### Create a CSR using the private key

    [root@dvn-vm3 ~]# openssl req -new -key /root/cert/shibtest.dataverse.org.key -out /root/cert/shibtest.dataverse.org.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:US
    State or Province Name (full name) []:Massachusetts
    Locality Name (eg, city) [Default City]:Cambridge
    Organization Name (eg, company) [Default Company Ltd]:Harvard College
    Organizational Unit Name (eg, section) []:IQSS
    Common Name (eg, your name or your server's hostname) []:shibtest.dataverse.org
    Email Address []:support@dataverse.org

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    [root@dvn-vm3 ~]#

### Use CSR to request a cert from a certificate authority (CA)

Upload /root/cert/shibtest.dataverse.org.csr to https://cert-manager.com/customer/InCommon

Wait for the SSL cert to be approved.

### When the cert has been approved, download and install it and the certificate chain and set open permissions

    [root@dvn-vm3 ~]# chmod 644 /etc/pki/tls/certs/shibtest.dataverse.org.crt
    [root@dvn-vm3 ~]# chmod 644 /etc/pki/tls/certs/shibtest.dataverse.org_server-chain.crt

### Re-configure Apache to use the new cert

    [root@dvn-vm3 ~]# vim /etc/httpd/conf.d/ssl.conf
    [root@dvn-vm3 ~]# grep shibtest /etc/httpd/conf.d/ssl.conf
    ServerName shibtest.dataverse.org:443
    SSLCertificateFile /etc/pki/tls/certs/shibtest.dataverse.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/shibtest.dataverse.org.key
    SSLCertificateChainFile /etc/pki/tls/certs/shibtest.dataverse.org_server-chain.crt
    [root@dvn-vm3 ~]# service httpd restart
    Stopping httpd:                                            [  OK  ]
    Starting httpd:                                            [  OK  ]
    [root@dvn-vm3 ~]#

Now https://shibtest.dataverse.org shouldn't give any browser warnings or `curl` errors.
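The key, CSR and permission steps above, collected into shell functions as an added example (this is not code from the original notes or from the Dataverse project). It makes the CSR step non-interactive with `-subj`, and adds the two checks worth running before `service httpd restart`: that the private key is not group- or world-readable, and that the certificate the CA returned actually belongs to the key Apache is pointed at (compared via the RSA modulus). The hostname, output directory and subject fields are parameters; the subject values mirror the ones typed into the prompts above.

```shell
#!/bin/bash
# Added example, not part of the original notes. Assumes GNU coreutils (stat -c)
# and an openssl binary on PATH.

# Generate an RSA key and a CSR without the interactive prompts.
# Usage: make_key_and_csr <outdir> <hostname>
make_key_and_csr() {
    local outdir="$1" host="$2"
    openssl genrsa -out "$outdir/$host.key" 2048 2>/dev/null
    # Lock the key down immediately, before anything else can read it.
    chmod 600 "$outdir/$host.key"
    # Subject fields match the ones entered at the prompts in the notes.
    openssl req -new -key "$outdir/$host.key" -out "$outdir/$host.csr" \
        -subj "/C=US/ST=Massachusetts/L=Cambridge/O=Harvard College/OU=IQSS/CN=$host/emailAddress=support@dataverse.org"
}

# Print "ok" if the key file is mode 600 (or stricter), "insecure" otherwise.
# httpd reads the key as root at startup, so nobody else needs access to it.
check_key_perms() {
    local mode
    mode=$(stat -c '%a' "$1")
    # Last two octal digits are group and other; both must be 0.
    case "$mode" in
        *00) echo ok ;;
        *)   echo insecure ;;
    esac
}

# Print "match" if the certificate's public key corresponds to the private
# key, "mismatch" otherwise. A cert installed against the wrong key is the
# usual cause of httpd refusing to start with a "key values mismatch" error.
key_matches_cert() {
    local key="$1" cert="$2" kmod cmod
    kmod=$(openssl rsa  -noout -modulus -in "$key"  2>/dev/null)
    cmod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null)
    if [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Print the CN from a CSR so it can be eyeballed before uploading it to the CA.
# Handles both the "CN=host/..." and the "CN = host, ..." subject formats that
# different OpenSSL versions print.
csr_common_name() {
    openssl req -noout -subject -in "$1" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}
```

Typical use: `make_key_and_csr /root/cert shibtest.dataverse.org`, check the CSR with `csr_common_name /root/cert/shibtest.dataverse.org.csr`, and after the cert arrives run `key_matches_cert /etc/pki/tls/private/shibtest.dataverse.org.key /etc/pki/tls/certs/shibtest.dataverse.org.crt` and `check_key_perms` on the key before restarting httpd.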

## Force HTTPS with Apache

Use https://github.com/IQSS/dataverse/blob/auth/conf/httpd/conf.d/dataverse.conf as a template and make sure `RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]` is active.

Run `service httpd restart`.

## Update/verify files under /etc/shibboleth

For /etc/shibboleth/shibboleth2.xml use the version from https://github.com/IQSS/dataverse/blob/auth/conf/vagrant/etc/shibboleth/shibboleth2.xml but replace "pdurbin.pagekite.me" with "shibtest.dataverse.org".

Put https://github.com/IQSS/dataverse/blob/auth/conf/vagrant/etc/shibboleth/dataverse-idp-metadata.xml at /etc/shibboleth/dataverse-idp-metadata.xml

Put https://github.com/IQSS/dataverse/blob/auth/conf/vagrant/etc/shibboleth/attribute-map.xml at 

After making these changes, run `service shibd restart` and `service httpd restart`.

## Upload metadata to TestShib IdP

    curl https://shibtest.dataverse.org/Shibboleth.sso/Metadata > /tmp/shibtest.dataverse.org

Upload /tmp/shibtest.dataverse.org to http://testshib.org/register.html
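Before uploading the metadata, it is worth confirming that the hostname replacement in shibboleth2.xml was complete and that the generated SP metadata only points back at this host. The checks below are an added example (not from the original notes or the Dataverse project) that use only grep and sed. They assume the entityID follows the `https://<host>/shibboleth` pattern, and that every `Location=` attribute in the SP metadata (AssertionConsumerService, SingleLogoutService and so on) should be an https URL on the same host; both are assumptions about the template, not facts stated in these notes.

```shell
#!/bin/bash
# Added example, not part of the original notes. Assumes GNU grep/sed.

# Count lines still containing the vagrant hostname the notes say to replace.
# Usage: leftover_count <file> [devhost]
leftover_count() {
    local file="$1" devhost="${2:-pdurbin.pagekite.me}"
    # grep -c exits 1 when the count is 0, which is the result we want here.
    grep -c -- "$devhost" "$file" || true
}

# Print the first entityID attribute found in the file (shibboleth2.xml's
# <ApplicationDefaults> or the metadata's <EntityDescriptor>).
entity_id() {
    sed -n 's/.*entityID="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print "ok" when the entityID is https://<host>/shibboleth (assumed pattern),
# otherwise say what was expected and what was found.
check_entity_id() {
    local file="$1" host="$2" want got
    want="https://$host/shibboleth"
    got=$(entity_id "$file")
    if [ "$got" = "$want" ]; then
        echo ok
    else
        echo "expected $want, found ${got:-nothing}"
    fi
}

# Every Location= attribute in the SP metadata must point at https://<host>/,
# otherwise the IdP will send assertions somewhere else (or over plain http).
# Prints "ok" or the first offending URL.
metadata_locations_ok() {
    local file="$1" host="$2" bad
    bad=$(grep -o 'Location="[^"]*"' "$file" \
          | sed 's/Location="\(.*\)"/\1/' \
          | grep -v "^https://$host/" \
          | head -n 1)
    if [ -z "$bad" ]; then
        echo ok
    else
        echo "$bad"
    fi
}
```

Typical use on the box: `leftover_count /etc/shibboleth/shibboleth2.xml` should print 0, `check_entity_id /etc/shibboleth/shibboleth2.xml shibtest.dataverse.org` should print ok, and `metadata_locations_ok /tmp/shibtest.dataverse.org shibtest.dataverse.org` should print ok after the `curl` above and before registering the metadata with TestShib.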

## Test login to TestShib IdP

Select the TestShib IdP from the login page at https://shibtest.dataverse.org