LGDataverses: doc/shib/shib.md @ 14:be7787c36e58 (default tip)
new: notify LGSercies for deleted files

| author | Zoe Hong <zhong@mpiwg-berlin.mpg.de> |
|---|---|
| date | Mon, 02 Nov 2015 16:41:23 +0100 |
| parents | a50cf11e5178 |
| children | |
# Shib setup

FIXME: merge with what's in the Installation Guide: http://guides.dataverse.org/en/latest/installation

## Install Apache and mod shib

## Set up a valid SSL cert

See also the notes on setting up the SSL cert for https://apitest.dataverse.org at https://github.com/IQSS/dataverse/tree/master/scripts/deploy/apitest.dataverse.org

### Create a private key

```
[root@dvn-vm3 ~]# openssl genrsa -out /root/cert/shibtest.dataverse.org.key 2048
Generating RSA private key, 2048 bit long modulus
..............................................................................................................+++
..............................................................................................................................+++
e is 65537 (0x10001)
```

Run this under a restrictive umask (for example `umask 077`) or `chmod 600` the key as soon as it is written, so that no copy of it is ever world-readable, not even briefly.

### Put the private key where Apache can see it and secure it

```
[root@dvn-vm3 ~]# cp /root/cert/shibtest.dataverse.org.key /etc/pki/tls/private
[root@dvn-vm3 ~]# chmod 600 /etc/pki/tls/private/shibtest.dataverse.org.key
[root@dvn-vm3 ~]# chown root:root /etc/pki/tls/private/shibtest.dataverse.org.key
```

`root:root` with mode 600 is sufficient: httpd reads the key as root at startup, before it drops privileges, so the `apache` worker user never needs access to it.

### Back up the private key

Keep it secret. Keep it safe.

### Create a CSR using the private key

```
[root@dvn-vm3 ~]# openssl req -new -key /root/cert/shibtest.dataverse.org.key -out /root/cert/shibtest.dataverse.org.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Massachusetts
Locality Name (eg, city) [Default City]:Cambridge
Organization Name (eg, company) [Default Company Ltd]:Harvard College
Organizational Unit Name (eg, section) []:IQSS
Common Name (eg, your name or your server's hostname) []:shibtest.dataverse.org
Email Address []:support@dataverse.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@dvn-vm3 ~]#
```

Leaving the challenge password blank is fine; most CAs ignore it.

### Use the CSR to request a cert from a certificate authority (CA)

Upload /root/cert/shibtest.dataverse.org.csr to https://cert-manager.com/customer/InCommon and wait for the SSL cert to be approved. Only the CSR leaves the machine; the private key stays where it is.

### When the cert has been approved, download and install it and the certificate chain and set open permissions

```
[root@dvn-vm3 ~]# chmod 644 /etc/pki/tls/certs/shibtest.dataverse.org.crt
[root@dvn-vm3 ~]# chmod 644 /etc/pki/tls/certs/shibtest.dataverse.org_server-chain.crt
```

Certificates are public, so 644 is correct here; only the key has to stay 600.

### Re-configure Apache to use the new cert

```
[root@dvn-vm3 ~]# vim /etc/httpd/conf.d/ssl.conf
[root@dvn-vm3 ~]# grep shibtest /etc/httpd/conf.d/ssl.conf
ServerName shibtest.dataverse.org:443
SSLCertificateFile /etc/pki/tls/certs/shibtest.dataverse.org.crt
SSLCertificateKeyFile /etc/pki/tls/private/shibtest.dataverse.org.key
SSLCertificateChainFile /etc/pki/tls/certs/shibtest.dataverse.org_server-chain.crt
[root@dvn-vm3 ~]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@dvn-vm3 ~]#
```

Now https://shibtest.dataverse.org should not give any browser warnings or `curl` errors. If `curl` still complains about the certificate even though the browser is happy, a missing or wrong chain file is the usual cause rather than the leaf certificate itself. On Apache 2.4.8 and later `SSLCertificateChainFile` is deprecated; there the chain can be appended to the file named by `SSLCertificateFile` instead.

## Force HTTPS with Apache

Use https://github.com/IQSS/dataverse/blob/auth/conf/httpd/conf.d/dataverse.conf as a template and make sure `RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]` is active. Run `service httpd restart`. Note that `[R,L]` sends a temporary (302) redirect; use `[R=301,L]` if browsers should remember the redirect as permanent.
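The key, CSR and certificate steps above, collected into a script that also runs the checks a practitioner wants before restarting Apache. This is an added example, not part of the LGDataverses or Dataverse documentation: it creates the key under a restrictive umask, writes the CSR non-interactively from a config file (adding a subjectAltName, which current browsers require in addition to the CN), and then confirms that key, CSR and certificate carry the same public key and that the certificate verifies against its chain. A real CA cannot take part offline, so a throwaway local CA stands in for InCommon; `$WORKDIR`, the `csr.cnf` file and the `Example Test CA` name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Dataverse/LGDataverses docs.
# Generates a TLS private key and CSR the way the page does, then verifies
# that key, CSR and certificate belong together and that the chain validates.
# WORKDIR, csr.cnf and the "Example Test CA" are assumptions of this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST="${HOST:-shibtest.dataverse.org}"

# Step 1: private key. umask 077 means the file is never world-readable,
# not even between creation and the chmod (a chmod 600 alone leaves a
# window if the umask is permissive).
gen_key() {
    ( umask 077 && openssl genrsa -out "$WORKDIR/$HOST.key" 2048 2>/dev/null )
    chmod 600 "$WORKDIR/$HOST.key"
}

# Step 2: CSR, non-interactively. [dn] holds the answers the page typed at
# the prompts; [ext] adds a subjectAltName, which browsers require (a
# hostname that appears only in CN is no longer accepted).
gen_csr() {
    cat > "$WORKDIR/csr.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions     = ext
prompt             = no
[dn]
C  = US
ST = Massachusetts
L  = Cambridge
O  = Harvard College
OU = IQSS
CN = $HOST
[ext]
subjectAltName = DNS:$HOST
EOF
    openssl req -new -key "$WORKDIR/$HOST.key" -out "$WORKDIR/$HOST.csr" \
        -config "$WORKDIR/csr.cnf"
}

# Step 3 (stand-in for InCommon): a throwaway CA signs the CSR so the checks
# below can run offline. With a real CA only the CSR leaves the machine.
sign_with_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" \
        -subj "/CN=Example Test CA" 2>/dev/null
    openssl x509 -req -in "$WORKDIR/$HOST.csr" -days 1 \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -extfile "$WORKDIR/csr.cnf" -extensions ext \
        -out "$WORKDIR/$HOST.crt" 2>/dev/null
    chmod 644 "$WORKDIR/$HOST.crt" "$WORKDIR/ca.crt"   # certificates are public
}

# SHA-256 of the public key carried by a key, CSR or certificate. Equal
# hashes mean the files belong together; a mismatch is the classic cause
# of a "key values mismatch" error when httpd starts.
pubkey_hash() {
    case "$1" in
        *.key) openssl pkey -in "$1" -pubout ;;
        *.csr) openssl req  -in "$1" -pubkey -noout ;;
        *.crt) openssl x509 -in "$1" -pubkey -noout ;;
    esac | openssl sha256 | awk '{print $NF}'
}
same_key()  { [ "$(pubkey_hash "$1")" = "$(pubkey_hash "$2")" ]; }

# Octal mode of a file (GNU stat, BSD stat as fallback); the key must be 600.
file_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# What a browser or curl does: validate the leaf against the chain file.
chain_ok()  { openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/$HOST.crt" >/dev/null 2>&1; }

# The hostname must be present in subjectAltName, not only in CN.
san_ok()    { openssl x509 -in "$WORKDIR/$HOST.crt" -noout -text | grep -q "DNS:$HOST"; }

run_all() {
    gen_key && gen_csr && sign_with_test_ca \
        && [ "$(file_mode "$WORKDIR/$HOST.key")" = 600 ] \
        && same_key "$WORKDIR/$HOST.key" "$WORKDIR/$HOST.csr" \
        && same_key "$WORKDIR/$HOST.key" "$WORKDIR/$HOST.crt" \
        && chain_ok && san_ok
}

run_all && echo "key, CSR and certificate for $HOST are consistent (files in $WORKDIR)"
```

On the real server the `same_key` check is the one to run against the `.crt` downloaded from the CA and the `.key` under /etc/pki/tls/private before restarting httpd, and `openssl verify -CAfile` with the downloaded chain file stands in for `chain_ok`.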
## Update/verify files under /etc/shibboleth

For /etc/shibboleth/shibboleth2.xml use the version from https://github.com/IQSS/dataverse/blob/auth/conf/vagrant/etc/shibboleth/shibboleth2.xml but replace "pdurbin.pagekite.me" with "shibtest.dataverse.org".

Put https://github.com/IQSS/dataverse/blob/auth/conf/vagrant/etc/shibboleth/dataverse-idp-metadata.xml at /etc/shibboleth/dataverse-idp-metadata.xml

Put https://github.com/IQSS/dataverse/blob/auth/conf/vagrant/etc/shibboleth/attribute-map.xml at

After making these changes, run `service shibd restart` and `service httpd restart`.

## Upload metadata to TestShib IdP

```
curl https://shibtest.dataverse.org/Shibboleth.sso/Metadata > /tmp/shibtest.dataverse.org
```

The SP metadata is generated by shibd from shibboleth2.xml, so check the downloaded file for any leftover "pdurbin.pagekite.me" and for `http://` endpoints before uploading it; the IdP will trust exactly what this file says. Upload /tmp/shibtest.dataverse.org to http://testshib.org/register.html. TestShib is a public test IdP, so use it only for testing.

## Test login to TestShib IdP

Select the TestShib IdP from the login page at https://shibtest.dataverse.org
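A sanity check for the metadata fetched from `/Shibboleth.sso/Metadata` before it is handed to an IdP, as an added example that is not part of the LGDataverses or Dataverse documentation. It verifies that the entityID is an `https://` URL on the expected host, that no endpoint is advertised over plain `http://`, and that the template hostname from the Dataverse vagrant shibboleth2.xml has not survived the edit. The two metadata files it checks are constructed here (trimmed to the elements the checks read) and their `/sp` entityID path is an assumption; in practice the input is the file written by the `curl` command above.

```shell
#!/bin/sh
# Added example, not part of the Dataverse/LGDataverses docs: sanity-check SP
# metadata before uploading it to an IdP. The two metadata files below are
# constructed for this example; the real input comes from /Shibboleth.sso/Metadata.
set -eu

TEMPLATE_HOST="pdurbin.pagekite.me"                    # hostname in the template shibboleth2.xml
EXPECTED_HOST="${EXPECTED_HOST:-shibtest.dataverse.org}"

# entityID declared in the metadata: the identity the IdP will release attributes to.
entity_id() { sed -n 's/.*entityID="\([^"]*\)".*/\1/p' "$1" | head -n 1; }

# Number of endpoints advertised over plain http://. SAML assertions would be
# posted to these in the clear, so the count must be 0.
http_endpoints() { grep -c 'Location="http://' "$1" || true; }

# Occurrences of the template hostname; any hit means shibboleth2.xml was not fully edited.
leftover_template() { grep -c "$TEMPLATE_HOST" "$1" || true; }

# Exit 0 when the metadata is safe to upload, 1 when shibboleth2.xml needs fixing
# (then "service shibd restart" and fetch the metadata again).
metadata_ok() {
    case "$(entity_id "$1")" in
        https://"$EXPECTED_HOST"/*) ;;                  # https entityID on our own host
        *) return 1 ;;
    esac
    [ "$(http_endpoints "$1")" -eq 0 ] && [ "$(leftover_template "$1")" -eq 0 ]
}

# Constructed samples: one correct, one with the two mistakes the checks catch.
write_samples() {
    cat > "$1/good.xml" <<EOF
<md:EntityDescriptor entityID="https://$EXPECTED_HOST/sp">
  <md:SPSSODescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://$EXPECTED_HOST/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
EOF
    cat > "$1/bad.xml" <<EOF
<md:EntityDescriptor entityID="https://$TEMPLATE_HOST/sp">
  <md:SPSSODescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://$EXPECTED_HOST/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
EOF
}

SAMPLES="$(mktemp -d)"
write_samples "$SAMPLES"

for f in "$SAMPLES/good.xml" "$SAMPLES/bad.xml"; do
    if metadata_ok "$f"; then echo "$f: OK to upload"; else echo "$f: NOT OK, fix shibboleth2.xml"; fi
done
```

To use it on the real file, run `metadata_ok /tmp/shibtest.dataverse.org` (with `EXPECTED_HOST` set to the server's hostname) after the `curl` step and before visiting the TestShib registration page.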