Installing Apache
The following section only applies if you want to protect some of your datasets. It uses the mod_shib module for Apache, with Apache acting as a reverse proxy in front of the Jetty instance that runs THREDDS.
Install Apache (if it is not already installed) using yum (from Jetty's documentation):
yum install httpd
Enable the mod_proxy module by editing the httpd config
vim /etc/httpd/conf/httpd.conf
Make sure that the following line is uncommented:
LoadModule proxy_module modules/mod_proxy.so
Then add the following lines to the configuration file. ProxyRequests Off is essential: it keeps Apache a reverse proxy for /thredds only, rather than an open forward proxy that anyone on the Internet could relay requests through.
ServerName srbdev.sf.utas.edu.au
ProxyRequests Off
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
ProxyPass /thredds http://localhost:8080/thredds
ProxyPreserveHost On
Modify the $JETTY_HOME/etc/jetty.xml file so that Jetty listens on port 8080 on localhost only. This matters for security: Apache (with mod_shib) is the only component enforcing authentication, so if Jetty were reachable on an external interface a client could connect to port 8080 directly and bypass the Shibboleth protection entirely. Note that we have added the headerBufferSize element in the connector tag. This is 4k by default; mod_shib passes the user's attributes to the backend as extra HTTP request headers (see exportAssertion below), and without increasing the header size we were getting an HTTP 413 error.
<Call name="addConnector">
  <Arg>
    <New class="org.mortbay.jetty.nio.SelectChannelConnector">
      <!--<Set name="host"><SystemProperty name="jetty.host" /></Set> -->
      <Set name="host">localhost</Set>
      <Set name="port">8080</Set>
      <Set name="maxIdleTime">30000</Set>
      <Set name="Acceptors">2</Set>
      <Set name="statsOn">false</Set>
      <Set name="confidentialPort">8443</Set>
      <Set name="lowResourcesConnections">5000</Set>
      <Set name="lowResourcesMaxIdleTime">5000</Set>
      <Set name="headerBufferSize">8096</Set>
    </New>
  </Arg>
</Call>
* The forwarding will not work with the default SELinux policy, which does not allow httpd to open outbound network connections (the proxy connection to Jetty is denied). Allow it with the boolean below; the -P flag makes the change persistent across reboots:
/usr/sbin/setsebool -P httpd_can_network_connect 1
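To check that the front end is actually closed off the way this section intends, here is an added example (not part of the original page, nor of the Apache or Jetty documentation) that audits an httpd.conf proxy fragment and a jetty.xml connector. It flags a Jetty connector not bound to loopback (the bypass case), ProxyRequests left On (open forward proxy), a ProxyPass target that is not on loopback, and a headerBufferSize still at the 4k default (the HTTP 413 case). The configuration texts embedded in it are constructed from the fragments above; the thresholds and messages are the example's own.

```python
# Added example (not part of the original page): audit the Apache reverse
# proxy and the Jetty connector for the settings that carry the security
# weight in this setup. Sample configs below are constructed from the
# fragments in this section, not read from a live server.
from __future__ import annotations
import re
import xml.etree.ElementTree as ET

LOOPBACK = ("localhost", "127.0.0.1")
JETTY_DEFAULT_HEADER_BUFFER = 4096  # Jetty 6 default ("4k" above)

# Constructed httpd.conf fragment.
HTTPD_CONF = """
LoadModule proxy_module modules/mod_proxy.so
ServerName srbdev.sf.utas.edu.au
ProxyRequests Off
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
ProxyPass /thredds http://localhost:8080/thredds
ProxyPreserveHost On
"""

# Constructed jetty.xml connector, wrapped in a root element so it parses.
JETTY_XML = """<Configure id="Server" class="org.mortbay.jetty.Server">
  <Call name="addConnector">
    <Arg>
      <New class="org.mortbay.jetty.nio.SelectChannelConnector">
        <Set name="host">localhost</Set>
        <Set name="port">8080</Set>
        <Set name="headerBufferSize">8096</Set>
      </New>
    </Arg>
  </Call>
</Configure>"""


def apache_findings(conf: str) -> list[str]:
    """Return the problems found in an httpd.conf proxy fragment."""
    findings: list[str] = []
    directives: dict[str, list[str]] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):  # skip comments and <Proxy>/<Location> tags
            continue
        name, _, value = line.partition(" ")
        directives.setdefault(name, []).append(value.strip())
    if not any("proxy_module" in v for v in directives.get("LoadModule", [])):
        findings.append("mod_proxy is not loaded, so ProxyPass will not work")
    if [v.lower() for v in directives.get("ProxyRequests", [])] != ["off"]:
        findings.append("ProxyRequests must be Off: otherwise Apache is an open forward proxy")
    for value in directives.get("ProxyPass", []):
        path, _, target = value.partition(" ")
        m = re.match(r"https?://([^/:]+)", target)
        if not m or m.group(1) not in LOOPBACK:
            findings.append(f"ProxyPass {path} -> {target}: backend should be on loopback")
    return findings


def jetty_findings(xml_text: str) -> list[str]:
    """Return the problems found in the connector definitions of a jetty.xml."""
    findings: list[str] = []
    for new in ET.fromstring(xml_text).iter("New"):
        if not new.get("class", "").endswith("Connector"):
            continue
        settings = {s.get("name"): (s.text or "").strip() for s in new.findall("Set")}
        port = settings.get("port", "?")
        host = settings.get("host", "")
        if host not in LOOPBACK:
            # An empty host (the commented-out SystemProperty form) binds every interface.
            findings.append(f"connector on port {port} binds host={host or '*'}: "
                            "clients can reach Jetty without passing mod_shib")
        try:
            header_buffer = int(settings.get("headerBufferSize", JETTY_DEFAULT_HEADER_BUFFER))
        except ValueError:
            header_buffer = 0
        if header_buffer <= JETTY_DEFAULT_HEADER_BUFFER:
            findings.append(f"headerBufferSize={header_buffer} on port {port}: exported Shibboleth "
                            "attribute headers are likely to trigger HTTP 413")
    return findings


if __name__ == "__main__":
    for label, conf in (("httpd.conf as configured", HTTPD_CONF),
                        ("httpd.conf with ProxyRequests On",
                         HTTPD_CONF.replace("ProxyRequests Off", "ProxyRequests On"))):
        print(label, "->", apache_findings(conf) or "OK")
    for label, xml_text in (("jetty.xml as configured", JETTY_XML),
                            ("jetty.xml bound to all interfaces",
                             JETTY_XML.replace("localhost", "0.0.0.0"))):
        print(label, "->", jetty_findings(xml_text) or "OK")
```

Run it against your own files by reading them in place of the constructed strings; a clean run prints OK for both, while the weakened variants show the findings you would get from a Jetty bound to every interface or an Apache left as an open proxy.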
Shibboleth Service Provider
This will allow you to protect part of your website using mod_shib in Apache. (Based on http://www.bestgrid.org/index.php/Configuring_a_Shibboleth_SP_from_RPMs)
Obtaining certificates
You will need two certificates: one for the HTTPS front end, the other for the IdP-SP back-channel. End users only ever see the first one. If you do not want browser warning messages, get an ipsCA certificate (recommended for production servers). Otherwise, generate your own:
Front-channel certificate
When you install mod_ssl for Apache, a self-signed certificate and key pair are generated for you. If you are getting ipsCA certificates, refer to the Install and configure mod_ssl section below for where to put them.
Back-channel certificate
To obtain the back-channel certificate, you will need to apply for one from AusCert.
Download the request config file:
cd /etc/certs
wget http://esecurity.edu.au/docs/openssl_shiblvl3ca_certs.cnf
DO NOT SPECIFY A PASSWORD IN THE CNF FILE (the private key must be unencrypted so that shibd can load it unattended at startup).
Modify the file with your server's fully qualified domain name and IP address; openssl_shiblvl3ca_certs.cnf is an example of how to modify the file (for srbdev.sf.utas.edu.au).
Generate a certificate request:
openssl req -new -config openssl_shiblvl3ca_certs.cnf -out srbdev.sf.utas.edu.au_esecurity.csr
Send an email to AusCert with the CSR file as an attachment. You will also need to fill in the following information in the body of the email:
E-Mail (for the certificate management - alias or person)
Name
FQDN of the host for this certificate (e.g. srbdev.sf.utas.edu.au)
IP address of host (all IP addresses if multi-homed)
DNS name (all DNS names of this host)
User Data (person requesting the certificate)
Name (first and last name)
Email (official institution work email)
Department (full institution and department)
Telephone (+61...)
You should get a certificate emailed back to you. Place it in /etc/certs alongside the private key. Keep the key readable only by the account shibd runs as (for example chmod 600), since anyone who can read it can impersonate your SP on the back-channel.
Install and configure mod_ssl
To install mod_ssl for Apache, simply use yum:
yum install mod_ssl
If you have a different key/certificate pair (for example the ipsCA certificate mentioned above), put the key in:
/etc/pki/tls/private/
and the certificate in:
/etc/pki/tls/certs/
Finally, modify the SSL configuration file /etc/httpd/conf.d/ssl.conf to point to them:
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
Registering your host and service with the Federation
- You must register your host and service provider with the Federation. Doing so means your service metadata will be stored centrally and automatically distributed to the various IdPs.
- If you do not have an account, register yourself on this page:
http://www.federation.org.au/FedManager/jsp/registerUser.jsp
- Once you have logged in, click on "Add Host" (it's in the "Admin Details" table). For srbdev.sf.utas.edu.au, I've put in the following details:
Name: srbdev
Display Name: srbdev.sf.utas.edu.au
Host Entity ID: urn:mace:federation.org.au:testfed:srbdev.sf.utas.edu.au
Organization Street Address: University of Tasmania, Churchill Avenue, Sandy Bay
Organization Website: http://www.arcs.org.au
The Host Entity ID is always "urn:mace:federation.org.au:testfed" followed by ":<hostname>" if you want to be part of the federation.org.au Federation.
- For each SP you would like to host on this server, you will need to add it to the Federation too. After you have added a host, you should see another table. Click on "Add SP". The following is an example of what I have filled in:
Certificate CN: srbdev.sf.utas.edu.au
Artifact Consumer Service URL: <tab complete - https://srbdev.sf.utas.edu.au/Shibboleth.sso/SAML/Artifact>
Assertion Consumer Service URL: <tab complete - https://srbdev.sf.utas.edu.au/Shibboleth.sso/SAML/POST>
Service URL: https://srbdev.sf.utas.edu.au/thredds/
Service Information URL: <empty>
Federation Level: 1
Description: THREDDS Data Server
Long Description: THREDDS Data Server - OPeNDAP, WCS, WMS and NetCDF Subsetter
Add Certificate: <empty>
* Select "AAF Floor of Trust". Or, if your datasets require a higher level of trust, select LEVEL 3.
* By default, all IdPs in the federation will be able to access this service. You can also specify a list of authorised IdPs. It's probably a good idea to accept all IdPs.
You should get a confirmation from MAMS once your SP is registered. Note that level 1 is selected. Your SP will not function until your metadata has been refreshed at the users' IdPs, which only happens after you have received the confirmation from MAMS; how long it takes depends on how often each IdP refreshes its metadata. For example, the ARCS OpenIdP is updated hourly.
Installing Shibboleth packages
- Grab the Shibboleth SP packages from shibboleth.internet2.edu. This installs mod_shib for Apache. As root:
wget -r -np http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/1.3.1/RPMS/i386/RHE/5/
cd shibboleth.internet2.edu/downloads/shibboleth/cppsp/1.3.1/RPMS/i386/RHE/5
rpm -Uvh *.rpm
Once installed, this will create a set of Shibboleth directories. You will need to modify the Shibboleth configuration file in
/etc/shibboleth/shibboleth.xml
You will need to modify a number of elements:
--------------------------------------------------------------------------------------------------
SPConfig/Local/RequestMapProvider/RequestMap/Host:
<Host name="srbdev.sf.utas.edu.au" redirectToSSL="443">
<Path name="thredds" authType="shibboleth" requireSession="true" exportAssertion="true" />
</Host>
--------------------------------------------------------------------------------------------------
SPConfig/Local/RequestMapProvider/Implementation/ISAPI/Site:
<Site id="1" name="srbdev.sf.utas.edu.au"/>
--------------------------------------------------------------------------------------------------
SPConfig/Applications (notice that it's pointing to level1, and the providerId must be the
same as the "Host Entity ID" you registered):
<Applications id="default" providerId="urn:mace:federation.org.au:testfed:srbdev.sf.utas.edu.au"
homeURL="https://srbdev.sf.utas.edu.au/index.html"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
--------------------------------------------------------------------------------------------------
SPConfig/CredentialProvider:
<CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
<Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
<FileResolver Id="defcreds">
<Key>
<Path>/etc/certs/srbdev-backchannel.key</Path>
</Key>
<Certificate>
<Path>/etc/certs/srbdev.sf.utas.edu.au.crt</Path>
</Certificate>
</FileResolver>
</Credentials>
</CredentialsProvider>
--------------------------------------------------------------------------------------------------
SPConfig/Applications/SessionInitiator:
<SessionInitiator isDefault="true" id="MAMS-Fed" Location="/WAYF/level-1.federation.org.au"
Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
wayfURL="https://www.federation.org.au/level-1-wayf/WAYF"
wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
--------------------------------------------------------------------------------------------------
SPConfig/Applications/Sessions/md:AssertionConsumerService:
<md:AssertionConsumerService Location="/SAML/POST" index="2"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
<md:AssertionConsumerService Location="/SAML/Artifact" isDefault="true" index="1"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
--------------------------------------------------------------------------------------------------
SPConfig/Applications/Errors/@supportContact:
supportContact="pauline.mak@arcs.org.au"
--------------------------------------------------------------------------------------------------
SPConfig/Applications/MetadataProvider (you will need to download this metadata.xml file!):
<MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
uri="/etc/shibboleth/level-1-metadata.xml"/>
- Download the metadata.xml file:
wget http://www.federation.org.au/level-1/level-1-metadata.xml
- Now modify the Apache config to protect the thredds directory. In /etc/httpd/conf.d/shib.conf, add the following block. At the moment this is set to require valid-user, i.e. anyone who can authenticate at any IdP in the federation; you may want to tighten it depending on the access restrictions per dataset. The Location must match the Path you configured in the RequestMap above.
<Location /thredds>
    AuthType shibboleth
    ShibRequireSession On
    require valid-user
</Location>
- Start the services (as root; the java command is run from $JETTY_HOME):
/etc/init.d/shibd start
java -DSTOP.PORT=8079 -DSTOP.KEY=secret -jar start.jar $JETTY_HOME/etc/jetty-setuid.xml $JETTY_HOME/etc/jetty.xml
/etc/init.d/httpd restart
The STOP.KEY value "secret" is only a placeholder: any local process that can connect to the stop port with that key can shut Jetty down, so choose your own value.
- The installation and configuration process should be complete! Now browse to the THREDDS front page:
http://srbdev.sf.utas.edu.au/thredds
- This should now redirect you to the WAYF page.
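Before starting the services it is worth checking that what shibd has been told matches what the federation has published, since a mismatch between providerId and the registered entity ID, or between the local AssertionConsumerService endpoints and those in the metadata, is the usual reason the SP "does not work" after this procedure. The following added example (not code from the original page or from the Shibboleth project) cross-checks a simplified shibboleth.xml against a level-1 style metadata file: it verifies the RequestMap for the host, that providerId is an entityID in the metadata, that the ACS endpoints handled locally are exactly those published for the SP, and that the metadata contains at least one IdP. Both documents are constructed samples modelled on the fragments above: the shibboleth.xml is stripped down (no namespace on SPConfig, only the elements the check uses) and the IdP entity idp.example.org is a placeholder, not a real IdP.

```python
# Added example (not part of the original page): cross-check the local
# shibboleth.xml against the federation metadata before starting shibd.
# Both documents are constructed, simplified samples modelled on the page's
# fragments; the IdP entity below is a placeholder, not a real IdP.
from __future__ import annotations
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SP_HOST = "srbdev.sf.utas.edu.au"

SHIBBOLETH_XML = """<SPConfig>
  <Local>
    <RequestMapProvider>
      <RequestMap applicationId="default">
        <Host name="srbdev.sf.utas.edu.au" redirectToSSL="443">
          <Path name="thredds" authType="shibboleth" requireSession="true" exportAssertion="true"/>
        </Host>
      </RequestMap>
    </RequestMapProvider>
  </Local>
  <Applications id="default" providerId="urn:mace:federation.org.au:testfed:srbdev.sf.utas.edu.au"
      homeURL="https://srbdev.sf.utas.edu.au/index.html"
      xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
    <Sessions handlerURL="/Shibboleth.sso">
      <md:AssertionConsumerService Location="/SAML/POST" index="2"
          Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
      <md:AssertionConsumerService Location="/SAML/Artifact" isDefault="true" index="1"
          Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
    </Sessions>
  </Applications>
</SPConfig>"""

METADATA_XML = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="urn:mace:federation.org.au:testfed">
  <md:EntityDescriptor entityID="urn:mace:federation.org.au:testfed:srbdev.sf.utas.edu.au">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
      <md:AssertionConsumerService index="1" isDefault="true"
          Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
          Location="https://srbdev.sf.utas.edu.au/Shibboleth.sso/SAML/Artifact"/>
      <md:AssertionConsumerService index="2"
          Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
          Location="https://srbdev.sf.utas.edu.au/Shibboleth.sso/SAML/POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0">
      <md:SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
          Location="https://idp.example.org/idp/profile/Shibboleth/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def check_sp_against_metadata(shib_xml: str, metadata_xml: str, host: str) -> list[str]:
    """Return a list of mismatches; an empty list means the SP is consistent with the metadata."""
    findings: list[str] = []
    sp = ET.fromstring(shib_xml)
    md = ET.fromstring(metadata_xml)
    acs_tag = f"{{{MD}}}AssertionConsumerService"

    # 1. Request map: the protected path must demand a Shibboleth session over SSL.
    for h in sp.iter("Host"):
        if h.get("name") != host:
            continue
        if h.get("redirectToSSL") != "443":
            findings.append(f"Host {host}: redirectToSSL is not 443; sessions would run over plain HTTP")
        for p in h.findall("Path"):
            if p.get("authType") != "shibboleth" or p.get("requireSession") != "true":
                findings.append(f"Path /{p.get('name')} does not require a Shibboleth session")

    # 2. providerId must be an entityID the federation has published.
    apps = sp.find("Applications")
    provider_id = apps.get("providerId")
    entities = {e.get("entityID"): e for e in md.iter(f"{{{MD}}}EntityDescriptor")}
    if provider_id not in entities:
        findings.append(f"providerId {provider_id} is not in the metadata: "
                        "the SP will not work until the federation publishes it")
    else:
        # 3. The ACS endpoints shibd handles must be exactly the ones IdPs are told about.
        sessions = apps.find("Sessions")
        handler = sessions.get("handlerURL", "/Shibboleth.sso")
        local = {(a.get("Binding"), f"https://{host}{handler}{a.get('Location')}")
                 for a in sessions.findall(acs_tag)}
        spsso = entities[provider_id].find(f"{{{MD}}}SPSSODescriptor")
        published = set() if spsso is None else {(a.get("Binding"), a.get("Location"))
                                                 for a in spsso.findall(acs_tag)}
        for binding, location in local - published:
            findings.append(f"ACS {location} ({binding}) is handled locally but not in metadata")
        for binding, location in published - local:
            findings.append(f"ACS {location} ({binding}) is in metadata but not handled locally")

    # 4. Without any IdP in the metadata the WAYF has nowhere to send users.
    if next(md.iter(f"{{{MD}}}IDPSSODescriptor"), None) is None:
        findings.append("metadata contains no IdP")
    return findings


if __name__ == "__main__":
    print(check_sp_against_metadata(SHIBBOLETH_XML, METADATA_XML, SP_HOST) or "consistent")
```

To use it on a real installation, read /etc/shibboleth/shibboleth.xml and /etc/shibboleth/level-1-metadata.xml into the two strings (the real shibboleth.xml carries a default namespace on SPConfig, so the plain tag lookups would then need the namespace prefixed). An empty result means providerId, the ACS endpoints and the request map all line up; the "not in the metadata" finding is exactly the state you are in between registering the SP and the federation's next metadata publication.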