
Installing CASshib and configuring ASI to use it

Pekka Ekman edited this page Apr 19, 2012 · 5 revisions
These instructions are incomplete. No fully working system has been set up with them. They should only be used as a rough guide.

These instructions are for setting up a Shibboleth test environment using openidp.feide.no as the identity provider.

  1. Install the following packages (on Ubuntu):
  • apache2-mpm-worker (or -prefork or -event)
  • libapache2-mod-gnutls
  • libapache2-mod-shib2
  • tomcat6
  1. Create certificates. You can do this on the server or on another computer.

    These instructions are partially based on the instructions and scripts in http://it.toolbox.com/blogs/securitymonkey/howto-securing-a-website-with-client-ssl-certificates-11500

    mkdir cert_tmp_dir && cd cert_tmp_dir
    cp /etc/ssl/openssl.cnf .
    export OPENSSL_CONF=./openssl.cnf

    Edit openssl.cnf:

    • under [ CA_default ]:
      • dir = .
      • new_certs_dir = $dir
      • copy_extensions = copy (optional, needed for DNS aliases)
    • under [ policy_match ]:
      • stateOrProvinceName = optional
    • under [ req ]:
      • req_extensions = v3_req (optional, needed for DNS aliases)
    • under [ v3_req ]:
      • subjectAltName = "DNS:1st.dns.alias, DNS:2nd.dns.alias, ..." (optional, add the server's alternate domain names here)

    Create a CA:

    (umask 077; openssl genrsa -out ca.key 2048)
    openssl req -new -key ca.key -out ca.csr
    openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt
    touch index.txt
    echo FACE > serial

    Create a server key and sign it with the CA's key. Enter the server's fully qualified domain name in the Common Name field.

    (umask 077; openssl genrsa -out server1.key 2048)
    openssl req -new -key server1.key -out server1.csr
    openssl ca -in server1.csr -cert ca.crt -keyfile ca.key -out server1.crt

    Convert the server key and certificate to Java keystore format and add the CA certificate as a trusted entry. To put several key/certificate pairs into the keystore, repeat the export and import for each pair, giving each one a different -name (the keytool alias).

    (umask 077; openssl pkcs12 -export \
                        -in server1.crt -inkey server1.key -name server1 \
                        -out keystore.pkcs12 )
    (umask 077; keytool -importkeystore \
                        -srckeystore keystore.pkcs12 -srcstoretype PKCS12 \
                        -destkeystore keystore.jks -deststoretype JKS )
    # Only the CA certificate is needed as a trust anchor; ca.key stays with the CA.
    keytool -importcert -alias test_CA -file ca.crt -keystore keystore.jks

    Copy ca.crt, server1.crt, server1.key and keystore.jks to the server. Make sure that server1.key and keystore.jks have proper permissions (not world-readable). Import the keystore into the default Java keystore on the server. The default keystore password is changeit.

    sudo keytool -importkeystore \
                 -srckeystore some/path/keystore.jks -srcstoretype JKS \
                 -destkeystore /etc/ssl/certs/java/cacerts
  2. Edit /etc/tomcat6/server.xml so that Tomcat has an AJP connector listening on localhost port 8765 (the port Apache proxies to below).

  3. Configure Apache to use Shibboleth and act as a reverse proxy forwarding requests to Tomcat. These instructions are for Ubuntu, which uses a heavily customized layout for Apache configuration files.

    • disable all sites (sudo a2dissite <site-name>) and enable the site default-ssl (sudo a2ensite default-ssl)

    • enable required modules (the site configuration below uses mod_rewrite, so it must be enabled too): sudo a2enmod gnutls proxy proxy_ajp rewrite shib2

    • edit /etc/apache2/ports.conf and comment out the following lines:

      NameVirtualHost *:80
      Listen 80
    • replace the contents of the file /etc/apache2/sites-enabled/default-ssl with the following:

      <VirtualHost _default_:443>
          ServerName https://your.hostname:443
      
          GnuTLSEnable on
          GnuTLSPriorities NORMAL
      
          GnuTLSCertificateFile /some/path/server1.crt
          GnuTLSKeyFile /some/path/server1.key
          GnuTLSClientCAFile /some/path/ca.crt
      
          # Serve these files directly
          ProxyPass /shibboleth-sp !
          Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
          Alias /shibboleth-sp/logo.jpg /usr/share/shibboleth/logo.jpg
      
          # This is a kludge needed to make openidp.feide.no IdP
          # work. Openidp.feide.no wants to download the Shibboleth SP
          # metadata from the URL in SAML entityID. However, CASshib uses
          # the login page's URL as entityID. To solve this we'll use
          # mod_rewrite to detect requests from openidp.feide.no's IP
          # address block and redirect these requests to the metadata URL.
          RewriteEngine On
          RewriteCond %{REMOTE_ADDR} ^158\.38\.130\.
          RewriteRule    ^/(?!casshib/)([^/]+)/?$ https://your.hostname/casshib/shib/$1/Shibboleth.sso/Metadata [R,L]
          RewriteCond %{REMOTE_ADDR} ^158\.38\.130\.
          RewriteRule    ^/casshib/(?!shib)([^/]+)/?$ https://your.hostname/casshib/shib/$1/Shibboleth.sso/Metadata [R,L]
      
          ProxyRequests Off
          <Proxy *>
              Order deny,allow
              Allow from all
          </Proxy>
      
          # always keep the host header
          ProxyPreserveHost On
      
          ProxyPass / ajp://localhost:8765/
      
          UseCanonicalName On
      
          # Protect the login and Shibboleth.sso URLs.
          <LocationMatch "/casshib/shib/[^/]*/(login|Shibboleth.sso(/[^/]*)?)">
              AuthType shibboleth
              ShibRequireSession On
              ShibUseHeaders On
              require valid-user
          </LocationMatch>
      
      </VirtualHost>
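The RewriteCond/RewriteRule kludge above is easy to get wrong (a rule that also matches the metadata URL itself would redirect forever). The following is an added example, not part of the original page, that transcribes the two rules and the address check into Python regexes so you can see which requests would be redirected and where; `your.hostname` is the placeholder from the configuration and the sample requests are constructed. Apache uses PCRE, so the negative lookaheads carry over unchanged.

```python
import re

# Address block of openidp.feide.no, exactly as in the RewriteCond above.
FEIDE_NET = re.compile(r"^158\.38\.130\.")

# The two RewriteRule patterns and their substitutions ($1 -> {0}).
RULES = [
    (re.compile(r"^/(?!casshib/)([^/]+)/?$"),
     "https://your.hostname/casshib/shib/{0}/Shibboleth.sso/Metadata"),
    (re.compile(r"^/casshib/(?!shib)([^/]+)/?$"),
     "https://your.hostname/casshib/shib/{0}/Shibboleth.sso/Metadata"),
]


def metadata_redirect(remote_addr, path):
    """Return the Location the vhost would redirect to, or None when the
    request is passed through to Tomcat unchanged.

    Each RewriteCond applies only to the RewriteRule that follows it, and both
    rules carry the same condition, so the address check is done once here.
    """
    if not FEIDE_NET.match(remote_addr):
        return None
    for pattern, target in RULES:
        m = pattern.match(path)
        if m:
            return target.format(m.group(1))   # [R,L]: first match wins
    return None


if __name__ == "__main__":
    # Constructed sample requests: (client address, URL path).
    samples = [
        ("158.38.130.17", "/app1"),
        ("158.38.130.17", "/casshib/app1/"),
        ("158.38.130.17", "/casshib/shib/app1/Shibboleth.sso/Metadata"),  # must not loop
        ("158.38.130.17", "/app1/login"),                                  # deeper paths untouched
        ("192.0.2.10", "/app1"),                                           # other clients untouched
    ]
    for addr, path in samples:
        print(f"{addr:15} {path:45} -> {metadata_redirect(addr, path)}")
```

The third sample is the one worth checking after any change to the rules: the metadata URL that the IdP is sent to must itself fall outside both patterns, otherwise the IdP's fetch ends in a redirect loop.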
  4. Restart Tomcat and Apache

  5. Get IdP metadata by some means and put the metadata file in a suitable place on the server.

    wget -O /some/path/openidp.feide.no-metadata.xml https://openidp.feide.no/simplesaml/saml2/idp/metadata.php
  6. Edit the file /etc/shibboleth/shibboleth2.xml

    • if a <RequestMapper type="Native"> element exists, delete it together with its contents (or comment it out)

    • add the following under the root element (<SPConfig>):

          <RequestMapper type="Native">
              <RequestMap applicationId="default">
                  <!-- the attribute 'name' must match the hostname in Apache's ServerName directive: -->
                  <Host name="your.hostname" port="443" scheme="https">
                      <!-- add a PathRegex element for each service: -->
                      <PathRegex regex="casshib/shib/app1" applicationId="app1" authType="shibboleth" requireSession="true"/>
                      ...
                  </Host>
              </RequestMap>
          </RequestMapper>
    • edit the element <ApplicationDefaults>:

          <ApplicationDefaults id="default" policyId="default"
                               entityID="https://your.hostname/BOGUS_SERVICE"
                               homeURL="https://your.hostname/BOGUS_SERVICE"
                               REMOTE_USER="shibattr-uid"
                               signing="false" encryption="false">
      • Inside that element, add an ApplicationOverride for each service:

            <ApplicationDefaults id="default" ...>
                ...existing elements...
        
                <ApplicationOverride id="app1"
                                     entityID="https://your.hostname/casshib/app1"
                                     homeURL="https://app1.url/"
                                     REMOTE_USER="shibattr-uid">
                    <!-- NOTE the cookieProps path is different for each service.
                         The handlerURL needs to fall within the path of the cookie. -->
                    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
                              handlerURL="/casshib/shib/app1/Shibboleth.sso" handlerSSL="true"
                              exportLocation="/casshib/shib/app1/Shibboleth.sso/GetAssertion" 
                              idpHistory="false" idpHistoryDays="7"
                              cookieProps="; path=/casshib/shib/app1">
                    </Sessions>
                </ApplicationOverride>
                ...
            </ApplicationDefaults>
      • Under <ApplicationDefaults> / <Sessions>, comment out existing <SSO> elements and add an SSO element for your IdP:

        <SSO entityID="https://openidp.feide.no">
          SAML2 SAML1
        </SSO>
      • Add a MetadataProvider element for your IdP (also under <ApplicationDefaults>):

        <MetadataProvider type="XML" file="/some/path/openidp.feide.no-metadata.xml"/>
  7. Run the following commands:

    sudo sed -i -e 's/\bid="/id="shibattr-/' /etc/shibboleth/attribute-map.xml
    sudo sed -i -e 's/\b\(attributeID="\)\([^\*]\)/\1shibattr-\2/' /etc/shibboleth/attribute-policy.xml
  8. Edit /etc/shibboleth/attribute-map.xml:

    • Add the following under the top level element (<Attributes>):

          <!-- for openidp.feide.no: -->
          <Attribute name="uid" id="shibattr-uid"/>
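Steps 6 to 8 have to agree with each other: every PathRegex must name an existing ApplicationOverride, each override's handlerURL must lie inside its own cookie path (the NOTE in the ApplicationOverride above), no two services may share a cookie path, and REMOTE_USER must name an id that attribute-map.xml actually produces after the shibattr- renaming. The script below is an added consistency check, not part of the page or of the Shibboleth SP; it parses constructed samples of the relevant parts of shibboleth2.xml and attribute-map.xml (the second sample service, app2, and its deliberately wrong cookie path are invented for the demonstration) and reports what it finds. Point it at the real files by reading them into the two strings.

```python
import re
import xml.etree.ElementTree as ET

NS = {"c": "urn:mace:shibboleth:2.0:native:sp:config",
      "a": "urn:mace:shibboleth:2.0:attribute-map"}

# Constructed sample of shibboleth2.xml after the edits above. app2 is a second,
# invented service whose cookie path is a parameter so the check can be shown
# both failing (default: path copied from app1) and passing.
SHIBBOLETH2_TEMPLATE = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host name="your.hostname" port="443" scheme="https">
        <PathRegex regex="casshib/shib/app1" applicationId="app1" authType="shibboleth" requireSession="true"/>
        <PathRegex regex="casshib/shib/app2" applicationId="app2" authType="shibboleth" requireSession="true"/>
      </Host>
    </RequestMap>
  </RequestMapper>
  <ApplicationDefaults id="default" policyId="default"
                       entityID="https://your.hostname/BOGUS_SERVICE" REMOTE_USER="shibattr-uid">
    <Sessions lifetime="28800" timeout="3600" handlerURL="/Shibboleth.sso" handlerSSL="true"/>
    <ApplicationOverride id="app1" entityID="https://your.hostname/casshib/app1" REMOTE_USER="shibattr-uid">
      <Sessions handlerURL="/casshib/shib/app1/Shibboleth.sso" handlerSSL="true"
                cookieProps="; path=/casshib/shib/app1"/>
    </ApplicationOverride>
    <ApplicationOverride id="app2" entityID="https://your.hostname/casshib/app2" REMOTE_USER="shibattr-uid">
      <Sessions handlerURL="/casshib/shib/app2/Shibboleth.sso" handlerSSL="true"
                cookieProps="; path={app2_cookie_path}"/>
    </ApplicationOverride>
  </ApplicationDefaults>
</SPConfig>"""

# Constructed sample of attribute-map.xml after step 7's sed and step 8's addition.
ATTRIBUTE_MAP_XML = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="uid" id="shibattr-uid"/>
  <Attribute name="mail" id="shibattr-mail"/>
</Attributes>"""


def sample_shibboleth2_xml(app2_cookie_path="/casshib/shib/app1"):
    return SHIBBOLETH2_TEMPLATE.format(app2_cookie_path=app2_cookie_path)


def cookie_path(cookie_props):
    """Extract the path from a cookieProps value such as '; path=/casshib/shib/app1'.
    Shibboleth falls back to '/' when no path is given, so do the same here."""
    m = re.search(r"path=([^;]+)", cookie_props or "")
    return m.group(1).strip() if m else "/"


def check_sp_config(shibboleth2_xml, attribute_map_xml):
    """Return a list of problems found; an empty list means all checks passed."""
    problems = []
    root = ET.fromstring(shibboleth2_xml)
    attr_ids = {a.get("id") for a in ET.fromstring(attribute_map_xml).findall("a:Attribute", NS)}
    defaults = root.find("c:ApplicationDefaults", NS)
    overrides = {o.get("id"): o for o in root.findall(".//c:ApplicationOverride", NS)}

    # 1. Every PathRegex in the RequestMap must point at an existing override.
    for pr in root.findall(".//c:PathRegex", NS):
        app = pr.get("applicationId")
        if app not in overrides:
            problems.append(f"PathRegex {pr.get('regex')!r}: no ApplicationOverride id={app!r}")

    # 2. handlerURL inside the cookie path, and one cookie path per service.
    seen = {}
    for app, override in overrides.items():
        sess = override.find("c:Sessions", NS)
        if sess is None:
            problems.append(f"{app}: no Sessions element")
            continue
        path = cookie_path(sess.get("cookieProps"))
        handler = sess.get("handlerURL", "")
        if not handler.startswith(path.rstrip("/") + "/"):
            problems.append(f"{app}: handlerURL {handler!r} is outside cookie path {path!r}")
        if path in seen:
            problems.append(f"{app}: cookie path {path!r} is already used by {seen[path]}")
        seen.setdefault(path, app)

    # 3. REMOTE_USER (a space-separated list of ids) must be produced by the attribute map.
    for app, element in [("default", defaults)] + list(overrides.items()):
        for remote_user in (element.get("REMOTE_USER") or "").split():
            if remote_user not in attr_ids:
                problems.append(f"{app}: REMOTE_USER {remote_user!r} is not defined in attribute-map.xml")
    return problems


if __name__ == "__main__":
    for problem in check_sp_config(sample_shibboleth2_xml(), ATTRIBUTE_MAP_XML) or ["no problems found"]:
        print(problem)
```

With the default (wrong) sample the script reports two problems for app2, both caused by the copied cookie path: its handlerURL is outside the cookie path, so the session cookie would never be sent back to the handler, and the path collides with app1's, so the two services would overwrite each other's sessions.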
  9. Restart shibd

  10. Download CASshib

  11. Extract the package and copy the file casshib-server-x.x.xx/modules/casshib-server-webapp-x.x.xx.war to /var/lib/tomcat6/webapps/casshib.war (as root). Tomcat should automatically extract the package to the subdirectory casshib.

  12. Edit the file /var/lib/tomcat6/webapps/casshib/WEB-INF/classes/casshib-service-registrations.xml:

    • add a <service> element under <casShibServiceRegistrations>:

      <service id="https://idp03.aalto.fi/idp/shibboleth"
               appname="name"
               passcode="96306" />

      TODO: explain where the id attribute comes from

TODO: callback and ASI configuration