...
Make sure that connections are allowed to port 3306 from the peer server only (see firewall instructions above). For instructions on setting up the MySQL master/slave replication, see https://wikis.mit.edu/confluence/display/ISDA/MySQL+Replication+Configuration+Instructions
Maintaining the CAMS database
...
- Run the idp application installer from our customized binary distribution, available in /mit/touchstone/builds/NIST/idp2-cams/cams-shibboleth-identityprovider-2.x.y-bin.tgz, and the install script contained therein. For example:
By default (because of one of our customizations to the stock Internet2 distribution) this will install underNo Format # cd /tmp # rm -rf shibboleth-identityprovider-2.* # tar xzf /path/to/cams-shibboleth-identityprovider-2.1.5-bin.tgz # cd shibboleth-identityprovider-2.1.5 # ./install.sh [There should be no need to override the default responses to the installer's questions.]
/usr/local/shibboleth-idp/. The installer will not overwrite the configuration files of an existing installation. For a new installation, the installer will generate a keystore, and prompt for its password; currently we do not use this keystore, so the password does not matter. This distribution contains the standard shibboleth-identityprovider binary distribution, from the Internet2 zip file (http://shibboleth.internet2.edu/downloads/shibboleth/idp/latest/), plus the following customizations: - camslogin
This provides the custom login pages for CAMS users. It is available as a tarball (/mit/touchstone/builds/NIST/idp2-cams/camslogin.tgz) which is unpacked into the top-level directory of the binary distribution. - CamsLoginModule (cams-jaas-loginmodule-x.y.jar)
This is the JAAS login module for CAMS. It is available as a .jar file in /mit/touchstone/builds/NIST/cams-jaas-loginmodule-x.y.jar, where x.y is the version number (currently 1.0). It must be copied into the lib subdirectory of the binary distribution. - camsutil-1.0.jar
This is a helper package used by the login module to validate the username/password. It is available in /mit/touchstone/builds/NIST/camsutil-1.0.jar. It must be copied into the lib subdirectory of the binary distribution along with the login module jar file.
- camslogin
- The installer will create and populate /usr/local/shibboleth-idp; the web application (war) file will be in /usr/local/shibboleth-idp/war/idp.war, but the current version of the idp.war will be available in the locker (/mit/touchstone/builds/NIST/idp2-mit/idp.war).
- The idp application, running under Tomcat, needs full access to the install directory, so make sure it is owned by the tomcat user, e.g.:
To ensure that we run the current version of the web application, download the latest idp.war file from the touchstone locker (/mit/touchstone/builds/NIST/idp2-mit/idp.war) and copy it into /usr/local/tomcat/webapps/:No Format # chown -R tomcat:tomcat /usr/local/shibboleth-idp
No Format # cp /path/to/idp.war /usr/local/tomcat/webapps/ # chown tomcat:tomcat /usr/local/tomcat/webapps/idp.war
- Copy the idp's endorsed jar files to tomcat's endorsed dir:
No Format # mkdir -p /usr/local/tomcat/endorsed # cp -p /usr/local/shibboleth-idp/lib/endorsed/*.jar /usr/local/tomcat/endorsed/ # chown -R tomcat:tomcat /usr/local/tomcat/endorsed
- Copy in the idp config files for the server, to the conf subdirectory; these include:
- attribute-filter.xml
- attribute-resolver.xml
- handler.xml
- internal.xml
- logging.xml
- login.config
- relying-party.xml
- service.xml
- tc-config.xml (for terracotta clustering)
Terracotta
(See https://spaces.internet2.edu/display/SHIB2/IdPCluster)
The terracotta software can be used to cluster the IdP nodes. Note that currently the Cams IdPs are not clustered, so terracotta should not be running. Each node must run the terracotta server, as well as the instrumented client (tomcat, in our case). The terracotta server operates in either the active or passive role; only one server should be in the "active/coordinator" state at a time.
...
We use the stock RHEL 5 64-bit RPMs, available from the Internet2 downloads site; the best way to install the RPMs is to use Shibboleth's yum repository, as described in https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxRPMInstall. To configure the repository, install the repository definition file into /etc/yum.repos.d. Once the repository is configured, you can install the current RPMs, including dependencies, using yum, e.g.:
...