v4.6.1
Shib setup

FIXME: merge with what's in the Installation Guide: http://guides.dataverse.org/en/latest/installation

Install Apache and mod_shib (the Shibboleth SP module for Apache)

Set up a valid SSL cert

Create a private key

[root@dvn-vm3 ~]# openssl genrsa -out /root/cert/shibtest.dataverse.org.key 2048
Generating RSA private key, 2048 bit long modulus
..............................................................................................................+++
..............................................................................................................................+++
e is 65537 (0x10001)

Put the private key where Apache can read it and lock down its permissions (owner-only, root:root)

[root@dvn-vm3 ~]# cp /root/cert/shibtest.dataverse.org.key /etc/pki/tls/private
[root@dvn-vm3 ~]# chmod 600 /etc/pki/tls/private/shibtest.dataverse.org.key
[root@dvn-vm3 ~]# chown root:root /etc/pki/tls/private/shibtest.dataverse.org.key

Back up the private key

Keep it secret. Keep it safe.

Create a CSR using the private key

[root@dvn-vm3 ~]# openssl req -new -key /root/cert/shibtest.dataverse.org.key -out /root/cert/shibtest.dataverse.org.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Massachusetts
Locality Name (eg, city) [Default City]:Cambridge
Organization Name (eg, company) [Default Company Ltd]:Harvard College
Organizational Unit Name (eg, section) []:IQSS
Common Name (eg, your name or your server's hostname) []:shibtest.dataverse.org
Email Address []:support@dataverse.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@dvn-vm3 ~]#

Use the CSR to request a cert from a certificate authority (CA)

Upload /root/cert/shibtest.dataverse.org.csr to https://cert-manager.com/customer/InCommon

Wait for the SSL cert to be approved.

When the cert has been approved, download it and the certificate chain, install both under /etc/pki/tls/certs, and make them world-readable (unlike the private key, certificates are public)

[root@dvn-vm3 ~]# chmod 644 /etc/pki/tls/certs/shibtest.dataverse.org.crt
[root@dvn-vm3 ~]# chmod 644 /etc/pki/tls/certs/shibtest.dataverse.org_server-chain.crt

Re-configure Apache to use the new cert

[root@dvn-vm3 ~]# vim /etc/httpd/conf.d/ssl.conf
[root@dvn-vm3 ~]# grep shibtest /etc/httpd/conf.d/ssl.conf
ServerName shibtest.dataverse.org:443
SSLCertificateFile /etc/pki/tls/certs/shibtest.dataverse.org.crt
SSLCertificateKeyFile /etc/pki/tls/private/shibtest.dataverse.org.key
SSLCertificateChainFile /etc/pki/tls/certs/shibtest.dataverse.org_server-chain.crt
[root@dvn-vm3 ~]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@dvn-vm3 ~]#

Now https://shibtest.dataverse.org shouldn't give any browser warnings or curl errors.
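The key, CSR and certificate steps above, collected into one script together with the checks worth running before Apache is restarted: that the key is owner-only, that the CSR and the issued cert were built from that key (a mismatch is the usual reason httpd refuses to start after a cert swap), and that the cert verifies against the chain file Apache will present. This is an added example, not from the Dataverse project: the DN fields copy the interactive session above, the hostname is a parameter, and the function names and file layout are my own.

```shell
#!/bin/sh
# Added example (not part of the Dataverse docs): non-interactive versions of the
# openssl steps above plus checks on the results. Paths and hostname are parameters;
# the DN fields are the ones typed in the interactive session on this page.
set -eu

# Generate a 2048-bit RSA key; the umask in the subshell makes the file 0600 from creation.
make_private_key() {  # $1 = output path
    ( umask 077; openssl genrsa -out "$1" 2048 2>/dev/null )
}

# Non-interactive equivalent of the 'openssl req -new' session above.
make_csr() {  # $1 = key, $2 = CSR output path, $3 = hostname (CN)
    openssl req -new -key "$1" -out "$2" \
        -subj "/C=US/ST=Massachusetts/L=Cambridge/O=Harvard College/OU=IQSS/CN=$3/emailAddress=support@dataverse.org"
}

# 0 when the key is mode 0600 (or 0400) and owned by the expected user.
key_is_locked_down() {  # $1 = key path, $2 = expected owner (root on the real box)
    mode=$(stat -c '%a' "$1")
    owner=$(stat -c '%U' "$1")
    [ "$owner" = "$2" ] && { [ "$mode" = "600" ] || [ "$mode" = "400" ]; }
}

# Digest of the RSA modulus of a key (rsa), CSR (req) or certificate (x509).
modulus_of() {  # $1 = kind: rsa | req | x509, $2 = file
    openssl "$1" -noout -modulus -in "$2" | openssl sha256
}

# 0 when a CSR or certificate carries the public half of the given key.
key_matches() {  # $1 = kind of $2 (req | x509), $2 = CSR or cert, $3 = private key
    [ "$(modulus_of "$1" "$2")" = "$(modulus_of rsa "$3")" ]
}

# 0 when the server cert chains to the CA bundle Apache will serve as SSLCertificateChainFile.
chain_verifies() {  # $1 = server cert, $2 = chain file
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Usage on the real host (hypothetical invocation, paths from the page above):
#   . ./tls-check.sh
#   key_is_locked_down /etc/pki/tls/private/shibtest.dataverse.org.key root
#   key_matches x509 /etc/pki/tls/certs/shibtest.dataverse.org.crt /etc/pki/tls/private/shibtest.dataverse.org.key
#   chain_verifies /etc/pki/tls/certs/shibtest.dataverse.org.crt /etc/pki/tls/certs/shibtest.dataverse.org_server-chain.crt
```

The modulus comparison works for the CSR as well as the final cert, so it can be run before the request is uploaded to the CA and again after the signed cert comes back; the permission check is what "Keep it secret" reduces to on disk.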

Force HTTPS with Apache

Use https://github.com/IQSS/dataverse/blob/auth/conf/httpd/conf.d/dataverse.conf as a template and make sure RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L] is active.

Run service httpd restart.

Update/verify files under /etc/shibboleth

For /etc/shibboleth/shibboleth2.xml use the version from https://github.com/IQSS/dataverse/blob/auth/conf/vagrant/etc/shibboleth/shibboleth2.xml but replace "pdurbin.pagekite.me" with "shibtest.dataverse.org".

Put https://github.com/IQSS/dataverse/blob/auth/conf/vagrant/etc/shibboleth/dataverse-idp-metadata.xml at /etc/shibboleth/dataverse-idp-metadata.xml

Put https://github.com/IQSS/dataverse/blob/auth/conf/vagrant/etc/shibboleth/attribute-map.xml at

After making these changes, run service shibd restart and service httpd restart.
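A pre-restart check for the /etc/shibboleth changes above, as an added example that is not part of the Dataverse project: it fails if the template hostname "pdurbin.pagekite.me" was left anywhere in the directory, if one of the three files the procedure installs is missing, or if shibboleth2.xml does not declare an entityID under the SP hostname. The entityID form https://<host>/... is an assumption about the template (the Shibboleth SP default convention), as are the function names.

```shell
#!/bin/sh
# Added example (not from the Dataverse docs): sanity-check a Shibboleth SP config
# directory before 'service shibd restart'. Directory and hostname are parameters.
set -eu

# The hostname the page says to replace in the template shibboleth2.xml.
TEMPLATE_HOST="pdurbin.pagekite.me"

# Files the procedure above installs under /etc/shibboleth.
REQUIRED_FILES="shibboleth2.xml dataverse-idp-metadata.xml attribute-map.xml"

# 0 when every required file exists in the directory.
required_files_present() {  # $1 = config dir
    for f in $REQUIRED_FILES; do
        [ -f "$1/$f" ] || return 1
    done
}

# 0 when no file in the directory still mentions the template hostname.
template_host_replaced() {  # $1 = config dir
    ! grep -rq "$TEMPLATE_HOST" "$1"
}

# 0 when shibboleth2.xml declares an entityID under the SP hostname
# (assumed https://<host>/... form; adjust if the template uses another entityID).
entity_id_matches() {  # $1 = config dir, $2 = SP hostname
    grep -q "entityID=\"https://$2/" "$1/shibboleth2.xml"
}

# Run all checks; print one line per failure and return non-zero if any failed.
check_shib_dir() {  # $1 = config dir, $2 = SP hostname
    rc=0
    required_files_present "$1" || { echo "missing one of: $REQUIRED_FILES"; rc=1; }
    template_host_replaced "$1" || { echo "template host $TEMPLATE_HOST still present"; rc=1; }
    entity_id_matches "$1" "$2" || { echo "no entityID under https://$2/ in shibboleth2.xml"; rc=1; }
    return $rc
}

# Usage on the real host (hypothetical invocation):
#   . ./shib-check.sh && check_shib_dir /etc/shibboleth shibtest.dataverse.org
```

Once this passes, shibd's own parser is the next gate: shibd -t loads the configuration without starting the daemon and reports XML or schema errors before the restart takes the SP down.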

Upload metadata to TestShib IdP

curl https://shibtest.dataverse.org/Shibboleth.sso/Metadata > /tmp/shibtest.dataverse.org

Upload /tmp/shibtest.dataverse.org to http://testshib.org/register.html

Test login to TestShib IdP

Select the TestShib IdP from the login page at https://shibtest.dataverse.org