Skip to content

Latest commit

 

History

History
101 lines (68 loc) · 4.36 KB

shib.md

File metadata and controls

101 lines (68 loc) · 4.36 KB

Shib setup

FIXME: merge with what's in the Installation Guide: http://guides.dataverse.org/en/latest/installation

Install Apache and mod shib

Set up a valid SSL cert

Create a private key

[root@dvn-vm3 ~]# openssl genrsa -out /root/cert/shibtest.dataverse.org.key 2048
Generating RSA private key, 2048 bit long modulus
..............................................................................................................+++
..............................................................................................................................+++
e is 65537 (0x10001)

Put private key where Apache can see it and secure it

[root@dvn-vm3 ~]# cp /root/cert/shibtest.dataverse.org.key /etc/pki/tls/private
[root@dvn-vm3 ~]# chmod 600 /etc/pki/tls/private/shibtest.dataverse.org.key
[root@dvn-vm3 ~]# chown root:root /etc/pki/tls/private/shibtest.dataverse.org.key

Back up the private key

Keep it secret. Keep it safe.

Create a CSR using the private key

[root@dvn-vm3 ~]# openssl req -new -key /root/cert/shibtest.dataverse.org.key -out /root/cert/shibtest.dataverse.org.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Massachusetts
Locality Name (eg, city) [Default City]:Cambridge
Organization Name (eg, company) [Default Company Ltd]:Harvard College
Organizational Unit Name (eg, section) []:IQSS
Common Name (eg, your name or your server's hostname) []:shibtest.dataverse.org
Email Address []:support@dataverse.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@dvn-vm3 ~]#

Use CSR to request a cert from a certificate authority (CA)

Upload /root/cert/shibtest.dataverse.org.csr to https://cert-manager.com/customer/InCommon

Wait for the SSL cert to be approved.

When the cert has been approved, download and install it and the certificate chain and set open permissions

[root@dvn-vm3 ~]# chmod 644 /etc/pki/tls/certs/shibtest.dataverse.org.crt
[root@dvn-vm3 ~]# chmod 644 /etc/pki/tls/certs/shibtest.dataverse.org_server-chain.crt

Re-configure Apache to use the new cert

[root@dvn-vm3 ~]# vim /etc/httpd/conf.d/ssl.conf
[root@dvn-vm3 ~]# grep shibtest /etc/httpd/conf.d/ssl.conf
ServerName shibtest.dataverse.org:443
SSLCertificateFile /etc/pki/tls/certs/shibtest.dataverse.org.crt
SSLCertificateKeyFile /etc/pki/tls/private/shibtest.dataverse.org.key
SSLCertificateChainFile /etc/pki/tls/certs/shibtest.dataverse.org_server-chain.crt
[root@dvn-vm3 ~]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@dvn-vm3 ~]#

Now https://shibtest.dataverse.org shouldn't give any browser warnings or curl errors.

Force HTTPS with Apache

Use https://github.com/IQSS/dataverse/blob/auth/conf/httpd/conf.d/dataverse.conf as a template and make sure RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L] is active.

Run service httpd restart.

Update/verify files under /etc/shibboleth

For /etc/shibboleth/shibboleth2.xml use the version from https://github.com/IQSS/dataverse/blob/auth/conf/vagrant/etc/shibboleth/shibboleth2.xml but replace "pdurbin.pagekite.me" with the "shibtest.dataverse.org".

Put https://github.com/IQSS/dataverse/blob/auth/conf/vagrant/etc/shibboleth/dataverse-idp-metadata.xml at /etc/shibboleth/dataverse-idp-metadata.xml

Put https://github.com/IQSS/dataverse/blob/auth/conf/vagrant/etc/shibboleth/attribute-map.xml at

After making these changes, run service shibd restart and service httpd restart.

Upload metadata to TestShib IdP

curl https://shibtest.dataverse.org/Shibboleth.sso/Metadata > /tmp/shibtest.dataverse.org

Upload /tmp/shibtest.dataverse.org to http://testshib.org/register.html

Test login to TestShib IdP

Select the TestShib IdP from the login page at https://shibtest.dataverse.org