Introduction

Basic guidelines concerning the Single Sign On mechanism integrated in the DDV server.

Useful links

Windows Single Sign On (SSO) / CERN Authentication integration on Scientific Linux CERN / Apache and
http://linux.web.cern.ch/linux/scientific6/docs/shibboleth.shtml
Obtain certificates from the CERN Grid Certification Authority
https://gridca.cern.ch/gridca/
Procedure to install a CERN SSL host certificate on Apache SLC6
https://twiki.cern.ch/twiki/bin/view/LinuxSupport/ConfigureApacheSSLonSLC
Single Sign On Management
https://sso-management.web.cern.ch/sso-management/SSO/ListSSOApplications.aspx
SSO registration form
https://sso-management.web.cern.ch/sso-management/SSO/RegisterApplication.aspx

Step 1: integration in Linux

Follow
http://linux.web.cern.ch/linux/scientific6/docs/shibboleth.shtml

Replace somehost.cern.ch with your real host name, e.g. pcaticstest04.cern.ch.
Try to avoid aliases in this phase; they may cause problems.

Configure the Shibboleth part of the Apache configuration properly:

 # The modules only work using HTTPS
 SSLRequireSSL
 AuthType shibboleth
 ShibUseHeaders On
 ShibRequireSession On
 ShibRequireAll On
 ShibExportAssertion Off
 Require valid-user

This should go under the "Location" tag. (Apache does not accept a comment on the same line as a directive, so the HTTPS remark must stay on its own line.)

BE SURE that

 ShibUseHeaders On

is part of the configuration so that the Shibboleth attribute headers are passed on to the application.

Step 2: ADFS application registration

Go here:
https://sso-management.web.cern.ch/sso-management/SSO/RegisterApplication.aspx
and provide:
- a unique Application Name, e.g. atlas-ddv-newTest
- the URL as declared in SAML, e.g. https://pcaticstest04.cern.ch
- a name and email for contact

In URL, give the host name, not the alias; an alias may cause problems.

Step 3: installation of certificates

Follow these rules:
https://twiki.cern.ch/twiki/bin/view/LinuxSupport/ConfigureApacheSSLonSLC

- Be sure that you have installed in the browser the CERN Certification Authority Root certificate
- Be sure that you have installed in the browser the CERN Trusted Certification Authority certificate
- Be sure that you have installed in the browser a user certificate
(You can check that they are installed under Certificates > View Certificates > Your Certificates / Authority Certificates.) TRY THIS ON WINDOWS IE: other browsers had problems (cross-checked with Linux support too).
DOWNLOAD THE "DER" version of the files (the other version did not work).

In the end you will need the SSL configuration:

SSLCertificateFile /etc/pki/tls/certs/newcert.cer
SSLCertificateKeyFile /etc/pki/tls/private/privkey.pem
SSLCertificateChainFile /etc/pki/tls/certs/certchain.p7b

working example of the ddv-test.conf file (under /etc/httpd/conf.d)

<Location />
 # The modules only work using HTTPS
 SSLRequireSSL
 AuthType shibboleth
 ShibUseHeaders On
 ShibRequireSession On
 ShibRequireAll On
 ShibExportAssertion Off
 Require valid-user
</Location>

ProxyPass / ajp://atlas-ddv-pilot.cern.ch:8080/war/
ProxyPassReverse / ajp://atlas-ddv-pilot.cern.ch:8080/war/

TraceEnable Off

SSLCertificateFile /etc/pki/tls/certs/newcert.cer
SSLCertificateKeyFile /etc/pki/tls/private/privkey.pem
SSLCertificateChainFile /etc/pki/tls/certs/user.p7b

ProxyIOBufferSize 20000
LimitRequestFieldsize 18000

working example of the Tomcat configuration file

Only the Connector needs changing; do not touch the rest!

    <Connector port="8080" protocol="AJP/1.3" packetSize="20000" redirectPort="8443" />
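As an added example (not part of this page or of the DDV project), a small Python check that can be run over the Apache and Tomcat fragments above before restarting the services: it verifies that the Location block carries the Shibboleth directives this page insists on, that no directive has a trailing comment (httpd refuses to start on those), and that LimitRequestFieldSize, ProxyIOBufferSize and the Tomcat packetSize are consistent so that the large Shibboleth attribute headers survive the AJP hop. The sample configuration is constructed inline from the fragments above; the httpd and Tomcat default sizes are assumed from their documentation.

```python
# Constructed sample (not the page's files): Location block, proxy sizes and the Tomcat AJP connector.
APACHE_CONF = """<Location />
    # The modules only work using HTTPS
    SSLRequireSSL
    AuthType shibboleth
    ShibUseHeaders On
    ShibRequireSession On
    Require valid-user
</Location>
ProxyIOBufferSize 20000
LimitRequestFieldsize 18000
"""
TOMCAT_CONNECTOR = ('<Connector port="8080" protocol="AJP/1.3" '
                    'packetSize="20000" redirectPort="8443" />')
# Directives the page requires inside the Location block (values lower-cased).
REQUIRED_IN_LOCATION = {"sslrequiressl": "", "authtype": "shibboleth", "require": "valid-user",
                        "shibuseheaders": "on", "shibrequiresession": "on"}

def parse_apache(text):
    # Map directive -> value per scope; also collect lines httpd would reject.
    scopes, problems, scope = {"global": {}, "location": {}}, [], "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("<"):  # only <Location ...> / </Location> occur here
            scope = "global" if line.startswith("</") else "location"
            continue
        if "#" in line:  # httpd does not allow a comment after a directive
            problems.append("inline comment breaks httpd startup: " + line)
            line = line.split("#", 1)[0].strip()
        name, _, value = line.partition(" ")
        scopes[scope][name.lower()] = value.strip().lower()
    return scopes, problems

def check(apache_conf, tomcat_connector):
    # Return findings; an empty list means the fragments satisfy the page's rules.
    scopes, findings = parse_apache(apache_conf)
    loc, glob = scopes["location"], scopes["global"]
    for name, expected in REQUIRED_IN_LOCATION.items():
        if loc.get(name) != expected:
            findings.append("Location block lacks '%s %s'" % (name, expected))
    # httpd defaults: ProxyIOBufferSize 8192, LimitRequestFieldSize 8190
    buf, field = int(glob.get("proxyiobuffersize", 8192)), int(glob.get("limitrequestfieldsize", 8190))
    packet = int(tomcat_connector.partition('packetSize="')[2].partition('"')[0] or 8192)  # Tomcat default
    if packet < buf:  # AJP packets larger than Tomcat accepts are rejected
        findings.append("Tomcat packetSize %d < ProxyIOBufferSize %d" % (packet, buf))
    if field >= buf:  # a header Apache accepts must still fit in one AJP packet
        findings.append("LimitRequestFieldSize %d must stay below ProxyIOBufferSize %d" % (field, buf))
    return findings
```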

Restart services

- Restart shibd and httpd:
 /sbin/service shibd restart
 /sbin/service httpd restart

or, in one go:

 /sbin/service shibd restart ;  /sbin/service httpd restart

Summary of changes to be done in case DDV has to be used in an SLC5 project (here it was MOON from EN/ICE)

changes in the Tomcat server:

conf/server.xml   (default)

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />


conf/server.xml   (DDV)

<!-- connector port 8080 is commented -->




changes in /etc/httpd/conf.d:

atlas-ddv-dev.conf
(1. modified for your needs (e.g. atlas-ddv-dev.cern.ch -> moon-ddv.cern.ch)
 2. added under /etc/httpd/conf.d
 - It specifies the proxy, valid users etc.
 - probably to be added by administrators)


<VirtualHost *:80>
   ServerName atlas-ddv-dev.cern.ch
   # This secures the server from being used as a third party proxy server
   ProxyRequests Off

   ProxyVia On

   ProxyPass / http://atlas-ddv-dev.cern.ch:12721/
   ProxyPassReverse / http://atlas-ddv-dev.cern.ch:12721/
   #ProxyPassReverseCookiePath / /

   ProxyPreserveHost On
   ProxyTimeout 360
   Timeout 360

   ### for Computer.Security @ CERN
   RewriteEngine on

   #RewriteLog "/var/log/apache/rewrite.log"
   #RewriteLogLevel 3

   RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
   RewriteRule .* - [F]
   RewriteCond %{SERVER_PORT}s !^443$
   RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
</VirtualHost>



<VirtualHost *:443>
   ServerName atlas-ddv-dev.cern.ch
   # ServerAlias (not Alias, which maps URL paths to directories) declares the extra host name
   ServerAlias atlas-ddv-dev atlas-ddv-dev.cern.ch

   SSLEngine On
   SSLProtocol all -SSLv2

   #AB SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
   #SB SSLCipherSuite HIGH:MEDIUM:-LOW:-SSLv2
   SSLCipherSuite     HIGH:MEDIUM:!ADH:@STRENGTH:-LOW:-SSLv2

   # This secures the server from being used as a third party proxy server
   ProxyRequests Off

   ProxyVia On
   SSLCertificateFile    /etc/grid-security/hostcert.pem
   SSLCertificateKeyFile /etc/grid-security/hostkey.pem

   ProxyPass / ajp://atlas-ddv-dev.cern.ch:8080/DDV/
   ProxyPassReverse / ajp://atlas-ddv-dev.cern.ch:8080/DDV/

   ProxyPreserveHost On
   ProxyTimeout 360
   Timeout 360

   ### for Computer.Security @ CERN
   RewriteEngine on
   RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
   RewriteRule .* - [F]
   RewriteCond %{REQUEST_URI} ^/$
   RewriteRule ^/$ /DDV.html [NE,R,L]

   <Location />
       AuthType shibboleth
       ShibRequireSession On
       require valid-user

       #headers for user login info in DDV
       ShibUseHeaders On

       #for e-groups:
       #Require adfs-group "atlas-readaccess-active-members", "atlas-external-operation"
   </Location>
</VirtualHost>


# Header information ######################
#  added for DDV needs

  ProxyIOBufferSize 40000

# seems that next line is not really needed

  LimitRequestFieldsize 18000

###########################################






shibboleth2.xml (some information was added by our administrators)

<RequestMapper type="Native">
    <RequestMap>
        <!--
        The example requires a session for documents in /secure on the containing host with http and
        https on the default ports. Note that the name and port in the <Host> elements MUST match
        Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element
        below.
        -->
        ...
    </RequestMap>
</RequestMapper>

....

<saml:Audience>https://atlas-ddv-dev.cern.ch/Shibboleth.sso/ADFS</saml:Audience>

...

<ApplicationOverride id="atlas-ddv-dev" entityID="https://atlas-ddv-dev.cern.ch/Shibboleth.sso/ADFS"/>


Major updates:
-- CharilaosTsarouchas - 12-Jun-2012

Responsible: CharilaosTsarouchas
Last reviewed by: Never reviewed

#Alias /data/tsarouch/DDViewer/SoftwareUsed/Eclipse/runspace/apache-tomcat-6.0.20/webapps/war /var/www/html

Topic attachments: shib.conf.pdf (r1, 19.1 K, 2012-06-26, CharilaosTsarouchas)
Topic revision: r11 - 2019-11-01 - SlavaKhomutnikov