Let's set up some Tomcat stuff.
The manager tool allows us to deploy packages, but we want to lock it down a bit...
first we set who has access...
locate the tomcat-users.xml usually located in /etc/tomcat7/tomcat-users.xml
add...
just before the closing tag
You can go to <your url>:8080/manager/html and log in using this info to manage Tomcat apps, though we aren't ready for that yet.
Set up the Apache elements, as we are hosting SSL through Apache.
edit /etc/libapache2-mod-jk/workers.properties
Now edit the site configuration for the jktomcat site on Apache. You can name this file anything, but locations are important.
create a file in /etc/apache2/sites-available
we will call ours jktomcat
paste in
NameVirtualHost *:80
NameVirtualHost *:443
<IfModule worker.c>
  StartServers 2
  MaxClients 150
  MinSpareThreads 25
  MaxSpareThreads 75
  ThreadsPerChild 25
  MaxRequestsPerChild 0
</IfModule>
<VirtualHost *:80>
  ServerName <your server name>
  RewriteEngine On
  RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [R,L]
  UseCanonicalName Off
  ServerAdmin webmaster@localhost
  DocumentRoot /var/www/
</VirtualHost>
<VirtualHost *:443>
  ServerName ec2-54-208-211-204.compute-1.amazonaws.com
  DocumentRoot /var/www
  UseCanonicalName Off
  <LocationMatch "/.*\.xhtml">
    AuthType shibboleth
    ShibRequireSession On
    require shibboleth
  </LocationMatch>
  RedirectMatch ^/manager[/]$ /manager/html/
  JkMount /manager ajp13_worker
  JkMount /manager/* ajp13_worker
  RedirectMatch ^/host-manager[/]$ /host-manager/html
  JkMount /host-manager ajp13_worker
  JkMount /host-manager/* ajp13_worker
  JkMount /entitlement-service-* ajp13_worker
  JkMount /entitlement-service-*/* ajp13_worker
  JkMount /registry-service-* ajp13_worker
  JkMount /registry-service-*/* ajp13_worker
  JkMount /registry-service-*/*/* ajp13_worker
  JkUnMount /shibboleth-sp* ajp13_worker
  JkUnMount /Shibboleth.sso* ajp13_worker
  JkUnMount /SSORedirect* ajp13_worker
  JkUnMount /xml* ajp13_worker
  JkEnvVar Shib-Identity-Provider
  JkEnvVar uid
  JkEnvVar givenName
  JkEnvVar sn
  JkEnvVar mail
  SSLEngine On
  SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
  SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
  # SSLCertificateChainFile /etc/ssl/certs/sf_bundle.crt
</VirtualHost>
<Location /server-status>
  SetHandler server-status
  Order Deny,Allow
  Deny from all
  # edit the line below to where you want access to the server-status from
  Allow from compute-1.amazonaws.com
</Location>
<Directory /var/www>
  Options +FollowSymLinks
  AllowOverride All
  order allow,deny
  allow from all
</Directory>
You will want to update to actual certs when you get them.
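As an added example (not part of the original write-up), a small Python check that reads a site file like the one above and confirms the properties it depends on: the port-80 redirect to HTTPS, SSL enabled, the Shibboleth handler path left unmounted from mod_jk so it stays with shibd, server-status denied by default, and whether the snakeoil certificate is still in place. The sample config and the function names are constructed for the example.

```python
# Added example, not from the original write-up: static checks on a jktomcat-style Apache site file.
import re
# Constructed sample: a trimmed copy of the vhost above, with the snakeoil cert still in place.
SAMPLE = """\
<VirtualHost *:80>
  RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [R,L]
</VirtualHost>
<VirtualHost *:443>
  JkMount /manager/* ajp13_worker
  JkUnMount /Shibboleth.sso* ajp13_worker
  SSLEngine On
  SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
</VirtualHost>
<Location /server-status>
  Deny from all
  Allow from compute-1.amazonaws.com
</Location>
"""

def parse_sections(text):
    """Map each top-level <Section arg> block to its list of directive lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<(\w+)\s+([^>]+)>$", line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            sections[current] = []
        elif line.startswith("</"):
            current = None
        elif current is not None:
            sections[current].append(line)
    return sections

def audit(text):
    """Return pass/fail flags for the properties the write-up relies on."""
    s = parse_sections(text)
    http = s.get("VirtualHost *:80", [])
    https = s.get("VirtualHost *:443", [])
    status = s.get("Location /server-status", [])
    return {
        "http_redirects_to_https": any(d.startswith("RewriteRule") and "https://" in d for d in http),
        "ssl_enabled": "SSLEngine On" in https,
        # the placeholder snakeoil cert should be replaced before go-live (see the note above)
        "snakeoil_cert": any(d.startswith("SSLCertificate") and "snakeoil" in d for d in https),
        # the SP handler must stay with Apache/shibd, not be proxied to Tomcat
        "shib_handler_not_proxied": any(d.startswith("JkUnMount /Shibboleth.sso") for d in https),
        "server_status_deny_default": "Deny from all" in status,
    }
```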
Now we set up the shibboleth file. In /etc/shibboleth/shibboleth2.xml alter and paste the following.
In general the IDPID for NTER will be https://login.nterlearning.org/idp/shibboleth
if you are on the NTER team obviously this sentence will be omitted from public documentation and the IDPID will be https://login.ntersupport.com/idp/shibboleth
You will need to change the snakeoil to your own cert. Our host is registry.ntersupport.com or registry.nterlearning.org.
This is the file you will give to the IdP to add to its federation data set.
Then copy the idp-metadata-public.xml from login.ntersupport.com /opt/shibboleth-idp/metadata to /etc/shibboleth/partner-metadata.xml on registry.ntersupport.com (or whatever your machine is, the one we've been working on).
More tomcat config
get the registry and entitlement applications
In /var/lib/tomcat7/conf/Catalina/localhost/
create two files...
registry-service-1.1.xml
and
entitlement-service-1.1.xml
then in those files place the following, respectively.
This tells the system to grab the registry service 1.1.4 from ext-webapps and move it to webapps, called registry1.1, when you start the app from the manager (configured above).
Note: because these apps are very memory intensive, we need to alter the startup for tomcat7.
in
/etc/init.d/tomcat7/
just after the line "set -e"
add the following...
There are a bunch of configuration elements which are required for these two WARs to run. Also, they can be moved to a generic location so they are not overwritten on build.
in /var/lib/tomcat7/conf/nter.properties modify and add the following
#
# Entitlement Service
#
entitlement.db.user=<user>
entitlement.db.password=<password>
entitlement.db.driver=com.mysql.jdbc.Driver
entitlement.db.url=jdbc:mysql://localhost/ENTITLEMENT_DB?useUnicode=true
entitlement.db.validation=select 1 from mysql.user
#entitlement.idp.wsdl.url=https://login.nterlearning.org/nter-user-mgmt-service-1.7/services/IdentityService?wsdl
entitlement.idp.wsdl.url=https://login.ntersupport.com/nter-user-mgmt-service-1.7/services/IdentityService?wsdl
entitlement.idp.email=admin@nterlearning.org
entitlement.idp.password=<password>
# Default ADMIN user - Create an 'Admin' entitlement for realm '/'
entitlement.admin.email=admin@nterlearning.org
#
# Service Registry
#
registry.db.user=<user>
registry.db.password=<password>
registry.db.driver=com.mysql.jdbc.Driver
registry.db.url=jdbc:mysql://localhost/REGISTRY_DB?useUnicode=true
registry.db.validation=select 1 from mysql.user
registry.idp.wsdl.url=https://login.ntersupport.com/nter-user-mgmt-service-1.7/services/IdentityService?wsdl
registry.idp.email=admin@nterlearning.org
registry.idp.password=<password>
# Default Admin user for realm NTER_REGISTRY
registry.admin.email=admin@nterlearning.org
# Default blacklist status {"Unspecified", "Active", "Inactive", "Blacklist"}
registry.default.blacklist.status=Blacklist
# Connect to Entitlement Service
registry.realm=NTER_REGISTRY
# Entitlement service calls
# WARNING!!!
# Do not use the localhost:8086 version of registry.entitlement.wsdl.url.
# It causes very slow page loads on the order of minutes for the web app.
# This evidently bypasses Shibboleth and results in numerous retries to validate.
#registry.entitlement.wsdl.url=https://localhost:8086/entitlement-service-1.1/services/EntitlementAPI?wsdl
registry.entitlement.wsdl.url=https://registry.ntersupport.com/entitlement-service-1.1/services/EntitlementAPI?wsdl
registry.entitlement.email=admin@nterlearning.org
registry.entitlement.password=<password>
# Commerce entitlement for new institution, leave empty to disable commerce
#registry.commerce.realm=NTER_COMMERCE  # commented out by JAM june 16, 2014
then
sudo chown :tomcat7 nter.properties
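An added example, not the project's own code: a small Python linter for nter.properties that flags unfilled <user>/<password> placeholders, the localhost:8086 entitlement URL the warning above describes, and the select 1 from mysql.user validation query, which requires the application's database account to have SELECT on the mysql system schema where a plain select 1 would not. The sample file and the function names are constructed.

```python
# Added example, not from the NTER project: lint an nter.properties file for the pitfalls noted above.

# Constructed sample mirroring the write-up, with two placeholders deliberately left unfilled.
SAMPLE = """\
entitlement.db.user=<user>
entitlement.db.password=<password>
entitlement.db.validation=select 1 from mysql.user
registry.db.user=registry
registry.db.password=constructed-example-only
registry.db.validation=select 1 from mysql.user
registry.entitlement.wsdl.url=https://localhost:8086/entitlement-service-1.1/services/EntitlementAPI?wsdl
"""

def parse_properties(text):
    """Minimal Java .properties reader: key=value per line, '#' lines ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_properties(text):
    """Return a list of findings; an empty list means the file passed."""
    findings = []
    for key, value in parse_properties(text).items():
        # <user>/<password> placeholders copied straight from the template
        if value.startswith("<") and value.endswith(">"):
            findings.append(f"{key}: placeholder {value} not replaced")
        # the write-up warns that this URL bypasses Shibboleth and stalls page loads
        if key == "registry.entitlement.wsdl.url" and "localhost:8086" in value:
            findings.append(f"{key}: points at localhost:8086")
        # reading mysql.user needs SELECT on the mysql schema; 'select 1' validates the
        # connection just as well without granting the app account anything extra
        if key.endswith(".db.validation") and "mysql.user" in value.lower():
            findings.append(f"{key}: validation query reads mysql.user")
    return findings
```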
We need to create some database elements, as the script doesn't do it automatically.
log into mysql in the console and paste in the following:
Now we remove the default Apache site, enable ours, enable the required mods, then restart everything...
sudo a2dissite 000-default
sudo a2enmod ssl shib2
sudo a2ensite jktomcat
sudo service shibd restart
sudo service apache2 restart
sudo service shibd restart
sudo service apache2 restart
sudo service tomcat7 restart
You will then go to the URL for the Tomcat manager http://registry.ntersupport.com/manager/
login using the data specified in tomcat-users.xml above.
you should see entries for the two services.
click start on the registry then the entitlement.
test
Last edit: Jeff Masiello 2014-08-25
Note: there are some discrepancies between the earlier version and this one. the login IDP and wsurl and such. We are still figuring out how the system works so feel free to comment.
further, a lot of the original documentation refers to dev servers, bad. They no longer exist and shouldn't be used in production anyway. (ok they exist in a completely different location but still...)
Word Document
Note: This is an older document but still a good read. See below for more updated information.
This is actually Registry and Entitlement. They seem very tightly coupled and I'm not sure why they are separate entities.
Recommend Ubuntu 12.04 LTS 64-bit EBS backed
During this process you will be prompted to enter the MySQL server password twice. Choose a secure password and enter it when prompted.
all the apps are installed, now we need to configure things...
Always good to set Environment Variables...