HOWTO Upgrade Shibboleth IdP from V2 to V3 on Ubuntu Linux
13 May 2016
Authors: Marco Malavolti

Index
1) Introduction
2) Required packages
3) Pre-existing software
4) Installation
4.1) Download and install the new Shibboleth IdP v3.2.1
4.2) Configure the new IdP while preserving the old configuration

1 Introduction

This is a tutorial for users who want to upgrade their Shibboleth Identity Provider from a 2.x version to a 3.x version on an Ubuntu Linux machine configured with an Apache2 server placed as front-end to a Tomcat server that runs the Shibboleth software. In particular, this tutorial upgrades a Shibboleth Identity Provider on an Ubuntu 12.04 machine that has its own OpenLDAP system for managing user identities.

2 Required packages

• ntp
• vim
• Java 7 JDK (Oracle or OpenJDK)
• wget

3 Pre-existing software

• Shibboleth Identity Provider v2.x
• Tomcat (7 or 8)
• (Apache2)

4 Installation

4.1 Download and install the new Shibboleth IdP v3.2.1

1. Make sure that no other Tomcat instance is running:
   • ps aux | grep tomcat
2. If Tomcat processes are running, stop them:
   • service tomcat7 stop OR kill -9 #TOMCAT-INSTANCE-ID#
3. Make sure you are using the Oracle JDK or the OpenJDK Development Kit (JDK) 7 or 8:
   • sudo update-alternatives --config java
4. Download and install the new Shibboleth IdP v3.2.1:
   • cd /usr/local/src
   • wget http://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-3.2.1.tar.gz
   • tar xzvf shibboleth-identity-provider-3.2.1.tar.gz
   • cd shibboleth-identity-provider-3.2.1
   • hostname -f (to keep your FQDN in mind)
   • ./bin/install.sh (follow the instructions, keeping the installation locations of Shibboleth v2)
   (The old Shibboleth IdP configuration files are saved in a "conf.v2" folder inside the installation folder)

4.2 Configure the new IdP while preserving the old configuration

1. The entityID in the metadata of the "old" IdP MUST BE THE SAME as the one in the metadata of the "new" IdP in idp-metadata.xml. Check the entityID value on the line
   # Set the entityID of the IdP
   idp.entityID= https://...
   of the configuration file /opt/shibboleth-idp/conf/idp.properties.
2. Set the permissions appropriately (N == 7 or 8):
   • chown -R tomcatN /opt/shibboleth-idp/logs/
   • chown -R tomcatN /opt/shibboleth-idp/metadata/
   • chown -R tomcatN /opt/shibboleth-idp/credentials/
   • chown -R tomcatN /opt/shibboleth-idp/conf/
3. Create the Tomcat context descriptor that deploys the IdP application:
   • vim /etc/tomcatN/Catalina/localhost/idp.xml
   <Context docBase="/opt/shibboleth-idp/war/idp.war" privileged="true" antiResourceLocking="false" swallowOutput="true" />
4. Install the MySQL JDBC driver (only if not already present):
   • sudo apt-get install libmysql-java
5. Put the MySQL JDBC libraries in the right place:
   • cd /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
   • ln -s /usr/share/java/mysql-connector-java.jar
   • ln -s /usr/share/tomcatN/lib/tomcat-jdbc.jar
   • cd /usr/share/tomcatN/lib/
   • ln -s /usr/share/java/mysql-connector-java.jar
6. Install the Commons DBCP2 libraries used to generate the new saml-id:
   • cd /usr/local/src/
   • wget http://mirrors.muzzy.it/apache//commons/dbcp/binaries/commons-dbcp2-2.1.1-bin.tar.gz
   • tar xzvf commons-dbcp2-2.1.1-bin.tar.gz ; cd commons-dbcp2-2.1.1/
   • cp commons-dbcp2-2.1.1.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
7. Install the Commons Pool2 libraries used to generate the new saml-id:
   • cd /usr/local/src/
   • wget http://mirror.nohup.it/apache//commons/pool/binaries/commons-pool2-2.4.2-bin.tar.gz
   • tar xzvf commons-pool2-2.4.2-bin.tar.gz ; cd commons-pool2-2.4.2/
   • cp commons-pool2-2.4.2.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
8. Build the new idp.war with the new libraries:
   • cd /opt/shibboleth-idp/ ; ./bin/build.sh
9. Create a new MySQL DB compatible with the new version of the IdP:
   • mysql -u root -p
   • mysql> SET NAMES 'utf8';
   • mysql> SET CHARACTER SET utf8;
   • mysql> CHARSET utf8;
   • mysql> CREATE DATABASE IF NOT EXISTS shibboleth CHARACTER SET=utf8;
   • mysql> GRANT ALL PRIVILEGES ON shibboleth.* TO root@localhost IDENTIFIED BY 'yourPassword';
   • mysql> USE shibboleth;
   • mysql> CREATE TABLE shibpid
       -> (
       -> localEntity VARCHAR(255) NOT NULL,
       -> peerEntity VARCHAR(255) NOT NULL,
       -> persistentId VARCHAR(50) NOT NULL,
       -> principalName VARCHAR(50) NOT NULL,
       -> localId VARCHAR(50) NOT NULL,
       -> peerProvidedId VARCHAR(50) NULL,
       -> creationDate TIMESTAMP NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
       -> deactivationDate TIMESTAMP NULL default NULL,
       -> PRIMARY KEY (localEntity, peerEntity, persistentId)
       -> );
   • mysql> CREATE TABLE StorageRecords
       -> (
       -> context VARCHAR(255) NOT NULL,
       -> id VARCHAR(255) NOT NULL,
       -> expires BIGINT(20) DEFAULT NULL,
       -> value LONGTEXT NOT NULL,
       -> version BIGINT(20) NOT NULL,
       -> PRIMARY KEY (context, id)
       -> );
   • quit;
10. Create a user "idem" with password "demo" able to access and modify the "shibboleth" DB (both the "idem" user and the "demo" password must be chosen by the installer):
   • mysql -u root -p
   • mysql> USE mysql;
   • mysql> CREATE USER idem;
   • mysql> GRANT ALL PRIVILEGES ON shibboleth.* TO 'idem'@'localhost' IDENTIFIED BY 'demo';
   • mysql> FLUSH PRIVILEGES;
   • mysql> quit;
11. Restart the mysql server:
   • service mysql restart
12. Dump the shibpid table of the "userdb" DB and of the "shibboleth" DB:
   • cd /tmp
   • mysqldump -u root -p userdb shibpid > userdb_shibpid.sql
   • mysqldump -u root -p shibboleth shibpid > shibboleth_shibpid.sql
13. Import the previous values into the new "shibboleth" DB, making sure that the field order of the old "userdb.shibpid" table matches exactly that of the new "shibboleth.shibpid" before running the import. THEY MUST MATCH, because the population of the new "shibboleth" DB depends on it. To make the import easier, follow these steps with the "userdb_shibpid.sql" file:
   a) Change the DB name in the first lines of the DUMP to "shibboleth".
   b) From the "shibboleth_shibpid.sql" DUMP copy the part for "Table structure for table `shibpid`" and paste it into "userdb_shibpid.sql" below the one already there.
   c) Change the field order of the pasted "shibboleth.shibpid" code so that it matches exactly what is found in the previous "shibpid" table of "userdb".
   d) Delete the "Table structure for table `shibpid`" of "userdb".
   e) Save and import the values into the new "shibboleth" DB:
      ◦ mysql -u root -p shibboleth < userdb_shibpid.sql
14. Enable the JPAStorageService for the StorageService:
   • vim /opt/shibboleth-idp/conf/global.xml
   (append the following fragment, with the username and password for the "shibboleth" DB adjusted appropriately)

   <bean id="shibboleth.JPAStorageService"
         class="org.opensaml.storage.impl.JPAStorageService"
         p:cleanupInterval="%{idp.storage.cleanupInterval:PT10M}"
         c:factory-ref="shibboleth.JPAStorageService.entityManagerFactory"/>

   <bean id="shibboleth.JPAStorageService.entityManagerFactory"
         class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
       <property name="packagesToScan" value="org.opensaml.storage.impl"/>
       <property name="dataSource" ref="shibboleth.JPAStorageService.DataSource"/>
       <property name="jpaVendorAdapter" ref="shibboleth.JPAStorageService.JPAVendorAdapter"/>
       <property name="jpaDialect">
           <bean class="org.springframework.orm.jpa.vendor.HibernateJpaDialect" />
       </property>
   </bean>

   <bean id="shibboleth.JPAStorageService.JPAVendorAdapter"
         class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
       <property name="database" value="MYSQL" />
   </bean>

   <!-- The '&' in the JDBC URL must be written as '&amp;' inside an XML attribute -->
   <bean id="shibboleth.JPAStorageService.DataSource"
         class="org.apache.tomcat.jdbc.pool.DataSource" destroy-method="close" lazy-init="true"
         p:driverClassName="com.mysql.jdbc.Driver"
         p:url="jdbc:mysql://localhost:3306/shibboleth?autoReconnect=true&amp;sessionVariables=wait_timeout=31536000"
         p:validationQuery="SELECT 1;"
         p:username="idem"
         p:password="demo"/>

   • Adjust the IdP properties accordingly:
     ◦ vim /opt/shibboleth-idp/conf/idp.properties
       idp.session.StorageService = shibboleth.JPAStorageService
       idp.consent.StorageService = shibboleth.JPAStorageService
       idp.replayCache.StorageService = shibboleth.JPAStorageService
       idp.artifact.StorageService = shibboleth.JPAStorageService
15. Fully enable SAML2 support in idp-metadata.xml, disabling the deprecated SAML v1.x support:
   • vim /opt/shibboleth-idp/metadata/idp-metadata.xml
   STRINGS TO REMOVE:
   – urn:oasis:names:tc:SAML:1.1:protocol
   – urn:mace:shibboleth:1.0
   – The whole endpoint with Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" (and adjust the index of the following one accordingly)
   – <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
   – The whole endpoint with Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" (and adjust the index of the following one accordingly)
   – 8443 (everywhere, because that port is no longer used)
   IN THE ATTRIBUTE-AUTHORITY SECTION:
   – Replace "urn:oasis:names:tc:SAML:1.1:protocol" with "urn:oasis:names:tc:SAML:2.0:protocol", uncomment the SAML2 AttributeService and comment out/remove the SAMLv1 one.
16. Configure the IdP to retrieve the IDEM Test Federation metadata:
   • cd /opt/shibboleth-idp/conf
   • cp metadata-providers.xml metadata-providers.xml.old
   • cp /opt/shibboleth-idp/dist/conf/metadata-providers.xml.dist metadata-providers.xml
   • vim metadata-providers.xml

   <MetadataProvider id="URLMD-IDEM-Federation"
                     xsi:type="FileBackedHTTPMetadataProvider"
                     backingFile="%{idp.home}/metadata/idem-test-metadata-sha256.xml"
                     metadataURL="http://www.garr.it/idem-metadata/idem-test-metadata-sha256.xml">
       <!-- Verify the signature on the root element of the metadata aggregate
            using a trusted metadata signing certificate. -->
       <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
                       certificateFile="${idp.home}/metadata/idem_signer_2019.pem"/>
       <!-- Require a validUntil XML attribute on the root element and make sure
            its value is no more than 14 days into the future. -->
       <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D"/>
       <!-- Consume all SP metadata in the aggregate -->
       <MetadataFilter xsi:type="EntityRoleWhiteList">
           <RetainedRole>md:SPSSODescriptor</RetainedRole>
       </MetadataFilter>
   </MetadataProvider>

17. Put the metadata signing certificate in /opt/shibboleth-idp/metadata/idem_signer_2019.pem:
   • wget https://idem.garr.it/documenti/doc_download/321-idem-metadata-signer2019 -O /opt/shibboleth-idp/metadata/idem_signer_2019.pem
18. Configure authentication of your users against an OpenLDAP server:
   • cd /opt/shibboleth-idp/conf/
   • cp ldap.properties ldap.properties.old
   • cp /opt/shibboleth-idp/dist/conf/ldap.properties.dist ldap.properties
   • vim /opt/shibboleth-idp/conf/ldap.properties
   (with the *TLS solutions, remember to put the LDAP server certificate in /opt/shibboleth-idp/credentials and give it the right permissions: 'chown tomcatN ldap-server.crt')
   ◦ Solution 1 - LDAP with STARTTLS:
     idp.authn.LDAP.authenticator = bindSearchAuthenticator
     idp.authn.LDAP.ldapURL = ldap://ldap.example.garr.it:389
     idp.authn.LDAP.useStartTLS = true
     idp.authn.LDAP.useSSL = false
     idp.authn.LDAP.sslConfig = certificateTrust
     idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
     idp.authn.LDAP.baseDN = ou=people,dc=example,dc=garr,dc=it
     idp.authn.LDAP.userFilter = (uid={user})
     idp.authn.LDAP.bindDN = cn=admin,dc=example,dc=garr,dc=it
     idp.authn.LDAP.bindDNCredential = ###LDAP ADMIN PASSWORD###
   ◦ Solution 2 - LDAP with TLS/SSL:
     idp.authn.LDAP.authenticator = bindSearchAuthenticator
     idp.authn.LDAP.ldapURL = ldaps://ldap.example.garr.it
     idp.authn.LDAP.useStartTLS = false
     idp.authn.LDAP.useSSL = true
     idp.authn.LDAP.sslConfig = certificateTrust
     idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
     idp.authn.LDAP.baseDN = ou=people,dc=example,dc=garr,dc=it
     idp.authn.LDAP.userFilter = (uid={user})
     idp.authn.LDAP.bindDN = cn=admin,dc=example,dc=garr,dc=it
     idp.authn.LDAP.bindDNCredential = ###LDAP ADMIN PASSWORD###
   ◦ Solution 3 - LDAP in clear text (bind credentials and user passwords cross the network unencrypted):
     idp.authn.LDAP.authenticator = bindSearchAuthenticator
     idp.authn.LDAP.ldapURL = ldap://ldap.example.garr.it:389
     idp.authn.LDAP.useStartTLS = false
     idp.authn.LDAP.useSSL = false
     idp.authn.LDAP.baseDN = ou=people,dc=example,dc=garr,dc=it
     idp.authn.LDAP.userFilter = (uid={user})
     idp.authn.LDAP.bindDN = cn=admin,dc=example,dc=garr,dc=it
     idp.authn.LDAP.bindDNCredential = ###LDAP ADMIN PASSWORD###
   If you use solution 3 "in clear text", remember to comment out the code that uses "trustCertificates" in attribute-resolver-full.xml:

       </dc:FilterTemplate>
       <!--
       <dc:StartTLSTrustCredential id="LDAPtoIdPCredential" xsi:type="sec:X509ResourceBacked">
           <sec:Certificate>%{idp.attribute.resolver.LDAP.trustCertificates}</sec:Certificate>
       </dc:StartTLSTrustCredential>
       -->
   </resolver:DataConnector>

   UTILITIES FOR OPENLDAP ADMINISTRATORS:
   ◦ ldapsearch -H ldap:// -x -b "dc=example,dc=garr,dc=it" -LLL dn
     ▪ the baseDN ==> ou=people,dc=example,dc=garr,dc=it (branch containing the registered users)
     ▪ the bindDN ==> cn=admin,dc=example,dc=garr,dc=it (branch of the user able to read and query the LDAP)
   • Enrich idp-process.log with the LDAP authentication errors:
     ◦ vim /opt/shibboleth-idp/conf/logback.xml
       <!-- Logs LDAP related messages -->
       <logger name="org.ldaptive" level="${idp.loglevel.ldap:-WARN}"/>
       <!-- Logs on LDAP user authentication -->
       <logger name="org.ldaptive.auth.Authenticator" level="INFO" />
   • Define the attributes supported by the IdP:
     ◦ vim /opt/shibboleth-idp/conf/services.xml
       <value>%{idp.home}/conf/attribute-resolver.xml</value>
       must become:
       <value>%{idp.home}/conf/attribute-resolver-full.xml</value>
     ◦ vim /opt/shibboleth-idp/conf/attribute-resolver-full.xml
       ▪ Uncomment the areas:
         • Schema: Core Schema attributes
         • Schema: InetOrgPerson attributes
         • Schema: eduPerson attributes
       ▪ Uncomment the LDAP Connector already configured through ldap.properties
       ▪ Enable the new persistent-id generation method (replacement for the eduPersonTargetedID attribute):
         • vim /opt/shibboleth-idp/conf/saml-nameid.properties
         (the sourceAttribute must be an attribute, or a comma-separated list of attributes, whose values uniquely identify the subject of the persistent identifier. It must be STABLE, PERMANENT and NON-REASSIGNABLE.)

           # Comment out to disable legacy NameID generation via Attribute Resolver
           #idp.nameid.saml2.legacyGenerator= shibboleth.LegacySAML2NameIDGenerator
           #idp.nameid.saml1.legacyGenerator= shibboleth.LegacySAML1NameIdentifierGenerator
           idp.persistentId.sourceAttribute = uid
           …
           idp.persistentId.algorithm = SHA
           idp.persistentId.salt = ## SALT VALUE COPIED FROM THE PREVIOUS ATTRIBUTE RESOLVER ##
           …
           idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
           idp.persistentId.dataSource = PersistentIdDataSource
           …
           idp.persistentId.store = MyPersistentIdStore
           idp.persistentId.computed = shibboleth.ComputedPersistentIdGenerator

         • vim /opt/shibboleth-idp/conf/saml-nameid.xml
         Uncomment:
           <ref bean="shibboleth.SAML2PersistentGenerator" />
         Add at the top (right after the first comment):

           <!-- A DataSource bean suitable for use in the idp.persistentId.dataSource property. -->
           <bean id="MyDataSource" class="org.apache.commons.dbcp2.BasicDataSource"
                 p:driverClassName="com.mysql.jdbc.Driver"
                 p:url="jdbc:mysql://localhost:3306/shibboleth?autoReconnect=true"
                 p:username="idem"
                 p:password="demo"
                 p:maxIdle="5"
                 p:maxWaitMillis="15000"
                 p:testOnBorrow="true"
                 p:validationQuery="select 1"
                 p:validationQueryTimeout="5" />

           <!-- A "store" bean suitable for use in the idp.persistentId.store property. -->
           <bean id="MyPersistentIdStore" parent="shibboleth.JDBCPersistentIdStore"
                 p:dataSource-ref="MyDataSource"
                 p:queryTimeout="PT2S"
                 p:retryableErrors="#{{'23000'}}" />

       ▪ Change the subject-c14n for SAML2 Persistent ID handling:
         • vim /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
           ◦ Uncomment the "c14n/SAML2Persistent" bean
       ▪ Change the Default RelyingParty to release the persistent-id to everyone by default:
         • cd /opt/shibboleth-idp/conf
         • cp relying-party.xml relying-party.xml.old
         • cp /opt/shibboleth-idp/dist/conf/relying-party.xml.dist relying-party.xml
         • vim /opt/shibboleth-idp/conf/relying-party.xml

           <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
               <property name="profileConfigurations">
                   <list>
                       <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
                       <ref bean="SAML1.AttributeQuery" />
                       <ref bean="SAML1.ArtifactResolution" />
                       <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release"
                             p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
                       <ref bean="SAML2.ECP" />
                       <ref bean="SAML2.Logout" />
                       <ref bean="SAML2.AttributeQuery" />
                       <ref bean="SAML2.ArtifactResolution" />
                       <ref bean="Liberty.SSOS" />
                   </list>
               </property>
           </bean>

19. Translate the Login page, the Informed Consent page for the release of user attributes, the IdP Terms of Use page and the error pages into the preferred language:
   • Open the page containing the translated files: CLICK HERE
   • Get the 3 files for your language and put them in /opt/shibboleth-idp/messages
20. Remove the "endorsed" folder from Tomcat (if present):
   • rm -rf /usr/share/tomcatN/endorsed
21. Enable the AJP connector on port 8009 (if not already enabled):
   • vim /etc/tomcatN/server.xml
     <!-- Define an AJP 1.3 Connector on port 8009 -->
     <Connector port="8009" protocol="AJP/1.3" redirectPort="443" address="127.0.0.1" enableLookups="false" tomcatAuthentication="false" />
22. Enable the use of the newer "relying-party.xml" and "metadata-providers.xml" files:
   • vim $IDP_HOME/conf/services.properties
     ...
     idp.service.relyingparty.resources= shibboleth.RelyingPartyResolverResources
     ...
23. Fix the names of the certificates used by the IdP in the metadata:
   • cd /opt/shibboleth-idp/credentials
   • ln -s idp.crt idp-signing.crt
   • ln -s idp.crt idp-encryption.crt
   • ln -s idp.key idp-signing.key
   • ln -s idp.key idp-encryption.key
24. Start Tomcat and check that the IdP metadata page appears:
   • service tomcatN start
   • https://#YOUR.IDP.FQDN#/idp/shibboleth
25. Try to log in at https://sp24-test.garr.it/secure and, if everything works, you can delete the old "userdb" DB from the mysql server.
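Step 13 above stands or falls on the two dumps declaring the shibpid columns in the same order, and re-ordering the dump by hand is where mistakes happen. The following is an added example (my code, not part of this HOWTO) that reads the column order out of both dumps, reports whether they match, and otherwise emits an INSERT ... SELECT with explicit column names, which does not depend on column order at all. The dump excerpts embedded below are constructed to look like what step 12 writes to /tmp; the old-table order is a plausible v2 layout, not one quoted from the page, while the database and table names (userdb, shibboleth, shibpid) are the HOWTO's own.

```python
import re

# Constructed excerpts of the two mysqldump outputs from step 12. The old
# (IdP v2) column order is a plausible one chosen for the example; the new
# order is the CREATE TABLE of step 9.
OLD_DUMP = """\
-- MySQL dump (constructed excerpt)
-- Host: localhost    Database: userdb
--
-- Table structure for table `shibpid`
--
DROP TABLE IF EXISTS `shibpid`;
CREATE TABLE `shibpid` (
  `localEntity` varchar(255) NOT NULL,
  `peerEntity` varchar(255) NOT NULL,
  `principalName` varchar(50) NOT NULL,
  `localId` varchar(50) NOT NULL,
  `persistentId` varchar(50) NOT NULL,
  `peerProvidedId` varchar(50) DEFAULT NULL,
  `creationDate` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
  `deactivationDate` timestamp NULL DEFAULT NULL,
  PRIMARY KEY (`localEntity`,`peerEntity`,`persistentId`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
"""

NEW_DUMP = """\
-- MySQL dump (constructed excerpt)
-- Host: localhost    Database: shibboleth
--
-- Table structure for table `shibpid`
--
DROP TABLE IF EXISTS `shibpid`;
CREATE TABLE `shibpid` (
  `localEntity` varchar(255) NOT NULL,
  `peerEntity` varchar(255) NOT NULL,
  `persistentId` varchar(50) NOT NULL,
  `principalName` varchar(50) NOT NULL,
  `localId` varchar(50) NOT NULL,
  `peerProvidedId` varchar(50) DEFAULT NULL,
  `creationDate` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
  `deactivationDate` timestamp NULL DEFAULT NULL,
  PRIMARY KEY (`localEntity`,`peerEntity`,`persistentId`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
"""

# The CREATE TABLE body runs from the opening "(" to the ")" that starts a line.
CREATE_TABLE_RE = re.compile(r"CREATE TABLE `shibpid` \((.*?)\n\)", re.S)
# Column definitions are the lines that begin with a backticked name; the
# PRIMARY KEY line does not, so it is skipped.
COLUMN_RE = re.compile(r"^\s*`([^`]+)`", re.M)


def column_order(dump_text):
    """Return the shibpid column names in the order the dump declares them."""
    match = CREATE_TABLE_RE.search(dump_text)
    if match is None:
        raise ValueError("no CREATE TABLE `shibpid` found in dump")
    return COLUMN_RE.findall(match.group(1))


def order_matches(old_cols, new_cols):
    """True only if both tables have the same columns in the same order, which is
    the precondition for loading the old dump's INSERT statements unchanged."""
    return old_cols == new_cols


def build_insert_select(old_cols, new_cols, old_db="userdb", new_db="shibboleth"):
    """Build a column-named copy statement that is independent of column order.

    Returns (sql, missing): missing lists new-table columns the old table lacks;
    they would receive their defaults, so any NOT NULL column without a default
    must be reviewed before running the statement.
    """
    common = [c for c in new_cols if c in old_cols]
    missing = [c for c in new_cols if c not in old_cols]
    cols = ", ".join(f"`{c}`" for c in common)
    sql = (f"INSERT INTO `{new_db}`.`shibpid` ({cols}) "
           f"SELECT {cols} FROM `{old_db}`.`shibpid`;")
    return sql, missing


if __name__ == "__main__":
    old, new = column_order(OLD_DUMP), column_order(NEW_DUMP)
    if order_matches(old, new):
        print("column order matches: the dump can be imported as-is")
    else:
        print("column order differs:")
        print("  userdb.shibpid    :", ", ".join(old))
        print("  shibboleth.shibpid:", ", ".join(new))
        sql, missing = build_insert_select(old, new)
        print("order-independent alternative:\n ", sql)
        if missing:
            print("  columns absent in the old table:", ", ".join(missing))
```

With the real files, read /tmp/userdb_shibpid.sql and /tmp/shibboleth_shibpid.sql in place of the constructed strings. The INSERT ... SELECT route needs the old userdb to still exist on the same server, which it does until step 25 removes it, and it leaves the dump untouched, so steps a) to d) become unnecessary.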
HOWTO Upgrade Shibboleth IdP from V2 to V3 on Ubuntu Linux
31 July 2015
Authors: Marco Malavolti, Andrea Biancini

Index
1) Introduction
2) Packages required
3) Software required
4) Installation
4.1) Download and install the new Shibboleth IdP v3.2.1
4.2) Configure the new IdP without breaking the previous IdP

1 Introduction

This is a HOWTO for users who want to upgrade their Shibboleth Identity Provider from version 2.x to version 3.x on an Ubuntu Linux machine with a configuration where an Apache2 server is placed as front end of a Tomcat server that deploys the IdP application. In this HOWTO we will upgrade a Shibboleth Identity Provider on an Ubuntu 12.04 machine with its own local OpenLDAP system used to manage the users.

2 Packages required

• ntp
• vim
• Java 7 JDK (Oracle or OpenJDK)
• wget

3 Software required

• Shibboleth Identity Provider v2.x
• Tomcat (7 or 8)
• (Apache2)

4 Installation

4.1 Download and install the new Shibboleth IdP v3.2.1

1. Be sure that no other Tomcat instance is running:
   • ps aux | grep tomcat
2. If Tomcat is running, stop it with:
   • service tomcat7 stop OR kill -9 #TOMCAT-INSTANCE-ID#
3. Be sure to use the Oracle JDK or the OpenJDK Development Kit (JDK) 7 or 8:
   • sudo update-alternatives --config java
4. Download and install Shibboleth IdP v3.2.1:
   • cd /usr/local/src
   • wget http://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-3.2.1.tar.gz
   • tar xzvf shibboleth-identity-provider-3.2.1.tar.gz
   • cd shibboleth-identity-provider-3.2.1
   • hostname -f (to remember your FQDN)
   • ./bin/install.sh (follow the instructions and keep the same installation location as the IdP v2.x)
   (The old configuration files will be stored in the directory "conf.v2" inside the IdP installation path)

4.2 Configure the new IdP without breaking the previous IdP

1. The entityID of the new IdP MUST BE EQUAL to that of the old IdP. Verify it in idp-metadata.xml and in the idp.properties file:
   # Set the entityID of the IdP
   idp.entityID= https://...
2. Change the privileges in the right way (N == 7 or 8):
   • chown -R tomcatN /opt/shibboleth-idp/logs/
   • chown -R tomcatN /opt/shibboleth-idp/metadata/
   • chown -R tomcatN /opt/shibboleth-idp/credentials/
   • chown -R tomcatN /opt/shibboleth-idp/conf/
3. Create the Tomcat context descriptor that deploys the IdP application:
   • vim /etc/tomcatN/Catalina/localhost/idp.xml
   <Context docBase="/opt/shibboleth-idp/war/idp.war" privileged="true" antiResourceLocking="false" swallowOutput="true" />
4. Install the MySQL JDBC driver (only if not already present):
   • sudo apt-get install libmysql-java
5. Insert the MySQL JDBC libraries at the right place:
   • cd /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
   • ln -s /usr/share/java/mysql-connector-java.jar
   • ln -s /usr/share/tomcatN/lib/tomcat-jdbc.jar
   • cd /usr/share/tomcatN/lib/
   • ln -s /usr/share/java/mysql-connector-java.jar
6. Install the Commons DBCP2 libraries used to generate the saml-id:
   • cd /usr/local/src/
   • wget http://mirrors.muzzy.it/apache//commons/dbcp/binaries/commons-dbcp2-2.1.1-bin.tar.gz
   • tar xzvf commons-dbcp2-2.1.1-bin.tar.gz ; cd commons-dbcp2-2.1.1/
   • cp commons-dbcp2-2.1.1.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
7. Install the Commons Pool2 libraries used to generate the saml-id:
   • cd /usr/local/src/
   • wget http://mirror.nohup.it/apache//commons/pool/binaries/commons-pool2-2.4.2-bin.tar.gz
   • tar xzvf commons-pool2-2.4.2-bin.tar.gz ; cd commons-pool2-2.4.2/
   • cp commons-pool2-2.4.2.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
8. Build idp.war with the new libraries:
   • cd /opt/shibboleth-idp/ ; ./bin/build.sh
9. Create a new MySQL DB compliant with the new IdP:
   • mysql -u root -p
   • mysql> SET NAMES 'utf8';
   • mysql> SET CHARACTER SET utf8;
   • mysql> CHARSET utf8;
   • mysql> CREATE DATABASE IF NOT EXISTS shibboleth CHARACTER SET=utf8;
   • mysql> GRANT ALL PRIVILEGES ON shibboleth.* TO root@localhost IDENTIFIED BY 'yourPassword';
   • mysql> USE shibboleth;
   • mysql> CREATE TABLE shibpid
       -> (
       -> localEntity VARCHAR(255) NOT NULL,
       -> peerEntity VARCHAR(255) NOT NULL,
       -> persistentId VARCHAR(50) NOT NULL,
       -> principalName VARCHAR(50) NOT NULL,
       -> localId VARCHAR(50) NOT NULL,
       -> peerProvidedId VARCHAR(50) NULL,
       -> creationDate TIMESTAMP NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
       -> deactivationDate TIMESTAMP NULL default NULL,
       -> PRIMARY KEY (localEntity, peerEntity, persistentId)
       -> );
   • mysql> CREATE TABLE StorageRecords
       -> (
       -> context VARCHAR(255) NOT NULL,
       -> id VARCHAR(255) NOT NULL,
       -> expires BIGINT(20) DEFAULT NULL,
       -> value LONGTEXT NOT NULL,
       -> version BIGINT(20) NOT NULL,
       -> PRIMARY KEY (context, id)
       -> );
   • quit;
10. Create a new "idem" user with password "demo" that can access and modify the "shibboleth" DB (the user "idem" and the password "demo" MUST BE CHANGED):
   • mysql -u root -p
   • mysql> USE mysql;
   • mysql> CREATE USER idem;
   • mysql> GRANT ALL PRIVILEGES ON shibboleth.* TO 'idem'@'localhost' IDENTIFIED BY 'demo';
   • mysql> FLUSH PRIVILEGES;
   • mysql> quit;
11. Restart the mysql server:
   • service mysql restart
12. Save a DUMP of the "shibpid" table of the "userdb" DB and of the "shibboleth" DB:
   • cd /tmp
   • mysqldump -u root -p userdb shibpid > userdb_shibpid.sql
   • mysqldump -u root -p shibboleth shibpid > shibboleth_shibpid.sql
13. Import the previous values of the userdb.shibpid table into the new shibboleth.shibpid. Be careful about the order of the fields! They MUST BE IN THE SAME ORDER! Follow these instructions to avoid mistakes:
   a) vim userdb_shibpid.sql
   b) Change the DB name to "shibboleth". You can find it in the first lines of the DUMP.
   c) From the "shibboleth_shibpid.sql" DUMP copy all the code for "Table structure for table `shibpid`" and put it into "userdb_shibpid.sql" under the one already there.
   d) Change the order of the fields in the code just pasted so that the fields of "userdb_shibpid" and "shibboleth_shibpid" are in the same order.
   e) Delete the "Table structure for table `shibpid`" of "userdb".
   f) Save and import the values into the new "shibboleth" DB:
      ◦ mysql -u root -p shibboleth < userdb_shibpid.sql
14. Enable JPAStorageService for the StorageService:
   • vim /opt/shibboleth-idp/conf/global.xml
   (add the following code, with the right parameters for the database "shibboleth", at the tail)

   <bean id="shibboleth.JPAStorageService"
         class="org.opensaml.storage.impl.JPAStorageService"
         p:cleanupInterval="%{idp.storage.cleanupInterval:PT10M}"
         c:factory-ref="shibboleth.JPAStorageService.entityManagerFactory"/>

   <bean id="shibboleth.JPAStorageService.entityManagerFactory"
         class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
       <property name="packagesToScan" value="org.opensaml.storage.impl"/>
       <property name="dataSource" ref="shibboleth.JPAStorageService.DataSource"/>
       <property name="jpaVendorAdapter" ref="shibboleth.JPAStorageService.JPAVendorAdapter"/>
       <property name="jpaDialect">
           <bean class="org.springframework.orm.jpa.vendor.HibernateJpaDialect" />
       </property>
   </bean>

   <bean id="shibboleth.JPAStorageService.JPAVendorAdapter"
         class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
       <property name="database" value="MYSQL" />
   </bean>

   <!-- The '&' in the JDBC URL must be written as '&amp;' inside an XML attribute -->
   <bean id="shibboleth.JPAStorageService.DataSource"
         class="org.apache.tomcat.jdbc.pool.DataSource" destroy-method="close" lazy-init="true"
         p:driverClassName="com.mysql.jdbc.Driver"
         p:url="jdbc:mysql://localhost:3306/shibboleth?autoReconnect=true&amp;sessionVariables=wait_timeout=31536000"
         p:validationQuery="SELECT 1;"
         p:username="idem"
         p:password="demo"/>

   • Change the IdP properties in the right way:
     ◦ vim /opt/shibboleth-idp/conf/idp.properties
       idp.session.StorageService = shibboleth.JPAStorageService
       idp.consent.StorageService = shibboleth.JPAStorageService
       idp.replayCache.StorageService = shibboleth.JPAStorageService
       idp.artifact.StorageService = shibboleth.JPAStorageService
15. Enable SAML2 support by changing idp-metadata.xml and disable the deprecated SAML v1.x support:
   • vim /opt/shibboleth-idp/metadata/idp-metadata.xml
   STRINGS TO REMOVE:
   – urn:oasis:names:tc:SAML:1.1:protocol
   – urn:mace:shibboleth:1.0
   – The whole endpoint with Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" (and adjust the index of the following one accordingly)
   – <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
   – The whole endpoint with Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" (and adjust the index of the following one accordingly)
   – 8443 (everywhere, because that port is no longer used)
   IN THE ATTRIBUTE-AUTHORITY SECTION:
   – Replace "urn:oasis:names:tc:SAML:1.1:protocol" with "urn:oasis:names:tc:SAML:2.0:protocol", uncomment the SAML2 AttributeService and comment out/remove the SAMLv1 one.
16. Configure the IdP to retrieve the IDEM Test Federation metadata:
   • cd /opt/shibboleth-idp/conf
   • cp metadata-providers.xml metadata-providers.xml.old
   • cp /opt/shibboleth-idp/dist/conf/metadata-providers.xml.dist metadata-providers.xml
   • vim metadata-providers.xml

   <MetadataProvider id="URLMD-IDEM-Federation"
                     xsi:type="FileBackedHTTPMetadataProvider"
                     backingFile="%{idp.home}/metadata/idem-test-metadata-sha256.xml"
                     metadataURL="http://www.garr.it/idem-metadata/idem-test-metadata-sha256.xml">
       <!-- Verify the signature on the root element of the metadata aggregate
            using a trusted metadata signing certificate. -->
       <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
                       certificateFile="${idp.home}/metadata/idem_signer_2019.pem"/>
       <!-- Require a validUntil XML attribute on the root element and make sure
            its value is no more than 14 days into the future. -->
       <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D"/>
       <!-- Consume all SP metadata in the aggregate -->
       <MetadataFilter xsi:type="EntityRoleWhiteList">
           <RetainedRole>md:SPSSODescriptor</RetainedRole>
       </MetadataFilter>
   </MetadataProvider>

17. Insert IDEM's metadata signing certificate in /opt/shibboleth-idp/metadata/idem_signer_2019.pem:
   • wget https://idem.garr.it/documenti/doc_download/321-idem-metadata-signer2019 -O /opt/shibboleth-idp/metadata/idem_signer_2019.pem
18. Configure authentication against the OpenLDAP server:
   • cd /opt/shibboleth-idp/conf/
   • cp ldap.properties ldap.properties.old
   • cp /opt/shibboleth-idp/dist/conf/ldap.properties.dist ldap.properties
   • vim /opt/shibboleth-idp/conf/ldap.properties
   (with the *TLS solutions, remember to put the LDAP server certificate into /opt/shibboleth-idp/credentials and to give the right privileges to the tomcatN user: 'chown tomcatN ldap-server.crt')
   ◦ Solution 1: LDAP with STARTTLS:
     idp.authn.LDAP.authenticator = bindSearchAuthenticator
     idp.authn.LDAP.ldapURL = ldap://ldap.example.garr.it:389
     idp.authn.LDAP.useStartTLS = true
     idp.authn.LDAP.useSSL = false
     idp.authn.LDAP.sslConfig = certificateTrust
     idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
     idp.authn.LDAP.baseDN = ou=people,dc=example,dc=garr,dc=it
     idp.authn.LDAP.userFilter = (uid={user})
     idp.authn.LDAP.bindDN = cn=admin,dc=example,dc=garr,dc=it
     idp.authn.LDAP.bindDNCredential = ###LDAP ADMIN PASSWORD###
   ◦ Solution 2: LDAP with TLS/SSL:
     idp.authn.LDAP.authenticator = bindSearchAuthenticator
     idp.authn.LDAP.ldapURL = ldaps://ldap.example.garr.it
     idp.authn.LDAP.useStartTLS = false
     idp.authn.LDAP.useSSL = true
     idp.authn.LDAP.sslConfig = certificateTrust
     idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
     idp.authn.LDAP.baseDN = ou=people,dc=example,dc=garr,dc=it
     idp.authn.LDAP.userFilter = (uid={user})
     idp.authn.LDAP.bindDN = cn=admin,dc=example,dc=garr,dc=it
     idp.authn.LDAP.bindDNCredential = ###LDAP ADMIN PASSWORD###
   ◦ Solution 3: LDAP plain (bind credentials and user passwords cross the network unencrypted):
     idp.authn.LDAP.authenticator = bindSearchAuthenticator
     idp.authn.LDAP.ldapURL = ldap://ldap.example.garr.it:389
     idp.authn.LDAP.useStartTLS = false
     idp.authn.LDAP.useSSL = false
     idp.authn.LDAP.baseDN = ou=people,dc=example,dc=garr,dc=it
     idp.authn.LDAP.userFilter = (uid={user})
     idp.authn.LDAP.bindDN = cn=admin,dc=example,dc=garr,dc=it
     idp.authn.LDAP.bindDNCredential = ###LDAP ADMIN PASSWORD###
   If you decide to use solution 3, you have to remove the following code from your attribute-resolver-full.xml:

       </dc:FilterTemplate>
       <!--
       <dc:StartTLSTrustCredential id="LDAPtoIdPCredential" xsi:type="sec:X509ResourceBacked">
           <sec:Certificate>%{idp.attribute.resolver.LDAP.trustCertificates}</sec:Certificate>
       </dc:StartTLSTrustCredential>
       -->
   </resolver:DataConnector>

   UTILITY FOR OPENLDAP ADMINISTRATORS:
   ◦ ldapsearch -H ldap:// -x -b "dc=example,dc=garr,dc=it" -LLL dn
     ▪ baseDN ==> ou=people,dc=example,dc=garr,dc=it (branch containing the registered users)
     ▪ bindDN ==> cn=admin,dc=example,dc=garr,dc=it (distinguished name of the user that can run queries on the LDAP)
   • Enrich idp-process.log with the authentication errors produced on the LDAP:
     ◦ vim /opt/shibboleth-idp/conf/logback.xml
       <!-- Logs LDAP related messages -->
       <logger name="org.ldaptive" level="${idp.loglevel.ldap:-WARN}"/>
       <!-- Logs on LDAP user authentication -->
       <logger name="org.ldaptive.auth.Authenticator" level="INFO" />
   • Define the attributes supported by the IdP:
     ◦ vim /opt/shibboleth-idp/conf/services.xml
       <value>%{idp.home}/conf/attribute-resolver.xml</value>
       must become:
       <value>%{idp.home}/conf/attribute-resolver-full.xml</value>
     ◦ vim /opt/shibboleth-idp/conf/attribute-resolver-full.xml
       ▪ Remove the comment from these sections:
         • Schema: Core Schema attributes
         • Schema: InetOrgPerson attributes
         • Schema: eduPerson attributes
       ▪ Remove the comment from the LDAP Connector that you configured with ldap.properties
       ▪ Enable the generation of the persistent-id:
         • vim /opt/shibboleth-idp/conf/saml-nameid.properties
         (the sourceAttribute MUST BE an attribute, or a comma-separated list of attributes, whose values uniquely identify the user. Its value MUST BE STABLE, PERMANENT and NOT REASSIGNABLE.)

           # Comment out to disable legacy NameID generation via Attribute Resolver
           #idp.nameid.saml2.legacyGenerator= shibboleth.LegacySAML2NameIDGenerator
           #idp.nameid.saml1.legacyGenerator= shibboleth.LegacySAML1NameIdentifierGenerator
           idp.persistentId.sourceAttribute = uid
           …
           idp.persistentId.algorithm = SHA
           idp.persistentId.salt = ## SALT TAKEN FROM THE PREVIOUS ATTRIBUTE RESOLVER ##
           …
           idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
           idp.persistentId.dataSource = PersistentIdDataSource
           …
           idp.persistentId.store = MyPersistentIdStore
           idp.persistentId.computed = shibboleth.ComputedPersistentIdGenerator

         • vim /opt/shibboleth-idp/conf/saml-nameid.xml
         Remove the comment from:
           <ref bean="shibboleth.SAML2PersistentGenerator" />
         Add at the head (after the first comment):

           <!-- A DataSource bean suitable for use in the idp.persistentId.dataSource property. -->
           <bean id="MyDataSource" class="org.apache.commons.dbcp2.BasicDataSource"
                 p:driverClassName="com.mysql.jdbc.Driver"
                 p:url="jdbc:mysql://localhost:3306/shibboleth?autoReconnect=true"
                 p:username="idem"
                 p:password="demo"
                 p:maxIdle="5"
                 p:maxWaitMillis="15000"
                 p:testOnBorrow="true"
                 p:validationQuery="select 1"
                 p:validationQueryTimeout="5" />

           <!-- A "store" bean suitable for use in the idp.persistentId.store property.
                 -->
                 <bean id="MyPersistentIdStore" parent="shibboleth.JDBCPersistentIdStore"
                       p:dataSource-ref="MyDataSource"
                       p:queryTimeout="PT2S"
                       p:retryableErrors="#{{'23000'}}" />

         ▪ Change the subject-c14n for the management of the SAML2 PersistentID:
             • vim /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
                 ◦ Remove the comment from the bean "c14n/SAML2Persistent"

         ▪ Change the Default RelyingParty to be able to release the persistent-id to all without limitation:
             • cd /opt/shibboleth-idp/conf
             • cp relying-party.xml relying-party.xml.old
             • cp /opt/shibboleth-idp/dist/conf/relying-party.xml.dist relying-party.xml
             • vim /opt/shibboleth-idp/conf/relying-party.xml

                 <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
                     <property name="profileConfigurations">
                         <list>
                             <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
                             <ref bean="SAML1.AttributeQuery" />
                             <ref bean="SAML1.ArtifactResolution" />
                             <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release"
                                   p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
                             <ref bean="SAML2.ECP" />
                             <ref bean="SAML2.Logout" />
                             <ref bean="SAML2.AttributeQuery" />
                             <ref bean="SAML2.ArtifactResolution" />
                             <ref bean="Liberty.SSOS" />
                         </list>
                     </property>
                 </bean>

19. Translate the Login, the Consent and the Terms of Use pages into your preferred language:
   • Open the page containing the translated files: CLICK HERE
   • Retrieve the 3 files for your language and put them into /opt/shibboleth-idp/messages
   • Restart Tomcat8:
     ◦ service tomcat8 restart

20. Delete the "endorsed" directory from Tomcat (if present):
   • rm -f /usr/share/tomcatN/endorsed

21. Enable the AJP connector on port 8009 (if not already enabled):
   • vim /etc/tomcatN/server.xml
       <!-- Define an AJP 1.3 Connector on port 8009 -->
       <Connector port="8009" protocol="AJP/1.3" redirectPort="443" address="127.0.0.1"
                  enableLookups="false" tomcatAuthentication="false" />

22. Enable the usage of the new version of "relying-party.xml" and "metadata-providers.xml":
   • vim $IDP_HOME/conf/services.properties
       ...
       idp.service.relyingparty.resources = shibboleth.RelyingPartyResolverResources
       ...

23. Recover the metadata certificates:
   • cd /opt/shibboleth-idp/credentials
   • ln -s idp.crt idp-signing.crt
   • ln -s idp.crt idp-encryption.crt
   • ln -s idp.key idp-signing.key
   • ln -s idp.key idp-encryption.key

24. Start Tomcat and check that the IdP Metadata Page appears:
   • service tomcatN start
   • https://#YOUR.IDP.FQDN#/idp/shibboleth

25. Try to access https://sp24-test.garr.it/secure and, if all is OK, delete the old "userdb" from your MySQL server.
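To verify the idp-metadata.xml edits of step 15, here is an added Python check (not part of the original HOWTO) that parses the file and lists every SAML v1.x leftover the step says to remove: the legacy protocols, the two legacy bindings, the legacy NameIDFormat, port 8443 in any Location, and index values no longer consecutive after an endpoint was removed. The two metadata samples embedded in it are constructed, not taken from a real IdP.

```python
import xml.etree.ElementTree as ET

LEGACY_PROTOCOLS = ("urn:oasis:names:tc:SAML:1.1:protocol", "urn:mace:shibboleth:1.0")
LEGACY_BINDINGS = ("urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",
                   "urn:mace:shibboleth:1.0:profiles:AuthnRequest")
LEGACY_NAMEID = "urn:mace:shibboleth:1.0:nameIdentifier"

# Constructed sample: a pre-upgrade IDPSSODescriptor with all the leftovers still present.
SAMPLE_LEGACY = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.garr.it/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:2.0:protocol">
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.example.garr.it:8443/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/>
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.garr.it:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/>
    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
    <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://idp.example.garr.it/idp/profile/Shibboleth/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample: the same descriptor after step 15 (SAML2 only, index renumbered, no 8443).
SAMPLE_CLEAN = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.garr.it/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.garr.it/idp/profile/SAML2/SOAP/ArtifactResolution" index="1"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.garr.it/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def legacy_leftovers(metadata_xml: str) -> list:
    """Return one finding per SAML v1.x leftover in the metadata; an empty list means clean."""
    root = ET.fromstring(metadata_xml)
    findings, indexed = [], {}
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]  # strip the {namespace} prefix ElementTree adds
        for proto in elem.get("protocolSupportEnumeration", "").split():
            if proto in LEGACY_PROTOCOLS:
                findings.append(f"{tag}: legacy protocol {proto}")
        if elem.get("Binding") in LEGACY_BINDINGS:
            findings.append(f"{tag}: legacy binding {elem.get('Binding')}")
        if tag == "NameIDFormat" and (elem.text or "").strip() == LEGACY_NAMEID:
            findings.append(f"NameIDFormat: {LEGACY_NAMEID}")
        if ":8443/" in elem.get("Location", ""):
            findings.append(f"{tag}: port 8443 still used in {elem.get('Location')}")
        if elem.get("index") is not None:  # collect indexes per endpoint type
            indexed.setdefault(tag, []).append(int(elem.get("index")))
    for tag, idxs in indexed.items():  # step 15: renumber after removing an endpoint
        if sorted(idxs) != list(range(1, len(idxs) + 1)):
            findings.append(f"{tag}: index values {sorted(idxs)} are not consecutive from 1")
    return findings


if __name__ == "__main__":
    print(*legacy_leftovers(SAMPLE_LEGACY), sep="\n")  # the clean sample prints nothing
```

Run it against the real file with `legacy_leftovers(open("/opt/shibboleth-idp/metadata/idp-metadata.xml").read())`; the step is complete when the list is empty.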
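Step 18 above copies the salt of the v2 attribute resolver into idp.persistentId.salt and keeps algorithm SHA over the uid. This added Python example (not from the original HOWTO) reproduces the computed persistent-id construction that Shibboleth uses (SHA-1 over SP entityID, '!', source attribute value, '!', salt, Base64-encoded) to show why the salt must be carried over: with a different salt every user gets a new identifier at every SP, so the accounts SPs already hold stop matching. The SP entityID, the salts and the uid values are constructed, not taken from any real deployment.

```python
import base64
import hashlib

# Constructed values: the entityID of the test SP from step 25 is assumed, and both salts
# are placeholders (the real one is the salt taken from the v2 attribute-resolver.xml).
SP_ENTITY_ID = "https://sp24-test.garr.it/shibboleth"
V2_SALT = b"constructed-salt-copied-from-v2-resolver"
WRONG_SALT = b"constructed-freshly-generated-salt"
USERS = ["mrossi", "gbianchi", "lverdi"]  # constructed uid values


def computed_persistent_id(sp_entity_id: str, source_value: str, salt: bytes) -> str:
    """Computed persistent-id as Shibboleth builds it (v2 ComputedId data connector and
    v3 ComputedPersistentIdGenerator alike): SHA-1 over
    spEntityID + '!' + sourceAttributeValue + '!' + salt, Base64-encoded.
    'SHA' in saml-nameid.properties is the Java name for SHA-1. Because the id is a pure
    function of the uid, a uid reassigned to another person maps to the old person's SP
    account, which is why the source attribute must never be reassigned."""
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))  # relying party the id is scoped to
    digest.update(b"!")
    digest.update(source_value.encode("utf-8"))  # value of idp.persistentId.sourceAttribute
    digest.update(b"!")
    digest.update(salt)                           # idp.persistentId.salt
    return base64.b64encode(digest.digest()).decode("ascii")


def ids_changed_by_upgrade(old_salt: bytes, new_salt: bytes, sp_entity_id: str, uids) -> dict:
    """Map uid -> (old id, new id) for every user whose persistent-id at this SP would
    differ after the upgrade. A non-empty result means existing SP accounts no longer match."""
    changed = {}
    for uid in uids:
        before = computed_persistent_id(sp_entity_id, uid, old_salt)
        after = computed_persistent_id(sp_entity_id, uid, new_salt)
        if before != after:
            changed[uid] = (before, after)
    return changed


if __name__ == "__main__":
    # Salt preserved from the v2 resolver: every SP keeps seeing the same identifier.
    print("salt preserved, changed ids:", ids_changed_by_upgrade(V2_SALT, V2_SALT, SP_ENTITY_ID, USERS))
    # Fresh salt: every user gets a new identifier at every SP.
    for uid, (old, new) in ids_changed_by_upgrade(V2_SALT, WRONG_SALT, SP_ENTITY_ID, USERS).items():
        print(f"{uid}: {old} -> {new}")
```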