Versionen im Vergleich

Alte Version 12

changes.mady.by.user Peter Brand

Gespeichert am

verglichen mit

Neue Version Aktuell

changes.mady.by.user Peter Brand

Gespeichert am

Schlüssel

  • Diese Zeile wurde hinzugefügt.
  • Diese Zeile wurde entfernt.
  • Formatierung wurde geändert.
Kommentar: rm links to old TCS supplieer

...

Hinweis
iconfalse
titleThis Guide assumes
  • A fresh, minimal (e.g. netinst.iso) install of Debian 12 ("Bookworm") with no "tasks" except openssh-server
    • Unfortunately Ubuntu 24.04 LTS ("Noble Numbat") Server works the same as Debian 12 for the purpose of this guidecan no longer be recommended, see the warning on the page Shibboleth IDP 5.
  • Accessed via SSH or the console (no GUI/X11/wayland required and certainly not recommended),
  • Correct server time configuration using NTP (e.g. using systemd-timesyncd or ntpd)
  • Packet filters or firewall rules in place, e.g.:
    • With outgoing(ports TCP/80 and TCP/443) network access:
      • Port 80 for Debian APT updates, i.e., for downloading signed software packages
      • Port 80 and 443 for downloading cryptographically signed eduID.at Metadata documents.
      • Port 443 is also needed for downloads of the Shibboleth IDP software or additional modules
      • With local authentication the IDP will likely also need to connect to your LDAP Directory Servers for authentication and attribute lookup,
        • either on the standard port TCP/389 for LDAP(+STARTTLS),
        • or on port TCP/636 for LDAPS (which which no formal specification exists),
        • or maybe on the "global catalog" port of your Microsoft Active Directory (only if it's necessary you access that).
      • For access to NTP services you also need outgoing connectivity to the configured NTP servers (e.g. ACOnet's)
    • And incoming HTTPS access on port TCP/443 only. Noone needs to access your IDP by manually entering its URL, so no need to even have the IDP listening on TCP/80 publically, and therefore also no need for a redirect from TCP/80 to TCP/443.
      • Also, if the server is managed via SSH you'll need to allow access to port TCP/22, though only from a secured management network.
  • All commands in this guide to be issued by user root (uid=0) so sudo -s first as needed.
  • The shell used is /bin/bash (you can get fancy with fish/zsh/etc. after finishing the install/configuration if you want)
  • Use of systemd for service management, in order to use the amended service unit contained in this documentation.

...

Equipped with the CSR you can now request a TLS certificate based from your CA, e.g. using the using ACOnet TCS supplier. Once the certificate has been issued copy it to the IDP server as webserver.crt.
You'll also need to copy any intermediary Certificate Authority (CA) certificates to the IDP server.

Info

In case of ACOnet TCS, Sectigo and an RSA OV certificate the only intermediate CA certificate you'll need is the one with the subject "C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4", referenced as file GEANT-OV-RSA-CA-4.crt below.

Convert the TLS/SSL keypair into PKCS12

!

Convert the TLS/SSL keypair into PKCS12

Copy the private key, new TLS certificate and any intermediate Copy the private key, new TLS certificate and any intermediate CA certificates into a PKCS#12 keystore file:

Kein Format
openssl pkcs12 -export -in webserver.crt -inkey webserver.key -certfile GEANTMATCHING-OV-RSAINTERMEDIATE-CA-4CERTS.crt -name webserver -out webserver.p12

...

Kein Format
openssl s_client -CApath /etc/ssl/certs/ -connect webserver-fqdn:443 2>&1 </dev/null | grep -A8 "^Certificate chain"[si]:

and verify that it looks something like the "Certificate chain" presented below. The Subject of cert 0 will obviously differ, and depending on your choice of CA or certificate product the CA or certificate chain may also be different. A correct chain (and therfore PKCS#12 keystore) for TLS usage should contain all the certificates up until but excluding the root CA certificate. I.e, in the example below the certificate with CN = USERTrust RSA Certification Authority is Hellenic Academic and Research Institutions RootCA 2015 is not included in the chain sent from the server (but must be known by the web browser):(but must be known by the web browser).

Kein Format
 0 s:C = AT, ST = Wien, O = Universit\C3\A4t Wien, CN = idp.aco.net                  
   i:C = GR, O = Hellenic Academic and Research Institutions CA, CN = GEANT TLS RSA 1
 1 s:C = GR, O = Hellenic Academic and Research Institutions CA, CN = GEANT TLS RSA 1
Kein Format
Certificate chain
 0 s:C = AT, postalCode = 1010, ST = Wien, L = Wien, street = Universitaetsstrasse 7, O = ACOnet, CN = idp.aco.net
   i:C = NLGR, O = GEANT VerenigingHellenic Academic and Research Institutions CA, CN = GEANTHARICA OVTLS RSA Root CA 42021
 12 s:C = NLGR, O = GEANT Vereniging Hellenic Academic and Research Institutions CA, CN = GEANTHARICA OVTLS RSA Root CA 42021
   i:C = USGR, STL = New JerseyAthens, LO = JerseyHellenic City,Academic Oand =Research TheInstitutions USERTRUSTCert. NetworkAuthority, CN = USERTrust RSA Certification Authority Hellenic Academic and Research Institutions RootCA 2015

In case of errors check the output of "journalctl -u tomcat10 -ef".

...

Debian's Tomcat comes with an almost-usable systemd service that needs to be amended in order to:

  1. Avoid the systemd-house-of-horror that's still all too common with Tomcat/Java packaging
  2. Avoid slow startup times due to use of a blocking /dev/random (cf. Myths about urandom, also linked to from the Shib wiki).
  3. Allow the IDP application to write logs and metadata to the filesystem as needed (by adding more ReadWritePaths)
  4. Try avoiding the creation of catalina.out (we already have its content in journald using this configuration)

And since we're creating an override for the OS-supplied systemd service unit anyway we'll also set the maximum memory usage there ("-Xmx3gXmx4g" in the example below, i.e., 3GB).
Adjust this as needed, but 3- 4GB should be sufficient even for large metadata aggregates (as are common with Interfederation). Also leave a bit of RAM for the OS. (Not that you should be running anything else on an IDP server.)

Codeblock
languagebash
install -o root -g root -m 0755 -d /etc/systemd/system/tomcat10.service.d

cat <<'EOF' > /etc/systemd/system/tomcat10.service.d/override.conf
[Service]
Environment="CATALINA_OUT=/dev/null"
Environment="JAVA_OPTS=-Djava.security.egd=file:/dev/urandom -Djava.awt.headless=true -Xmx3gXmx4g"
Environment="JSSE_OPTS=-Djdk.tls.ephemeralDHKeySize=2048"
ExecStart=
ExecStart=/usr/bin/java \
  $JAVA_OPTS $JSSE_OPTS \
  -classpath ${CATALINA_HOME}/bin/bootstrap.jar:${CATALINA_HOME}/bin/tomcat-juli.jar \
  -Dcatalina.base=${CATALINA_BASE} \
  -Dcatalina.home=${CATALINA_HOME} \
  -Djava.util.logging.config.file=${CATALINA_BASE}/conf/logging.properties \
  -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \
  -Djava.io.tmpdir=${CATALINA_TMPDIR} \
  org.apache.catalina.startup.Bootstrap
ReadWritePaths=/var/log/shibboleth/
ReadWritePaths=/opt/shibboleth-idp/logs/
ReadWritePaths=/opt/shibboleth-idp/metadata/
EOF

...