Setting up test Shibboleth IdP 4.2.1 instance
Mathew, Sunil
smathew at hbs.edu
Tue Sep 20 20:47:27 UTC 2022
Hi,
I am setting up a test instance of Shibboleth IdP 4.2.1 on Red Hat Linux VM following the steps here:
https://github.com/ConsortiumGARR/idem-tutorials/blob/master/idem-fedops/HOWTO-Shibboleth/Identity%20Provider/CentOS/HOWTO%20Install%20and%20Configure%20a%20Shibboleth%20IdP%20v4.x%20on%20CentOS%20with%20Apache2%20%2B%20Jetty9.md
Jetty seems to be working fine.
# curl http://127.0.0.1:8080/idp/status
### Operating Environment Information
operating_system: Linux
operating_system_version: 4.18.0-372.19.1.el8_6.x86_64
operating_system_architecture: amd64
jdk_version: 11.0.16
available_cores: 4
used_memory: 229 MB
maximum_memory: 2048 MB
### Identity Provider Information
idp_version: 4.2.1
start_time: 2022-09-20T17:53:27.082Z
current_time: 2022-09-20T19:31:40.291983Z
uptime: PT1H38M13.209S
enabled modules:
idp.authn.Password (Password Authentication)
idp.admin.Hello (Hello World)
installed plugins:
service: shibboleth.LoggingService
last successful reload attempt: 2022-09-20T17:53:22.156155Z
last reload attempt: 2022-09-20T17:53:22.156155Z
service: shibboleth.AttributeFilterService
last successful reload attempt: 2022-09-20T17:53:25.401245Z
last reload attempt: 2022-09-20T17:53:25.401245Z
service: shibboleth.AttributeResolverService
last successful reload attempt: 2022-09-20T17:53:25.517952Z
last reload attempt: 2022-09-20T17:53:25.517952Z
No Data Connector has ever failed
service: shibboleth.AttributeRegistryService
last successful reload attempt: 2022-09-20T17:53:24.896078Z
last reload attempt: 2022-09-20T17:53:24.896078Z
service: shibboleth.NameIdentifierGenerationService
last successful reload attempt: 2022-09-20T17:53:25.608027Z
last reload attempt: 2022-09-20T17:53:25.608027Z
service: shibboleth.RelyingPartyResolverService
last successful reload attempt: 2022-09-20T17:53:25.687792Z
last reload attempt: 2022-09-20T17:53:25.687792Z
service: shibboleth.MetadataResolverService
last successful reload attempt: 2022-09-20T17:53:25.151731Z
last reload attempt: 2022-09-20T17:53:25.151731Z
No Metadata Resolver has ever attempted a reload
service: shibboleth.ReloadableAccessControlService
last successful reload attempt: 2022-09-20T17:53:26.145038Z
last reload attempt: 2022-09-20T17:53:26.145038Z
service: shibboleth.ReloadableCASServiceRegistry
last successful reload attempt: 2022-09-20T17:53:26.192165Z
last reload attempt: 2022-09-20T17:53:26.192165Z
service: shibboleth.ManagedBeanService
last successful reload attempt: 2022-09-20T17:53:26.209593Z
last reload attempt: 2022-09-20T17:53:26.209593Z
I have set up Apache HTTP Server as a reverse proxy as per the instructions in the document above:
more 000-sso.hbsstg.org.conf
# This is an example Apache2 configuration for a Shibboleth Identity Provider
# installed with IDEM Tutorials.
#
# Edit this file and:
# - Adjust "idp.example.org" with your IdP Full Qualified Domain Name
# - Adjust "ServerAdmin" email address
# - Adjust "CustomLog" and "ErrorLog" with Apache log files path (there are examples for Debian or CentOS distribution)
# - Adjust "SSLCertificateFile", "SSLCertificateKeyFile" and "SSLCACertificateFile" with the correct file path
# SSL general security improvements should be moved in global settings
# OCSP Stapling, only in httpd/apache >= 2.3.3
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
<VirtualHost *:80>
ServerName "sso.hbsstg.org"
Redirect permanent "/" "https://sso.hbsstg.org/"
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerName sso.hbsstg.org:443
ServerAdmin admin@example.org
# Debian/Ubuntu
CustomLog /var/log/apache2/sso.hbsstg.org.log combined
ErrorLog /var/log/apache2/sso.hbsstg.org-error.log
# Centos
#CustomLog /var/log/httpd/sso.hbsstg.org.log combined
#ErrorLog /var/log/httpd/sso.hbsstg.org-error.log
DocumentRoot /var/www/html/sso.hbsstg.org
SSLEngine On
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
SSLHonorCipherOrder on
# Disallow embedding your IdP's login page within an iframe and
# Enable HTTP Strict Transport Security with a 2 year duration
<IfModule headers_module>
Header set X-Frame-Options DENY
Header set Strict-Transport-Security "max-age=63072000 ; includeSubDomains ; preload"
</IfModule>
# Debian/Ubuntu
SSLCertificateFile /etc/httpd/certs/sso_hbsstg_org.crt
SSLCertificateKeyFile /etc/httpd/certs/sso_hbsstg_org.key
SSLCertificateChainFile /etc/httpd/certs/sso_hbsstg_org_inter.crt
#SSLCertificateChainFile /etc/httpd/certs/__hbsstg_org_interm-2.cer
# ACME-CA or GEANT_OV_RSA_CA_4 (For users who use GARR TCS/Sectigo RSA Organization Validation Secure Server CA)
#SSLCACertificateFile /etc/ssl/certs/ACME-CA.pem
#TODO:
#SSLCACertificateFile /etc/ssl/certs/GEANT_OV_RSA_CA_4.pem
# Centos
#SSLCertificateFile /etc/pki/tls/certs/sso.hbsstg.org.crt
#SSLCertificateKeyFile /etc/pki/tls/private/sso.hbsstg.org.key
# ACME-CA or GEANT_OV_RSA_CA_4 (For users who use GARR TCS/Sectigo RSA Organization Validation Secure Server CA)
#SSLCACertificateFile /etc/pki/tls/certs/ACME-CA.pem
#SSLCACertificateFile /etc/pki/tls/certs/GEANT_OV_RSA_CA_4.pem
<IfModule mod_proxy.c>
ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto "https"
ProxyPass /idp http://localhost:8080/idp retry=5
ProxyPassReverse /idp http://localhost:8080/idp retry=5
<Location /idp>
Require all granted
</Location>
</IfModule>
</VirtualHost>
</IfModule>
# This virtualhost is only here to handle administrative commands for Shibboleth, executed from localhost
<VirtualHost 127.0.0.1:80>
ProxyPass /idp http://localhost:8080/idp retry=5
ProxyPassReverse /idp http://localhost:8080/idp retry=5
<Location /idp>
Require all granted
</Location>
</VirtualHost>
When I try https://sso.hbsstg.org/idp/status in a browser, I get the following error messages in /var/log/apache2/sso.hbsstg.org-error.log:
[Tue Sep 20 15:38:11.634673 2022] [ssl:error] [pid 1403216:tid 140419838465792] (13)Permission denied: [client 10.227.147.169:50290] AH01974: could not connect to OCSP responder 'ocsp.usertrust.com'
[Tue Sep 20 15:38:11.634775 2022] [ssl:error] [pid 1403216:tid 140419838465792] AH01941: stapling_renew_response: responder error
[Tue Sep 20 15:38:11.638356 2022] [ssl:error] [pid 1402919:tid 140419627005696] (13)Permission denied: [client 10.227.147.169:50289] AH01974: could not connect to OCSP responder 'ocsp.usertrust.com'
[Tue Sep 20 15:38:11.638452 2022] [ssl:error] [pid 1402919:tid 140419627005696] AH01941: stapling_renew_response: responder error
[Tue Sep 20 15:38:11.666173 2022] [proxy:error] [pid 1403216:tid 140419838465792] (13)Permission denied: AH00957: HTTP: attempt to connect to 127.0.0.1:8080 (localhost) failed
[Tue Sep 20 15:38:11.666222 2022] [proxy_http:error] [pid 1403216:tid 140419838465792] [client 10.227.147.169:50290] AH01114: HTTP: failed to make connection to backend: localhost
I can see the index page here: https://sso.hbsstg.org
I was wondering if anyone has set up Shibboleth IdP 4.x following the installation instructions described above and what I might be doing wrong. Thanks for your help.
Regards,
Sunil
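The error-log lines quoted in the message, parsed and classified by an added example that is not part of the thread, the IDEM tutorial, or the Shibboleth project: it reads the Apache 2.4 error-log record format, pulls out the errno and AH code of each line, groups the denied outbound connect() attempts by errno so one root cause is reported once rather than once per request, and maps the errno to the checks an administrator would run first. The errno-to-hint table (`ERRNO_HINTS`), the check commands in it, and the code-to-description tables are assumptions of the example, written for a Red Hat host; the sample log is the six lines from the message.

```python
"""Parse Apache error-log lines and explain errno-coded connect() failures.

Added example for this thread, not code from the original message or the IDEM
tutorial. The errno-to-hint table and the check commands are assumptions about
what to verify first on a Red Hat host; the sample log is the lines quoted above.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the six error-log lines quoted in the message.
SAMPLE_LOG = """\
[Tue Sep 20 15:38:11.634673 2022] [ssl:error] [pid 1403216:tid 140419838465792] (13)Permission denied: [client 10.227.147.169:50290] AH01974: could not connect to OCSP responder 'ocsp.usertrust.com'
[Tue Sep 20 15:38:11.634775 2022] [ssl:error] [pid 1403216:tid 140419838465792] AH01941: stapling_renew_response: responder error
[Tue Sep 20 15:38:11.638356 2022] [ssl:error] [pid 1402919:tid 140419627005696] (13)Permission denied: [client 10.227.147.169:50289] AH01974: could not connect to OCSP responder 'ocsp.usertrust.com'
[Tue Sep 20 15:38:11.638452 2022] [ssl:error] [pid 1402919:tid 140419627005696] AH01941: stapling_renew_response: responder error
[Tue Sep 20 15:38:11.666173 2022] [proxy:error] [pid 1403216:tid 140419838465792] (13)Permission denied: AH00957: HTTP: attempt to connect to 127.0.0.1:8080 (localhost) failed
[Tue Sep 20 15:38:11.666222 2022] [proxy_http:error] [pid 1403216:tid 140419838465792] [client 10.227.147.169:50290] AH01114: HTTP: failed to make connection to backend: localhost
"""

# Apache 2.4 error-log shape:
#   [ts] [module:level] [pid N:tid M] (errno)strerror: [client ip:port] AHxxxxx: message
# The errno and client fields are both optional, which is exactly what the sample shows.
LINE_RE = re.compile(
    r"""^\[(?P<ts>[^\]]+)\]\s+
        \[(?P<module>[a-z_]+):(?P<level>[a-z]+)\]\s+
        \[pid\s+(?P<pid>\d+)(?::tid\s+(?P<tid>\d+))?\]\s+
        (?:\((?P<errno>\d+)\)(?P<strerror>[^:]+):\s+)?
        (?:\[client\s+(?P<client>[^\]]+)\]\s+)?
        (?P<code>AH\d{5}):\s+
        (?P<msg>.*)$""",
    re.VERBOSE,
)

# AH codes that mean "the httpd worker itself tried to open an outbound TCP connection" (assumed table).
OUTBOUND_CONNECT_CODES = {
    "AH00957": "mod_proxy connect to backend",
    "AH01974": "mod_ssl connect to OCSP responder (stapling)",
}
# Follow-on messages that only restate the failure logged just before them; they carry no errno.
FOLLOW_ON_CODES = {"AH01941", "AH01114"}

# errno -> (meaning, first checks). Assumed hints, written for RHEL/CentOS with SELinux enforcing.
ERRNO_HINTS: Dict[int, tuple] = {
    13: ("EACCES: the httpd process was refused permission to open the socket. A port that answers "
         "curl from a root shell but gives EACCES inside httpd points to a per-process policy "
         "(on RHEL, SELinux's httpd_can_network_connect boolean is off by default).",
         ["getsebool httpd_can_network_connect",
          "ausearch -m AVC -c httpd -ts recent",
          "setsebool -P httpd_can_network_connect on"]),
    111: ("ECONNREFUSED: nothing is listening at the target address/port.",
          ["ss -ltnp", "curl -sS http://127.0.0.1:8080/idp/status"]),
    110: ("ETIMEDOUT: packets are being dropped on the path (host firewall, egress filtering, routing).",
          ["firewall-cmd --list-all", "curl -m 5 -v https://ocsp.usertrust.com/"]),
}


@dataclass
class LogEntry:
    ts: str
    module: str
    level: str
    pid: int
    errno: Optional[int]
    client: Optional[str]
    code: str
    msg: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Return a LogEntry, or None for lines that are not Apache error-log records."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return LogEntry(
        ts=m["ts"], module=m["module"], level=m["level"], pid=int(m["pid"]),
        errno=int(m["errno"]) if m["errno"] else None,
        client=m["client"], code=m["code"], msg=m["msg"],
    )


def parse_log(text: str) -> List[LogEntry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def diagnose(entries: List[LogEntry]) -> List[dict]:
    """Group denied outbound connects by errno (one finding per root cause, not per
    client request) and attach the meaning and first checks for that errno."""
    by_errno: Dict[int, dict] = {}
    for e in entries:
        if e.code not in OUTBOUND_CONNECT_CODES or e.errno is None:
            continue
        f = by_errno.setdefault(e.errno, {"errno": e.errno, "targets": [], "count": 0})
        f["count"] += 1
        target = OUTBOUND_CONNECT_CODES[e.code]
        if target not in f["targets"]:
            f["targets"].append(target)
    # Follow-on lines are counted so the reader sees they add no second cause.
    follow_on = sum(1 for e in entries if e.code in FOLLOW_ON_CODES)
    findings = []
    for errno_, f in by_errno.items():
        meaning, checks = ERRNO_HINTS.get(errno_, (f"errno {errno_}: unmapped, read the strerror text", []))
        findings.append({**f, "meaning": meaning, "checks": checks, "follow_on_lines": follow_on})
    return findings


if __name__ == "__main__":
    for f in diagnose(parse_log(SAMPLE_LOG)):
        print(f"errno {f['errno']} on {f['count']} connect attempt(s): {', '.join(f['targets'])}")
        print("  " + f["meaning"])
        for c in f["checks"]:
            print("  check: " + c)
```

Run as a script it reports a single finding for the sample: errno 13 on three connect attempts (two to the OCSP responder, one to the Jetty backend on 127.0.0.1:8080), with the three follow-on lines folded in. The point the grouping makes is that the OCSP stapling errors and the proxy backend error are not two separate problems: both are outbound connects from the httpd worker failing with the same errno, while the same backend port answered `curl` from the shell earlier in the message.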