Setting up test Shibboleth IdP 4.2.1 instance
Bruce Timberlake
brucetim at umich.edu
Tue Sep 20 21:52:08 UTC 2022
Check for SELinux errors in /var/log/messages? Apache can be finicky about
those settings. Also if the server can't connect to ocsp.usertrust.com
maybe there is a firewall issue? That site should be reachable from
anywhere...
On Tue, Sep 20, 2022, 4:47 PM Mathew, Sunil via users <users at shibboleth.net> wrote:
> Hi,
>
> I am setting up a test instance of Shibboleth IdP 4.2.1 on Red Hat Linux
> VM following the steps here:
>
> https://github.com/ConsortiumGARR/idem-tutorials/blob/master/idem-fedops/HOWTO-Shibboleth/Identity%20Provider/CentOS/HOWTO%20Install%20and%20Configure%20a%20Shibboleth%20IdP%20v4.x%20on%20CentOS%20with%20Apache2%20%2B%20Jetty9.md
>
>
> Jetty seems to be working fine.
>
> # curl http://127.0.0.1:8080/idp/status
>
> ### Operating Environment Information
> operating_system: Linux
> operating_system_version: 4.18.0-372.19.1.el8_6.x86_64
> operating_system_architecture: amd64
> jdk_version: 11.0.16
> available_cores: 4
> used_memory: 229 MB
> maximum_memory: 2048 MB
>
> ### Identity Provider Information
> idp_version: 4.2.1
> start_time: 2022-09-20T17:53:27.082Z
> current_time: 2022-09-20T19:31:40.291983Z
> uptime: PT1H38M13.209S
>
> enabled modules:
> idp.authn.Password (Password Authentication)
> idp.admin.Hello (Hello World)
>
> installed plugins:
>
> service: shibboleth.LoggingService
> last successful reload attempt: 2022-09-20T17:53:22.156155Z
> last reload attempt: 2022-09-20T17:53:22.156155Z
>
> service: shibboleth.AttributeFilterService
> last successful reload attempt: 2022-09-20T17:53:25.401245Z
> last reload attempt: 2022-09-20T17:53:25.401245Z
>
> service: shibboleth.AttributeResolverService
> last successful reload attempt: 2022-09-20T17:53:25.517952Z
> last reload attempt: 2022-09-20T17:53:25.517952Z
> No Data Connector has ever failed
>
> service: shibboleth.AttributeRegistryService
> last successful reload attempt: 2022-09-20T17:53:24.896078Z
> last reload attempt: 2022-09-20T17:53:24.896078Z
>
> service: shibboleth.NameIdentifierGenerationService
> last successful reload attempt: 2022-09-20T17:53:25.608027Z
> last reload attempt: 2022-09-20T17:53:25.608027Z
>
> service: shibboleth.RelyingPartyResolverService
> last successful reload attempt: 2022-09-20T17:53:25.687792Z
> last reload attempt: 2022-09-20T17:53:25.687792Z
>
> service: shibboleth.MetadataResolverService
> last successful reload attempt: 2022-09-20T17:53:25.151731Z
> last reload attempt: 2022-09-20T17:53:25.151731Z
> No Metadata Resolver has ever attempted a reload
>
> service: shibboleth.ReloadableAccessControlService
> last successful reload attempt: 2022-09-20T17:53:26.145038Z
> last reload attempt: 2022-09-20T17:53:26.145038Z
>
> service: shibboleth.ReloadableCASServiceRegistry
> last successful reload attempt: 2022-09-20T17:53:26.192165Z
> last reload attempt: 2022-09-20T17:53:26.192165Z
>
> service: shibboleth.ManagedBeanService
> last successful reload attempt: 2022-09-20T17:53:26.209593Z
> last reload attempt: 2022-09-20T17:53:26.209593Z
>
>
> I have setup Apache HTTP Server as a reverse proxy as per the instructions
> in the document above:
>
> more 000-sso.hbsstg.org.conf
>
> # This is an example Apache2 configuration for a Shibboleth Identity Provider
> # installed with IDEM Tutorials.
> #
> # Edit this file and:
> # - Adjust "idp.example.org" with your IdP Full Qualified Domain Name
> # - Adjust "ServerAdmin" email address
> # - Adjust "CustomLog" and "ErrorLog" with Apache log files path (there are examples for Debian or CentOS distribution)
> # - Adjust "SSLCertificateFile", "SSLCertificateKeyFile" and "SSLCACertificateFile" with the correct file path
>
> # SSL general security improvements should be moved in global settings
> # OCSP Stapling, only in httpd/apache >= 2.3.3
> SSLUseStapling on
> SSLStaplingResponderTimeout 5
> SSLStaplingReturnResponderErrors off
> SSLStaplingCache shmcb:/var/run/ocsp(128000)
>
> <VirtualHost *:80>
>     ServerName "sso.hbsstg.org"
>     Redirect permanent "/" "https://sso.hbsstg.org/"
> </VirtualHost>
>
> <IfModule mod_ssl.c>
> <VirtualHost _default_:443>
>     ServerName sso.hbsstg.org:443
>     ServerAdmin admin at example.org
>     # Debian/Ubuntu
>     CustomLog /var/log/apache2/sso.hbsstg.org.log combined
>     ErrorLog /var/log/apache2/sso.hbsstg.org-error.log
>     # Centos
>     #CustomLog /var/log/httpd/sso.hbsstg.org.log combined
>     #ErrorLog /var/log/httpd/sso.hbsstg.org-error.log
>
>     DocumentRoot /var/www/html/sso.hbsstg.org
>
>     SSLEngine On
>     SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
>     SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
>
>     SSLHonorCipherOrder on
>
>     # Disallow embedding your IdP's login page within an iframe and
>     # Enable HTTP Strict Transport Security with a 2 year duration
>     <IfModule headers_module>
>         Header set X-Frame-Options DENY
>         Header set Strict-Transport-Security "max-age=63072000 ; includeSubDomains ; preload"
>     </IfModule>
>
>     # Debian/Ubuntu
>     SSLCertificateFile /etc/httpd/certs/sso_hbsstg_org.crt
>     SSLCertificateKeyFile /etc/httpd/certs/sso_hbsstg_org.key
>     SSLCertificateChainFile /etc/httpd/certs/sso_hbsstg_org_inter.crt
>     #SSLCertificateChainFile /etc/httpd/certs/__hbsstg_org_interm-2.cer
>
>     # ACME-CA or GEANT_OV_RSA_CA_4 (For users who use GARR TCS/Sectigo RSA Organization Validation Secure Server CA)
>     #SSLCACertificateFile /etc/ssl/certs/ACME-CA.pem
>     #TODO:
>     #SSLCACertificateFile /etc/ssl/certs/GEANT_OV_RSA_CA_4.pem
>
>     # Centos
>     #SSLCertificateFile /etc/pki/tls/certs/sso.hbsstg.org.crt
>     #SSLCertificateKeyFile /etc/pki/tls/private/sso.hbsstg.org.key
>
>     # ACME-CA or GEANT_OV_RSA_CA_4 (For users who use GARR TCS/Sectigo RSA Organization Validation Secure Server CA)
>     #SSLCACertificateFile /etc/pki/tls/certs/ACME-CA.pem
>     #SSLCACertificateFile /etc/pki/tls/certs/GEANT_OV_RSA_CA_4.pem
>
>     <IfModule mod_proxy.c>
>         ProxyPreserveHost On
>         RequestHeader set X-Forwarded-Proto "https"
>         ProxyPass /idp http://localhost:8080/idp retry=5
>         ProxyPassReverse /idp http://localhost:8080/idp retry=5
>
>         <Location /idp>
>             Require all granted
>         </Location>
>     </IfModule>
> </VirtualHost>
> </IfModule>
>
> # This virtualhost is only here to handle administrative commands for Shibboleth, executed from localhost
> <VirtualHost 127.0.0.1:80>
>     ProxyPass /idp http://localhost:8080/idp retry=5
>     ProxyPassReverse /idp http://localhost:8080/idp retry=5
>     <Location /idp>
>         Require all granted
>     </Location>
> </VirtualHost>
>
>
> When I try https://sso.hbsstg.org/idp/status in a browser, I get the
> following error message in /var/log/apache2/sso.hbsstg.org-error.log
>
> [Tue Sep 20 15:38:11.634673 2022] [ssl:error] [pid 1403216:tid 140419838465792] (13)Permission denied: [client 10.227.147.169:50290] AH01974: could not connect to OCSP responder 'ocsp.usertrust.com'
> [Tue Sep 20 15:38:11.634775 2022] [ssl:error] [pid 1403216:tid 140419838465792] AH01941: stapling_renew_response: responder error
> [Tue Sep 20 15:38:11.638356 2022] [ssl:error] [pid 1402919:tid 140419627005696] (13)Permission denied: [client 10.227.147.169:50289] AH01974: could not connect to OCSP responder 'ocsp.usertrust.com'
> [Tue Sep 20 15:38:11.638452 2022] [ssl:error] [pid 1402919:tid 140419627005696] AH01941: stapling_renew_response: responder error
> [Tue Sep 20 15:38:11.666173 2022] [proxy:error] [pid 1403216:tid 140419838465792] (13)Permission denied: AH00957: HTTP: attempt to connect to 127.0.0.1:8080 (localhost) failed
> [Tue Sep 20 15:38:11.666222 2022] [proxy_http:error] [pid 1403216:tid 140419838465792] [client 10.227.147.169:50290] AH01114: HTTP: failed to make connection to backend: localhost
>
> I can see the index page here: https://sso.hbsstg.org
>
> I was wondering if anyone has setup Shibboleth IdP 4.x following the
> installation instructions described above and what I might be doing wrong.
> Thanks for your help.
>
> Regards,
> Sunil
>
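As an added diagnostic example for the SELinux hint in the reply (not code from the thread or from the IDEM tutorial): a POSIX shell script that reads the two "(13)Permission denied" Apache lines quoted above together with a constructed SELinux AVC line and decides whether the errno 13 failures point at SELinux rather than a firewall. The AVC sample, the sample logs and the setsebool remedy are assumptions of the example; the thread itself shows neither an audit line nor a fix.

```shell
#!/bin/sh
# Added example, not from the thread or the IDEM tutorial. It classifies the
# "(13)Permission denied" errors quoted above: errno 13 (EACCES) on a connect()
# made by httpd is a local policy denial, not a network fault. A firewall would
# surface as a timeout or "Connection refused" (errno 111), never as EACCES, and
# on RHEL the usual cause is SELinux stopping httpd_t from opening sockets.

# Constructed sample: the two Apache error-log lines from the thread, unwrapped.
SAMPLE_ERRLOG="[Tue Sep 20 15:38:11.634673 2022] [ssl:error] [pid 1403216:tid 140419838465792] (13)Permission denied: [client 10.227.147.169:50290] AH01974: could not connect to OCSP responder 'ocsp.usertrust.com'
[Tue Sep 20 15:38:11.666173 2022] [proxy:error] [pid 1403216:tid 140419838465792] (13)Permission denied: AH00957: HTTP: attempt to connect to 127.0.0.1:8080 (localhost) failed"

# Constructed sample of the matching AVC denial in /var/log/audit/audit.log.
# The thread does not show one; this is the line the suggested SELinux check
# would turn up (port 8080 carries the http_cache_port_t label on RHEL).
SAMPLE_AUDIT='type=AVC msg=audit(1663688291.634:4211): avc:  denied  { name_connect } for  pid=1403216 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0'

# Number of httpd connect attempts that failed with EACCES.
count_eacces_connects() {
    printf '%s\n' "$1" | grep -c '(13)Permission denied: .*connect' || true
}

# Number of SELinux denials of name_connect (outbound TCP) for httpd.
count_httpd_name_connect_denials() {
    printf '%s\n' "$1" | grep -c 'avc:  denied  { name_connect }.*comm="httpd"' || true
}

# Verdict from the two logs:
#   selinux             EACCES in Apache and a confirming AVC denial
#   eacces-unconfirmed  EACCES in Apache, nothing in the audit log (check that
#                       auditd is running and that SELinux is enforcing)
#   other               no EACCES connect failures; look elsewhere (firewall,
#                       Jetty not listening, wrong backend port)
diagnose() {
    if [ "$(count_eacces_connects "$1")" -eq 0 ]; then
        echo other
    elif [ "$(count_httpd_name_connect_denials "$2")" -gt 0 ]; then
        echo selinux
    else
        echo eacces-unconfirmed
    fi
}

diagnose "$SAMPLE_ERRLOG" "$SAMPLE_AUDIT"
# The remedy this verdict points at is the standard SELinux boolean that lets
# httpd open outbound TCP connections (proxy backend and OCSP responder alike):
#   setsebool -P httpd_can_network_connect on
```

Run it against the real files with `diagnose "$(cat /var/log/httpd/sso.hbsstg.org-error.log)" "$(ausearch -m AVC -c httpd 2>/dev/null)"` once the constructed samples have been replaced.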