canariecaf / idp-installer-caf
This project forked from idp-installer-manager/idp-installer-global
The CAF managed version of the idp-installer
License: Apache License 2.0
Use the net-tools repository for the CentOS stream.
see: http://unix.stackexchange.com/questions/146190/commands-not-found-netstat-nmap-on-centos-7
Support CentOS7 as a deployment platform for the IdP Installer
The reference JDK for Shibboleth operation is the Oracle JDK. The IdP Installer should be current and in alignment with the reference implementation to ensure the best operation and support profile.
When selecting regular LDAP usage, use uid instead of sAMAccountName via the GUI.
It would be nice to have the installer automate the VLAN assignment so that local users are assigned differently from eduroam roamers.
Enabling ECP facilitates non web Federated Single Sign On use cases. Verify that it is appropriately configured as a default configuration
New JVM options of -Xmx1024 and more verbose garbage collection are applied in /etc/defaults/jetty.
It would be nice to have a pre-flight verification of server reachability beyond just ping, but that of verifying the necessary ports are open to prevent installation failures downstream.
Specifically, the Active Directory servers and the fetching of certificates.
An error in status.log appears:
Starting mysqld: [ OK ]
gzip: stdin: not in gzip format
tar: Child returned status 1
tar: Error is not recoverable: exiting now
Buildfile: src/installer/resources/build.xml
and what is happening is that the mysql driver does not get fetched properly.
Please fix
BC's Telus CDMA cellular carrier has discontinued CDMA and the servers were removed from service.
These discontinued servers should be replaced with the national time servers from NRC:
tic.nrc.ca
tac.nrc.ca
Installation problem statement:
Post installation, managing the Java keystore is sometimes challenging, especially when dealing with multiple domain controllers which have their own certificates.
It may be useful to have the ability to 'load' the JKS with a given server's certificate, as well as to remove one, so that the challenge of fetching, loading, and maintaining them is diminished.
This same interface, if possible, would also be useful to load a commercial certificate for the servlet container.
A new version of Shibboleth has come out and it is recommended to support it as the preferred 3.0.0-CAF build.
One key notable difference is that jetty-base has been changed and is now located, for the 3.2.0 release, in the embedded directory.
Support in future versions of the IdP will see the jetty-base disappear from the release.
Support Ubuntu 14.04LTS as a deployment platform for the IdP
Reference additional log locations for key components
SWAMID has a slight tweak for the GUI for multiple LDAP configuration support (space separated items)
The feature for FTICKS is now native:
https://issues.shibboleth.net/jira/browse/IDP-501
but is not configured upon installation and needs to be done per federation operator install.
See: https://wiki.shibboleth.net/confluence/display/IDP30/AdvancedLogging
and use the logback configuration.
Sometimes LDAP certificates expire and require the Java keystore to be refreshed in order to preserve secure communication from the IdP to the directory store.
The request is to have some form of health monitor for the IdP to check the certificate validity and whether or not it is approaching expiration.
This check may be part of other overall IdP health checks to permit automated operation or enhanced standalone continuous operation.
eduPersonTargetedID should be derived from the database
Update attribute-resolver.xml around line 246 to sourceAttributeID="persistentId" and line 247 as Dependency ref="StoredId".
This setting should be in place regardless of new install or migrated installation such that the salt is preserved.
grep: /etc/sysconfig/iptables: No such file or directory
/idp-installer-CAF/files/script.functions.sh: line 1177: /etc/sysconfig/iptables: No such file or directory
iptables: unre
This happens during installation, or sometimes when running aacli.sh from /opt/shibboleth-idp/bin.
UseConsent may not be the desired installation default behaviour of the IdP and should have an option in the installer to recognize its status as enabled or disabled.
Update metadata aggregates to appropriately use the certificate validation and metadata refresh policies for the CAF production aggregates and the necessary test aggregates
Function enableJettyOnRestart only runs if $dist != "ubuntu".
Adding the following to the function would fix it:
    else
        update-rc.d jetty defaults
Branch: develop
See: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement for details of required cronjob
The initial non-production installation does not trust the self-signed certificate, which needs to be loaded into the keystore.
Several functions only have support for Ubuntu and CentOS 7 and no support for either CentOS 6 or Red Hat.
When choosing the non-interactive installation item in the GUI, deploy_idp.sh still requires interactivity in the following spots:
To be fully non-interactive the following needs to happen:
Mitigation items:
1. do not require entire, but fail to proceed if an error state happens
2. the dialog to proceed can be skipped
3. the dialog can be skipped, but an alert to the end user and to status.log that the user must join the machine to the domain should be there. Documentation should also be updated for headless/non-interactive/unattended installation.
The experience of visiting the IdP post configuration should be improved from the 404 error page that it shows.
Recommendation is if at all possible to provide a blank default war to present at the root that then the site admin could customize as needed without disrupting the idp installation process.
The function ldapwhoami, which is used in the preflight check for directory reachability, fails mysteriously against Active Directory 2003.
This is substantiated by this Bugzilla report from Red Hat:
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=916195
The workaround is to use ldapsearch:
files/script.bootstrap.functions.sh:
```sh
# Previous check, disabled: ldapwhoami fails against Active Directory 2003 (see the Red Hat bug above)
#${Echo} "ldapwhoami -vvv -H ldaps://${ldapserver} -D \"${ldapbinddn}\" -x -w \"\"" >> ${statusFile}
# Record the command in the status log with the bind password blanked out ...
${Echo} "ldapsearch -LLL -x -w \"\" -H ldaps://${ldapserver} -D \"${ldapbinddn}\" -b \"${ldapbinddn}\" '(objectclass=*)'" >> ${statusFile}
# ... then perform the real simple bind and base search, capturing stdout and stderr to the status log
ldapsearch -LLL -x -w "${ldappass}" -H ldaps://${ldapserver} -D "${ldapbinddn}" -b "${ldapbinddn}" '(objectclass=*)' &>> ${statusFile}
```
The MySQL connect string needs to be improved to allow for:
Resulting string should be
jdbcURL="jdbc:mysql://127.0.0.1:3306/shibboleth?autoReconnect=true&localSocketAddress=127.0.0.1&connectTimeout=1800&initialTimeout=2&logSlowQueries=true&autoReconnectForPools=true"
in attribute-resolver.xml
In the standard JRE distribution, the cryptography is regionally limited but the Service Providers in the metadata may require higher standards of cryptography.
This is called out on the idp install page here:
https://wiki.shibboleth.net/confluence/display/IDP30/Installation
The IdP-installer when it downloads the JRE should also download the extra cryptography settings and install the appropriate jars per instructions from download here:
http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
If you don't do the JCE tweak (the Unlimited Strength Jurisdiction Policy File step), the IdP will operate normally until an SP requiring it is used (such as wiki.shibboleth.net), with the following warning/error fingerprint in your logs:
2015-06-05 00:00:00,605 WARN [org.opensaml.saml.saml2.profile.impl.EncryptAssertions:140] - Profile Action EncryptAssertions: Error encrypting assertion
org.opensaml.xmlsec.encryption.support.EncryptionException: Error encrypting XMLObject
at org.opensaml.xmlsec.encryption.support.Encrypter.encryptElement(Encrypter.java:543)
Caused by: org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size
at org.apache.xml.security.encryption.XMLCipher.encryptData(XMLCipher.java:1186)
Caused by: java.security.InvalidKeyException: Illegal key size
at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1034)
2015-06-05 00:00:00,689 - ERROR [org.opensaml.profile.action.impl.DecodeMessage:73] - Profile Action DecodeMessage: Unable to decode incoming request
Reference material on this problem: http://shibboleth.net/pipermail/users/2014-June/016098.html
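Added example, not code from the installer or from the issue: a Python check that groups idp-process.log entries with the stack-trace lines beneath them and flags entries whose innermost cause is the "Illegal key size" exception quoted above, so a restricted JCE policy can be spotted from the log before SP users report failures. The log lines are a constructed sample modelled on the fingerprint in the issue, and the line pattern assumes the IdP's default logback layout.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of idp-process.log output modelled on the fingerprint quoted in the issue;
# the first line is a made-up neighbour so that the grouping logic has something to skip.
SAMPLE_LOG = """\
2015-06-05 00:00:00,100 - INFO [example.ConstructedLogger:1] - constructed neighbouring entry
2015-06-05 00:00:00,605 - WARN [org.opensaml.saml.saml2.profile.impl.EncryptAssertions:140] - Profile Action EncryptAssertions: Error encrypting assertion
org.opensaml.xmlsec.encryption.support.EncryptionException: Error encrypting XMLObject
\tat org.opensaml.xmlsec.encryption.support.Encrypter.encryptElement(Encrypter.java:543)
Caused by: org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size
\tat org.apache.xml.security.encryption.XMLCipher.encryptData(XMLCipher.java:1186)
Caused by: java.security.InvalidKeyException: Illegal key size
\tat javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1034)
2015-06-05 00:00:00,689 - ERROR [org.opensaml.profile.action.impl.DecodeMessage:73] - Profile Action DecodeMessage: Unable to decode incoming request
"""

# Shape of an IdP log line, "<timestamp> - <LEVEL> [<logger>:<line>] - <message>"; the " - " after the
# timestamp is optional because copies pasted into tickets often drop it.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (?:- )?(?P<level>TRACE|DEBUG|INFO|WARN|ERROR) "
    r"\[(?P<logger>[^:\]]+):\d+\] - (?P<msg>.*)$"
)
# JVM-side signature of a restricted-strength JCE policy (AES keys above 128 bits are rejected).
JCE_SIGNATURE = "java.security.InvalidKeyException: Illegal key size"

@dataclass
class LogEvent:
    ts: str
    level: str
    logger: str
    msg: str
    trace: list = field(default_factory=list)  # exception, "Caused by:" and "at" lines under the entry

    def root_cause(self) -> str:
        # The last "Caused by:" line is the innermost exception, i.e. the real failure.
        causes = [t[len("Caused by: "):] for t in self.trace if t.startswith("Caused by: ")]
        return causes[-1] if causes else (self.trace[0] if self.trace else self.msg)

def parse_events(text: str) -> list:
    # A timestamped line opens an event; untimestamped lines belong to the previous event's trace.
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            events.append(LogEvent(m["ts"], m["level"], m["logger"], m["msg"]))
        elif events and raw.strip():
            events[-1].trace.append(raw.strip())
    return events

def find_jce_limited_events(events: list) -> list:
    # Events whose innermost cause is the restricted-JCE failure; the remediation is the
    # unlimited-strength policy files on the IdP host, not a change to the SP or IdP configuration.
    return [e for e in events if e.root_cause() == JCE_SIGNATURE]
```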
The default behaviour for ldap.properties should have LDAPS and startTLS set as follows:
    idp.authn.LDAP.ldapURL= ldaps://AD-FQDN
    idp.authn.LDAP.useStartTLS= false
    idp.authn.LDAP.useSSL= true
The current configuration has useStartTLS=true, which fails to negotiate.
It would be of more utility to not only authenticate users but also do authorization with LDAP groups, and to have this feature enabled, or to describe how to extend freeRADIUS specific to the installation, by the installer.
Investigate if there is a way to have a default way to monitor the installation for version and health status.
Right now it is limited to localhost connections. The enhancement would be to:
(Note that the Federation Operator needs to take into consideration that different software platforms (ADFS, simpleSAMLphp, Ping Federate, etc.) do not have this function.)
Now that Shibboleth 3.2.0 supports F-TICKS, the 'overlay' done by the IdP-installer results in double logging the anonymized identifier when it should be a singular entry.
Remediation is expected to be -- augment the overlay to be aware of Shib v3.2.0 implementation of F-TICKS and provide a relevant version of the template and re-verify the logging experience.
Connecting to localhost is problematic and requires an extra iptables definition to be applied
If there were a way to do the installation only consuming the config file, looking for the variable:
    installer_interactive=y
for interactive mode, using whiptail interfaces as expected, and if
    installer_interactive=n
this would have the following behaviour:
Assumptions for successful headless install
There are materially different settings needed for Jetty 9.3 support than Jetty 9.2 requires in order to pass the CI unit tests.
The attribute-filter for the dev V3 branch has arbitrary attribute release policy configurations. Update the attribute filters to provide the best operating practices for the CAF IdP installations.
The colour indicators may not always change depending on usage approach.
Replace Tomcat with Jetty as the Java container to align with Shibboleth's usage of Jetty as the reference implementation.
These attributes are not needed in the current build for v3 but remain present in the GUI but commented out.
Jetty installations MAY encounter a browser dialog asking the end user for a client certificate, when it shouldn't, any time a TLS connection is established with the server, such as when logging in or processing a SAML redirection.
The origin of the issue has been identified as a setting not being properly observed in all installations.
The 'fix' is to ensure there is a setting to avoid that in case something tries to override it.
The scope of the bug is not fully known as it was reported on an older version of the software (IdP-Installer 2.2.x on CentOS 6.5). Performing this alteration will help ensure the problem does not re-occur.
Details on how to check and reproduce and mitigate were provided by Alvin Yeung from Ryerson.ca:
This jar: jetty9-dta-ssl-1.0.0.jar may set the getWantClientAuth() method to true.
To mitigate this, update the jetty.xml.caf template to force it to false
Quick example of how this may reveal itself:
Compile this and run it with the full classpath that Jetty 9 and Shibboleth use:
    import net.shibboleth.utilities.jetty9.DelegateToApplicationSslContextFactory;

    public class JettyDTASSLTest {
        public static void main(String[] args) {
            // Instantiate the factory the same way jetty-shibboleth.xml does and print the
            // client-auth values it starts with, before any <Set> from the XML is applied.
            DelegateToApplicationSslContextFactory factory = new DelegateToApplicationSslContextFactory();
            System.out.println("getNeedClientAuth=" + factory.getNeedClientAuth());
            System.out.println("getWantClientAuth=" + factory.getWantClientAuth());
        }
    }
Result:
    getNeedClientAuth:false
    getWantClientAuth:true
So this class actually overrides Jetty's default for WantClientAuth; "false" was the default.
On my Jetty I have to change "wantClientAuth" back to false for the shibContextFactory2 section.
/opt/jetty/base/etc/jetty-shibboleth.xml
    <New id="shibContextFactory2" class="net.shibboleth.utilities.jetty9.DelegateToApplicationSslContextFactory">
        <Set name="KeyStoreType">pkcs12</Set>
        <Set name="KeyStorePath">/opt/shibboleth-idp/credentials/https.p12</Set>
        <Set name="KeyStorePassword">...</Set>
        <Set name="wantClientAuth">false</Set>
        <Set name="EndpointIdentificationAlgorithm"></Set>
        <Set name="excludeProtocols">
            <Array type="String">
                <Item>SSLv3</Item>
            </Array>
        </Set>
    </New>
This part of the code came from the installer:
idp-installer-CAF-2.2.1-CAF/xml/CAF/server.xml.jetty Line 21-31
Feedback has been left that it is unclear precisely what was installed by the installer. Additional text or indicators of what was installed would be beneficial to be added.
When importing an existing config, the servlet container can be changed.
appserv='blargh' in a config import will cause a failure.
There is a desire to have the configuration to be applied to the windows environment.
Warnings appear in the v3 IdP startup sequence; it should use a different provider for the crypto work.
see: https://issues.shibboleth.net/jira/browse/IDP-623 for more details.
Anywhere X509Filesystem appears, X509ResourceBacked should be used.
The file /etc/sysconfig/iptables does not exist on Ubuntu.
Branch: develop