Shibboleth: Installation and Deployment. Scott Cantor, July 29, 2002.

Presentation transcript:

1 Shibboleth: Installation and Deployment
Scott Cantor, July 29, 2002

2 Installation: Packaging
- Alpha 1 and 2 are binary distributions. Source was made public in late July; Alpha 2.5 will probably be binary with source.
- Beta 1 should support "./configure; make; make install" for autoconf platforms and Visual Studio on Windows.
- Even with better packaging, manual installation of servlets and Apache modules will be needed.

3 Installation: General
- Solaris 2.x and Linux
- Current development versions: Apache, mod_ssl, OpenSSL, Sun JDK, Jakarta Tomcat
- Deploy Guide:

4 Installation: General
Both origins and targets need:
- SSL-enabled Apache server, equipped with a certificate signed by a club-approved CA
- Jakarta Tomcat servlet engine with AJP 1.3 connector (mod_jk)
- All the servlets are packaged together in a single deployment archive (shibboleth.war) that can be copied into tomcat/webapps, auto-expanded, and configured

5 Installation: Origin Site
Install additional supporting components:
- User handles can be stored in-memory or in MySQL
- User attributes can be accessed in LDAP, or a restricted set (EPPN and affiliation=member) can be "echoed" by the AA
- Back-end interfaces will be refined over time to simplify pluggable implementations, and to use standard Java APIs like JNDI and JDBC when possible.

6 Installation: Origin Site LDAP
- To use the LDAP support in the AA, provide web.xml with an LDAP URL and an attribute to match against usernames (e.g. uid).
- Any vanilla LDAP server will do, but users should be in the eduPerson object class so that EPPN, affiliation, and entitlements can be found.
- Current strategy is to populate LDAP with these attributes in advance. Future AA will be more flexible, support relational queries, etc.

7 Deployment: Origin Site
- Choose a name for your site, probably your best-known top-level domain.
- This name will be part of your club application and is configured into the HS and AA servlets (web.xml).
- Special note: Alpha-2 targets will reject attributes like EPPN if the "scope" doesn't match the site name. This will be more flexible later.

8 Deployment: Origin Site PKI Requirements
- The web server's SSL certificate will protect both the HS and AA servlets.
- The AA servlet path is configured to support client certificate authentication:
    SSLVerifyClient optional
    SSLOptions +ExportCertData
- The allowable client CAs are specified:
    SSLCACertificateFile /usr/local/shib/etc/ca-bundle.crt
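An added httpd.conf fragment (written for this page, not taken from the slides or the Shibboleth deploy guide) showing how the three mod_ssl directives on this slide fit around the AA servlet. The servlet path /shibboleth/AA, the mod_jk worker name, the hostname and the server certificate paths are assumptions; only the CA bundle path is from the slide.

```apache
# Assumed: Tomcat is reached over AJP 1.3 through mod_jk with a worker
# named "ajp13", and the servlets from shibboleth.war live under /shibboleth/.
<VirtualHost _default_:443>
    # Placeholder origin-site hostname.
    ServerName origin.example.edu

    # One server certificate, signed by a club-approved CA, protects both
    # the HS and the AA servlets (assumed file names).
    SSLEngine on
    SSLCertificateFile    /usr/local/shib/etc/server.crt
    SSLCertificateKeyFile /usr/local/shib/etc/server.key

    # Client certificates are accepted only if they chain to a club CA.
    # mod_ssl allows this directive only at server/vhost level, and it also
    # decides which CA names are offered to the client during the handshake.
    SSLCACertificateFile /usr/local/shib/etc/ca-bundle.crt
    SSLVerifyDepth 3

    # Site-wide default: no client certificate is requested.
    SSLVerifyClient none

    # Hand the Shibboleth servlets to Tomcat.
    JkMount /shibboleth/* ajp13

    # Only the AA path asks for a client certificate. "optional" lets the
    # handshake succeed without one, so the AA servlet must still check
    # whether a verified SHAR certificate was presented before releasing
    # anything beyond what an anonymous caller may see.
    <Location /shibboleth/AA>
        SSLVerifyClient optional
        # Export the verified client certificate (and the SSL_CLIENT_VERIFY
        # status) to the request environment so the servlet can tell which
        # SHAR is calling and whether verification succeeded.
        SSLOptions +ExportCertData +StdEnvVars
    </Location>
</VirtualHost>
```

Because the CA bundle is a vhost-level setting, the same list of trusted client CAs applies to any other location on this host that later turns on SSLVerifyClient.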

9 Deployment: Origin Site PKI Requirements
- The HS servlet must digitally sign its messages using a key and certificate valid for digital signature creation, signed by a club-approved CA.
- Alpha-2 uses a Java keystore, which allows self-generation of a key and certificate request with the keytool command (see deploy guide). The hostname of your HS is the first field in the certificate request.
- Using the SSL server key is possible, but requires some custom Java code to import/export a private key.

10 Deployment: Origin Site Club Application
- Target sites are given a "registry" of trusted origin sites to protect them from rogue users.
- Once names are chosen, provide the following in an (address in deploy guide):
    Site Name
    Complete Handle Service servlet URL
    The HS hostname (went into the certificate CN)
    Aliases/shorthand for your institution (used by WAYF)

11 Installation: Target Site SHIRE (Java)
- Target "session establishment" is installed by mounting the SHIRE servlet into Apache.
- The servlet will pass session details on to Apache using files in a /tmp folder (the beta will integrate the design and remove the servlet).
- The servlet will load the origin site registry at startup, either from Internet2 or a local file, and can optionally verify the registry signature.

12 Installation: Target Site SHIRE/SHAR/RM (mod_*)
- Target "enforcement" is installed by loading mod_shib and mod_eduPerson into Apache (see deploy guide for command details).
- Mutual configuration between httpd.conf and web.xml links the implementation.
- mod_shib should coexist with most existing modules and configurations.

13 Deployment: Target Site PKI Requirements
- The web server's SSL certificate protects both the SHIRE servlet and, optionally, the content.
- The SHIRE verifies authentication assertions by comparing information to the club registry, and by verifying the signing certificate against the roots.jks keystore of trusted CAs.

14 Deployment: Target Site PKI Requirements
- The SHAR (in mod_shib) needs an SSL client certificate signed by a club-approved CA to authenticate to AAs.
- The SSL server certificate may double as a client certificate, unless a key usage extension limits its use. mod_ssl (correctly) rejects such certificates. Some commercial CAs include such a restriction (Thawte), and some don't (Verisign).
- The SHAR uses a list of trusted CAs to validate an AA's server certificate.

15 Deployment: Target Site Resource Manager
- mod_shib currently provides flexible .htaccess processing.
- Attributes can be mapped to Require rules and to HTTP headers, including REMOTE_USER.
- Existing basic-auth sites (e.g. WebCT) can be "hijacked" to use Shibboleth.