Purpose
The purpose of this document is to install and validate the (global) mAP environment.
...
Table 2‑1 Required Software
Software Name | Version | Notes
---|---|---
CentOS (64bit) | 7.9 | Operating System
Shibboleth-SP | 3.4.1 | Service Provider
Shibboleth-IdP | 4.1.7 | Identity Provider
Apache HTTP Server | 2.4 (*1) | WEB Server
Java | OpenJDK 11.0.19 (*1) | IdP Executable Environment
Jetty | 9.4.51 | Servlet Container
MySQL | 5.7.38 | Relational Database
Postfix | 2.10 (*1) | Mail Transfer Agent
PHP | 5.4.16 (*1) | Programming Language
*1 Latest version of the yum package as of 2023/05/18
This software will be used in the following structure:
Installing Shibboleth SP
Please install Shibboleth SP while referring to the install guide.
Shibboleth SP Install Guide
https://meatwiki.nii.ac.jp/confluence/display/GakuNinShibInstallen/SP+Install
In addition to Shibboleth SP, Apache, mod_ssl and NTP should be installed at the same time. Please set up these components as well.
...
In addition to Shibboleth IdP, Java and Jetty should be installed as well. Please set up these components as well.
Installing and Setting Up
...
MySQL
Install MySQL by using the following commands.
Code block:
$ sudo yum localinstall http://dev.mysql.com/get/mysql57-community-release-el7-7.noarch.rpm
$ sudo rpm --import https://repo.mysql.com/RPM-GPG-KEY-mysql-2022
$ sudo yum install mysql-community-server
* If MySQL has already been installed as the initial component, you can skip this process.
Set up /etc/my.cnf
Code block:
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
symbolic-links=0
old_passwords=1
character-set-server = utf8

[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid

[mysql]
# client section: the option is default-character-set (default-character-set-server is a server-only name and is rejected by the mysql client)
default-character-set = utf8
Execute
Code block:
$ sudo systemctl start mysqld.service
$ sudo systemctl enable mysqld.service
...
Create Database
Code block:
$ mysql -u root
CREATE DATABASE vo;
GRANT INSERT, SELECT, UPDATE, DELETE ON vo.* TO 'vouser'@'localhost' IDENTIFIED BY 'YOUR OWN PASSWORD';
...
Code block:
$ sudo yum install php
$ sudo yum install php-devel php-gd php-mbstring php-pdo
$ sudo yum install php-mysql php-xml
$ sudo systemctl restart httpd.service
...
Setting Up Timezone
Add the timezone in /etc/php.ini. The parameter “Asia/Tokyo” should be changed depending on your local time zone.
...
Download the required files from the following URL.
Please contact the GakuNin Office if authentication is requested.
...
Modify Setting
attribute-map.xml
Add the following line or make sure the isMemberOf attribute is recognized.
Code block (xml):
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="isMemberOf"/>
attribute-policy.xml
Add the following rule before the attributeID="*" line.
Code block (xml):
<!-- isMemberOf -->
<afp:AttributeRule attributeID="isMemberOf">
  <afp:PermitValueRule xsi:type="AttributeIssuerString" value="https://[Host Name of the SP]/idp/shibboleth"/>
</afp:AttributeRule>
Modify “[Host Name of the SP]” to this server's host name.
shibboleth2.xml
Add a MetadataProvider.
Code block (xml):
<!-- Example of locally maintained metadata. -->
<!-- Metadata of this IdP -->
<MetadataProvider type="XML" file="/opt/shibboleth-idp/metadata/idp-metadata.xml"/>
Then add a SimpleAggregation AttributeResolver after the
<AttributeResolver type="Query" subjectMatch="true"/>
line.
Code block (xml):
<!-- Uses eduPersonPrincipalName from IdP to query, and asks for isMemberOf. -->
<AttributeResolver type="SimpleAggregation" attributeId="eppn" format="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
  <Entity>https://[Host Name of the IdP]/idp/shibboleth</Entity>
</AttributeResolver>
Modify “[Host Name of the IdP]” to this server's host name.
...
Download the required file from the following URL.
Please contact the GakuNin Office if authentication is required.
https://mariadb.com/my_portal/download/java-client
Please download trustany-ssl-1.0.x.jar from wiki.shibboleth.net:
...
Modify Configuration
- attribute-resolver.xml
Modify “SALT” to an appropriate random value.
Set the database password to the same one as in “6. Installing and Setting Up MariaDB”.
Modify “Host name of the IdP” to this server's host name.
- relying-party.xml
Add a MetadataProvider for the SP which utilizes this mAP system.
Code block (xml):
<metadata:MetadataProvider id="SP" xsi:type="metadata:ResourceBackedMetadataProvider">
  <metadata:MetadataResource xsi:type="resource:FilesystemResource" file="/etc/shibboleth/metadata/sp-metadata.xml" />
</metadata:MetadataProvider>
...
Overwrite the configuration files.
...
Code block:
# cd /opt/shibboleth-idp/credentials
# UMASKORIG="`umask`" ; umask 0077
# openssl pkcs12 -export -out server.p12 -in idp.crt -inkey idp.key -name HOST-NAME-OF-THIS-SERVER
Enter Export Password: YOUR-OWN-PASSWORD
Verifying - Enter Export Password: YOUR-OWN-PASSWORD
# umask "$UMASKORIG"
* This instruction assumes the IdP certificate and key are idp.crt and idp.key respectively.
Back Channel Port
Enable port 8443 in server.xml, the Tomcat configuration file.
...
Download the files from the following URL.
...
Deployment
Code block:
$ unzip cloudgateway-1.0.zip
$ sudo mv map /usr/local/.
...
Code block:
# Announce Information
$ cd /usr/local/map
$ mkdir -p app/webroot/tmp/
$ touch app/webroot/tmp/announce.txt
$ sudo chown -R apache.apache app/webroot/tmp
# Adjust permissions
$ sudo chown -R apache.apache /usr/local/map/app/tmp
$ sudo chmod +x /usr/local/map/cake/console/cake
$ sudo chmod +x /usr/local/map/app/vendors/shells/*.php
$ sudo chmod -R 777 /usr/local/map/app/tmp/cache
# Deletion of Log Files and Cache Files
$ sudo rm -rf app/tmp/cache/models/*
$ sudo rm -rf app/tmp/cache/persistent/*
$ sudo rm -rf app/tmp/cache/views/*
$ sudo rm -rf app/tmp/logs/*
# Copy of Configuration Files
$ cp app/config/database.template.php app/config/database.php
$ cp app/config/core.template.php app/config/core.php
# Put random data on 'Security.salt' and 'Security.cipherSeed' in core.php.
$ vi app/config/core.php
# Deletion of Files for Development (if they exist)
$ rm app/config/local.php
Configuration of httpd.conf
Include following configuration in /etc/httpd/conf/httpd.conf
Code block:
<VirtualHost _default_:80>
Redirect permanent / https://[HOST-NAME-OF-THIS-SERVER]/
</VirtualHost>
Alias /map "/usr/local/map"
<Directory "/usr/local/map">
Order allow,deny
Allow from all
Options ExecCGI FollowSymLinks
AllowOverride All
</Directory>
<Location "/map">
AuthType shibboleth
ShibRequestSetting requireSession 0
require shibboleth
</Location>
Restart
Code block:
$ sudo systemctl restart httpd.service
Database Configuration
Code block:
$ mysql -u root vo < /usr/local/map/ddl/ddl.sql
$ mysql -u root vo < /usr/local/map/ddl/alter.sql
$ mysql -u root vo < /usr/local/map/ddl/index.sql
$ mysql -u root vo < /usr/local/map/ddl/init_system_admin.sql
$ mysql -u root vo
Open /usr/local/map/ddl/stored_procedure.sql and copy & paste the contents.
Application Configuration File
- /usr/local/map/app/config/database.php
In the 'password' => '', set the password defined at “6. Installing and Setting Up MariaDB”.
- /usr/local/map/app/config/mail.php
In the 'host' => '', set the SMTP server.
In the $from and $this->from, set the FROM address of the email which will be sent from this server.
In the $footer_jp_map, $footer_jp_test, $footer_eng_map and $footer_eng_test, modify the sentences as appropriate.
- /usr/local/map/app/config/system.php
In the "host" and the host of "loginlink" in $config["production"] and $config["test"], set the host name of this server.
Registration of System Administrator
Create a new account by accessing the following URL.
https://HOST-NAME-OF-THIS-SERVER/map/
After selecting the IdP and logging in, create a new account.
Register the administrator in the database.
Code block:
$ mysql -u vouser vo -pYOUR-OWN-PASSWORD
mysql> select id,name,mail from accounts;
Find your ID with the command above, and then execute the following SQL with your ID.
mysql> insert into mygroups(account_id, groupid, admin, created, modified) values(YOUR-ACCOUNT-ID, 1, 1, UTC_TIMESTAMP(), UTC_TIMESTAMP());
Example)
mysql> insert into mygroups(account_id, groupid, admin, created, modified) values(1, 1, 1, UTC_TIMESTAMP(), UTC_TIMESTAMP());
Note: giving the password inline as -pYOUR-OWN-PASSWORD leaves it in the shell history and process list; using -p with no value makes mysql prompt for it instead.
Registration of IdP administrators
IdP administrators are registered with the following commands.
Code block:
$ cd /usr/local/map/cake/console
$ ./cake -app /usr/local/map/app idp_administrator /path/to/somewhere/idp_administrator.tsv
/path/to/somewhere/idp_administrator.tsv must be created in the format below.
...
Registration of organizations
...
Code block:
$ mysql -u vouser vo -pYOUR-OWN-PASSWORD
mysql> insert into sp_administrators(eppn, host_name, entityid, created) values('YOUR-ePPN', 'HOST-NAME-OF-UTILIZED-SP', 'ENTITY-ID-OF-UTILIZED-SP', UTC_TIMESTAMP());
Example1) Registration for researchmap and kyouindb
mysql> insert into sp_administrators(eppn, host_name, entityid, created) \
values('xxxx@kyoto-u.ac.jp', 'researchmap.jp', 'https://researchmap.jp/shibboleth-sp', UTC_TIMESTAMP());
mysql> insert into sp_administrators(eppn, host_name, entityid, created) \
values('xxxx@kyoto-u.ac.jp', 'kyouindb.iimc.kyoto-u.ac.jp', \
'https://kyouindb.iimc.kyoto-u.ac.jp/shibboleth-sp', UTC_TIMESTAMP());
Example2) Registration for test-meatmail.nii.ac.jp and test-map-sp1.nii.ac.jp
mysql> insert into sp_administrators(eppn, host_name, entityid, created) \
values('xxxxxx@ebook-idp.nii.ac.jp', 'test-meatmail.nii.ac.jp', \
'https://test-meatmail.nii.ac.jp/shibboleth-sp', UTC_TIMESTAMP());
mysql> insert into sp_administrators(eppn, host_name, entityid, created) \
values('xxxxxx@ebook-idp.nii.ac.jp', 'test-map-sp1.nii.ac.jp', \
'https://test-map-sp1.nii.ac.jp/shibboleth-sp', UTC_TIMESTAMP());
Create SP Connector
Create an SP Connector for the utilized SP by executing the following SQL.
Code block:
$ mysql -u vouser vo -pYOUR-OWN-PASSWORD
mysql> insert into groups(group_key,name,introduction,active,public,openmember,\
inspectjoin,inspectquit,down_permission,up_permission,group_response,sp,\
created,modified) values('GROUP-KEY', 'SERVICE-NAME', '', 0, 1, 1, 1, 0, 2, 0, 2, 1, UTC_TIMESTAMP(), UTC_TIMESTAMP());
Example1) Researchmap and kyouindb
mysql> insert into groups(group_key,name,introduction,active,public,openmember,\
inspectjoin,inspectquit,down_permission,up_permission,group_response,sp,created,modified) \
values('researchmap', 'Researchmap', '', 0, 1, 1, 1, 0, 2, 0, 2, 1, UTC_TIMESTAMP(), UTC_TIMESTAMP());
mysql> insert into groups(group_key,name,introduction,active,public,openmember,\
inspectjoin,inspectquit,down_permission,up_permission,group_response,sp,created,modified) \
values('kyouindb', 'kyouindb', '', 0, 1, 1, 1, 0, 2, 0, 2, 1, UTC_TIMESTAMP(), UTC_TIMESTAMP());
Example2) test-meatmail.nii.ac.jp and test-map-sp1.nii.ac.jp
mysql> insert into groups(group_key,name,introduction,active,public,openmember,\
inspectjoin,inspectquit,down_permission,up_permission,group_response,sp,created,modified) \
values('test-meatmail.nii.ac.jp', 'test-meatmail.nii.ac.jp', '', \
0, 1, 1, 1, 0, 2, 0, 2, 1, UTC_TIMESTAMP(), UTC_TIMESTAMP());
mysql> insert into groups(group_key,name,introduction,active,public,openmember,\
inspectjoin,inspectquit,down_permission,up_permission,group_response,sp,created,modified) \
values('test-map-sp1.nii.ac.jp', 'test-map-sp1.nii.ac.jp', '', \
0, 1, 1, 1, 0, 2, 0, 2, 1, UTC_TIMESTAMP(), UTC_TIMESTAMP());
Register the administrator of the SP Connector in the database.
Code block:
$ mysql -u vouser vo -pYOUR-OWN-PASSWORD
mysql> select id,name,mail from accounts;
mysql> select id,group_key,name from groups where sp=1;
Find your ID and the groups table ID with the search commands above, then put them in "YOUR-ACCOUNT-ID" and "GroupID" in the following SQL.
mysql> insert into mygroups(account_id, groupid, admin, created, modified) values(YOUR-ACCOUNT-ID, GroupID, 1, UTC_TIMESTAMP(), UTC_TIMESTAMP());
Example) In case of creating 3 SP Connectors
mysql> insert into mygroups(account_id, groupid, admin, created, modified) values(1, 2, 1, UTC_TIMESTAMP(), UTC_TIMESTAMP());
mysql> insert into mygroups(account_id, groupid, admin, created, modified) values(1, 3, 1, UTC_TIMESTAMP(), UTC_TIMESTAMP());
mysql> insert into mygroups(account_id, groupid, admin, created, modified) values(1, 4, 1, UTC_TIMESTAMP(), UTC_TIMESTAMP());
Connection between SP Connector and SP
...
Code block:
$ mysql -u vouser vo -pYOUR-OWN-PASSWORD
Look up the ID of the SP Connector.
mysql> select id, name from groups where sp = 1;
Look up the ID of the SP.
mysql> select id, name from sp_hosts;
Based on the search results, register the connection information between the SP Connector and the SP.
mysql> insert into group_sphosts(group_id,sp_id,lead_url,created,modified,service_name) \
values(SP-CONNECTOR-ID, SP-ID, 'SERVICE-URL', UTC_TIMESTAMP(), UTC_TIMESTAMP(), 'SERVICE-NAME');
・SP Connector ID: ID in the groups table
・SP ID: ID in the sp_hosts table
Example1) Researchmap and kyouindb
mysql> insert into group_sphosts(group_id,sp_id,lead_url,created,modified,service_name) \
values(2, 3, 'http://researchmap.jp/', UTC_TIMESTAMP(), UTC_TIMESTAMP(), 'Researchmap');
mysql> insert into group_sphosts(group_id,sp_id,lead_url,created,modified,service_name) \
values(3, 15, 'http://kyouindb.iimc.kyoto-u.ac.jp/', UTC_TIMESTAMP(), UTC_TIMESTAMP(), 'kyouindb');
Example2) test-meatmail.nii.ac.jp and test-map-sp1.nii.ac.jp
mysql> insert into group_sphosts(group_id,sp_id,lead_url,created,modified,service_name) \
values(2, 80, 'https://test-meatmail.nii.ac.jp/', UTC_TIMESTAMP(), UTC_TIMESTAMP(), 'Test-MeatMail');
mysql> insert into group_sphosts(group_id,sp_id,lead_url,created,modified,service_name) \
values(3, 175, 'https://test-map-sp1.nii.ac.jp/', UTC_TIMESTAMP(), UTC_TIMESTAMP(), 'Test-mAP-SP1');
...
Automatic Connection of SP Connector
...
Code block:
$ mysql -u vouser vo -pYOUR-OWN-PASSWORD
Obtain the ID by searching for the SP Connector.
mysql> select id, name from groups where sp = 1;
Set the found ID in the following SQL and then execute it.
mysql> insert into sp_auto_connectors(groupid,created) values(FOUND-ID, UTC_TIMESTAMP());
Example)
mysql> insert into sp_auto_connectors(groupid,created) values(2, UTC_TIMESTAMP());
mysql> insert into sp_auto_connectors(groupid,created) values(3, UTC_TIMESTAMP());
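The SP Connector steps above (create the groups row, register its administrator in mygroups, link it to the SP in group_sphosts, and enable automatic connection) can also be run as one transaction with parameterized queries, so the IDs are resolved by lookup rather than copied from SELECT output by hand. This is an added example, not code from the guide or the mAP project; it runs against a constructed SQLite schema whose reduced column lists (and the UNIQUE constraint on group_key) are assumptions, and the sample account and sp_hosts rows are constructed.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed minimal schema for the mAP tables this guide inserts into; the
# column lists and UNIQUE(group_key) are assumptions, not the project's ddl.sql.
SCHEMA = """
CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT, mail TEXT);
CREATE TABLE groups (id INTEGER PRIMARY KEY, group_key TEXT UNIQUE, name TEXT,
  introduction TEXT, active INT, public INT, openmember INT, inspectjoin INT, inspectquit INT,
  down_permission INT, up_permission INT, group_response INT, sp INT, created TEXT, modified TEXT);
CREATE TABLE mygroups (account_id INT, groupid INT, admin INT, created TEXT, modified TEXT);
CREATE TABLE sp_hosts (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE group_sphosts (group_id INT, sp_id INT, lead_url TEXT, created TEXT,
  modified TEXT, service_name TEXT);
CREATE TABLE sp_auto_connectors (groupid INT, created TEXT);
"""

def register_sp_connector(conn, group_key, service_name, admin_mail, sp_host, lead_url):
    """Run the guide's SP Connector steps as one transaction; return the new groups.id."""
    cur = conn.cursor()
    # Resolve both IDs up front instead of copying them from SELECT output by hand.
    acct = cur.execute("SELECT id FROM accounts WHERE mail = ?", (admin_mail,)).fetchone()
    host = cur.execute("SELECT id FROM sp_hosts WHERE name = ?", (sp_host,)).fetchone()
    if acct is None or host is None:
        raise LookupError("administrator account or sp_hosts entry not found")
    now = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")  # like UTC_TIMESTAMP()
    with conn:  # commit on success; roll back every row if any insert fails
        cur.execute(
            "INSERT INTO groups(group_key,name,introduction,active,public,openmember,"
            "inspectjoin,inspectquit,down_permission,up_permission,group_response,sp,"
            "created,modified) VALUES (?,?,'',0,1,1,1,0,2,0,2,1,?,?)",
            (group_key, service_name, now, now))
        gid = cur.lastrowid  # the GroupID the guide has you look up afterwards
        cur.execute("INSERT INTO mygroups VALUES (?,?,1,?,?)", (acct[0], gid, now, now))
        cur.execute("INSERT INTO group_sphosts VALUES (?,?,?,?,?,?)",
                    (gid, host[0], lead_url, now, now, service_name))
        cur.execute("INSERT INTO sp_auto_connectors VALUES (?,?)", (gid, now))
    return gid

def demo():
    # Constructed sample rows standing in for real accounts / sp_hosts content.
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO accounts VALUES (1, 'Admin', 'admin@example.ac.jp')")
    conn.execute("INSERT INTO sp_hosts VALUES (3, 'researchmap.jp')")
    args = (conn, "researchmap", "Researchmap", "admin@example.ac.jp", "researchmap.jp", "http://researchmap.jp/")
    gid = register_sp_connector(*args)
    try:  # registering the same group_key twice is rejected and rolled back as a whole
        register_sp_connector(*args)
        dup_rejected = False
    except sqlite3.IntegrityError:
        dup_rejected = True
    links = conn.execute("SELECT group_id, sp_id, service_name FROM group_sphosts").fetchall()
    return gid, links, dup_rejected
```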
Attribute Consent Setting for SP Connector
...
Code block:
$ mysql -u vouser vo -pYOUR-OWN-PASSWORD
Obtain the ID by searching for the SP Connector.
mysql> select id, name from groups where sp = 1;
Set the ID of the SP Connector in the following SQL and then execute it.
mysql> insert into provide_attributes(group_id,ismemberof,eptid,name,mail,idp,introduction,\
language,organization,created,modified) values(FOUND-ID, 1, 1, 1, 1, 1, 1, 1, 1, UTC_TIMESTAMP(), UTC_TIMESTAMP());
Example)
mysql> select id, name from groups where sp = 1;
+----+-------------------------+
| id | name                    |
+----+-------------------------+
|  2 | xxxxxxx                 |
|  3 | yyyyyyy                 |
|  4 | zzzzzzz                 |
+----+-------------------------+
mysql> insert into provide_attributes(group_id,ismemberof,eptid,name,mail,idp,introduction,\
language,organization,created,modified) values(2, 1, 1, 1, 1, 1, 1, 1, 1, UTC_TIMESTAMP(), UTC_TIMESTAMP());
mysql> insert into provide_attributes(group_id,ismemberof,eptid,name,mail,idp,introduction,\
language,organization,created,modified) values(3, 1, 1, 1, 1, 1, 1, 1, 1, UTC_TIMESTAMP(), UTC_TIMESTAMP());
mysql> insert into provide_attributes(group_id,ismemberof,eptid,name,mail,idp,introduction,\
language,organization,created,modified) values(4, 1, 1, 1, 1, 1, 1, 1, 1, UTC_TIMESTAMP(), UTC_TIMESTAMP());
Importing the Account Data from the Existing Database
...
Code block:
LOCAL-ID(SPS-ID)<<TAB>>ePPN<<TAB>>DISPLAY-NAME(NAME)
...
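As an added example (not from the guide or the mAP project), a checker for the three-column import format above that reports malformed lines before they reach the import command; the ePPN pattern, the case-insensitive duplicate rule and the sample rows are assumptions.

```python
import re

# ePPN is a scoped identifier, local-part@scope (e.g. xxxx@kyoto-u.ac.jp on this page);
# this pattern is an assumption that only requires a dotted scope after the "@".
EPPN_RE = re.compile(r"^[^@\s]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

def validate_account_tsv(text):
    """Check lines of the form LOCAL-ID<TAB>ePPN<TAB>DISPLAY-NAME.

    Returns (rows, errors): rows are the (local_id, eppn, name) tuples that pass,
    errors are 'line N: reason' strings for the lines to fix before importing.
    Padding is reported rather than silently stripped, because a padded ePPN
    would never match the value the SP later receives from the IdP."""
    rows, errors, seen = [], [], set()
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue  # blank lines carry nothing to import
        fields = line.split("\t")
        if len(fields) != 3:
            errors.append(f"line {n}: expected 3 tab-separated fields, got {len(fields)}")
            continue
        local_id, eppn, name = fields
        if any(f != f.strip() or not f for f in fields):
            errors.append(f"line {n}: empty or whitespace-padded field")
            continue
        if not EPPN_RE.match(eppn):
            errors.append(f"line {n}: malformed ePPN {eppn!r}")
            continue
        if eppn.lower() in seen:  # assumption: compare the whole ePPN case-insensitively
            errors.append(f"line {n}: duplicate ePPN {eppn!r}")
            continue
        seen.add(eppn.lower())
        rows.append((local_id, eppn, name))
    return rows, errors

# Constructed sample import file (not from the page): one good row, four bad ones.
SAMPLE = (
    "1001\tarai@example.ac.jp\tArai Taro\n"
    "1002\t kato@example.ac.jp\tKato Hanako\n"    # leading space in the ePPN
    "1003\tsato@example.ac.jp\n"                    # display name column missing
    "1004\tARAI@example.ac.jp\tArai T.\n"           # same ePPN as line 1
    "1005\tsuzuki@example\tSuzuki\n"                # scope is not a dotted domain
)

def demo():
    return validate_account_tsv(SAMPLE)
```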
...
The import command is as follows.
...