Set up uPortal on geni-portal.co.internet2.edu

Install Shib SP

(done already, or see https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxRPMInstall)

Configure SP for Delegation

(As per Configuring Shibboleth Delegation for a Portal.)

  1. Edit /etc/shibboleth/shibboleth2.xml:
    1. Add exportAssertion="true" to the <Path> element in
      <Host name="geni-portal.co.internet2.edu">
          <Path name="secure" authType="shibboleth" requireSession="true" />
      </Host>
      
    2. XXX May need to edit server IP ACL
    3. Replace the AttributeExtractor block with the following:
      <AttributeExtractor type="Chaining">
        <AttributeExtractor type="XML" path="attribute-map.xml"/>
        <AttributeExtractor type="KeyDescriptor" signingId="Signing-Keys"/>
      </AttributeExtractor>
      
  2. /etc/init.d/shibd restart

Create an NMI User

Check Version Numbers

Set the appropriate version numbers in the paths, or use symlinks instead.

# /usr/sbin/useradd -d /home/nmi -g 100 -s /bin/bash -u 20037 -c 'NMI Software' nmi
# cat >> ~nmi/.bashrc
JAVA_HOME=/usr/java/default
export JAVA_HOME

JAVA_OPTS="-XX:MaxPermSize=128m"
export JAVA_OPTS

ANT_HOME=/home/nmi/ant/apache-ant-1.7.1
export ANT_HOME

MAVEN_HOME=/home/nmi/maven/apache-maven-2.2.1
export MAVEN_HOME

PATH=${PATH}:${ANT_HOME}/bin:${MAVEN_HOME}/bin

Download and install Java JDK (not just the JRE)

  1. Download from http://java.sun.com/javase/downloads/index.jsp
  2. sh ./jdk-6u20-linux-i586-rpm.bin

Install Hypersonic

For a production installation, some other database should be used.

Download zip from http://www.hsqldb.org to ~nmi/hsql/

# su - nmi
$ cd hsql
$ unzip hsqldb_1_8_1_2.zip
$ mkdir hsqldb/data
$ cd hsqldb/demo

Create an appropriate init.d script and

# /sbin/chkconfig --add hsql
# /etc/init.d/hsql start

or manually start HSQL via

$ ./runServer.sh -port 8887 -database uPortal &

Install Ant

Not All Ants Are Alike

Don't use yum's ant, as it causes build errors about xml-commons-apis not found.
Also, use v1.7.1, not 1.8.1.

Download from http://ant.apache.org/bindownload.cgi or http://archive.apache.org/dist/ant/binaries.

$ cd ~nmi
$ mkdir ant
$ cd ant
$ tar xjf apache-ant-1.7.1-bin.tar.bz2

Install Maven

Download from http://maven.apache.org/download.html.

$ cd ~nmi
$ mkdir maven
$ cd maven
$ tar xjf apache-maven-2.2.1-bin.tar.bz2

Install Tomcat

  1. Download from http://tomcat.apache.org/download-60.cgi.
  2. $ cd ~nmi
    $ tar xzf apache-tomcat-6.0.28.tar.gz
    $ ln -s apache-tomcat-6.0.28 tomcat6
    
  3. Edit tomcat6/conf/catalina.properties. Set shared.loader=${catalina.base}/shared/classes,${catalina.base}/shared/lib/*.jar
  4. Edit tomcat6/conf/server.xml. Add emptySessionPath="true" to
     <Connector port="8080" protocol="HTTP/1.1"
                   connectionTimeout="20000"
                   redirectPort="8443" />
    
  5. Edit tomcat6/conf/server.xml. Add request.tomcatAuthentication="false" (otherwise REMOTE_USER won't be passed through).
        <!-- Define an AJP 1.3 Connector on port 8009 -->
        <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           request.tomcatAuthentication="false" />
    
  6. Create a startup script
    $ vi /etc/init.d/nmi-tomcat6
    
  7. Set up init.d links
    # /sbin/chkconfig --add nmi-tomcat6
    
  8. Start Tomcat
    # /etc/init.d/nmi-tomcat6 start
    
  9. After testing, stop Tomcat in preparation for Portal installation.
    # /etc/init.d/nmi-tomcat6 stop
    

Configure httpd SSL

Set up an SSL cert with the correct server name, though it's not clear this is strictly necessary.

$ cd ~nmi
$ mkdir ssl
$ cd ssl
$ openssl req -new -x509 -nodes -out server.crt -keyout server.key
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Michigan
Locality Name (eg, city) [Newbury]:Ann Arbor
Organization Name (eg, company) [My Company Ltd]:Internet2
Organizational Unit Name (eg, section) []:COmanage Dev
Common Name (eg, your name or your server's hostname) []:geni-portal.co.internet2.edu
Email Address []:
# mv ~nmi/ssl/server.crt /etc/pki/tls/certs/
# mv ~nmi/ssl/server.key /etc/pki/tls/private/
# vi /etc/httpd/conf.d/ssl.conf
  Change SSLCertificateFile and SSLCertificateKeyFile to the paths above
# /etc/init.d/httpd restart
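The interactive openssl session above produces the certificate and key, but nothing in the section confirms that the CN matches the host name httpd will serve, that the key really belongs to the certificate, or that the key ends up readable only by root once it is moved to /etc/pki/tls/private. The script below is an added example, not part of the original wiki page: it creates the same self-signed certificate non-interactively (with -subj carrying the same subject) and runs those three checks. The temporary work directory, the function names and the unrelated other.key negative case are constructed for the example; on the real host the checks would be pointed at the files moved above.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: create the self-signed
# certificate non-interactively with the same subject as the session above,
# then verify the things worth checking before ssl.conf points at the files:
#   - the certificate CN matches the host name httpd serves,
#   - the certificate and the private key belong together,
#   - the private key is readable by its owner only.
# Paths under $WORK are constructed for the example; on the real host the
# files are /etc/pki/tls/certs/server.crt and /etc/pki/tls/private/server.key.

HOST=geni-portal.co.internet2.edu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_selfsigned HOST CERT KEY: non-interactive form of the openssl req run above.
make_selfsigned() {
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/C=US/ST=Michigan/L=Ann Arbor/O=Internet2/OU=COmanage Dev/CN=$1" \
        -out "$2" -keyout "$3" 2>/dev/null
    chmod 600 "$3"
}

# cert_cn_matches CERT HOST: 0 if the subject CN equals HOST.
cert_cn_matches() {
    cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/^subject= *CN=\([^,]*\).*/\1/p')
    [ -n "$cn" ] && [ "$cn" = "$2" ]
}

# cert_matches_key CERT KEY: 0 if the key's public half is the one in the cert.
cert_matches_key() {
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# key_is_private KEY: 0 if the mode has no group/other bits (e.g. 0600).
# Uses ls -l so it behaves the same on GNU and BSD userlands.
key_is_private() {
    mode=$(ls -l "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# verify_ssl_files CERT KEY HOST: all three checks together.
verify_ssl_files() {
    cert_cn_matches "$1" "$3" && cert_matches_key "$1" "$2" && key_is_private "$2"
}

if command -v openssl >/dev/null 2>&1; then
    make_selfsigned "$HOST" "$WORK/server.crt" "$WORK/server.key"
    # Constructed negative case: an unrelated, world-readable key.
    openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
    chmod 644 "$WORK/other.key"
    if verify_ssl_files "$WORK/server.crt" "$WORK/server.key" "$HOST"; then
        echo "server.crt/server.key: OK"
    else
        echo "server.crt/server.key: FAIL"
    fi
else
    echo "openssl not found; nothing checked" >&2
fi
```

Run it as root after the mv commands above with the real paths substituted for $WORK; a FAIL from key_is_private means the key was copied with a permissive umask and needs chmod 600 before httpd is restarted.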

Configure AJP connector

uPortal spews a bunch of stuff into the top-level Tomcat space, so it's easiest to tell mod_ajp what not to pass.

  1. Add the following to /etc/httpd/conf.d/proxy_ajp.conf:
    ProxyPass /cgi-bin !
    ProxyPass /Shibboleth.sso !
    ProxyPass /secure !
    ProxyPass /shibboleth !
    ProxyPass / ajp://localhost:8009/
    
  2. /etc/init.d/httpd restart
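The order of the ProxyPass lines above is what makes the exclusions work: mod_proxy uses the first matching rule, so every "ProxyPass /path !" must precede the catch-all "ProxyPass / ajp://..." line, or /Shibboleth.sso and /secure are proxied to Tomcat instead of being handled by the Shibboleth SP. And because the AJP connector in the Tomcat section carries tomcatAuthentication="false", uPortal trusts whatever REMOTE_USER arrives over AJP, so the Tomcat connectors on 8080 and 8009 should be reachable only from httpd. The script below is an added example, not part of the original wiki page: two awk-based checks, one for the ProxyPass ordering and one that reports Tomcat connectors without a loopback address= attribute. The file contents, temporary directory and function names are constructed for the example; the connector check assumes self-closing <Connector .../> elements as in the stock server.xml and skips XML comments.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: sanity-check the two
# httpd/Tomcat files this section and the Tomcat section edit.
#
# Because the AJP connector has tomcatAuthentication="false", uPortal trusts
# whatever REMOTE_USER httpd forwards. Two things therefore matter:
#   1. every "ProxyPass /path !" exclusion must come BEFORE the catch-all
#      "ProxyPass / ajp://..." line, otherwise httpd proxies the Shibboleth
#      SP paths (/Shibboleth.sso, /secure) to Tomcat instead of handling them;
#   2. the Tomcat HTTP and AJP connectors should be reachable only from
#      httpd, i.e. carry address="127.0.0.1" (or be firewalled).
# All file contents below are constructed for the example.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# check_proxy_order FILE: 0 if every exclusion precedes the catch-all and a
# catch-all exists; otherwise prints the misplaced paths and returns 1.
check_proxy_order() {
    awk '
        /^[[:space:]]*ProxyPass[[:space:]]/ {
            if ($3 == "!") {
                if (seen_catchall) { bad++; print "exclusion after catch-all: " $2 }
            } else if ($2 == "/") {
                seen_catchall = 1
            }
        }
        END { if (bad > 0 || !seen_catchall) exit 1 }
    ' "$1"
}

# check_connector_bind FILE: 0 if every <Connector .../> carries a loopback
# address= attribute; otherwise prints the open ports and returns 1.
# Assumes self-closing connector elements; lines inside <!-- --> are skipped.
check_connector_bind() {
    awk '
        /<!--/ { incomment = 1 }
        incomment { if (/-->/) incomment = 0; next }
        /<Connector/ { inconn = 1; buf = "" }
        inconn { buf = buf " " $0 }
        inconn && /\/>/ {
            inconn = 0
            if (buf !~ /address="(127\.0\.0\.1|localhost)"/) {
                bad++
                match(buf, /port="[0-9]+"/)
                print "connector not bound to loopback: " substr(buf, RSTART, RLENGTH)
            }
        }
        END { if (bad > 0) exit 1 }
    ' "$1"
}

# Constructed: the ordering given above (correct).
cat > "$WORK/proxy_ajp_good.conf" <<'EOF'
ProxyPass /cgi-bin !
ProxyPass /Shibboleth.sso !
ProxyPass /secure !
ProxyPass /shibboleth !
ProxyPass / ajp://localhost:8009/
EOF

# Constructed: catch-all first, so the exclusions never match and
# /Shibboleth.sso ends up at Tomcat.
cat > "$WORK/proxy_ajp_bad.conf" <<'EOF'
ProxyPass / ajp://localhost:8009/
ProxyPass /Shibboleth.sso !
ProxyPass /secure !
EOF

# Constructed: the connectors from the Tomcat section, without and with a
# loopback bind address.
cat > "$WORK/server_open.xml" <<'EOF'
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" emptySessionPath="true" />
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           request.tomcatAuthentication="false" />
EOF

cat > "$WORK/server_loopback.xml" <<'EOF'
<Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1"
           connectionTimeout="20000"
           redirectPort="8443" emptySessionPath="true" />
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
           redirectPort="8443" request.tomcatAuthentication="false" />
EOF

for f in proxy_ajp_good.conf proxy_ajp_bad.conf; do
    if check_proxy_order "$WORK/$f"; then echo "$f: OK"; else echo "$f: FAIL"; fi
done
for f in server_open.xml server_loopback.xml; do
    if check_connector_bind "$WORK/$f"; then echo "$f: OK"; else echo "$f: FAIL"; fi
done
```

Point the two functions at /etc/httpd/conf.d/proxy_ajp.conf and ~nmi/tomcat6/conf/server.xml on the real host; a connector reported as not bound to loopback is acceptable only if the host firewall blocks 8080 and 8009 from everything except httpd.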

Install uPortal

  1. $ cd ~nmi
    $ mkdir uportal
    $ cd uportal
    
  2. Download from http://www.jasig.org/uportal/download.
  3. $ tar xzf uPortal-3.2.1.tar.gz
    $ cd uPortal-3.2.1
    
  4. Create a build.properties file and set the locations for Tomcat and Maven.
    $ cp build.properties.sample build.properties
    $ vi build.properties
      Set
        server.home=/home/nmi/tomcat6
        maven.home=/home/nmi/maven/apache-maven-2.2.1
    
  5. Run initportal. This will set up a default portal and database. (It might take around 15 minutes to run.)
    $ ant initportal
    [... lots of output]
    BUILD SUCCESSFUL
    Total time: 14 minutes 20 seconds
    
  6. Start Tomcat.
    $ /etc/init.d/nmi-tomcat6 start
    
  7. Verify that https://geni-portal.co.internet2.edu/uPortal renders the portal.

Reconfigure internal CAS

By default, uPortal will try to access CAS via localhost, which won't work for testing or the next step. Note CAS is accessed over HTTP not HTTPS. This is to work around issues with certificate validation. Since we'll only use CAS briefly, this is just easier.

  1. $ /etc/init.d/nmi-tomcat6 stop
  2. Edit ~/uportal/uPortal-3.2.1/uportal-war/src/main/webapp/WEB-INF/web.xml and change the CAS server URLs from http://localhost:8080 to http://geni-portal.co.internet2.edu. Be sure to leave ServerName as https, as this is not used to generate CAS URLs.
  3. Edit ~/uportal/uPortal-3.2.1/uportal-impl/src/main/resources/properties/security.properties similarly.
  4. $ cd ~/uportal/uPortal-3.2.1
  5. $ ant deploy-war
  6. $ /etc/init.d/nmi-tomcat6 start

Set up Portal admin user

Before setting up shib authentication, create a new user in uPortal that will match the username returned in $REMOTE_USER and that has admin privileges.

  1. $ cd ~/uportal/uPortal-3.2.1
    $ ant md5passwd -Dusername=benno@i2.edu
         [...]
         [java] Enter Password for benno@i2.edu:
    somepass
    
  2. Log in as the user you just created (e.g. benno@i2.edu). This will create the skeletal user record needed next.
  3. Log out.
  4. Log in as an existing admin user.
  5. Click "Admin Tools".
  6. Click "Manage groups".
  7. Click "Portal System".
  8. Click "Portal Administrators".
  9. Click "Edit Group".
  10. Click "Add Members".
  11. Enter the username in the search box and click "Go".
  12. Tick the checkbox next to the user you created and click "Select Marked".
  13. Click "Done With Selection". The new user is now an admin. You can log out and log back in as that user and you should now see the admin tab.

Reconfigure uPortal to use Shib auth

  1. vi /etc/httpd/conf.d/shib.conf
    <Location /uPortal/Login>
      AuthType shibboleth
      ShibRequestSetting requireSession 1
      require valid-user
    </Location>
    
  2. /etc/init.d/httpd restart
  3. $ /etc/init.d/nmi-tomcat6 stop
  4. Configure uPortal to get the username from the REMOTE_USER header. In uportal-impl/src/main/resources/properties/security.properties comment out all root.* properties and add the property
    root=org.jasig.portal.security.provider.RemoteUserSecurityContextFactory
    
  5. Configure uPortal to create users on demand based on the REMOTE_USER header. In uportal-impl/src/main/resources/properties/contexts/userContext.xml replace SimplePersonManager bean
    <bean id="personManager" class="org.jasig.portal.security.provider.SimplePersonManager" />
    
    with the RemoteUserPersonManager bean.
    <bean id="personManager" class="org.jasig.portal.security.provider.RemoteUserPersonManager" />
    
  6. Configure uPortal to populate users' attributes based on headers from Shibboleth.
    1. In pom.xml update the line: (XXX RC8 or RC6?)
      <person-directory.version>1.5.0-RC3</person-directory.version>
      
      To
      <person-directory.version>1.5.0-RC8</person-directory.version>
      
    2. In uportal-impl/src/main/resources/properties/contexts/personDirectoryContext.xml add the following beans (XXX update for correct attributes?) and comment out the previous definitions of requestAttributeSourceFilter and requestAdditionalDescriptors.
      <!--
       | Servlet filter that creates an attribute for the serverName
       +-->
      <bean id="requestAttributeSourceFilter" class="org.jasig.services.persondir.support.web.RequestAttributeSourceFilter">
          <property name="additionalDescriptors" ref="requestAdditionalDescriptors" />
          <property name="usernameAttribute" value="remoteUser" />
          <property name="remoteUserAttribute" value="remoteUser" />
          <property name="serverNameAttribute" value="serverName" />
          <property name="processingPosition" value="BOTH" />
          <property name="headerAttributeMapping">
              <map>
                  <!-- MODIFY THESE MAPPINGS TO EXPOSE HEADERS FROM SHIB AS USER ATTRIBUTES -->
                  <entry key="cn">
                      <list>
                          <value>cn</value>
                          <value>displayName</value>
                      </list>
                  </entry>
                  <entry key="givenName" value="givenName" />
              </map>
          </property>
      </bean>
      
      <!--
       | Session-scoped descriptors object. One of these will exist for each user in their session. It will store the
       | attributes from the request set by the requestAttributeSourceFilter
       +-->
      <bean id="requestAdditionalDescriptors" class="org.jasig.services.persondir.support.MediatingAdditionalDescriptors">
          <property name="delegateDescriptors">
              <list>
                  <bean class="org.jasig.services.persondir.support.AdditionalDescriptors" scope="globalSession">
                      <aop:scoped-proxy />
                  </bean>
                  <bean class="org.jasig.services.persondir.support.AdditionalDescriptors" scope="request">
                      <aop:scoped-proxy />
                  </bean>
              </list>
          </property>
      </bean>
      
    3. In uportal-war/src/main/webapp/WEB-INF/web.xml add the following servlet filter
      <filter>
          <filter-name>requestAttributeSourceFilter</filter-name>
          <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
      </filter>
      
      <filter-mapping>
          <filter-name>requestAttributeSourceFilter</filter-name>
          <url-pattern>/Login</url-pattern>
      </filter-mapping>
      
  7. $ ant deploy-war
  8. $ /etc/init.d/nmi-tomcat6 start

Configure uPortal for delegated assertion processing

(As per https://wiki.jasig.org/display/UPM31/Configuring+uPortal+to+pass+the+SAML+Assertion.)

  1. $ /etc/init.d/nmi-tomcat6 stop
  2. Edit pom.xml and add this line after the servlet-api.version line.
    <uportal-shibboleth-delegation-integration.version>1.1.0</uportal-shibboleth-delegation-integration.version>
    
  3. Also, add this block after the person-directory-impl dependency.
    <dependency>
        <groupId>org.jasig.service</groupId>
        <artifactId>uportal-shibboleth-delegation-integration</artifactId>
        <version>${uportal-shibboleth-delegation-integration.version}</version>
    </dependency>
    
  4. Edit uportal-impl/pom.xml and add this dependency after the person-directory-impl dependency.
    <dependency>
        <groupId>org.jasig.service</groupId>
        <artifactId>uportal-shibboleth-delegation-integration</artifactId>
        <scope>compile</scope>
    </dependency>
    
  5. Add the following to uportal-war/src/main/webapp/WEB-INF/web.xml
    <filter>
        <filter-name>SamlAssertionFilter</filter-name>
        <filter-class>org.jasig.portal.security.provider.SamlAssertionFilter</filter-class>
        <init-param>
            <param-name>samlAssertionSessionAttributeName</param-name>
            <param-value>SAML Assertion</param-value>
        </init-param>
        <init-param>
            <param-name>idpPublicKeysSessionAttributeName</param-name>
            <param-value>IdP Public Keys</param-value>
        </init-param>
    </filter>
    
    <filter-mapping>
        <filter-name>SamlAssertionFilter</filter-name>
        <servlet-name>Login</servlet-name>
    </filter-mapping>
    
  6. Add the following to uportal-impl/src/main/resources/properties/contexts/portletContainerContext.xml:
    1. Add <ref bean="samlAssertionUserInfoService" /> to userInfoServices.
    2. Add
      <bean id="samlAssertionUserInfoService" class="org.jasig.portal.portlet.container.services.SamlAssertionUserInfoService">
          <property name="userInstanceManager" ref="userInstanceManager" />
          <property name="portletWindowRegistry" ref="portletWindowRegistry" />
          <property name="portletEntityRegistry" ref="portletEntityRegistry" />
          <property name="portletDefinitionRegistry" ref="portletDefinitionRegistry" />
          <property name="portalRequestUtils" ref="portalRequestUtils" />
      
          <!-- These have to match what portlets declare for user attributes in portlet.xml -->
          <property name="samlAssertionKey" value="samlAssertion" />
          <property name="idpPublicKeysKey" value="idpPublicKeys" />
      
          <!-- These have to match the values defined for the SamlAssertionFilter in web.xml -->
          <property name="samlAssertionSessionKey" value="SAML Assertion" />
          <property name="idpPublicKeysSessionKey" value="IdP Public Keys" />
      </bean>
      
  7. $ ant deploy-war
  8. $ /etc/init.d/nmi-tomcat6 start