shibboleth-dev - Re: Notes for Discussion -- Shib Quick Start proposal

List: Shibboleth Developers (shibboleth-dev)

  • From: Digant C Kasundra <>
  • Subject: Re: Notes for Discussion -- Shib Quick Start proposal
  • Date: Mon, 29 Nov 2004 13:46:08 -0600

I don't see why such a thing would be hard to adapt to the latest Red
Hat Enterprise Linux release. As a matter of fact, self-building
tarball+script is the model we use at UTA for our OpenLDAP and Kerberos
deployments. I'd be happy to help make whatever you create RHEL-ready
(and wouldn't be surprised if it was as-is anyway).

-- DK


On Mon, 2004-11-29 at 12:34, wrote:
> Over the last several months, we've tried to improve the ability of
> sites to install and operate the Shib software by introducing Install
> Fests; additionally, we've recently published on the shib web site
> the "checklist" that was developed to help Fest attendees. Both of
> these steps have generated some success stories; people do seem to be
> finding it easier to install and configure shib and the required
> dependencies. However, there seems to be a set of people that are
> still having trouble.... discussion of these situations led to the
> development of the "Quick Start Package" proposal. This note is a
> description of the current thinking about Quick Start, what it's
> targeted at, and what it would contain....
>
> -- initially, it would be targeted at Fedora systems..... later, this
> might be extended.
>
> -- one goal here is to provide people with direct access to several
> different "working installations".
>
> -- the package would install shib + ALL the dependencies (eg java,
> tomcat, etc). It would also contain supporting files and scripts to
> allow the new install to be easily moved among three possible
> configurations: operation in localhost mode, operational in bilateral
> mode, and operational in InQueue.
>
> -- after the shell archive script runs, the machine should be
> operational in localhost mode. A user should be able to start X on
> the Fedora system, start a browser, enter the appropriate url (which
> we'll supply), and have the freshly installed IdP and SP components
> interact successfully.
>
> -- the bilateral mode script would allow *any* browser user to enter
> the appropriate url and have the freshly installed IdP and SP
> components interact successfully. (The difference with localhost mode
> is that urls would no longer contain a hostname of localhost.) This
> script would generate and use self-signed certs to have the two
> components trust each other.
>
> -- InQueue mode would have the IdP and SP components join the IQ
> federation. This would require configuring them to use certs signed
> by a trusted CA.....
>
> -- POTENTIAL CONCERN -- Scott has suggested that the Quick Start
> package contain a signing key for a CA trusted by IQ. Two reasons: 1)
> even a moron would now recognize the IQ cannot be trusted for
> real work, and 2) this would greatly simplify the steps needed to
> reconfigure for membership in IQ.
>
> -- the package would be a shell archive (tarball + script)
>
> -- the tarball would contain:
>    - java 1.4
>    - tomcat
>    - a directory containing scripts and config files, to be used
>      in normal operation (eg a basic auth user.db file with Test Users in
>      it), and by the three modes
>
> -- the shell archive script would:
>    - install java
>    - install tomcat
>    - download and explode the shib IdP software
>    - use rpm to install the shib SP dependencies and the Shib SP package
>    - configure the IdP software
>      - copy shib files into the tomcat tree
>      - make required edits to tomcat files (see checklist)
>      - start tomcat, wait, stop tomcat
>    - configure the SP software
>      - edit httpd.conf, to Include files containing items relevant
>        to running both the IdP and SP
>
> (I may have missed a couple of items.... but in this note I'm
> more worried about the concept than the detail)
>
> -- At this point, the system should be fully operational in localhost mode.
>
> -- Supplied scripts would edit config files appropriately, and would
> use files included in the Quick Start package, to reconfigure the
> machine to bilateral or IQ mode.....
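An added example of the "tarball + script" shell archive model the quoted proposal describes, written for this page and not taken from the thread or from the Shibboleth project's own tooling: a builder that packs a directory into a gzipped tar, appends it base64-encoded below a marker line, and emits a stub that checks the payload's SHA-256 against the value recorded in its header before exploding it, then records the selected mode (localhost, bilateral, inqueue) and runs an optional per-mode hook shipped inside the tarball. It assumes Linux with POSIX sh, tar, gzip and GNU coreutils (sha256sum, base64); the function names build_shar and verify_shar, the __PAYLOAD_BELOW__ marker and the modes/<mode>.sh hook convention are my own assumptions, not anything the proposal specifies.

```shell
#!/bin/sh
# Constructed example of the "tarball + script" shell archive model.
# Assumes Linux with POSIX sh, tar, gzip, sha256sum and base64 (GNU coreutils).

# build_shar SRC_DIR OUT_FILE
# Packs SRC_DIR into a gzipped tar, records its SHA-256 in the stub header,
# and appends the base64-encoded payload below a marker so OUT_FILE is a
# single runnable script. The stub exits before the marker, so the shell
# never tries to execute the payload lines as commands.
build_shar() {
    src="$1"; out="$2"
    tmp="$(mktemp)"
    tar -C "$src" -czf "$tmp" .
    sum="$(sha256sum "$tmp" | cut -d' ' -f1)"
    {
        printf '#!/bin/sh\n# self-extracting quick-start archive (constructed example)\n'
        printf 'EXPECTED_SHA256=%s\n' "$sum"
        cat <<'STUB'
MODE="${1:-localhost}"        # localhost | bilateral | inqueue
DEST="${2:-./quickstart}"
payload="$(mktemp)"
# everything after the marker line is the base64-encoded tarball
sed '1,/^__PAYLOAD_BELOW__$/d' "$0" | base64 -d > "$payload"
actual="$(sha256sum "$payload" | cut -d' ' -f1)"
if [ "$actual" != "$EXPECTED_SHA256" ]; then
    echo "payload checksum mismatch, refusing to install" >&2
    rm -f "$payload"; exit 1
fi
# reject an unknown mode before anything is written to DEST
case "$MODE" in
    localhost|bilateral|inqueue) ;;
    *) echo "unknown mode: $MODE" >&2; rm -f "$payload"; exit 2 ;;
esac
mkdir -p "$DEST" && tar -C "$DEST" -xzf "$payload"
rm -f "$payload"
printf '%s\n' "$MODE" > "$DEST/.mode"
# per-mode reconfiguration script shipped inside the tarball, e.g. modes/bilateral.sh
hook="$DEST/modes/$MODE.sh"
if [ -f "$hook" ]; then sh "$hook" "$DEST" || exit 3; fi
exit 0
__PAYLOAD_BELOW__
STUB
        base64 "$tmp"
    } > "$out"
    rm -f "$tmp"
    chmod +x "$out"
}

# verify_shar ARCHIVE: re-check the payload checksum without installing anything.
# Returns 0 when the header's SHA-256 matches the decoded payload.
verify_shar() {
    expected="$(sed -n 's/^EXPECTED_SHA256=//p' "$1" | head -n 1)"
    actual="$(sed '1,/^__PAYLOAD_BELOW__$/d' "$1" | base64 -d 2>/dev/null | sha256sum | cut -d' ' -f1)"
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# sh quickshar.sh build SRC_DIR OUT_FILE   or   sh quickshar.sh verify ARCHIVE
case "${1:-}" in
    build)  build_shar "$2" "$3" ;;
    verify) verify_shar "$2" ;;
esac
```

Build with `sh quickshar.sh build ./payload quickstart.sh`, then run `sh quickstart.sh localhost /opt/quickstart` (or `bilateral`, `inqueue`) on the target. The embedded checksum only catches a corrupted download: it lives in the same file as the payload, so whoever can alter one can alter the other. For a package that is meant to be run as root on a fresh machine, publish a detached signature over the whole archive (or at least its checksum) out of band and have users verify that before executing it; `verify_shar` is the integrity half of that check, not the authenticity half.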




Archive powered by MHonArc 2.6.16.