Thursday, June 25, 2009

OpenIdP Server rebuilding

Copy:
  • users' folders
  • root's folder
  • /usr/local/apache-tomcat-5.5.23
  • /usr/local/shibboleth-idp
  • /usr/java/jdk1.5.0_11
  • /var/www/http/*
  • /etc/httpd/conf/
  • /etc/httpd/conf.d/shib-idp.conf
  • /etc/httpd/conf.d/ssl.conf
  • /etc/httpd/conf.d/redirectToHTTPS.conf
Command:
  • ln -s /usr/local/apache-tomcat-5.5.23 tomcat
  • ln -s /usr/java/jdk1.5.0_11 java
Add into /etc/httpd/conf.d/proxy_ajp.conf
  • ProxyPassReverse /shibboleth-idp/ ajp://localhost:8009/shibboleth-idp/
  • ProxyPass /shibboleth-idp/ ajp://localhost:8009/shibboleth-idp/
Install LDAP:
  • compat-openldap.i386
  • openldap-clients.i386
  • openldap-servers.i386
  • openldap-servers-sql.i386
Copy LDAP Database:
  • slapcat > idp.ldiff # old idp
  • slapadd -v -l idp.ldiff # new idp
  • service ldap start
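
The slapcat/slapadd transfer above, written out with the checks a rebuild benefits from, as an added example that is not part of the original post. It assumes the RHEL/CentOS 5 packaging the post installs (init script `ldap`, database files under /var/lib/ldap, slapd running as the `ldap` user); the base DN is the BeSTGRID one from the post, the sample LDIF is constructed, and the file paths are illustrative. The point it adds is that slapadd run as root leaves the database files root-owned, after which slapd will not start, and that the entry count should be compared before and after the load.

```sh
#!/bin/sh
# Added example, not from the original post: move the OpenIdP directory from
# the old server to the new one with slapcat/slapadd, checking the LDIF
# before it is loaded and the entry count afterwards. Assumes RHEL/CentOS 5
# packaging (init script "ldap", /var/lib/ldap, slapd running as "ldap").

BASE_DN='dc=idp,dc=bestgrid,dc=org'   # from the post

# Number of entries in an LDIF file: every entry begins with a "dn:" line.
# grep -c prints 0 but exits 1 on no match, so neutralise the exit status.
ldif_entry_count() {
    grep -c '^dn:' "$1" || true
}

# Succeeds when the file contains an entry for the given DN. DNs compare
# case-insensitively, hence -i.
ldif_has_dn() {
    grep -iq "^dn: *$2 *\$" "$1"
}

# Constructed three-entry sample standing in for real slapcat output.
write_sample_ldif() {
    cat > "$1" <<'EOF'
dn: dc=idp,dc=bestgrid,dc=org
objectClass: domain
dc: idp

dn: ou=people,dc=idp,dc=bestgrid,dc=org
objectClass: organizationalUnit
ou: people

dn: cn=shibboleth,dc=idp,dc=bestgrid,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: shibboleth
EOF
}

# Run on the OLD idp. slapcat reads the database files directly, so stop
# slapd first for a consistent dump, then bring it back.
export_ldap() {
    out=$1
    service ldap stop
    slapcat -l "$out"
    service ldap start
    chmod 600 "$out"   # the dump carries every user's password hash
    echo "exported $(ldif_entry_count "$out") entries to $out"
}

# Run on the NEW idp after copying the LDIF over (scp it; it holds password
# hashes). Refuses an empty or wrong-base file, repairs the ownership that
# slapadd leaves behind, and compares entry counts before starting slapd.
import_ldap() {
    ldif=$1
    expected=$(ldif_entry_count "$ldif")
    [ "$expected" -gt 0 ] || { echo "$ldif has no entries" >&2; return 1; }
    ldif_has_dn "$ldif" "$BASE_DN" \
        || { echo "$ldif does not contain $BASE_DN" >&2; return 1; }
    service ldap stop
    slapadd -v -l "$ldif"
    # slapadd run as root creates the BDB files as root; slapd runs as "ldap"
    # and then fails to open them, so hand the files back before starting.
    chown -R ldap:ldap /var/lib/ldap
    got=$(slapcat | grep -c '^dn:' || true)
    service ldap start
    [ "$got" -eq "$expected" ] \
        || { echo "loaded $got entries, expected $expected" >&2; return 1; }
    echo "imported $expected entries under $BASE_DN"
}

# Usage: on the old server  ->  export_ldap /root/idp.ldif
#        on the new server  ->  import_ldap /root/idp.ldif
```

The two LDIF helpers are what make the import refuse a truncated or foreign dump; the count comparison catches the case where slapadd stops partway through on a schema violation while still exiting successfully for the entries it did load.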
Edit shib-idp.conf:

  • AuthType Basic
    AuthName "BeSTGRID Identity Provider"
    AuthLDAPBindDN cn=shibboleth,dc=idp,dc=bestgrid,dc=org
    AuthLDAPBindPassword "password"
    AuthLDAPURL "ldap://idp.bestgrid.org:389/ou=people,dc=idp,dc=bestgrid,dc=org?cn"
    AuthBasicProvider ldap
    require valid-user
    Require ldap-filter objectClass=*
    AuthzLDAPAuthoritative on
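
The same shib-idp.conf directives with the Apache-to-LDAP leg protected, as an added example that is not the post's own configuration. It assumes the directives live in a `<Location /shibboleth-idp>` container and that the directory's CA certificate is available as a DER file at a placeholder path. As written above, Apache binds to idp.bestgrid.org:389 in clear, so the bind password and every user's Basic password travel to the directory unencrypted; the second argument to AuthLDAPURL upgrades that connection with STARTTLS (if slapd is on the same host and listens only on localhost, binding to ldap://localhost is the simpler fix).

```apache
# Added example, not the post's config. Server-config context (outside any
# <Location>): CA that signed the directory's certificate; placeholder path.
LDAPTrustedGlobalCert CA_DER /etc/openldap/cacerts/bestgrid-ca.der
LDAPVerifyServerCert on

<Location /shibboleth-idp>
    AuthType Basic
    AuthName "BeSTGRID Identity Provider"
    AuthBasicProvider ldap
    # "TLS" as the second argument: plain port 389, upgraded with STARTTLS
    # before the bind, so no password reaches the directory in clear.
    AuthLDAPURL "ldap://idp.bestgrid.org:389/ou=people,dc=idp,dc=bestgrid,dc=org?cn" TLS
    AuthLDAPBindDN cn=shibboleth,dc=idp,dc=bestgrid,dc=org
    # Replace the placeholder; keep this file readable by root only.
    AuthLDAPBindPassword "password"
    AuthzLDAPAuthoritative on
    Require valid-user
    Require ldap-filter objectClass=*
</Location>
```

Run `service httpd configtest` after the edit; a wrong certificate path or an LDAP server without STARTTLS support shows up there or in the error log as a bind failure, before users see a login loop.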

Start/restart httpd:
  • service httpd restart
Start Tomcat:
  • /etc/init.d/tomcat stop
  • /etc/init.d/tomcat start
Test:
  • login from www.bestgrid.org
Cron Jobs:
  • /etc/cron.hourly/idp-aaL1-metadata
  • /etc/cron.hourly/idp-bestgrid-test-metadata

Friday, June 19, 2009

WAYF Test server transfer

Copy:
  • users' folders
  • root's folder
  • /usr/local/apache-ant-1.7.0
  • /usr/local/apache-tomcat-5.5.23
  • /usr/local/shibboleth-idp-metadatatool
  • /usr/local/shibboleth-wayf
  • /usr/java/jdk1.5.0_11
  • /var/www/http/*
Command:
  • ln -s /usr/local/apache-tomcat-5.5.23 tomcat
  • ln -s /usr/java/jdk1.5.0_11 java
Add into /etc/httpd/conf.d/proxy_ajp.conf
  • ProxyPassReverse / ajp://localhost:8009/
  • ProxyPass / ajp://localhost:8009/
Create self-signed certificate:
  • openssl req -x509 -nodes -days 1095 -subj '/CN=wayf.test.bestgrid.org/C=NZ/L=Auckland/OU=BeSTGRID/O=Broadband enabled Science and Technology GRID' -newkey rsa:1024 -keyout wayfcert.key -out wayfcert.crt
Copy:
  • wayfcert.key to /etc/httpd/conf/ssl.key/wayfcert.key
  • wayfcert.crt to /etc/httpd/conf/ssl.crt/wayfcert.crt
Commands:
  • ln -s /etc/httpd/conf/ssl.key/wayfcert.key /etc/httpd/conf/ssl.key/server.key
  • ln -s /etc/httpd/conf/ssl.crt/wayfcert.crt /etc/httpd/conf/ssl.crt/server.crt
Edit /etc/httpd/conf.d/ssl.conf:
  • SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
  • SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
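
The certificate steps above (generate, copy, link, point ssl.conf at the links), with the checks worth running before the key goes under /etc/httpd/conf/ssl.key, as an added example that is not from the original post. The subject is the post's; the file paths and CN are parameters. Two things differ from the post's command and are my choice: a 2048-bit key instead of rsa:1024, and a umask that creates the key file 0600 rather than world-readable.

```sh
#!/bin/sh
# Added example, not from the original post: create the WAYF self-signed
# certificate and verify it before it is linked in as server.key/server.crt.

# Generate key + certificate. The subshell confines the umask so that the
# key is born 0600 instead of being chmod'ed after a readable moment.
gen_selfsigned() {
    key=$1 crt=$2 cn=$3 days=${4:-1095}
    ( umask 077
      openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -subj "/CN=$cn/C=NZ/L=Auckland/OU=BeSTGRID/O=Broadband enabled Science and Technology GRID" \
        -keyout "$key" -out "$crt" 2>/dev/null )
}

# The key and certificate belong together when they carry the same public
# key; compare the PEM public keys extracted from each.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Subject CN, handling both the old "/CN=x/C=NZ" and the newer
# "CN = x, C = NZ" print formats of openssl x509 -subject.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# Succeeds if the certificate is still valid $2 days from now
# (-checkend takes seconds).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Key file must not be readable by group or others; ls -l columns 5-10 are
# the group/other permission bits, which works without GNU stat.
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Typical use on the WAYF box, with the post's file names:
#   gen_selfsigned wayfcert.key wayfcert.crt wayf.test.bestgrid.org
#   key_matches_cert wayfcert.key wayfcert.crt && key_is_private wayfcert.key \
#     && cp wayfcert.key /etc/httpd/conf/ssl.key/ \
#     && cp wayfcert.crt /etc/httpd/conf/ssl.crt/
```

The CN check matters because browsers compare it against the host name users type (wayf.test.bestgrid.org here); a mismatch produces a warning on every login even though httpd starts fine.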
Start/restart httpd:
  • service httpd restart
Start Tomcat:
  • /etc/init.d/tomcat stop
  • /etc/init.d/tomcat start
Test:
  • login from wiki.test.bestgrid.org

Wednesday, June 17, 2009

EVO Panda Firewall rules

# Punch a few holes for proper Panda operation
# Connections from other Panda servers
-A RH-Firewall-1-INPUT -m udp -p udp --dport 46014 -j ACCEPT
# Connections from Koala
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 46015 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 46015 -j ACCEPT
# Connections from Mongoose
-A RH-Firewall-1-INPUT -m udp -p udp --dport 46025 -j ACCEPT
# ApMon from MonALISA
-A RH-Firewall-1-INPUT -m udp -p udp --dport 8884 -j ACCEPT
# Connections from any remote H.323/SIP clients
-A RH-Firewall-1-INPUT -m udp -p udp --dport 57000:57400 -j ACCEPT
# Remote management from MonkeySSL
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 3232 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 3233 -j ACCEPT
# Remote management from Kiwi
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 5354 -j ACCEPT
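
An audit of the rule set above, as an added example that is not part of the original post. None of the rules carry a `-s` match, so every port, including the four described as "remote management", accepts connections from any source. The script lists what is open to the world, picks out the management ports (3232, 3233, 5353, 5354, taken from the comments above), and rewrites those rules to accept only from a given source network; the sample rule file is a constructed copy of the page's rules and the management network address is a placeholder.

```sh
#!/bin/sh
# Added example, not from the original post: audit an iptables-save style
# rules file and restrict the management ports to a known source.

# Management ports as labelled in the post's comments (MonkeySSL, Kiwi).
MGMT_PORTS="3232 3233 5353 5354"

# Constructed copy of the page's Panda rules (ApMon rule on its own line).
sample_rules() {
    cat <<'EOF'
# Connections from other Panda servers
-A RH-Firewall-1-INPUT -m udp -p udp --dport 46014 -j ACCEPT
# Connections from Koala
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 46015 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 46015 -j ACCEPT
# Connections from Mongoose
-A RH-Firewall-1-INPUT -m udp -p udp --dport 46025 -j ACCEPT
# ApMon from MonALISA
-A RH-Firewall-1-INPUT -m udp -p udp --dport 8884 -j ACCEPT
# Connections from any remote H.323/SIP clients
-A RH-Firewall-1-INPUT -m udp -p udp --dport 57000:57400 -j ACCEPT
# Remote management from MonkeySSL
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 3232 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 3233 -j ACCEPT
# Remote management from Kiwi
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 5354 -j ACCEPT
EOF
}

# Print "proto:port" for every ACCEPT rule with no source restriction.
open_to_world() {
    grep -- '-j ACCEPT' "$1" | grep -v -e ' -s ' -e ' --src ' \
        | sed -n 's/.*-p \([a-z]*\) .*--dport \([0-9:]*\) .*/\1:\2/p'
}

# Subset of the above that are management ports: these should never be
# reachable from arbitrary sources.
mgmt_open_to_world() {
    open_to_world "$1" | while IFS=: read -r proto port; do
        for m in $MGMT_PORTS; do
            if [ "$port" = "$m" ]; then echo "$proto:$port"; fi
        done
    done
}

# Emit the file with "-s <src>" inserted into each unrestricted management
# rule; everything else (comments, service ports) passes through unchanged.
# Usage: restrict_mgmt_rules rules.txt 10.1.2.0/24 > rules.new
restrict_mgmt_rules() {
    awk -v src="$2" -v ports="$MGMT_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) mgmt[p[i]] = 1 }
        /-j ACCEPT/ && !/ -s / {
            for (i = 1; i <= NF; i++)
                if ($i == "--dport" && ($(i + 1) in mgmt)) { $2 = $2 " -s " src; break }
        }
        { print }' "$1"
}
```

On a live box the input is `iptables-save` output (or /etc/sysconfig/iptables, which holds the same format); the rewritten rules go back through `iptables-restore` after a review, and the audit is worth re-running from cron so a rule added in a hurry does not stay open indefinitely.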