
1. Download the installation script and the corresponding software

Log in to the self-service system at mgmt.carsi.edu.cn and download the installation script idp_install_script.zip under "My CARSI" - "My IdP". It unpacks to idp512-openeuler-anolisos-jetty11-install.sh (if you need the 4.1.7 installation script, email carsi@pku.edu.cn), as shown in the figure below:

Log in to the IdP server as the carsi user and download the following script and software into the same directory.

```bash
[carsi@www ~]$ curl -O  https://ds.carsi.edu.cn/50inst/v1/shibboleth-identity-provider-5.1.2.tar.gz
[carsi@www ~]$ curl -O  https://ds.carsi.edu.cn/50inst/v1/jetty-home-11.0.20.tar.gz

# Check that the md5 of the downloaded files matches the values below; a mismatch usually means a failed download, so download the file again
[carsi@www ~]$ md5sum shibboleth-identity-provider-5.1.2.tar.gz jetty-home-11.0.20.tar.gz
487e8739e894ca07f48eafd58936bff8  shibboleth-identity-provider-5.1.2.tar.gz
fde76dba0c0a12e4e7492515014be5cc04a7d1d97c5f7324314018089111c3c9  jetty-home-11.0.20.tar.gz

# Make the script executable
[carsi@www ~]$ chmod 755 idp512-openeuler-anolisos-jetty11-install.sh
```


2. Install the IdP

Run idp512-openeuler-anolisos-jetty11-install.sh to begin installing the IdP. The installation has five parts: checking the runtime environment; installing the base software (Java, nginx, Jetty); installing the IdP software; choosing the authentication back-end; and rebuilding the war file. They are described in detail below:

Note: During installation the script saves a log to install.log in its own directory, but for technical reasons not all of the script's output can be collected automatically. It is recommended to save the output by hand as well (copy the screen output to a file) so that it can be used to analyse any problems that occur. The output shown below also differs somewhat between operating systems.

2.1 Runtime environment check

```bash
[carsi@www ~]$ sudo sh ./idp512-openeuler-anolisos-jetty11-install.sh
Install shibboleth idp at 2024.04.22 15:18:24
Shibboleth IdP 5.1.2 is installing.
Script Version v5.1.2
Checking Internet access...
Check Internet access success!
Setting timezone...
Install tar ...
Install zip and unzip...
Testing installing envirenment...
Check shibboleth idp installation file success!
Check Jetty installation file success!
```

...

If the machine is being upgraded from IdP v3 to the new version, the script may tell you to prepare a separate installation environment and then exit. In that case follow "IdP512: Upgrading IdP from v3.4.3/v3.4.7/v4.1.7/v4.3.1 to v5.1.2" to install the new version.

```bash
You are upgrading IdP from 3.4.7 to 5.1.2 . We suggest to setup suitable environment to install IdP 5.1.2 but don't upgrade from the old system.
If you still insist to upgrade the old system to IdP 5.1.2, please make sure you have made a backup of data. You will take some risks for the installation.
```

Note: If the IdP is already in production and needs upgrading, we strongly recommend a fresh installation in a new environment. Once the new system is installed, copy over the files from the old system's credentials and metadata directories, then finish configuration and testing, so that the switchover has as little impact on the IdP service as possible. For how to restore the IdP after reinstalling, see "IdP512: IdP backup, restore and high availability".
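When the credentials and metadata directories are copied over from the old system, the two must still agree: the certificates in the copied idp-signing.crt and idp-encryption.crt have to be the ones published in idp-metadata.xml, otherwise SPs that consumed the metadata will reject the IdP's signatures or encrypt assertions to a key the new IdP does not hold. The following Python check is an added example, not part of this guide or of the CARSI installation script; it assumes the standard Shibboleth file names under /opt/shibboleth-idp (credentials/idp-signing.crt, credentials/idp-encryption.crt, metadata/idp-metadata.xml) and ships with a constructed metadata sample whose certificate values are placeholders.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"          # SAML metadata namespace
DS = "{http://www.w3.org/2000/09/xmldsig#}"            # XML Signature namespace

def pem_body(pem):
    """Base64 payload of a PEM certificate: header, footer and all whitespace removed."""
    return "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))

def published_certs(metadata_xml):
    """Certificates the metadata publishes, keyed by use. A KeyDescriptor without a 'use'
    attribute covers both signing and encryption, as the SAML metadata spec defines."""
    certs = {"signing": set(), "encryption": set()}
    for kd in ET.fromstring(metadata_xml).iter(MD + "KeyDescriptor"):
        uses = [kd.get("use")] if kd.get("use") else list(certs)
        for cert in kd.iter(DS + "X509Certificate"):
            for use in uses:
                certs[use].add("".join(cert.text.split()))   # normalise line wrapping
    return certs

def check_credentials(metadata_xml, signing_crt_pem, encryption_crt_pem):
    """Credential files whose certificate is NOT published for its use in the metadata;
    SPs would then reject the IdP's signatures or encrypt to a key it does not hold."""
    certs = published_certs(metadata_xml)
    missing = []
    if pem_body(signing_crt_pem) not in certs["signing"]:
        missing.append("idp-signing.crt")
    if pem_body(encryption_crt_pem) not in certs["encryption"]:
        missing.append("idp-encryption.crt")
    return missing

# Constructed sample data: the base64 blobs are placeholders, not real certificates.
SIGNING_PEM = "-----BEGIN CERTIFICATE-----\nU0lHTklORy1DRVJU\n-----END CERTIFICATE-----\n"
ENCRYPTION_PEM = "-----BEGIN CERTIFICATE-----\nRU5DUllQVC1DRVJU\n-----END CERTIFICATE-----\n"
METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.xxx.edu.cn/idp/shibboleth">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      U0lHTklORy1DRVJU
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      RU5DUllQVC1DRVJU
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":   # pass idp-metadata.xml idp-signing.crt idp-encryption.crt from a live
    import sys               # install, or no arguments to run against the constructed sample
    files = [open(p).read() for p in sys.argv[1:]] or [METADATA, SIGNING_PEM, ENCRYPTION_PEM]
    print("credentials not published in metadata:", check_credentials(*files))
```

An empty result means the copied credentials match the copied metadata; any file name listed points at a certificate that SPs holding this metadata will not accept.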

2.2 Install the base software: Java, nginx, Jetty

...

2.3 Install the IdP software

```bash
Installing shibbolet idp...
INFO  - Skipping non-existent resource: class path resource [-Didp.src.dir=../shibboleth-identity-provider-5.1.2]

install:
Installation Directory: [/opt/shibboleth-idp] ?   # confirm the installation path; just press Enter
INFO  - New Install.  Version: 5.1.2
Host Name: [idp.xxx.edu.cn] ?          # check that the server hostname is correct; the hostname is normally set to match the IdP domain name. An IP address may be shown here; if so, type the IdP server's domain name manually
INFO  - Creating idp-signing, CN = idp.xxx.edu.cn URI = https://idp.xxx.edu.cn/idp/shibboleth, keySize=3072
INFO  - Creating idp-encryption, CN = idp.xxx.edu.cn URI = https://idp.xxx.edu.cn/idp/shibboleth, keySize=3072
Backchannel PKCS12 Password:     # set and enter a password, used for creating the backchannel certificate keystore
Re-enter password:               # enter it again
INFO  - Creating backchannel keystore, CN = idp.xxx.edu.cn URI = https://idp.xxx.edu.cn/idp/shibboleth, keySize=3072
Cookie Encryption Key Password:  # set and enter a password, used for creating the cookie encryption key
Re-enter password:               # enter it again
INFO  - Creating Sealer KeyStore
INFO  - No existing versioning property, initializing...
SAML EntityID: [https://idp.xxx.edu.cn/idp/shibboleth] ?       # confirm the EntityID is correct (mainly check the domain name) and press Enter (no need to type Y); if it is wrong, type the EntityID manually, with no spaces in it
Attribute Scope: [xxx.edu.cn] ?    # confirm this is the correct institution domain and press Enter; if not, set it manually, e.g. pku.edu.cn
INFO  - Initializing OpenSAML using the Java Services API
INFO  - Algorithm failed runtime support check, will not be usable: http://www.w3.org/2001/04/xmlenc#ripemd160
INFO  - Algorithm failed runtime support check, will not be usable: http://www.w3.org/2001/04/xmldsig-more#hmac-ripemd160
INFO  - Algorithm failed runtime support check, will not be usable: http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160
INFO  - Including auto-located properties in /opt/shibboleth-idp/conf/admin/admin.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/conf/authn/authn.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/conf/c14n/subject-c14n.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/conf/ldap.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/conf/saml-nameid.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/conf/services.properties
INFO  - Creating Metadata to /opt/shibboleth-idp/metadata/idp-metadata.xml
INFO  - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 5.1.2
INFO  - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
INFO  - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO  - Creating war file /opt/shibboleth-idp/war/idp.war
INFO  - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/admin/admin.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/authn/authn.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/c14n/subject-c14n.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/ldap.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/saml-nameid.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/services.properties
Enabling idp.intercept.Consent...
	conf/intercept/consent-intercept-config.xml created
	views/intercept/attribute-release.vm created
	views/intercept/terms-of-use.vm created
[OK]
```

2.4 Choose the authentication back-end (according to the institution's actual authentication system):

```bash
Please chosing your idp authentication type...
1.LDAP(easiest way)
2.CAS
3.Oauth2
4.Tencent WeChat Work(企业微信)
5.exit
Please enter your choice:   # choose the authentication integration method
download fileforldap1 success!
download fileforldap2 success!
download fileforldap3 success!
download fileforldap4 success!
download fileforall1 success!
download fileforall2 success!
download fileforall3 success!
download fileforall4 success!
download fileforall5 success!
download fileforall6 success!
download fileforall7 success!
download fileforall8 success!
download fileforall9 success!
download fileforall10 success!
```

2.5 Rebuild the war and restart nginx and Jetty.

```bash
Installing nashorn plugin and rebuilding /opt/shibboleth-idp/war/idp.war
INFO - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/admin/admin.properties
INFO - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/authn/authn.properties
INFO - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/c14n/subject-c14n.properties
INFO - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/ldap.properties
INFO - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/saml-nameid.properties
INFO - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/services.properties
INFO - Downloading from HTTPResource [http://shibboleth.net/downloads/identity-provider/plugins/scripting/2.0.0/idp-plugin-nashorn-jdk-dist-2.0.0.tar.gz]
....................................
INFO - Downloading from HTTPResource [http://shibboleth.net/downloads/identity-provider/plugins/scripting/2.0.0/idp-plugin-nashorn-jdk-dist-2.0.0.tar.gz.asc]
INFO - Plugin net.shibboleth.idp.plugin.nashorn: Trust store folder does not exist, creating
INFO - Plugin net.shibboleth.idp.plugin.nashorn: Trust store does not exist, creating
INFO - TrustStore does not contain signature 0x1483F262A4B3FF0
Accept this key:
Signature: 0x1483F262A4B3FF0
FingerPrint: 4AF4D83EEDDF43DA3C06CB3101483F262A4B3FF0
Username: Rod Widdowson <rdw@steadingsoftware.com>
[yN] y   # accept the plugin installation: type y
INFO - Installing Plugin 'net.shibboleth.idp.plugin.nashorn' version 2.0.0
INFO - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 5.1.2
INFO - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
INFO - Overlay from /opt/shibboleth-idp/dist/plugin-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO - Creating war file /opt/shibboleth-idp/war/idp.war
restarting Jetty...
Jetty restarted
download filefornginx2 success!
Generating RSA private key, 2048 bit long modulus (2 primes)
....+++++
...............................+++++
e is 65537 (0x010001)
Signature ok
subject=C = CN, ST = BeiJing, L = BeiJing, O = xxx, OU = xxx, CN = idp.xxx.edu.cn
Getting CA Private Key
restarting nginx...
nginx restarted...
shibboleth idp installed success!
```