port 8443 and apache httpd


port 8443 and apache httpd

Tore Halset
Hello.

(newbie alert)

I am installing a shibboleth 2 idp. We use JBoss application server  
behind a Apache httpd webserver. The connection between the apache  
httpd and the application server is ajp. The application server is not  
directly connectable from the internet, only via the apache httpd.

I am reading the install-documentation on how to prepare jboss for  
shib idp.
https://spaces.internet2.edu/display/SHIB2/IdPJBossTomcatPrepare

Is it possible to set up Apache httpd to listen to 8443 using the idp  
certificate and forward the requests to JBoss using ajp? Any example  
on how to do that?

Regards,
  - Tore.

Re: port 8443 and apache httpd

Ahmed Choudhry
The following is what is working for us with IdP 2.0, Apache 2.2 and
JBoss 4.2.2:

A few notes on this environment:
1. The behaviour of optional_no_ca is not the official version.  In
our installation, it seems to not require a verification chain up to a
trusted CA, but it does require some CA at least.  This may not be
standard behaviour.

2. The JAAS login configuration will need to be defined in the JBoss
server/conf login config.

3. With Shibboleth IdP 2.1+ and JBoss 4.2.3, a different string than
the logged in user id is being sent by the IdP for attribute
resolution.  In other words, requestContext.principalName is returning
a Java object string representation.  My team hasn't had time to
explore this yet.  It is probably due to JBoss using Role collections
in the principal.

4. For the backchannel, you can use the same AJP port on
JBoss-embedded Tomcat that you use for the main IdP application, with
tomcatAuthentication set to false.

Apache configuration for the backchannel:

# Backchannel vhost. The NameVirtualHost address must be the same
# address:port as the <VirtualHost> below (x.x.x.x is the IdP's public IP).
NameVirtualHost x.x.x.x:8443
<VirtualHost x.x.x.x:8443>
        ServerName x.x.x.x:8443
        ErrorLog /var/log/apache2/idp-backchannel-error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/idp-backchannel-access.log combined
        ServerSignature On

        <IfModule mod_ssl.c>
                SSLEngine On
                # Note: this list also admits +LOW, +SSLv2, +EXP and +eNULL
                # (null-encryption) suites; tighten it for a production IdP.
                SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
                SSLCertificateFile /opt/ssl/x-x-x-x.crt
                SSLCertificateKeyFile /opt/ssl/x-x-x-x.key
                SSLCertificateChainFile /opt/ssl/x-x-x-x.crt
                # Make sure you verify the behaviour of optional_no_ca for
                # your flavour of Apache (see note 1 above).
                SSLVerifyClient optional_no_ca
                # Hand the client certificate to the IdP (SSL_CLIENT_CERT)
                SSLOptions -StdEnvVars +ExportCertData
        </IfModule>
        <IfModule mod_proxy_ajp.c>
                ProxyRequests Off
                # AJP connector of the JBoss-embedded Tomcat, local only
                <Proxy ajp://localhost:8010>
                        Allow from all
                </Proxy>
                ProxyPass /idp ajp://localhost:8010/idp retry=5
        </IfModule>
</VirtualHost>

2009/1/9 Tore Halset <[hidden email]>:

> Hello.
>
> (newbie alert)
>
> I am installing a shibboleth 2 idp. We use JBoss application server behind a
> Apache httpd webserver. The connection between the apache httpd and the
> application server is ajp. The application server is not directly
> connectable from the internet, only via the apache httpd.
>
> I am reading the install-documentation on how to prepare jboss for shib idp.
> https://spaces.internet2.edu/display/SHIB2/IdPJBossTomcatPrepare
>
> Is it possible to set up Apache httpd to listen to 8443 using the idp
> certificate and forward the requests to JBoss using ajp? Any example on how
> to do that?
>
> Regards,
>  - Tore.
>
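The vhost above is easy to get subtly wrong: the NameVirtualHost and VirtualHost addresses drift apart, the cipher string quietly keeps null and export suites enabled, or a ProxyPass ends up pointing at an AJP port that is not loopback-only. The following POSIX shell lint is an added example, not code from Ahmed's post or from the Shibboleth project; SAMPLE_CONF is a constructed copy of the posted vhost (placeholders kept, AJP port 8010 as posted) so it runs offline against a file you never have to create.

```shell
#!/bin/sh
# Added example: lint an Apache 2.2 backchannel vhost of the shape posted in
# this thread. SAMPLE_CONF is constructed for the example (it mirrors the
# posted vhost, with the poster's x.x.x.x placeholders); nothing live is read.
SAMPLE_CONF='NameVirtualHost 10.10.10.10:8443
<VirtualHost x.x.x.x:8443>
        ServerName x.x.x.x:8443
        SSLEngine On
        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLVerifyClient optional_no_ca
        SSLOptions -StdEnvVars +ExportCertData
        ProxyPass /idp ajp://localhost:8010/idp retry=5
</VirtualHost>'

# directive_value CONF DIRECTIVE -> first value of DIRECTIVE
# (awk skips leading whitespace, so indented lines are found too)
directive_value() {
    printf '%s\n' "$1" | awk -v d="$2" '$1 == d { print $2; exit }'
}

# weak_cipher_tokens CIPHERSTRING -> the OpenSSL cipher-string tokens that
# enable null (eNULL), anonymous (aNULL/ADH), export (EXP), low-grade (LOW)
# or SSLv2 suites. A bare or "+"-prefixed token enables them; "!" and "-"
# tokens are exclusions and are not reported.
weak_cipher_tokens() {
    printf '%s\n' "$1" | tr ':' '\n' \
        | grep -E '^\+?(eNULL|aNULL|ADH|EXP|LOW|SSLv2)$' || true
}

# ajp_backend_local CONF -> 0 if every ProxyPass target is a loopback AJP
# URL, i.e. the application server is reachable only through httpd
ajp_backend_local() {
    remote=$(printf '%s\n' "$1" | awk '$1 == "ProxyPass" { print $3 }' \
        | grep -vE '^ajp://(localhost|127\.0\.0\.1)(:[0-9]+)?/' || true)
    [ -z "$remote" ]
}

# vhost_addr_matches CONF -> 0 if NameVirtualHost and <VirtualHost ...>
# name the same address:port (otherwise httpd treats the vhost as IP-based
# and warns at startup)
vhost_addr_matches() {
    nvh=$(directive_value "$1" NameVirtualHost)
    vh=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*<VirtualHost[[:space:]]*\([^>]*\)>.*/\1/p' \
        | head -n 1)
    [ -n "$nvh" ] && [ "$nvh" = "$vh" ]
}

# lint_conf CONF -> one finding per line on stdout; returns 0 when clean
lint_conf() {
    rc=0
    if ! vhost_addr_matches "$1"; then
        echo "NameVirtualHost and <VirtualHost> addresses differ"; rc=1
    fi
    weak=$(weak_cipher_tokens "$(directive_value "$1" SSLCipherSuite)")
    if [ -n "$weak" ]; then
        echo "SSLCipherSuite enables weak suites: $(printf '%s' "$weak" | tr '\n' ' ')"
        rc=1
    fi
    if [ "$(directive_value "$1" SSLVerifyClient)" = "optional_no_ca" ]; then
        # advisory only: the thread notes this value is build-dependent
        echo "SSLVerifyClient optional_no_ca: confirm its behaviour on your httpd build"
    fi
    if ! ajp_backend_local "$1"; then
        echo "ProxyPass points at a non-loopback AJP backend"; rc=1
    fi
    return $rc
}

lint_conf "$SAMPLE_CONF" || echo "lint: findings above need attention"
```

Run it as `sh lint.sh`; swap `SAMPLE_CONF` for `$(cat /etc/apache2/sites-enabled/idp-backchannel)` to check a real file. The cipher check deliberately reads the string token by token rather than calling `openssl ciphers`, so it flags what the configuration asks for regardless of which suites the local OpenSSL build happens to provide.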

Re: port 8443 and apache httpd

Tore Halset
Thanks Ahmed!

  - Tore.

On Jan 9, 2009, at 11:19 , Ahmed Choudhry wrote:

> The following is what is working for us with IdP 2.0, Apache 2.2 and
> JBoss 4.2.2:
>
> A few notes on this environment:
> 1. The behaviour of optional_no_ca is not the official version.  In
> our installation, it seems to not require a verification chain up to a
> trusted CA, but it does require some CA at least.  This may not be
> standard behaviour.
>
> 2. The JAAS login configuration will need to be defined in the JBoss
> server/conf login config.
>
> 3. With Shibboleth IdP 2.1+ and JBoss 4.2.3, a different string than
> the logged in user id is being sent by the IdP for attribute
> resolution.  In other words, requestContext.principalName is returning
> a Java object string representation.  My team hasn't had time to
> explore this yet.  It is probably due to JBoss using Role collections
> in the principal.
>
> 4. For the backchannel, you can use the same AJP port on
> JBoss-embedded Tomcat that you use for the main IdP application, with
> tomcatAuthentication set to false.
>
> Apache configuration for the backchannel:
>
> NameVirtualHost 10.10.10.10:8443
> <VirtualHost x.x.x.x:8443>
>         ServerName x.x.x.x:8443
>         ErrorLog /var/log/apache2/idp-backchannel-error.log
>
>         # Possible values include: debug, info, notice, warn, error, crit,
>         # alert, emerg.
>         LogLevel warn
>
>         CustomLog /var/log/apache2/idp-backchannel-access.log combined
>         ServerSignature On
>
> <IfModule mod_ssl.c>
>         SSLEngine On
>         SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>         SSLCertificateFile /opt/ssl/x-x-x-x.crt
>         SSLCertificateKeyFile /opt/ssl/x-x-x-x.key
>         SSLCertificateChainFile /opt/ssl/x-x-x-x.crt
>         SSLVerifyClient optional_no_ca  [make sure you verify behaviour for
> your flavour of Apache]
>         SSLOptions -StdEnvVars +ExportCertData
> </IfModule>
> <IfModule mod_proxy_ajp.c>
>         ProxyRequests Off
>         <Proxy ajp://localhost:8010>
>         Allow from all
>         </Proxy>
>         ProxyPass /idp ajp://localhost:8010/idp retry=5
> </IfModule>
> </VirtualHost>
>
> 2009/1/9 Tore Halset <[hidden email]>:
>> Hello.
>>
>> (newbie alert)
>>
>> I am installing a shibboleth 2 idp. We use JBoss application server behind a
>> Apache httpd webserver. The connection between the apache httpd and the
>> application server is ajp. The application server is not directly
>> connectable from the internet, only via the apache httpd.
>>
>> I am reading the install-documentation on how to prepare jboss for shib idp.
>> https://spaces.internet2.edu/display/SHIB2/IdPJBossTomcatPrepare
>>
>> Is it possible to set up Apache httpd to listen to 8443 using the idp
>> certificate and forward the requests to JBoss using ajp? Any example on how
>> to do that?
>>
>> Regards,
>> - Tore.
>>
>


Re: port 8443 and apache httpd

Peter Schober
* Tore Halset <[hidden email]> [2009-01-09 10:42]:
> Is it possible to set up Apache httpd to listen to 8443 using the idp  
> certificate and forward the requests to JBoss using ajp? Any example on
> how to do that?

https://spaces.internet2.edu/download/attachments/5557/shib2idpbeta-apache.conf?version=3

cheers,
-peter

--
[hidden email] - vienna university computer center
Universitaetsstrasse 7, A-1010 Wien, Austria/Europe
Tel. +43-1-4277-14155, Fax. +43-1-4277-9140