Hunterjewelry107

Skip to end of metadataGo to start of metadata

Next, we’re going to install an SSL certificate on CentOS. Install an SSL certificate on CentOS. Using the method below, you can install an SSL certificate on CentOS 7 & 6. Download the primary and intermediate certificates that you’ve received from your SSL provider; Copy your SSL files to your Apache server. To install the packages required, simply run as root: # yum install httpd modssl -y If the server already have httpd installed, you only need to install modssl, all the required configuration is done by the installer. Note however that in this case you need to restart httpd, so it can load the ssl module. Install A2enmod Redhat. 0 Comments Read Now. Comments placed here should be directed to suggestions to improve the documentation or the server and can be removed. PHP zlib and sockets are part of php-common. Install php-gd and php-common. Yum install php php-gd php-common to enable sockets find the PHP configuration directory and run the following commands in the terminal./configure -enable-sockets make && make install Apache rewrite module allows URL rewriting. It's enabled by Default in Centos 7. Install A2enmod Redhat. When installing Apache and PHP under Ubuntu 14.04, I needed to specifically enable php configs by issuing a2enmod php5-cgi. Davidgo davidgo.

This document describes the procedure used to install Shibboleth Service Provider (SP) software on Centos, RedHat and to configure it to work with the Cornell Shibboleth Identity Provider (IdP).

Prerequisites

• Apache must be installed and your website have an SSL certificate installed and SSL enabled. To request a SSL certificate: https://it.cornell.edu/ssl/renew-or-request-ssl-certificate.
• Shibboleth doesn't support http access. If http access is supported on your site, define a redirect rule in Apache configuration that route http traffic to https.
• Make sure your server time is accurate.
• Your server has user shibd available.
  

Installation

If you are on a CIT Managed Server, please check this document: https://sysdocs.cit.cornell.edu/Documentation/LinuxShibbolethRepository

Otherwise, Install using RPM: https://wiki.shibboleth.net/confluence/display/SP3/RPMInstall

1. Visit https://shibboleth.net/downloads/service-provider/RPMS/, choose your platform, then click Generate
2. Copy generated content to /etc/yum.repos.d/shibboleth.repo
3. sudo yum install shibboleth.x86_64 ( 64 bit OS )
   sudo yum installshibboleth (32 bit OS )

Make sure you are running Ubuntu version 20.04 or above. Otherwise you may have SP 2 instead of SP 3 installed. SP 2 is no longer supported.

sudo apt-get update

sudo apt-get install libapache2-mod-shib2

sudo a2enmod shib

Configuration - Shibboleth SP

After installation Shibboleth configuration files are placed at /etc/shibboleth/. Necessary Apache configuration in /etc/httpd/conf.d/shib.conf(Centos/Redhat), /etc/apache2/conf-available/shib2.conf (Ubuntu). Make sure shib.conf is included in your Apache configuration file. If you are converting CUWebAuth to Shibboleth on a production server, make sure you set 'ShibCompatValidUser' to 'On' in shib.conf to avoid interruption to your website's CUWebAuth authentication. Set it back to 'Off' after you finish the conversion.

Download our sample attribute-map.xmland replace your /etc/shibboleth/attribute-map.xml with downloaded file. Our attribute-map.xml defines all commonly used attributes.

All attributes except groups defined in attribute-map.xml are released by default to all SP. Attribute 'groups' is released on demand. Please specify your group names in Shibboleth Integration Request form. Shibboleth IDP doesn't support nested groups( for example group B is a member of group A, user C is a member of group B, IDP doesn't know user C is a member of group A) . If you have to use nested group, you need to convert nested group to dynamic group.

Download our sample shibboleth2.xml and replace your /etc/shibboleth/shibboleth2.xml with downloaded file. Open shibboleth2.xml in a text editor.

• Update SP entityID:

Search <ApplicationDefaults entityID='https://mysite.cit.cornell.edu/shibboleth'... >. EntityID is the Unique identifier for your SP. Cornell Shibboleth Identity Provider(IDP) provides service to many applications. This entityID will help Cornell IDP to identify your SP. We recommend you follow shibboleth convention named it 'https://xxx/shibboleth'. It's better not include space or special characters in it( / and : are fine). One SP can server multiple sites in your Apache so it doesnotnecessarily equate to the hostname(s) at which your service runs.

• Update SP session:
  Search <Sessions lifetime='28800' timeout='3600' ...>

--- lifetime is the maximum duration in seconds that a session maintained by the SP will be valid.The settings shown in the example will set your Shibboleth session lifetime to 28800 (8 hours).

--- timeout is the maximum inactivity allowed between requests in a session maintained by the SP. The settings shown in the example will set your Shibboleth session timeout to 3600 (1 hour).

--- postData='ss:mem' postTemplate='postTemplate.html'

Add it to <Session ..> if your website has web form. Web form POST data will be saved in the Shibboleth memory cache rather than discarded when a user requires authentication after filling out a web form. 'postTemplate.html' is located in /etc/shibboleth directory. Modify it to meet your website's style.

More information: https://wiki.shibboleth.net/confluence/display/SP3/Sessions

• Update the support contact:

Search<ErrorssupportContact='root@localhost' helpLocation='/about.html'styleSheet='/shibboleth-sp/main.css' />. Change the email address to your application's support email address. Change the helpLocation to your application's help page.

If Shibboleth is installed via RPM, signing/encryption key and certificate files are generated automatically. Check if you have sp-signing-cert.pem, sp-signing-key.pem, sp-encrypt-key.pem, sp-encrypt-cert.pem in /etc/shibboleth directory. If they are not there, generate them.

Shibboleth Configuration Check

In the command line, execute the following command to see whether the Shibboleth Service Provider can load the default configuration:

sudo LD_LIBRARY_PATH=/opt/shibboleth/lib64 shibd -t

The last line of the output should read:

overall configuration is loadable, check consolefornon-fatal problems

If there are any ERROR log entries, we strongly recommend you resolve these. Messages with log level WARN are generally not problematic but you should understand the causes of these warning messages and run the configuration check again when you are finished with your setup.

Logs for Shibboleth SP are located at /var/log/shibboleth/. Take a look at /var/log/shibboleth/shibd_warn.log and make sure there is no error in there. You need to fix error if there is any and restart shibd and httpd.

Start Shibboleth Service Provider and Apache

shibd is installed to /usr/sbin and may be managed using service and chkconfig (on System V platforms) or with systemctl (on systemd platforms, some additional information available).

On Centos 7, you can start shibd and apache by running

sudo systemctl start shibd

sudo systemctl start httpd

After you run the command, make sure shibd and httpd are running.

Register Service Provider with Cornell IDP

Navigate to https://yoursiteDomain/Shibboleth.sso/Metadata and download it.Open your downloaded file with text editor. Some browser doesn't show metadata correctly in the browser. DO NOT copy the content in the browser. Make sure the entityID is the same as your defined in shibboleth2.xml. If there are multiple sites in Apache require Shibboleth authentication, you can get SP's metadata by navigating to one of the site, then you need to manually add assertion consumer service url for each of the other sites in your SP's metadata.

Submit your shibboleth integration request from https://shibrequest.cit.cornell.edu. On the second page of the request form, select 'No' for question 'Has the application service provider's metadata been published with InCommon?'. Use text editor open your SP's metadata, copy the content of the metadata and paste it in the 'Service Provider's metadata field. Once the form is submitted, Identity Management team get a Remedy case. We'll configure your SP in IDP in 1 - 2 business day. We'll notify you when the configuration is complete.

Configuration - Apache Access control

After you are notified that your metadata has been integrated in Cornell IDP, you can continue your configuration.

Open /etc/httpd/conf.d/shib.conf in a text editor. If you are Not using default Apache installation, make sure this file is included in your Apache config. All the authorization rules should be defined in this file.

Addition configuration information can be found at https://wiki.shibboleth.net/confluence/display/SP3/Apache

After you finish the configuration, restart Apache.

Test SP integration with IdP

Confirm you are able to log in with your netID and user's attributes are properly released. To verify attribute release, in shibboleth2.xml, you need to set showAttributeValues to true and restart shibd, httpd.

<Handler type='Session' Location='/Session' showAttributeValues='true'/>

1. Using a web browser, visit the /secure directory (or other protected location) of your SP.
2. If you are prompted to log in, that means that your SP is properly integrated with Cornell IdP.
3. After you log in, open a new tab of the same browser and point your web browser to https://<your dns name>/Shibboleth.sso/Session. Your browser should return a status page that show you all the attributes and values released to your SP.

Auto start shibd after server reboot

sudo systemctl enable shibd

Retrieve Shibboleth Attributes in Application

By default, Shibboleth attributes that released to your shibboleth SP are available to your application as environment variables, not available in HTTP headers. In your application, you should get authenticated user's netID from server variable REMOTE_USER.

Detail and examples about attribute access.

If you have tomcat in your environment, since environment variables are not passed by mod_proxy_ajp unless they have AJP_ prefixes, you'll need to add attributePrefix='AJP_' to the <ApplicationDefaults> element in your configuration:

Need Help?

contact idmgmt@cornell.edu

This page describes how to install a brat server and its third-partydependencies.

(If you already have a running server, you may wish to read about annotation configuration next.)

Please note: you do not need to install brat to try it out;brat runs in your browser and a live demo system usable with anysupported browser islinked form the brat home page.

If you wish to set up your own local brat installation for yourannotation project, please follow the instructions below.

Table of contents

Quick start

The following brief technical instructions present a quick minimal wayto set up the brat server. If you are not sure if your setup fills thetechnical requirements, please skip this section and read the detailedinstructions below.

The brat server is aPython(version 2.5+) program that runs by default as aCGIapplication, and the installation script assumes a UNIX-likeenvironment. If you are setting up brat server in a compatibleenvironment with an existing web server that supports CGI, the quickstart instructions for using CGI should work.If you don’t have aweb server installed and want to try brat out locally, you may wanttry out the quick start instructions for thestandalone server. (For securityreasons, we strongly recommend serving brat via a full web server suchas Apache in production environments.)

First, download a brat package from the brat home page.

Then, unpack the package (e.g. in the public_html subdirectory ofyour home directory)

Next, enter the created brat directory

The next step depends on whether you intend to run brat in a CGIenvironment or as a standalone server.

Quick start installation: using CGI

Run the installation script

and follow the instructions. You will be prompted for the followinginformation:

• brat username (e.g. “editor”)
• brat password (for the given user, e.g. “annotate”)
• administrator contact email (e.g. “admin@example.com”)

Finally, if you are not running the installation as superuser, thescript will prompt you for the sudo password. (This is necessary toassign write permissions to the work and data directories to theweb server.)

If this works, the brat installation is complete. Now that brat is installedyou will have to install and configure a CGI-capable web server if one is notalready available on your system. You then only need to make sure that yourweb server permits CGI for the brat directory (see the Apache 2.x sectionbelow for instructions).

Quick start installation: standalone server

First, please note the following:

• The brat standalone server only is available in brat v1.3 and above.
• The standalone server is experimental and should not be used for sensitive data or systems accessible from the internet.

Run the installation script in “unprivileged” mode

and follow the instructions (as above). Then, start the standaloneserver

You should then be able to access the brat server from the addressprinted out by standalone.py. For more detail, see thestandalone server instructionsbelow.

Quick start: next steps

After initial installation, you may want to set up some data of yourown in your brat installation. For this, look in the Placing Datasection below.

If you want to add additional users, you can edit the config.pyfile, which contains further instructions.

If you feel that your installation requires a more fine-tunedconfiguration, please see the section Manual Installation below.

If you encountered any issues with these quick start instructions,read on for detailed instructions. You may also wish to check thetroubleshooting page.

Detailed Instructions

Preliminaries

The brat server is implemented in Python, and requires version 2.5 (orhigher in the 2.x series) of python to run. If you do not currentlyhave python installed, we recommend installing the most recent versionof python in the 2.x series from python.org.

In its standard setup, brat is a served through a web server.If you are installing brat server on a machine that is not currently running a web server, you should consider starting by installing one. brat is currently developed againstApache 2.x, and we recommend using Apache.

For serving brat via a web server,These instructions primarily assume Apache, but we do have alsoLigHTTPD configuration files in the repository if you prefer thisalternative, and any CGI-capable web server can be configured to runthe brat server.

Alternatively, you may wish to consider running brat using theexperimental standalone server included in version 1.3 and above.In this case, no web server is required.

Finally, these installation instructions and parts of the brat serverassume a UNIX-like environment. These instructions should work withoutchanges on most linux distributions. If you are running OS X (mac),please note a couple of OS X-specific points in the instructions below.If you are running windows, the easiest way to run a brat server is in a virtual machinerunning a UNIX-like operating system such asUbuntu.

Manual Installation

First, download a brat package from the brat home page.

Then, unpack the package

(where VERSION is the version string, like “v1.1_Albatross”).Next, enter the created brat directory

Setting up working directories

The brat server needs to read and write data to several directories.Let’s create them:

We now need to set the permissions of the directories so that they canbe read and written by the web server. We recommend doing this byassigning the directories to the apache group and setting grouppermissions. To do this, you will need to know the apache group. Thefollowing script is provided for convenience for determining this

(if this doesn’t work, see the “Finding Your Apache 2 Group” sectionof this document).

Then simply change the group of the directories (replace${YOUR_APACHE_GROUP} with the output you got above) and set thecorrect permissions:

A2enmod Not Found

If you can’t succeed with the above or you are not concerned withsecurity (say that it is a single-user system), you can run thecommand below instead. This will make the directories write-able andread-able by every user on your system. (This is not necessary if thecommand above succeeded.)

Setting up dependencies

brat uses JSON for client-servercommunication. As JSON support is not included in all supportedversions of python, you may need to set up a JSON library.

First, you can determine the version of python you are running with

if your python version is 2.5 or lower, you will need to installan external JSON library. As of v1.2, brat supports twoJSON libraries, UltraJSONand simplejson. You onlyneed to set up one of these, and UltraJSON is recommended as itis considerably faster.

To install UltraJSON, run the following in the brat root directory:

If this fails, or you prefer simplejson, install simplejson as

No other library setup is required for standard brat operation.

(if you require Japanese tokenization support, please set upMeCab,included in the external/ directory.)

brat server configuration

The overall configuration of the brat server is controlled byconfig.py in the brat root directory. This configuration file isautomatically created when running install.sh, but can be set upmanually as follows:

Put a configuration template in place:

cp config_template.py config.py

Edit the configuration to suit your environment using your favoritetext editor, e.g.

Detailed instructions for setup are contained in the configurationfile itself.

brat standalone server

As of version 1.3, brat includes an experimental standalone server.This is an alternative for running the brat server that doesn’trequire a separate web server such as Apache, and can be substantiallyfaster, reducing server response times by 90% in some cases.

However, the standalone server is not currently security-hardened oras comprehensively tested as the rest of brat. For these reason, westrongly recommend serving brat via a full web server such as Apachein production environments, projects involving sensitive data, andon systems accessible from the internet.

On a standard installation, the brat standalone server can typicallybe run simply as

(this command will prompt for your password.)

In more detail: to run the standalone server, you need to execute thescript standalone.py in the brat directory. This script should havewrite permissing to the working directories (normally work/ anddata/). If you have set these directories up using install.sh orper the instructions in the section onworking directories,they should be writable by the Apache user (if one exists). Theabove attempts to determine the username for Apache(./apache-user.sh), and then run standalone.py as this user(sudo -u).

If you do not have Apache installed, you may instead run thestandalone server with

where USER is any user with write permissions to the brat workand data directories.

Placing Data

Your installation should now be ready, just place your data in thedata directory and make sure it has the right permissions usingchmod as you did above.

You can either place your data files directly in the data directory,or create arbitraty directory structure under data. We recommendcreating a subdirectory into data for each (version of a) corpus youare working on.

Brat stores its data in a standoff format, using twofiles for each document: a .txt file containing the document text(UTF-8 encoding), and a .ann file containing the annotations. Tostart a new annotation project, you can simply place the .txt filesin the desired location and create an empty .ann file correspondingto each .txt. After copying the .txt files in the data directory,the .ann files can be created as follows:

(Remember also to set write permissions for these files.)

You can now access your brat installation by retrieving the brat directory orindex.xhtml file from your web server using asupported web browser.

Third-party components

This part largely focuses on Ubuntu, but the instructions should bereadily applicable to other *NIX-based systems.

Apache 2.x

brat supports FastCGI which can speed up yourinstallation by roughly x10 since you won’t have to invoke the Pythoninterpreter for every request. If you want to use FastCGI as opposed to CGIkeep an eye out for configuration comments regarding it.

For FastCGI you need the flup Python library:

Enable Apache Modules In CentOS By Command Line

Install Apache 2.x if you don’t have it already:

From here, the setup process is different for OS X and for otherUNIX-like systems such as linux. Please check the section relevant toyour system below.

Apache setup on UNIX-like systems other than OS X

Next, let’s edit httpd.conf:

If you are installing brat into the public_html subdirectory of your homedirectory, add the following lines:

If you are not installing into public_html in your home directory, adjust the above (in particular the line <Directory /home/*/public_html>) accordingly. If you installed into public_html in your homedirectory, make sure that you have the userdir module enabled:

For FastCGI you also want to install its module and then add it and therewrite module that we use to redirect the CGI requests to FastCGI:

The final FastCGI step is detailed in .htaccess in the brat installationdirectory, which involves uncommenting and configuring the rewrite module.

Finally tell Apache 2.x to load your new configuration.

Apache setup on OS X

Next, let’s edit the apache httpd.conf:

where USER is your username.

If you are installing brat into the Sites directory in your homedirectory, make sure the following is included:

where USER is again your username.

Finally, restart apache

(For FastCGI, we’re currenly trying to determine a configuration thatworks on OS X and will provide instructions once we have one.)

Finding Your Apache 2 Group

Ideally you should set all permissions as needed for the Apache 2 group, butfinding it can be painful.

Find out what the Apache group name is, it is usually apache or www-data;it can be found in apache2.conf or httpd.conf under /etc/apache2/ or/etc/httpd/. Let’s assume it’s www-data. Then:

Actually, due to the joy of Linux segmentation you can find the groupelsewhere as well. Here is a small heuristic that works on at least twoLinux distributions:

If what you get from this looks funky (like a variable), say with a leading $, try this:

If this doesn’t work either dive into /etc/group and hope that you can findsomething that at least looks like apache or www-data:

Back-ups

There is a script that you can use with good old cron.Do as follows.

Chapter 2. The Apache HTTP Server Red Hat Enterprise Linux 6 ...

Add a line like the one below to the crontab for your Apache user:

VirtualBox Guest Addition Installation

You will now have a back-up made into your work directory every morning atfive o’clock.