Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

This article is

...

This article intended for JANET and GÉANT pilot participants, and it describes the upgrade from Trust Router 1v1.2 or 1v1.3 and FreeRADIUS 3v3.0.1 -3and v3.0.3, as there are some significant changes within FreeRADIUS.

Step-by-step guide

Upgrading Trust Router:

Upgrade the trust router as per your operating system instructions:

  1. On RHEL platforms, run yum update trust_router trust_router-libs
  2. On Debian platforms, run apt-get install moonshot-trust-router

 

Trust Router now ships with a System V init script. 

...

Code Block
languagebash
ipaddr="[your TIDS host IP address]"		# IP address that the TIDS is reachable on
hostname="[your TIDS host name]"			# The host name that the TIDS is known as
gssname="trustrouter@apc.moonshot.ja.net"	# The GSS service name for the TIDS APC
 
TIDS_USER="trustrouter"					# The user that the TIDS is running as
TIDS_GROUP="trustrouter"					# The group that the TIDS is running as 

...

 

The SQLite database that contains the trust router keys has moved and changed:

  1. If /var/lib/trust_router/keys exists after the upgrade and you did not originally create it there, you should not need to do anything and you can skip the remainder of these steps.
  2. If /var/lib/trust_router/keys exists after the upgrade and you did create it there, delete it, then follow step 3.
  3. If /var/lib/trust_router/keys does not exist after the upgrade, create it manually: 

    Code Block
    languagebash
    # sqlite3 </usr/share/trust_router/schema.sql /var/lib/trust_router/keys
    # chown trustrouter:trustrouter /var/lib/trust_router/keys
    # chmod 660 /var/lib/trust_router/keys
  4. Delete any old, obsolete copies of the keys database.

 

The user trustrouter must be able to read some information from directories owned by the FreeRADIUS user and group (radiusd on RHEL, freerad on Debian), notably the FreeRADIUS certificates. 

  1. Run the id trustrouter command. 
  2. If you can see the FreeRADIUS group in the groups= list in the output, you do not need to do anything.
  3. If you cannot see the FreeRADIUS group in the groups= list in the output, run the below command:

    Code Block
    $ usermod -a -G [FreeRADIUS group] trustrouter
    $ id trustrouter
  4. Verify that the FreeRADIUS group is now in the groups= list in the output. 

 

Start the TIDS service as per your operating system instructions, then check its log to ensure there were no errors during startup.

Upgrading FreeRADIUS:

Upgrade FreeRADIUS as per your operating system instructions:

  1. On RHEL platforms, run yum update freeradius
  2. On Debian platforms, run apt-get install freeradius freeradius-config
  3. Repeat the command for any other FreeRADIUS modules that you use in your installation, such as the LDAP, KRB5 and SQLite modules.
  4. Install the freeradius-abfab module; it will do much of the reconfiguration (such as enabling the sites and modules used by Moonshot, as well as creating and configuring users).
  5. Do not start the server.

 

The FreeRADIUS user (radiusd on RHEL, freerad on Debian) must be able to read some information from directories owned by the trustrouter user and group, notably the SQLite database in /var/lib/trust_router

  1. Run the id [FreeRADIUS user] command. 
  2. If you can see the trustrouter group in the groups= list in the output, you do not need to do anything.
  3. If you cannot see the trustrouter group in the groups= list in the output, run the below command:

    Code Block
    $ usermod -a -G trustrouter [FreeRADIUS user]
    $ id [FreeRADIUS user]
  4. Verify that the trustrouter group is now in the groups= list in the output. 

 

Several items in FreeRADIUS have been superceded:

Note
In the below instructions, /etc/raddb will be equivalent to /etc/freeradius on Debian platforms.
  1. Check that the /etc/raddb/sites-enabled/channel_bindings, /etc/raddb/sites-enabled/abfab-tr-idp, and /etc/raddb/sites-enabled/abfab-tls symbolic links exist. If they do not, create them:

    Code Block
    languagebash
    $ cd /etc/raddb/sites-enabled
    $ ln -s ../sites-available/channel_bindings
    $ ln -s ../sites-available/abfab-tls
    $ ln -s ../sites-available/abfab-tr-idp
  2. Delete the /etc/raddb/sites-enabled/chbind and /etc/raddb/sites-enabled/tls symbolic links.
  3. Check that the /etc/raddb/mods-enabled/abfab_psk_sql symbolic link exists. If it does not, create it:

    Code Block
    languagebash
    $ cd /etc/raddb/sites-enabled
    $ ln -s ../mods-available/abfab_psk_sql
  4. Delete the /etc/raddb/mods-enabled/psk symbolic link.
  5. Open the file /etc/sites-available/abfab-tr-idp for editing and comment out the psk_authorize line in the authorize section.

    Note
    This step will not be necessary once all sites have upgraded to the same minimum version of FreeRADIUS that supports channel bindings.
  6. On the Moonshot IdP only, transfer the SAML assertion (as created per the Issue SAML Assertions section) from the post-auth section in /etc/raddb/sites-available/default into the post-auth section of /etc/raddb/sites-available/abfab-tr-idp, or create a custom policy in /etc/raddb/policy.d that you can call from both post-auth sections. To see how to do this, visit the Hard-coded in the RADIUS Server page.
  7. Open the file /etc/raddb/proxy.conf for editing and check that the proxy server section contains the below keyword:

    Code Block
     dynamic = yes 

    If it does not, either insert it at the top or the bottom of the section.

  8. Check that the realm suffix entries in /etc/raddb/mods-available/realm are as they were before the upgrade:

    Code Block
    linenumberstrue
    realm suffix {
      format = suffix
      delimiter = "@"
      default_community = "apc.moonshot.ja.net"
      rp_realm = "hostname of your IdP as registered with the Janet Moonshot Community Portal"
      trust_router = "tr1.moonshot.ja.net"
    }
  9. Start the server. It should start ok and continue to function as normal.

    Warning

    On RHEL/CentOS/SL systems, please ensure that SELinux is switched into Permissive mode!

Content by Label
showLabelsfalse
max5
spacesWikiDev
sortmodified
showSpacefalse
reversetrue
typepage
labelsfreeradius trustrouter kb-how-to-article upgrade

 

These instructions apply to both Identity Providers and Relying Party Proxies.

Linux