
...

  1. On RHEL platforms, edit /etc/sysconfig/tids to adjust the TIDS_SERVER_IP and TIDS_SERVER_NAME entries to suit your trust router information.
  2. On Debian platforms, edit /etc/default/trust_router (if necessary, create it) as follows:

    ipaddr="127.0.0.1"                          # IP address that the TIDS is reachable on
    hostname="trustrouter.host.name"            # The host name that the TIDS is known as
    gssname="trustrouter@apc.moonshot.ja.net"   # The GSS service name for the TIDS APC

    TIDS_USER="trustrouter"                     # The user that the TIDS is running as
    TIDS_GROUP="trustrouter"                    # The group that the TIDS is running as
  3. Enable the init script as per your operating system instructions, but do not start the server yet.
  4. Move /var/tmp/keys (if it exists) to /var/lib/trust_router/keys and set the user permissions on
  5. Change the ownership of /var/lib/trust_router/keys to user and group trustrouter, and set the permissions to 660.
  6. Add the user radiusd (on RHEL) or freerad (on Debian) to the trustrouter group.
  7. Add the user trustrouter to the radiusd (on RHEL) or freerad (on Debian) group.
  8. Start the TIDS service as per your operating system instructions.
  9. Verify that TIDS is running by executing ps ax | grep tids
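A post-install check for steps 4 to 7, as an added example that is not part of the Moonshot documentation: it verifies the owner, group and mode of the key directory and the two cross group memberships, using the user, group and path names given in the steps above. It assumes a Linux host with GNU coreutils (stat -c); run it with --run on the Trust Router host.

```shell
#!/bin/sh
# Post-install checks for steps 4 to 7: key directory ownership/mode and the
# cross group memberships. Added example, not part of the Moonshot docs.
# Assumes GNU coreutils (stat -c) on a Linux host.

# check_keys_dir DIR OWNER GROUP MODE: returns 0 only if all three match.
check_keys_dir() {
    dir=$1; want_owner=$2; want_group=$3; want_mode=$4
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir does not exist (keys not moved in step 4?)"
        return 1
    fi
    actual=$(stat -c '%U %G %a' "$dir") || return 1
    owner=${actual%% *}; rest=${actual#* }; group=${rest%% *}; mode=${rest#* }
    rc=0
    [ "$owner" = "$want_owner" ] || { echo "FAIL: $dir owner is $owner, expected $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "FAIL: $dir group is $group, expected $want_group"; rc=1; }
    [ "$mode" = "$want_mode" ]   || { echo "FAIL: $dir mode is $mode, expected $want_mode"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $dir is $owner:$group mode $mode"
    return "$rc"
}

# check_group_member USER GROUP: returns 0 if USER's groups include GROUP.
check_group_member() {
    user=$1; group=$2
    case " $(id -Gn "$user" 2>/dev/null) " in
        *" $group "*) echo "OK: $user is in group $group"; return 0 ;;
        *) echo "FAIL: $user is not in group $group"; return 1 ;;
    esac
}

# With --run, apply the checks from the steps above (RADIUS user differs per OS).
if [ "${1:-}" = "--run" ]; then
    if id freerad >/dev/null 2>&1; then rad=freerad; else rad=radiusd; fi
    check_keys_dir /var/lib/trust_router/keys trustrouter trustrouter 660
    check_group_member "$rad" trustrouter    # step 6
    check_group_member trustrouter "$rad"    # step 7
fi
```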

...

  1. Delete /etc/raddb/sites-enabled/chbind and /etc/raddb/sites-enabled/tls
  2. Delete /etc/raddb/mods-enabled/psk
  3. Edit /etc/sites-available/abfab-tr-idp and comment out the psk_authorize line in the authorize section. This will no longer be necessary once all pilot sites have upgraded to the same minimum version of FreeRADIUS that supports channel bindings.
  4. On the Moonshot IdP only, transfer the SAML assertion (as created per the Issue SAML Assertions section) from the post-auth section in /etc/raddb/sites-available/default into the post-auth section of /etc/raddb/sites-available/abfab-tr-idp, or create a custom policy in /etc/raddb/policy.d that you can call from both post-auth sections.
  5. Start the server. It should start OK and continue to function as normal.

...