...

Upgrading Trust Router:

Upgrade the trust router package as per your operating system instructions:

...

Adjust the TIDS_SERVER_IP and TIDS_SERVER_NAME entries to suit your trust router host information.

Enable the init script as per your operating system instructions, but do not start the server yet. 

...

  1. Change to the /etc/raddb/sites-enabled directory.

  2. Check that the channel_bindings, abfab-tls and abfab-tr-idp symbolic links exist. If they do not, create them:

    $ ln -s ../sites-available/channel_bindings
    $ ln -s ../sites-available/abfab-tls
    $ ln -s ../sites-available/abfab-tr-idp
  3. Delete the obsolete chbind and tls symbolic links.

  4. Change to the /etc/raddb/mods-enabled directory.
  5. Check that the abfab_psk_sql symbolic link exists. If it does not, create it:

    $ ln -s ../mods-available/abfab_psk_sql
  6. Delete the obsolete psk symbolic link.
  7. Check that the realm suffix entries in the realm file are as they were before the upgrade:

    realm suffix {
      format = suffix
      delimiter = "@"
      default_community = "apc.moonshot.ja.net"
      rp_realm = "your service realm as registered with the Janet Moonshot Community Portal"
      trust_router = "tr1.moonshot.ja.net"
    }
  8. Change to the /etc/raddb/sites-available directory.
  9. Open the file abfab-tls for editing, then update the client default stanza at the bottom of the file to match the following:

    client default {
            ipaddr = 0.0.0.0/0
            proto = tls
            gss_acceptor_realm_name = "your service realm as registered with the Janet Moonshot Community Portal"
            trust_router_coi = apc.moonshot.ja.net
    }

    If you have any other client definitions here, please also update these.

  10. On the Moonshot IdP only, open the file abfab-tr-idp for editing, then transfer the SAML assertion (as created per the Issue SAML Assertions section) from the /etc/raddb/sites-available/default file into the post-auth section.

    Info
    Alternatively, you can create a policy in /etc/raddb/policy.d that you can call from the post-auth sections of the abfab-tr-idp and default files. To see how to do this, visit the Issuing SAML Assertions hard-coded in the RADIUS Server page.
  11. Open the file /etc/raddb/proxy.conf for editing and check that the proxy server section contains the following keyword:

     dynamic = yes 
  12. If it does not, insert it at either the top or the bottom of the section.

  13. Start the server. It should start without errors and continue to function as normal.

    Warning

    Before starting the server, ensure that SELinux is switched into Permissive mode!
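
The link and proxy.conf checks from steps 2, 3, 5, 6, 11 and 12 can be run as one audit before the server is started. The script below is an added example, not part of the original Moonshot documentation; the function name check_raddb_upgrade and its FAIL output format are assumptions made for illustration.

```bash
# Added example (not from the Moonshot documentation): audit a raddb tree
# against the upgrade steps above.
# Prints one FAIL line per problem; returns 0 when clean, 1 otherwise.
check_raddb_upgrade() {
    raddb="${1:-/etc/raddb}"   # directory used throughout this page
    findings=0

    # Steps 2 and 5: links that must exist and resolve to a real file.
    for link in sites-enabled/channel_bindings sites-enabled/abfab-tls \
                sites-enabled/abfab-tr-idp mods-enabled/abfab_psk_sql; do
        if [ ! -L "$raddb/$link" ]; then
            echo "FAIL: $link is missing or is not a symbolic link"
            findings=$((findings + 1))
        elif [ ! -e "$raddb/$link" ]; then
            echo "FAIL: $link is a dangling symbolic link"
            findings=$((findings + 1))
        fi
    done

    # Steps 3 and 6: obsolete links that must be gone.
    # -L is tested as well because -e is false for a dangling link.
    for link in sites-enabled/chbind sites-enabled/tls mods-enabled/psk; do
        if [ -L "$raddb/$link" ] || [ -e "$raddb/$link" ]; then
            echo "FAIL: obsolete $link is still present"
            findings=$((findings + 1))
        fi
    done

    # Steps 11 and 12: an uncommented "dynamic = yes" inside "proxy server { }".
    if ! sed -n '/^[[:space:]]*proxy[[:space:]][[:space:]]*server[[:space:]]*{/,/^[[:space:]]*}/p' \
            "$raddb/proxy.conf" 2>/dev/null |
         grep -Eq '^[[:space:]]*dynamic[[:space:]]*=[[:space:]]*yes([[:space:]]|#|$)'; then
        echo "FAIL: proxy.conf: no active 'dynamic = yes' in the proxy server section"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}
```

Source the file and call `check_raddb_upgrade /etc/raddb`; a non-zero return means at least one step still needs attention.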

...