This article is aimed at Moonshot Pilot Users who were at the February 2014 Janet or June 2014 GÉANT workshops.

This article describes the upgrade from Trust Router 1.2 or 1.3 and FreeRADIUS 3.0.1-3.0.3, as there are some significant changes within FreeRADIUS.

Step-by-step guide

Upgrading Trust Router:

Upgrade the trust router as per your operating system instructions:

  1. On RHEL platforms, run yum update trust_router trust_router-libs
  2. On Debian platforms, run apt-get install moonshot-trust-router


Trust Router now ships with a System V init script. 

  1. On RHEL platforms, edit /etc/sysconfig/tids to adjust the TIDS_SERVER_IP and TIDS_SERVER_NAME entries to suit your trust router information.
  2. On Debian platforms, edit /etc/default/trust_router (if necessary, create it) as follows:

    ipaddr=""                   # IP address that the TIDS is reachable on
    hostname=""                 # The host name that the TIDS is known as
    gssname=""                  # The GSS service name for the TIDS APC
    TIDS_USER="trustrouter"     # The user that the TIDS is running as
    TIDS_GROUP="trustrouter"    # The group that the TIDS is running as

  3. Enable the init script as per your operating system instructions, but do not start the server yet.
  4. Move /var/tmp/keys (if it exists) to /var/lib/trust_router/keys
  5. Change ownership of /var/lib/trust_router/keys to both user and group trustrouter, and set the user permissions to 660
  6. Add the user radiusd (on RHEL) or freerad (on Debian) to the trustrouter group.
  7. Add the user trustrouter to the radiusd (on RHEL) or freerad (on Debian) group.
  8. Start the TIDS service as per your operating system instructions. 
  9. Verify that you can see TIDS running by executing ps ax |grep tids

Upgrading FreeRADIUS:

Upgrade FreeRADIUS as per your operating system instructions:

  1. On RHEL platforms, run yum update freeradius
  2. On Debian platforms, run apt-get install freeradius
  3. Repeat the command for any other FreeRADIUS modules that you use in your installation, such as the LDAP, KRB5 and SQLite modules, and install the ABFAB module to enable the trust router IDP and RP proxy.
  4. Install the freeradius-abfab module; it will do much of the reconfiguration (such as enabling the sites and modules used by Moonshot, as well as creating and configuring users).
  5. Do not start the server.



Several items in FreeRADIUS have been superseded:

In the instructions below, /etc/raddb is equivalent to /etc/freeradius on Debian platforms.
  1. Delete the /etc/raddb/sites-enabled/chbind and /etc/raddb/sites-enabled/tls symbolic links.
  2. Delete the /etc/raddb/mods-enabled/psk symbolic link.
  3. Edit /etc/raddb/sites-available/abfab-tr-idp and comment out the psk_authorize line in the authorize section. This will no longer be necessary once all sites have upgraded to the same minimum version of FreeRADIUS that supports channel bindings.
  4. On the Moonshot IdP only, transfer the SAML assertion (as created per the Issue SAML Assertions section) from the post-auth section in /etc/raddb/sites-available/default into the post-auth section of /etc/raddb/sites-available/abfab-tr-idp (or create a custom policy in /etc/raddb/policy.d that you can call from both post-auth sections).
  5. Start the server. It should start OK and continue to function as normal.
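
A post-upgrade check for the key store, group membership and superseded FreeRADIUS items described above, as an added example that is not part of the original article or of the Moonshot packages. It assumes GNU stat and id; the function names and the script name audit.sh are hypothetical.

```shell
#!/bin/sh
# Post-upgrade audit for the Trust Router / FreeRADIUS steps (added example).
# Assumes GNU stat and id, as shipped on RHEL and Debian.

# check_keys FILE OWNER:GROUP -> 0 if FILE has that owner/group and mode 660
check_keys() {
    [ -e "$1" ] || { echo "FAIL: $1 missing"; return 1; }
    [ "$(stat -c '%U:%G' "$1")" = "$2" ] || { echo "FAIL: $1 not owned by $2"; return 1; }
    [ "$(stat -c '%a' "$1")" = "660" ] || { echo "FAIL: $1 mode is not 660"; return 1; }
}

# in_group USER GROUP -> 0 if USER is a member of GROUP
in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -Fqx "$2"
}

# stale_links RADDB -> prints superseded links still present; 0 if none
stale_links() {
    stale=0
    for l in sites-enabled/chbind sites-enabled/tls mods-enabled/psk; do
        # -L also catches a dangling symlink, which -e alone would miss
        if [ -e "$1/$l" ] || [ -L "$1/$l" ]; then
            echo "FAIL: $1/$l still present"; stale=1
        fi
    done
    return $stale
}

# psk_disabled FILE -> 0 if no uncommented psk_authorize line remains
psk_disabled() {
    ! grep -Eq '^[[:space:]]*psk_authorize' "$1"
}

# audit RADDB RADIUS_USER -> run every check against the live system
audit() {
    rc=0
    check_keys /var/lib/trust_router/keys trustrouter:trustrouter || rc=1
    in_group "$2" trustrouter || { echo "FAIL: $2 not in trustrouter"; rc=1; }
    in_group trustrouter "$2" || { echo "FAIL: trustrouter not in $2"; rc=1; }
    stale_links "$1" || rc=1
    psk_disabled "$1/sites-available/abfab-tr-idp" || { echo "FAIL: psk_authorize active"; rc=1; }
    return $rc
}

# RHEL: sh audit.sh /etc/raddb radiusd   Debian: sh audit.sh /etc/freeradius freerad
if [ "$#" -eq 2 ]; then audit "$1" "$2"; fi
```

Run it as root after the final step; a non-zero exit status means at least one FAIL line was printed.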
