On this page you will find instructions on how to install the Moonshot libraries on a RHEL 7, CentOS 7, or Scientific Linux 7 (RHEL/CentOS/SL 7) system, in order to enable applications/services on that system to perform Moonshot-based authentication.

Assumptions and Prerequisites

This guide assumes you have a RHEL 7, CentOS 7, or Scientific Linux 7 system (a minimal install will do) and that you have a Moonshot RP Proxy available to connect to.

1. System Preparation

1.1. Turn off SELinux

There are currently no SELinux policies for Moonshot, so SELinux must be run in Permissive mode.

For CentOS SELinux information please refer to the CentOS documentation: https://www.centos.org/docs/5/html/5.2/Deployment_Guide/sec-sel-enable-disable.html

1.2. Network configuration

For production deployments, it is recommended that the machine be assigned a static IP address.

For CentOS networking information please refer to the CentOS documentation: https://www.centos.org/docs/5/html/5.1/Deployment_Guide/ch-network-config.html

1.3. Firewall configuration

The following port must be accessible from the outside world through the local firewall:

  • 2083/tcp (for RadSec connections to other Moonshot entities, including the RP proxy).

1.4. Add the required repositories

Moonshot requires three yum repositories to be added to the system: EPEL and the Shibboleth repositories (home of some required dependencies), and the Moonshot repository itself.

  1. Install EPEL by running the following command:

    $ yum install epel-release

    Depending on your platform, the epel-release package is part of one of the optional repositories. On CentOS, it is part of the Extras repository. On RHEL, you must enable both the Optional and Extras repositories. For more information, visit the EPEL homepage.

  2. Install the official Shibboleth repository:

    $ wget -O /etc/yum.repos.d/shibboleth.repo http://download.opensuse.org/repositories/security://shibboleth/CentOS_7/security:shibboleth.repo

  3. Install the Moonshot repository by creating a new file at /etc/yum.repos.d/moonshot.repo with the following content:

    [Moonshot]
    name=Moonshot
    baseurl=http://repository.project-moonshot.org/rpms/centos7/
    failovermethod=priority
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/Moonshot

  4. Install the Moonshot GPG key:

    $ wget -O /etc/pki/rpm-gpg/Moonshot http://repository.project-moonshot.org/rpms/centos7/moonshot.key
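
The repository definition in step 3 uses a plain-HTTP baseurl, so gpgcheck=1 and the locally installed key are the only integrity control on the packages. The following audit function is an added example, not part of the original page or the Moonshot project; `audit_repo`, `PAGE_REPO`, `WEAK_REPO` and the `repo.example.invalid` host are names assumed here for illustration.

```shell
#!/bin/sh
# Added example: flag weak transport/signature settings in yum .repo definitions.
# Usage: audit_repo FILE...   or   ... | audit_repo
# Prints one "section: finding" line per issue; exit status 1 if any were found.
audit_repo() {
    awk -F= '
    function report(msg) { printf "%s: %s\n", sec, msg; n++ }
    function finish() {                       # per-section checks
        if (sec == "") return
        if (gpgcheck != "1") report("gpgcheck is not 1, packages are not signature-checked")
        else if (key == "")  report("gpgcheck=1 but no gpgkey is configured")
    }
    /^[ \t]*$/ || /^[ \t]*[#;]/ { next }      # skip blanks and comments
    /^[ \t]*\[/ {                             # start of a new [section]
        finish()
        sec = $0; gsub(/^[ \t]*\[|\].*$/, "", sec)
        gpgcheck = ""; key = ""
        next
    }
    {
        k = $1; gsub(/[ \t]/, "", k)
        v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (k == "gpgcheck") gpgcheck = v
        if (k == "gpgkey")   key = v
        # Cleartext fetches can be modified in transit; for gpgkey that defeats gpgcheck.
        if (k ~ /^(baseurl|mirrorlist|metalink|gpgkey)$/ && v ~ /^(http|ftp):\/\//)
            report(k " uses cleartext transport: " v)
    }
    END { finish(); exit (n > 0) }
    ' "$@"
}

# moonshot.repo content exactly as given in step 3 above.
PAGE_REPO='[Moonshot]
name=Moonshot
baseurl=http://repository.project-moonshot.org/rpms/centos7/
failovermethod=priority
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/Moonshot'

# Constructed counter-example (not a real repository).
WEAK_REPO='[constructed-weak]
name=Constructed counter-example
baseurl=http://repo.example.invalid/el7/
gpgcheck=0
gpgkey=http://repo.example.invalid/el7/key.asc'

printf '%s\n' "$PAGE_REPO" "$WEAK_REPO" | audit_repo || true
```

Because step 4 also fetches the key over HTTP, inspect it with `gpg --with-fingerprint /etc/pki/rpm-gpg/Moonshot` and compare the fingerprint against a value obtained through a separate channel before running the install.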

2. Install Moonshot

We are now ready to install the Moonshot software and its required dependencies. Install the software by running the following command:

$ yum install moonshot-gss-eap --disablerepo=security_shibboleth

3. Next Steps

3.1. Configure your Moonshot Libraries to connect to an RP Proxy

The Moonshot GSS-EAP mechanism needs to connect to a local Moonshot RP Proxy (RADIUS server) via RADIUS or RadSec in order to create the first hop between the service and the user's home IdP to allow authentication to happen. See the Configure a Linux Server to Connect to an RP Proxy page for instructions on how to do this.

3.2. Configure your Application/Service to use Moonshot

Finally, you may have to install and/or configure the application/service itself, as necessary.

4 Comments

  1. Apparently the current CentOS 7 packages are broken, as they try to install shibboleth-sp (v 2.5.x from the Moonshot repo) and shibboleth (v 2.6.x from the Shib repo), which results in the following error:

    Transaction check error:

    file /etc/shibboleth/attribute-map.xml conflicts between attempted installs of shibboleth-sp-2.5.6-1.x86_64 and shibboleth-2.6.0-2.1.x86_64
    file /etc/shibboleth/attribute-map.xml.dist conflicts between attempted installs of shibboleth-sp-2.5.6-1.x86_64 and shibboleth-2.6.0-2.1.x86_64
    file /etc/shibboleth/attribute-policy.xml conflicts between attempted installs of shibboleth-sp-2.5.6-1.x86_64 and shibboleth-2.6.0-2.1.x86_64
    file /etc/shibboleth/attribute-policy.xml.dist conflicts between attempted installs of shibboleth-sp-2.5.6-1.x86_64 and shibboleth-2.6.0-2.1.x86_64
    file /etc/shibboleth/example-shibboleth2.xml conflicts between attempted installs of shibboleth-sp-2.5.6-1.x86_64 and shibboleth-2.6.0-2.1.x86_64
    file /etc/shibboleth/example-shibboleth2.xml.dist conflicts between attempted installs of shibboleth-sp-2.5.6-1.x86_64 and shibboleth-2.6.0-2.1.x86_64
    file /etc/shibboleth/keygen.sh conflicts between attempted installs of shibboleth-sp-2.5.6-1.x86_64 and shibboleth-2.6.0-2.1.x86_64
    file /usr/bin/mdquery conflicts between attempted installs of shibboleth-sp-2.5.6-1.x86_64 and shibboleth-2.6.0-2.1.x86_64
    file /usr/bin/resolvertest conflicts between attempted installs of shibboleth-sp-2.5.6-1.x86_64 and shibboleth-2.6.0-2.1.x86_64
    file /usr/lib/systemd/system/shibd.service conflicts between attempted installs of shibboleth-sp-2.5.6-1.x86_64 and shibboleth-2.6.0-2.1.x86_64
    file /usr/lib64/shibboleth/adfs-lite.so conflicts between attempted installs of shibboleth-sp-2.5.6-1.x86_64 and shibboleth-2.6.0-2.1.x86_64
    file /usr/lib64/shibboleth/adfs.so conflicts between attempted installs of shibboleth-sp-2.5.6-1.x86_64 and shibboleth-2.6.0-2.1.x86_64
    file /usr/lib64/shibboleth/memcache-store.so conflicts between attempted installs of shibboleth-sp-2.5.6-1.x86_64 and shibboleth-2.6.0-2.1.x86_64
    file /usr/lib64/shibboleth/mod_shib_24.so conflicts between attempted installs of shibboleth-sp-2.5.6-1.x86_64 and shibboleth-2.6.0-2.1.x86_64
    file /usr/lib64/shibboleth/odbc-store.so conflicts between attempted installs of shibboleth-sp-2.5.6-1.x86_64 and shibboleth-2.6.0-2.1.x86_64
    file /usr/lib64/shibboleth/plugins-lite.so conflicts between attempted installs of shibboleth-sp-2.5.6-1.x86_64 and shibboleth-2.6.0-2.1.x86_64
    file /usr/lib64/shibboleth/plugins.so conflicts between attempted installs of shibboleth-sp-2.5.6-1.x86_64 and shibboleth-2.6.0-2.1.x86_64
    file /usr/sbin/shibd conflicts between attempted installs of shibboleth-sp-2.5.6-1.x86_64 and shibboleth-2.6.0-2.1.x86_64
    file /usr/share/xml/shibboleth/shibboleth-2.0-afp-mf-basic.xsd conflicts between attempted installs of shibboleth-sp-2.5.6-1.x86_64 and shibboleth-2.6.0-2.1.x86_64
    file /usr/share/xml/shibboleth/shibboleth-2.0-afp-mf-saml.xsd conflicts between attempted installs of shibboleth-sp-2.5.6-1.x86_64 and shibboleth-2.6.0-2.1.x86_64
    file /usr/share/xml/shibboleth/shibboleth-2.0-afp.xsd conflicts between attempted installs of shibboleth-sp-2.5.6-1.x86_64 and shibboleth-2.6.0-2.1.x86_64
    file /usr/share/xml/shibboleth/shibboleth-2.0-native-sp-config.xsd conflicts between attempted installs of shibboleth-sp-2.5.6-1.x86_64 and shibboleth-2.6.0-2.1.x86_64

     

    The workaround is to disable the official Shib repo.

     

    1. Can you be more specific about what you were doing? 

      1. Just installing Moonshot libraries on a clean CentOS 7 box, following these instructions.

        1. If a new release is out, we should probably rebuild our packages against that new release, no?