NetScaler practice / AAA SAML IdP against simpleSAMLphp


This guide describes how to install and configure NetScaler as a SAML service provider protecting a very basic IIS-hosted site. Requests are authenticated against a SAML identity provider, here simpleSAMLphp. The guide also describes how to set up a base CentOS installation via network install on XenServer 6.0.2. simpleSAMLphp is then installed and configured together with Apache, PHP and SSL.

Environment
The environment consists of two class C networks, 192.168.199.0/24 (DMZ) and 192.168.0.0/24 (lab.local). The NetScaler MPX resides in the DMZ and will be the SAML service provider in the target configuration. lab.local contains all internal services and the machine that is built in this guide.

Audience
This document is intended for experienced NetScaler and network administrators, so basic tools and background knowledge are not explained here.

Prerequisites

  • a working, configured NetScaler 10 MPX
  • XenServer host with 8 GB of free storage for the virtual machine and 512 MB of free RAM
  • a network with internet access for the guest VM
  • CentOS install media (http://ftp.uni-bayreuth.de/linux/CentOS/6/isos/x86_64/CentOS-6.3-x86_64-netinstall.iso)
  • PuTTY SSH client
  • a certificate authority to sign both certificates, and its public certificate ("lab-ca.crt", Base64 encoded)
  • a certificate and private key for "centos.lab.local" ("centos.lab.local.key" / "centos.lab.local.cert", Base64 encoded, no password on the key)
  • a certificate and private key for "aaa.lab.local" ("aaa.lab.local.key" / "aaa.lab.local.cert", Base64 encoded, no password on the key)
  • the DNS names centos.lab.local (IdP), dclb.lab.local (protected LB vserver) and aaa.lab.local (AAA vserver) must be resolvable

Creating the XenServer guest
Log on to XenCenter and create a new guest VM with the following parameters

  • 1 CPU
  • 512 MB RAM
  • 8 GB HDD
  • 1 network interface connected to a network with internet access and DHCP (or set the IP address of the VM manually later)
  • DVD drive connected to the CentOS net-install ISO file

Select the template "CentOS 6" and give the new guest a name.

Choose the previously downloaded CentOS net-install ISO and the target XenServer that will host your guest.

Leave the number of CPUs at 1 and configure 512 MB of RAM.

Select the network your guest will be attached to and complete the creation process.

Installation of the base system
After the creation process completes, XenServer will start the newly created machine. When the installer comes up, go through the steps with the following parameters

  • Skip the media test (we are in a lab)
  • Language: English
  • Installation method: URL
  • Configure TCP/IP: enable IPv4 support only, with DHCP
  • URL configuration: http://mirror.centos.org/centos/6/os/x86_64
  • Time zone: to fit your location
  • Root password: one of your choosing
  • Partitioning type: replace existing Linux system

Skip the media test to save time and choose English to align with this guide.

Select "URL" as the installation method, as we only have the net-install media, and use IPv4 via DHCP.

Set the URL of the CentOS installation sources (http://mirror.centos.org/centos/6/os/x86_64).

The installer image is retrieved and the installation process starts.

Since the disk has never been used, it has to be initialized. After that, the time zone must be set.

The root password and the partition layout must be defined.

There is no old data on the disk, so write the changes to the HDD. Installation begins...

The base system is now ready and can be rebooted.

Once the system is up, log in with the username root and the previously chosen password and find the IP address of the system with the following command.

 [root@localhost ~]# ifconfig eth0

Now connect using PuTTY, which makes it much easier to work with the system.

From now on all work can be done via PuTTY, and the command line examples can be copied and pasted into the PuTTY session.

Setting up the base system
First install nano, an easy-to-use command line editor.

 [root@localhost ~]# yum -y install nano

After installing nano, some system parameters must be changed. To save time, install the following configuration tools:

 [root@localhost ~]# yum -y install system-config-firewall-base system-config-network-tui

Use system-config-network to update the network configuration (static IP address, DNS, hostname).

 [root@localhost ~]# system-config-network

Set SELinux to permissive mode: open the SELinux config and change the line starting with

 SELINUX=enforcing

to

 SELINUX=permissive
 [root@localhost ~]# nano /etc/selinux/config   (CTRL+X to save)

Stop and disable iptables.

 [root@localhost ~]# /etc/init.d/iptables stop
 [root@localhost ~]# chkconfig iptables off

Both of these are lab shortcuts. An IdP that real users authenticate against should keep SELinux enforcing and keep iptables running with only tcp/22, 80 and 443 open, rather than running unfirewalled.

To restart the network interface with the newly configured settings, use the XenCenter console of your CentOS VM and enter the following lines.

 [root@localhost ~]# ifdown eth0
 [root@localhost ~]# ifup eth0

From now on, log in to your CentOS VM using PuTTY and the new IP address.

Installation / configuration of Apache, PHP, SSL

The system was installed in a minimal configuration; nothing beyond the basic services is running. As we are going to install a PHP application, we first need a web server with support for the scripting language (PHP) and for SSL. To install Apache and the required extras, issue the following commands.

Install Apache, mod_ssl and the PHP base:

 [root@localhost ~]# yum -y install httpd mod_ssl php

Install the PHP add-ons that are needed:

 [root@localhost ~]# yum -y install php-xml php-ldap php-memcached

Try starting Apache:

 [root@localhost ~]# service httpd start

(Enable httpd at boot with chkconfig as well, so the IdP comes back after a reboot.)

Now the default web site of the VM is reachable with a browser at http://<IP address of the VM>/

To test the PHP installation, create a new file called test.php in /var/www/html and fill it with the following example

 [root@localhost ~]# nano /var/www/html/test.php   (CTRL+X to save)

e.g.:

 <?php phpinfo(); ?>

PHP can be tested using a browser and the URL http://<IP address of the VM>/test.php. The result should be the phpinfo() page. Delete test.php once PHP is confirmed to work, since phpinfo() discloses the complete PHP and server configuration to anyone who can reach the site.

Now the web server is ready to be configured with a listener on port 443/tcp, secured by SSL. For this the SSL certificate is required. This guide uses two separate files, one containing the private key and the other the certificate. The certificate has been issued for the DNS name "centos.lab.local". Since the files are relatively small, they can be copied to the clipboard and pasted into the PuTTY session. To do this, first change to /etc/pki/tls/private and open a new file "centos.lab.local.key" with nano.

 [root@localhost ~]# cd /etc/pki/tls/private/
 [root@localhost private]# nano centos.lab.local.key

Paste the previously copied content of the private key into the PuTTY window with a right click and save the file with CTRL+X. Make sure the key file is readable by root only. Now change to /etc/pki/tls/certs, open a new file "centos.lab.local.cert" with nano and paste the certificate in the same way.

 [root@localhost ~]# cd /etc/pki/tls/certs
 [root@localhost certs]# nano centos.lab.local.cert

To configure Apache with the new certificate, two values in the file /etc/httpd/conf.d/ssl.conf need to be changed using nano as follows.

 SSLCertificateFile /etc/pki/tls/certs/centos.lab.local.cert
 SSLCertificateKeyFile /etc/pki/tls/private/centos.lab.local.key

After saving the file, Apache must be restarted using the following command line.

 [root@localhost conf.d]# /etc/init.d/httpd restart

After Apache has restarted, the default web site is accessible via https as well. The browser will only trust it if lab-ca.crt is installed as a trusted root on the client; otherwise expect a certificate warning.

Installing and configuring simpleSAMLphp

As the web server is now ready to host applications, the identity provider can be downloaded. The easiest way to get the files onto the CentOS machine is curl.

 [root@localhost ~]# curl http://simplesamlphp.googlecode.com/files/simplesamlphp-1.9.1.tar.gz > /root/simplesamlphp.tar.gz

tar is used to unpack the downloaded archive.

 [root@localhost ~]# tar -xvzf /root/simplesamlphp.tar.gz

To clean things up a bit, rename the extracted directory to simpleSAMLphp.

 [root@localhost ~]# mv simplesamlphp-1.9.1 simpleSAMLphp

Now move the whole directory to /var, because /root is a user folder.

 [root@localhost ~]# mv simpleSAMLphp /var/

To make the simpleSAMLphp web interface visible to users, Apache must be configured with an alias. Open /etc/httpd/conf.d/ssl.conf with nano and scroll to the end of the file. Locate the closing "</VirtualHost>" and insert the following line above it.

 Alias /simplesaml /var/simpleSAMLphp/www

Restart Apache.

 [root@localhost ~]# /etc/init.d/httpd restart

simpleSAMLphp is now accessible via https://centos.lab.local/simplesaml (set up DNS for the CentOS VM first to get rid of certificate name errors).

To be able to log in as administrator, the configuration file /var/simpleSAMLphp/config/config.php needs to be edited via nano. The following lines must be modified.

Change "123" to a new, strong admin password.

 'auth.adminpassword' => '123',

Change "defaultsecretsalt" to a random string of characters, e.g. "NetScalerRocks". The salt is used to derive secrets such as persistent identifiers, so on anything but a lab box use a long value taken from /dev/urandom rather than a guessable word.

 'secretsalt' => 'defaultsecretsalt',

Change NULL to a PHP time zone (see http://php.net/manual/en/timezones.php)

 'timezone' => NULL,

Change false to true.

 'enable.saml20-idp' => false,

Save config.php with CTRL+X

Enable authentication via the local test accounts.

 [root@localhost ~]# mv /var/simpleSAMLphp/modules/exampleauth/default-disable /var/simpleSAMLphp/modules/exampleauth/default-enable

Now SAML itself needs to be configured. First the IdP part needs some changes in the saml20-idp-hosted.php file.

 [root@localhost ~]# nano /var/simpleSAMLphp/metadata/saml20-idp-hosted.php

The following lines must be added below the line

 $metadata['__DYNAMIC:1__'] = array(

 /*
  * Turn off response signing, NetScaler does not handle this type of signature
  */
 'saml20.sign.response' => FALSE,
 'saml20.sign.assertion' => FALSE,

Be aware of what the second line does: with 'saml20.sign.assertion' => FALSE the NetScaler has no cryptographic proof that an assertion came from this IdP, so anyone able to post an assertion to the ACS URL could claim any user. Treat it as a lab troubleshooting setting. Once the setup works, re-enable assertion signing and point 'privatekey' / 'certificate' in this same file at the centos.lab.local key and certificate (placed in the simpleSAMLphp cert directory), because that is the certificate the NetScaler is given as the IdP certificate later in this guide.

The following line must be set to "example-userpass" for the local accounts to work.

 'auth' => 'example-userpass',

Save the file and exit nano with CTRL+X. Now the IdP part is done, and the IdP needs to know how to handle SAML requests from our service provider. This is done in the file saml20-sp-remote.php.

 [root@localhost ~]# nano /var/simpleSAMLphp/metadata/saml20-sp-remote.php

At the end of the file the following lines must be inserted. Exit nano with CTRL+X after the insertion.

 $metadata['dclb.lab.local'] = array(
     'AssertionConsumerService' => 'http://dclb.lab.local/cgi/samlauth',
 );

The array key is the SP entity ID: simpleSAMLphp uses the Issuer of the incoming AuthnRequest to look up this entry and delivers the assertion to the AssertionConsumerService URL listed here, so both must match what the NetScaler sends.

Time synchronization

As SAML works with time-limited tickets, clock synchronization between all systems is strongly required. For time synchronization on the IdP, ntp must be installed. This can be done with the following commands.

 [root@localhost ~]# yum -y install ntp
 [root@localhost ~]# chkconfig ntpd on
 [root@localhost ~]# ntpdate pool.ntp.org
 [root@localhost ~]# /etc/init.d/ntpd start

Now the system time is synchronized with the NTP servers of pool.ntp.org. Synchronize the NetScaler against the same source, since it is the side that checks the assertion's validity window.

NetScaler configuration

In this example, a default IIS page is protected by an AAA vserver. To do this the following steps must be performed.

  • Copy lab-ca.crt, aaa.lab.local.key / .cert and centos.lab.local.cert to the NetScaler into the directory /nsconfig/ssl
  • Install the SSL certificates for the CA, the AAA vserver and the IdP public key on the NetScaler.
  • Create an AAA vserver with a SAML authentication server / policy.
  • Create an LB vserver with a backend service pointing to a Microsoft IIS server.
  • Enable authentication on the LB vserver.

The previously copied certificates must be installed on the NetScaler. In the NetScaler GUI switch to SSL, Certificates.

The aaa.lab.local certificate must be linked to the LAB CA certificate.

Now that the certificates are installed, the AAA vserver listening on port 443 (SSL) can be added and configured with authentication against the SAML IdP installed and configured above.
In the NetScaler GUI switch to AAA - Application Traffic, Policies, Authentication, SAML and create the SAML authentication server and policy.

Create the AAA vserver.

In the NetScaler GUI go to Load Balancing, Services and create a service that points to the IIS server in the backend.

Switch to Virtual Servers and create the LB vserver with authentication enabled.

The NetScaler is now set up.
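The same NetScaler configuration as a CLI script, covering both the certificate installation and linking and the AAA / LB vserver steps above. This is an added example and not part of the original post. Assumptions: the VIPs 192.168.199.10 (LB vserver) and 192.168.199.11 (AAA vserver) in the DMZ and the IIS server 192.168.0.20 in lab.local, the default simpleSAMLphp SSO endpoint path /simplesaml/saml2/idp/SSOService.php, the "uid" attribute as the username field (the exampleauth test accounts carry one), and the object names saml_act_idp, saml_pol_idp and svc_iis, which are arbitrary.

```nscli
# Certificates were copied to /nsconfig/ssl beforehand (file names from the prerequisites)
add ssl certKey lab-ca -cert lab-ca.crt
add ssl certKey aaa.lab.local -cert aaa.lab.local.cert -key aaa.lab.local.key
add ssl certKey centos.lab.local -cert centos.lab.local.cert
# Chain the AAA vserver certificate to the lab CA so clients get the full chain
link ssl certKey aaa.lab.local lab-ca

# SAML action: IdP certificate to trust, our signing certificate, and where to
# redirect unauthenticated users (simpleSAMLphp default SSO endpoint, assumed)
add authentication samlAction saml_act_idp -samlIdPCertName centos.lab.local -samlSigningCertName aaa.lab.local -samlRedirectUrl "https://centos.lab.local/simplesaml/saml2/idp/SSOService.php" -samlUserField "uid"
add authentication samlPolicy saml_pol_idp ns_true saml_act_idp

# AAA vserver on 443 (VIP assumed), bound to its certificate and the SAML policy
add authentication vserver aaa.lab.local SSL 192.168.199.11 443
bind ssl vserver aaa.lab.local -certkeyName aaa.lab.local
bind authentication vserver aaa.lab.local -policy saml_pol_idp -priority 100

# Backend IIS service (IP assumed) and the protected LB vserver that hands
# unauthenticated requests to the AAA vserver
add service svc_iis 192.168.0.20 HTTP 80
add lb vserver dclb.lab.local HTTP 192.168.199.10 80 -Authentication ON -AuthenticationHost aaa.lab.local
bind lb vserver dclb.lab.local svc_iis

save ns config

# Checks: the action should list the two certificates, the chain should show the link
show authentication samlAction saml_act_idp
show ssl certKey aaa.lab.local
```

The IdP certificate named in -samlIdPCertName only matters once assertion signing is re-enabled on the simpleSAMLphp side; with signing turned off as in this guide the NetScaler has nothing to verify, which is exactly why that setting should not outlive the lab.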

Test
To test, point a browser to http://dclb.lab.local. The NetScaler notices that the request carries no session or SAML assertion and redirects the browser to the configured redirect URL (the IdP). After login, the IdP posts the assertion back to the NetScaler, which then redirects the browser to the originally requested resource.

Log in with student / studentpass.

The IdP checks the credentials and redirects to the requested resource.

Coming up

  • authorization with SAML (affiliations)
  • authentication against LDAP (Active Directory)