Authors: David W. Chadwick, Wensheng Xu, Alexander Otenko , George Inman

Introduction

1 Before you start

2 Installation steps

3 For advanced users

The PERMIS Shibboleth Apache Authorisation Module (SAAM) is essentially an Apache module that uses PERMIS to control access to websites that use either Apache or Shibboleth to provide user authentication. Part 1 of this cookbook shows you how to implement the PERMIS SAAM with Shibboleth authentication. Part 2 shows you how to implement the PERMIS SAAM with Apache authentication. On completion of this cookbook, you will be able to install and setup all the necessary components for using the PERMIS SAAM with either Shibboleth or Apache.

In this Part 1 of the cookbook, PERMIS will normally be configured to work in push mode where Shibboleth is used to push the user’s attributes from the user’s  Identity Provider (or Attribute Authority) to the service provider. (PERMIS can also be configured to work in pull mode to retrieve the user’s X.509 attribute certificates (ACs) from one or more specified LDAP servers and make an access decision based on these ACs, but this is an advanced mode of use with Shibboleth.) The PERMIS policy may be stored either in the LDAP entry of the policy writer (who is called the Source of Authority or SoA) as a digitally signed policy AC, or in the file store of the Shibboleth service provider’s machine as a simple text file containing the XML policy. The PERMIS Policy Editor is able to create both of these policy formats.

You will need to have the following components before you start to install PERMIS with Apache and Shibboleth.

The following systems should be installed and working prior to installing PERMIS:

1. An Apache web server (version 1.3 or 2.0) with DSO support.

2. Apache authentication module mod_auth_ldap at the Shibboleth origin side to serve as the user authentication service.

3. Shibboleth target and origin sites should be installed and interoperating.

In order to create and manage PERMIS policies, you will need the following:

1. An XML policy creating tool. The PERMIS Policy Editor tool can be used for this. A test policy policy1.xml is provided with the installation kit but you will need to modify this after installation to suit your own operational environment.

2. An optional X.509 private signing key for signing your policies. The key file permisv5.p12 is provided in the installation kit and can be used for testing purposes, but it should be replaced by your own key pair before your system goes live. The password for this p12 file is (starts with lowercase "L", not number "1"):

The Kent SAAM Installation kit comprises the following items:

1. The PERMIS Java classes library saam.jar for the Shibboleth target site

2. The source code for the mod_permis modules mod_permis_13.so and mod_permis_20.so in the sub directory <mod_permis_src>:

o        C++ source code mod_apache_permis.cpp for both mod_permis_13.so and mod_permis_20.so

Installation will proceed as follows:

You will install PERMIS using a default XML text policy file with attributes pushed by the Shibboleth origin site.

Then under Advanced Use you may install PERMIS using a default signed policy AC, and optionally pull or push user ACs from a Shibboleth IdP.

In this stage you will install the PERMIS software on your system, using a test XML policy stored on the local file system and plain text attributes provided by Kent's LDAP server.

a. In the Shibboleth target computer, if you are using Apache 1.3, copy the file mod_permis_13.so to <APACHE_HOME/libexec/>; if you are using Apache 2.0, copy mod_permis_20.so to <APACHE_HOME/modules/>, where <APACHE_HOME> is the directory, in which your Apache is installed.

b. In the Shibboleth target computer, copy the file saam.jar to <$JAVA_HOME/jre/lib/ext/>, where JAVA_HOME is your Java home directory.

c. Copy the file iaik_jce.jar into <JAVA_HOME/jre/lib/ext/>.

d. Copy the file log4j-1.2.13.jar into <JAVA_HOME/jre/lib/ext/>.

On the target site computer, run the following command to update the environment variable: LD_LIBRARY_PATH

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/shibboleth-target-1.2/lib: $JAVA_HOME/jre/lib/i386/client:$JAVA_HOME/jre/lib/i386

This will allow the Java virtual machine and the JNI support classes to be found by JNI when they are called by the mod_permis apache module. In this command JAVA_HOME is the environment variable of the computer system referring to the Java home directory. Please make sure the two system environment variables JAVA_HOME and APACHE_HOME are correctly configured to refer to your Java home directory and Apache home directory respectively.

The order in which the modules appear in the configuration file and the names of the shared libraries are different for Apache 1.3 and Apache 2.0, so we provide instructions for both versions of web-servers.

Modify the Shibboleth configuration file for Apache: apache.config. This file is included by the Apache configuration file httpd.conf so it is part of the Apache configurations and can be found in the following directory: </opt/Shibboleth-target-1.2/etc/Shibboleth/>. Before modification, the apache.config file may look like the following:

LoadModule mod_shib /opt/shibboleth-target-1.2/libexec/mod_shib_13.so----[directive 1]

 
... ... (other directives)

 
<Location /secure2>
    AuthType shibboleth----------------------------------------------------[directive 2]
    ShibRequireSession On
    require valid-user
</Location>

 
So location </secure2> is protected by Shibboleth.

Insert the following directives into this configuration file immediately AFTER directive 1: (Please pay attention to AFTER)

LoadModule mod_permis APACHE_HOME/libexec/mod_permis_13.so---------------[directive N1]
PermisPolicyLocation APACHE_HOME/conf/policy1.xml----------------[directive N4]
PermisJavaClass ".:JAVA_HOME/jre/lib/ext/saam.jar:JAVA_HOME/jre/lib/ext/iaik_jce.jar:JAVA_HOME/jre/lib/ext/axis.jar:JAVA_HOME/jre/lib/ext/ log4j-1.2.13.jar "-----[directive N8]

Insert the following directive immediately after directive 2:

PermisAuthorization------------------------------------------------------[directive N6]

After the above modifications, the configuration file will look like the following:

LoadModule mod_shib /opt/shibboleth-target-1.2/libexec/mod_shib_13.so----[directive 1]
LoadModule mod_permis APACHE_HOME/libexec/mod_permis_13.so---------------[directive N1]
PermisPolicyLocation APACHE_HOME/saam/policy1.xml----------------[directive N4]
PermisJavaClass ".:JAVA_HOME/jre/lib/ext/saam.jar:JAVA_HOME/jre/lib/ext/iaik_jce.jar:JAVA_HOME/jre/lib/ext/axis.jar:JAVA_HOME/jre/lib/ext/ log4j-1.2.13.jar "-----[directive N8] 
... ... (other directives)

 
<Location /secure2>
    AuthType shibboleth --------------------------------------------------[directive 2]
    PermisAuthorization --------------------------------------------------[directive N6]
    ShibRequireSession On
    require valid-user
</Location>

In the above configurations APACHE_HOME should be your Apache home directory and JAVA_HOME should be your Java SDK home directory.

Please note: if you add [directive N6] to a Shibboleth protected location, then this location and all its subordinate directories will be protected by the PERMIS SAAM. If you delete this directive from the Shibboleth protected location in the configuration file, then this location will no longer be protected by the PERMIS SAAM.

Modify the Shibboleth configuration file for Apache: apache2.config. This file is included by the Apache configuration file httpd.conf so it is part of the Apache configurations and it can be found in this directory: </opt/Shibboleth-target-1.2/etc/Shibboleth/>. Before modification, the apache2.config may look like the following:

LoadModule mod_shib /opt/shibboleth-target-1.2/libexec/mod_shib_20.so----[directive 1]

 
... ... (other directives)

 
<Location /secure2>
    AuthType shibboleth---------------------------------------------------[directive 2]
    ShibRequireSession On
    require valid-user
</Location>

So location </secure2> is protected by Shibboleth.

Insert the following directives into this configuration file immediately BEFORE directive 1: (Please pay attention to BEFORE)

LoadModule mod_permis APACHE_HOME/modules/mod_permis_20.so---------------[directive N1]

Insert the following directives immediately after directive 1:

PermisPolicyLocation APACHE_HOME/conf/policy1.xml----------------[directive N4]
PermisJavaClass ".:JAVA_HOME/jre/lib/ext/saam.jar:JAVA_HOME/jre/lib/ext/iaik_jce.jar:JAVA_HOME/jre/lib/ext/axis.jar:JAVA_HOME/jre/lib/ext/ log4j-1.2.13.jar "-----[directive N8]

Insert the following directive immediately after directive 2:

PermisAuthorization------------------------------------------------------[directive N6]

After the above modifications, the configuration file will look like the following:

LoadModule mod_permis APACHE_HOME/modules/mod_permis_20.so---------------[directive N1]
LoadModule mod_shib /opt/shibboleth-target-1.2/libexec/mod_shib_20.so----[directive 1]
PermisPolicyLocation APACHE_HOME/conf/policy1.xml----------------[directive N4]
PermisJavaClass ".:JAVA_HOME/jre/lib/ext/saam.jar:JAVA_HOME/jre/lib/ext/iaik_jce.jar:JAVA_HOME/jre/lib/ext/axis.jar:JAVA_HOME/jre/lib/ext/ log4j-1.2.13.jar "-----[directive N8]

 
... ... (other directives)

 
<Location /secure2>
    AuthType shibboleth---------------------------------------------------[directive 2]
    PermisAuthorization---------------------------------------------------[directive N6]
    ShibRequireSession On
    require valid-user
</Location>

In the above configurations APACHE_HOME should be your Apache home directory and JAVA_HOME should be your Java SDK home directory.

Please note: if you add [directive N6] to a Shibboleth protected location, then this location and all its subordinate directories will be protected by the PERMIS SAAM. If you delete this directive from the Shibboleth protected location in the configuration file, then this location will no longer be protected by the PERMIS SAAM.

AAP.xml can be found at </opt/Shibboleth-target-1.2/etc/Shibboleth/> on the Shibboleth target computer. In this file, add one new entry into it:

<AttributeRule Name="urn:mace:dir:attribute-def:permisRole" Header="permisRole">
 <AnySite>
 <AnyValue/>
 </AnySite>
</AttributeRule>

This will allow the Shibboleth target site to accept one new plain text attribute permisRole from the Shibboleth origin site.

Please note: for attribute permisRole, the Header must be set as "permisRole". This is required by the PERMIS test policy. The attribute name sent to the shibboleth service provider for authorization with SAAM can take any value as long as it is either the same name as the attribute used in the policy or uses the Header variable to remap the received variable to the attribute used in the policy.

This file can be found at <$TOMCAT_HOME/webapps/shibboleth/WEB-INF/classes/conf/> in the Shibboleth origin site computer. Add the following entry into it:

<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:permisRole"
    smartScope="kent.ac.uk">
    <DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>

Please note the smartScope is needed for the example PERMIS policy used in this cookbook. If it is absent here, then the origin site host name will be used as the domain name which may not be recognized by the example PERMIS policy. In this case you should modify the PERMIS policy to allow the origin site host domain name to be recognized.

In the same file, modify the JNDIDirectoryDataConnector entry as follows:

<JNDIDirectoryDataConnector id="directory">
     <Search filter="uid=%PRINCIPAL%">
     <ControlssearchScope="SUBTREE_SCOPE"returningObjects="false"/>
     </Search>
     <Property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
     <Property name="java.naming.provider.url" value="ldap://sec.cs.kent.ac.uk/c=gb"/>
</JNDIDirectoryDataConnector>

Note in the above entry that uid should be used as the search filter and the LDAP should be ldap://sec.cs.kent.ac.uk/c=gb so that the LDAP server at the university of Kent can be used.

This file arp.site.xml can be found at <$TOMCAT_HOME/webapps/shibboleth/WEB-INF/classes/conf/arps/> in the Shibboleth origin site computer. Add the following entry into it:

<Attribute name="urn:mace:dir:attribute-def:permisRole">
 <AnyValue release="permit"/>
</Attribute>

Step 5 and Step 6 will allow the Shibboleth origin site to release the permisRole attribute to the target site.

We assume you are using a mod_auth_ldap Apache module to authenticate users at the Shibboleth origin site. So the directives for the Shibboleth Handle Service in httpd.conf for Apache at the origin site may look like the following.

<Location /shibboleth/HS>
     Options Indexes FollowSymLinks
     AllowOverride None
     Order allow,deny
     Allow from all
     AuthName "Shibboleth Handle Service"
     AuthType Basic
     LDAP_Server 129.12.3.197 -------------- Note: This is the IP address of ldap://sec.cs.kent.ac.uk at Kent University.
     LDAP_Port 389
     Base_DN "c=gb"
     UID_Attr uid
     Require valid-user
</Location>

Note that during this installation step, you will be using user names and passwords configured into Kent's LDAP directory, so that you do not have to modify your own LDAP service. You will use your own usernames and passwords later on.

For this test authentication LDAP, there are 2 test users (LDIF of the entries is provided in ldif.zip). Each user has the following attributes: cn, sn, uid, userPassword, attributeCertificateAttribute, permisRole, objectClass: person, objectClass:pmiUser, objectClass: top.

The attributes for user User0 are shown in Figure 1.

For User0:

So for User0, the username/password is: User0/User0.

For User1:

dn: cn=User1,o=permisv5,c=gb.
cn: User1
uid: User1
permisRole: Role1
userPassword: User1

So for User1, the username/password is: User1/User1.

You have set up a Shibboleth-PERMIS protected location </secure2> in the above Step 3. Now edit the httpd.conf file as described in Appendix A to create another 3 separate locations on your web site: a public page at </public>, and a page that requires authentication only at </simple>, and a location that is protected only by Shibboleth at </shibsecure>. So now you have got 4 locations altogether:

/public: without any authentication or authorisation

/simple: with basic Apache authentication

/shibsecure: with Shibboleth authentication and authorisation

/secure2: with Shibboleth authentication and PERMIS authorisation

Note that the above configuration is for installation and testing purposes only, to ensure that all components are working as expected, without interfering unexpectedly with each other.

In this stage you will migrate to using your own Authentication System, your own PERMIS policy, and your own attributes.

You are using Apache and Shibboleth, so do the following. Here we assume you are using the same LDAP server as the authentication server and the Shibboleth attribute server.

Please note that if you have already configured your Shibboleth IdP to authenticate a user and return a plain text attribute that you wish to use as a role attribute then you should move straight to Step 11 and configure your policy to recognise the new role attribute's name and role values.

Change the directives for Shibboleth Handle Service in httpd.conf for Apache at the origin site as follows:

<Location /shibboleth/HS>
    Options IndexesFollowSymLinks
    AllowOverride None
    Orderallow,deny
    Allow from all
    AuthName "Shibboleth Handle Service"
    AuthType Basic
    LDAP_Server 11.11.11.11 ---------- Note: Change this to the IP address of your own ldap server, say the IP address of ldap.myuniv.ac.uk
    LDAP_Port 389
    Base_DN "c=gb" ----------------- Note: You may need to change this depending upon your own LDAP tree structure
    UID_Attruid ---------Note: You may need to change this depending upon the attribute you use for authentication
    Require valid-user
</Location>

For your authentication LDAP server, you should set 2 testing users: User0 and User1. Each user should have the following attributes: dn, cn, uid, userPassword and permisRole.

For User0:

dn: cn=User0,o=permisv5,c=gb
cn: User0
uid: User0
userPassword: User0
permisRole: Role0

For User1:

dn: cn=User1,o=permisv5,c=gb
cn: User1
uid: User1
userPassword: User1
permisRole: Role1

You can change the userPassword for both User0 and User1 to anything you like.

Note: If you would prefer to use X.509 ACs to hold user attributes please refer to the PERMIS API cookbook for more details. To run PERMIS SAAM using attribute certificates, please read Section 3 of this cookbook. If you would like to create attribute certificates and add them to an LDAP server, please download and use the PERMIS Attribute Certificate Manager software.

Modify the file

$TOMCAT_HOME/webapps/shibboleth/WEB-INF/classes/conf/resolver.ldap.xml in the Shibboleth origin site computer:

<JNDIDirectoryDataConnector id="directory">
     <Search filter="uid=%PRINCIPAL%">
     <ControlssearchScope="SUBTREE_SCOPE" returningObjects="false"/>
     </Search>
     <Property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
     <Property name="java.naming.provider.url" value="ldap://sec.cs.kent.ac.uk/c=gb"/>
</JNDIDirectoryDataConnector>

This will entail:
i) modifying the policy XML file and
ii) editing the httpd.conf parameter PermisPolicyLocation to point towards your new XML policy file.

You can either edit the XML by hand or use the PERMIS Policy Management GUI.. Information about the format of the PERMIS policy can be found in the document http://sec.cs.kent.ac.uk/download/Sec2002Final.pdf..

Once you are familiar with the PERMIS SAAM, you can set advanced directives in the Apache configuration file or modify the PERMIS policy file to let the PERMIS SAAM work in advanced mode.

You can set a debug directive in the Apache configuration file to let the PERMIS SAAM output debug information. There are six different levels of Debug statements in increasing order of information that is output: OFF, FATAL, ERROR, WARN, INFO and DEBUG. In order to use debug mode you should insert one of the following directives

PermisDebug off
PermisDebug fatal
PermisDebug error
PermisDebug warn
PermisDebug info
PermisDebug debug
 

into the Apache configuration file after [directive N4]. This will switch on different levels of PERMIS debugging. The debug information for the mod_permis module will be output to a file called mod_permis.log and the debug information for the Java SAAM module will be output to permis.log in Apache&rsquo;s logs directory. Unless specifically stated by the user then the logging of debug statements is always enabled.

 
The six levels of debugging are as follows:

off - Debugging is turned off
fatal - prints out serious fatal error messages that will lead to the program terminating
error - prints out serious non fatal errors
warn - prints out less important errors
info - prints out statements to show which users are accessing your site via the PERMIS SAAM, and the results of their attempted access
debug - prints out all the verbose debug information in the PERMIS SAAM.

Please refer to the Section Debug information and the Section Possible problems for SAAM in the SAAM Apache User Guide.

In order to create and manage user X.509 ACs you will need the following:

1.A tool for creating user attribute certificates. The PERMIS Attribute Certificate Manager (ACM) tool can be used for this.

2.Optionally a tool for bulk loading lots of user attribute certificates into an LDAP directory. The PERMIS Bulk Loader can be used for this.

For added security, you may want to use X.509 ACs with Shibboleth instead of plain attributes. Using X.509 ACs ensures that the user attributes are tamperproof since they are digitally signed by the issuer. Instead of doing the above Step 4 to Step 6 in the installation process, you should first edit the Apache configuration file as described below before following steps M4 to M6:

In order to use X.509 Attribute certificates you should add the following attributes in the Apache configuration file where you defined your original policy details
 

PermisRootCA APACHE_HOME/conf/rootca.cer
PermisACAttribute attributeCertificateAttribute
PermisPKCAttribute userCertificate

After the above modifications, the configuration file will look like the following:

LoadModule mod_shib /opt/shibboleth-target-1.2/libexec/mod_shib_20.so----[directive 1]
LoadModule mod_permis APACHE_HOME/libexec/mod_permis_13.so---------------[directive N1]
PermisPolicyLocation APACHE_HOME/conf/policy1.xml----------------[directive N4]
PermisJavaClass ".:JAVA_HOME/jre/lib/ext/saam.jar:JAVA_HOME/jre/lib/ext/iaik_jce.jar:JAVA_HOME/jre/lib/ext/axis.jar:JAVA_HOME/jre/lib/ext/ log4j-1.2.13.jar "-----[directive N8]
PermisRootCA APACHE_HOME/conf/cacert.cer
PermisACAttribute attributeCertificateAttribute
PermisPKCAttribute userCertificate

... ... (other directives)

<Location /secure2>
   AuthType shibboleth---------------------------------------------------[directive 2]
   PermisAuthorization---------------------------------------------------[directive N6]
   ShibRequireSession On
   require valid-user
</Location>

The PermisRootCA directive points to a PKC certificate that can be used to verify if an X.509 certificate has been signed by the correct certificate issuing authority (CA).
The PermisACAttribute directive contains the String name for an LDAP or Shibboleth attribute that contains an X.509 attribute certificate.
The PermisPKCAttribute directive contains the String name for an LDAP or Shibboleth attribute that contains an X.509 public key certificate.
The PermisACAttribute and PermisPKCAttribute values are used to parse and verify the signatures on pushed shibboleth attributes and to retrieve pulled ACs from LDAP.
The above [directive N1] is for Apache 1.3. If you are using Apache 2.0, then refer to Step 3 of this cookbook and change this directive accordingly.

AAP.xml can be found at </opt/Shibboleth-target-1.2/etc/Shibboleth/> on the Shibboleth target computer. In this file, add two new entries into it:

<AttributeRule Name="urn:mace:dir:attribute-def:dn"
 Header="User-Distinguished-Name" Alias="dn">
     <AnySite>
     <AnyValue/>
     </AnySite>
</AttributeRule>
<AttributeRule Name="urn:mace:dir:attribute-def:attributeCertificateAttribute"
 Header="attributeCertificateAttribute">
     <AnySite>
     <AnyValue/>
     </AnySite>
</AttributeRule>

This will allow the Shibboleth target site to accept two new attributes dn and attributeCertificateAttribute from Shibboleth origin sites.

Please note: for attribute dn, the Header in this entry must be set as "User-Distinguished-Name"; for attribute attributeCertificateAttribute, the Header must be set as "attributeCertificateAttribute". This is required by the PERMIS SAAM to operate on X.509 ACs.

This file can be found at <$TOMCAT_HOME/webapps/shibboleth/WEB-INF/classes/conf/> in the Shibboleth origin site computer, where TOMCAT_HOME should be your Tomcat home directory. Add the following two entries into it:

<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:dn">
     <DataConnectorDependency requires="directory"/>
    </SimpleAttributeDefinition>
    <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:attributeCertificateAttribute"
valueHandler="edu.internet2.middleware.shibboleth.aa.attrresolv.provider.Base64ValueHandler">
     <DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>

In the same file, modify the JNDIDirectoryDataConnector entry as follows:

<JNDIDirectoryDataConnector id="directory">
     <Search filter="uid=%PRINCIPAL%">
     <ControlssearchScope="SUBTREE_SCOPE"returningObjects="false"/>
     </Search>
     <Property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
     <Property name="java.naming.provider.url" value="ldap://sec.cs.kent.ac.uk/c=gb"/>
     <Property name="java.naming.ldap.attributes.binary" value="attributeCertificateAttribute" />
</JNDIDirectoryDataConnector>

Note in the above entry that uid should be used as the search filter and the LDAP should be ldap://sec.cs.kent.ac.uk/c=gb so the LDAP at the University of Kent can be used.

Please note: in order to make use of resolver.ldap.xml, make sure that in the Shibboleth configuration file origin.xml the following entry is present:

resolverConfig="/conf/resolver.ldap.xml"

This file arp.site.xml can be found at <$TOMCAT_HOME/webapps/shibboleth/WEB-INF/classes/conf/arps/> in the Shibboleth origin site computer. Add the following two entries into it:

<Attribute name="urn:mace:dir:attribute-def:attributeCertificateAttribute">
     <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:dn">
     <AnyValue release="permit"/>
</Attribute>

Steps M5 and M6 will allow the Shibboleth origin site to release the dn and attributeCertificateAttribute attributes to the target site.

After the above configurations, restart Shibboleth at both the origin site and target site and replay the testing step 9 above. You should have accessed the protected page using PERMIS authorization based on an attributeCertificateAttribute attribute instead of a permisRole attribute.

You can use both attributes and X.509 ACs with the PERMIS SAAM at the same time. During the above Step 4 to Step 6 or Step M4 to Step M6, configure Shibboleth to let permisRole, attributeCertificateAttribute and dn be released and accepted in Shibboleth, then both the values of permisRole and attributeCertificateAttribute will be passed to PERMIS, in which case both the roles contained in permisRole and attributeCertificateAttribute will be used by PERMIS to make an access control decision for the user.

In the above Section 2 Installation Steps, in Step 3, we assume that you were using an XML file to hold the PERMIS policy on the Shibboleth target machine, and the configurations in the Apache server for the PERMIS policy were as follows:

PermisPolicyLocation APACHE_HOME/saam/policy1.xml----------------[directive N4]
PermisJavaClass ".:JAVA_HOME/jre/lib/ext/saam.jar:JAVA_HOME/jre/lib/ext/iaik_jce.jar:JAVA_HOME/jre/lib/ext/axis.jar:JAVA_HOME/jre/lib/ext/ log4j-1.2.13.jar "-----[directive N8]

PERMIS can also use digitally signed policies for added security.  If you would prefer to use digitally signed policies, these should be stored as X.509 attribute certificates in the attributeCertificateAttribute stored in an LDAP server. In this case, the configurations in the Apache server for the signed policy stored in LDAP are as follows:
 

PermisPolicyIdentifier 1.2.826.0.1.3344810.6.0.0.11----------------------[directive N2]
PermisPolicyIssuer cn=A Permis TestUser,o=permisv5,c=gb -------------------[directive N3]
PermisPolicyLocation ldap://sec.cs.kent.ac.uk----------------------------[directive N4]
PermisRootCA APACHE_HOME/conf/cacert.cer---------------------------------[directive N5]
PermisJavaClass ".:JAVA_HOME/jre/lib/ext/saam.jar:JAVA_HOME/jre/lib/ext/iaik_jce.jar:JAVA_HOME/jre/lib/ext/axis.jar:JAVA_HOME/jre/lib/ext/ log4j-1.2.13.jar "-----[directive N8]
PermisACAttribute attributeCertificateAttribute---------------------------[directive N9]
PermisPKCAttribute userCertificate;binary---------------------------------------[directive N10]

The directives have the following meanings:

The PermisPolicyLocation directive should contain the URL of the LDAP server.
The PermisPolicyIdentifier directive should contain the unique policy identifier(OID) set when the policy was created.
The PermisPolicyIssuer directive should contain the policy's source of authority(SOA) i.e. the DN of the person who signed the policy.
The above 3 directives are used to locate the policy in the LDAP server.
The PermisRootCA directive should point to a PKC certificate that can be used to verify if a users X.509 certificate has been signed by the correct certificate issuing authority (CA).
The PermisACAttribute directive should contain the name for an LDAP or Shibboleth attribute that contains an X.509 attribute certificate.
The PermisPKCAttribute directive should contain the name for an LDAP or Shibboleth attribute that contains an X.509 public key certificate.
The PermisACAttribute and PermisPKCAttribute values are used to parse and verify the digitally signed attribute certificate containing the PERMIS policy.

Shibboleth PERMIS normally works in push mode, meaning that Shibboleth pushes plain text attributes or X.509 ACs to PERMIS. PERMIS can also work in Attribute Certificate Pull Mode, in which case PERMIS will pull all the X.509 ACs that it needs from all the configured LDAP servers and Shibboleth will not provide any attributes or ACs to PERMIS. To use PERMIS in AC pull mode for the Apache locations one new directive is needed in the locations in the Apache configuration file: PermisPullMode.
 

In this working mode the Apache configurations for the PERMIS SAAM are as follows:
 

LoadModule mod_shib /opt/shibboleth-target-1.2/libexec/mod_shib_13.so----[directive 1]
LoadModule mod_shib /opt/shibboleth-target-1.2/libexec/mod_shib_13.so----[directive 1]
LoadModule mod_permis APACHE_HOME/libexec/mod_permis_13.so---------------[directive N1]
PermisPolicyLocation APACHE_HOME/conf/policy1.xml----------------------------[directive N4]
PermisRootCA APACHE_HOME/conf/cacert.cer---------------------------------[directive N5]
PermisJavaClass ".:JAVA_HOME/jre/lib/ext/saam.jar:JAVA_HOME/jre/lib/ext/iaik_jce.jar:JAVA_HOME/jre/lib/ext/axis.jar:JAVA_HOME/jre/lib/ext/ log4j-1.2.13.jar "-----[directive N8]
PermisACAttribute attributeCertificateAttribute---------------------------[directive N9]
PermisPKCAttribute userCertificate;binary---------------------------------------[directive N10]

 
... ... (other directives)

 
<Location /secure>
    AuthType shibboleth----------------------------------------------------[directive 2]
    PermisAuthorization----------------------------------------------------[directive N6]
    PermisPullMode---------------------------------------------------------[directive N7]
    ShibRequireSession On
    require valid-user
</Location>

In this working mode, the authenticated user DN is passed from the Shibboleth origin site via the Shibboleth target site to PERMIS, PERMIS retrieves the attribute certificates for the user from the LDAP repository(ies) specified by PermisPolicyLocation and PermisACLocation directive(s) in the Apache configuration file, and by the repository policy section in the PERMIS policy file.

Please note that if an XML policy file is used then there must exist either a PermisACLocation attribute in the Apache configuration file or a pre-defined repository in the PERMIS policy, otherwise the SAAM module will not be able to pull attributes.

The above [directive N1] is for Apache 1.3. If you are using Apache 2.0, then refer to Step 3 of this cookbook and change this directive accordingly.

When working in PERMIS pull mode, PERMIS needs to be told where to fetch attribute certificates from. There are two methods in the PERMIS SAAM to configure the AC LDAP locations.

In the Apache configuration file, add the directive PermisACLocation to define an AC LDAP repository location:
 

LoadModule mod_shib /opt/shibboleth-target-1.2/libexec/mod_shib_13.so----[directive 1]
LoadModule mod_permis APACHE_HOME/libexec/mod_permis_13.so---------------[directive N1]
PermisPolicyLocation APACHE_HOME/conf/policy1.xml ----------------------------[directive N4]
PermisRootCA APACHE_HOME/conf/cacert.cer---------------------------------[directive N5]
PermisJavaClass ".:JAVA_HOME/jre/lib/ext/saam.jar:JAVA_HOME/jre/lib/ext/iaik_jce.jar:JAVA_HOME/jre/lib/ext/axis.jar:JAVA_HOME/jre/lib/ext/ log4j-1.2.13.jar "-----[directive N8]
PermisACAttribute attributeCertificateAttribute---------------------------[directive N9]

PermisPKCAttribute userCertificate---------------------------------------[directive N10]
PermisACLocation ldap://site1.ac.uk/-------------------------------------[directive N11]

 
... ... (other directives)

 
<Location /secure>
    AuthType shibboleth----------------------------------------------------[directive 2]
    PermisAuthorization----------------------------------------------------[directive N6]
    PermisPullMode---------------------------------------------------------[directive N7]
    ShibRequireSession On
    require valid-user
</Location>
 

Multiple LDAP locations can be specified by using the directive PermisACLocation multiple times. PERMIS will now fetch (pull) X.509 attribute certificates from the locations specified in the PermisACLocation directive [directives N11 and N12].

When using SAAM you can specify a set of LDAP repositories to be used in pull mode inside your PERMIS policy. This can be accomplished by adding a “RepositoryPolicy” XML element to the main body of the XML document. The “RepositoryPolicy” element is a container for a set of “Repository” elements each of which should contain the URL for a single LDAP server.

In the PERMIS policy file, add a new RepositoryPolicy element:

<RepositoryPolicy>
     <Repository URL="ldap://site1.ac.uk"/>
     <Repository URL="ldap://site2.ac.uk"/>
</RepositoryPolicy>

PERMIS will now fetch (pull) X.509 attribute certificates from the locations specified by the RepositoryPolicy XML element inside the PERMIS policy file.

Note that the PermisACLocation directives and the RepositoryPolicy element inside the PERMIS policy are ignored if the PermisPullMode directive [directive N7] in the Apache configuration file is missing.

If you have any further queries regarding PERMIS SAAM, please contact either:

permis-users@jiscmail.ac.uk
or
permis-dev@jiscmail.ac.uk