Class shib2idp::idp::configure
In: /etc/puppet/modules/shib2idp/manifests/classes/idp/configure.pp
Parent:

Class: shib2idp::idp::configure

This class executes the configure stage of the installation and configuration of the Shibboleth IdP on the Puppet agent machine.

The configure operations configure all Tomcat connectors and web applications needed to support Shibboleth IdP execution.

Parameters:

idpfqdn:This parameter must contain the fully qualified domain name of the IdP. This name must be the exact name used by client users to access the machine over the Internet. This FQDN, in fact, will be used to determine the CN of the certificate used for HTTPS. If the name is not identical to the server name specified by the client, the client's browser will raise a security exception.
keystorepassword:This parameter specifies the keystore password used to protect the keystore file on the IdP server. The value is written in clear text into the Tomcat server.xml connector attributes by the Augeas resources below; note that the two SSL connectors use different attribute names for it (`keypass` on the port 443 connector, `keystorePass` on the port 8443 connector), so confirm that both spellings are honoured by the Tomcat version in use.

Actions:

Requires:

Sample Usage: This class file is not called directly.

Resources

Resources

Augeas["server.xml_connector_443"]
   context => "/files/etc/tomcat6/server.xml/Server/Service[#attribute/name = 'Catalina']"
   changes => ["set Connector[last()+1] #empty", "set Connector[last()]/#attribute/port 443", "set Connector[last()]/#attribute/protocol HTTP/1.1", "set Connector[last()]/#attribute/SSLEnabled true", "set Connector[last()]/#attribute/maxThreads 150", "set Connector[last()]/#attribute/scheme https", "set Connector[last()]/#attribute/secure true", "set Connector[last()]/#attribute/clientAuth false", "set Connector[last()]/#attribute/sslProtocol TLS", "set Connector[last()]/#attribute/keyAlias idp2-tomcat-ssl", set Connector[last()]/#attribute/keystoreFile $idp_home/credentials/idp2.ssl.jks, set Connector[last()]/#attribute/keypass $keystorepassword]
   onlyif => "get Connector/#attribute/port[../port = '443'] == ''"
   require => Augeas["server.xml_connector_8443"]
Augeas["server.xml_connector_80"]
   context => "/files/etc/tomcat6/server.xml/Server/Service[#attribute/name = 'Catalina']"
   changes => ["set Connector[#attribute/port = '8080']/#attribute/port 80"]
   onlyif => "get Connector/#attribute/port[../port = '80'] == ''"
   require => Augeas["server.xml_connector_443"]
Augeas["server.xml_connector_8443"]
   context => "/files/etc/tomcat6/server.xml/Server/Service[#attribute/name = 'Catalina']"
   changes => ["set Connector[last()+1] #empty", "set Connector[last()]/#attribute/port 8443", "set Connector[last()]/#attribute/protocol org.apache.coyote.http11.Http11Protocol", "set Connector[last()]/#attribute/SSLImplementation edu.internet2.middleware.security.tomcat6.DelegateToApplicationJSSEImplementation", "set Connector[last()]/#attribute/scheme https", "set Connector[last()]/#attribute/SSLEnabled true", "set Connector[last()]/#attribute/clientAuth true", "set Connector[last()]/#attribute/keystoreFile /opt/shibboleth-idp/credentials/idp.jks", set Connector[last()]/#attribute/keystorePass $keystorepassword]
   onlyif => "get Connector/#attribute/port[../port = '8443'] == ''"
   require => Exec["apps_wget_dtassl"]
Augeas["tomcat6_authbind"]
   context => "/files/etc/default/tomcat6"
   changes => ["defvar authcomment *[. = 'AUTHBIND=no']", "ins AUTHBIND after $authcomment", "set AUTHBIND yes"]
   onlyif => "get AUTHBIND != 'yes'"
   require => Augeas["server.xml_connector_80"]
Augeas["tomcat6_javahome"]
   context => "/files/etc/default/tomcat6"
   changes => ["defvar javahome *[. =~ regexp('JAVA_HOME.*')]", "ins JAVA_HOME after $javahome", set JAVA_HOME $shib2idp::prerequisites::java_home]
   onlyif => get JAVA_HOME != '$shib2idp::prerequisites::java_home'
   require => Augeas["tomcat6_authbind"]
Exec["apps_semaphore_shibboleth_configured"]
   cwd => "/usr/local/src"
   command => "/bin/echo configured > /usr/local/src/shibboleth-identityprovider/.puppet"
   require => Augeas["tomcat6_javahome"]
Exec["apps_wget_dtassl"]
   command => /usr/bin/wget https://build.shibboleth.net/nexus/content/repositories/releases/edu/internet2/middleware/security/tomcat6/tomcat6-dta-ssl/1.0.0/tomcat6-dta-ssl-1.0.0.jar -O $tomcat::tomcat_home/lib/tomcat6-dta-ssl-1.0.0.jar
   require => [Package["wget"], File_line["idp_environment_rule_2"]]

Configure Shibboleth IdP

File_line["idp_environment_rule_1"]
   ensure => present
   path => "/etc/environment"
   line => "JAVA_ENDORSED_DIRS=/usr/share/tomcat6/endorsed"
   require => Notify["configuring"]
File_line["idp_environment_rule_2"]
   ensure => present
   path => "/etc/environment"
   line => IDP_HOME=$idp_home
   require => File_line["idp_environment_rule_1"]
Notify["check_certs"]
   message => "check for new certificates"
   require => Exec["apps_semaphore_shibboleth_configured"]
Notify["securitizing"]
   message => "securitizing"
   require => Exec["apps_semaphore_shibboleth_configured"]
