SOCKET
QMShibb - Installation, configuration and testing
QMShibb is a web application that can be installed and tested in Apache Tomcat. Here's how to do it. I assume that the Questionmark Web Integrated Services environment (QMWISE) is installed on the IIS server running Perception and that Tomcat has been installed.
Setting up Perception and QMWISe for QMShibb
Go to the directory that contains the configuration file for Perception, probably Perception\server, and open the file Perception.ini (or Perceptionv4.ini). Look for these entries in the Enterprise Manager section:
Enable exlogin=0
Allow external EM entry =0
Simple EM checksum =0
Edit these to:
Enable exlogin=1
Allow external EM entry =1
Simple EM checksum =1
There may be a section in this file that refers to QMWISe. If so, look for the following entries in that section:
SecurityRequire=0 TrustRequire=0
Edit these to:
SecurityRequire=1 TrustRequire=0
Now go to the directory that contains QMWISE, probably Perception\server\qmwise, and open the file Web.config in a text editor. Look for the entries:
<add key="SecurityRequire" value="0" />
<add key="TrustRequire" value="0" />
Edit these to:
<add key="SecurityRequire" value="1" />
<add key="TrustRequire" value="0" />
Save the file and use the Enterprise Manager to reset the Perception dlls.
Installing and configuring QMShibb
Download the file QMShibb.war from the SOCKET Sourceforge site.
Put this file in the webapps directory of Tomcat (e.g. c:\Program Files\Tomcat 5.5\webapps). It will be automatically expanded with all of the directory structures and files needed.
Go to the QMShibb WEB-INF directory (e.g. c:\Program Files\Tomcat 5.5\webapps\QMShibb\WEB-INF) and open the file web.xml in a text editor. This file contains the configuration settings for QMShibb. Here is a description of the settings:
<context-param>
<param-name>
security
</param-name>
<param-value>
1
</param-value>
</context-param>
|
|
<context-param>
<param-name>
ClientID
</param-name>
<param-value>
Manager
</param-value>
</context-param>
|
|
<context-param>
<param-name>
checksum
</param-name>
<param-value>
xxxxxx
</param-value>
</context-param>
|
|
<context-param>
<param-name>
QMWISe-url
</param-name>
<param-value>
http://.../QMWISe/QMWISe.asmx
</param-value>
</context-param>
|
|
<context-param>
<param-name>
test-mode
</param-name>
<param-value>
1
</param-value>
</context-param>
|
|
<context-param>
<param-name>
test-user
</param-name>
<param-value>
ADent
</param-value>
</context-param>
|
|
<context-param>
<param-name>
test-firstname
</param-name>
<param-value>
Arthur
</param-value>
</context-param>
|
|
<context-param>
<param-name>
test-lastname
</param-name>
<param-value>
Dent
</param-value>
</context-param>
|
|
<context-param>
<param-name>
test-groups
</param-name>
<param-value>
test_group1;test_group2
</param-value>
</context-param>
|
|
<context-param>
<param-name>
create-account
</param-name>
<param-value>
1
</param-value>
</context-param>
|
|
<context-param>
<param-name>
join-existing-groups
</param-name>
<param-value>
1
</param-value>
</context-param>
|
|
<context-param>
<param-name>
create-groups
</param-name>
<param-value>
0
</param-value>
</context-param>
|
|
<context-param>
<param-name>
username-attribute
</param-name>
<param-value>
HTTP_..._eduPersonPrincipalName
</param-value>
</context-param>
|
|
<context-param>
<param-name>
fullname-attribute
</param-name>
<param-value>
HTTP_..._eduPersonNickname
</param-value>
</context-param>
|
|
<context-param>
<param-name>
firstname-attribute
</param-name>
<param-value>
HTTP_givenName
</param-value>
</context-param>
|
|
<context-param>
<param-name>
lastname-attribute
</param-name>
<param-value>
HTTP_sn
</param-value>
</context-param>
|
|
<context-param>
<param-name>
groups-separator
</param-name>
<param-value>
;
</param-value>
</context-param>
|
|
<context-param>
<param-name>
groups-attribute
</param-name>
<param-value>
HTTP_urn:bodington:member
</param-value>
</context-param>
|
|
You need to provide the username of a Perception administrator who has at least sufficient privilege to manage the server dlls and configure the server. Edit the ClientID parameter to that username. You also need to edit the checksum parameter. QMWISe comes with a test harness program that is designed to generate the checksum from the administrator's username and password. At the time of writing, the checksums generated by this program are incorrect. You can contact Questionmark for help with generating checksums. In the US you can email support@questionmark.com and in the UK you should contact helpdesk@questionmark.co.uk. If you have access to the installation of Microsoft SQL Server that hosts the Perception database, you can generate your own checksum as follows:
Open the SQL Server management application and connect to the server. Select the Perception database and open the Tables item. Select the table whose name ends in User (e.g. dbo.G_User). Right-click on this item and select Open Table. You should be able to locate the username of your chosen administrator in the User Name column. Next to it is the Password column. This contains 16-digit numbers that are the encrypted form of the password. Note the number corresponding to your chosen administrator. Close the SQL Server Management application. Open a web browser and go to http://pajhome.org.uk/crypt/md5/. In the input box type the username of the administrator followed immediately by the encrypted password. If you administrator's username is Admin and the encrypted password is 1234567887654321, then you should type Admin1234567887654321. The input is case-sensitive so make sure that the Caps Lock key on your keyboard is not on and make sure that there is no space between the username and the encrypted password. Now click on the MD5 button. The result is the checksum that you should enter in the checksum parameter in your web.xml file.
Go back to your web.xml file and make sure that the QMWISe-url parameter is correct for your setup. Set the test-mode parameter to 1 and save the web.xml file. Then restart Tomcat.
Testing QMShibb
Open a browser.
If your Tomcat is a standalone installation, go to the URL:
- http://path_to_Tomcat:8080/QMShibb/getaccessassessmentlist
If you have installed Tomcat into IIS, go to the URL:
-
http://path_to_IIS/QMShibb/getaccessassessmentlist
There will be a slight delay while the servlet is instantiated, but then you should be directed to the Perception list of assessments for Arthur Dent. This will probably be empty.
Open the Questionmark Enterprise Manager and look at the lists of Participants and Groups. Arthur Dent should now be one of your Participants and he should be the only member of a group called external_shibboleth_users. You can delete the Participant and the Group if you want to. Close the Enterprise Manager and go back to the directory containing the QMShibb web.xml file. Change the test-mode parameter to 0. Decide on a policy regarding automatic account and group creation and set the parameters appropriately. Save the web.xml file and restart Tomcat.
Shibboleth and QMShibb
Having established that QMShibb is working correctly, you must protect the servlets in the QMShibb directory. The easiest way to do this is to put the QMShibb servlets behind a Guanxi Service Provider Guard. This approach has the advantage that it will work irrespective of the location of Tomcat - on the Perception server, a VLE server or a third server. Alternatively, if you have installed Tomcat into the IIS server running Perception, you can install the Internet2 Service Provider and configure it to protect the QMShibb directory. Whichever method you choose, you will have to make sure that before you try using QMShibb, your Service Provider has exchanged the appropriate metadata and certificates with the Shibboleth Identity Provider(s) that you are going to use.
Posted at 12:26PM May 13, 2006 by Andrew G. Booth in Questionmark Perception |