Project planning meeting - 5 June 2006
(Meeting rescheduled from 2 June 2006)
Present: Stuart Yeates (SY), Graham Klyne (GK)
Last report: SakaiVre/PlanningProgress/20060508
This report: SakaiVre/PlanningProgress/20060605
Next meeting: 19 June 2006, 09:00 SakaiVre/PlanningProgress/20060619
1. Agenda
- Review agenda
- Confirm date/time of next meeting
- Review actions outstanding at last meeting
- New activities and issues arising from current work
- Discussion of specific issues
2. Activity since last report
2.1. Actions closed
- 20060508.1
DONE. (Review Stuart's notes about WebAuth and Shibboleth. See SakaiVre/ShibbolethWebAuthIntegration)
2.2. Actions progressed
- 20060306.2
Stuart has successfully installed a Kerberos principal to interact with the local WebAuth system. Against the "master plan" for this strand of activity, the following have been completed:
- Install Kerberos software, needed to access WebAuth administration interface
- Test case: use WebAuth to protect static pages served by Apache HTTPD server
- For the time being, we have obtained details for InQueue federation membership to test our installation
- Install mod_jk for communicating between httpd and Tomcat
And progress has been made on the following:
- Shibboleth linked to SDSS federation:
- 20060508.2
- [GK - 20060512] Finish securing the Sakai VRE demonstrator system:
- GK has checked the SSHBlack logs and iptables, and it appears to be working. A large number of attacks logged since SSHBlack installation may have been a hangover from old system log files.
- Check that Sendmail is turned off, as we are using Postfix, but logwatch shows Sendmail is still active. GK rechecked the system and sendmail appears to be inactive. Maybe logwatch is raising spurious messages?
- 20060301.5
[SY - 20060519] Analysis of search requirements. SY did some work on FOAF information as a source of material for searching over - see SakaiVre/LDAPToFOAFIdea. This highlighted organizational as well as technical aspects to the kind of search facility envisaged.
GK gave an RTS talk about BioImage Web
2.3. New activities and notes
- 20060605.1
[GK] Review Stuart's notes on search requirements and FOAF (see SakaiVre/LDAPToFOAFIdea)
- 20060605.2
[SY] Review GK's notes on Shibboleth IdP installation (see ShibbolethInstallNotes)
- 20060605.3
[SY] Update Sakai installation notes to reflect Java 1.5 installation (see SakaiNotes)
3. Discussion
3.1. Apache Mod_JK connector
Mod_JK is the mechanism used by the Apache web server to pass requests to Tomcat for handling using Java Servlets.
We experienced problems installing this, due in part to errors in the Shibboleth configuration instructions for the JK option. Our notes now highlight the problem area and include more detailed instructions for configuring Mod_JK to work with the Shibboleth IdP (see ShibbolethInstallNotes).
After we succeeded in getting Mod_JK installed (see TomcatNotes), Stuart had some feedback from the Tomcat community suggesting that Mod_rewrite is the preferred way to achieve the same function (effectively diverting the HTTP request to Tomcat's Coyote HTTP server), despite being slower (supporting approximately half the request rate of Mod_JK). We'll stick with Mod_JK for the time being.
3.2. Shibboleth installation
GK/SY had some continuing difficulties with Apache Mod_JK, which were eventually overcome. (See above and TomcatNotes.)
GK has installed the Shibboleth IdP software, and this appears to be working but we can't tell for sure until the Service Provider module is also installed. (See ongoing action 20060306.2 below.)
3.3. Coordinating with other groups
Kang Tang (who works with David Wallom on the Campus Grid project) is spending some time working in the same office as GK and Christian Fernau, with the intent that we can share our knowledge and experiences, and work toward a common solution for Shibboleth deployment.
For the SakaiVre project, we still need to complete the task to define requirements and procedure to create a Shibboleth deployment, as we are planning to lead a multi-centre roll-out across the project.
3.4. Java on Linux
Stuart noted that, following a recent agreement between Sun and OS developers to allow inclusion of Java with Linux distributions, we may soon see new Java kits that are better integrated with Linux systems.
This should not affect our work, and we propose that unless some specific development forces our hand, we will stick with the current Java 1.5 distribution for our work with Sakai and Shibboleth.
3.5. Other
GK attended WWW2006 22-26 May. The main themes of the week were Semantic Web, mobile computing and security.
I was particularly interested to note that Semantic Web components are finding their way into a wide variety of Web-based systems, and the role of Semantic Web ideas in aggregating data from multiple sources is becoming much clearer. The recent publication of the SPARQL specification is a key element of this, coupled with recognition that there is no need to perform en masse conversion of existing data sources to RDF. (Added later: see also http://www.jisc.ac.uk/index.cfm?name=iwww_closing.)
Related to the mobile computing initiative is a W3C Ubiquitous Web activity, one aspect of which provides a cleaner solution to the problem for which inter-portlet communications have been proposed. See: http://trexy.com/search/mytrails.txy?trailid=828589, and in particular http://www.w3.org/TR/rex/ and http://www.ietf.org/html.charters/widex-charter.html.
SY attended a BECTA meeting, and noted that open source providers to BECTA are rolling out Shibboleth to schools.
SY also noted that ELGG (http://elgg.net/) are deploying FOAF and other Semantic Web components.
4. Summary of ongoing actions
- 20060306.2
[GK/SY - 20060526] Requirements and procedure to create a minimal Shibboleth deployment. The next key step is to install the Shibboleth service provider module, and test it in authentication of access to some static web pages, then to configure and test operations with the InQueue test federation. Against the "master plan" for this strand of activity, we now have:
Install Kerberos software, needed to access WebAuth administration interface DONE.
Test case: use WebAuth to protect static pages served by Apache HTTPD server DONE.
- Shibboleth linked to SDSS federation:
- Need to apply for membership of SDSS federation. (PENDING)
Install Shibboleth and link to WebAuth. Test case: Shibboleth-controlled access to locally served pages based on WebAuth credentials. (IN PROGRESS)
Obtain SDSS test account based on remote credentials. Also, identify remotely-served test pages (i.e. outside WebAuth domain). (PENDING)
- Test case: Shibboleth-controlled access to locally served pages based on remote credentials. (PENDING)
Test case: Shibboleth-controlled access to remotely served pages based on local WebAuth credentials. (PENDING)
- Test case: Shibboleth-controlled access to remotely served pages based on remote credentials. (PENDING)
For the time being, we have obtained details for InQueue federation membership to test our installation (DONE)
- Install mod_jk for communicating between httpd and Tomcat. (DONE)
- 20060508.2
- [GK - 20060512] Finish securing the Sakai VRE demonstrator system:
- Continue monitoring Logwatch for Sendmail activity
- Set up system backup via HSM (PENDING)
- 20060301.5
- [SY - 20060519] Analysis of search requirements.
- 20060301.10
- [GK - 20060519] Add Shibboleth authentication to Sakai: (Waiting for 20060306.2).
- 20060301.9
- [GK - 20060605] Port SPIE Shibboleth/WSRP (cf. work by Jasper Tredgold) to Sakai: (Waiting for 20060301.10) Install Shibboleth/WSRP software locally, and convert to work with Sakai. The main remaining unknown is to get Shibboleth attributes into the Sakai portal framework.
- 20060301.11
[GK - 20060327] Investigate Sakai background technologies (Spring, JSF) (See SakaiNotes; TODO: input concerning JSF.)
5. Notes for next meeting
(Matters arising following the meeting)
- Have arranged lunch with Kang Tang and Christian Fernau on Monday 5 June 2006, giving us some opportunity to informally discuss goals, progress, problems encountered, etc.
- 20060605 and 07: we had continuing problems with Shibboleth IdP installation. Went back to virgin Tomcat installation. Further problems encountered related to getting all configuration files and security tokens in the right places, and Tomcat security configuration, but in the end an apparently working installation was achieved. Next steps: attribute authority and service provider modules. Need to think about source of attributes (LDAP?) and review JNDI model.
- The SP module successfully installed and working. This too proved more difficult than the installation notes would suggest, mainly in getting the configuration right. Stuart reports success in getting attributes released from our LDAP into the Shibboleth SAML assertion, achieved by editing the attribute release policy configuration. (GK thinks... do we need to think about constructing a document, partly graphical, of configuration files and how they inter-relate?)
- 20060612: discovered problem with getting an assertion was due to earlier problems configuring port 8443 access, compounded by SELinux enforcement of prohibition of port listening by Apache server. Progressed with configuration of LDAP attribute authority and have this basically all working.
- 20060605.1
[GK] Review Stuart's notes on search requirements and FOAF (see SakaiVre/LDAPToFOAFIdea). DONE: see http://maillist.ox.ac.uk/ezmlm-cgi?3855:mss:67:200606:eclapdhlmkloeendedad.
-- GrahamKlyne 2006-06-05 10:56:56

