On this page you will find instructions on how to set up a Moonshot RP Proxy (RPP) on Debian or Ubuntu. The instructions also cover installing and configuring the Trust Router client, if you are going to use the Trust Router infrastructure.

Tip

If your organisation already has a Moonshot Identity Provider, this can also be used as a Moonshot RP Proxy - you may not need to install a Moonshot RP Proxy as well.


Install the Moonshot RP Proxy

We’re now ready to install the Moonshot software and its required dependencies. Install the software by running the following command:


If you try to start FreeRADIUS at this point, it will fail because the certificates it requires have not been generated yet; they are created in step 4.1 below.

Configure the Moonshot RP Proxy

Next, we need to configure the Moonshot RP.

Configure FreeRADIUS

Channel Binding Support

We next need to configure your FreeRADIUS server to support channel bindings.

  1. Open /etc/freeradius/sites-available/abfab-tls for editing:
    1. Scroll to the client default stanza at the bottom of the file
    2. Edit the stanza to match the below:


      gss_acceptor_realm_name

      For simple deployments, specify the same RP realm as in the rp_realm option in Section 4.1 below; this usually matches your IDP Realm. For extended pilots or production environments, specify a realm value that will match all the hosts you will be connecting to your RP Proxy.

      Additionally, you must add a domain wildcard constraint in the Jisc Assent Portal that will match this realm value.


    3. If you have any other client definitions here, for example to distinguish between internal and external clients, also apply the change to them.
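
A way to confirm that the change reached every client definition, as an added example that is not part of the original instructions: it lists client stanzas that lack the setting. It assumes the option is written as `gss_acceptor_realm_name = <value>` directly inside each `client <name> {` block; the sample configuration and its realm and addresses are constructed.

```sh
#!/bin/sh
# Added example, not from the Moonshot documentation.
# Assumption: the option is written as "gss_acceptor_realm_name = <value>"
# directly inside each "client <name> {" block.

# Print the name of every client stanza in file $1 that lacks the option.
clients_missing_realm() {
    awk '
        { sub(/#.*/, "") }                       # commented-out settings do not count
        !in_client && $1 == "client" && $NF == "{" {
            name = $2; base = depth; found = 0; in_client = 1
        }
        in_client && depth == base + 1 &&
            /^[ \t]*gss_acceptor_realm_name[ \t]*=[ \t]*[^ \t]/ { found = 1 }
        { depth += gsub(/[{]/, "{") - gsub(/[}]/, "}") }   # track brace nesting
        in_client && depth == base {             # stanza just closed
            if (!found) print name
            in_client = 0
        }
    ' "$1"
}

# Constructed sample: "external" has the option only as a comment.
sample_config() {
    cat <<'EOF'
clients radius-accept {
    client default {
        ipaddr = 0.0.0.0/0
        proto = tls
        gss_acceptor_realm_name = "rp.example.org"
        limit {
            max_connections = 16
        }
    }
    client external {
        ipaddr = 192.0.2.0/24
        proto = tls
        # gss_acceptor_realm_name = "rp.example.org"
    }
}
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
clients_missing_realm "$tmp"
rm -f "$tmp"
```

Run `clients_missing_realm /etc/freeradius/sites-available/abfab-tls` against the real file; no output means every client stanza carries the setting.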

Configure the Trust Router Client

If you are going to connect your Moonshot RP Proxy to a Trust Router network, then the next step involves configuring the Trust Router client software and configuring its connection to a Trust Router.

Testing

Now that we have the Moonshot RP Proxy installed and configured, we're ready to test!

Tip

At this point you probably want two consoles open on the server, so that you can manually run various components separately.

Testing FreeRADIUS locally

The first test is to check whether FreeRADIUS is working in its most basic manner.

  1. In window 1, run (as the freerad user)


  2. Check that no errors are output.

Testing the Trust Router connection

To test the connection to Trust Router, we need to make sure the Temporary Identity Server (TIDS) software is running, then use the Temporary Identity Client (TIDC) software to simulate a connection to the Trust Router.

Testing using the Temporary Identity Client (TIDC)

  1. In window 2, (as the freerad user) run the tidc command:


    This uses the "tidc" binary, which is invoked as follows: tidc [hostname-of-trust-router] [rp-realm] [hostname-of-apc-server] [apc-name]


  2. If the Trust Router connection was successful, you should see something like the following:

    In window 2 - TIDC output


Next Steps

At this point, you have a Moonshot RP that is working and registered with a Trust Router. Now for the next steps:

Automatically start the software

FreeRADIUS

To automatically start FreeRADIUS, issue the following command (as root):

Configure clients

The next step is to .