Confluence and Oracle 11g

January 25th, 2013 No comments

What is Confluence?
Wikipedia entry says:

Confluence is team collaboration software. Written in Java and mainly used in corporate environments, Confluence is developed and marketed by Atlassian.

Oracle Database Back-end
Confluence consists of two parts: the front-end is the Confluence software itself, and behind it sits a back-end database. We are going to use Oracle 11g as the back-end database for Confluence. Download the latest Oracle 11g database from Oracle. We also need the latest Oracle 11g JDBC drivers (ojdbc6.jar and orai18n.jar). Make sure you use the right version of the JDBC libraries for your version of Oracle. I am using Oracle 11.2.0, so I need the 11.2.0.1.0 versions of ojdbc6.jar and orai18n.jar.

Read the Confluence instructions for the Oracle database setup.

Oracle 11g Install
This is fairly simple if you keep a few things in mind. The install is done via a GUI, so have your display (and its permissions) set up properly if you are performing the install remotely. I use X forwarding in an SSH session:

ssh -X -l oracle <confluence_db_server>

The other thing to remember is to set the project.max-shm-memory resource control so that Oracle has enough shared memory to run and create the database:

projadd -U oracle -K "project.max-shm-memory=(priv,10GB,deny)" user.oracle
projmod -K "project.max-shm-memory=(priv,16GB,deny)" user.oracle

I’ve found that I need 16GB to install, but others have found 10GB sufficient.

Once Oracle 11 is installed and the database for Confluence has been created, we need to create a user and schema in the Oracle database (the Confluence instance) and grant this user the connect and resource privileges:

> sqlplus /nolog
SQL*Plus: Release 11.2.0.1.0 Production on Fri Jan 25 11:29:17 2013
Copyright (c) 1982, 2009, Oracle.  All rights reserved.
SQL> connect / as sysdba
Connected.
SQL> create user confluence identified by ***********;
User created.
SQL> grant connect to confluence;
Grant succeeded.
SQL> grant create table to confluence;
Grant succeeded.
SQL> grant create trigger to confluence;
Grant succeeded.
SQL> create view confluence.all_object as select * from sys.all_objects where owner = upper('confluence');
View created.

To verify that your database and user have been created, use these commands:

SQL> select * from all_users;
USERNAME                          USER_ID CREATED
------------------------------ ---------- ---------------
CONFLUENCE                             91 25-JAN-13
BI                                     90 24-JAN-13
PM                                     89 24-JAN-13
<cut>

Log in as the confluence user and create a table:

sqlplus confluence/<password>@confluence_db_SID
SQL*Plus: Release 11.2.0.1.0 Production on Mon Jan 28 12:39:21 2013
Copyright (c) 1982, 2009, Oracle.  All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> create table employee (empid char(9) not null, primary key (empid));
Table created.
SQL> select * from session_privs;
PRIVILEGE
----------------------------------------------
CREATE SESSION
UNLIMITED TABLESPACE
CREATE TABLE
CREATE CLUSTER
CREATE SEQUENCE
CREATE PROCEDURE
CREATE TRIGGER
CREATE TYPE
CREATE OPERATOR
CREATE INDEXTYPE
10 rows selected.
SQL>

As the oracle user, run the listener status command to get all the Oracle info needed for the Confluence software setup:

> lsnrctl status
LSNRCTL for Solaris: Version 11.2.0.1.0 - Production on 28-JAN-2013 14:33:25
Copyright (c) 1991, 2009, Oracle.  All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Solaris: Version 11.2.0.1.0 - Production
Start Date                28-JAN-2013 13:22:41
Uptime                    0 days 1 hr. 10 min. 45 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /oracle/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
Listener Log File         /oracle/app/oracle/diag/tnslsnr/ence/listener/alert/log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=CONFLUENCE_DB_HOST)(PORT=1521)))
Services Summary...
Service "CONFLUENCE_ORACLE_SID" has 1 instance(s).
  Instance "CONFLUENCE_ORACLE_SID", status READY, has 1 handler(s) for this service...
Service "CONFLUENCE_ORACLE_SIDXDB" has 1 instance(s).
  Instance "CONFLUENCE_ORACLE_SID", status READY, has 1 handler(s) for this service...
The command completed successfully

Confluence Install
Download the latest Confluence software from Atlassian. I downloaded the tar.gz file for Linux and transferred it to my Solaris 10 zone.

Create the confluence directory and unpack the archive:

mkdir -p /usr/local/confluence
cd /usr/local/confluence
/usr/sfw/bin/gtar zxvf /var/tmp/atlassian-confluence-4.3.6.tar.gz

If you do not have a confluence user on your system, create one and change the ownership of the files to this user:

useradd -d /usr/local/confluence confluence
chown -R confluence /usr/local/confluence

Configure Confluence

First of all we need to set the directory for the local data, by editing confluence-init.properties:

vi /usr/local/confluence/confluence-4.3.6/confluence/WEB-INF/classes/confluence-init.properties

Uncomment the last line and add your location:

confluence.home=/usr/local/confluence/var/

Create the directory and make it owned by the confluence user:

mkdir -p /usr/local/confluence/var
chown confluence /usr/local/confluence/var

Configure the datasource resource by editing the server.xml file and entering the Oracle database information:

vi /usr/local/confluence/confluence-4.3.6/conf/server.xml

Add the following just above the <Manager pathname=""> element, under the Host -> Context section:

         <Resource
         name="jdbc/confluence"
         auth="Container"
         type="javax.sql.DataSource"
         driverClassName="oracle.jdbc.OracleDriver"
         url="jdbc:oracle:thin:@hostname:port:sid"
         username="<username>"
         password="<password>"
         connectionProperties="SetBigStringTryClob=true"
         maxActive="25"
         maxIdle="5"
         maxWait="10000"
         />

Replace the hostname with the Confluence Oracle database server, and the sid with the Confluence database SID. The port is the Oracle standard port of 1521, unless you are running the Confluence Oracle database on a different port.

Lastly, we must insert a reference to this datasource by editing the web.xml file:

vi /usr/local/confluence/confluence-4.3.6/confluence/WEB-INF/web.xml

Add the following lines before the </web-app> tag:

<resource-ref>
    <description>Connection Pool</description>
    <res-ref-name>jdbc/confluence</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
</resource-ref>

Confluence Startup and Shutdown
There are startup and shutdown scripts in the bin directory. We can proceed to start up Confluence and continue through the install using the wizard:

/usr/local/confluence/confluence-4.3.6/bin/startup.sh

If all is well you will see the Java process that is running Confluence in your process list:

ps -ef|grep java
 cfeuser  5427  5423   0 10:30:36 pts/4       0:00 grep java
 cfeuser  5158  4662   0 10:25:02 ?           5:32 /usr/bin/java  Djava.util.logging.config.file=/usr/local/confluence/conf/loggin

Confluence Configuration Wizard
You now need to complete your setup using the web wizard. Fire up your favourite browser and point it at your Confluence server on the right port. Here my configuration (server.xml) says port 8090:

more conf/server.xml
<Server port="8000" shutdown="SHUTDOWN" debug="0">
    <Service name="Tomcat-Standalone">
        <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8090" minProcessors="5" maxProcessors="75"

[cut]

WordPress and Shibboleth

September 20th, 2012 2 comments

There are a few issues to get into before going ahead and making WordPress work with Shibboleth (this will come later once I’ve installed Shibboleth and got it working.)

What is Shibboleth?

Wikipedia entry says this:

Shibboleth is a ‘single-sign in’, or logging-in system for computer networks and the internet. It allows people to sign in, using just one ‘identity’, to various systems run by ‘federations’ of different organizations or institutions. The federations are often universities or public service organizations.

Apache2 Shibboleth Module

Before we can do anything, we need to build the module for our Apache2 webserver so that we can use Shibboleth authentication. The Shibboleth site gives full detail on how to do this on Solaris and this will be the documentation I shall be following:

I have used the Apache2 HTTP server downloaded and installed as packages from the Sunfreeware software site (download here if you don’t want to register), so I am hoping that this build will work with it. These packages are installed in /usr/local and the following were needed.

binutils-2.21.1a-sol10-sparc-local  libgcc-3.4.6-sol10-sparc-local
gdbm-1.9.1-sol10-sparc-local        libiconv-1.14-sol10-sparc-local
libintl-3.4.0-sol10-sparc-local     libidn-1.25-sol10-sparc-local
libssh2-1.4.2-sol10-sparc-local     libintl-3.4.0-sol10-sparc-local
perl-5.12.3-sol10-sparc-local       jpeg-8d-sol10-sparc-local
apache-2.2.22-sol10-sparc-local     libtool-2.4.2-sol10-sparc-local
curl-7.26.0-sol10-sparc-local       libxml2-2.8.0-sol10-sparc-local
db-4.7.25.NC-sol10-sparc-local      mysql-5.0.67-sol10-sparc-local
expat-2.0.1-sol10-sparc-local       openldap-2.4.30-sol10-sparc-local
freetds-0.91-sol10-sparc-local      openssl-1.0.1c-sol10-sparc-local
freetype-2.4.2-sol10-sparc-local    php-5.3.16-sol10-sparc-local
gcc-3.4.6-sol10-sparc-local         sasl-2.1.25-sol10-sparc-local
gd-2.0.35-sol10-sparc-local         zlib-1.2.7-sol10-sparc-local

These could be split into an install for Apache-WordPress and an install for Shibboleth, but I will leave them as they are for now. From the Shibboleth Native Solaris build page, I downloaded the following and proceeded to compile them as per the instructions. There are issues with following the page – mainly that they don’t work!

Here are the compilation lines I used:

/usr/sfw/bin/gtar zxf boost-1.51.tar.gz
chown -R bin:bin boost_1_51_0/
mv boost_1_51_0/ /usr/local

/usr/sfw/bin/gtar zxf log4shib-1.0.5.tar.gz
cd log4shib-1.0.5
setenv CC gcc
setenv CXX g++
setenv PATH $PATH":/usr/local/bin"
./configure --disable-static --disable-doxygen
/usr/sfw/bin/gmake
/usr/sfw/bin/gmake install
cd ..

/usr/sfw/bin/gtar zxf xerces-c-3.1.1.tar.gz
cd xerces-c-3.1.1
setenv LD_LIBRARY_PATH /usr/local/lib
./configure --enable-netaccessor-socket
/usr/sfw/bin/gmake
/usr/sfw/bin/gmake install
cd ..

/usr/sfw/bin/gtar zxf xml-security-c-1.7.0.tar.gz
cd xml-security-c-1.7.0
./configure --with-openssl=/usr/local/ssl --with-xerces
/usr/sfw/bin/gmake

At this point, if you get an error like this:

o   -lxerces-c -lsocket -lm   -L/usr/local/ssl/lib -lcrypto -lssl
../libtool: line 6031: cd: yes/lib: No such file or directory
libtool: link: cannot determine absolute directory name of `yes/lib'
gmake[2]: *** [libxml-security-c.la] Error 1
gmake[2]: Leaving directory `/var/tmp/SSO/SHIB/xml-security-c-1.7.0/xsec'

Then edit the ‘Makefile’ and ‘xsec/Makefile’ files and remove the ‘-Lyes/lib’ setting for LDFLAGS and the ‘-Iyes/include’ setting for CPPFLAGS. (The bare --with-xerces flag is recorded by configure as the value ‘yes’, which is why ‘yes/lib’ turns up as a path.)

vi Makefile
vi xsec/Makefile
/usr/sfw/bin/gmake
/usr/sfw/bin/gmake install
cd ..

/usr/sfw/bin/gtar zxf xmltooling-1.5.1.tar.gz
cd xmltooling-1.5.1
./configure --with-log4shib=/usr/local --with-curl=/usr/local \
--with-openssl=/usr/local/ssl --with-boost=/usr/local/boost_1_51_0
/usr/sfw/bin/gmake
/usr/sfw/bin/gmake install
cd ..

/usr/sfw/bin/gtar zxf opensaml-2.5.0.tar.gz
cd opensaml-2.5.0
./configure --with-log4shib=/usr/local --with-boost=/usr/local/boost_1_51_0 \
--with-openssl=/usr/local/ssl

If you get an error like the following:

checking xmltooling/XMLToolingConfig.h presence... yes
checking for xmltooling/XMLToolingConfig.h... yes
configure: error: unable to link with XMLTooling, or version was too old

Then edit the ‘configure’ script and remove the XMLTooling check:

if ac_fn_cxx_try_link "$LINENO"; then :

else
  as_fn_error $? "unable to link with XMLTooling, or version was too old" "$LINENO" 5
fi

Then run the configure again.

./configure --with-log4shib=/usr/local --with-boost=/usr/local/boost_1_51_0 \
--with-openssl=/usr/local/ssl
/usr/sfw/bin/gmake
/usr/sfw/bin/gmake install
cd ..

/usr/sfw/bin/gtar zxf shibboleth-sp-2.5.0.tar.gz
cd shibboleth-sp-2.5.0
./configure --with-log4shib=/usr/local --with-boost=/usr/local/boost_1_51_0 \
--enable-apache-22 --with-apxs22=/usr/local/apache2/bin/apxs

Again if you come across the configuration error message:

checking xmltooling/base.h presence... yes
checking for xmltooling/base.h... yes
configure: error: unable to link with XMLTooling, or version was too old

Then edit the configure script, removing the lines:

if ac_fn_cxx_try_link "$LINENO"; then :

else
  as_fn_error $? "unable to link with XMLTooling, or version was too old" "$LINENO" 5
fi

If you get the configuration error message:

checking for saml/saml2/metadata/Metadata.h... yes
configure: error: unable to link with OpenSAML, or version was too old

Again edit this out from the configure script:

if ac_fn_cxx_try_link "$LINENO"; then :

else
  as_fn_error $? "unable to link with OpenSAML, or version was too old" "$LINENO" 5
fi

We know that we are using the latest XMLTooling and OpenSAML! Run the configure script again:

./configure --with-log4shib=/usr/local --with-boost=/usr/local/boost_1_51_0 \
--enable-apache-22 --with-apxs22=/usr/local/apache2/bin/apxs
/usr/sfw/bin/gmake
/usr/sfw/bin/gmake install

After a long while, if the compilation drops out with this error:

Undefined                       first referenced
 symbol                             in file
xmltooling::AbstractPKIXTrustEngine::validate(x509_st*, stack_st*, xmltooling::CredentialResolver const&, xmltooling::CredentialCriteria*) const../shibsp/.libs/libshibsp.so
non-virtual thunk to xmltooling::AbstractPKIXTrustEngine::validate(x509_st*, stack_st*, xmltooling::CredentialResolver const&, xmltooling::CredentialCriteria*) const../shibsp/.libs/libshibsp.so
ld: fatal: symbol referencing errors. No output written to .libs/shibd
collect2: ld returned 1 exit status
gmake[2]: *** [shibd] Error 1

Then do a make clean and run the configure script again with a path to XMLTooling:

/usr/sfw/bin/gmake clean
./configure --with-log4shib=/usr/local --with-openssl=/usr/local/ssl \
--with-boost=/usr/local/boost_1_51_0 --enable-apache-22 \
--with-apxs22=/usr/local/apache2/bin/apxs --with-xmltooling=/usr/local/lib -C

/usr/sfw/bin/gmake
/usr/sfw/bin/gmake install

Make sure you have openssl in your PATH, because the make install will need it to generate the certificate for your Shibboleth server. However, don’t worry if it fails to generate the certificate at install time; you can do this manually by running the keygen.sh (-b) script in the /usr/local/etc/shibboleth directory.

Apache2 Shibboleth Module
Now that we have compiled and installed the Shibboleth SP software, if it has not added the module to our Apache2 configuration file, we need to add the following:

LoadModule mod_shib /usr/local/lib/shibboleth/mod_shib_22.so
<Location /Shibboleth.sso>
        SetHandler shib
</Location>

Restart Apache to see if it starts up OK and that the module has been successfully compiled and installed.

Setting up IdP and SP
So the server that your WordPress install is on needs the Shibboleth daemon (the software we just compiled and installed) running. The first thing to do is to write a startup/shutdown script for the shibd process.

vi /etc/init.d/shibd

#!/sbin/sh

case "$1" in
'start')
        /usr/local/sbin/shibd &
        ;;
'stop')
        pkill -INT shibd
        ;;
esac

cd /etc/rc3.d
ln -s ../init.d/shibd S99shibd

Then test out the script:

./shibd start
ps -ef|grep shib
    root  2942 19382   0 12:07:02 pts/1       0:00 grep shib
    root  2940  2693   0 12:06:57 ?           0:00 /usr/local/sbin/shibd

/etc/init.d/shibd stop
ps -ef|grep shib
    root  2996 19382   0 12:12:45 pts/1       0:00 grep shib

First you need to configure your IdP to recognise your SP. Log onto your IdP server and edit attribute-filter.xml, adding an entry for your server to the relevant section:

<basic:Rule xsi:type="basic:AttributeRequesterString" value="https://SERVER.DOMAIN/shibboleth" />

where SERVER.DOMAIN is the fully qualified name of your WP server.

Now we configure Shibboleth SP on our WP server:

vi /usr/local/etc/shibboleth/shibboleth2.xml

making sure the details of your IdP are in there, and that under the entry for your WP server you have ‘uid’ within the REMOTE_USER attribute.

We need to allow the uid to be passed to us so we also need to edit the attributes in attribute-map.xml, adding these lines or checking that they are present:

    <Attribute name="urn:mace:dir:attribute-def:uid" id="uid">
        <AttributeDecoder xsi:type="StringAttributeDecoder"/>
    </Attribute>
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid">
        <AttributeDecoder xsi:type="StringAttributeDecoder"/>
    </Attribute>
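As an added example (not part of the original post), the following Python reads attribute-map.xml and shibboleth2.xml and checks the two things this section depends on: that both uid attribute names decode to id="uid", and that uid is listed in the REMOTE_USER attribute of ApplicationDefaults, where the SP takes the first listed id that has a value. The XML documents are constructed inline and the entityID is a placeholder.

```python
import xml.etree.ElementTree as ET

# Both names the post adds to attribute-map.xml; an IdP may release either form.
UID_ATTRIBUTE_NAMES = {"urn:mace:dir:attribute-def:uid", "urn:oid:0.9.2342.19200300.100.1.1"}

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip an XML namespace: '{urn:x}Attribute' -> 'Attribute'

def uid_mappings(attribute_map_xml):
    """Return {attribute name: id} for every <Attribute> decoded with id="uid"."""
    root = ET.fromstring(attribute_map_xml)
    return {a.get("name"): a.get("id") for a in root.iter()
            if _local(a.tag) == "Attribute" and a.get("id") == "uid"}

def remote_user_ids(shibboleth2_xml):
    """Return the REMOTE_USER ids from <ApplicationDefaults>, in the order the SP tries them."""
    root = ET.fromstring(shibboleth2_xml)
    app = next((e for e in root.iter() if _local(e.tag) == "ApplicationDefaults"), None)
    return app.get("REMOTE_USER", "").split() if app is not None else []

def check_sp_uid(attribute_map_xml, shibboleth2_xml):
    """List what would stop uid reaching REMOTE_USER for the WordPress plugin; empty is good."""
    problems = []
    mapped = uid_mappings(attribute_map_xml)
    for missing in sorted(UID_ATTRIBUTE_NAMES - set(mapped)):
        problems.append(f'attribute-map.xml: {missing} is not mapped to id="uid"')
    ids = remote_user_ids(shibboleth2_xml)
    if "uid" not in ids:
        problems.append("shibboleth2.xml: 'uid' is missing from ApplicationDefaults REMOTE_USER")
    elif ids.index("uid") > 0:
        # The SP uses the first listed id that carries a value, so earlier ids win if released.
        problems.append(f"shibboleth2.xml: {ids[:ids.index('uid')]} take precedence over uid")
    return problems

# Constructed samples (not the post's real files): the map with the two uid entries and an
# ApplicationDefaults carrying the stock REMOTE_USER list, with and without uid in front.
ATTRIBUTE_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Attribute name="urn:mace:dir:attribute-def:uid" id="uid">
    <AttributeDecoder xsi:type="StringAttributeDecoder"/>
  </Attribute>
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid">
    <AttributeDecoder xsi:type="StringAttributeDecoder"/>
  </Attribute>
</Attributes>"""
SHIBBOLETH2_STOCK = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://SERVER.DOMAIN/shibboleth"
      REMOTE_USER="eppn persistent-id targeted-id"/>
</SPConfig>"""
SHIBBOLETH2_UID_FIRST = SHIBBOLETH2_STOCK.replace('REMOTE_USER="', 'REMOTE_USER="uid ')

if __name__ == "__main__":
    print(check_sp_uid(ATTRIBUTE_MAP, SHIBBOLETH2_STOCK))      # uid missing
    print(check_sp_uid(ATTRIBUTE_MAP, SHIBBOLETH2_UID_FIRST))  # []
```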

You will also need to add your SP’s metadata to your IdP. To do that, go to your WordPress server to fetch the metadata: https://WP.DOMAIN.COM/Shibboleth.sso/Metadata

This should come down as a file; insert its content into a file called local-metadata.xml in the metadata directory of the Shibboleth install.

WordPress Shibboleth plugin

The WordPress Shibboleth plugin is available to download and install here. We will ignore the fact that it is over 2 years old – shall we? We will ignore the fact it mentions WordPress MU (not Multisite – MS) too! (Well, until we come across a problem with using it on a WordPress MS installation.)

After a lot of Googling for help on getting the Shibboleth plugin to work, I’ve managed to modify the code sufficiently so that it does the job for me with WordPress Multisite 3.4.2 (I’m sure it will work with 3.5 too.) You can download it here: shibboleth-new.zip

Once the Shibboleth plugin has been activated, it should look like this in the Network Dashboard:

In the Settings menu you should have a Shibboleth entry, clicking on it will open up the settings page for Shibboleth. Fill in the Session Initiator URL to be your WordPress server/Shibboleth.sso/Login. The Logout URL should be the same with /Logout. I have also filled in the Password Change URL as we do have a password changing page for our LDAP users. Other options are up to you. Select the Allow sitewide redirects.

For the User Profile Data, I have set the following:

Username uid
First name givenName
Last name sn
Nickname uid
Display Name displayName
Email Address mail

All are managed except the first (Username). The rest of the Shibboleth plugin configuration is not filled in.

Document Root Configuration
Back on the WordPress server (Apache2), in the document root directory, make a directory ‘shibboleth-sp’. Put a logout image here for when a user logs off the system, called ‘logo.jpg’.

Edit the .htaccess file to have these lines:

RewriteRule ^Shibboleth\.sso - [L]

# BEGIN Shibboleth
AuthType Shibboleth
Require Shibboleth
# END Shibboleth