more

0abd3fef · Adam Lewenberg · 59a5fcdb · 0abd3fef · 0abd3fef
Commit 0abd3fef authored 8 years ago by Adam Lewenberg
--- a/manifests/apache2.pp
+++ b/manifests/apache2.pp
@@ -55,6 +55,20 @@ class shibb_idp3::apache2(
    keyname => "ssl-key/${apache_pool_fqdn}",
  }

+
+  # Keytab used for ECP authentication on production systems
+  case "${shibb_idp3::env}" {
+    'prod': {
+      base::wallet { 'HTTP/idp-lb.stanford.edu':
+        path   => '/etc/http-krb5.keytab',
+        owner  => 'root',
+        group  => 'www-data',
+        mode   => '0640',
+        ensure => present;
+      }
+    }
+  }
+
  ## Apache Logs

  # Rotate Apache logs

--- a/manifests/install.pp
+++ b/manifests/install.pp
@@ -20,50 +20,4 @@ class shibb_idp3::install {
  }


-#  # Install this application's web.xml in /etc/shibboleth-idp. The
-#  file {
-#    '/etc/shibboleth-idp':
-#       ensure => directory;
-#    '/etc/shibboleth-idp/Catalina/':
-#       ensure => directory;
-#    '/etc/shibboleth-idp/Catalina/localhost':
-#       ensure => directory;
-
-
-  ## SECURITY
-
-  # Shibboleth IdP signing and encryption key. This should be a
-  # self-signed certificate of at least 2048-bits with a distant
-  # expiration. Note that this key-pair is NOT the same as the key-pair
-  # used by the Apache server.
-  #
-  # We make a soft-link to the public and private keys to make it easier
-  # for Shibboleth to find them.
-  $cert_name = "idp-metadata${shibb_idp3::host_suffix}"
-  apache::cert::comodo { $cert_name:
-    ensure  => present,
-    keyname => "ssl-key/idp${shibb_idp3::host_suffix}.stanford.edu/metadata",
-    symlink => false,
-  }
-
-  # Make soft-links to public and private keys. These paths should match those
-  # used in relying-party.xml
-  file { '/opt/shibboleth-idp/credentials/idp-saml.key':
-    ensure  => link,
-    target  => "/etc/ssl/private/${cert_name}.key",
-    require => [
-      Apache::Cert::Comodo[$cert_name],
-      Package['shibboleth-identity-provider'],
-    ]
-  }
-
-  file { '/opt/shibboleth-idp/credentials/idp-saml.pem':
-    ensure  => link,
-    target  => "/etc/ssl/certs/${cert_name}.pem",
-    require => [
-      Apache::Cert::Comodo[$cert_name],
-      Package['shibboleth-identity-provider'],
-    ]
-  }
-
 }