work on idp pool name

d99404a0 · Adam Lewenberg · dbbae8ee · d99404a0 · d99404a0 · d99404a0
Commit d99404a0 authored 8 years ago by Adam Lewenberg
--- a/manifests/apache2.pp
+++ b/manifests/apache2.pp
@@ -12,4 +12,13 @@ class shibb_idp3::apache2 {
    content => template('shibb_idp3/etc/apache2/sites-available/shibboleth-idp.erb'),
  }

+  # We want the "officially" signed certificate and private key for the
+  # Apache front end. By default, apache::cert::comodo puts the key pair
+  # in /etc/ssl/certs/server.pem and /etc/ssl/private/server.key which is
+  # exactly where we want them to be.
+  apache::cert::comodo { "idp-${shibb_idp3::pool_name}":
+    ensure  => present,
+  }
+
+
 }
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -4,6 +4,17 @@ class shibb_idp3(
 {
  notify { 'Hello': }

+  # $pool_name will be the name to refer to the IDP pool and depends on
+  # the environment:
+  #   prod:  idp.stanford.edu
+  #   uat:   idp-uat.stanford.edu
+  #   test:  idp-test.stanford.edu
+  #   dev:   idp-dev.stanford.edu
+  case $env {
+    'prod':  { $pool_name = 'idp.stanford.edu' }
+    default: { $pool_name = "idp-${env}.stanford.edu" }
+  }
+
  # Install the tomcat8 main configuration file.
  file { '/etc/tomcat8/server.xml':
    source => 'puppet:///modules/shibb_idp3/etc/tomcat8/server.xml';

--- a/manifests/install.pp
+++ b/manifests/install.pp
@@ -42,7 +42,8 @@ class shibb_idp3::install {

  # Shibboleth IdP signing and encryption key. This should be a
  # self-signed certificate of at least 2048-bits with a distant
-  # expiration.
+  # expiration. Note that this key-pair is NOT the same as the key-pair
+  # used by the Apache server.
  apache::cert::comodo { "idp-metadata-${shibb_idp3::env}":
    ensure  => present,
    keyname => "ssl-key/idp-${shibb_idp3::env}.stanford.edu/metadata",

--- a/templates/etc/apache2/sites-available/shibboleth-idp.erb
+++ b/templates/etc/apache2/sites-available/shibboleth-idp.erb
@@ -14,12 +14,12 @@ JkMount /idp/* ajp13

  SSLEngine On

-#  #
-#  # Change these paths to point to the correct key & certificate
-#  #
-#  SSLCertificateFile /etc/ssl/certs/server.pem
-#  SSLCertificateKeyFile /etc/ssl/private/server.key
-#  SSLCACertificatePath /etc/ssl/certs
+  #
+  # Change these paths to point to the correct key & certificate
+  #
+  SSLCertificateFile /etc/ssl/certs/server.pem
+  SSLCertificateKeyFile /etc/ssl/private/server.key
+  SSLCACertificatePath /etc/ssl/certs

  ServerName idp-google.stanford.edu