This space contains the old OpenAthens SP documentation and is no longer maintained.
OpenAthens SP software is already out of support and will reach end of life in May 2020.

Check out OpenAthens Keystone instead. It's supercool and makes dealing with SAML much easier.


This page will help you create a self-signed key pair and install it where OpenAthens SP expects it. Skip ahead to "Move an existing certificate pair to the expected location" if you already have one to use (e.g. if you are upgrading from Shibboleth).

Create a self-signed certificate

The standard install creates a keys directory at /usr/share/atacama-platform/keys. In this folder there is a script that will generate a self-signed keypair valid for 10 years. To run it:

cd /usr/share/atacama-platform/keys

sudo ./gen_self_signed_cert.sh 'yourdomain.com' 'Short Description'

The script places the key in the same directory, which is where OpenAthens SP expects to find it.


Move an existing certificate pair to the expected location

If you already have a key pair, concatenate the private key and its certificate into one PEM file, private key first, in the order shown:

 Example file
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

...and place it in the /usr/share/atacama-platform/keys directory (the same directory the self-signed script writes to), named after your domain, e.g. yourdomain.com.pem.

Because this one file also holds the private key, check its permissions and SELinux security context before the SP reads it:

ls -Z yourdomain.com.pem

-rw-r--r--. root root unconfined_u:object_r:usr_t:s0   yourdomain.com.pem

If you see anything different from the above, change it with the following commands (chcon needs the file name, and the s0 level is set with -l, separately from the usr_t type):

sudo chmod 644 yourdomain.com.pem

sudo chown root:root yourdomain.com.pem

sudo chcon -u unconfined_u -r object_r -t usr_t -l s0 yourdomain.com.pem

Note that mode 644 makes the file, private key included, readable by every local account on the host. The mode shown above is what this page expects; if you have confirmed that the SP service reads the key as root you can tighten it to 600, and if it reads the key as a dedicated service account you can use 640 with that account's group as the group owner. Do not guess the account: a key the service cannot read breaks the SP.
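The steps above (concatenate, place, check, fix) carried out as one shell script, added here as an example; it is not code from the OpenAthens SP documentation or software. It takes the key directory /usr/share/atacama-platform/keys, the file name pattern yourdomain.com.pem and the expected mode, owner and SELinux label from this page; everything else is this example's own: the function names, the constructed placeholder key and certificate bodies (not real key material), the assumption that the SELinux check runs on Linux with GNU coreutils (stat -c %C and chcon), and the choice to refuse an encrypted private key, since nothing on this page configures a passphrase. It also creates the combined file under umask 077, so the private key is never world-readable between creation and the chmod the page prescribes.

```shell
#!/bin/sh
# Added example, not code from the OpenAthens SP documentation or software.
# Assumptions (not stated by the page): Linux with GNU coreutils for the
# SELinux part; the function names are this example's own; the sample key and
# certificate bodies written by make_sample_inputs are constructed placeholders.

KEY_DIR=/usr/share/atacama-platform/keys    # from the page
WANT_MODE='-rw-r--r--'                      # from the page's ls -Z listing
WANT_CONTEXT=unconfined_u:object_r:usr_t:s0 # from the page's ls -Z listing

# make_sample_inputs DIR: write a constructed key.pem and cert.pem into DIR so
# combine_pem and check_perms can be exercised without real credentials.
make_sample_inputs() {
    dir="$1"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIEvQIBADANBgkq...constructed' \
        '-----END PRIVATE KEY-----' > "$dir/key.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIDazCCAlOgAwIB...constructed' \
        '-----END CERTIFICATE-----' > "$dir/cert.pem"
}

# combine_pem KEY CERT OUT: write KEY followed by CERT to OUT, the order the
# page's example file shows. Accepts PKCS#8 "PRIVATE KEY" and legacy "RSA"/"EC"
# headers; an encrypted key, or a certificate handed over in the key slot, is
# refused before anything is written.
combine_pem() {
    key="$1"; cert="$2"; out="$3"
    grep -q -E -- '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$key" \
        || { echo "combine_pem: no usable private key in $key" >&2; return 1; }
    grep -q -- '^-----BEGIN CERTIFICATE-----' "$cert" \
        || { echo "combine_pem: no certificate in $cert" >&2; return 1; }
    # Subshell umask 077: the file is born 0600, so the private key is never
    # world-readable between creation and the chmod the page prescribes.
    ( umask 077 && cat "$key" "$cert" > "$out" )
}

# check_perms FILE [MODE] [OWNER] [GROUP]: 0 if FILE's symbolic mode, owner and
# group match (defaults are the page's -rw-r--r-- root root). The trailing
# "." / "+" / "@" that ls appends for SELinux, ACLs or xattrs is ignored.
check_perms() {
    file="$1"; want="${2:-$WANT_MODE} ${3:-root} ${4:-root}"
    set -- $(ls -ld "$file")
    [ "${1%[.+@]} $3 $4" = "$want" ]
}

# check_context FILE [CONTEXT]: 0 if the SELinux label matches, 2 if the host
# reports no label (GNU stat prints "?" without SELinux), 1 otherwise.
check_context() {
    file="$1"; want="${2:-$WANT_CONTEXT}"
    ctx=$(stat -c '%C' "$file" 2>/dev/null) || return 1
    [ "$ctx" = "?" ] && return 2
    [ "$ctx" = "$want" ]
}

# install_key DOMAIN KEY CERT [DIR]: the page's procedure end to end. Fix-ups
# run only when a check fails; needs root for chown/chcon on a real host.
install_key() {
    domain="$1"; key="$2"; cert="$3"; dir="${4:-$KEY_DIR}"
    out="$dir/$domain.pem"
    combine_pem "$key" "$cert" "$out" || return 1
    check_perms "$out" || { chmod 644 "$out" && chown root:root "$out"; } || return 1
    rc=0
    check_context "$out" || rc=$?
    if [ "$rc" -eq 1 ]; then
        # -t takes only the type; the s0 level goes with -l, and the file name
        # is required.
        chcon -u unconfined_u -r object_r -t usr_t -l s0 "$out" || return 1
    fi
    return 0
}
```

To try it without root, run make_sample_inputs against a scratch directory and call combine_pem and check_perms on the result; install_key itself needs root for the chown and chcon, and on a host without SELinux check_context returns 2 and install_key leaves the label alone.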

