Mellon is an open source Apache module. Its source code and some pre-built binaries can be downloaded from its website:

https://code.google.com/p/modmellon/

If no pre-built binary for your Linux OS is available on the Mellon website, you will have to build it from source. Building Mellon from source is a simple task; Appendix B of this document describes how to do it.

If your Linux OS is Ubuntu 12+, you can download a pre-built binary from Deepnet's website:

http://support.deepnetsecurity.com

Install Mellon Module

The Mellon module is named "mod_auth_mellon.so". Copy it to the following folder on your Apache server:

/usr/lib/apache2/modules

You can check its shared-library dependencies with:

ldd /usr/lib/apache2/modules/mod_auth_mellon.so 

Switch to the folder

/etc/apache2/mods-available 

Create a file named auth_mellon.load with the following content:

LoadModule auth_mellon_module /usr/lib/apache2/modules/mod_auth_mellon.so

Enable the module by:

sudo a2enmod auth_mellon

(The above command copies the file auth_mellon.load into the folder /etc/apache2/mods-enabled. On some Linux distributions, the LoadModule line appears in the httpd.conf file instead.)

Restart Apache server by:

sudo service apache2 restart

Now, switch to the folder

/etc/apache2/mods-enabled

Create a file named auth_mellon.conf with the following content, or download the latest version from

https://modmellon.googlecode.com/svn/trunk/mod_mellon2/README

#################################################################################
# Global configuration for mod_auth_mellon.
# This configuration is shared by every virtual server and location in this instance of apache.
#################################################################################

# MellonCacheSize sets the maximum number of sessions which can be active at once.
# When mod_auth_mellon reaches this limit, it will begin removing the least recently used sessions.
# The server must be restarted before any changes to this option take effect.
# Default: MellonCacheSize 100
MellonCacheSize 100

# MellonLockFile is the full path to a file used for synchronizing access to the session data.
# The path should only be used by one instance of apache at a time.
# The server must be restarted before any changes to this option take effect.
# Default: MellonLockFile "/var/run/mod_auth_mellon.lock"
MellonLockFile "/var/run/mod_auth_mellon.lock"

# MellonPostDirectory is the full path of a directory where POST requests are saved during authentication.
# This directory must be writeable by the Apache user. It should not be writeable (or readable) by other users.
# Default: None
# Example: MellonPostDirectory "/var/cache/mod_auth_mellon_postdata"

# MellonPostTTL is the delay in seconds before a saved POST request can be flushed.
# Default: MellonPostTTL 900 (15 min)
MellonPostTTL 900

# MellonPostSize is the maximum size for saved POST requests.
# Default: MellonPostSize 1073741824 (1 MB)
MellonPostSize 1073741824

# MellonPostCount is the maximum number of saved POST requests.
# Default: MellonPostCount 100
MellonPostCount 100

###########################################################################
# End of global configuration for mod_auth_mellon.
###########################################################################
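The comments above put one hard requirement on the operator: if MellonPostDirectory is set, the directory must be usable by the Apache user and by nobody else. The following POSIX sh functions are an added example for this guide (they are not part of mod_auth_mellon or of the DualShield product): they read directives out of an auth_mellon.conf while skipping commented-out lines, and verify that the POST directory exists with no group/other permission bits. The sample configuration they write for a dry run is constructed here, and the directory path inside it is an assumption.

```shell
#!/bin/sh
# Added example for this guide (not part of mod_auth_mellon): read directives
# out of an auth_mellon.conf and check the permission requirement the comments
# state for MellonPostDirectory. Paths and sample values are assumptions.

# Print the value of directive NAME from CONF with quotes stripped. Comment
# lines (such as the "# Example: MellonPostDirectory ..." line) are ignored.
mellon_directive() {
    awk -v name="$2" '
        /^[ \t]*#/ { next }
        $1 == name { v = $2; gsub(/"/, "", v); print v; exit }
    ' "$1"
}

# Check the POST directory the config points at: it must exist and carry no
# group/other permission bits (only the Apache user may read or write it).
# Returns 0 when acceptable, 1 when missing or too open, and 2 when
# MellonPostDirectory is not set at all (the page's default: None).
mellon_check_post_dir() {
    dir=$(mellon_directive "$1" MellonPostDirectory)
    [ -n "$dir" ] || return 2
    [ -d "$dir" ] || return 1
    # columns 5-10 of `ls -l` are the group and other rwx bits
    [ "$(ls -ld "$dir" | cut -c5-10)" = "------" ]
}

# Print the global tunables covered by this file, one per line, for a quick audit.
mellon_summary() {
    for name in MellonCacheSize MellonLockFile MellonPostDirectory \
                MellonPostTTL MellonPostSize MellonPostCount; do
        printf '%-20s %s\n' "$name" "$(mellon_directive "$1" "$name")"
    done
}

# Constructed test fixture (not the real defaults file): an auth_mellon.conf
# under DIR whose POST directory is DIR/postdata, created with mode 0700.
mellon_write_sample_conf() {
    mkdir -p "$1/postdata" && chmod 700 "$1/postdata"
    cat > "$1/auth_mellon.conf" <<EOF
# Global configuration for mod_auth_mellon (constructed sample).
MellonCacheSize 100
MellonLockFile "/var/run/mod_auth_mellon.lock"
# Example: MellonPostDirectory "/var/cache/mod_auth_mellon_postdata"
MellonPostDirectory "$1/postdata"
MellonPostTTL 900
MellonPostSize 1073741824
MellonPostCount 100
EOF
}
```

Source the file and run `mellon_check_post_dir /etc/apache2/mods-enabled/auth_mellon.conf` after enabling the POST directory; a return code of 1 means the directory is missing or readable by other users, which the comments above forbid.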

Create Mellon Metadata

Every SAML SP and IdP has its own configuration data, called Metadata. The SAML protocol requires that the SP and the IdP exchange their Metadata.

You need to create the SAML SP Metadata for the Mellon module. To create it, you can use the script:

mellon_create_metadata.sh

This script takes two arguments:

    • The Entity ID, which identifies your service.
    • The base URL of the endpoints for mod_mellon.

Example:

mellon_create_metadata.sh http://example.org/myEntityID http://example.org/mellon

This will create three files:

  • A .key file, which contains the private key in PEM format. Set this file in the MellonSPPrivateKeyFile option of your website configuration file.
  • A .cert file, which contains the certificate in PEM format. Set this file in the MellonSPCertFile option of your website configuration file.
  • A .xml file, which contains the metadata of the SP. Set this file in the MellonSPMetadataFile option of your website configuration file.

Download the script from:

https://modmellon.googlecode.com/svn/trunk/mod_mellon2/mellon_create_metadata.sh

and save it to the folder:

/etc/apache2/mellon

You might have to make it executable with chmod:

sudo chmod a+x mellon_create_metadata.sh

Switch to the folder:

/etc/apache2/mellon

And execute the following command:

./mellon_create_metadata.sh http://acme.org/apache http://acme.org/mellon

We use "apache" as the EntityID and "mellon" as the endpoint. "acme.org" is the FQDN of the example website. Replace "acme.org" with the FQDN of your website.

This will create three files in the folder:

    • Private key: http_acme.org_apache.key
    • Certificate: http_acme.org_apache.cert
    • Metadata: http_acme.org_apache.xml
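Before the .xml file is handed to the IdP administrator, it is worth confirming that it names the Entity ID you passed in, that its endpoints sit under the mellon base URL, that the certificate pasted into it is the same one Apache will be configured with, and that the private key is readable by its owner only. The POSIX sh functions below are an added example for this guide, not part of the mellon_create_metadata.sh script or of mod_auth_mellon. They assume the script's output layout (one metadata element per line, and the body of the .cert file pasted verbatim into the ds:X509Certificate element); the sample files they write for a dry run are constructed here with placeholder base64, not a real key or certificate.

```shell
#!/bin/sh
# Added example for this guide (not part of mod_auth_mellon or of
# mellon_create_metadata.sh). Inspects PREFIX.key, PREFIX.cert and PREFIX.xml
# as written by the script, e.g. PREFIX=/etc/apache2/mellon/http_acme.org_apache.

# Print the entityID attribute of the SP metadata (first occurrence).
mellon_entity_id() {
    sed -n 's/.*entityID="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print every Location="..." endpoint, one per line
# (SingleLogoutService and AssertionConsumerService in the script's output).
mellon_endpoints() {
    sed -n 's/.*Location="\([^"]*\)".*/\1/p' "$1"
}

# Return 0 when the base64 body of the .cert file equals the certificate
# embedded in the metadata, so the IdP trusts exactly the key Apache uses.
mellon_cert_matches() {
    grep -q '<ds:X509Certificate>' "$1" || return 1
    # join the whole file, then cut out the last X509Certificate body
    in_xml=$(tr -d ' \t\r\n' < "$1" \
        | sed 's/.*<ds:X509Certificate>//; s/<\/ds:X509Certificate>.*//')
    in_pem=$(grep -v '^-----' "$2" | tr -d ' \t\r\n')
    [ -n "$in_pem" ] && [ "$in_xml" = "$in_pem" ]
}

# Return 0 when the private key carries no group/other permission bits
# (columns 5-10 of `ls -l` are all dashes), i.e. only its owner can read it.
mellon_key_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run every check for PREFIX (path without extension); 0 means all passed.
mellon_check_sp() {
    rc=0
    echo "entityID: $(mellon_entity_id "$1.xml")"
    mellon_endpoints "$1.xml" | sed 's/^/endpoint: /'
    mellon_cert_matches "$1.xml" "$1.cert" || { echo "FAIL: .cert differs from metadata"; rc=1; }
    mellon_key_is_private "$1.key"          || { echo "FAIL: .key readable by group/other"; rc=1; }
    return $rc
}

# Constructed sample files (placeholder base64, NOT a real key or certificate)
# in the layout the script produces, written under DIR for a dry run.
mellon_write_sample_files() {
    p="$1/http_acme.org_apache"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQtTk9ULUEtUkVBTC1LRVk=' \
        '-----END PRIVATE KEY-----' > "$p.key"
    chmod 600 "$p.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQtTk9ULUEtUkVBTC1DRVJU' \
        'Q09OU1RSVUNURUQtTElORS0y' '-----END CERTIFICATE-----' > "$p.cert"
    cat > "$p.xml" <<'EOF'
<?xml version="1.0"?>
<EntityDescriptor entityID="http://acme.org/apache" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
Q09OU1RSVUNURUQtTk9ULUEtUkVBTC1DRVJU
Q09OU1RSVUNURUQtTElORS0y
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://acme.org/mellon/logout" />
    <AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://acme.org/mellon/postResponse" />
  </SPSSODescriptor>
</EntityDescriptor>
EOF
}
```

Source the file and run `mellon_check_sp /etc/apache2/mellon/http_acme.org_apache` in the folder from the step above; the printed entityID and endpoints are what the IdP will see, and a non-zero return code means the certificate or key file does not match what was registered.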

Now, the Mellon module is installed and configured to work as a SAML Service Provider.

Next, you will need to register the Mellon SP in your DualShield Server, and exchange the Metadata between the Mellon SP and DualShield IdP.
