Child pages
  • Installation Guide
Skip to end of metadata
Go to start of metadata


The EduShib VA requires (minimum):

  1. 25GB Storage
  2. 2GB Rams
  3. 1 Network Interface
  4. 2 CPU Cores
  5. Firewall: Allow connection from internet to port 80 (tcp), 8443 (tcp), 1812 (tcp and udp), 1813 (tcp and udp), 2083 (tcp and udp)



  • Even though in the VA may works as well in another type of hypervisor, but it is recommended to install EduShib VA in KVM hypervisor.
  • Beside computing resources requirements, the administrator need to apply host certificate from MyIFAM CA and register the service to SIFULAN Federation and eduroam Malaysia.


In general the EduShib VA should works as-it-is with minimum customization at some of the configuration files and able to support small-medium organizations (in some case large organization may also supported by increasing some computer resources (e.g. number of cores, RAM), however we unable to guarantee that the EduShib VA will works/practical in very complex situation where the services need to be splitted. Although the EduShib VA comes with pre-configured openldap, shall the organization already has directory service installation, it is recommended to connect EduShib VA to the existing directory service instead of using the pre-configure openldap. For eduroam we assumed that the Access Points are physically connected to separate VLAN in situation where the IT administrator would like to assigned eduroam users to seperate VLAN with the local users.


Installation Instruction



The steps given below is must be in order! Failed to do so, may cause unsuccessful deployment.

Due to recent OpenSSL vulnerability, please update the openssl library to the latest version before you start to configure the system. To update, please type: yum update -y openssl

  1. Download EduShib VA image [ Raw Format ][ OVA Format ][ VMWare Image Format ]
  2. Extract the EduShib VA image (For VMWare Image Format, please use the 7-Zip software to extract the image)

    # tar -jxvf edushib-(version).tar.bz2
  3. Deploy it to your Virtualization Server

  4. Login to the VA (the root password is: eduroamshibboleth)

  5. Change the root password:

    # passwd
  6. Configure the network interface according to your setup. Make sure that the vm can goes to the internet

  7. Generate host certificate key and certificate signing request:

    # createhostcsr ← (replace with your hostname)
  8. The createhostcsr command will generate host_req.pem file. Copy this file and email it to MyIFAM CA ([email protected]). However, some policy may applied by MyIFAM CA before your host csr is signed. The MyIFAM CA will inform you the serial number of your certificate which you need it for the next step.

  9. Download your signed host certificate:

    #  retreivehostcert 12345 ← (replace 12345 with the actual serial number of your certificate)
  10. Run the configurator tool:

    # runconfig --hostname --ip ← (replace with your hostname and with the ip address of the vm)
  11. The Shibboleth installer may asked you few questions:

    1. Where should the Shibboleth Identity Provider software be installed? [/opt/shibboleth-idp] Press Enter
    2. What is the fully qualified hostname of the Shibboleth Identity Provider server? [] Enter your hostname, e.g.
    3. A keystore is about to be generated for you. Please enter a password that will be used to protect it. Enter your preferred keystore password
  12. Edit /usr/share/tomcat6/conf/server.xml file. Find keystorePass="eduroamshibboleth" statement and replace it with yoru keystore password

  13. Restart the tomcat service:

    # service tomcat6 restart
  14. Download the root CA certificate file

    # wget -O /etc/certs/ca/tls-ca-bundle.pem
  15. Edit /opt/radsecproxy-1.6.5/etc/radsecproxy.conf . Replace: CACertificatePath /etc/certs/ca/ with CACertificateFile /etc/certs/ca/tls-ca-bundle.pem
  16. Edit /opt/radsecproxy-1.6.5/etc/conf.d/realms.conf . Replace: /edushib\.sifulan\.my$ with your realm (e.g. /upm\.edu\.my$)

  17. Edit /etc/raddb/proxy.conf . Replace: edushib\\.sifulan\\.my$ with your realm (e.g. upm\\.edu\\.my$)

  18. Edit /opt/radsecproxy-1.6.5/etc/conf.d/clients.conf . Add your wireless access point ipaddress/network information to this file by using these syntax:

    in case of standalone/unmanageable wireless access point:

    in case of controlled/manageable access point:

  19. Restart the radsecproxy service:

    # service radsecproxy restart
  20. Restart the radius service:

    # service radiusd restart
  21. Please contact SIFULAN ([email protected]) and Eduroam Malaysia ([email protected]) to test your EduShib VA installation. Please mention the hostname of your EduShib VA as well.