How do I install a Bluestem client on a Linux server?

Please note that we no longer support new Bluestem client registrations. This document is intended only for existing registrations. If you wish to configure SSO for a new application, please install a Shibboleth Service Provider.

This guide explains how to install the Bluestem client on a Linux (CentOS 7) server.

Register Application Server

Visit the Bluestem application server registration page and click Add New Server. Type the hostname of the server in the Hostname field. If the server later gets a CNAME, the CNAME will automatically work with Bluestem without any additional registrations. Copy the key string and click Save Changes.

Install Prerequisites

The Apache web server should already be installed. We need mod_ssl to enable HTTPS. The Bluestem client requires mod_perl (which needs epel-release). Finally, we install setroubleshoot to help us troubleshoot any SELinux issues.

sudo yum install epel-release mod_ssl setroubleshoot -y

Now that the EPEL repo is available, install mod_perl.

sudo yum install mod_perl -y

Start logging SELinux messages in /var/log/messages:

sudo systemctl reload auditd.service

Configure the Firewall

We have to make sure that the server's firewall allows http and https traffic through. The firewall zone you specify will depend on whether the website should be accessed on an internal network (internal), on a UIC network (uic), or from anywhere (public). In this example, we are using the uic zone:

sudo firewall-cmd --permanent --zone=uic --add-service=http
sudo firewall-cmd --permanent --zone=uic --add-service=https
sudo firewall-cmd --reload

Install Bluestem Client

Download the latest Bluestem client:


and unpack:

tar -xzvf bluestem-client-latest.tar.gz

Enter the directory that was unpacked, bluestem-client-x.x.x, and run:

sudo perl

You will be prompted to select the installation directory and other paths. In almost all cases, the default is appropriate and you can press Enter to advance. When prompted for the Server key, paste in the key string.

Open /var/www/bluestem-client/bluestem.httpd.conf and uncomment the following 2 lines:

PerlRequire /var/www/bluestem-client/
PerlAccessHandler Apache::Bluestem::access_handler

Next, add a symbolic link to this file in /etc/httpd/conf.d:

sudo ln -s /var/www/bluestem-client/bluestem.httpd.conf /etc/httpd/conf.d/10-bluestem.conf

Make sure the following files and directories are owned by the apache user:

  • /var/log/bluestem
sudo chown apache /var/log/bluestem

Configure SELinux

The following commands need to be executed to make Bluestem work with SELinux:

sudo setsebool -P httpd_can_network_connect 1

sudo semanage fcontext -a -f a -t httpd_log_t '/var/log/bluestem'
sudo restorecon -v /var/log/bluestem

sudo semanage fcontext -a -f a -t httpd_sys_rw_content_t '/var/www/bluestem-client/bluestem.conf'
sudo restorecon -v /var/www/bluestem-client/bluestem.conf

sudo semanage fcontext -a -f a -t httpd_sys_rw_content_t '/var/www/bluestem-client/cache(/.*)?'
sudo restorecon -rv /var/www/bluestem-client/cache/

sudo semanage fcontext -a -f a -t httpd_sys_script_exec_t '/var/www/bluestem-client/cgi(/.*)?'
sudo restorecon -rv /var/www/bluestem-client/cgi
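
To confirm that the ownership and SELinux labels set above actually took effect, the following script compares stat output against the values from the chown and semanage commands in this guide. It is an added example, not part of the Bluestem client or the original article; the names EXPECTED, SAMPLE, selinux_type, audit_bluestem and the --live flag are this example's own, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: audit owner and SELinux type of the Bluestem paths.
# path|expected owner ("-" = not checked)|expected SELinux type
EXPECTED='/var/log/bluestem|apache|httpd_log_t
/var/www/bluestem-client/bluestem.conf|-|httpd_sys_rw_content_t
/var/www/bluestem-client/cache|-|httpd_sys_rw_content_t
/var/www/bluestem-client/cgi|-|httpd_sys_script_exec_t'

# The type is the third field of user:role:type:level.
selinux_type() { printf '%s\n' "$1" | cut -d: -f3; }

# stdin: "path owner context" lines, as printed by stat -c '%n %U %C'.
# stdout: one verdict per expected path. Returns 1 if anything is wrong.
audit_bluestem() {
    input=$(cat)
    rc=0
    while IFS='|' read -r path want_owner want_type; do
        found=$(printf '%s\n' "$input" |
            awk -v p="$path" '$1 == p { print $2, $3; exit }')
        if [ -z "$found" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        owner=${found%% *}
        got_type=$(selinux_type "${found#* }")
        if [ "$want_owner" != "-" ] && [ "$owner" != "$want_owner" ]; then
            echo "FAIL $path owner=$owner want=$want_owner"; rc=1
        elif [ "$got_type" != "$want_type" ]; then
            echo "FAIL $path type=$got_type want=$want_type"; rc=1
        else
            echo "OK $path"
        fi
    done <<EOF
$EXPECTED
EOF
    return $rc
}

# Constructed sample: cache was never relabelled, cgi is absent.
SAMPLE='/var/log/bluestem apache system_u:object_r:httpd_log_t:s0
/var/www/bluestem-client/bluestem.conf root system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/bluestem-client/cache root unconfined_u:object_r:httpd_sys_content_t:s0'

if [ "${1:-}" = "--live" ]; then   # on the server: read the real values
    stat -c '%n %U %C' $(printf '%s\n' "$EXPECTED" | cut -d'|' -f1) | audit_bluestem
else
    printf '%s\n' "$SAMPLE" | audit_bluestem || true
fi
```

Run it with --live on the server after the restorecon commands; any FAIL or MISSING line points at the chown or semanage step that needs to be repeated.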

Start the Webserver and Verify

Enable and start the Apache web server:

sudo systemctl enable httpd.service
sudo systemctl start httpd.service

Visit https://[hostname]/bluestem/cgi/test.cgi to test login. Visit https://[hostname]/bluestem/cgi/admin.cgi to test the Bluestem admin page.

If you haven't installed the SSL certificate yet, you will get a warning about it.


Article ID: 884
Fri 1/15/21 6:13 PM
Fri 11/19/21 11:06 AM