Comment: stop tomcat, adjust cookie enc properties file

...

Before running the installer, stop Tomcat, save off the current umask of your root user's shell (so that we can restore it later) and change it to the value given below:

No Format
systemctl stop tomcat9
oldumask=$(umask)
umask 0022

The IDP installer will ask for two passwords: one to protect a newly generated PKCS#12 keystore (for a SOAP/backchannel connector, the configuration of which we've dropped from this documentation), the other as the Cookie/localStorage encryption key (for client-side session storage). So generate two random strings to be used as passwords and note them down somewhere temporarily but securely, indicating their purpose (backchannel, cookie encryption). The cookie encryption password will be written to /opt/shibboleth-idp/confcredentials/idpsecrets.properties by the installer, though (as the idp.sealer.storePassword and idp.sealer.keyPassword parameters).

No Format
openssl rand -hex 16  # run twice to generate two random strings
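The preparation steps above (stop Tomcat, save and change the umask, generate the two installer secrets) as a set of reusable POSIX shell functions. This is an added example, not text from the wiki page or code from the Shibboleth project; it assumes openssl is on PATH, and since the installer invocation itself is elided on this page, the run_installer function is a hypothetical placeholder for it.

```sh
#!/bin/sh
# Added example, not part of the wiki page or the Shibboleth project.
# Assumes: openssl on PATH. "run_installer" is a hypothetical placeholder
# for the installer step the page elides.

# One 32-character hex secret (128 bits), exactly what "openssl rand -hex 16" produces.
gen_secret() {
    openssl rand -hex 16
}

# Run a command with umask 0022 and restore the caller's umask afterwards,
# preserving the command's exit status.
with_install_umask() {
    _oldumask=$(umask)
    umask 0022
    "$@"
    _rc=$?
    umask "$_oldumask"
    return $_rc
}

# Note both secrets, labelled by purpose, in a file only the invoking user
# can read. The subshell keeps the restrictive umask from leaking into the caller.
write_secrets_file() {
    _file=$1
    (
        umask 077
        printf 'backchannel=%s\ncookie-encryption=%s\n' "$(gen_secret)" "$(gen_secret)" > "$_file"
    )
}

# Hypothetical stand-in for the elided installer step.
run_installer() {
    echo "installer would run here with umask $(umask)"
}

# Stand-alone usage (commented out so the file can also be sourced):
# systemctl stop tomcat9
# write_secrets_file /root/idp-install-secrets.txt
# with_install_umask run_installer
```

Wrapping the installer in with_install_umask avoids the common mistake of forgetting to restore the root shell's umask after the install, and the 077 umask inside the subshell ensures the secrets file never exists world-readable, even for an instant.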

Download and unpack the latest Shibboleth IDPv4 software, adjusting the value of $VER to the latest/current version. Optional (but recommended, if you understand how PGP and the Web of Trust work) commands for verifying the software using cryptographic signatures from the Shibboleth developers are also included below.

Include Page
IDP 4 include - download-install-v4

When prompted:

Note

If the installer appears to be "hanging/stuck" it's probably just sitting there waiting for you to enter something or to hit <Return> to continue!

...

Since we want the IDP (and hence Apache Tomcat and the whole JVM) to run as a non-privileged user, we'll need to adjust a couple of file system permissions:

Include Page
IDP 4 include - file-system-permissions-v4

As per the Shibboleth IDPv3 documentation for Tomcat we'll need to make a few more adjustments:

...

Following the recommendations from the Shibboleth IDPv3 wiki we also uncomment (i.e., make active) the line <Manager pathname="" /> in Tomcat's context.xml. And since we have to change that file anyway, let's replace it with a minimalist version that also avoids scanning most of the IDP's JAR files during startup; see the section Slow Startup towards the end of that Shibboleth wiki page.

Include Page
IDP 4 include - context.xml-v4

Restart Tomcat (which may take a moment) and check the logs for WARN and ERROR messages. By default the IDP logs to /opt/shibboleth-idp/logs/idp-process.log, but if something is seriously wrong and the IDP isn't even able to start up, you'll have to look at Tomcat's journal entries:

...