Page History
...
Note | ||||
---|---|---|---|---|
| ||||
|
...
Install required (and used, throughout this documentation) packages, possibly replacing vim
with your $EDITOR
of choice (e.g. emacs-nox
or nano
micro
, both of which also support syntax highlighting, which helps when editing XML files) and stop the automatically started tomcat until we've completed more configuration performed further below:
No Format |
---|
apt install --no-install-recommends default-jdk-headless tomcat9tomcat10 \ vim less openssl curl expat multitail gnupg net-tools systemctl stop tomcat9tomcat10 |
Post-install fix-ups
Redirect requests to Tomcat's web root ("/
") to a URL of your choice, e.g. your institution's home page, replacing "www.example.edu" in the command below. The Shibboleth IDP application by default will run at /idp
, allowing you to easily add and update other content outside of /idp
, e.g. logos or CSS stylesheets without having them to integrate them with the "idp" context/application. The document root for that is in /var/lib/tomcat9tomcat10/webapps/ROOT/
and nothing in the Shibboleth IDP software (or during use of SAML) by default links to /
of the server, so you can use that for locally hosted content without interfering with the IDP application. For example, you will want to add a robots.txt file to avoid unnecessary scanning by well-behaved search bots.
No Format |
---|
rm /var/lib/tomcat9tomcat10/webapps/ROOT/index.html echo '<% response.sendRedirect("https://www.example.edu/"); %>' > /var/lib/tomcat9tomcat10/webapps/ROOT/index.jsp echo -e "User-agent: *\nDisallow: /" > /var/lib/tomcat9tomcat10/webapps/ROOT/robots.txt |
Set JAVA_HOME
for the current (and future) shell(s):
...
Note |
---|
Do not use an existing wildcard certificate (if one is available that would also cover your IDP webserver) – just do the work as described below and create another certificate for your IDP. Under ACOnet's TCS agreement you can get unlimited globally valid commercial certificates at no cost to you. (Alternatively, though not recommended for your eduID.at IDP, there's always letsencrypt.) |
...
Tip | ||||
---|---|---|---|---|
| ||||
In case you're replacing an expiring TLS certificate where the matching private key is still considered to be secure and of sufficient strength (in 2021 2023 for RSA keys that means a key size of at least 2048 bits) you may 'll want to keep using the existing private key (and PKCS#12 keystore passphrase) and generate the CSR any CSRs from that key.
When asked to "Enter Import Password" supply the existing Then generate a CSR from the extracted private key, either by supplying the necessary data (at least the subject) on the command line or by entering any data interactively when being prompted for it (when not adding
When asked to "Enter pass phrase for webserver.key" again provide the passphrase from the previous steps. The content of webserver.csr is what you provide to your CA then, e.g. via |
Equipped with the CSR you can now request a TLS certificate based from your CA, e.g. using the ACOnet TCS supplier. Once the certificate has been issued copy it to the IDP server as webserver.crt.
You'll also need to copy any intermediate intermediary Certificate Authority (CA) certificates to the IDP server.
...
No Format |
---|
openssl pkcs12 -export -in webserver.crt -inkey webserver.key -certfile GEANT-OV-RSA-CA-4.crt -name "webserver" -out webserver.p12 |
When asked to "Enter pass phrase for webserver.key" provide the passphrase generated earlier.
Again when asked to "Enter Export Password".
And yet again, when asked to "Verifying - Enter Export Password".
Move the newly created keystore to its final location (we're chosing Tomcat's config directory) and set strict file system permissions on it:
No Format |
---|
[[ -f /etc/tomcat9tomcat10/webserver.p12 ]] && cp -a /etc/tomcat9tomcat10/webserver.p12 /etc/tomcat9tomcat10/webserver.p12.`date -u +%Y%m%d` mv webserver.p12 /etc/tomcat9tomcat10/ chown root:tomcat /etc/tomcat9tomcat10/webserver.p12 chmod 640 /etc/tomcat9tomcat10/webserver.p12 |
Configure Tomcat Connector
Remove or comment out all other Connectors in /etc/tomcat9tomcat10/server.xml
, then add the two Connectors as per below, replacing keystorePass
with the password generated earlier:
...
Code Block | ||
---|---|---|
| ||
<!-- Localhost-only connector for IDP command line tools --> <Connector address="127.0.0.1" port="80" /> <!-- https://tomcat.apache.org/tomcat-910.01-doc/ssl-howto.html --> <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" maxPostSize="100000" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.3" keystoreType="pkcs12" keystoreFile="/etc/tomcat9tomcat10/webserver.p12" keystorePass="see above"> <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> </Connector> |
...
No Format |
---|
systemctl restart tomcat9tomcat10 netstat -lntp | fgrep java # should show 443, and 80 only on the loopback interface |
...
In case of errors check the output of "journalctl -u tomcat9 tomcat10 -ef".
If everything works fine and the certificate chain looks as expected you can remove the private key and certificate again (as both can be extracted from the PKCS#12 keystore if needed), keeping the CSR in file webserver.csr around for next time you need to renew that certificate (as long as you still consider the matching private key secure):
...
By default Tomcat logs everything multiple times, including to /var/log/tomcat9tomcat10/catalina.out
and /var/log/tomcat9tomcat10/localhost.*
, which we don't care for. So create a backup copy of Tomcat's logging.properties
and replace its content with the minumum needed to getTomcat's stdout/stderr to the console (which ends up in the systemd journal in our configuration). To prevent catalina.out from being created we deacticate it further below (in our "Systemd service" override) by setting the CATALINA_OUT=/dev/null
environment variable for the java process.
No Format |
---|
systemctl stop tomcat9tomcat10 cp -a /etc/tomcat9tomcat10/logging.properties /etc/tomcat9tomcat10/logging.properties.`date -u +%Y%m%d` echo -n 'handlers = java.util.logging.ConsoleHandler java.util.logging.ConsoleHandler.level = INFO java.util.logging.ConsoleHandler.formatter = org.apache.juli.SystemdFormatter org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = java.util.logging.ConsoleHandler ' > /etc/tomcat9tomcat10/logging.properties |
Then comment out or delete the whole Valve
element at the end of your /etc/tomcat9tomcat10/server.xml
, and replace it with the following one:
...
After deleting all Tomcat logs (only) access.log
should be generated in Tomcat's log directory going forward:
No Format |
---|
rm -f /var/log/tomcat9tomcat10/* systemctl restart tomcat9tomcat10 ls -l /var/log/tomcat9tomcat10/ multitail /var/log/tomcat9tomcat10/* -l 'journalctl -u tomcat9tomcat10.service -f' # exit with 'q' systemctl stop tomcat9tomcat10 |
If you're certain there's no catalina.log file being generated anymore you can also disable the default logrotate config snippet for it:
No Format |
---|
sed -i 's/^/#/' /etc/logrotate.d/tomcat9tomcat10 |
Systemd service
Debian's Tomcat comes with an almost-usable systemd service that needs to be amended in order to
...
Code Block | ||
---|---|---|
| ||
install -o root -g root -m 0755 -d /etc/systemd/system/tomcat9tomcat10.service.d cat <<'EOF' > /etc/systemd/system/tomcat9tomcat10.service.d/override.conf [Service] Environment="CATALINA_OUT=/dev/null" Environment="JAVA_OPTS=-Djava.security.egd=file:/dev/urandom -Djava.awt.headless=true -Xmx3g" Environment="JSSE_OPTS=-Djdk.tls.ephemeralDHKeySize=2048" ExecStart= ExecStart=/usr/bin/java \ $JAVA_OPTS $JSSE_OPTS \ -classpath ${CATALINA_HOME}/bin/bootstrap.jar:${CATALINA_HOME}/bin/tomcat-juli.jar \ -Dcatalina.base=${CATALINA_BASE} \ -Dcatalina.home=${CATALINA_HOME} \ -Djava.util.logging.config.file=${CATALINA_BASE}/conf/logging.properties \ -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \ -Djava.io.tmpdir=${CATALINA_TMPDIR} \ org.apache.catalina.startup.Bootstrap ReadWritePaths=/var/log/shibboleth/ ReadWritePaths=/opt/shibboleth-idp/logs/ ReadWritePaths=/opt/shibboleth-idp/metadata/ EOF |
...