Versions Compared

Old Version 9

changes.mady.by.user Peter Brand

Saved on

compared with

New Version 10

changes.mady.by.user Peter Brand

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: mv idp logs to next step

...

Note
iconfalse
titleThis Guide assumes
  • A fresh, minimal (e.g. netinst.iso) install of Debian 12 ("Bookworm") with no "tasks" except openssh-server
    • Ubuntu 2224.04 LTS ("Jammy JellyfishNoble Numbat") Server works the same as Debian 12 for the purpose of this guide
  • Accessed via SSH or the console (no GUI/X11/wayland required and certainly not recommended),
  • Correct server time configuration using NTP (e.g. using systemd-timesyncd or ntpd)
  • Packet filters or firewall rules in place, e.g.:
    • With outgoing(ports TCP/80 and TCP/443) network access:
      • Port 80 for Debian APT updates, i.e., for downloading signed software packages
      • Port 80 and 443 for downloading cryptographically signed eduID.at Metadata documents.
      • Port 443 is also needed for downloads of the Shibboleth IDP software or additional modules
      • With local authentication the IDP will likely also need to connect to your LDAP Directory Servers for authentication and attribute lookup,
        • either on the standard port TCP/389 for LDAP(+STARTTLS),
        • or on port TCP/636 for LDAPS (which which no formal specification exists),
        • or maybe on the "global catalog" port of your Microsoft Active Directory (only if it's necessary you access that).
      • For access to NTP services you also need outgoing connectivity to the configured NTP servers (e.g. ACOnet's)
    • And incoming HTTPS access on port TCP/443 only. Noone needs to access your IDP by manually entering its URL, so no need to even have the IDP listening on TCP/80 publically, and therefore also no need for a redirect from TCP/80 to TCP/443.
      • Also, if the server is managed via SSH you'll need to allow access to port TCP/22, though only from a secured management network.
  • All commands in this guide to be issued by user root (uid=0) so sudo -s first as needed.
  • The shell used is /bin/bash (you can get fancy with fish/zsh/etc. after finishing the install/configuration if you want)
  • Use of systemd for service management, in order to use the amended service unit contained in this documentation.

...

No Format
apt install --no-install-recommends defaultopenjdk-17-jdk-headless tomcat10 \
  vim less openssl curl expat multitail gnupg net-tools

systemctl stop tomcat10

...

No Format
rm webserver.{key,crt}

Tune log file creation

IDP logs

You might prefer to have the IDP application write its logs to a more standard location in the file system, specifically one outside the application's own directory and on a file system where data usage is expected to grow dynamically (e.g. on /var). To do that simply set the idp.logfiles property in any of the property files read by the IDP, e.g. within conf/idp.properties:

idp.logfiles=/var/log/shibboleth

We also have to create that directory. And in order for the example commands in this documentation to work with either log directory location we'll remove the (still empty) log dir created by the IDP installer and replace it with a symlink to one we just created ourselfs:

No Format
install -o tomcat -g root -m 0750 -d /var/log/shibboleth/
cd /opt/shibboleth-idp/ && rmdir logs && ln -s /var/log/shibboleth logs

Tomcat logs

Tomcat logs

By default Tomcat logs everything multiple times, including to /var/log/tomcat10/catalina.out By default Tomcat logs everything multiple times, including to /var/log/tomcat10/catalina.out and /var/log/tomcat10/localhost.*, which we don't care for. So create a backup copy of Tomcat's logging.properties and replace its content with the minumum needed to getTomcat's stdout/stderr to the console (which ends up in the systemd journal in our configuration). To prevent catalina.out from being created we deacticate it further below (in our "Systemd service" override) by setting the CATALINA_OUT=/dev/null environment variable for the java process.

...

No Format
rm -f /var/log/tomcat10/*
systemctl restart tomcat10
ls -l /var/log/tomcat10/
multitail /var/log/tomcat10/* -l 'SYSTEMD_COLORS=false journalctl -u tomcat10.service -f --no-pager'  # exit with 'q'
systemctl stop tomcat10

...

Activate the override with systemctl daemon-reload, maybe also verify with systemd-delta | fgrep tomcat

Note that at this point Tomcat is stopped. Leave it that way and continue with the next step from this guide.

Note

Next step: Installing the IDP software

...