...
...
apt install --no-install-recommends openjdk-17-jdk-headless tomcat10 libtaglibs-standard-impl-java \
    vim less openssl curl expat multitail gnupg net-tools
systemctl stop tomcat10
...
Redirect requests to Tomcat's web root ("/") to a URL of your choice, e.g. your institution's home page, replacing "www.example.edu" in the command below. The Shibboleth IDP application by default will run at /idp, allowing you to easily add and update other content outside of /idp, e.g. logos or CSS stylesheets, without having to integrate them with the "idp" context/application. The document root for that is /var/lib/tomcat10/webapps/ROOT/, and nothing in the Shibboleth IDP software (or during use of SAML) by default links to / of the server (i.e., the web server's base URL), so you can use that for locally hosted content without interfering with the IDP application. For example, you will want to add a robots.txt file to avoid unnecessary scanning by well-behaved search bots.
...
Tip:
In case you're replacing an expiring TLS certificate where the matching private key is still considered to be secure and of sufficient strength (in 2024 CE for RSA keys that means a key size of at least 2048 bits) you'll want to keep using the existing private key (and PKCS#12 keystore passphrase) and generate any CSRs from that key.
When asked to "Enter Import Password" supply the existing
Then generate a CSR from the extracted private key, either by supplying the necessary data (at least the subject) on the command line or by entering any data interactively when being prompted for it (when not adding
When asked to "Enter pass phrase for webserver.key" again provide the passphrase from the previous steps. The content of webserver.csr is what you provide to your CA then, e.g. via
...
Remove or comment out all other Connectors in /etc/tomcat10/server.xml, then add the two Connectors as per below, replacing certificateKeystorePassword with the password generated earlier:
...
<!-- Localhost-only connector for IDP command line tools -->
<Connector address="127.0.0.1" port="80" />

<!-- https://tomcat.apache.org/tomcat-10.1-doc/ssl-howto.html -->
<!-- https://tomcat.apache.org/tomcat-10.1-doc/config/http.html#SSL_Support -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" maxPostSize="100000"
           SSLEnabled="true" scheme="https" secure="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <!-- TLS versions and cipher suites are SSLHostConfig attributes, the keystore goes on Certificate -->
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3"
                   ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305">
        <Certificate type="RSA"
                     certificateKeystoreType="PKCS12"
                     certificateKeystoreFile="/etc/tomcat10/webserver.p12"
                     certificateKeystorePassword="see sections above" />
    </SSLHostConfig>
</Connector>
...
Start Tomcat, check for listening ports, and access https://webserver-fqdn/foo which should result in an HTTP Status 404 error (since /foo won't exist) but allows you to confirm a hopefully valid TLS/SSL webserver configuration:
...
rm webserver.{key,crt}
Tune log file creation
IDP logs
You might prefer to have the IDP application write its logs to a more standard location in the file system, specifically one outside the application's own directory and on a file system where data usage is expected to grow dynamically (e.g. on /var). To do that simply set the idp.logfiles property in any of the property files read by the IDP, e.g. within conf/idp.properties:
idp.logfiles=/var/log/shibboleth
We also have to create that directory. And in order for the example commands in this documentation to work with either log directory we'll remove the (still empty) log dir created by the IDP installer and replace it with a symlink to the actual log directory:
install -o tomcat -g root -m 0750 -d /var/log/shibboleth/
cd /opt/shibboleth-idp/ && rmdir logs && ln -s /var/log/shibboleth logs
Tomcat logs
By default Tomcat logs everything multiple times, including to /var/log/tomcat10/catalina.out and /var/log/tomcat10/localhost.*, which we don't care for. So create a backup copy of Tomcat's logging.properties and replace its content with the minimum needed to get Tomcat's stdout/stderr to the console (which ends up in the systemd journal in our configuration). To prevent catalina.out from being created we deactivate it further below (in our "Systemd service" override) by setting the CATALINA_OUT=/dev/null environment variable for the java process.
...
rm -f /var/log/tomcat10/*
systemctl restart tomcat10
ls -l /var/log/tomcat10/
multitail /var/log/tomcat10/* -l 'SYSTEMD_COLORS=false journalctl -u tomcat10.service -f --no-pager'   # exit with 'q'
systemctl stop tomcat10
If you're certain there's no catalina.log file being generated anymore you can also disable the default logrotate config snippet for it:
...
Debian's Tomcat comes with an almost-usable systemd service that needs to be amended in order to:
- Avoid the systemd-house-of-horror that's still all too common with Tomcat/Java packaging
- Avoid slow startup times due to use of a blocking /dev/random (cf. Myths about urandom, also linked to from the Shib wiki).
- Allow the IDP application to write logs and metadata to the filesystem as needed (by adding more ReadWritePaths)
- Try avoiding the creation of catalina.out (we already have its content in journald using this configuration)
And since we're creating an override for the OS-supplied systemd service unit anyway we'll also set the maximum memory usage there ("-Xmx3g" in the example below, i.e., 3GB).
Adjust this as needed, but 3-4GB should be sufficient even for large metadata aggregates (as are common with Interfederation). Also leave a bit of RAM for the OS. (Not that you should be running anything else on an IDP server.)
...
Activate the override with systemctl daemon-reload, and maybe also verify the result with systemd-delta | fgrep tomcat.
Note that at this point Tomcat is stopped. Leave it that way and continue with the next step from this guide.
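Neither the trimmed-down logging.properties nor the systemd override itself survives in this excerpt, so the following is an added example (not the page's own files, nor Debian's) of what the "Tomcat logs" and "Systemd service" descriptions above amount to, written as a POSIX shell script that stages both files under a root directory of your choice (a scratch directory for inspection, or "/" on the box). The JULI settings are standard Tomcat ones; the drop-in's ReadWritePaths entries, the use of JAVA_OPTS for the heap cap and the java.security.egd property for urandom are assumptions to check against the packaged unit (systemctl cat tomcat10), since an EnvironmentFile= in the packaged unit takes precedence over Environment= lines from a drop-in.

```shell
#!/bin/sh
# Added example, not the page's configuration: stage the two files described
# in the text under $ROOT.  Run with "--apply" to write below / directly.
set -eu

# Minimal Tomcat JULI config: log only to the console, so that systemd
# captures stdout/stderr into the journal and no per-file logs are created.
write_tomcat_logging_properties() {
    root=$1
    dir="$root/etc/tomcat10"
    mkdir -p "$dir"
    cat > "$dir/logging.properties" <<'EOF'
# Console only; stdout/stderr of the java process end up in journald.
handlers = java.util.logging.ConsoleHandler
.handlers = java.util.logging.ConsoleHandler
java.util.logging.ConsoleHandler.level = FINE
java.util.logging.ConsoleHandler.formatter = org.apache.juli.OneLineFormatter
EOF
    echo "$dir/logging.properties"
}

# systemd drop-in for the packaged tomcat10.service (what "systemctl edit
# tomcat10" would create).  Paths and variable names are assumptions.
write_tomcat_override() {
    root=$1
    dir="$root/etc/systemd/system/tomcat10.service.d"
    mkdir -p "$dir"
    cat > "$dir/override.conf" <<'EOF'
[Service]
# Never create catalina.out; its content is already in the journal.
Environment=CATALINA_OUT=/dev/null
# Heap cap (3 GB, adjust) and a non-blocking entropy source for the JVM.
Environment=JAVA_OPTS=-Xmx3g -Djava.security.egd=file:/dev/./urandom
# A hardened unit (ProtectSystem=) must be told where the IDP may write:
# the log directory and the metadata directory it refreshes itself.
ReadWritePaths=/var/log/shibboleth
ReadWritePaths=/opt/shibboleth-idp/metadata
EOF
    echo "$dir/override.conf"
}

# Only write to the real filesystem when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    cp -n /etc/tomcat10/logging.properties /etc/tomcat10/logging.properties.orig
    write_tomcat_logging_properties /
    write_tomcat_override /
    echo "now run: systemctl daemon-reload && systemd-delta | fgrep tomcat"
fi
```

To inspect the result first, source the script and call e.g. write_tomcat_override /tmp/stage, then diff the staged files against what the packaged unit and the original logging.properties contain before applying.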
...