Local additions to the official upgrade instructions from the Shibboleth wiki, to be re-visited for each upgrade of the IDP software.
If you're still running the old Shibboleth IDP version 2.x, you can follow another guide to build a completely new IDP on a current and supported OS, and then later migrate settings from IDPv2 over as needed.
From version 3.3.0 on, the IDP also seems to need the JSP API 2.3, which can be found in the libservlet3.1-java package. If you don't have that installed already:
apt install --no-install-recommends libservlet3.1-java
Download and unpack the latest Shibboleth IDPv3 software, adjusting the value of $VER to the latest/current version. Optional (but recommended, if you understand how PGP and the Web of Trust work) commands for verification of the software using cryptographic signatures from the Shibboleth developers are included below.
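One way to make the optional signature check fail closed, as an added example that is not from the original page or the Shibboleth project: it accepts the tarball only if GnuPG reports a good signature made by a key whose primary fingerprint you have pinned. The fingerprint below is a placeholder, and the tarball and `.asc` file names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: fingerprint-pinned check of a detached PGP signature.
# PINNED_FPR is a PLACEHOLDER, not a real Shibboleth key. Replace it with the
# 40-hex-digit primary key fingerprint you verified out of band.
PINNED_FPR="0000000000000000000000000000000000000000"

# Read `gpg --status-fd` lines on stdin. Succeed only if there is a GOODSIG,
# a VALIDSIG whose primary key fingerprint equals $1, and no status line that
# reports a bad, unverifiable, expired or revoked signature or key.
status_trusts_fpr() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        # In VALIDSIG the last field is the primary key fingerprint; if an old
        # gpg omits it, the comparison fails and the check stays closed.
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { pinned = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit (good && pinned && !bad) ? 0 : 1 }
    '
}

# Verify tarball $1 against detached signature $2 using the local keyring.
# Machine-readable status goes to stdout, human-readable output is dropped.
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null \
        | status_trusts_fpr "$PINNED_FPR"
}

# Usage (file names are assumptions):
#   sh verify.sh shibboleth-identity-provider-$VER.tar.gz \
#                shibboleth-identity-provider-$VER.tar.gz.asc
if [ "$#" -eq 2 ]; then
    if verify_release "$1" "$2"; then
        echo "Signature OK and made by the pinned key."
    else
        echo "Refusing to continue: no good signature from the pinned key." >&2
        exit 1
    fi
fi
```

A plain "Good signature" line only says that some key in your keyring signed the file; pinning the fingerprint is what ties the result to the key you actually decided to trust.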
First we'll stop the running Tomcat because it might otherwise try to reload the Shibboleth application even before we're done with all the required steps provided below:
systemctl stop tomcat9
Next start the upgrade:
This will use the current directory (/usr/local/src/shibboleth-identity-provider-$VER) as source and the default directory (/opt/shibboleth-idp) as target, and should produce output like this:
Source (Distribution) Directory (press <enter> to accept default: [/usr/local/src/shibboleth-identity-provider-3.x.x]
Installation Directory: [/opt/shibboleth-idp]
Rebuilding /opt/shibboleth-idp/war/idp.war ...
...done
BUILD SUCCESSFUL
Total time: 4 seconds
It will be necessary to re-apply file system permission changes done during installation, so just run these again:
You'll also want to regenerate the list of the IDP's JARs that shouldn't be scanned during Tomcat startup; see the section Slow Startup towards the end of that Shibboleth wiki page. Those will go into /etc/tomcat9/context.xml, so we'll make a time-stamped backup copy of that file before replacing its content:
Restart Tomcat, which may take a bit, and check the logs for ERROR messages. By default the IDP logs to /opt/shibboleth-idp/logs/idp-process.log, but if something is seriously wrong and the IDP isn't even able to start up you'll have to look at Tomcat's journal entries:
systemctl restart tomcat9
multitail /opt/shibboleth-idp/logs/idp-process.log -l 'journalctl -u tomcat9.service -f' # exit with 'q'
Now the IDP should be running the current version and you can test the output of the status command line utility: