Wednesday, October 28, 2015

Shibboleth-Basic Installation

Jetty Base

As a prerequisite, be sure you understand the Jetty Base concept: a separate directory structure containing just configuration info. To implement it you have to add the JETTY_BASE environment variable to /etc/default/jetty or to /etc/environment, pointing to the above mentioned directory.

Install Steps

Only things that went wrong during my installation (or that are worth mentioning) are captured here.

Run the initial steps as described in the general instructions section: https://wiki.shibboleth.net/confluence/display/IDP30/Installation#Installation-Non-WindowsInstallation.

Now go to the container-specific instructions (https://wiki.shibboleth.net/confluence/display/IDP30/Jetty93 in my case).

Create the JETTY_BASE directory structure as mentioned at and apply the instructions step by step. As I noticed afterwards, there is already a jetty_base directory in the unpacked structure (which is not copied to the target directory by the setup script). Some of the artefacts (like jars) can be copied from this directory, but be aware that the content of the configuration files is not exactly what the instructions require. For now, delete all the optional files.

Configure Jetty Modules and JVM Settings

For start.ini:

  • Uncomment and change the line #-Didp.home=/path/to/shibboleth-idp to -Didp.home=/opt/shibboleth-idp, even though the comment suggests leaving it commented out!!!
  • Add the following lines to the end of the file:
    • -Djava.io.tmpdir=tmp
    • -Dorg.eclipse.jetty.LEVEL=DEBUG (so that we have logging info for Jetty start-up)

Configure HTTP Connectors

Be sure you deploy a valid server-side certificate (and change the file name and the password accordingly), as configured by the lines added to ssl.ini:

  • jetty.sslContext.keyStorePath=/opt/shibboleth-idp/credentials/idp-browser.p12
  • jetty.sslContext.keyStoreType=PKCS12
  • jetty.sslContext.keyStorePassword=thepasswordgoeshere

So far I didn't do any other configuration (neither logging nor SOAP sections).

Before trying to stop and start Jetty (it is launched automatically by the OS if configured as described in the post referenced in the previous blog entry), be sure you make jetty the owner of all files in the /opt/shibboleth-idp and /opt/jetty directories; otherwise it will not be able to read idp.war or the SSL certificate, for instance. Run sudo chown -R jetty:jetty /opt/shibboleth-idp (or chmod -R a+r /opt/shibboleth-idp, though that also makes the keystore and the password in ssl.ini readable by every local account). After a start (successful or not), have a look in the logging directories of jetty_base and shibboleth-idp.
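The three things above that most often break a first start (the -Didp.home line still commented out in start.ini, and the keystore named in ssl.ini not owned by the jetty user or readable by everyone) as a small POSIX shell check; this is an added example, not part of the original post. The paths, the ssl.ini location and the expected owner are passed in as arguments since they are assumptions, and the demo runs on a constructed temporary layout rather than the real /opt directories.

```shell
#!/bin/sh
# Pre-start sanity checks for the Jetty + Shibboleth IdP layout from this post.
# Checks: JETTY_BASE exists, start.ini has an uncommented -Didp.home line, and
# the keystore named in ssl.ini exists, is owned by the jetty user and is not
# world-readable (chmod -R a+r would expose it to every local account).
# Usage: check_idp_layout <idp_home> <jetty_base> <ssl_ini> <expected_owner>
# Prints one line per problem and returns the number of problems found.

check_idp_layout() {
    idp_home=$1; jetty_base=$2; ssl_ini=$3; owner=$4; problems=0

    if [ ! -d "$jetty_base" ]; then
        echo "JETTY_BASE $jetty_base does not exist"
        return 1
    fi
    # The line must be active, i.e. not behind a leading '#'.
    if ! grep -q "^-Didp.home=$idp_home\$" "$jetty_base/start.ini" 2>/dev/null; then
        echo "start.ini does not contain an uncommented -Didp.home=$idp_home"
        problems=$((problems + 1))
    fi

    # Keystore path as configured in ssl.ini (the key used in the post).
    keystore=$(sed -n 's/^jetty\.sslContext\.keyStorePath=//p' "$ssl_ini" 2>/dev/null)
    if [ -z "$keystore" ] || [ ! -f "$keystore" ]; then
        echo "ssl.ini does not point to an existing keystore (got '$keystore')"
        return $((problems + 1))
    fi
    actual_owner=$(ls -ld "$keystore" | awk '{print $3}')
    if [ "$actual_owner" != "$owner" ]; then
        echo "keystore $keystore is owned by $actual_owner, not $owner"
        problems=$((problems + 1))
    fi
    # -perm -004: matches when the 'other' read bit is set (world-readable).
    if [ -n "$(find "$keystore" -perm -004)" ]; then
        echo "keystore $keystore is world-readable; use chown, not chmod -R a+r"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Demo on a constructed layout in a temp directory (not the real /opt paths).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/jetty-base" "$demo_dir/credentials"
printf '%s\n' "#-Didp.home=/path/to/shibboleth-idp" > "$demo_dir/jetty-base/start.ini"
printf '%s\n' "jetty.sslContext.keyStorePath=$demo_dir/credentials/idp-browser.p12" > "$demo_dir/jetty-base/ssl.ini"
printf '%s\n' "not-a-real-keystore" > "$demo_dir/credentials/idp-browser.p12"   # constructed placeholder
chmod 644 "$demo_dir/credentials/idp-browser.p12"
n=0; check_idp_layout "$demo_dir" "$demo_dir/jetty-base" "$demo_dir/jetty-base/ssl.ini" "$(id -un)" || n=$?
echo "problems found: $n"   # 2: idp.home still commented out, keystore world-readable
rm -rf "$demo_dir"
```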

You could also start it by hand with java -jar /opt/jetty/start.jar -DDEBUG=true -Dorg.eclipse.jetty.LEVEL=DEBUG jetty.port=8085 (run it from jetty_base!; don't forget to check that /etc/environment contains the proper definition of JAVA_HOME).

Other helpful commands:

  • service jetty status -l
  • netstat -tulpn; use this command to see which processes keep TCP ports open (sometimes the Jetty service does not stop/start properly and a java process remains hung, keeping the HTTP and HTTPS ports open, which prevents restarting the service)

Jetty Default Environment Variables

I used the following /etc/default/jetty file:

JETTY_HOME=/opt/jetty
JETTY_BASE=/opt/shibboleth-idp/jetty-base
NO_START=0
JETTY_HOST=0.0.0.0
JETTY_USER=jetty

  • For a complete list of environment options, have a look in /etc/init.d/jetty
  • I suppose most of the options can be moved to start.ini (apart from JETTY_HOME, JETTY_BASE and JETTY_USER, of course) or replaced by specific Jetty configuration options from jetty_base/etc/*.ini (like jetty.ssl.host in ssl.ini)