...

Required Configuration Changes

  • Endorse Xerces and Xalan by creating the directory JETTY_HOME/lib/endorsed/ and copying all five of the .jar files from the endorsed/ directory of the IdP source distribution into it.
  • Jetty listens on ports 8080 and 8443 for user-facing web traffic by default. You will most likely need to change these to 80 and 443 in the jetty.xml and jetty-ssl.xml config files. Binding ports below 1024 requires privileges: either run Jetty as root (not recommended, since the whole servlet container then runs with root privileges) or use the Jetty setuid extension so that Jetty binds the privileged ports as root and then drops to an unprivileged user.
  • Add the following Java options to your start.ini (### stands for the amount of memory, in megabytes, to allow for the option):
    • -Xmx###m - the maximum heap size Jetty may use; at least 512M is recommended
    • -XX:MaxPermSize=128m - (Sun/Oracle HotSpot specific) the maximum size of the permanent generation object space; this only applies to Java 7 and earlier, since Java 8 removed the permanent generation and ignores the option with a warning
    • -Djava.endorsed.dirs=lib/endorsed - tells Jetty where the endorsed libraries are
  • Uncomment --exec, so that start.jar forks a new JVM with the options above applied
  • Uncomment etc/jetty-ssl.xml at the bottom of start.ini

...

Recommended Configuration Changes

  • Jetty uses /tmp as a staging area for unpacking the war file, and if you have cron jobs sweeping that directory for old files, your IdP can be disrupted. You will probably want to create a tmp directory under Jetty itself (owned by the account Jetty runs as and not readable by other local users, since /tmp is shared) and set -Djava.io.tmpdir=tmp in your start.ini.
  • The Jetty distribution ships with a number of example applications located in the JETTY_HOME/webapps directory and deployment descriptors located in JETTY_HOME/contexts. You should remove all of these unless you are specifically using them; every sample application left deployed is additional, unaudited attack surface on the IdP host.
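The required start.ini changes and the recommended private tmp directory from the two lists above, applied in one idempotent script. This is an added example, not code from the Shibboleth or Jetty projects. It assumes that JETTY_HOME/start.ini carries the stock commented lines "#--exec" and "#etc/jetty-ssl.xml", that the IdP source tree is unpacked at a directory passed as IDP_SRC (so the five jars are in IDP_SRC/endorsed/), and the paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not Shibboleth or Jetty project code): apply the required
# start.ini changes and the recommended private tmp directory to a Jetty 7
# installation, safely re-runnable. Assumes the stock Jetty 7 start.ini, which
# has "#--exec" and "#etc/jetty-ssl.xml" commented out.
set -eu

# Append a JVM option unless one with the same prefix is already active, so a
# deployer's larger -Xmx is not shadowed by a second -Xmx line.
add_jvm_option() {
    ini="$1"; opt="$2"; prefix="$3"
    grep -q -- "^$prefix" "$ini" && return 0
    printf '%s\n' "$opt" >> "$ini"
}

# Turn "#<line>" into "<line>"; no-op if the line is already uncommented.
uncomment_line() {
    ini="$1"; line="$2"
    grep -qxF -- "$line" "$ini" && return 0
    awk -v l="$line" '$0 == ("#" l) { print l; next } { print }' "$ini" > "$ini.tmp"
    mv "$ini.tmp" "$ini"
}

# Create lib/endorsed and copy the Xerces/Xalan jars from the IdP source tree.
endorse_jars() {
    jetty_home="$1"; idp_src="$2"
    mkdir -p "$jetty_home/lib/endorsed"
    cp "$idp_src"/endorsed/*.jar "$jetty_home/lib/endorsed/"
}

configure_start_ini() {
    jetty_home="$1"
    ini="$jetty_home/start.ini"
    add_jvm_option "$ini" "-Xmx512m"                          "-Xmx"
    add_jvm_option "$ini" "-XX:MaxPermSize=128m"              "-XX:MaxPermSize"
    add_jvm_option "$ini" "-Djava.endorsed.dirs=lib/endorsed" "-Djava.endorsed.dirs"
    add_jvm_option "$ini" "-Djava.io.tmpdir=tmp"              "-Djava.io.tmpdir"
    uncomment_line "$ini" "--exec"
    uncomment_line "$ini" "etc/jetty-ssl.xml"
    # Private staging directory for the unpacked war instead of the shared,
    # cron-swept /tmp; owner-only so other local users cannot tamper with it.
    mkdir -p "$jetty_home/tmp"
    chmod 700 "$jetty_home/tmp"
}

# Usage (placeholder paths), after unpacking Jetty and the IdP source:
#   endorse_jars /opt/jetty /usr/local/src/shibboleth-identityprovider
#   configure_start_ini /opt/jetty
```

Run it as the account that owns JETTY_HOME, not as root, so the files it creates end up with the right owner; the -Xmx value is the minimum the page recommends and can be raised before the first run.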

Supporting SOAP Endpoints

Service Providers will sometimes make direct connections to the IdP. Most new deployments without legacy needs will not need to support back-channel SOAP communication. The most common case requiring this feature is support for legacy Shibboleth SPs using SAML 1.1 that perform attribute queries using SOAP.

If you do need this support, these connections require TLS settings that are not appropriate for a browser-facing port: the connector presents the IdP's own credential and delegates the evaluation of the SP's client certificate to the IdP application rather than to the container's trust store. Therefore a separate endpoint must be configured.

  1. Copy jetty7-dta-ssl-2.0.0.jar to JETTY_HOME/lib/ext. A detached PGP signature for the jar is available at https://build.shibboleth.net/nexus/content/repositories/releases/net/shibboleth/utilities/jetty7/jetty7-dta-ssl/2.0.0/jetty7-dta-ssl-2.0.0.jar.asc; verify it before installing, since anything in lib/ext is loaded by the container itself.
  2. Create the file JETTY_HOME/etc/shibboleth.xml and place the following content in it:

    <Configure id="Server" class="org.eclipse.jetty.server.Server">
      <Call name="addConnector">
        <Arg>
          <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
            <Arg>
              <New class="net.shibboleth.utilities.jetty7.DelegateToApplicationSslContextFactory">
                <Set name="keyStore">IDP_HOME/credentials/idp.jks</Set>
                <Set name="keyStorePassword">PASSWORD</Set>
              </New>
            </Arg>
            <Set name="port">8443</Set>
            <Set name="maxIdleTime">30000</Set>
          </New>
        </Arg>
      </Call>
    </Configure>
    
  3. Replace IDP_HOME with the IdP home directory entered during installation.
  4. Replace PASSWORD with the password for the IdP key entered during installation. The file now holds that password in the clear, so make it readable only by the account Jetty runs as (for example, mode 600 and owned by that account).
  5. Add etc/shibboleth.xml to your Jetty start.ini file (toward the bottom of the file you should see other configuration files listed).
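The five steps above as one script: it verifies the jar's detached signature before anything lands in lib/ext, renders the connector file with IDP_HOME and PASSWORD filled in (XML-escaping the password), writes it owner-only from the moment it is created, and registers it in start.ini once. This is an added example, not Shibboleth project code. It assumes the jar and its .asc signature were downloaded side by side, that the Shibboleth release signing key is already in the local gpg keyring, that the connector file is etc/shibboleth.xml, and that the paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not Shibboleth project code): install the back-channel SOAP
# connector for a Jetty 7 IdP. Assumes JAR.asc sits beside JAR, the release
# signing key is in the local gpg keyring, and the file name etc/shibboleth.xml.
set -eu

# Verify the detached signature before the jar goes onto the container's own
# classpath; gpg --verify fails (and set -e stops the script) on a bad signature.
install_dta_jar() {
    jetty_home="$1"; jar="$2"
    gpg --verify "$jar.asc" "$jar"
    install -m 0644 "$jar" "$jetty_home/lib/ext/"
}

# Escape a value for use as XML text; a keystore password containing &, < or >
# would otherwise corrupt the file. The & rule must run first.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# Emit the connector definition with IDP_HOME and PASSWORD substituted.
render_backchannel_xml() {
    idp_home="$1"; password=$(xml_escape "$2")
    cat <<EOF
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
        <Arg>
          <New class="net.shibboleth.utilities.jetty7.DelegateToApplicationSslContextFactory">
            <Set name="keyStore">$idp_home/credentials/idp.jks</Set>
            <Set name="keyStorePassword">$password</Set>
          </New>
        </Arg>
        <Set name="port">8443</Set>
        <Set name="maxIdleTime">30000</Set>
      </New>
    </Arg>
  </Call>
</Configure>
EOF
}

# The file holds the keystore password in the clear: create it with mode 600
# (umask in a subshell, so the caller's umask is untouched), then add it to
# start.ini only if it is not already listed.
write_backchannel_xml() {
    jetty_home="$1"; idp_home="$2"; password="$3"
    out="$jetty_home/etc/shibboleth.xml"
    ( umask 077; render_backchannel_xml "$idp_home" "$password" > "$out" )
    grep -qxF -- 'etc/shibboleth.xml' "$jetty_home/start.ini" \
        || printf 'etc/shibboleth.xml\n' >> "$jetty_home/start.ini"
}

# Usage (placeholder paths):
#   install_dta_jar /opt/jetty "$HOME/downloads/jetty7-dta-ssl-2.0.0.jar"
#   write_backchannel_xml /opt/jetty /opt/shibboleth-idp 'keystore-password'
```

Pass the password as a quoted argument from a prompt or a protected file rather than typing it on a shared command line, since command arguments are visible to other users in the process list.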

Deploying the IdP

In order to deploy the IdP, Jetty must be informed of the location of the IdP war. This can be done as follows:

Warning

The instructions below do not work with Jetty 9; there, idp.xml must be created in the JETTY_HOME/webapps directory instead.

  1. Create the file JETTY_HOME/contexts/idp.xml and place the following content in it:

    <Configure class="org.eclipse.jetty.webapp.WebAppContext">
      <Set name="war">IDP_HOME/war/idp.war</Set>
      <Set name="contextPath">/idp</Set>
      <Set name="extractWAR">false</Set>
      <Set name="copyWebDir">false</Set>
    </Configure>
    

    Recent Jetty versions may also need <Set name="copyWebInf">true</Set> declared (this cures the java.lang.IllegalArgumentException spam on startup). In that case the file becomes:

    <Configure class="org.eclipse.jetty.webapp.WebAppContext">
      <Set name="war">IDP_HOME/war/idp.war</Set>
      <Set name="contextPath">/idp</Set>
      <Set name="extractWAR">false</Set>
      <Set name="copyWebDir">false</Set>
      <Set name="copyWebInf">true</Set>
    </Configure>
    
  2. Replace IDP_HOME with your IdP's home directory.

...