...
The start.d/idp.ini file that configures the “idp” module contains not only the bulk of the basic settings needed, but is also the place to add your own settings to control JVM startup, change which logging module is used, etc.
Configure Jetty Modules and JVM Settings
File(s): start.d/idp.ini, start.ini
...
start.ini
```ini
# Any other required Jetty modules...

# Allows setting Java system properties (-Dname=value)
# and JVM flags (-X, -XX) in this file
# NOTE: spawns child Java process
--exec

# Uncomment if IdP is installed somewhere other than /opt/shibboleth-idp
#-Didp.home=/path/to/shibboleth-idp

# Maximum amount of memory that Jetty may use, at least 1.5G is recommended
# for handling larger (> 25M) metadata files but you will need to test on
# your particular metadata configuration. If MDQ metadata on demand is used,
# requirements may be much lower.
-Xmx1500m

# Prevent blocking for entropy.
-Djava.security.egd=file:/dev/urandom

# Set Java tmp location
-Djava.io.tmpdir=tmp
```
...
- Use the setuid extension to support listening on the privileged ports as a non-root user.
- Use a port forwarding approach (load balancer, iptables rules, etc.).
- Use POSIX capabilities to allow use of privileged ports by an unprivileged process, e.g. when using systemd, by setting `AmbientCapabilities=CAP_NET_BIND_SERVICE` in the service unit.
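The capabilities option above, worked through as an added example (this is not code from the Shibboleth project or its Jetty base): a systemd unit that runs Jetty as an unprivileged user with only CAP_NET_BIND_SERVICE granted, plus a check that the running JVM actually received the capability. The `jetty` account, the `/opt/jetty` and `/opt/shibboleth-idp/jetty-base` paths and the `/usr/bin/java` launcher are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Shibboleth IdP distribution: run Jetty as an
# unprivileged user and still bind ports 443/80 through an ambient capability.
# The "jetty" account, JETTY_HOME/JETTY_BASE paths and java path are assumed.
set -eu

# Write a systemd unit that grants only CAP_NET_BIND_SERVICE. Ambient
# capabilities are preserved across the execve() of the child JVM that
# "--exec" in start.ini spawns, and NoNewPrivileges does not strip them.
write_jetty_unit() {
  cat > "$1" <<'EOF'
[Unit]
Description=Jetty (Shibboleth IdP)
After=network.target

[Service]
User=jetty
Group=jetty
WorkingDirectory=/opt/shibboleth-idp/jetty-base
ExecStart=/usr/bin/java -jar /opt/jetty/start.jar
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target
EOF
}

# True if a capability mask as printed in /proc/<pid>/status (hex, e.g. the
# CapEff value) includes CAP_NET_BIND_SERVICE, which is capability number 10.
cap_has_net_bind_service() {
  [ $(( 0x$1 >> 10 & 1 )) -eq 1 ]
}

# True if running process <pid> has CAP_NET_BIND_SERVICE in its effective
# set. Run this after "systemctl start" to confirm the grant reached the
# JVM that owns the listener, not only the start.jar launcher (Linux only).
pid_has_net_bind_service() {
  capeff=$(awk '/^CapEff:/ { print $2 }' "/proc/$1/status")
  cap_has_net_bind_service "$capeff"
}

# Report the state of every java process on the host.
check_java_processes() {
  for pid in $(pgrep -x java 2>/dev/null); do
    if pid_has_net_bind_service "$pid"; then
      echo "pid $pid: CAP_NET_BIND_SERVICE present"
    else
      echo "pid $pid: CAP_NET_BIND_SERVICE missing"
    fi
  done
}
```

`CapabilityBoundingSet` is narrowed to the same single capability so that nothing else can be regained later, and `NoNewPrivileges` closes off setuid helpers; both are deliberate tightening beyond the one-line directive the list item shows.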
idp.ini
```ini
# ---------------------------------------
# Module: idp
# Shibboleth IdP
# ---------------------------------------
--module=idp

## Keystore file path (relative to $jetty.base)
jetty.sslContext.keyStorePath=../credentials/idp-userfacing.p12

## Truststore file path (relative to $jetty.base)
jetty.sslContext.trustStorePath=../credentials/idp-userfacing.p12

## Keystore type
jetty.sslContext.keyStoreType=PKCS12

## Truststore type and provider
jetty.sslContext.trustStoreType=PKCS12

## Keystore password
jetty.sslContext.keyStorePassword=changeit

## Truststore password
jetty.sslContext.trustStorePassword=changeit

## KeyManager password
jetty.sslContext.keyManagerPassword=changeit

## Deny SSL renegotiation
jetty.sslContext.renegotiationAllowed=false

## Connector host/address to bind to
# jetty.ssl.host=0.0.0.0

## Connector port to listen on
jetty.ssl.port=443

# Allows use of default IdP command line tools.
jetty.http.host=127.0.0.1
jetty.http.port=80
```
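Three things in the file above deserve a check before going live: the three `changeit` values are the well-known Java default and must be replaced, `renegotiationAllowed` must stay `false`, and the plain-HTTP connector should stay on loopback because it only exists for the command-line tools. The script below is an added example (not part of the Shibboleth IdP distribution) that audits an idp.ini for exactly those points; the "weak" and "fixed" sample files are constructed here, and the replacement password in the fixed sample is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the Shibboleth IdP distribution: audit a Jetty
# start.d/idp.ini for the settings a review of the file would check. Prints
# one FINDING line per problem and succeeds only if there are none.
set -eu

# Last value assigned to key $2 in ini file $1 (empty if the key is absent).
ini_get() {
  grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

audit_idp_ini() {
  f=$1
  n=0
  # The three store/key passwords ship as Java's well-known default.
  for key in jetty.sslContext.keyStorePassword \
             jetty.sslContext.trustStorePassword \
             jetty.sslContext.keyManagerPassword; do
    val=$(ini_get "$f" "$key")
    case "$val" in
      ''|changeit|password)
        echo "FINDING: $key is empty or a well-known default"
        n=$((n + 1)) ;;
    esac
  done
  # TLS renegotiation must stay disabled.
  if [ "$(ini_get "$f" jetty.sslContext.renegotiationAllowed)" != false ]; then
    echo "FINDING: jetty.sslContext.renegotiationAllowed is not false"
    n=$((n + 1))
  fi
  # The plain-HTTP connector exists for the IdP command-line tools only;
  # an unset host binds every interface and exposes an unencrypted listener.
  case "$(ini_get "$f" jetty.http.host)" in
    127.0.0.1|localhost|::1) ;;
    *)
      echo "FINDING: jetty.http.host is not bound to loopback"
      n=$((n + 1)) ;;
  esac
  [ "$n" -eq 0 ]
}

# Constructed samples for the example: $2 is "weak" (defaults) or "fixed".
write_sample_ini() {
  if [ "$2" = weak ]; then
    cat > "$1" <<'EOF'
--module=idp
jetty.sslContext.keyStorePath=../credentials/idp-userfacing.p12
jetty.sslContext.keyStorePassword=changeit
jetty.sslContext.trustStorePassword=changeit
jetty.sslContext.keyManagerPassword=changeit
jetty.sslContext.renegotiationAllowed=true
jetty.ssl.port=443
jetty.http.port=80
EOF
  else
    cat > "$1" <<'EOF'
--module=idp
jetty.sslContext.keyStorePath=../credentials/idp-userfacing.p12
jetty.sslContext.keyStorePassword=example-only-Xq7-replace-me
jetty.sslContext.trustStorePassword=example-only-Xq7-replace-me
jetty.sslContext.keyManagerPassword=example-only-Xq7-replace-me
jetty.sslContext.renegotiationAllowed=false
jetty.ssl.port=443
jetty.http.host=127.0.0.1
jetty.http.port=80
EOF
  fi
}
```

Run it as `audit_idp_ini /opt/shibboleth-idp/jetty-base/start.d/idp.ini` from a shell that has sourced the script; a non-zero exit with FINDING lines means the file still carries a default from the template.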
...
etc/jetty-requestlog.xml
```xml
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "https://www.eclipse.org/jetty/configure_10_0.dtd">

<!-- =============================================================== -->
<!-- Configure the Jetty Request Log                                 -->
<!-- =============================================================== -->
<Configure id="Server" class="org.eclipse.jetty.server.Server">

    <!-- =========================================================== -->
    <!-- Configure Request Log for Server                            -->
    <!-- Use RequestLogHandler for a context specific RequestLog     -->
    <!-- =========================================================== -->
    <Set name="RequestLog">
      <New id="RequestLog" class="org.eclipse.jetty.server.CustomRequestLog">
        <!-- Writer -->
        <Arg>
          <New class="org.eclipse.jetty.server.Slf4jRequestLogWriter" />
        </Arg>
        <!-- Format String -->
        <Arg>
          <Property name="jetty.requestlog.formatString" deprecated="jetty.customrequestlog.formatString">
            <Default>
              <Get class="org.eclipse.jetty.server.CustomRequestLog" name="EXTENDED_NCSA_FORMAT"/>
            </Default>
          </Property>
        </Arg>
      </New>
    </Set>
</Configure>
```
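What the configuration above actually produces is one extended-NCSA line per request: client address, user, timestamp, the quoted request line, status, bytes sent, then the quoted Referer and User-Agent. The script below is an added example (not part of the Shibboleth IdP distribution or Jetty) showing how to consume that output for triage: it finds clients with a run of 4xx/5xx responses and lists their requests. The log lines are constructed for the example and use RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example, not part of the Shibboleth IdP distribution: summarise a
# Jetty request log written with EXTENDED_NCSA_FORMAT. Splitting on the
# double quote gives stable fields even when the User-Agent contains spaces:
#   $1 = "client - user [time] "   $2 = request line
#   $3 = " status bytes "          $4 = referer   $6 = user agent
set -eu

# Constructed sample log for the example (RFC 5737 addresses, made-up paths).
write_sample_log() {
  cat > "$1" <<'EOF'
192.0.2.10 - - [15/Mar/2024:10:15:32 +0000] "GET /idp/profile/SAML2/Redirect/SSO?SAMLRequest=fZHB HTTP/1.1" 302 0 "https://sp.example.org/" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.10 - - [15/Mar/2024:10:15:33 +0000] "POST /idp/profile/SAML2/Redirect/SSO?execution=e1s1 HTTP/1.1" 200 4821 "https://idp.example.org/" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [15/Mar/2024:10:16:01 +0000] "GET /idp/profile/SAML2/Unsolicited/SSO?providerId=x HTTP/1.1" 400 512 "-" "curl/8.4.0"
198.51.100.7 - - [15/Mar/2024:10:16:02 +0000] "GET /idp/status HTTP/1.1" 403 0 "-" "curl/8.4.0"
198.51.100.7 - - [15/Mar/2024:10:16:03 +0000] "GET /../etc/passwd HTTP/1.1" 400 0 "-" "curl/8.4.0"
203.0.113.5 - - [15/Mar/2024:10:17:45 +0000] "GET /idp/shibboleth HTTP/1.1" 200 6144 "-" "Mozilla/5.0 (Windows NT 10.0) a b"
EOF
}

# Per client address, count 4xx/5xx responses and print clients with at
# least $2 of them as "<client> <errors> <total>", most errors first.
error_clients() {
  awk -F'"' -v min="$2" '
    {
      split($1, head, " "); client = head[1]
      split($3, resp, " "); status = resp[1] + 0
      total[client]++
      if (status >= 400) errors[client]++
    }
    END {
      for (c in total)
        if (errors[c] + 0 >= min)
          printf "%s %d %d\n", c, errors[c] + 0, total[c]
    }' "$1" | sort -k2,2nr
}

# Every request from one client as "<status> <request line>", in log order.
client_requests() {
  awk -F'"' -v who="$2" '
    {
      split($1, head, " "); split($3, resp, " ")
      if (head[1] == who) printf "%s %s\n", resp[1], $2
    }' "$1"
}
```

Because the writer is `Slf4jRequestLogWriter`, the lines land wherever the logging module routes the `org.eclipse.jetty.server.RequestLog` logger, so point these functions at that file rather than at Jetty's own stderr output.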
...