...

You should download and install the "Visual C++ redistributable packages for Visual Studio 2015, 2017 and 2019". At the time of writing this is available from this link. You need the file vc_redist.x64.exe (or vc_redist.x86.exe for a 32 bit install).

You can establish whether this is needed by checking for the file c:\Windows\system32\ucrtbase.dll, but it is safe to run the executable multiple times.

...

If you chose to install Jetty, then an incoming firewall exception will be added for the system service which runs Jetty.

64 or 32 bit Installer?

You should install the version for the OS you are running. On a 64 bit machine you should install a 64 bit Java and use the 64 bit installer.

...

The 64 bit installer will not run on a 32 bit machine.

...

The 32 bit installer will not run on a 64 bit machine.

...

Running Jetty as a Captive Account 4.3

Up until V4.3 the system service running Jetty was always run under the LocalSystem account. Starting in V4.3 it is possible to run the service as a specified account (which need not have any privileges beyond "Log on as a service").

To use this you have to have created the account and given it the appropriate privilege prior to running the installation. You might want to use a Service Account.

Then, during installation (or upgrade), tick the "Run as User" check box and supply the credentials:

...

Java Installed from a .tar.gz file (tarball)

Some Java server installations are delivered as a .tar.gz tarball. For obvious reasons an installation from a tarball does not populate any registry settings, which means that the Jetty installation cannot locate the correct JVM to run. This means that shibd_idp does not start.

To fix this:

  1. Run shibd_idpw

  2. Go to the "Java" tab

  3. Untick "Use Default"

  4. Under "Java Virtual Machine" browse to %JAVA_HOME%\jre\bin\server\jvm.dll (for instance: C:\Program Files\java\jdk1.8.0_25\jre\bin\server\jvm.dll)

Troubleshooting the Jetty installation

...

If you tick the "Install Jetty" check box then a minimal Jetty is installed and a service called shibd_idp is created to run the Jetty installation. By default the service will start automatically, but if it does not, this is usually due to the specification of the Java runtime.

You can tell whether the service has started from an elevated command line:

C:\Users\Administrator>sc interrogate shibd_idp
[SC] ControlService FAILED 1062:
The service has not been started.

The easiest way to debug such a situation is a combination of the parameters setting tool (procrun\shibd_idpw.exe), the procrun logs (procrun\log) and running the service from the command line (procrun\shibd_idp.exe, or procrun\amd64\shibd_idp.exe on an x64 machine).

When you run shibd_idp.exe on a successfully configured system you will see something like this in the common-daemons.2015-01-29 log:

[2015-01-29 14:09:07] [info]  [ 2124] Commons Daemon procrun (1.0.15.0 64-bit) started
[2015-01-29 14:09:07] [info]  [ 2124] Debugging 'shibd_idp' service...
[2015-01-29 14:09:07] [info]  [ 2124] Starting service...
[2015-01-29 14:09:08] [info]  [ 2124] Service started in 1092 ms.

On an unsuccessfully configured system it may look like this:

[2015-01-29 14:07:30] [info]  [ 1896] Commons Daemon procrun (1.0.15.0 32-bit) started
[2015-01-29 14:07:30] [info]  [ 1896] Debugging 'shibd_idp' service...
[2015-01-29 14:07:30] [info]  [ 1896] Starting service...
[2015-01-29 14:07:30] [error] [ 1896] Failed creating java 
[2015-01-29 14:07:30] [error] [ 1896] ServiceStart returned 1
[2015-01-29 14:07:30] [info]  [ 1896] Debug service finished with exit code 1
[2015-01-29 14:07:30] [error] [ 1896] Commons Daemon procrun failed with exit value: 3 (Failed to run service as console application)

This is usually due to one of two causes.

...

On an x64 machine, running against a 32 bit Java installation. This can be shown because the 32 bit system service (procrun\shibd_idp.exe) will start but the 64 bit one (procrun\amd64\shibd_idp.exe) will not. This can be fixed by changing the image associated with the service as described above.
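To make the comparison above mechanical, here is an added example (not part of the Shibboleth project or this page) that parses the procrun log lines quoted earlier and reports the bitness-mismatch diagnosis when the 32 bit image starts but the 64 bit image fails. The two log texts are constructed to model the page's output, with the bitness swapped to match the x64-with-32-bit-Java case.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample logs modelled on the procrun output shown on this page.
RUN32_LOG = """[2015-01-29 14:09:07] [info]  [ 2124] Commons Daemon procrun (1.0.15.0 32-bit) started
[2015-01-29 14:09:07] [info]  [ 2124] Debugging 'shibd_idp' service...
[2015-01-29 14:09:07] [info]  [ 2124] Starting service...
[2015-01-29 14:09:08] [info]  [ 2124] Service started in 1092 ms.
"""
RUN64_LOG = """2015-01-29 14:07:30] [info]  [ 1896] Commons Daemon procrun (1.0.15.0 64-bit) started
[2015-01-29 14:07:30] [info]  [ 1896] Debugging 'shibd_idp' service...
[2015-01-29 14:07:30] [info]  [ 1896] Starting service...
[2015-01-29 14:07:30] [error] [ 1896] Failed creating java
[2015-01-29 14:07:30] [error] [ 1896] ServiceStart returned 1
"""

# "[timestamp] [level]  [ pid] message"; the leading "[" is optional because
# the first line of a pasted log is sometimes missing it, as on this page.
LINE_RE = re.compile(r"^\[?(?P<ts>[^\]]+)\] \[(?P<level>\w+)\]\s+\[\s*(?P<pid>\d+)\] (?P<msg>.*)$")
BITS_RE = re.compile(r"procrun \(\S+ (?P<bits>32|64)-bit\) started")


@dataclass
class ProcrunRun:
    bits: Optional[int] = None          # 32 or 64, taken from the banner line
    started: bool = False               # saw "Service started in ... ms."
    errors: List[str] = field(default_factory=list)


def parse_procrun_log(text: str) -> ProcrunRun:
    """Extract procrun bitness, start result and error messages from one log."""
    run = ProcrunRun()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg").strip()
        b = BITS_RE.search(msg)
        if b:
            run.bits = int(b.group("bits"))
        elif msg.startswith("Service started"):
            run.started = True
        elif m.group("level") == "error":
            run.errors.append(msg)
    return run


def diagnose(run32: ProcrunRun, run64: ProcrunRun) -> str:
    """Compare the 32 bit and 64 bit procrun images run on the same host."""
    jvm_fail64 = any(e.startswith("Failed creating java") for e in run64.errors)
    if run32.started and not run64.started and jvm_fail64:
        return "bitness-mismatch"   # 32 bit Java on an x64 machine
    if not run32.started and not run64.started:
        return "no-jvm"             # neither image loads a JVM: check jvm.dll path
    return "ok"
```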

...

be started immediately but you can override this by running the installer with the property ALWAYS_START_SERVICE set to "NO" (from V4.3).

C:\>msiexec /i IDP....msi ALWAYS_START_SERVICE=NO

Sometimes the service not starting can cause the entire installation to be rolled back, and this command is a useful guide to diagnosing these situations. In particular, if you are running the service as a captive account you may need to check the password or, if your installation is advanced or non-standard, to inspect or add to the ACLs on the file system.

Another common reason for the service not starting is that it could not locate the correct JVM.DLL. This can often be diagnosed by turning up the logging to debug in the

...

shibd_idpw tool and closely inspecting the log. The procrun software goes to considerable lengths to find a workable JVM and we have not been able to make this fail in the lab, but you can specify the JVM.DLL to be used in the Java tab of the parameters tool.

Suppressing Firewall Exceptions

If you chose to install Jetty, then an incoming firewall exception will be added for the system service which runs Jetty. This can be suppressed by running the installer with the property NO_FIREWALL_EXCEPTION set to any value.

C:\>msiexec /i shibboleth-identity-provider-3.xxxi IDP...msi NO_FIREWALL_EXCEPTION=true

Again, it needs to be reiterated that if you need control at this level you are approaching the point at which you would be recommended to install and manage your own separate Jetty instance.

...

If you have chosen to configure for Active Directory then much, but not all, of the configuration will have been done for you. You do need to:

  1. Complete LDAP configuration by providing the AD server's certificate information to the IdP in the ldap.properties file.

  2. Complete Metadata configuration by providing the metadata for the SPs you will interoperate with in the metadata-providers.xml file.

See Configuration for more details.

...

To upgrade, download the appropriate MSI package for your system from https://shibboleth.net/downloads/identity-provider/latest/ and run it. When the installer encounters an upgrade the only dialog is to ask whether Jetty is to be installed and to query the account details.

...

The check box is set to the value that was selected on the previous install. As noted in the Upgrading topic, no existing configuration is overwritten by an upgrade and so no new configuration information is asked for. New configuration files may be populated, but existing files are never touched.

Note that although the User Domain and Username are remembered, the password is never stored and so always needs to be supplied on upgrade (if you are not using a Service Account).

Service releases and "Same Version upgrades"

...