
We provide a Windows installation package for the Jetty container software to simplify installation and upgrades. The MSI installs Jetty itself, a jetty-base configuration tree suitable for running the IdP software on Windows, and other components needed to run Jetty (with the IdP) as a system service. Thus, it includes:

  • The Apache Procrun executable, which is used to run Java programs as Windows system services

  • The Jetty servlet container and web server

  • A jetty-base configuration that supports basic use of the IdP within Jetty, largely derived from our examples

It does sufficient configuration of all these subsystems to allow the IdP to be started and run, either under the standard system account or as a specified user. Such a user would usually be given more limited privileges and access.

Release History

  • Sep 10, 2023 - Jetty 12.0.13 (see below for some important notes and caveats)

  • Nov 3, 2023 – Jetty 11.0.18

  • Oct 11, 2023 - Jetty 11.0.17

  • Aug 31, 2023 - Jetty 11.0.16

Prerequisites

You must download and install the "Visual C++ redistributable packages for Visual Studio 2015, 2017 and 2019". At the time of writing this is available from this link. You need the file vc_redist.x64.exe. You can establish whether this is needed by looking for the file c:\Windows\system32\ucrtbase.dll, but it is safe to run the executable multiple times.

You must install a Java JDK (Version 17 or greater - see Java Distributions) and ensure that a system environment variable named JAVA_HOME points at the installation.

Downloading

Download the appropriate MSI package for your system from Index of /downloads/identity-provider/jetty-windows

The name of the installer is shibboleth-jetty-base-x64-<EmbeddedJettyVerson>.msi

Installation and Update

The process for a new installation or an update is very similar; only one configuration dialog is presented.

...

Appropriate ACLs are placed onto the IdP installation using SetACLCommand and explicit calls to icacls. These allow Administrators full access and no one else any access. Thus all management needs to be done from an elevated process. Additionally, if 'Run as User' is specified then that user is given read access to the IdP installation and write access to the log folders:

  • %IDP_HOME%\logs


  • \Program Files (x86)\Shibboleth\log
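
A check of the ACL policy described above, as an added example (not part of the installer or the project's code): it lists allow entries under %IDP_HOME% that belong to unexpected principals, and write access held by the service user outside the log folders. The function name, the treatment of SYSTEM as an expected principal and the sample account name are assumptions.

```powershell
# Added example, not project code. Run from an elevated session, since the
# policy above leaves only Administrators able to read the tree.
function Get-UnexpectedIdpAccess {
    param(
        [Parameter(Mandatory)] [string] $IdpHome,
        [string]   $RunAsUser,                                # e.g. 'EXAMPLE\svc-idp' (constructed)
        [string[]] $LogFolders   = @((Join-Path $IdpHome 'logs')),
        # Assumption: BUILTIN\Administrators and SYSTEM (default service account) are expected.
        [string[]] $ExpectedSids = @('S-1-5-32-544', 'S-1-5-18')
    )
    $sidType   = [System.Security.Principal.SecurityIdentifier]
    # File write bits plus GENERIC_WRITE | GENERIC_ALL, which inherit-only ACEs can carry.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor 0x50000000
    $userSid   = if ($RunAsUser) {
        ([System.Security.Principal.NTAccount]$RunAsUser).Translate($sidType).Value
    }
    $logRoots  = $LogFolders | ForEach-Object { (Resolve-Path -LiteralPath $_).Path.TrimEnd('\') }

    $items = @(Get-Item -LiteralPath $IdpHome) +
             @(Get-ChildItem -LiteralPath $IdpHome -Recurse -Force)
    foreach ($item in $items) {
        $inLogs = [bool]($logRoots | Where-Object {
            $item.FullName -eq $_ -or
            $item.FullName.StartsWith("$_\", [StringComparison]::OrdinalIgnoreCase) })
        $rules = (Get-Acl -LiteralPath $item.FullName).GetAccessRules($true, $true, $sidType)
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $sid = $ace.IdentityReference.Value
            $finding = $null
            if ($ExpectedSids -notcontains $sid) {
                if ($sid -ne $userSid) {
                    $finding = 'unexpected principal'
                } elseif (-not $inLogs -and (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) {
                    $finding = 'service user can write outside the log folders'
                }
            }
            if ($finding) {
                [pscustomobject]@{ Path = $item.FullName; Sid = $sid
                                   Rights = $ace.FileSystemRights; Finding = $finding }
            }
        }
    }
}

# Get-UnexpectedIdpAccess -IdpHome $env:IDP_HOME -RunAsUser 'EXAMPLE\svc-idp' | Format-Table -AutoSize
```

An empty result means every allow entry under %IDP_HOME% matches the policy; the log folder under \Program Files (x86)\Shibboleth lies outside that tree and is not scanned here.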

Updating to or Using Jetty 12

With the release of the Jetty 12 container, the project is removing all support for managing the “backchannel”, which is a secondary virtual host listening on a separate port and supporting client TLS authentication. Customers who need this should be managing their own Jetty installations. Deployers requiring support for SAML Artifact binding or Attribute Query profile usage should consider migrating that support to the standard port 443. The IdP will rely on message signature verification rather than TLS client authentication for securing those requests.

Prior to upgrading to Jetty 12 for the first time, you must complete this migration to port 443 and update and distribute your metadata appropriately. You should NOT remove the backchannel properties from jetty-base\start.d\idp.ini at this stage (since your existing Jetty installation will still support the backchannel and expect the properties). Once the metadata has propagated and traffic has been tested and migrated, you can upgrade to Jetty 12.

After the installation, you should then update your jetty-base\start.d\idp.ini to remove these backchannel properties:

idp.backchannel.keyStorePassword
idp.backchannel.keyStorePath
idp.backchannel.keyStoreType
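
The ordering described above (keep the properties while the older Jetty is installed, remove them once Jetty 12 is in place) can be checked with a script like the following. It is an added example, not project code; the function name, its parameters and the sample lines are assumptions made for illustration.

```powershell
# Added example. Reports property names only, never values, because
# idp.backchannel.keyStorePassword holds a secret.
function Test-IdpIniBackchannel {
    param(
        [Parameter(Mandatory)] [AllowEmptyString()] [string[]] $IniLines,
        [Parameter(Mandatory)] [int] $JettyMajorVersion
    )
    $names = 'idp.backchannel.keyStorePassword',
             'idp.backchannel.keyStorePath',
             'idp.backchannel.keyStoreType'
    $present = @(foreach ($line in $IniLines) {
        $text = $line.Trim()
        if ($text -eq '' -or $text.StartsWith('#')) { continue }   # blank or commented out
        $key = ($text -split '=', 2)[0].Trim()
        if ($names -contains $key) { $key }
    })
    $missing = @($names | Where-Object { $present -notcontains $_ })
    $status = if ($JettyMajorVersion -ge 12) {
        if ($present.Count) { 'REMOVE: backchannel properties still set after the Jetty 12 upgrade' }
        else                { 'OK' }
    } else {
        if ($missing.Count) { 'WARNING: removed too early, the installed Jetty still expects these' }
        else                { 'OK: keep these until after the upgrade' }
    }
    [pscustomobject]@{ Present = $present; Missing = $missing; Status = $status }
}

# Constructed sample content; on a real host read the file instead:
#   Get-Content "$env:IDP_HOME\jetty-base\start.d\idp.ini"
$sample = @(
    '# constructed sample, not the shipped file'
    'idp.backchannel.keyStorePath=../credentials/idp-backchannel.p12'
    'idp.backchannel.keyStoreType=PKCS12'
    '#idp.backchannel.keyStorePassword=changeit'
)
Test-IdpIniBackchannel -IniLines $sample -JettyMajorVersion 12
```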

Further Configuration

Your separate IdP installation is of course fully configurable as normal, but the only configuration of Jetty which is available to you is in the file %IDP_HOME%\jetty-base\start.d\idp.ini, and you should not edit any other file in the jetty-base directory, let alone files in the Jetty installation directory, because you will lose these changes when you perform Jetty upgrades.

You must not add any modules to the configuration, or make any change to this file other than editing the 6 properties provided in its default version.

If you need to edit any file except idp.ini (or make changes to idp.ini beyond changing the 6 properties), then you are an advanced user and should deploy your own container. You can still use the Windows Installer for the IdP itself if you choose.

You may choose to make changes to the Java environment in which Jetty runs via the c:\Program Files (x86)\Shibboleth\Procrun\shib_idpw.exe program. Typical changes include changing the memory requirements or adding system variables (required by plugins). The only change which will survive an upgrade is the "Maximum memory pool". All other changes will not survive an upgrade. If you need to make substantial or long lived changes you should consider installing your own container.

Properties

The jetty-base installation can be driven from the command line by using MSI properties.

...

| MSI Property | Default | Description |
| --- | --- | --- |
| ALWAYS_START_SERVICE | TRUE | If set to FALSE the installer does not try to start the service (failing to start the service can cause the install to unwind, in which situation debugging the install can be aggravating and long-winded) |
| NO_FIREWALL | | By default the installer sets up a firewall exception for the system service. This property suppresses it. |
| INSTALL_JETTYD_USER | | Controls whether to set the system service to run as a specified user |
| JETTYD_USER | | The specified user |
| JETTYD_DOMAIN | %USERDOMAIN% | The specified user’s domain |
| JETTYD_PASSWORD | | The specified user’s password |

Version Support

New versions of the Jetty installer are normally tested with the current IdP version, but with no previous ones. While the IdP version should in general be independent of the Jetty installer version, the only supported versions are the latest Jetty installer on the latest IdP release.