...
Note |
---|
Restricting ACLs: Note that prior to V3.4.1, the installer did not adjust file system ACLs based on your install path. As of that version, we have added changes that are designed to provide full access to the administrative/system accounts and read access to the standard “Users” group (primarily for IIS). Wherever you choose to install the software, you should consider reviewing and hardening the file and folder access to that location. Most of these folders and files should be read-only. The daemon process runs by default as a system account and should already have the necessary access. If possible, prevent all other access to the private key file(s), as those need not be readable by anything else, and do not allow any other users to write files or create folders or files. If you run your web server under a different user account (not a member of the This can be achieved at install time by specifying the account (or group) in the WEBSERVER_USER property on the command line (see below). |
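
One way to carry out the review described in the note, as an added example that is not part of the Shibboleth distribution: a PowerShell audit that lists ACEs granting write access anywhere in the install tree, or any access to private key files, to principals other than LocalSystem and Administrators. The key file name pattern and the trusted SID list are assumptions to adjust for your deployment.

```powershell
# Added example: ACL audit for an SP install tree (not shipped with the SP).
param(
    [Parameter(Mandatory)][string] $InstallRoot,   # the path you installed to
    [string]   $KeyPattern  = '*key*.pem',         # assumption: matches your private key files
    [string[]] $TrustedSids = @('S-1-5-18',        # LocalSystem (default daemon account)
                                'S-1-5-32-544')    # BUILTIN\Administrators
)

function Get-SpAclFinding {
    param([string] $Root, [string] $KeyPattern, [string[]] $TrustedSids)

    $sidType   = [System.Security.Principal.SecurityIdentifier]
    $writeBits = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # Also catch the raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
    $writeMask = [int]$writeBits -bor 0x40000000 -bor 0x10000000

    & { Get-Item -LiteralPath $Root -Force
        Get-ChildItem -LiteralPath $Root -Recurse -Force } | ForEach-Object {
        $item  = $_
        $isKey = (-not $item.PSIsContainer) -and ($item.Name -like $KeyPattern)
        $rules = (Get-Acl -LiteralPath $item.FullName).GetAccessRules($true, $true, $sidType)
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Inherit-only ACEs do not apply to this object; children are checked on their own.
            if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
            if ($TrustedSids -contains $ace.IdentityReference.Value) { continue }

            $issue = $null
            if ($isKey) {
                $issue = 'private key accessible to a non-trusted principal'
            } elseif (([int]$ace.FileSystemRights) -band $writeMask) {
                $issue = 'write access for a non-trusted principal'
            }
            if ($issue) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Sid       = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                    Issue     = $issue
                }
            }
        }
    }
}

Get-SpAclFinding -Root $InstallRoot -KeyPattern $KeyPattern -TrustedSids $TrustedSids |
    Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so every ACL can be read. Rows marked as inherited are fixed on the parent folder rather than on the file itself.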
Upgrades
Upgrading to new releases is handled automatically when the MSI installer is used. The system prevents configuration files from being overwritten and skips "initial install" tasks like generating keys. The Shibboleth daemon is restarted by the package but you will need to restart the web server you're using yourself.
...
Property | Description |
---|---|
| Allows extra parameters to be passed to the keygen command used during installation. For instance, allows the addition of a subjectAltName in the generated certificate. |
| Set this to |
| The name of a User or User group to be granted explicit read access to the installation tree. Use this if your web server runs under a restricted account. |
Shibboleth Service
Once installation is complete, you'll need to run the Shibboleth daemon, shibd, at all times that the SP is in use. shibd is a console application that is usually installed as a Windows service.
...