Page Comparison

...

There are no known issues with any specific Tomcat 8.0 release. The latest stable version should be used.

We Tomcat 8+ (including 8.5 and 9.0) are also supported but we don't have a specific page at present for Tomcat 8.5 , but so far earlier and 9.0. See also SystemRequirement for more info. Earlier versions e.g. 8.5.4 had session bugs that render the IdP unstable.

...

<Context docBase="idp.home/war/idp.war"
         privileged="true"
         antiResourceLocking="false"
         swallowOutput="true">

	<!-- Work around lack of Max-Age support in IE/Edge for Tomcat 8.0.x -->
	<CookieProcessor alwaysAddExpires="true" />

</Context> 

• Tomcat listens on ports 8080 and 8443 for user-facing web traffic by default. You will most likely need to modify these ports to 80 and 443 in CATALINA_BASE/conf/server.xml, and make arrangements for Tomcat to run as root, use a port forwarding approach, or rely on some other solution, cf. IdPLinuxNonRoot and IdPLinuxNonRootDebianUbuntu.
• Tomcat does not provide the Java Server Tag Library (JSTL), which is required to use JSP pages as Spring views. The IdP status page at /idp/status is built with JSP and will not work without this library. You can download it from our Maven repository here (asc)from here, place it into idp.home/edit-webapp/WEB-INF/lib/, then change to idp.home and run ./bin/build.sh (or build.bat, depending on your platform).
  More details can be found at http://stackoverflow.com/tags/jstl/info
• Add the following parameters to the CATALINA_OPTS environment variable (on Windows, the CATALINA_OPTS variable can be set via the "Manage Tomcat" application in the "Java" Tab; on other systems, the file bin/setenv.sh can be created to set variables during startup):
  
  • If you chose to install to a location other than the default (/opt/shibboleth-idp):
    • -Didp.home=<location> (replacing <location> with your install location)
      Note: On windows in versions prior to 3.2.0 if the install location contains a space then you have to provide the shortname (-Didp.home=c:\progra~1\Path\To\Install).  This is best achieved by using the tomcatw.exe program.

    • In V3.1.2 or later, idp.home can be set as a context-parameter in web.xml (copied to edit-webapp and then the war rebuilt using the build command)

      Code Block
      language xml
      <context-param> <param-name>idp.home</param-name> <param-value>J:/Downloads/Shibboleth/IdP</param-value> </context-param>

  • -XX:+UseG1GC - enables alternate garbage collector that reduces memory usage on larger metadata files

  • -Xmx1500m - this is the maximum amount of memory that Tomcat may use, at least 1.5G is recommended for handling larger (> 25M) metadata files but you will need to test on your particular metadata configuration
  • -XX:MaxPermSize=128m - the maximum amount of memory allowed for the permanent generation object space (this setting applies only to Java 7)

...

To generate a list of jars to skip for a given install, a command such as this , run from idp.home, will generate output you can paste:

ls webapp/unzip -l /opt/shibboleth-idp/war/idp.war | grep WEB-INF/lib/. | sed 's/^.*WEB-INF\/lib\///' | awk '{print $1",\\"}'

The list of comma-separated jarfiles is added into the file CATALINA_BASE/conf/catalina.properties to the property value named tomcat.util.scan.StandardJarScanFilter.jarsToSkip

...