Note |
---|
These pages are examples and do not reflect any normative requirements or assumptions on the part of the IdP software and may be a mix of suggestions from both the project team and deployers. You should take any of this advice with a grain of local salt and consider general security/deployment considerations appropriate to the use of web software in your local environment. The official information about containers and versions we support is solely maintained on the SystemRequirements page. If you wish to operate without complete responsibility for your Java servlet container, you may consider the Windows package we provide that includes an embedded container. |
...
Code Block |
---|
<Context docBase="idp.home/war/idp.war"
privileged="true"
antiResourceLocking="false"
swallowOutput="true">
<!-- Work around lack of Max-Age support in IE/Edge for Tomcat 8.0.x -->
<CookieProcessor alwaysAddExpires="true" />
</Context> |
Info |
---|
The above |
- Tomcat listens on ports 8080 and 8443 for user-facing web traffic by default. You will most likely need to modify these ports to 80 and 443 in CATALINA_BASE/conf/server.xml, and make arrangements for Tomcat to run as root, use a port forwarding approach, or rely on some other solution, cf. IdPLinuxNonRoot and IdPLinuxNonRootDebianUbuntu.
- Tomcat does not provide the Java Server Tag Library (JSTL), which is required to use JSP pages as Spring views. The IdP status page at /idp/status is built with JSP and will not work without this library. You can download it from our Maven repository here (asc), place it into idp.home/edit-webapp/WEB-INF/lib/, then change to idp.home and run ./bin/build.sh (or build.bat, depending on your platform). More details can be found at http://stackoverflow.com/tags/jstl/info
- Add the following parameters to the CATALINA_OPTS environment variable (on Windows, the CATALINA_OPTS variable can be set via the "Manage Tomcat" application in the "Java" tab; on other systems, the file bin/setenv.sh can be created to set variables during startup):
  - If you chose to install to a location other than the default (/opt/shibboleth-idp):
    - -Didp.home=<location> (replacing <location> with your install location)
    Note: On Windows, in versions prior to 3.2.0, if the install location contains a space then you have to provide the short name (-Didp.home=c:\progra~1\Path\To\Install). This is best achieved by using the tomcatw.exe program. In V3.1.2 or later, idp.home can be set as a context-parameter in web.xml (copied to edit-webapp and then the war rebuilt using the build command):
    <context-param>
        <param-name>idp.home</param-name>
        <param-value>J:/Downloads/Shibboleth/IdP</param-value>
    </context-param>
  - -XX:+UseG1GC - enables an alternate garbage collector that reduces memory usage on larger metadata files
  - -Xmx1500m - this is the maximum amount of memory that Tomcat may use; at least 1.5G is recommended for handling larger (> 25M) metadata files, but you will need to test on your particular metadata configuration
  - -XX:MaxPermSize=128m - the maximum amount of memory allowed for the permanent generation object space (this setting applies only to Java 7)
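A bin/setenv.sh along these lines assembles the CATALINA_OPTS values listed above. It is an added example, not a file shipped with the IdP or Tomcat; the helper names java_major and build_catalina_opts, the IDP_HOME variable and the version parsing are assumptions made for illustration. It passes -Didp.home only for a non-default install location and adds -XX:MaxPermSize only when the JVM reports Java 7.

```shell
#!/bin/sh
# bin/setenv.sh - read by Tomcat's startup scripts to set variables.
# Added example; java_major and build_catalina_opts are hypothetical helpers.

DEFAULT_IDP_HOME=/opt/shibboleth-idp

# java_major <first line of `java -version` output> -> prints 7, 8, 11, ...
java_major() {
    # Pull out the quoted version string, e.g. java version "1.7.0_80"
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
    case "$ver" in
        1.*) ver=${ver#1.} ;;          # legacy scheme: 1.7.0_80 -> 7.0_80
    esac
    printf '%s\n' "${ver%%[!0-9]*}"    # keep only the leading digits
}

# build_catalina_opts <java -version line> <idp.home> -> prints the options
build_catalina_opts() {
    opts="-XX:+UseG1GC -Xmx1500m"
    # idp.home is only needed when the install is not in the default location
    if [ "$2" != "$DEFAULT_IDP_HOME" ]; then
        opts="-Didp.home=$2 $opts"
    fi
    # The permanent generation setting applies only to Java 7
    if [ "$(java_major "$1")" = "7" ]; then
        opts="$opts -XX:MaxPermSize=128m"
    fi
    printf '%s\n' "$opts"
}

# IDP_HOME is an assumed variable name; set it if you installed elsewhere.
IDP_HOME=${IDP_HOME:-$DEFAULT_IDP_HOME}
JAVA_BIN=${JAVA_HOME:+$JAVA_HOME/bin/}java
JAVA_VERSION_LINE=$("$JAVA_BIN" -version 2>&1 | head -n 1)
CATALINA_OPTS="$CATALINA_OPTS $(build_catalina_opts "$JAVA_VERSION_LINE" "$IDP_HOME")"
export CATALINA_OPTS
```

An install path containing spaces is not handled here; on Windows the short-name or context-parameter approach described above still applies.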
...
To generate a list of jars to skip for a given install, a command such as this, run from idp.home, will generate output you can paste (adjust the path if idp.war is not under the default /opt/shibboleth-idp):
unzip -l /opt/shibboleth-idp/war/idp.war | grep WEB-INF/lib/. | sed 's/^.*WEB-INF\/lib\///' | awk '{print $1",\\"}'
The comma-separated list of jar files is added to the property named tomcat.util.scan.StandardJarScanFilter.jarsToSkip in the file CATALINA_BASE/conf/catalina.properties.
...