...

  • Apache Tomcat 6.0.17 or greater (officially supported)
  • Apache Tomcat 7 or later (SOAP works with the third-party tomcat-dta-ssl plugin, but this plugin is not yet officially supported by the Shibboleth project)
  • Java 6 or later (see additional notes in IdPInstall)

...

Tomcat 7 is officially supported only if you don't require support for SOAP traffic on the additional port, or are prepared to deploy an Apache web server as the "front-end" to the Tomcat service. This is a consequence of there not being a supported specialized certificate evaluation override for Tomcat that delegates evaluation of SP certificates to the IdP application. It is impractical in most deployments to rely on Tomcat to perform its standard methods of client certificate validation.

...

Required Configuration Changes

...

  • Hint for CentOS 6: you may want to add "JAVA_ENDORSED_DIRS=$CATALINA_HOME/endorsed" to /usr/share/tomcat6/conf/tomcat6.conf
  • Add the following parameters to the JAVA_OPTS environment variable (### is the amount of memory in megabytes to allow for the option):
    • -Xmx###m - the maximum amount of memory that Tomcat may use; at least 512M is recommended
    • -XX:MaxPermSize=128m - (Sun JVM specific option) the maximum amount of memory allowed for the permanent generation object space
  • Under Windows, the JAVA_OPTS variables are set via the "Manage Tomcat" application in the "Java" tab.

Recommended Configuration Changes

  • Limit the allowed size of POST submissions to any HTTP or AJP connectors (including the SOAP connector below) by adding the maxPostSize attribute. A size of about 100K (100000) is a reasonable choice.

Supporting SOAP Endpoints

Most new deployments without legacy needs will not need to support back-channel SOAP communication. The most common case requiring this feature is support for legacy Shibboleth SPs using SAML 1.1 that perform attribute queries using SOAP.

If you do need this support, these connections require special security properties which are not appropriate for user-facing/browser use. Therefore an additional endpoint must be configured.

For Tomcat 6, download tomcat6-dta-ssl-1.0.0.jar (asc) into TOMCAT_HOME/lib/, or, to use Tomcat 7 with the unofficial Unicon component, download tomcat7-1.1.jar. Shibboleth IdPs and SPs communicate directly, as opposed to sending messages via the user's browser, during certain operations (Attribute Query, Artifact Resolution, and some forms of Logout). In order to support these requests the IdP needs an additional port (called a Connector within the Tomcat configuration), distinct from the one used by the user, because the two have different, mutually exclusive, security requirements.

  1. Add the following connector definition to Tomcat's TOMCAT_HOME/conf/server.xml file for Tomcat 6:

    Code Block
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11Protocol"
               SSLImplementation="edu.internet2.middleware.security.tomcat6.DelegateToApplicationJSSEImplementation"
               scheme="https"
               maxPostSize="100000"
               SSLEnabled="true"
               clientAuth="want"
               keystoreFile="IDP_HOME/credentials/idp.jks"
               keystorePass="PASSWORD" />


    or this one for Tomcat 7:

    Code Block
        <Connector port="8443"
                   protocol="org.apache.coyote.http11.Http11Protocol"
                   sslImplementationName="edu.internet2.middleware.security.tomcat7.DelegateToApplicationJSSEImplementation"
                   SSLEnabled="true"
                   scheme="https"
                   secure="true"
                   maxPostSize="100000"
                   clientAuth="want"
                   keystoreFile="IDP_HOME/credentials/idp.jks"
                   keystorePass="PASSWORD"
                   sslProtocol="TLS" />


  2. Replace IDP_HOME with the IdP home directory entered during installation.
  3. Replace PASSWORD with the password for the IdP key entered during installation.

...

  1. Create the file TOMCAT_HOME/conf/Catalina/localhost/idp.xml and place the following content in it (replacing IDP_HOME with your IdP's home directory):

    Code Block
    <Context docBase="IDP_HOME/war/idp.war"
             privileged="true"
             antiResourceLocking="false"
             antiJARLocking="false"
             unpackWAR="false"
             swallowOutput="true" />
    

    You might also want to add cookies="false" to the above Context deployment fragment, to prevent Tomcat from setting HTTP cookies, e.g. on MDUI logos hosted at the IdP web server, which would trigger third-party cookie warnings in some HTTP user agents.
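    The two checks a deployer usually wants after editing these files are whether every connector in server.xml carries a sane maxPostSize and whether the back-channel SOAP connector really delegates client-certificate evaluation to the IdP, and whether the idp.xml Context fragment has had IDP_HOME replaced and cookies switched off. The script below is an added example written for this page, not Shibboleth project code; the server.xml and idp.xml it parses are constructed samples embedded inline, and the 100000-byte ceiling is the "about 100K" figure recommended above. It accepts both the Tomcat 6 (SSLImplementation) and Tomcat 7 (sslImplementationName) attribute names.

```python
"""Audit the Tomcat settings this page recommends: connector maxPostSize,
the back-channel SOAP connector's TLS attributes, and the idp.xml Context
fragment.  Added example, not Shibboleth project code; the sample XML below
is constructed for illustration."""
import xml.etree.ElementTree as ET
from typing import List

# Constructed server.xml: a browser-facing HTTP connector with no limit,
# the SOAP connector from this page (Tomcat 6 form) with the PASSWORD
# placeholder left in, and an AJP connector whose limit is far too generous.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11Protocol"
               SSLImplementation="edu.internet2.middleware.security.tomcat6.DelegateToApplicationJSSEImplementation"
               scheme="https"
               maxPostSize="100000"
               SSLEnabled="true"
               clientAuth="want"
               keystoreFile="/opt/shibboleth-idp/credentials/idp.jks"
               keystorePass="PASSWORD" />
    <Connector port="8009" protocol="AJP/1.3" maxPostSize="5000000" />
  </Service>
</Server>"""

# Constructed idp.xml: IDP_HOME already replaced, cookies left at the default.
SAMPLE_IDP_XML = """<Context docBase="/opt/shibboleth-idp/war/idp.war"
         privileged="true"
         antiResourceLocking="false"
         antiJARLocking="false"
         unpackWAR="false"
         swallowOutput="true" />"""

MAX_POST_SIZE = 100000          # the "about 100K" figure from the page
DELEGATE_IMPL = "DelegateToApplicationJSSEImplementation"


def audit_connectors(server_xml: str, max_post: int = MAX_POST_SIZE) -> List[str]:
    """Return one finding per connector attribute that deviates from the page."""
    findings = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        port = c.get("port", "?")
        size = c.get("maxPostSize")
        if size is None:
            findings.append(f"port {port}: maxPostSize not set, Tomcat's default of 2 MB applies")
        elif int(size) <= 0:
            findings.append(f"port {port}: maxPostSize={size} disables the limit entirely")
        elif int(size) > max_post:
            findings.append(f"port {port}: maxPostSize={size} exceeds {max_post}")
        if c.get("SSLEnabled", "false").lower() != "true":
            continue
        # Tomcat 6 uses SSLImplementation, Tomcat 7 uses sslImplementationName.
        impl = c.get("SSLImplementation") or c.get("sslImplementationName") or ""
        if DELEGATE_IMPL not in impl:
            findings.append(f"port {port}: TLS connector does not delegate client-certificate evaluation to the IdP")
        if c.get("clientAuth") != "want":
            findings.append(f'port {port}: clientAuth should be "want" so SOAP clients may present a certificate')
        if c.get("scheme") != "https":
            findings.append(f'port {port}: scheme should be "https"')
        if c.get("keystorePass") in (None, "PASSWORD"):
            findings.append(f"port {port}: keystorePass placeholder was not replaced")
    return findings


def audit_context(idp_xml: str, idp_home: str) -> List[str]:
    """Check the idp.xml Context fragment against the page's recommendations."""
    findings = []
    ctx = ET.fromstring(idp_xml)
    if ctx.tag != "Context":
        return [f"root element is <{ctx.tag}>, expected <Context>"]
    doc_base = ctx.get("docBase", "")
    if "IDP_HOME" in doc_base:
        findings.append("docBase still contains the IDP_HOME placeholder")
    elif not doc_base.startswith(idp_home.rstrip("/") + "/"):
        findings.append(f"docBase {doc_base!r} is outside {idp_home}")
    if ctx.get("cookies", "true").lower() != "false":
        findings.append('cookies is not "false": Tomcat may set a session cookie on static content such as MDUI logos')
    return findings


if __name__ == "__main__":
    # Run against the constructed samples; point the functions at the real
    # files (read with open(...).read()) for a live deployment.
    for finding in audit_connectors(SAMPLE_SERVER_XML) + audit_context(SAMPLE_IDP_XML, "/opt/shibboleth-idp"):
        print("FINDING:", finding)
```

    Against the constructed samples the script reports three connector findings (the 8080 connector has no limit, the 8443 connector still has the PASSWORD placeholder, the AJP connector allows 5 MB) and one Context finding (cookies not disabled). A maxPostSize of zero or a negative value is reported separately, since on these Tomcat versions that removes the limit rather than tightening it.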
