The Shibboleth V2 IdP and SP software have reached End of Life and are no longer supported. This documentation is available for historical purposes only. See the IDP v4 and SP v3 wiki spaces for current documentation on the supported versions.

Preparing Glassfish for the Shibboleth Identity Provider

Version Requirements/Recommendations

  • Glassfish 3.2.2.2 or greater
  • Java 6 or later.

Glassfish 3 is not yet formally supported by the Shibboleth team because of an impedance mismatch between Glassfish and the IdP's use of Xerces/Xalan. Those interested in developing the support needed to move off the Xerces/Xalan runtime dependencies are welcome to direct questions to the development list.

Required Configuration Changes

  • Copy xercesImpl-*.jar to your domain's lib directory using a command similar to the following:
    • cp ~/shibboleth/shibboleth-identityprovider-2.4.0/endorsed/xercesImpl-2.10.0.jar  ~/glassfish3/glassfish/domains/domain1/lib
  • Copy xml-apis-*.jar to your domain's lib directory using a command similar to the following:
    • cp ~/shibboleth/shibboleth-identityprovider-2.4.0/endorsed/xml-apis-2.10.0.jar  ~/glassfish3/glassfish/domains/domain1/lib
  • Manually edit the ~/glassfish3/glassfish/domains/domain1/lib/xercesImpl-2.10.0.jar file to rename the folder /META-INF/services to /META-INF/servicesSAVED
    • On Linux, the rename can be done with Archive Manager or a similar application without extracting and repackaging the jar. Any other method, such as extracting the jar, renaming the directory in the filesystem and recreating the jar, also works.
    • Renaming META-INF/services ensures that the classes in this jar are not picked up as plugins by the JAXP service-loader layer and do not confuse class loading.
  • Add the following parameters to the JAVA_OPTS environment variable (### is the amount of memory, in megabytes, to allow for the option):
    • -Xmx###m - the maximum amount of heap memory the Glassfish JVM may use; at least 512M is recommended
    • -XX:MaxPermSize=128m - (Sun JVM specific option) the maximum amount of memory allowed for the permanent generation object space
  • Edit .../glassfish/domains/domain1/config/domain.xml and make the equivalent changes in the <java-config> section using <jvm-options> tags
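The manual jar edit above (renaming META-INF/services to META-INF/servicesSAVED) can be scripted. This is an added example in Python, not code from the Shibboleth wiki or project: it rewrites a jar so every entry under META-INF/services moves to META-INF/servicesSAVED, copies all other entries unchanged, and checks the result on a small constructed stand-in jar rather than the real xercesImpl-2.10.0.jar.

```python
import shutil
import tempfile
import zipfile

OLD_PREFIX = "META-INF/services/"       # JAXP service-provider registry
NEW_PREFIX = "META-INF/servicesSAVED/"  # name used on the page

def rename_services_dir(jar_path, old=OLD_PREFIX, new=NEW_PREFIX):
    """Rewrite jar_path in place, moving entries under `old` to `new`.
    Returns how many were renamed; all other entries are copied unchanged."""
    renamed = 0
    with zipfile.ZipFile(jar_path) as src, \
            tempfile.NamedTemporaryFile(delete=False, suffix=".jar") as tmp:
        with zipfile.ZipFile(tmp, "w") as dst:
            for info in src.infolist():
                name = info.filename
                if name.startswith(old):
                    name = new + name[len(old):]
                    renamed += 1
                out = zipfile.ZipInfo(name, date_time=info.date_time)
                out.compress_type = info.compress_type
                out.external_attr = info.external_attr
                dst.writestr(out, src.read(info))
    shutil.move(tmp.name, jar_path)  # replace only once fully written
    return renamed

def service_entries(jar_path, prefix=OLD_PREFIX):
    """Entries still under `prefix`; empty means JAXP will not load them."""
    with zipfile.ZipFile(jar_path) as jar:
        return sorted(n for n in jar.namelist() if n.startswith(prefix))

def make_sample_jar(path):
    """Constructed stand-in for xercesImpl-*.jar, not the real artifact."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(OLD_PREFIX + "javax.xml.parsers.SAXParserFactory",
                     "org.apache.xerces.jaxp.SAXParserFactoryImpl\n")
        jar.writestr(OLD_PREFIX + "javax.xml.parsers.DocumentBuilderFactory",
                     "org.apache.xerces.jaxp.DocumentBuilderFactoryImpl\n")

def demo():
    """Round trip on the constructed jar; returns entry counts."""
    with tempfile.TemporaryDirectory() as workdir:
        jar = workdir + "/xercesImpl-sample.jar"
        make_sample_jar(jar)
        return {"before": len(service_entries(jar)),
                "renamed": rename_services_dir(jar),
                "after": len(service_entries(jar)),
                "saved": len(service_entries(jar, NEW_PREFIX))}
```

Point rename_services_dir at the copy in the domain's lib directory so the jar under the IdP's endorsed/ directory stays intact, and use service_entries afterwards to confirm nothing is left under META-INF/services.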

Recommended Configuration Changes

  • Limit the allowed size of POST submissions to any HTTP connectors. A size of 200K (204800 bytes) is a reasonable choice. It is not known how this is actually accomplished in Glassfish; please refer to the Glassfish documentation.

Deployment

Once the configuration changes have been made, the idp.war file may be deployed using the Glassfish asadmin command-line interface (CLI) as follows:

  1. Start the Glassfish domain

    ~/glassfish3/bin/asadmin start-domain domain1

  2. Deploy the IdP war

    ~/glassfish3/bin/asadmin deploy --force=true --contextroot idp --precompilejsp=false --verify=false --upload=false ~/shibboleth/shibboleth-identityprovider-2.4.0/installation/war/idp.war

  3. You can tail the Glassfish log:

    tail -f ~/glassfish3/glassfish/domains/domain1/logs/server.log

  4. After deployment, make sure that the idp webapp is configured to load before your Service Provider app. This is done by editing the .../glassfish/domains/domain1/config/domain.xml file and making sure that the <application> tag for idp comes before the <application> tag for any SP apps.
    If the IdP is loaded after an SP, you will see the following error:

    INFO: 12:17:38,740 ERROR HTTPMetadataProvider:261 - Non-ok status code 404 returned from remote metadata source
