V5 IdP Installer
The idea behind this page to capture some thoughts about the IdP installer over and above the point changes discussed in IDP-2105: V5 Installer Container taskClosed
With a following wind this should turn into the detailed documentation for V5
Architectural overview
I had some original thoughts to split the installer into smaller sub parts, but it turns out that on further code reading the current implementation is no too far from OK. The way it is exposed (via an ant task) sucks and as per IDP-1815: Recast IDP Installer to use the CLI infrastructureClosed we can get much of where we want to just by replacing that.
The core of how the Installer (and here I also include build.sh
) works is a class which contains (and captures where needed) the implementation. Thing like source directory, target directory detailed configuration (for new installs). Currently this class is populated
From System Properties
From an supplied property file
And from the command line (if neither of the above two provide the required value)
The first two bullets have proven popular with people bundling the IdP.
The proposal is to keep this but to add to it with proper command line qualifiers
Probably one for each property we have
And we will add properties for things we some add (like HttpClient bean names or aes key sizes), but not for other CLI things (like spring bean files)
We will do away with the special logback file for the installer and replace it with the standard command line thing
I think we can get rid of the input property - you can only install from the distribution and it suffices to make that the input
Note that when I say “property driven” below this means via this class which encapsulates the above 4 bullets (so if configured, take from the command line/property file/system properties otherwise ask)
Current implementation
As the time of writing (the first pass of changes for IDP-2002: Migrate all unmanaged config files into core moduleClosed completed the code does this.
Initial Populate
Update only: Tidy
delete bin/lib
delete dist (save for the plugin stuff)
unprotected system
Copy webapp to dist\webapp (not overwriting)
Copy bin/lib to bin/lib (overwriting)
copy system to system (not overwriting)
Configure
Version handling
Write the version to a the version file in dist
check idp.properties for forbidden properties
Check plugin conformance
New Install Only:
Enable idp.Core
Create key material (property driven)
Run property changing over idp.properties, ldap.properties (property driven)
create secret.properties (prooperty driven)
Update only
check edit-webapp\WEB-INF\web.xml for badness
enable modules
Update: The ones already defined
(TODO) V4-V5 update: plus any new ones ( IDP-2108: Work out the Upgrade storyClosed)
New Install Only: from a fixed list (if not property driven)
Clean up detritus
New Install Only: Create metadata (driven from idp.properties)
Build war
(this is part of the install but also needs to be its own command line)
delete webapp (why?)
create webapp.tmp
populate from dist\webapp
overlap from dist\plugin-webapp
overlap from edit-webapp
create war\idp.war from webapp.tmp
delete webapp.tmp
Windows
This is actually not much different
Initial Populate is handled by the Windows MSI installer
Configure
andBuild war
are run as java programs inside the installer… Plus a whole lot of stuff to do with Jetty which will be exbedded (IDP-1791: Support self-standing operation via embedded JettyOpen or something else)
Properties & Qualifiers used to drive the Install
Under construction
This section os changing frequently as I update my ideas. Check in here frequently or watch the page.
Property | V5 Proposed qualifier | Default | Prompt | Description |
---|---|---|---|---|
idp.property.file | --propertyFile |
| N/A | The first thing looked it. If present it is used to get other properties |
Not as a property | --sourceDir |
| None | No longer prompted for. This is injected by the install scripts |
idp.target.dir | --targetDir |
| Installation Directory: |
|
idp.noprompt | --noPrompt |
|
| If the qualifier is present (or the property set to any value) then if a required value is not available via properties then the install fails (rather than prompting for a value) |
idp.entityID |
| https://$idp.host.name/idp/shibboleth | SAML EntityID: | Written into idp.properties on initial install |
idp.host.name |
| Some nasty hackery with the network | Host Name: | Drives the default entityId |
idp.scope |
| The host name with the first bit removed | Attribute Scope: |
|
idp.merge.properties |
| idp.entityID=$idp.entityId |
| A property file whose contents are merged into the default idp.properties on an initial install only. |
ldap.merge.properties |
| no merge |
| If present this file is merged into ldap.properties This is either the absolute path or a path relative to the source dir |
idp.LDAP.credential |
| myServicePassword |
| Used to set idp.authn.LDAP.bindDNCredential in secrets.properties |
idp.keystore.password |
|
| Backchannel PKCS12 Password: | Password for credentials/idp-backchannel.p12 |
idp.sealer.password |
|
| Cookie Encryption Key Password: | Password for credentials/sealer.p12 |
idp.sealer.alias |
| secret |
| Alias in credentials/sealer.p12 |
idp.sealer.keysize |
| 128 |
| New In V5 |
idp.keysize |
| 3072 |
| key size for credentials\idp-signing.*, credentials\idp-encryption.* and credentials/idp-backchannel.p12 |
idp.conf.setmode |
| true |
| whether to lock down the installation New install only: |
idp.conf.credentials.filemode |
| 600 |
| Mode to set credentials/* on a new install if $idp.conf.setmode |
idp.conf.credentials.group |
|
|
| If non-null and $idp.conf.setmode, the group to set on credentials/* |
idp.no.tidy |
| false |
| Debug only if set to anything then any intermdeiate files (like the merge files) are not deleted. |
idp.initial.modules |
| idp.EditWebApp (V5) idp.CommandLine (V5) idp.authn.Password idp.admin.Hello |
| Comma-separated list of modules to enable on install. If this starts with '+' then the valuse are appended to the list. |
ant.home (v4) |
| From where the installer is being run | N/A | Not available in V5 |
idp.conf.preoverlay (V4 only) |
|
|
| No longer Used, proposed alternative is to write a plugin and get that installed |
idp.initial.edit-webapp (V4 only) |
|
|
| No longer Used, proposed alternative is to write a plugin and get that installed |