The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.

UpgradeCPPSP

Owned by Scott Cantor
Last updated: Jun 15, 2009Version comment

Upgrading an Existing C++ SP

Unix

Updating a SP on a UNIX system is much simpler than on a Windows OS. When you use rpm's on a RedHat/Fedora system this is even simpler.

Try to download the RPM package that is available for your system. When there isn't a RPM package available yet, try to rebuild the SRPM.

Recommended steps to do:

  • Query old packages: 
    	  $ <b>rpm -ql shibboleth-<i>old-version</i></b>
	  $ <b>rpm -ql shibboleth-debuginfo-<i>old-version</i></b>
	  $ <b>rpm -ql shibboleth-devel-<i>old-version</i></b>
  • Backup configuration files: 
    	  $ <b>tar cvf /tmp/shibboleth-<i>old-version</i>.tar /etc/shibboleth/ /etc/init.d/shibd /etc/httpd/conf.d/shib.conf</b>
  • Get the RPMs. For example: 
    	  $ <b>wget -r -l1 --no-parent --no-directories -Ashibboleth*.rpm -o log.txt http://shibboleth.internet2.edu/downloads/RPMS/i386/fedora/4/ &</b>
  • Query new packages: 
    	  $ <b>rpm -qip shibboleth-<i>new-version</i>.i386.rpm</b>
	  $ <b>rpm -qip shibboleth-debuginfo-<i>new-version</i>.i386.rpm</b>
	  $ <b>rpm -qip shibboleth-devel-<i>new-version</i>.i386.rpm</b>
  • Test new packages: 
    	  $ <b>rpm -U --test shibboleth-<i>new-version</i>.i386.rpm</b>
	  $ <b>rpm -U --test shibboleth-debuginfo-<i>new-version</i>.i386.rpm</b>
	  $ <b>rpm -U --test shibboleth-devel-<i>new-version</i>.i386.rpm</b>
  • Stop shibd: 
    	  $ <b>/etc/init.d/shibd status</b>
	  shibd (pid 1712) is running...
	  $ <b>/etc/init.d/shibd stop</b>
	  /etc/init.d/shibd stop
  • Update Shibboleth: 
    	  $ <b>rpm -Uvh shibboleth-<i>new-version</i>.i386.rpm</b>
	  $ <b>rpm -Uvh shibboleth-debuginfo-<i>new-version</i>.i386.rpm</b>
	  $ <b>rpm -Uvh shibboleth-devel-<i>new-version</i>.i386.rpm</b>
  • Test opensaml: 
    	  $ <b>export SAMLSCHEMAS=/usr/share/xml/shibboleth</b>
	  $ <b>/usr/bin/samltest</b>
	  Running 10 tests
	  ...
	  OK!
  • Start the Shibboleth daemon: 
    	  $ <b>/etc/init.d/shibd status</b>
	  shibd is stopped
	  $ <b>/etc/init.d/shibd start</b>
	  Starting shibd:
  • Restart apache gracefully: 
    	  $ <b>/etc/init.d/httpd graceful</b>

The update is now complete! The old configuration files won't be overwritten. The new configuration files will get ".dist" appended. So if there are some major changes in the configuration files you can use them after some modifications.

Windows

For updating an SP running on Windows, the simplest option is to use a special "postinstall" ZIP package containing the updated files. This will never include any files specific to your installation, so it is safe to unpack. To use it, you need to download the archive and copy the files that it contains to the correct files that are in use. You will need to shut down all services that are using the files that you need to overwrite. Unfortunately this probably means you will need to take your webserver offline for a moment to update Shibboleth. So it is wise to be very well prepared before doing this.

Smaller updates do not require any changes to the configuration at first. Though they usually do enable/fix some smaller configuration issues.

Recommended steps to update the Shibboleth software using the post-install package:

  • nothing should really prevent you from copying/reading all the current Shibboleth files so here's a good idea: safely back up the current files before you do anything
  • download the postinstall package and extract its contents somewhere on the server
  • check to which location you need to copy the new files (to overwrite the current ones)
  • check the permissions on the current files on that location (write down the owner, group and permissions, you might need them later)
    [your webservice will now go offline]
  • stop your webservice (stopping the daemon first will cause all Shibboleth auth requests to cause errors until the webservice goes down, think about what is best in your case)
    • IIS:
      • your ISAPI filter is probably loaded by the main webserver (see properties of the "Web Sites" element in the tree of the IIS manager). In this case you need to stop the entire webserver by (IIS6) right-clicking the webserver in the IIS manager, and the selecting "All tasks...", "Restart IIS...". Select "Stop Internet Services on __" and click ok.
      • if your server is running multiple "Web Sites" and you configured the filter to load for certain web sites only, you might want to choose to stop only those web sites that load the Shibboleth ISAPI filter
    • Apache (1&2): when using Apache httpd on the Windows OS, it files that are in use also get locked. Stop the Apache service completely as you are used to.
  • stop the Shibboleth Daemon ("My computer","Manage","Services")
  • overwrite the old Shibboleth files with the new ones
  • check the permissions of the new files, they should not have been changed (if the webserver can't read the necessary files it will probably fail to start)
  • start the Shibboleth daemon again
  • start your webserver again
    [your webservice most likely comes back online here]

The update has now been completed.