From b3ebbc674540f557c78820fcaa1210e9056aa52e Mon Sep 17 00:00:00 2001 From: ndk Date: Mon, 28 Jun 2004 19:58:47 +0000 Subject: [PATCH] Adds info about Coyote/JK2 and Tomcat 5. git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@1062 ab3bd59b-922f-494d-bb5f-6f0a3c29deca --- doc/DEPLOY-GUIDE-ORIGIN.html | 100 ++++++++++++++++++++++++++++++------------ 1 file changed, 71 insertions(+), 29 deletions(-) diff --git a/doc/DEPLOY-GUIDE-ORIGIN.html b/doc/DEPLOY-GUIDE-ORIGIN.html index beef0d8..1142e7e 100644 --- a/doc/DEPLOY-GUIDE-ORIGIN.html +++ b/doc/DEPLOY-GUIDE-ORIGIN.html @@ -126,6 +126,11 @@ font-color: #121212; color: #00FF00 } + + + + + @@ -139,16 +144,13 @@ April 14, 2004

This version of the deploy guide is for Shibboleth v1.2. For documentation related to prior versions of Shibboleth, please consult the appropriate branch in the Shibboleth CVS.

-

The default configuration of Shibboleth is not secure and should not -be used for protection of production content. The example private key bundled -with the distribution is publically available, widely circulated, and -well-known; also, the default federation and trust metadata is for testing -purposes only. For information about securing a Shibboleth deployment, please -refer to the production guide. Shibboleth should only be used to protect -sensitive content when deployed carefully in conjunction with proper trust -settings and policies.

- -

Insert features here.

+

The default configuration of Shibboleth is not secure and should not + be used for protection of production content. The example private key bundled + with the distribution is publically available, widely circulated, and well-known; + also, the default federation and trust metadata is for testing purposes only. + For information about securing a Shibboleth deployment, please refer to the + production guide. Shibboleth should only be used to protect sensitive content + when deployed carefully in conjunction with proper trust settings and policies.

Before starting, please sign up for all applicable mailing @@ -634,7 +636,7 @@ and JSP specification 1.2.

  • Apache 1.3.26+ (<2.0)
  • Tomcat 4.1.18-24 LE Java - server and above
  • + server and above or Tomcat 5
  • Sun J2SE JDK v1.4.1_01 and above

    Other versions of the JRE are not supported and are known to @@ -679,7 +681,7 @@ and JSP specification 1.2.

    /usr/local/tomcat/webapps/

  • -
  • Tomcat 4.1.x requires that several Java jarfiles used by Shibboleth +
  • Tomcat 4.1.x and Tomcat 5 require that several Java jarfiles used by Shibboleth be located in a special "endorsed" folder to override obsolete classes that Sun includes with their JVM. To deal with this problem use the following command, adjusting paths as needed:
    @@ -694,13 +696,22 @@ and JSP specification 1.2.

  • Restart Tomcat, which will automatically detect that there has been a new .war file added. This file will by default be expanded into /usr/local/tomcat/webapps/shibboleth.
  • -
  • Apache must be told to map the URL's for the Shibboleth HS and AA to - Tomcat. Two popular ways of doing this are to include the following text - directly in httpd.conf, or to place - Include conf/mod_jk.conf in - httpd.conf, and place the following - lines in /etc/httpd/conf/mod_jk.conf:
    -

    --------- begin ---------
    +

  • Apache must be told to map the URL's for the Shibboleth HS + and AA to Tomcat. This is done differently depending on whether + Coyote/JK2 or AJP13/JK is used as the connector between Apache + and Tomcat. Generally, Tomcat 4.1.x should use AJP13/JK, and Tomcat 5 can use Coyote/JK2.

    + +

    mod_jk:

    + +

    The following configuration directs Apache to use mod_jk to redirect + queries for Shibboleth components to Tomcat. Two popular ways of doing + this are to include the following text directly in httpd.conf, or to make a separate file and Include it in httpd.conf.

    + +
    + --------- begin ---------
    <IfModule !mod_jk.c>
     LoadModule jk_module libexec/mod_jk.so
    </IfModule>
    @@ -712,15 +723,14 @@ and JSP specification 1.2.


    JkMount /shibboleth/* ajp13

    - --------- end ---------

    + --------- end ---------
    - This will result in a HS URL of http://hostname/shibboleth/HS/. -
  • -
  • Tomcat's /conf/server.xml ships by - default with the Coyote/JK2 connector enabled, which fails with - Shibboleth due to the lack of support for - REMOTE_USER. This connector must be commented out. Then, - uncomment and modify the traditional AJP 1.3 connector as follows:
      + +

      Tomcat 4.1.x defaults to having the Coyote connector enabled in /conf/server.xml. This fails with mod_jk and must be commented out. Then, uncomment + and modify the traditional AJP 1.3 connector as follows:

      +
      1. Add address="127.0.0.1" inside the <Ajp13Connector> configuration element to prevent off-host access.
      2. @@ -728,8 +738,37 @@ and JSP specification 1.2.

        to the <Ajp13Connector> configuration element to ensure that the user's identity is passed from Apache to the servlet environment. -
      3. The AJP13Connector for tomcat is not compatible with the new JMX support. To remove some warnings that will appear in the tomcat log every time tomcat is restarted, comment out all of the JMX stuff (anything that says "mbeans") from server.xml.
      4. +
      5. The AJP13Connector for tomcat is not compatible with the new JMX support. To remove some warnings that will appear in the Tomcat log every time Tomcat is restarted, comment out all of the JMX stuff (anything that says "mbeans") from server.xml.
      + +

      mod_jk2:

      + +

      The following lines must be added to or placed in a separate + configuration file pointed to by httpd.conf:

      + +
      + --------- begin ---------
      +
      + LoadModule jk2_module libexec/mod_jk2.so
      +

      + --------- end --------- +
      + +

      By default, the Coyote/JK2 connector will not permit the REMOTE_USER value set by Apache to pass into Tomcat, and thus into Shibboleth. If user authentication will be handled in this fashion(as is true of most deployments), then the /conf/jk2.properties file must include the following line:

      + +
      request.tomcatAuthentication=false
      + +

      mod_jk2 must also be told separately to map URL's to the servlets in Tomcat using /conf/workers2.properties file in the Apache tree by adding these lines. It may also be necessary to modify the references in the file to the socket port and make sure it matches the port set in the Coyote connector.

      + +
      + --------- begin ---------
      + [uri:/shibboleth/*]
      + group=lb
      + --------- end --------- +
      + +

      Both the mod_jk and mod_jk2 configurations as given will result in a HS URL of http://hostname/shibboleth/HS/ and an AA URL of http://hostname/shibboleth/AA/.

    1. It is strongly recommended that the AA be SSL-protected to protect attributes in transit. To do so, add an appropriate location @@ -1492,7 +1531,7 @@ signingCredential="string"> targets that have established bilateral agreements with the origin, or any other trust structure that origin must be aware of. In addition to its attributes, this element may contain a HSNameMapping + href="#confHSNameFormat">HSNameFormat element to specify a naming mechanism for assertions sent to this relying party. The HS and AA both perform validation against federation metadata to ensure that targets cannot construct requests that would be @@ -2333,3 +2372,6 @@ with a thorough description of errors and configurations used.

      + + + -- 1.7.10.4
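Review bot: the warning paragraph that the @@ -139,16 +144,13 @@ hunk moves still carries the misspelling "publically" ("The example private key bundled with the distribution is publically available"); since the block is being re-added as new + lines anyway, correct it to "publicly" there. Dropping the "Insert features here." placeholder is fine.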
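Review bot: in the @@ -712,15 +723,14 @@ hunk the reason for disabling the Coyote connector changes from "fails with Shibboleth due to the lack of support for REMOTE_USER" to "This fails with mod_jk and must be commented out", so the reader of the mod_jk path no longer learns why. If the old rationale is obsolete (the new jk2 section shows REMOTE_USER passing through once request.tomcatAuthentication=false is set), say so in one clause; otherwise keep the REMOTE_USER explanation in the + line.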
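Review bot: the new mod_jk2 section in the @@ -728,8 +738,37 @@ hunk tells the deployer to set request.tomcatAuthentication=false so that the REMOTE_USER value set by Apache passes into Tomcat, but it has no counterpart to mod_jk step 1, "Add address="127.0.0.1" inside the <Ajp13Connector> configuration element to prevent off-host access." Once Tomcat no longer authenticates for itself it accepts whatever identity arrives over the connector socket, so the jk2 path should likewise instruct binding the Coyote connector to the loopback address (or otherwise restricting who can reach its port) before the workers2.properties mapping is added. Two smaller points in the same hunk: "The following lines must be added to or placed in a separate configuration file pointed to by httpd.conf" is missing its first object (added to httpd.conf, or placed in a separate file), and "modify the references in the file to the socket port" should name the workers2.properties entry to edit and say that the group=lb referenced by [uri:/shibboleth/*] is expected to already exist in the stock file.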
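Review bot: the @@ -1492,7 +1531,7 @@ hunk changes the link text from HSNameMapping to HSNameFormat with href="#confHSNameFormat", but no anchor by that name is touched in this diff; confirm that a confHSNameFormat anchor exists elsewhere in DEPLOY-GUIDE-ORIGIN.html, otherwise the link in the relying-party description dangles.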