The IdP installation and deployment sequence on Windows 7 Professional is as follows.
6.1.2.1 Installation and configuration of JRE 7
Without the Java Runtime Environment (JRE) installed and configured, neither Tomcat nor the IdP can be installed successfully in this implementation scenario. JRE 7 is also a prerequisite for the OpenDJ installation.
After installing JRE 7, the JAVA_HOME environment variable is set in Windows under Advanced system settings > System Properties > Advanced > Environment Variables. Under System variables, click New, enter JAVA_HOME as the variable name and C:\Program Files (x86)\Java\jre7 (the JRE 7 installation directory) as the variable value, then apply. Figure 19 shows an overview of this configuration.
Figure 19: Configuration of JAVA_HOME variables
6.1.2.2 Installation and configuration of Apache Tomcat 6
The installation of Tomcat is straightforward: the installer only asks for the installation directory (any directory will do), the HTTP/1.1 connector port (8080 by default), the administrator (manager) credentials and the path of the JRE installed previously. The installation is verified by starting the Tomcat service and browsing to http://localhost:8080; the Apache Tomcat home page shown in figure 20 below is displayed when the installation has succeeded.
Figure 20: Tomcat 6 home page access
Configuration changes in regard to the IdP
- Xerces and Xalan endorsement: to endorse the Xerces and Xalan libraries, create a directory called endorsed under the Tomcat 6 directory, i.e. C:\Tomcat 6.0\endorsed, then copy all the .jar files from the endorsed directory of the IdP source, i.e. \shibboleth-identityprovider-2.4.0\endorsed, into the new C:\Tomcat 6.0\endorsed directory. Tomcat loads the endorsed directory ahead of the XML parser bundled with the JRE, so the IdP runs with the parser versions it was built against.
- Setting the JAVA_OPTS environment variable in Tomcat: this is done in the Tomcat service configuration tool (Tomcat Manager > Configure > Java). Under Java Options, add -Xmx512m and -XX:MaxPermSize=128m and apply. -Xmx512m sets the maximum Java heap to 512 MB, and -XX:MaxPermSize=128m sets the maximum size of the permanent generation (the space the Sun Java Virtual Machine (JVM) uses for loaded classes) to 128 MB. Figure 21 below shows the JAVA_OPTS setting.
Figure 21: JAVA_OPTS variable setting on Tomcat
SOAP Endpoints and SSL configuration
Because the Shibboleth SP and IdP exchange information with each other remotely (the SOAP back-channel endpoints), an additional Tomcat connector for secure (TLS) communication on port 8443 must be configured. With clientAuth="want" this connector asks the SP for a client certificate, and the Shibboleth DelegateToApplicationJSSEImplementation provided by the library below leaves the evaluation of that certificate to the IdP instead of Tomcat. The procedure followed is the following.
- Download the Tomcat library tomcat6-dta-ssl-1.0.0.jar and place it in C:\Tomcat 6.0\lib.
- Modify the server.xml file in C:\Tomcat 6.0\conf by adding the following connector definition inside the <Service> element of server.xml.
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11Protocol"
           SSLImplementation="edu.internet2.middleware.security.tomcat6.DelegateToApplicationJSSEImplementation"
           scheme="https"
           SSLEnabled="true"
           clientAuth="want"
           keystoreFile="C:\IDP\credentials\idp.jks"
           keystorePass="mypassword" />
idp.jks is the Java keystore generated by the IdP installer (see 6.1.2.3); it holds the IdP's private key and certificate, and the connector uses it to serve TLS on port 8443.
Note: C:\IDP\ is the directory in which the IdP is installed, and mypassword is the keystore password chosen during the IdP installation. Because keystorePass is stored in clear text in server.xml, that file and the credentials directory should be readable only by the account under which the Tomcat service runs.
Note: an alternative way of creating and using an SSL certificate with Tomcat is as follows:
- Generate a keystore containing a single self-signed certificate and the server's private key by running C:\Program Files (x86)\Java\jre7\bin\keytool -genkey -alias ans -keyalg RSA on the command line. keytool prompts for the keystore password, the distinguished name (name, organisation, location) and the key password; figure 22 shows the output of that execution with those parameters entered.
Figure 22: SSL certificate deployment on Tomcat
The keystore is saved in the profile directory of the user who ran the command, i.e. C:\Users\Shibboleth IdP\.keystore
- Activate the certificate so that Tomcat uses it. Since the certificate is already in the keystore, only Tomcat needs to be configured, by editing the server.xml file in C:\Tomcat 6.0\conf: uncomment the <Connector> section that follows the comment line starting "Define a SSL HTTP/1.1 Connector on port 8443" and add the parameters for the registered keystore, as follows.
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="C:\Users\ShibbolethIdP\.keystore"
keystorePass="somepassword"
clientAuth="false" sslProtocol="TLS" />
- Save server.xml, restart Tomcat and check that the certificate is in place: browse to https://localhost:8443. The browser first shows a security warning because the certificate is self-signed; after accepting it, the Tomcat home page is displayed just as it was when browsing http://localhost:8080.
The self-signed certificate above must not be used at the same time as the certificate generated by the Shibboleth Identity Provider: both connectors are defined on port 8443, and Tomcat can bind a port to only one connector, so the second one fails to start.
6.1.2.3 Installation of the Identity Provider software
The IdP can be installed on Windows in two ways: either by running the Shibboleth IdP .msi file (Windows Installer) and following the instructions, or by running install.bat (in the IdP source folder) from the command line.
The second option was adopted because it gives better control over the installation. Figure 23 below shows the successful installation of the IdP with its parameters customised appropriately.
Figure 23: IdP installation
idp.war deployment strategy on Tomcat
This configuration specifies how Tomcat deploys the idp.war web application. The technique used is a context deployment fragment: a short XML file named idp.xml placed in \conf\Catalina\localhost\ under the Tomcat directory, i.e. C:\Tomcat 6.0\conf\Catalina\localhost\idp.xml, with the following content:
<Context docBase="C:\IDP\war\idp.war"
privileged="true"
antiResourceLocking="false"
antiJARLocking="false"
unpackWAR="false"
swallowOutput="true" />
This fragment tells Tomcat where to find idp.war and sets the properties of the web application: docBase points at the WAR, unpackWAR="false" runs it without extracting it under webapps, and privileged="true" allows the application to use container servlets.
Browsing http://localhost:8080/idp/profile/Status displays the text ok, and the same result at https://localhost:8443/idp/profile/Status indicates that idp.war has been deployed successfully within Tomcat.
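The following script is an added example, not part of the Shibboleth IdP distribution or of the deployment described here. It checks the two Tomcat configuration files discussed above, the <Connector> definitions of server.xml (6.1.2.2) and the idp.xml context fragment, before Tomcat is started. The server.xml and idp.xml it parses are constructed samples modelled on the fragments in the text; the server.xml sample deliberately contains both 8443 connectors, i.e. the situation the text warns against. The path C:\IDP\credentials\idp.jks is the one used in the connector above; the severity labels, messages and function names are the example's own.

```python
"""Pre-deployment check for the Tomcat 6 configuration in 6.1.2.2 and 6.1.2.3:
the <Connector> definitions in server.xml and the idp.xml context fragment.
Added example, not part of the Shibboleth IdP distribution; the two documents
below are constructed samples modelled on the fragments in the text."""
import xml.etree.ElementTree as ET
from collections import Counter

IDP_KEYSTORE = r"C:\IDP\credentials\idp.jks"   # keystore written by the IdP installer

# Constructed server.xml: the 8080 connector plus BOTH 8443 connectors from
# the text, i.e. the combination the text says must be avoided.
SERVER_XML = r"""<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLImplementation="edu.internet2.middleware.security.tomcat6.DelegateToApplicationJSSEImplementation"
               scheme="https" SSLEnabled="true" clientAuth="want"
               keystoreFile="C:\IDP\credentials\idp.jks" keystorePass="mypassword" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
               scheme="https" secure="true" keystoreFile="C:\Users\ShibbolethIdP\.keystore"
               keystorePass="somepassword" clientAuth="false" sslProtocol="TLS" />
    <Engine name="Catalina" defaultHost="localhost"><Host name="localhost" appBase="webapps" /></Engine>
  </Service>
</Server>"""

# Constructed idp.xml, as placed in conf\Catalina\localhost\.
IDP_XML = r"""<Context docBase="C:\IDP\war\idp.war" privileged="true"
         antiResourceLocking="false" antiJARLocking="false"
         unpackWAR="false" swallowOutput="true" />"""

# Attribute values the fragment in the text uses.
EXPECTED_CONTEXT = {"privileged": "true", "antiResourceLocking": "false",
                    "antiJARLocking": "false", "unpackWAR": "false", "swallowOutput": "true"}


def _flag(element, attr, default="false"):
    return element.get(attr, default).strip().lower() == "true"


def check_connectors(server_xml):
    """Return (severity, message) findings for the <Connector>s of server.xml."""
    findings = []
    connectors = ET.fromstring(server_xml).findall("./Service/Connector")
    # A port can be bound once: a second connector on it fails at startup.
    for port, n in Counter(c.get("port") for c in connectors).items():
        if n > 1:
            findings.append(("error", f"{n} connectors share port {port}; only one can bind it"))
    ssl = [c for c in connectors if _flag(c, "SSLEnabled")]
    if not ssl:
        findings.append(("error", "no SSLEnabled connector: the SOAP endpoints on 8443 would be unreachable"))
    for c in ssl:
        p, ks = c.get("port"), c.get("keystoreFile", "")
        if ks != ks.strip():
            findings.append(("error", f"port {p}: keystoreFile has surrounding whitespace; Tomcat will not find the keystore"))
        if c.get("scheme") != "https":
            findings.append(("error", f"port {p}: an SSLEnabled connector needs scheme=\"https\""))
        if c.get("keystorePass"):
            findings.append(("warn", f"port {p}: keystorePass is stored in clear text; restrict NTFS permissions on server.xml to the Tomcat service account"))
        if c.get("clientAuth", "false").lower() != "want":
            findings.append(("info", f"port {p}: clientAuth is not \"want\"; the SP cannot present a client certificate to the SOAP endpoints"))
    return findings


def check_context(context_xml):
    """Return findings for the idp.xml context fragment."""
    ctx = ET.fromstring(context_xml)
    if ctx.tag != "Context":
        return [("error", f"root element is <{ctx.tag}>, expected <Context>")]
    findings = []
    if not ctx.get("docBase", "").lower().endswith("idp.war"):
        findings.append(("error", f"docBase {ctx.get('docBase')!r} does not point at idp.war"))
    for attr, want in EXPECTED_CONTEXT.items():
        if ctx.get(attr, "").lower() != want:
            findings.append(("warn", f"{attr}={ctx.get(attr)!r}, the IdP fragment uses \"{want}\""))
    if _flag(ctx, "privileged"):
        findings.append(("info", "privileged=\"true\" lets the application use container servlets; keep it only for trusted applications"))
    return findings


def keep_idp_connector(server_xml, keystore=IDP_KEYSTORE):
    """Drop every SSL connector except the one using the IdP keystore; return the new XML."""
    root = ET.fromstring(server_xml)
    for service in root.findall("Service"):
        for c in service.findall("Connector"):
            if _flag(c, "SSLEnabled") and c.get("keystoreFile") != keystore:
                service.remove(c)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, findings in (("server.xml", check_connectors(SERVER_XML)),
                           ("idp.xml", check_context(IDP_XML)),
                           ("server.xml (fixed)", check_connectors(keep_idp_connector(SERVER_XML)))):
        print(f"== {name}")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Run against the sample, the script reports the duplicate 8443 binding as an error, the clear-text keystorePass on both connectors as warnings and the clientAuth="false" of the self-signed connector as information; after keep_idp_connector removes the self-signed connector, the only remaining findings are the warnings about the password in server.xml. To check a real installation, replace the two sample strings with the contents of C:\Tomcat 6.0\conf\server.xml and C:\Tomcat 6.0\conf\Catalina\localhost\idp.xml.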
The IdP service is stopped and restarted by stopping and restarting the servlet container, Tomcat.