Upgrading to Shibboleth 4 is a little more complicated than an ordinary point upgrade. Here we list the steps that have been tested and work for SWAMID IdPs previously installed using idp-installer.
These steps have been tested on CentOS 7 and Debian X.
Important! Upgrade only from the latest version of Shibboleth IdP v3, which is 3.4.6. You must also have already updated your configuration files (in particular attribute-resolver.xml and attribute-filter.xml) to be compatible with IdP v4 BEFORE you begin the upgrade.
Take a backup or snapshot before you begin the upgrade, and preferably test on a test IdP before you upgrade your production IdP!
Uninstall Java 8 and install Java 11. Run the following as root.
    yum remove java-1.8.0-openjdk-headless java-1.8.0-openjdk
    yum install java-11-openjdk-headless java-11-openjdk
    alternatives --config java

    There is 2 program that provides 'java'.

      Selection    Command
    -----------------------------------------------
    *+ 1           /usr/java/jre1.8.0_151/bin/java
       2           java-11-openjdk.x86_64 (/usr/lib/jvm/java-11-openjdk-11.0.7.10-4.el7_8.x86_64/bin/java)

    Enter to keep the current selection[+], or type selection number: 2
Run everything below as root.
Shibboleth IdP v4 requires Jetty 9.4, and quite a lot has changed compared with 9.3. SWAMID operations has packaged a jetty-base directory that is adapted for SWAMID IdPs with only minimal changes. It is based on a jetty-base that the Shibboleth project publishes.
Download the latest version of Jetty 9.4 from https://www.eclipse.org/jetty/download.html. At the time of writing, this is 9.4.31.v20200723.
    cd /opt/
    wget https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution/9.4.31.v20200723/jetty-distribution-9.4.31.v20200723.zip
    unzip jetty-distribution-9.4.31.v20200723
Download SWAMID's jetty-base and unpack it. Download it from HERE
    cd jetty-distribution-9.4.31.v20200723
    unzip jetty-base-swamid.zip
Update the jetty-base things.... TO BE COMPLETED.
Re-point the jetty link to the correct distribution directory
    cd /opt
    rm jetty
    ln -s jetty-distribution-9.4.31.v20200723 jetty
Update /etc/default/jetty
    export JAVA_HOME=/etc/alternatives/jre_11
    export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    export JAVA_OPTIONS="-Didp.home=/opt/shibboleth-idp -Xmx4096M"
    export JETTY_HOME=/opt/jetty
    export JETTY_BASE=/opt/jetty/jetty-base
    export JETTY_USER=jetty
Check the Jetty start script
    cd /etc/init.d
    rm jetty
    ln -s /opt/jetty/bin/jetty.sh jetty
Check the ownership of the /var/run/jetty directory. We have seen problems where /var/run/jetty is owned by root instead of jetty.jetty. Check that it is correct.
    ls -ld /var/run/jetty
    drwxr-xr-x 2 jetty jetty 80 1 okt 21.51 /var/run/jetty/
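The manual checks in the Jetty steps above (symlink, start script, /etc/default/jetty, ownership of /var/run/jetty) can be collected into one function. This is an added example, not part of the SWAMID instructions; the function name and its ROOT prefix argument are assumptions made so the check can also be run against a scratch directory, and it relies on GNU stat.

```shell
# Added example, not part of the SWAMID instructions.
# check_jetty_layout ROOT USER GROUP
#   ROOT        path prefix: "" on the IdP host, a scratch directory in tests
#   USER GROUP  expected owner of var/run/jetty (the page expects jetty jetty)
# Prints one FAIL line per problem and returns the number of problems.
check_jetty_layout() {
    root=$1 user=$2 group=$3 problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

    # /opt/jetty must be a symlink into a 9.4 distribution directory
    link="$root/opt/jetty"
    if [ -L "$link" ]; then
        case "$(readlink "$link")" in
            *jetty-distribution-9.4.*) ;;
            *) fail "$link -> $(readlink "$link") is not a 9.4 distribution" ;;
        esac
    else
        fail "$link is not a symlink"
    fi

    # the init script must be the jetty.sh shipped with that distribution
    init="$root/etc/init.d/jetty"
    [ "$(readlink "$init")" = "/opt/jetty/bin/jetty.sh" ] ||
        fail "$init does not link to /opt/jetty/bin/jetty.sh"

    # /etc/default/jetty must export every variable the page lists
    defaults="$root/etc/default/jetty"
    for var in JAVA_HOME PATH JAVA_OPTIONS JETTY_HOME JETTY_BASE JETTY_USER; do
        grep -q "^export $var=" "$defaults" 2>/dev/null ||
            fail "$defaults does not export $var"
    done

    # /var/run/jetty must belong to the Jetty user, not root (GNU stat)
    run="$root/var/run/jetty"
    owner=$(stat -c '%U:%G' "$run" 2>/dev/null) || owner="(missing)"
    [ "$owner" = "$user:$group" ] ||
        fail "$run is owned by $owner, expected $user:$group"

    return "$problems"
}
# On the IdP host, as root: check_jetty_layout "" jetty jetty
```

A return value of 0 means every check passed; run it before starting Jetty so an ownership or symlink problem shows up as a FAIL line rather than as a failed service start.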
Load

MySQL Connector & HikariCP
===============
Download mysql-connector-java-5.1.48-bin.tar.gz from https://downloads.mysql.com/archives/c-j/

    wget https://repo1.maven.org/maven2/com/zaxxer/HikariCP/3.4.5/HikariCP-3.4.5.jar

Jetty 9.4
=========
Check the latest 9.4 at https://www.eclipse.org/jetty/download.html

    wget https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution/9.4.28.v20200408/jetty-distribution-9.4.28.v20200408.zip
    wget https://build.shibboleth.net/nexus/service/local/repositories/releases/content/net/shibboleth/idp/idp-jetty-base/9.4.0/idp-jetty-base-9.4.0.tar.gz
    cd jetty-distribution-9.4.28.v20200408
    tar zxvf ../idp-jetty-base-9.4.0.tar.gz

Rebuild jetty-base with the help of https://wiki.shibboleth.net/confluence/display/IDP4/Jetty94
Add start.d/start.ini
Update idp.ini:

    jetty.sslContext.keyStorePath=../../shibboleth-idp/credentials/https.p12
    jetty.sslContext.trustStorePath=../../shibboleth-idp/credentials/https.p12
    passwords
    jetty.ssl.port=7443
    jetty.http.host=127.0.0.1
    jetty.http.port=80

Update idp-backchannel.ini (if used)

    idp.backchannel.port=8443
    idp.backchannel.keyStorePath=../../shibboleth-idp/credentials/idp-backchannel.p12
    passwords

Point out idp.war.path in idp.xml

    <Set name="war"><SystemProperty name="idp.war.path" default="/opt/shibboleth/war/idp.war" /></Set>

    cd ..
    sudo chown -R jetty:jetty jetty-distribution-9.4.28.v20200408/
    sudo rm jetty
    sudo ln -s jetty-distribution-9.4.28.v20200408 jetty

Upgrade Shibboleth
=====================

    wget http://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-4.0.1.tar.gz
    tar zxvf shibboleth-identity-provider-4.0.1.tar.gz
    cp -r shibboleth-idp shibboleth-idp.orig

*clean up in /opt/shibboleth-idp/edit-webapp/WEB-INF/lib* httpcore, httpclient, commons-dbcp2, commons-pool2
*copy in Hikari and MySQL*

    rm shibboleth-identity-provider
    ln -s shibboleth-identity-provider-4.0.1 shibboleth-identity-provider
    cd shibboleth-identity-provider
    bin/install.sh

2020-09-18 NEXT:
Check database is OK with new Hikari and MySQL
Check errors in idp-warn
Fix u2f

u2f error:

    2020-06-26 15:01:49,090 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception
    org.springframework.binding.expression.EvaluationException: An ELException occurred getting the value for expression 'initializeU2fRequest' on context [class org.springframework.webflow.engine.impl.RequestControlContextImpl]
        at org.springframework.binding.expression.spel.SpringELExpression.getValue(SpringELExpression.java:104)
    Caused by: org.springframework.expression.spel.SpelEvaluationException: EL1021E: A problem occurred whilst attempting to access the property 'initializeU2fRequest': 'Error creating bean with name 'initializeU2fRequest' defined in URL [jar:file:/opt/jetty-distribution-9.4.28.v20200408/jetty-base/tmp/jetty-0_0_0_0-7443-idp_war-_idp-any-10504452630070337846.dir/webinf/WEB-INF/lib/shibboleth-mfa-u2f-auth-1.1-SNAPSHOT.jar!/META-INF/net/shibboleth/idp/flows/authn/U2f/u2f-authn-beans.xml]: Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [eu.stderr.shibboleth.idp.u2f.authn.impl.InitializeRequest]: Constructor threw exception; nested exception is org.codehaus.groovy.runtime.typehandling.GroovyCastException: Cannot cast object 'net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy@6937f8bb' with class 'net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy' to class 'com.google.common.base.Function''
        at org.springframework.expression.spel.ast.PropertyOrFieldReference.readProperty(PropertyOrFieldReference.java:209)
    Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'initializeU2fRequest' defined in URL [jar:file:/opt/jetty-distribution-9.4.28.v20200408/jetty-base/tmp/jetty-0_0_0_0-7443-idp_war-_idp-any-10504452630070337846.dir/webinf/WEB-INF/lib/shibboleth-mfa-u2f-auth-1.1-SNAPSHOT.jar!/META-INF/net/shibboleth/idp/flows/authn/U2f/u2f-authn-beans.xml]: Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [eu.stderr.shibboleth.idp.u2f.authn.impl.InitializeRequest]: Constructor threw exception; nested exception is org.codehaus.groovy.runtime.typehandling.GroovyCastException: Cannot cast object 'net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy@6937f8bb' with class 'net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy' to class 'com.google.common.base.Function'
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateBean(AbstractAutowireCapableBeanFactory.java:1320)
    Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [eu.stderr.shibboleth.idp.u2f.authn.impl.InitializeRequest]: Constructor threw exception; nested exception is org.codehaus.groovy.runtime.typehandling.GroovyCastException: Cannot cast object 'net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy@6937f8bb' with class 'net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy' to class 'com.google.common.base.Function'
        at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:216)
    Caused by: org.codehaus.groovy.runtime.typehandling.GroovyCastException: Cannot cast object 'net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy@6937f8bb' with class 'net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy' to class 'com.google.common.base.Function'
        at org.codehaus.groovy.runtime.typehandling.DefaultTypeTransformation.continueCastOnSAM(DefaultTypeTransformation.java:405)
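
For the "Check errors in idp-warn" item: the u2f trace above repeats the same root cause at every nesting level, so a filter that keeps only the innermost "Caused by" and the plugin jar named in the trace makes the log much quicker to read. This is an added example, not part of the SWAMID notes; the function names are assumptions, the log layout is assumed to match the trace above, and the sample lines are constructed and abbreviated from it.

```shell
# Added example, not part of the SWAMID notes.
# summarize_errors [LOGFILE]   (reads stdin when no file is given)
# One line per ERROR entry: timestamp | logger | innermost cause | plugin jar
summarize_errors() {
    awk '
    function emit() {
        if (ts != "") print ts " | " logger " | " cause " | " jar
        ts = ""
    }
    /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] / {   # start of a log entry
        emit()
        if (index($0, " - ERROR [") == 0) next         # report ERROR only
        ts = $1 " " $2; cause = "(none)"; jar = "-"
        i = index($0, "["); j = index($0, "]")
        logger = substr($0, i + 1, j - i - 1)
        next
    }
    ts == "" { next }                  # continuation of a skipped entry
    /^Caused by: / {                   # each deeper cause overwrites the last
        cause = $3; sub(/:$/, "", cause)
    }
    jar == "-" && match($0, "WEB-INF/lib/[^!/]*[.]jar") {
        jar = substr($0, RSTART + 12, RLENGTH - 12)    # drop "WEB-INF/lib/"
    }
    END { emit() }
    ' "$@"
}

# Constructed sample input, abbreviated from the u2f trace on this page
# (the WARN line and its logger name are made up for the example).
sample_log() {
cat <<'EOF'
2020-06-26 15:01:48,512 - WARN [net.shibboleth.example:10] - constructed warning
2020-06-26 15:01:49,090 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception
org.springframework.binding.expression.EvaluationException: An ELException occurred
    at org.springframework.binding.expression.spel.SpringELExpression.getValue(SpringELExpression.java:104)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean defined in URL [jar:file:/opt/jetty/jetty-base/tmp/webinf/WEB-INF/lib/shibboleth-mfa-u2f-auth-1.1-SNAPSHOT.jar!/META-INF/u2f-authn-beans.xml]
Caused by: org.codehaus.groovy.runtime.typehandling.GroovyCastException: Cannot cast object to class 'com.google.common.base.Function'
EOF
}
# Try it: sample_log | summarize_errors
```

Run against the real log, each ERROR collapses to one line, so a third-party jar left in edit-webapp/WEB-INF/lib that fails to load under IdP v4 is named directly.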