Changes between Version 12 and Version 13 of IdPFreshInstall


Timestamp:
01/05/15 16:20:42 (9 years ago)
Author:
dabantz@…
Comment:

--

  • IdPFreshInstall

    v12 v13  
    1414[[https://wiki.shibboleth.net/confluence/display/SHIB2/IdPApacheTomcatPrepare|Preparing Apache Tomcat for the Shibboleth Identity Provider]] 
    1515 
     16=== Configuring Tomcat connector & security === 
     17Tomcat configuration appears to be very version dependent.  That is, the same configuration statements in one version of Tomcat will not work properly in another.  So some research and updating is needed for each new version of tomcat. 
     18 
     19The UA IdP as of 2015-01 is using tomcat version 6.  For that version, we configured tomcat to respond on secured port 8444 [IdP runs as tomcat so must use high-numbered port] with the following configuration snippet in the tomcat directory (/opt/tomcat/conf/server.xml on the UA IdP servers) as of 2015-01: 
     20{{{ 
     21<Connector port="8444"  
     22    protocol="HTTP/1.1"  
     23    SSLEnabled="true"  
     24    maxThreads="150"  
     25    scheme="https"  
     26    secure="true"  
     27    clientAuth="false"  
     28    sslProtocols="TLSv1,TLSv1.1,TLSv1.2" 
     29    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA" 
     30    keystoreFile="/opt/shibboleth-idp/credentials/idp.alaska.edu.jks"  
     31    keystorePass="••••••••••••" /> 
     32 
     33}}} 
     34This limits ciphers to those supported in the installed JDK version and considered safest by [https://www.ssllabs.com/sslltest/analyze.html| Qualsys SSL Labs]. 
     35This configuration does not support PFS; that will require an update to tomcat and JDK.  
    1636 
    1737=== Install Compatible JDK - Open JDK ===
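Review bot: the ciphers attribute on line 29 still lists two 3DES suites (SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA and SSL_RSA_WITH_3DES_EDE_CBC_SHA), which are the 112-bit-strength entries in an otherwise AES-only list; if the intent stated on line 34 is to keep only the suites rated safest, those two are the first candidates to drop, and the text should say why they are retained if JDK or client compatibility requires them. Line 35 says the configuration "does not support PFS", yet TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA and TLS_DHE_RSA_WITH_AES_256_CBC_SHA on line 29 are forward-secret suites when negotiated; rewording to "the installed JDK does not offer these suites, so PFS is not achieved in practice" would avoid contradicting the list. Two smaller points: the SSL Labs link on line 34 reads `sslltest` (one `l` too many) and spells the vendor "Qualsys" rather than Qualys; and since keystorePass on line 31 sits in cleartext in /opt/tomcat/conf/server.xml, the section should state the expected owner and mode of that file so it is readable by the tomcat account only.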