Last modified 11 years ago
Last modified on 03/11/13 17:28:47
Shibboleth / Test IdP Config Change
This page documents the configuration change test procedure in the IAM Shibboleth installation. The Shibboleth installation has two servers (hanin and heald) in a master and hot standby configuration. Currently heald is the hot standby and hanin is the master. This procedure is meant to be a general guideline for all changes that might occur to an IdP. The example below is just that and does not reflect the actual change that might be tested.
Warning: Changes to any Tomcat config file and some changes in Shibboleth require restarting Tomcat. At a minimum these kinds of change should be preceded by an activity notification submitted here at least one week prior to the change as it could cause some level of interruption.
- Check out the appropriate directory from subversion on the hot standby Shibboleth server.
[sxjpm@heald Junk]$ svn co svn+ssh://sxjpm@iron.alaska.edu/usr/local/iam/shib-svn/idp/trunk/conf A conf/service.xml ... A conf/login.config Checked out revision 1.
- Copy the changed configuration file into place on the IdP.
[root@heald ~]# cp ~sxjpm/Junk/conf/attribute-filter.xml /opt/shibboleth-idp/conf/attribute-filter.xml
- Restart the IdP.
[sxjpm@heald Junk]$ pbrun su - [root@heald ~]# su - tomcat -bash-3.2$ -bash-3.2$ /opt/tomcat/bin/shutdown.sh -bash-3.2$ ps -ef | grep tomcat root 8811 8784 0 13:58 pts/1 00:00:00 grep tomcat tomcat 12756 1 0 Jun21 ? 00:03:50 /usr/lib/jvm/jre-1.6.0-sun.x86_64/bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Xmx1024m -XX:MaxPermSize=128m -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs=/opt/tomcat/endorsed -classpath /opt/tomcat/bin/bootstrap.jar -Dcatalina.base=/opt/tomcat -Dcatalina.home=/opt/tomcat -Djava.io.tmpdir=/opt/tomcat/temp org.apache.catalina.startup.Bootstrap start -bash-3.2$ /opt/tomcat/bin/startup.sh
- Check the logs for startup anomalies and fix as necessary.
-bash-3.2$ cat /opt/shibboleth-idp/logs/idp-process.log | grep "DEBUG" -bash-3.2$ cat /opt/shibboleth-idp/logs/idp-process.log | grep "ERROR"
- Test with web browser and fix as necessary.
- Linux & Mac OS X: Modify local hosts file to point at standby IdP and then test SP/IdP interaction with local web browser.
john@fearless:~$ sudo vi /etc/hosts ... # Heald 137.229.114.189 idp.alaska.edu ... :wq!
- Windows: Open Notepad with "Run as Administrator" and add "137.229.114.189 idp.alaska.edu <http://idp.alaska.edu>
- Linux & Mac OS X: Modify local hosts file to point at standby IdP and then test SP/IdP interaction with local web browser.
- If test results are good then repeat steps 1. and 2. from above on hanin. The IdP is configured to reload the attribute resolution, attribute filtering, and relying party configurations every 15 minutes. So wait 15 minutes or so and then revert hosts changes in step 5. and repeat step 5. If the changes are to files of other types such as the login configuration of Shibboleth or Tomcat then a restart is required.
