These instructions are for IdP versions 2.4.x in the SWITCHaai federation that have been installed using the deployment guides on our website.
cd /opt/shibboleth-idp
tar -cvzf ../shibboleth-idp_config.tar.gz ./conf ./metadata ./credentials
chmod 600 ../shibboleth-idp_config.tar.gz
Download the latest Shibboleth Identity Provider.
cd /usr/local/src
curl -O https://shibboleth.net/downloads/identity-provider/2.4.4/shibboleth-identityprovider-2.4.4-bin.zip
cd /usr/local/src
unzip shibboleth-identityprovider-2.4.4-bin.zip
cd shibboleth-identityprovider-2.4.4
chmod u+x install.sh
WEB-INF/web.xml) in the IdP source directory. Copy the files from the old source directory to the new one. The customized pages are located in src/main/webapp/.
The following instructions just replace the new webapp directory with your current webapp directory.
cd /usr/local/src
rm -rf shibboleth-identityprovider-2.4.4/src/main/webapp
cp -a shibboleth-identityprovider-2.4.3/src/main/webapp \
  shibboleth-identityprovider-2.4.4/src/main
mysql-connector-java-version-bin.jar) to /usr/local/src/shibboleth-identityprovider-2.4.4/lib/.
cd /usr/local/src/shibboleth-identityprovider-2.4.3
cp /usr/local/src/shibboleth-identityprovider-2.4.3/lib/mysql-connector-java-version-bin.jar \
  /usr/local/src/shibboleth-identityprovider-2.4.4/lib/
lib directory:
cp /opt/cas-client-X.Y.Z/cas-client-core/target/cas-client-core-X.Y.Z.jar \
  /usr/local/src/shibboleth-identityprovider-2.4.4/lib/
lib directory to the new IdP's lib directory:
cd /usr/local/src/shibboleth-identityprovider-2.4.3
cp lib/jstl-1.2.jar \
  lib/spring-jdbc-2.5.6.SEC03.jar \
  lib/spring-tx-2.5.6.SEC03.jar \
  lib/uApprove-2.5.0.jar \
  /usr/local/src/shibboleth-identityprovider-2.4.4/lib/
install.sh script:
cd /usr/local/src/shibboleth-identityprovider-2.4.4
If you use Debian 7.0 "wheezy" and have the package default-jre-headless installed:
JAVA_HOME=/usr/lib/jvm/default-java ./install.sh
Else, if JAVA_HOME is set in /etc/profile:
./install.sh
This will produce an output similar to the following. <ENTER> when the script asks "Would you like to overwrite this Shibboleth configuration?".)
Buildfile: src/installer/resources/build.xml
install:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Be sure you have read the installation/upgrade instructions on the
Shibboleth website before proceeding.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Where should the Shibboleth Identity Provider software be installed?
[/opt/shibboleth-idp]
The directory '/opt/shibboleth-idp' already exists. Would you like to
overwrite this Shibboleth configuration? (yes, [no])
no
(further output omitted)
internal.xml configuration file so that the Apache Xerces2 library is no longer referenced (addresses the CVE-2013-4002 DoS vulnerability):
perl -pi -e 's/\Q"org.apache.xerces/"com.sun.org.apache.xerces.internal/' /opt/shibboleth-idp/conf/internal.xml
This command changes the configuration in internal.xml to use the Java class com.sun.org.apache.xerces.internal.util.SecurityManager instead of org.apache.xerces.util.SecurityManager. (If this change has already been made, the command does nothing.)
In case Perl is not available on your system (on a Debian system, Perl is available by default), you can download an updated version of the file internal.xml from the webserver of SWITCH and replace the current file with this new file:
cd /opt/shibboleth-idp/conf/
cp internal.xml internal.xml.old
curl -O https://www.switch.ch/aai/docs/shibboleth/SWITCH/latest/idp/deployment/internal.xml
endorsed subdirectory:
rm -r /usr/share/tomcat6/endorsed
/etc/init.d/tomcat6 restart
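The internal.xml change and the removal of the endorsed directory can be verified with a small shell check. This is an added example, not part of the SWITCH guide; the function names and the sample XML lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: post-upgrade check for the internal.xml and endorsed-directory
# steps. Function names and the sample XML lines are assumptions.

# check_internal_xml FILE
#   0 = only com.sun.org.apache.xerces.internal classes are referenced
#   1 = a class from the bundled org.apache.xerces library is still referenced
#   2 = file unreadable, or neither class name found (not the expected file)
check_internal_xml() {
    [ -r "$1" ] || return 2
    # Match with the leading quote, as the perl substitution does: the new
    # class name contains "org.apache.xerces" as a substring.
    if grep -qF '"org.apache.xerces' "$1"; then
        return 1
    fi
    grep -qF '"com.sun.org.apache.xerces.internal' "$1" || return 2
    return 0
}

# upgrade_report CONF_FILE ENDORSED_DIR
#   Prints one line per check; returns the number of failed checks.
upgrade_report() {
    failed=0; rc=0
    check_internal_xml "$1" || rc=$?
    case "$rc" in
        0) echo "OK    $1 references the JDK-internal SecurityManager" ;;
        1) echo "FAIL  $1 still references org.apache.xerces"; failed=$((failed + 1)) ;;
        *) echo "FAIL  $1 unreadable or has no SecurityManager entry"; failed=$((failed + 1)) ;;
    esac
    if [ -e "$2" ]; then
        echo "FAIL  $2 still exists"; failed=$((failed + 1))
    else
        echo "OK    $2 is absent"
    fi
    return "$failed"
}

# Demonstration on constructed sample files (not real IdP configuration).
demo=$(mktemp -d)
echo '<bean class="org.apache.xerces.util.SecurityManager"/>' > "$demo/old.xml"
echo '<bean class="com.sun.org.apache.xerces.internal.util.SecurityManager"/>' > "$demo/new.xml"
mkdir "$demo/endorsed"
upgrade_report "$demo/old.xml" "$demo/endorsed" || echo "=> $? check(s) failed"
upgrade_report "$demo/new.xml" "$demo/no-endorsed" && echo "=> all checks passed"
rm -rf "$demo"
```

On an IdP installed as described here, the call would be upgrade_report /opt/shibboleth-idp/conf/internal.xml /usr/share/tomcat6/endorsed.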
Finally, test whether your IdP still works as before.
Access the AAI Viewer, choose your home organization, login and then verify whether all attributes are available.
In case you have enabled support for interfederation, you should also verify whether all attributes required for interfederation are released.
Access the Interfederation Test page and authenticate with AAI.
More information about this test can be found in the guide Enabling Interfederation Support for a Shibboleth Identity Provider (IdP) in SWITCHaai.
If problems occur during the upgrade, or something doesn't work as expected, please contact the SWITCHaai Team by email: aai@switch.ch.
General support website: http://www.switch.ch/aai/support/