Using Jetty 9
Within this documentation, idp.home will be used to refer to the IdP installation directory (as specified during the installation process). JETTY_HOME will be used to refer to the location of the Jetty installation.
TODO: revise these docs to reflect use of JETTY_BASE
There are no known issues with any specific Jetty 9 release. The latest stable version should be used.
- Jetty listens on ports 8080 and 8443 for user-facing web traffic by default. You will most likely need to change these to 80 and 443 in the jetty.xml and jetty-ssl.xml config files. Because those ports are privileged, you then have to either use the setuid extension (Jetty binds the ports as root and drops to an unprivileged user), use a port forwarding approach (for example a firewall rule that redirects 443 to 8443), or run Jetty as root. The last option means a compromise of the web container is a compromise of the host, so prefer one of the other two.
- Add the following Java options to your start.ini file:
  - If you chose to install to a location other than the default (/opt/shibboleth-idp), then you must add -Didp.home=<location> (replacing <location> with your install location).
  - -Xmx###m - the maximum amount of heap memory that Jetty may use; at least 512M is recommended.
  - -XX:MaxPermSize=128m - (Sun/Oracle JVM specific option) the maximum amount of memory allowed for the permanent generation object space. This only applies to Java 7 and earlier; Java 8 removed the permanent generation and ignores the option with a warning.
- Uncomment --exec (this makes the start script fork a fresh JVM, which is required for the JVM options above to take effect)
- Uncomment etc/jetty-ssl.xml at the bottom of start.ini
- Make sure at least the following modules are enabled in start.ini: plus, servlets, annotations, jstl
- Jetty will use /tmp as a staging area for unpacking the warfile, and if you have cron jobs sweeping that directory for old files, your IdP can be disrupted. You will probably want to create a tmp directory yourself, perhaps in JETTY_HOME, owned by the user Jetty runs as and not world-writable, and set -Djava.io.tmpdir=<that directory> in your start.ini
The Jetty distribution ships with a number of example applications located in the JETTY_HOME/webapps directory and deployment descriptors located in JETTY_HOME/contexts. You should remove all of these unless you are specifically using them.
Supporting SOAP Endpoints
The use of the back-channel is discussed in the SecurityAndNetworking topic, and you should review that to understand whether or not you need to support this feature.
If you do need this support, these connections generally require special security properties that are not appropriate for user-facing/browser use. Therefore an additional endpoint must be configured.
- Copy the jetty9-dta-ssl-1.0.0.jar plugin to JETTY_HOME/lib/ext, after verifying the download against its detached PGP signature (the .asc file published alongside it)
- Create the file JETTY_HOME/etc/jetty-shibboleth.xml and place something like the following content in it (this is modeled on defaults provided by Jetty):
- Replace idp.home with the IdP home directory entered during installation.
- Replace PASSWORD with the keystore password entered during installation.
- Add etc/jetty-shibboleth.xml to your Jetty start.ini file (towards the bottom of the file you should see other configuration files listed).
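The following is an added example of what such a back-channel connector file can look like; it is not the file shipped by the Shibboleth project or by Jetty. It assumes the jetty9-dta-ssl plugin's net.shibboleth.utilities.jetty9.DelegateToApplicationSslContextFactory class, the idp.home and PASSWORD placeholders described above, and port 8443 for the back channel; adjust all three for your installation. The point of a separate connector is that the IdP, not the JVM truststore, decides whether a SAML peer's client certificate is acceptable, so the connector only asks for (WantClientAuth) rather than requires (NeedClientAuth) a certificate, and the SecureRequestCustomizer is included so that the IdP sees the request as HTTPS.

```xml
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">

<!-- Added example of a Jetty 9 back-channel (SOAP) connector for the IdP.
     Not the project's own file. The dta-ssl class name, the idp.home and
     PASSWORD placeholders and port 8443 are assumptions; adjust locally. -->
<Configure id="Server" class="org.eclipse.jetty.server.Server">

  <!-- TLS settings for the back channel. The dta-ssl factory delegates the
       trust decision on the presented client certificate to the IdP, which
       checks it against SAML metadata rather than the JVM truststore. -->
  <New id="shibSslContextFactory"
       class="net.shibboleth.utilities.jetty9.DelegateToApplicationSslContextFactory">
    <Set name="KeyStorePath">idp.home/credentials/idp.jks</Set>
    <Set name="KeyStorePassword">PASSWORD</Set>
    <!-- Request a client certificate but do not fail the handshake without one;
         the IdP decides per message whether the peer is authenticated. -->
    <Set name="WantClientAuth">true</Set>
    <Set name="NeedClientAuth">false</Set>
    <!-- Legacy SSL versions have no place on an authentication endpoint. -->
    <Set name="ExcludeProtocols">
      <Array type="java.lang.String">
        <Item>SSLv2Hello</Item>
        <Item>SSLv3</Item>
      </Array>
    </Set>
  </New>

  <!-- A dedicated HTTPS connector, so the browser-facing connector on 443
       keeps its own (stricter or simply different) TLS settings. -->
  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ServerConnector">
        <Arg name="server"><Ref refid="Server"/></Arg>
        <Arg name="factories">
          <Array type="org.eclipse.jetty.server.ConnectionFactory">
            <Item>
              <New class="org.eclipse.jetty.server.SslConnectionFactory">
                <Arg name="next">http/1.1</Arg>
                <Arg name="sslContextFactory"><Ref refid="shibSslContextFactory"/></Arg>
              </New>
            </Item>
            <Item>
              <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                <Arg name="config">
                  <New class="org.eclipse.jetty.server.HttpConfiguration">
                    <Set name="secureScheme">https</Set>
                    <Set name="securePort">8443</Set>
                    <!-- Without this customizer request.isSecure() is false and
                         the client certificate is not exposed to the webapp. -->
                    <Call name="addCustomizer">
                      <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg>
                    </Call>
                  </New>
                </Arg>
              </New>
            </Item>
          </Array>
        </Arg>
        <Set name="port">8443</Set>
        <Set name="idleTimeout">30000</Set>
      </New>
    </Arg>
  </Call>
</Configure>
```

After adding etc/jetty-shibboleth.xml to start.ini and restarting, confirm the connector is up with a TLS client that presents a certificate (for example openssl s_client -connect host:8443 -cert client.pem -key client.key) and check that a plain browser connection to 8443 is still served, which is the expected behaviour for WantClientAuth.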
Deploying the IdP
In order to deploy the IdP, Jetty must be informed of the location of the IdP warfile.
Create the file JETTY_HOME/webapps/idp.xml and place the following content in it (replace idp.home with your IdP's home directory):
Make sure to apply the settings above, or Jetty will be unable to use the packed warfile.
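As an added illustration of such a context descriptor (not the page's or the project's own file; /opt/shibboleth-idp stands in for idp.home and the /idp context path is the conventional one), the settings that keep the war packed are extractWAR=false together with copyWebInf=true, so that Jetty copies only WEB-INF (classes and libraries) to the temp directory instead of unpacking the whole archive there:

```xml
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">

<!-- Added example of a Jetty 9 context descriptor for the IdP war.
     Not the page's own file; /opt/shibboleth-idp is assumed for idp.home. -->
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
  <Set name="war">/opt/shibboleth-idp/war/idp.war</Set>
  <Set name="contextPath">/idp</Set>
  <!-- Serve from the packed war; do not unpack it into java.io.tmpdir. -->
  <Set name="extractWAR">false</Set>
  <Set name="copyWebDir">false</Set>
  <!-- Copy WEB-INF (classes and libs) so the class loader can read them
       even though the rest of the war stays packed. -->
  <Set name="copyWebInf">true</Set>
  <!-- Recreate the scratch directory on every start. -->
  <Set name="persistTempDirectory">false</Set>
</Configure>
```

Keep the war file readable only by the account Jetty runs as; because the war is never unpacked, that one file is the whole deployed application.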