Tomcat

If Apache is being used to proxy the IdP, Tomcat must not itself be listening on ports 443 and 8443. Comment out any existing <Connector> elements for port 443 and port 8443 in Tomcat's conf/server.xml file.

You will also need to ensure that the port 8009 connector is configured to accept requests proxied from Apache. In server.xml, find the port 8009 connector and edit it so that it looks like this:

<Connector port="8009" request.tomcatAuthentication="false"
     address="127.0.0.1" enableLookups="false"
     protocol="AJP/1.3" redirectPort="8443" />
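The two requirements above (no live Connector on the ports Apache owns, and an AJP connector on 8009 that is bound to the loopback address and leaves authentication to the IdP) can be checked mechanically before Tomcat is restarted. The following Python script is an added example, not part of this page or of the Tomcat or Shibboleth distributions. It parses a constructed server.xml sample in which the 443 connector has been commented out but the 8443 one is still live and the AJP connector is bound to every interface. The page spells the authentication attribute request.tomcatAuthentication; current Tomcat documentation calls it tomcatAuthentication, so the check accepts either spelling.

```python
"""Added example (not from the page or the Shibboleth distribution): check that a
Tomcat server.xml matches the Apache-fronted layout described above."""
import xml.etree.ElementTree as ET

APACHE_PORTS = {"443", "8443"}   # Apache listens here; Tomcat must not

# Constructed sample: the 443 connector is commented out as instructed, but the
# 8443 connector is still live and the AJP connector is bound to every interface.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!--
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" />
    -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" />
    <Connector port="8009" request.tomcatAuthentication="false"
         address="0.0.0.0" enableLookups="false"
         protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


def check_server_xml(xml_text):
    """Return a list of problems; an empty list means server.xml matches the page.
    ElementTree discards XML comments, so commented-out Connectors are ignored."""
    problems = []
    root = ET.fromstring(xml_text)
    ajp = None
    for conn in root.iter("Connector"):
        port = conn.get("port")
        if port in APACHE_PORTS:
            problems.append(f"live Connector on port {port}: comment it out, Apache listens there")
        elif port == "8009":
            ajp = conn
    if ajp is None:
        problems.append("no Connector on port 8009: Apache's ProxyPass would have nothing to reach")
        return problems
    if ajp.get("protocol") != "AJP/1.3":
        problems.append('port 8009 Connector needs protocol="AJP/1.3"')
    if ajp.get("address") != "127.0.0.1":
        problems.append('port 8009 Connector should bind address="127.0.0.1" '
                        "so only the local Apache can speak AJP to it")
    if ajp.get("enableLookups") != "false":
        problems.append('port 8009 Connector should set enableLookups="false"')
    # The page writes request.tomcatAuthentication; current Tomcat documentation
    # names the attribute tomcatAuthentication. Accept either spelling.
    auth = ajp.get("request.tomcatAuthentication", ajp.get("tomcatAuthentication"))
    if auth != "false":
        problems.append("port 8009 Connector must disable Tomcat authentication "
                        "so that the IdP handles it")
    return problems


if __name__ == "__main__":
    for problem in check_server_xml(SAMPLE_SERVER_XML):
        print("PROBLEM:", problem)
```

Run it against a real conf/server.xml by reading the file into check_server_xml; the two problems it reports on the sample (the live 8443 connector and the AJP connector bound to 0.0.0.0) are exactly the two deviations a hurried edit of the stock file tends to leave behind, and the 0.0.0.0 binding is the one that matters most, since it exposes the unauthenticated AJP port to the network rather than to the local Apache only.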

Apache Modules and Proxy

You will need to edit the Apache configuration file httpd.conf so that Apache passes requests for "/idp/" to Tomcat, which listens on localhost port 8009. Add this line to the end of the file:

ProxyPass /idp/ ajp://localhost:8009/idp/

Also, if you are using Windows, you need to find the following lines in httpd.conf and uncomment them (by removing the leading "#") to load the necessary modules and include the SSL configuration file:

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf

Apache VirtualHost

This section assumes that you are using the standard ports 443 and 8443 for the IdP. Apache needs to listen on both of them, so you will need these two lines in your configuration; they are usually placed in httpd.conf or httpd-ssl.conf (ssl.conf on Linux):

Listen 443
Listen 8443

Our current recommendation for IdPs is to use a federation-qualified certificate for the federation trust fabric, and to use the same certificate to protect the SSL "endpoints" (the URLs through which browsers and service providers access the IdP). We recommend this configuration because some SPs in the federation cannot interoperate with IdPs whose trust fabric certificates are self-signed.

If you wish to use a different configuration, please consult the federation support team via the UK federation helpdesk before proceeding further. Otherwise, the recommended Apache VirtualHost configuration is given below; add it to httpd-ssl.conf (ssl.conf on Linux). The log file locations and settings can of course be modified as necessary.

Some organisations have configured httpd with a single VirtualHost and Location directives to distinguish AA and Artifact traffic from SSO traffic. We do not recommend this, as it significantly complicates both configuration and troubleshooting.

<VirtualHost _default_:443>

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLOptions +StdEnvVars

SSLCertificateFile /opt/shibboleth-idp/credentials/ssl-cert.crt
SSLCertificateKeyFile /opt/shibboleth-idp/credentials/ssl-cert.key
SSLCertificateChainFile /opt/shibboleth-idp/credentials/intermediate.pem

ErrorLog logs/ssl_443_error_log
TransferLog logs/ssl_443_access_log
LogLevel warn
CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

<VirtualHost _default_:8443>

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLOptions -StdEnvVars +ExportCertData

SSLCertificateFile /opt/shibboleth-idp/credentials/ssl-cert.crt
SSLCertificateKeyFile /opt/shibboleth-idp/credentials/ssl-cert.key
SSLCertificateChainFile /opt/shibboleth-idp/credentials/intermediate.pem

SSLVerifyClient optional_no_ca
SSLVerifyDepth 10
ErrorLog logs/ssl_8443_error_log
TransferLog logs/ssl_8443_access_log
LogLevel warn
CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
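The Apache fragments from the "Apache Modules and Proxy" section and from this one (the LoadModule lines, the ProxyPass line, the two Listen lines and the two VirtualHosts) can be linted as a unit. The following Python script is an added example, not part of this page or of the Apache or Shibboleth projects. It concatenates the page's fragments into a constructed sample file, parses it with a minimal VirtualHost-aware parser, and reports an error wherever a directive the page requires is missing: Listen 443 and 8443, the three LoadModule lines, the /idp/ ProxyPass to ajp://, SSLEngine and the certificate files in each VirtualHost, and, on 8443, SSLVerifyClient optional_no_ca together with SSLOptions +ExportCertData, the pair that makes Apache accept a client certificate it cannot chain itself and export it so that the IdP can validate the SP's certificate on its own. Separately, as an added policy that the page does not state, it warns where SSLProtocol leaves SSLv3 enabled or the SSLCipherSuite string still admits RC4 or LOW ciphers; the page's own lines trip both warnings, which was acceptable when they were written but is not today (RFC 7465 prohibits RC4 and RFC 7568 deprecates SSLv3).

```python
"""Added example (not from the page, Apache or Shibboleth): lint the httpd
configuration fragments above for the directives the page requires."""
import re

VHOST_OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"</VirtualHost>", re.IGNORECASE)

# Constructed sample: the page's fragments concatenated into one file.
SAMPLE_CONF = """
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule ssl_module modules/mod_ssl.so
Listen 443
Listen 8443
ProxyPass /idp/ ajp://localhost:8009/idp/
<VirtualHost _default_:443>
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLOptions +StdEnvVars
SSLCertificateFile /opt/shibboleth-idp/credentials/ssl-cert.crt
SSLCertificateKeyFile /opt/shibboleth-idp/credentials/ssl-cert.key
SSLCertificateChainFile /opt/shibboleth-idp/credentials/intermediate.pem
</VirtualHost>
<VirtualHost _default_:8443>
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLOptions -StdEnvVars +ExportCertData
SSLCertificateFile /opt/shibboleth-idp/credentials/ssl-cert.crt
SSLCertificateKeyFile /opt/shibboleth-idp/credentials/ssl-cert.key
SSLVerifyClient optional_no_ca
SSLVerifyDepth 10
</VirtualHost>
"""


def parse_httpd_conf(text):
    """Minimal parser: returns (global directives, {vhost address: directives}).
    A directive is (lowercased name, argument string); comments and blanks are skipped."""
    global_directives, vhosts, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = VHOST_OPEN.match(line)
        if opened:
            current = opened.group(1).strip()
            vhosts[current] = []
        elif VHOST_CLOSE.match(line):
            current = None
        else:
            parts = line.split(None, 1)
            entry = (parts[0].lower(), parts[1] if len(parts) > 1 else "")
            (global_directives if current is None else vhosts[current]).append(entry)
    return global_directives, vhosts


def _args(directives, name):
    return [args for n, args in directives if n == name]


def lint_httpd_conf(text):
    """Return {"errors": [...], "warnings": [...]}: errors are directives the page
    requires, warnings are the added SSLv3/RC4/LOW policy from the lead-in."""
    global_directives, vhosts = parse_httpd_conf(text)
    errors, warnings = [], []
    for port in ("443", "8443"):
        if not any(a.split(":")[-1] == port for a in _args(global_directives, "listen")):
            errors.append(f"missing 'Listen {port}'")
    if not any(a.startswith("/idp/ ajp://") for a in _args(global_directives, "proxypass")):
        errors.append("no 'ProxyPass /idp/ ajp://...' line: /idp/ requests never reach Tomcat")
    loaded = {a.split()[0] for a in _args(global_directives, "loadmodule")}
    for mod in ("proxy_module", "proxy_ajp_module", "ssl_module"):
        if mod not in loaded:
            errors.append(f"LoadModule {mod} not found (still commented out?)")
    for port in ("443", "8443"):
        vh = next((d for addr, d in vhosts.items() if addr.endswith(":" + port)), None)
        if vh is None:
            errors.append(f"no <VirtualHost> for port {port}")
            continue
        if [a.lower() for a in _args(vh, "sslengine")] != ["on"]:
            errors.append(f"port {port}: SSLEngine must be on")
        for name in ("sslcertificatefile", "sslcertificatekeyfile"):
            if not _args(vh, name):
                errors.append(f"port {port}: {name} missing")
        if port == "8443":
            # Apache must accept a client certificate it cannot chain and export
            # it, so that the IdP can validate the SP's certificate itself.
            if [a.lower() for a in _args(vh, "sslverifyclient")] != ["optional_no_ca"]:
                errors.append("port 8443: SSLVerifyClient optional_no_ca required")
            if "+ExportCertData" not in " ".join(_args(vh, "ssloptions")):
                errors.append("port 8443: SSLOptions +ExportCertData missing")
        for proto in _args(vh, "sslprotocol"):
            tokens = proto.lower().split()
            if "all" in tokens and "-sslv3" not in tokens:
                warnings.append(f"port {port}: SSLProtocol leaves SSLv3 enabled")
        for suite in _args(vh, "sslciphersuite"):
            weak = [e for e in suite.split(":")
                    if not e.startswith("!") and ("RC4" in e.upper() or "LOW" in e.upper())]
            if weak:
                warnings.append(f"port {port}: SSLCipherSuite admits weak ciphers {weak}")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    report = lint_httpd_conf(SAMPLE_CONF)
    for level in ("errors", "warnings"):
        for msg in report[level]:
            print(level.upper(), msg)
```

On the sample the error list is empty, because the page's fragments are complete, while the warning list carries one SSLv3 and one cipher warning per VirtualHost. To lint a real deployment, read httpd.conf and httpd-ssl.conf (or ssl.conf) into one string first, since the parser does not follow Include directives; the Windows instructions in particular split the LoadModule lines and the VirtualHosts across those two files.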