Tomcat Configuration (without Apache)
If Apache is not being used to proxy the IdP then you must ensure that Tomcat has a connector configured in the conf/server.xml file (in the Tomcat installation directory) for each of ports 443 and 8443 as described below. You should first ensure you have followed these instructions for preparing Tomcat (unless you are using the Windows Quick Installer).
Please note that if you are using the Windows Quick Installer it will generate a working configuration for you in server.xml that might not look like the one below. In that case there is no need to change it, except to change the values of keystoreFile and keystorePass and add keystoreType="PKCS12" to the connectors in server.xml so that it refers to the PKCS12 file containing your CA certificate and private key, as described in the following paragraphs.
Our current recommendation for IdPs is to use a federation-qualified certificate for the federation trust fabric, and to use the same certificate to protect the SSL "endpoints" (the URLs which browsers and SPs use to access the IdP). This configuration is recommended because some SPs in the federation cannot interoperate with IdPs that use self-signed trust fabric certificates.
If you wish to use a different configuration then please consult the federation support team via the UK federation helpdesk before proceeding further.
Tomcat cannot use certificate files directly, but instead uses Java keystores. You will therefore need to create a Java keystore file containing your federation-qualified certificate, its corresponding private key file, and the intermediate certificate file supplied by the certification authority. Without going into detail, a Java keystore is a type of file that can contain a private key and a certificate, and a CA's intermediate file if there is one. Here we recommend use of the PKCS12 format, because then you can use the OpenSSL tool to generate it, which is available for most platforms, and we have a straightforward recipe for doing this, as documented below.
We assume that you have already obtained a CA certificate; if you have not yet done so then please read the information on this page. If you have a CA certificate then the CA should also have sent you their intermediate certificate, which may actually be a "bundle" of several certificates concatenated together. The intermediate certificate in the command given below has a .pem filename extension, but this might not be the case.
To create a PKCS12 keystore file idp.pkcs12 given an existing private key file private.key, certificate file cert.crt and the CA's intermediate certificate file intermediate.pem, where all filenames are relative to the current directory or folder, you can use this OpenSSL command:
openssl pkcs12 -export -in cert.crt -inkey private.key -certfile intermediate.pem -out idp.pkcs12
The resulting keystore file idp.pkcs12 contains the private key, the certificate and the intermediate certificate. Nothing will be overwritten by this command unless you already have a file called idp.pkcs12.
Please note that the idp.pkcs12 file should be kept secret and definitely not emailed to anybody, because it contains your private key.
To configure the IdP to use the idp.pkcs12 keystore you will also need to specify keystoreType="PKCS12" and change the values of keystoreFile and keystorePass in the Tomcat server.xml file. The resulting Tomcat connector configuration in conf/server.xml, assuming your IdP installation directory is /opt/shibboleth-idp, is as follows:
    <!-- Browser-facing connector: replace "password" with the export password chosen when creating idp.pkcs12 -->
    <Connector port="443"
               protocol="org.apache.coyote.http11.Http11Protocol"
               scheme="https"
               secure="true"
               SSLEnabled="true"
               keystoreType="PKCS12"
               keystoreFile="/opt/shibboleth-idp/credentials/idp.pkcs12"
               keystorePass="password"/>

    <!-- Back-channel connector for SPs: same keystore, same password -->
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11Protocol"
               SSLImplementation="edu.internet2.middleware.security.tomcat6.DelegateToApplicationJSSEImplementation"
               scheme="https"
               SSLEnabled="true"
               clientAuth="true"
               keystoreType="PKCS12"
               keystoreFile="/opt/shibboleth-idp/credentials/idp.pkcs12"
               keystorePass="password"/>
Of course, if you are familiar with Java keystores then use your preferred mechanism for creating the keystore.
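A small script that checks a conf/server.xml against the connector settings described above (both ports present, SSL enabled, keystoreType="PKCS12", keystoreFile pointing at the PKCS12 keystore, clientAuth and the delegating SSLImplementation on 8443). This is an added example, not code from the original page or the IdP distribution; the server.xml fragment is constructed, and the rule that keystorePass must no longer be the placeholder "password" is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample fragment: the 443 connector is correct, the 8443 connector
# lacks keystoreType and still carries the placeholder password.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
      scheme="https" secure="true" SSLEnabled="true" keystoreType="PKCS12"
      keystoreFile="/opt/shibboleth-idp/credentials/idp.pkcs12"
      keystorePass="example-export-pass"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
      SSLImplementation="edu.internet2.middleware.security.tomcat6.DelegateToApplicationJSSEImplementation"
      scheme="https" SSLEnabled="true" clientAuth="true"
      keystoreFile="/opt/shibboleth-idp/credentials/idp.pkcs12"
      keystorePass="password"/>
  </Service>
</Server>
"""

DELEGATE_IMPL = ("edu.internet2.middleware.security.tomcat6."
                 "DelegateToApplicationJSSEImplementation")


def check_connectors(server_xml: str) -> dict:
    """Return {port: [problems]} for the two IdP ports; empty list means OK."""
    root = ET.fromstring(server_xml)
    by_port = {c.get("port"): c.attrib for c in root.iter("Connector")}
    results = {}
    for port in ("443", "8443"):
        attrs = by_port.get(port)
        if attrs is None:
            results[port] = ["no Connector for this port"]
            continue
        problems = []
        if attrs.get("SSLEnabled") != "true":
            problems.append('SSLEnabled must be "true"')
        if attrs.get("keystoreType") != "PKCS12":
            problems.append('keystoreType="PKCS12" missing')
        if not attrs.get("keystoreFile", "").endswith(".pkcs12"):
            problems.append("keystoreFile does not point at the PKCS12 keystore")
        if attrs.get("keystorePass") in (None, "", "password"):
            problems.append("keystorePass is unset or still the placeholder")
        if port == "8443":
            if attrs.get("clientAuth") != "true":
                problems.append('clientAuth="true" required on the back channel')
            if attrs.get("SSLImplementation") != DELEGATE_IMPL:
                problems.append("SSLImplementation is not the IdP delegate class")
        results[port] = problems
    return results


if __name__ == "__main__":
    for port, problems in check_connectors(SAMPLE_SERVER_XML).items():
        print(port, problems or "OK")
```

Run it against a real conf/server.xml by reading the file into check_connectors instead of the constructed sample.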
