...

  • Copy the IdP config files for the server into the conf subdirectory; these include:
    • attribute-filter.xml
    • attribute-resolver.xml.in
    • handler.xml
    • internal.xml
    • logging.xml
    • relying-party.xml
    • service.xml
    • tc-config.xml (for terracotta clustering)
      You must replace %%LDAPUID%% and %%LDAPPASSWORD%% in attribute-resolver.xml.in with the principal uid (e.g. touchstone-core-service) and password (the principalCredential attribute) used to access our LDAP server, and save the resulting file as attribute-resolver.xml. Make sure the file is not world-readable, since it now contains the LDAP bind password.
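The substitution-and-permissions step above, as an added example (this is not a script from the Touchstone notes): the template and output paths, uid and password are passed as arguments; the credential is escaped before it goes into a sed replacement so that `&`, `|` and `\` in a password cannot corrupt the XML, the output is created under umask 077 so there is no moment at which it is world-readable, and the function refuses to leave an unreplaced placeholder behind. The DataConnector line in the test below is a constructed sample, not the real resolver template.

```shell
#!/bin/sh
# Added example, not MIT's own tooling: render attribute-resolver.xml.in into
# attribute-resolver.xml with the LDAP principal uid and password filled in.
set -eu

# Escape a literal string for the right-hand side of sed's s|old|new|g:
# backslash, ampersand and the | delimiter are special there.
sed_escape() {
    printf '%s' "$1" | sed 's/[\\&|]/\\&/g'
}

# render_resolver TEMPLATE OUTPUT LDAPUID LDAPPASSWORD
render_resolver() {
    tmpl=$1; out=$2
    uid_esc=$(sed_escape "$3")
    pw_esc=$(sed_escape "$4")
    # umask 077 in a subshell: the file is born 0600, so the password never
    # sits in a world-readable file even briefly (a chmod afterwards would).
    ( umask 077
      sed -e "s|%%LDAPUID%%|$uid_esc|g" \
          -e "s|%%LDAPPASSWORD%%|$pw_esc|g" "$tmpl" > "$out" )
    # Never ship a resolver with a placeholder still in it.
    if grep -q '%%LDAP' "$out"; then
        echo "render_resolver: unreplaced placeholder left in $out" >&2
        return 1
    fi
}

# Succeed only if the file grants no permissions at all to "other"
# (portable check via ls: columns 8-10 are the other-rwx bits).
not_world_readable() {
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}
```

Run it from the conf directory as `render_resolver attribute-resolver.xml.in attribute-resolver.xml touchstone-core-service "$PW"`, then chown the result to the tomcat user (assumed here to be the account the IdP runs as, matching the rest of these notes). Because the escaped credential is handed to sed on its command line, read the password from a root-only file rather than typing it into a shared host's shell history.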

Terracotta

The terracotta software is used to cluster the IdP nodes. Each node must run the terracotta server, as well as the instrumented client (tomcat, in our case). The terracotta server operates in either the active or passive role; only one server should be in the "active/coordinator" state at a time.

Download the terracotta tarball; our current version is in the touchstone locker, in /mit/touchstone/downloads/terracotta-x.y.z.tar.gz. Extract it under /usr/local, create a logs directory for it, make it owned by the tomcat user, and symlink /usr/local/terracotta to it. For example (replace 3.1.1 with the appropriate terracotta version number):

No Format

# cd /usr/local
# tar xzf /path/to/terracotta-3.1.1.tar.gz
# mkdir -p terracotta-3.1.1/logs
# chown -R tomcat:tomcat terracotta-3.1.1
# rm -f terracotta
# ln -s terracotta-3.1.1 terracotta

Install the init script from /mit/touchstone/maint/shibboleth-idp/terracotta.init in /etc/init.d, and make sure it is configured to start at boot time. Note that terracotta must be started before tomcat.

No Format

# cp /path/to/terracotta.init /etc/init.d/terracotta
# chmod 755 /etc/init.d/terracotta
# chkconfig --add terracotta
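Because chkconfig --add takes the start priority from the "# chkconfig:" header of the init script, the only way to be sure terracotta really starts before tomcat is to look at the S?? links chkconfig created. The following check is an added example, not part of the Touchstone notes; it assumes SysV-style runlevel directories such as /etc/rc3.d and takes the tomcat init script name as a parameter (defaulting to tomcat; on some distributions it is tomcat5 or tomcat6).

```shell
#!/bin/sh
# Added example (not from the Touchstone notes): confirm that the SysV boot
# order starts terracotta before tomcat by comparing their S?? priorities.
set -eu

# start_priority RCDIR NAME: print the two-digit start priority of NAME's
# S?? link in RCDIR (S85terracotta -> 85); fail if there is no such link.
start_priority() {
    rcdir=$1; name=$2
    for link in "$rcdir"/S[0-9][0-9]"$name"; do
        if [ -e "$link" ] || [ -L "$link" ]; then
            printf '%s\n' "${link##*/}" | cut -c2-3
            return 0
        fi
    done
    echo "start_priority: no S?? link for $name in $rcdir" >&2
    return 1
}

# check_boot_order RCDIR [TOMCAT_NAME]: succeed only if terracotta's start
# priority is strictly lower (i.e. earlier) than tomcat's in that runlevel.
check_boot_order() {
    dir=$1; tomcat=${2:-tomcat}
    tc=$(start_priority "$dir" terracotta)
    tom=$(start_priority "$dir" "$tomcat")
    if [ "$tc" -lt "$tom" ]; then
        echo "ok: terracotta S$tc starts before $tomcat S$tom in $dir"
        return 0
    fi
    echo "BAD: terracotta S$tc does not start before $tomcat S$tom in $dir" >&2
    return 1
}
```

Typical use after the chkconfig step is `check_boot_order /etc/rc3.d tomcat5` (and again for rc5.d if the host boots into runlevel 5); a BAD result means the priorities in the two init-script headers need adjusting before rerunning chkconfig --add.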

...