1. Purpose of the upgrade

To protect against the Spring Framework RCE vulnerability, we recommend upgrading IdP 4.1.4 to 4.1.7. For details of the changes in IdP 4.1.7, see the Shibboleth website.

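2. Notes

These upgrade steps apply only to an upgrade from IdP 4.1.4. If your institution's IdP is currently running 3.4.7 or 3.4.3 (to check the current IdP version, see step 6), install 4.1.7 directly by following "Script-based installation and deployment of CARSI IdP v4.1.7 (recommended)".
Before upgrading, to keep the service uninterrupted, we recommend taking a full virtual machine copy of the production IdP and then upgrading the production environment. The upgrade and installation do not affect the running IdP; the IdP service is interrupted only briefly while jetty restarts.
An IdP integrated with any authentication method can be upgraded by following the steps below.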

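3. Upgrade preparation

#Log in to the IdP server as the carsi user and run the following backup operation, which backs up the /opt/shibboleth-idp directory into the carsi home directory: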
[carsi@www ~]$ sudo tar -cvf /home/carsi/IdP414backup.tar /opt/shibboleth-idp
#Download the latest IdP 4.1.7 installation package
[carsi@www ~]$ curl -O  https://ds.carsi.edu.cn/4.1inst/v417/shibboleth-identity-provider-4.1.7.tar.gz
#Check that the md5 value of the downloaded file matches the md5 value below; if it does not, download the file again
[carsi@www ~]$ md5sum shibboleth-identity-provider-4.1.7.tar.gz
d123491e1dc2b67a896a34a1e220e0df  shibboleth-identity-provider-4.1.7.tar.gz
[carsi@www ~]$ tar -zxvf shibboleth-identity-provider-4.1.7.tar.gz
#After extraction, a shibboleth-identity-provider-4.1.7 directory is created in the current directory

4. Upgrade the IdP

In the steps below, if the IdP installation directory is /opt/shibboleth-idp, just press Enter twice; no changes are needed.

[carsi@www ~]$ cd shibboleth-identity-provider-4.1.7/bin
[carsi@www ~]$ sudo ./install.sh
Buildfile: /home/carsi/shibboleth-identity-provider-4.1.7/bin/build.xml
 
install:
Source (Distribution) Directory (press <enter> to accept default): [/home/carsi/shibboleth-identity-provider-4.1.7] ?   #just press Enter
 
Installation Directory: [/opt/shibboleth-idp] ?   #just press Enter
 
INFO [net.shibboleth.idp.installer.V4Install:162] - Update from version 4.1.4 to version 4.1.7
INFO [net.shibboleth.idp.installer.BuildWar:103] - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 4.1.7
INFO [net.shibboleth.idp.installer.BuildWar:113] - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:92] - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:125] - Creating war file /opt/shibboleth-idp/war/idp.war
 
BUILD SUCCESSFUL
Total time: 8 seconds
 
##After the upgrade completes, rebuild the WAR package once more before restarting jetty.
[carsi@www ~]$ sudo /opt/shibboleth-idp/bin/build.sh
Buildfile: /opt/shibboleth-idp/bin/build.xml
 
build-war:
Installation Directory: [/opt/shibboleth-idp] ?   #just press Enter
 
INFO [net.shibboleth.idp.installer.BuildWar:103] - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 4.1.7
INFO [net.shibboleth.idp.installer.BuildWar:113] - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:92] - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:125] - Creating war file /opt/shibboleth-idp/war/idp.war
 
BUILD SUCCESSFUL
Total time: 4 seconds

5. Restart the IdP application

[carsi@www ~]$ sudo systemctl restart jetty
#Check the IdP version; if the output is 4.1.7, the upgrade succeeded
[carsi@www ~]$ sudo /opt/shibboleth-idp/bin/version.sh
4.1.7

6. Test IdP functionality

Follow https://carsi.atlassian.net/wiki/spaces/CAW/pages/94701011 to test and confirm that the IdP is running normally.