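Upgrading IdP v4.1.4 to v4.1.7

1. Purpose of the upgrade

To protect against the Spring Framework RCE vulnerability, we recommend upgrading IdP 4.1.4 to 4.1.7. For details of the changes in IdP 4.1.7, see the Shibboleth official website.

2. Notes

These upgrade steps apply only to upgrading from IdP 4.1.4. If your institution's IdP is currently running version 3.4.7 or 3.4.3 (to check the current IdP version, see step 6), install version 4.1.7 directly by following https://carsi.atlassian.net/wiki/spaces/CAW/pages/113115137.

Before upgrading, to keep the service uninterrupted, we recommend taking a full virtual-machine copy of the production IdP and only then upgrading the production environment. The upgrade and installation process does not affect the running IdP; the IdP service is interrupted only briefly when jetty is restarted.

An IdP integrated with any authentication method can be upgraded by following the steps below.

3. Upgrade preparation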

    # Log in to the IdP server as the carsi user and run the following backup, saving /opt/shibboleth-idp to the carsi home directory:
    [carsi@www ~]$ sudo tar -cvf /home/carsi/IdP414backup.tar /opt/shibboleth-idp
    # Download the latest IdP 4.1.7 installation package
    [carsi@www ~]$ curl -O https://ds.carsi.edu.cn/4.1inst/v417/shibboleth-identity-provider-4.1.7.tar.gz
    # Check that the md5 of the downloaded file matches the md5 value below; if it does not, download the file again
    [carsi@www ~]$ md5sum shibboleth-identity-provider-4.1.7.tar.gz
    d123491e1dc2b67a896a34a1e220e0df  shibboleth-identity-provider-4.1.7.tar.gz
    [carsi@www ~]$ tar -zxvf shibboleth-identity-provider-4.1.7.tar.gz
    # After extraction, the shibboleth-identity-provider-4.1.7 directory is created in the current directory
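
The checksum comparison in this step can be enforced by a script so that a mismatched download is never extracted and an unreadable backup stops the upgrade. The following shell script is an added example, not part of the original CARSI instructions; the function names are hypothetical, while the package name, MD5 value and backup path are the ones shown above.

```shell
#!/bin/sh
# Added example: gate extraction of the IdP package on the published MD5.
# EXPECTED_MD5, PKG and BACKUP are the values shown in step 3 of this page.
# MD5 here detects a corrupted or truncated download only.
EXPECTED_MD5="d123491e1dc2b67a896a34a1e220e0df"
PKG="shibboleth-identity-provider-4.1.7.tar.gz"
BACKUP="/home/carsi/IdP414backup.tar"

# verify_md5 FILE EXPECTED
# Returns 0 if FILE's MD5 equals EXPECTED (case-insensitive),
# 1 on mismatch, 2 if FILE does not exist.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    actual=$(md5sum "$file" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "MD5 mismatch for $file: got $actual, want $expected" >&2
        return 1
    fi
}

# backup_readable TAR
# Returns 0 only if the archive is non-empty and tar can list its contents.
backup_readable() {
    [ -s "$1" ] && tar -tf "$1" >/dev/null 2>&1
}

# extract_if_verified FILE EXPECTED DESTDIR
# Extracts FILE into DESTDIR only after the checksum matches.
extract_if_verified() {
    verify_md5 "$1" "$2" || return $?
    tar -zxf "$1" -C "$3"
}

# Run the step-3 checks only when invoked with --run, after the backup
# and download commands above have been executed.
if [ "${1:-}" = "--run" ]; then
    backup_readable "$BACKUP" || { echo "backup unreadable: $BACKUP" >&2; exit 1; }
    extract_if_verified "$PKG" "$EXPECTED_MD5" . || exit 1
    echo "package verified and extracted"
fi
```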

4. Upgrade the IdP

In the steps below, if the IdP installation directory is /opt/shibboleth-idp, just press Enter twice; no changes are needed.

    [carsi@www ~]$ cd shibboleth-identity-provider-4.1.7/bin
    [carsi@www ~]$ sudo ./install.sh
    Buildfile: /home/carsi/shibboleth-identity-provider-4.1.7/bin/build.xml

    install:
    Source (Distribution) Directory (press <enter> to accept default): [/home/carsi/shibboleth-identity-provider-4.1.7] ?
    # Just press Enter

    Installation Directory: [/opt/shibboleth-idp] ?
    # Just press Enter

    INFO [net.shibboleth.idp.installer.V4Install:162] - Update from version 4.1.4 to version 4.1.7
    INFO [net.shibboleth.idp.installer.BuildWar:103] - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 4.1.7
    INFO [net.shibboleth.idp.installer.BuildWar:113] - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
    INFO [net.shibboleth.idp.installer.BuildWar:92] - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
    INFO [net.shibboleth.idp.installer.BuildWar:125] - Creating war file /opt/shibboleth-idp/war/idp.war

    BUILD SUCCESSFUL
    Total time: 8 seconds

    ## After the upgrade completes, rebuild the WAR package once more before restarting jetty.
    [carsi@www ~]$ sudo /opt/shibboleth-idp/bin/build.sh
    Buildfile: /opt/shibboleth-idp/bin/build.xml

    build-war:
    Installation Directory: [/opt/shibboleth-idp] ?
    # Just press Enter

    INFO [net.shibboleth.idp.installer.BuildWar:103] - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 4.1.7
    INFO [net.shibboleth.idp.installer.BuildWar:113] - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
    INFO [net.shibboleth.idp.installer.BuildWar:92] - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
    INFO [net.shibboleth.idp.installer.BuildWar:125] - Creating war file /opt/shibboleth-idp/war/idp.war

    BUILD SUCCESSFUL
    Total time: 4 seconds

5. Restart the IdP application

    [carsi@www ~]$ sudo systemctl restart jetty
    # Check the IdP version; if the output is 4.1.7, the upgrade succeeded
    [carsi@www ~]$ sudo /opt/shibboleth-idp/bin/version.sh
    4.1.7

6. Test the IdP

Follow https://carsi.atlassian.net/wiki/spaces/CAW/pages/94701011 to test the IdP and confirm that it is running normally.