IdP4: Installing IdP 4.1.7 (Step 3 of 11)

1. Download the installation script and the corresponding software (have the teacher responsible at your school e-mail carsi@pku.edu.cn from their own mailbox to request the 4.1.7 installation script file)

Log in to the mgmt.carsi.edu.cn self-service system and download the installation script under "My CARSI" - "My IdP": idp_install_script.zip. After downloading and unzipping it you get idp4.1.7-centos7-jetty-install.sh, as shown in the figure below:

Log in to the operating system as the carsi user and download the following script and software:

[carsi@www ~]$ curl -O  https://ds.carsi.edu.cn/4.1inst/v1/java-11-openjdk-devel-11.0.10.0.9-1.el7_9.x86_64.rpm
[carsi@www ~]$ curl -O  https://ds.carsi.edu.cn/4.1inst/v417/shibboleth-identity-provider-4.1.7.tar.gz
[carsi@www ~]$ curl -O  https://ds.carsi.edu.cn/4.1inst/v1/jetty-distribution-9.4.42.v20210604.zip

#Check that the md5 values of the downloaded files match the values listed below; a mismatch most likely means the download was corrupted, so download the file again
[carsi@www ~]$ md5sum java-11-openjdk-devel-11.0.10.0.9-1.el7_9.x86_64.rpm shibboleth-identity-provider-4.1.7.tar.gz jetty-distribution-9.4.42.v20210604.zip idp4.1.7-centos7-jetty-install.sh
f544eb679e8dbb07fc6b72835dacea5c  java-11-openjdk-devel-11.0.10.0.9-1.el7_9.x86_64.rpm
d123491e1dc2b67a896a34a1e220e0df  shibboleth-identity-provider-4.1.7.tar.gz
ebd4be67639543267fb854f7c6cb3e56  jetty-distribution-9.4.42.v20210604.zip
64050f433ffbefef5ef3ffe3d55b1534  idp4.1.7-centos7-jetty-install.sh

#Give the script execute permission
[carsi@www ~]$ chmod 755 idp4.1.7-centos7-jetty-install.sh
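As an added example (not part of the CARSI page or its install script), the following POSIX shell functions verify the four step-1 downloads against the md5 values listed above and give the script execute permission only when every file matches; the function names verify_md5_list and verify_idp_downloads are my own.

```shell
#!/bin/sh
# Expected md5 sums for the step-1 downloads, copied from the list above.
IDP_EXPECTED_MD5='f544eb679e8dbb07fc6b72835dacea5c  java-11-openjdk-devel-11.0.10.0.9-1.el7_9.x86_64.rpm
d123491e1dc2b67a896a34a1e220e0df  shibboleth-identity-provider-4.1.7.tar.gz
ebd4be67639543267fb854f7c6cb3e56  jetty-distribution-9.4.42.v20210604.zip
64050f433ffbefef5ef3ffe3d55b1534  idp4.1.7-centos7-jetty-install.sh'

# verify_md5_list DIR SUMS
# SUMS holds "md5  filename" lines in md5sum's own format. Every listed
# file must exist under DIR and match; a missing, truncated or altered
# file makes md5sum -c fail and this function return 1.
verify_md5_list() {
    dir=$1
    sums=$2
    # --strict: a malformed checksum line is an error, not silently skipped
    # --quiet:  print only the files that FAILED, not the OK ones
    if (cd "$dir" && printf '%s\n' "$sums" | md5sum -c --strict --quiet); then
        return 0
    fi
    echo "md5 verification FAILED in $dir: re-download the files listed above" >&2
    return 1
}

# verify_idp_downloads: run from the directory holding the downloads
# (the carsi user's home directory in this guide). Only a fully verified
# script gets execute permission.
verify_idp_downloads() {
    verify_md5_list "$PWD" "$IDP_EXPECTED_MD5" || return 1
    chmod 755 idp4.1.7-centos7-jetty-install.sh
}
```

The md5 comparison only catches a truncated or corrupted download; authenticity of the files rests on the TLS connection to ds.carsi.edu.cn.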


2. Install the IdP

Run idp4.1.7-centos7-jetty-install.sh to begin installing the IdP. The whole installation consists of five parts: checking the runtime environment, installing the base software (Java, nginx, Jetty), installing the IdP software, selecting the authentication integration method, and rebuilding the war file. Each part is described in detail below:

Note: because of technical limitations, the installation script's output cannot all be collected automatically. We recommend saving the screen output by hand so that any problems during installation can be analysed afterwards.

2.1 Checking the runtime environment

[carsi@www ~]$ sudo sh ./idp4.1.7-centos7-jetty-install.sh
Install shibboleth idp at 2021.09.08 15:18:24
Shibboleth IdP 4.1.7 is installing.
Script Version v4.1.7.1
Checking Internet access...
Check Internet access success!
Setting timezone...
Install tar ...
Install zip and unzip...
Testing installing envirenment...
Check shibboleth idp installation file success!
Check Jetty installation file success!

If IdP v3 is already installed on the server, the installation may fail. To upgrade from an old version to IdP v4.1.7, see IdP4: Upgrading IdP from v3.4.3/v3.4.7 to v4.1.7

You are upgrading IdP from 3.4.3/3.4.7 to 4.1.7. We suggest to setup another environment to install IdP 4.1.7 and reset the dns record instead of upgrading from the old system.
If you still insist to upgrade the old system to IdP 4.1.7, please make sure you have made a backup of data. You will take some risks for the installation.

Note: if the IdP is already in production and needs to be reinstalled and reconfigured, we strongly recommend building a new virtual machine and installing and configuring the IdP there. Once the installation is complete, copy the files under the credentials and metadata directories into the new environment to restore the IdP quickly. For how to restore the IdP after a reinstall, see IdP4: IdP server backup, recovery and high availability

2.2 Installing the base software: Java, nginx and Jetty

Installing java...
download fileforjava1 success!
Installing nginx...
Package epel-release-7-11.noarch already installed and latest version
Package centos-release-scl-rh-2-3.el7.centos.noarch already installed and latest version
Package centos-release-scl-2-3.el7.centos.noarch already installed and latest version
warning: /var/cache/yum/x86_64/7/epel/packages/nginx-1.20.1-2.el7.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Public key for nginx-1.20.1-2.el7.x86_64.rpm is not installed
Importing GPG key 0x352C64E5:
 Userid     : "Fedora EPEL (7) <epel@fedoraproject.org>"
 Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
 Package    : epel-release-7-11.noarch (@extras)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Configure nginx certificate authentication ...
download filefornginx1 success!
download filefornginx2 success!
Generating RSA private key, 2048 bit long modulus
..................................................................................................+++
...................................................+++
e is 65537 (0x10001)
Signature ok
subject=/C=CN/ST=BeiJing/L=BeiJing/O=university/OU=university/CN=idp.university.edu.cn
Getting CA Private Key
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.
download filefornginx4 success!
Closing seclinux...
setenforce: SELinux is disabled
Installing Jetty...
download fileforjetty01 success!
download fileforjetty02 success!
download fileforjetty03 success!
INFO  : ext             initialized in ${jetty.base}/start.ini
INFO  : webapp          transitively enabled, ini template available with --add-to-start=webapp
INFO  : server          initialized in ${jetty.base}/start.ini
INFO  : mail            transitively enabled
INFO  : servlet         transitively enabled
INFO  : jsp             initialized in ${jetty.base}/start.ini
INFO  : http-forwarded  initialized in ${jetty.base}/start.ini
INFO  : annotations     transitively enabled
INFO  : transactions    transitively enabled
INFO  : threadpool      transitively enabled, ini template available with --add-to-start=threadpool
INFO  : plus            transitively enabled
INFO  : deploy          initialized in ${jetty.base}/start.ini
INFO  : security        transitively enabled
INFO  : apache-jsp      transitively enabled
INFO  : console-capture initialized in ${jetty.base}/start.ini
INFO  : jndi            transitively enabled
INFO  : http            initialized in ${jetty.base}/start.ini
INFO  : bytebufferpool  transitively enabled, ini template available with --add-to-start=bytebufferpool
MKDIR : ${jetty.base}/lib
MKDIR : ${jetty.base}/lib/ext
MKDIR : ${jetty.base}/logs
INFO  : Base directory was modified
Created symlink from /etc/systemd/system/multi-user.target.wants/jetty.service to /usr/lib/systemd/system/jetty.service.

2.3 Installing the IdP software

Installing shibbolet idp...
Buildfile: /root/shibboleth-identity-provider-4.1.7/bin/build.xml

install:
INFO [net.shibboleth.idp.installer.V4Install:158] - New Install.  Version: 4.1.7
Host Name: [idp.xxx.edu.cn] ?          #Confirm the server hostname is correct; the hostname is usually set to match the IdP domain name. An IP address may be shown here instead; if so, enter the IdP server's domain name by hand

INFO [net.shibboleth.idp.installer.V4Install:601] - Creating idp-signing, CN = idp4-xxx.xxx.edu.cn URI = https://idp.xxx.edu.cn/idp/shibboleth, keySize=3072
INFO [net.shibboleth.idp.installer.V4Install:601] - Creating idp-encryption, CN = idp.xxx.edu.cn URI = https://idp.xxx.edu.cn/idp/shibboleth, keySize=3072
Backchannel PKCS12 Password:           #Set and enter a password, used to create the backchannel certificate
Re-enter password:                     #Enter it again
INFO [net.shibboleth.idp.installer.V4Install:644] - Creating backchannel keystore, CN = idp.xxx.edu.cn URI = https://idp.xxx.edu.cn/idp/shibboleth, keySize=3072
Cookie Encryption Key Password:        #Set and enter a password, used to create the cookie encryption key
Re-enter password:                     #Enter it again
INFO [net.shibboleth.idp.installer.V4Install:685] - Creating backchannel keystore, CN = idp.xxx.edu.cn URI = https://idp.xxx.edu.cn/idp/shibboleth, keySize=3072
INFO [net.shibboleth.utilities.java.support.security.BasicKeystoreKeyStrategyTool:166] - No existing versioning property, initializing...
SAML EntityID: [https://idp.xxx.edu.cn/idp/shibboleth] ?            #Confirm the EntityID is correct (mainly check that the domain name is right), then press Enter; if it is not, enter the EntityID by hand, with no spaces in it

Attribute Scope: [xxx.edu.cn] ?        #Confirm this is your institution's domain name, then press Enter; if it is not, enter your institution's domain name by hand, for example pku.edu.cn

INFO [net.shibboleth.idp.installer.V4Install:474] - Creating Metadata to /opt/shibboleth-idp/metadata/idp-metadata.xml
INFO [net.shibboleth.idp.installer.BuildWar:103] - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 4.1.7
INFO [net.shibboleth.idp.installer.BuildWar:113] - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:92] - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:125] - Creating war file /opt/shibboleth-idp/war/idp.war

BUILD SUCCESSFUL
Total time: 25 seconds
Enabling idp.intercept.Consent...
        conf/intercept/consent-intercept-config.xml created
        views/intercept/attribute-release.vm created
        views/intercept/terms-of-use.vm created
[OK]

2.4 Selecting the authentication integration method (choose according to your school's actual authentication system):

Please chosing your idp authentication type...
1.LDAP(easiest way)
2.CAS
3.Oauth2
4.Tencent WeChat Work(企业微信)
5.Tencent Weixiao(腾讯微校)
6.exit
Please enter your choice:#Select the authentication integration method you intend to use
download fileforldap1 success!
download fileforldap2 success!
download fileforldap3 success!
download fileforldap4 success!
download fileforall1 success!
download fileforall2 success!
download fileforall3 success!
download fileforall4 success!
download fileforall5 success!
download fileforall6 success!
download fileforall7 success!
download fileforall8 success!
download fileforall9 success!
download fileforall10 success!

2.5 Rebuilding the war and restarting nginx and Jetty.

Rebuilding /opt/shibboleth-idp/war/idp.war
Buildfile: /opt/shibboleth-idp/bin/build.xml

build-war:
Installation Directory: [/opt/shibboleth-idp] ?  #Just press Enter

INFO [net.shibboleth.idp.installer.BuildWar:103] - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 4.1.7
INFO [net.shibboleth.idp.installer.BuildWar:113] - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:92] - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:125] - Creating war file /opt/shibboleth-idp/war/idp.war

BUILD SUCCESSFUL
Total time: 4 seconds
restarting Jetty...
Jetty restarted
restarting nginx...
nginx restarted...
shibboleth idp installed success!

Copyright © Peking University Computer Center