Upgrading IdP 3.4.3 to IdP 3.4.7

        In the first half of 2020 the IdP installation package obtained from the Peking University CARSI team was version 3.4.3. In July 2020 Shibboleth released IdP 3.4.7, the latest stable release of the IdP3 line. This document describes how to upgrade an IdP 3.4.3 that is already running in production to IdP 3.4.7; the steps follow below. Before upgrading, back up the IdP as described in /wiki/spaces/CAR/pages/6459774 so that no data is lost.

        For the full list of changes in IdP 3.4.7, see the release notes on the Shibboleth website. Note that 3.4.x is the last IdP V3 branch: Shibboleth has announced end of support for IdP V3 at the end of 2020, so a move to IdP V4 should be planned after this upgrade.

        To avoid interrupting service, clone the whole virtual machine running the production IdP before upgrading and rehearse the upgrade on the clone. If the IdP starts normally there (check with curl -k https://localhost/idp/status; -k skips certificate verification, which would otherwise fail because the IdP's certificate is not issued for "localhost", and the status page is by default only reachable from the IdP host itself, as configured in conf/access-control.xml), then upgrade the production environment. Note: editing the IdP configuration does not affect the running IdP; the service is only interrupted briefly while Tomcat restarts.

Step 1: Download the IdP 3.4.7 installation package from the Shibboleth website or the CARSI website (right-click and choose Save As). Check the archive against the SHA-256 digest or PGP signature (.asc) that Shibboleth publishes next to it, then upload it to the server running IdP 3.4.3.
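The following check is an added example and is not part of the original page or of the Shibboleth or CARSI tooling. It verifies the downloaded archive against the .sha256 digest file published beside it before anything is unpacked. It assumes the digest file is named after the archive with .sha256 appended and contains the hex digest, optionally followed by the file name; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: verify the downloaded IdP archive
# against the .sha256 digest file published next to it before it is unpacked.
# Assumes the digest file is named <archive>.sha256 and holds the hex digest,
# optionally followed by the file name; the function names are this example's.
set -eu

# Print the first 64-hex-digit token in a digest file, lowercased.
expected_sha256() {
    set -- $(grep -oE '[0-9a-fA-F]{64}' "$1" 2>/dev/null)
    [ $# -gt 0 ] || return 1
    printf '%s\n' "$1" | tr 'A-F' 'a-f'
}

# Compute the SHA-256 of a file with whichever tool the host has.
actual_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f1
    else
        shasum -a 256 "$1" | cut -d ' ' -f1
    fi
}

# Succeed only if the archive's digest matches the published one.
verify_idp_tarball() {
    local tarball="$1" sumfile="${2:-$1.sha256}" want have
    [ -f "$tarball" ] && [ -f "$sumfile" ] || return 1
    want=$(expected_sha256 "$sumfile") || return 1
    have=$(actual_sha256 "$tarball")
    if [ "$want" = "$have" ]; then
        printf 'OK: %s matches %s\n' "$tarball" "$sumfile"
    else
        printf 'MISMATCH: %s\n  expected %s\n  actual   %s\n' "$tarball" "$want" "$have" >&2
        return 1
    fi
}

# Usage: unpack only after the check passes.
#   sh verify-idp-tarball.sh shibboleth-identity-provider-3.4.7.tar.gz \
#     && tar xzf shibboleth-identity-provider-3.4.7.tar.gz
[ $# -eq 0 ] || verify_idp_tarball "$@"
```

A digest only proves that the file you received is the one the download site lists. Where gpg is available, gpg --verify on the .asc signature with Shibboleth's published signing key additionally proves who published it, and is the stronger check.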

Step 2: Carry out one of the following upgrade procedures. It must match the way the IdP was originally installed.

2.1 IdP + LDAP installation

        Unpack the archive and run the installer, accepting the existing installation directory. An upgrade install updates system/ and the other installer-owned directories and rebuilds the war, but leaves conf/, credentials/, metadata/ and edit-webapp/ untouched; it does not regenerate metadata, so there is no need to re-upload the metadata file to https://mgmt.carsi.edu.cn. After Tomcat is restarted the upgrade is complete.

[root@www ~]# tar xzf shibboleth-identity-provider-3.4.7.tar.gz
[root@www ~]# cd shibboleth-identity-provider-3.4.7/bin
[root@www ~]# ./install.sh
Installation Directory: [/opt/shibboleth-idp]   # press Enter to accept the existing directory
Rebuilding /opt/shibboleth-idp/war/idp.war ...
...done
BUILD SUCCESSFUL
Total time: 3 seconds
# restart Tomcat
[root@www ~]# systemctl restart tomcat

2.2 IdP + CAS installation

        Unpack and install as in 2.1. The installer does not regenerate metadata, so there is no need to re-upload the metadata file to https://mgmt.carsi.edu.cn after the upgrade.

[root@www ~]# tar xzf shibboleth-identity-provider-3.4.7.tar.gz
[root@www ~]# cd shibboleth-identity-provider-3.4.7/bin
[root@www ~]# ./install.sh
Installation Directory: [/opt/shibboleth-idp]   # press Enter to accept the existing directory
Rebuilding /opt/shibboleth-idp/war/idp.war ...
...done
BUILD SUCCESSFUL
Total time: 3 seconds

Edit the IdP configuration

# In web.xml change the servlet mapping /Authn/ExtCas/* to /Authn/External/*
# (the 3.3.0 authenticator jar installed below plugs into the IdP's stock External flow,
# so the custom Shibcas flow is no longer needed)
[root@www ~]# vi /opt/shibboleth-idp/edit-webapp/WEB-INF/web.xml
    <servlet>
        <servlet-name>ShibCas Auth Servlet</servlet-name>
        <servlet-class>net.unicon.idp.externalauth.ShibcasAuthServlet</servlet-class>
        <load-on-startup>2</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>ShibCas Auth Servlet</servlet-name>
        <url-pattern>/Authn/External/*</url-pattern>
    </servlet-mapping>
# In idp.properties change idp.authn.flows=Shibcas to idp.authn.flows = External
[root@www ~]# vi /opt/shibboleth-idp/conf/idp.properties
idp.authn.flows = External
[root@www ~]# vi /opt/shibboleth-idp/conf/authn/general-authn.xml
# Delete the custom flow bean below (the stock file already defines authn/External)
      <bean id="authn/Shibcas" parent="shibboleth.AuthenticationFlow"
                p:passiveAuthenticationSupported="true"
                p:forcedAuthenticationSupported="true"
                p:nonBrowserSupported="false" />
# Remove the custom flow directory and the old jars; leaving the old jars next to
# the new ones would put two versions of the same classes on the classpath
[root@www ~]# rm -rf /opt/shibboleth-idp/flows/authn/Shibcas
[root@www ~]# rm -f /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/cas-client-core-3.4.1.jar
[root@www ~]# rm -f /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/shib-cas-authenticator-3.2.3.jar

Place shib-cas-authenticator-3.3.0.jar (the authenticator jar for CAS) and cas-client-core-3.6.0.jar into /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/. Check that only these two versions remain in that directory, then rebuild the war and restart Tomcat; the upgrade is complete once Tomcat is back up.

[root@www ~]# cd /opt/shibboleth-idp/bin
[root@www ~]# ./build.sh
Installation Directory: [/opt/shibboleth-idp] # press Enter to accept the existing directory
Rebuilding /opt/shibboleth-idp/war/idp.war ...
...done
BUILD SUCCESSFUL
[root@www ~]# systemctl restart tomcat

2.3 IdP + OAuth installation

        Unpack and install as in 2.1. The installer does not regenerate metadata, so there is no need to re-upload the metadata file to https://mgmt.carsi.edu.cn after the upgrade.

[root@www ~]# tar xzf shibboleth-identity-provider-3.4.7.tar.gz
[root@www ~]# cd shibboleth-identity-provider-3.4.7/bin
[root@www ~]# ./install.sh
Installation Directory: [/opt/shibboleth-idp]   # press Enter to accept the existing directory
Rebuilding /opt/shibboleth-idp/war/idp.war ...
...done
BUILD SUCCESSFUL
Total time: 3 seconds

Edit the IdP configuration

# In web.xml change the servlet mapping /Authn/ExtCas/* to /Authn/External/*
# (the OAuth build of the authenticator reuses the ShibcasAuthServlet class and the
# IdP's stock External flow; the servlet-name must be identical in both elements)
[root@www ~]# vi /opt/shibboleth-idp/edit-webapp/WEB-INF/web.xml
    <servlet>
        <servlet-name>ShibOauth2 Auth Servlet</servlet-name>
        <servlet-class>net.unicon.idp.externalauth.ShibcasAuthServlet</servlet-class>
        <load-on-startup>2</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>ShibOauth2 Auth Servlet</servlet-name>
        <url-pattern>/Authn/External/*</url-pattern>
    </servlet-mapping>
# In idp.properties change idp.authn.flows=Shiboauth2 to idp.authn.flows = External.
# The two OAuth redirect URIs must also use the new /Authn/External path (replace
# xxx.xxx.xxx with the IdP's host name, the same host in both); the OAuth provider
# must have the same redirect URI registered or it will reject the callback
[root@www ~]# vi /opt/shibboleth-idp/conf/idp.properties
idp.authn.flows = External
shibcas.oauth2redirecturi = https://xxx.xxx.xxx/idp/Authn/External?conversation=e1s1
shibcas.oauth2redirecturiBase = https://xxx.xxx.xxx.xxx/idp/Authn/External
[root@www ~]# vi /opt/shibboleth-idp/conf/authn/general-authn.xml
# Delete the custom flow bean below (the stock file already defines authn/External)
      <bean id="authn/Shiboauth2" parent="shibboleth.AuthenticationFlow"
                p:passiveAuthenticationSupported="true"
                p:forcedAuthenticationSupported="true"
                p:nonBrowserSupported="false" />
# Remove the custom flow directory and the old jars; leaving the old jars next to
# the new ones would put two versions of the same classes on the classpath
[root@www ~]# rm -rf /opt/shibboleth-idp/flows/authn/Shiboauth2
[root@www ~]# rm -f /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/cas-client-core-3.4.1.jar
[root@www ~]# rm -f /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/shib-cas-authenticator-3.2.4-oauth.jar

        Place shib-cas-authenticator-3.3.0-oauth.jar (the authenticator jar for OAuth; thanks to Feng Qi (冯骐) of East China Normal University for providing it) and cas-client-core-3.6.0.jar into /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/. Check that only these two versions remain in that directory, then rebuild the war and restart Tomcat to complete the upgrade.

[root@www ~]# cd /opt/shibboleth-idp/bin
[root@www ~]# ./build.sh
Installation Directory: [/opt/shibboleth-idp] # press Enter to accept the existing directory
Rebuilding /opt/shibboleth-idp/war/idp.war ...
...done
BUILD SUCCESSFUL
[root@www ~]# systemctl restart tomcat

Step 3: Whichever procedure was used, the service should be back once Tomcat has restarted. Confirm it: curl -k https://localhost/idp/status must return the status page with an idp_version line reading 3.4.7, and a test login through an SP should succeed (for the CAS and OAuth variants this also exercises the new /Authn/External mapping).
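The script below is an added example and is not part of the original page or of the Shibboleth or CARSI tooling. It checks that every configuration edit from sections 2.2 and 2.3 was made before build.sh is run, and after the restart reads the idp_version line from the status page text. The paths and jar names are the page's own; the function names and the IDP_HOME variable are this example's. It assumes the stock /idp/status format, in which the version appears on a line beginning "idp_version:".

```shell
#!/bin/sh
# Added example, not from the original page: post-edit checks for the CAS/OAuth
# procedures in 2.2 and 2.3, plus a parser for the version line of /idp/status.
# Paths and jar names are the page's own; the function names and IDP_HOME are
# this example's. Run it on the IdP host before build.sh, then source it after
# the Tomcat restart to check the status page.
set -eu

IDP_HOME="${IDP_HOME:-/opt/shibboleth-idp}"

# web.xml must map the authenticator servlet to /Authn/External/* and no
# longer mention the old /Authn/ExtCas/* path.
check_web_xml() {
    local f="$1/edit-webapp/WEB-INF/web.xml"
    grep -q '<url-pattern>/Authn/External/\*</url-pattern>' "$f" &&
        ! grep -q '/Authn/ExtCas/' "$f"
}

# idp.properties must select the IdP's stock External flow.
check_idp_properties() {
    grep -Eq '^[[:space:]]*idp\.authn\.flows[[:space:]]*=[[:space:]]*External[[:space:]]*$' \
        "$1/conf/idp.properties"
}

# general-authn.xml must not still define the custom flow beans; the stock
# file already defines authn/External, so nothing needs adding.
check_general_authn() {
    ! grep -Eq 'id="authn/(Shibcas|Shiboauth2)"' "$1/conf/authn/general-authn.xml"
}

# The custom flow directories and the old jars must be gone and the new jars
# present: two versions of the same jar in WEB-INF/lib give an unpredictable
# classpath once the war is rebuilt.
check_flows_and_jars() {
    local lib="$1/edit-webapp/WEB-INF/lib"
    [ ! -d "$1/flows/authn/Shibcas" ] &&
        [ ! -d "$1/flows/authn/Shiboauth2" ] &&
        [ ! -e "$lib/cas-client-core-3.4.1.jar" ] &&
        ! ls "$lib"/shib-cas-authenticator-3.2.*.jar >/dev/null 2>&1 &&
        [ -f "$lib/cas-client-core-3.6.0.jar" ] &&
        ls "$lib"/shib-cas-authenticator-3.3.0*.jar >/dev/null 2>&1
}

# Run every check against an IdP home directory and report the first failure.
check_idp_upgrade() {
    local home="${1:-$IDP_HOME}" name
    for name in check_web_xml check_idp_properties check_general_authn check_flows_and_jars; do
        if ! "$name" "$home"; then
            printf 'FAIL: %s in %s\n' "$name" "$home" >&2
            return 1
        fi
    done
    printf 'OK: %s is ready for build.sh and a Tomcat restart\n' "$home"
}

# After the restart: print the version the status page reports (page text on
# stdin). /idp/status is restricted by conf/access-control.xml to localhost by
# default, which is why the page's check runs curl on the IdP host itself.
idp_version_from_status() {
    sed -n 's/^idp_version:[[:space:]]*//p' | sed 's/[[:space:]]*$//'
}

# Usage on the IdP host:
#   sh check-idp-upgrade.sh /opt/shibboleth-idp
#   . ./check-idp-upgrade.sh; curl -sk https://localhost/idp/status | idp_version_from_status
[ $# -eq 0 ] || check_idp_upgrade "$1"
```

The checks are deliberately literal: they look for exactly the strings the procedure tells you to write, so a partial edit (the mapping changed but the old jar still in place, or the flow property changed but the Shibcas bean left behind) fails before the war is rebuilt rather than at login time.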

Copyright © Peking University Computing Center