Upgrade Docker Image to Shibboleth 4


Upgrade Docker Image to Shibboleth 4

Julien Cochennec

Hi, I'd like to test the Docker image for Shibboleth IDP 4.

I'm using this: https://hub.docker.com/r/unicon/shibboleth-idp/dockerfile

It has the following environment variables:

FROM centos:centos7 as temp

ENV java_version=8.0.212 \
    zulu_version=8.38.0.13 \
    java_hash=14136019014c020fee0fc13073d00388 \
    jetty_version=9.3.27.v20190418 \
    jetty_hash=7c7c80dd1c9f921771e2b1a05deeeec652d5fcaa \
    idp_version=3.4.3 \
    idp_hash=eb86bc7b6366ce2a44f97cae1b014d307b84257e3149469b22b2d091007309db \
    dta_hash=2f547074b06952b94c35631398f36746820a7697 \
    slf4j_version=1.7.25 \
    slf4j_hash=da76ca59f6a57ee3102f8f9bd9cee742973efa8a \
    logback_version=1.2.3 \
    logback_classic_hash=7c4f3c474fb2c041d8028740440937705ebb473a \
    logback_core_hash=864344400c3d4d92dfeb0a305dc87d953677c03c \
    logback_access_hash=e8a841cb796f6423c7afd8738df6e0e4052bf24a

Can I change those values to build an IDP V4 Docker image?

If so, what will I need to do to build a v4 SP from this https://hub.docker.com/r/unicon/shibboleth-sp/dockerfile ?

Thanks, have a nice day.

-- 
Julien Cochennec
Pôle de compétences - gestion des identités

Mél [hidden email]
Tél 02 38 83 48 88

DSI - Rectorat d'Orléans-Tours
10 Rue Molière
45000 Orléans
www.ac-orleans-tours.fr

--
To unsubscribe from this list send an email to [hidden email]

Re: Upgrade Docker Image to Shibboleth 4

Shibboleth - Developers mailing list
hi,

you'll have to update some of those software packages to recent
versions - Java to version 11, jetty to 9.4 etc

https://wiki.shibboleth.net/confluence/display/IDP4/SystemRequirements

alan
--
To unsubscribe from this list send an email to [hidden email]
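The `*_hash` variables in the Dockerfile quoted above only protect the build if every downloaded archive is actually compared with its pin before it is unpacked, and the pins are only as strong as the hash they use. The following is an added example, not code from the Unicon or CSCfi images: it checks build inputs against pinned digests. The Dockerfile does not name the algorithms; the quoted values are 32, 40 and 64 hex characters long, which are the lengths of MD5, SHA-1 and SHA-256 digests, so the script infers the algorithm from the length (an inference, labelled as such in the code) and warns when a pin is MD5 or SHA-1, since those detect a corrupted download but no longer prove the archive is the one the vendor published.

```python
"""Check downloaded build inputs against the digests pinned in a Dockerfile.

Added example; not code from the Unicon or CSCfi images. The Dockerfile
quoted earlier pins each download with a *_hash value but does not name the
algorithm; the values are 32, 40 and 64 hex characters long, which are the
lengths of MD5, SHA-1 and SHA-256 digests (an inference from the lengths).
"""
import hashlib
import hmac
import sys
from pathlib import Path

# Digest length in hex characters -> hashlib algorithm name (inferred, see above).
_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
# An MD5 or SHA-1 pin detects a corrupted download, but collisions are
# practical for both, so neither proves the archive is the one the vendor built.
_WEAK = {"md5", "sha1"}


def algorithm_for(pin: str) -> str:
    """Pick the hash algorithm implied by the pin's length; reject non-hex pins."""
    pin = pin.strip().lower()
    if not pin or any(c not in "0123456789abcdef" for c in pin):
        raise ValueError("pin is not a hex digest")
    try:
        return _ALGO_BY_LEN[len(pin)]
    except KeyError:
        raise ValueError(f"unrecognised digest length: {len(pin)} hex chars") from None


def verify_digest(data: bytes, pin: str) -> dict:
    """Hash `data` with the pin's algorithm and compare in constant time.

    Returns a report rather than a bare bool so a caller can tell
    'matches, but only an MD5/SHA-1 pin' apart from 'matches a SHA-256 pin'.
    """
    algo = algorithm_for(pin)
    actual = hashlib.new(algo, data).hexdigest()
    return {
        "algorithm": algo,
        "match": hmac.compare_digest(actual, pin.strip().lower()),
        "weak_pin": algo in _WEAK,
    }


def check_pins(artifacts: dict) -> list:
    """artifacts maps a name to (bytes, pin). Returns the names that must fail the build."""
    failures = []
    for name, (data, pin) in artifacts.items():
        report = verify_digest(data, pin)
        if not report["match"]:
            failures.append(name)
        elif report["weak_pin"]:
            print(f"warning: {name} is pinned with {report['algorithm']}; "
                  "replace the pin with the vendor's SHA-256 digest", file=sys.stderr)
    return failures


if __name__ == "__main__":
    # Usage: python verify_pins.py FILE PIN [FILE PIN ...]
    args = sys.argv[1:]
    if not args or len(args) % 2:
        sys.exit("usage: verify_pins.py FILE PIN [FILE PIN ...]")
    pairs = dict(zip(args[::2], args[1::2]))
    artifacts = {f: (Path(f).read_bytes(), pin) for f, pin in pairs.items()}
    failed = check_pins(artifacts)
    for name in failed:
        print(f"error: {name} does not match its pin", file=sys.stderr)
    sys.exit(1 if failed else 0)
```

Run it as a separate build stage step right after the downloads and before any `tar`/`unzip`, so that a mismatch fails the image build rather than producing an image whose IdP or Jetty came from somewhere other than the pinned release. When bumping to IdP 4, Java 11 and Jetty 9.4, take the new SHA-256 values from the vendors' release pages, not from a mirror.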

Re: Upgrade Docker Image to Shibboleth 4

Julien Cochennec
Great, thank you Alan for answering so fast.

May I ask you if a pom file or something like this, listing all
requirement versions, is available for this version?

I checked this
https://git.shibboleth.net/view/?p=java-identity-provider.git;a=blob_plain;f=idp-bom/pom.xml;hb=ab7b2b4e6351309d933cf1a7a2fcd734954c8a0b

But I can't find the other vars I need.


Re: Upgrade Docker Image to Shibboleth 4

Ian Young-3
In reply to this post by Julien Cochennec


> On 2020-09-07, at 09:25, Julien Cochennec <[hidden email]> wrote:
>
> Hi, I'd like to test the Docker image for Shibboleth IDP 4.
>
> I'm using this: https://hub.docker.com/r/unicon/shibboleth-idp/dockerfile
>

This particular image, from Unicon, doesn't seem to be maintained any more. As you've noted, it is in any case for IdP V3 and not even the most recent version of that.


> Can I change those values to build an IDP V4 Docker image?

Perhaps in principle. As Alan says, you need to fix all the prerequisites, not just the IdP version.

Given that this image no longer seems to be maintained, though, it might be easier to start with one of the forks, e.g. the one from csc.fi:

    Image: https://hub.docker.com/r/cscfi/shibboleth-idp
    Source: https://github.com/CSCfi/shibboleth-idp-dockerized

There's also the InCommon TIER image:

    https://hub.docker.com/r/tier/shib-idp

Read this page for more details:

    https://spaces.at.internet2.edu/display/ITAP/InCommon+Trusted+Access+Platform+Release

These are actively maintained and kept pretty well up to date.


> If so, what will I need to do to build a v4 SP from this https://hub.docker.com/r/unicon/shibboleth-sp/dockerfile ?
>

Version numbers for the IdP and SP are not connected. The latest version of the SP is 3.1.0; there is no V4 at this time.


    -- Ian


Re: Upgrade Docker Image to Shibboleth 4

Julien Cochennec

Great, you're right; I will do this and switch to one of those projects.

Thank you.



Re: Upgrade Docker Image to Shibboleth 4

Julien Cochennec
In reply to this post by Ian Young-3

The CSCFI image works great, thanks; I just had to add a parameter to build.sh to make it silent:

RUN /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp

Now I have another problem; it looks like a file or a permission is missing (see below for the stack trace).

java.io.FileNotFoundException: /opt/shibboleth-idp/jetty-base/jetty.state (Permission denied)

Do I have to create this file manually? If so, which permissions should I use?


Step 16/16 : RUN /opt/jetty-home/bin/jetty.sh restart
 ---> Running in 23f1215149e6
Stopping Jetty: ERROR: no pid found at /var/run/jetty/jetty.pid
Starting Jetty: 2020-09-07 12:43:59.480:INFO::main: Logging initialized @1198ms to org.eclipse.jetty.util.log.StdErrLog
2020-09-07 12:44:00.481:INFO:oejs.SetUIDListener:main: Setting umask=02
2020-09-07 12:44:00.554:INFO:oejs.SetUIDListener:main: Opened ServerConnector@7975d1d8{SSL, (ssl, alpn, h2)}{0.0.0.0:8443}
2020-09-07 12:44:00.557:INFO:oejs.SetUIDListener:main: Opened ServerConnector@18f8cd79{HTTP/1.1, (http/1.1, h2c)}{0.0.0.0:8080}
2020-09-07 12:44:00.558:INFO:oejs.SetUIDListener:main: Setting UID=1000
2020-09-07 12:44:00.576:WARN:oejuc.FileNoticeLifeCycleListener:main:
java.io.FileNotFoundException: /opt/shibboleth-idp/jetty-base/jetty.state (Permission denied)
    at java.base/java.io.FileOutputStream.open0(Native Method)
    at java.base/java.io.FileOutputStream.open(FileOutputStream.java:298)
    at java.base/java.io.FileOutputStream.<init>(FileOutputStream.java:237)
    at java.base/java.io.FileOutputStream.<init>(FileOutputStream.java:158)
    at java.base/java.io.FileWriter.<init>(FileWriter.java:82)
    at org.eclipse.jetty.util.component.FileNoticeLifeCycleListener.writeState(FileNoticeLifeCycleListener.java:44)
    at org.eclipse.jetty.util.component.FileNoticeLifeCycleListener.lifeCycleStarting(FileNoticeLifeCycleListener.java:57)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.setStarting(AbstractLifeCycle.java:204)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:71)
    at org.eclipse.jetty.xml.XmlConfiguration.lambda$main$1(XmlConfiguration.java:1929)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1878)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at org.eclipse.jetty.start.Main.invokeMain(Main.java:218)
    at org.eclipse.jetty.start.Main.start(Main.java:491)
    at org.eclipse.jetty.start.Main.main(Main.java:77)
2020-09-07 12:44:00.586:INFO:oejs.Server:main: jetty-9.4.29.v20200521; built: 2020-05-21T17:20:40.598Z; git: 77c232aed8a45c818fd27232278d9f95a021095e; jvm 11.0.7+11-alpine-r1
2020-09-07 12:44:00.613:INFO:oejdp.ScanningAppProvider:main: Deployment monitor [file:///opt/shibboleth-idp/jetty-base/webapps/] at interval 1
. . 2020-09-07 12:44:08.127:INFO:oeja.AnnotationConfiguration:main: Scanning elapsed time=4429ms
2020-09-07 12:44:08.802:INFO:oejshC.idp:main: No Spring WebApplicationInitializer types detected on classpath
2020-09-07 12:44:09.454:INFO:oejs.session:main: DefaultSessionIdManager workerName=node0
2020-09-07 12:44:09.456:INFO:oejs.session:main: No SessionScavenger set, using defaults
2020-09-07 12:44:09.461:INFO:oejs.session:main: node0 Scavenging every 600000ms
2020-09-07 12:44:09.517:INFO:oejshC.idp:main: Initializing Spring root WebApplicationContext
. . Warning: Nashorn engine is planned to be removed from a future JDK release
. . Warning: Nashorn engine is planned to be removed from a future JDK release
. . 2020-09-07 12:44:31.630:INFO:oejshC.idp:main: Initializing Spring DispatcherServlet 'idp'
2020-09-07 12:44:34.098:INFO:oejsh.ContextHandler:main: Started o.e.j.w.WebAppContext@29a5f4e7{Shibboleth Identity Provider,/idp,[file:///tmp/jetty-0_0_0_0-8443-idp_war-_idp-any-2395631551190150044.dir/webinf/, jar:file:///opt/shibboleth-idp/war/idp.war!/],AVAILABLE}{/opt/shibboleth-idp/war/idp.war}
2020-09-07 12:44:34.144:INFO:oejus.SslContextFactory:main: x509=X509@46f77687(jetty,h=[jetty.eclipse.org],w=[]) for Server@74948d11[provider=null,keyStore=file:///opt/shibboleth-idp/jetty-base/etc/keystore,trustStore=file:///opt/shibboleth-idp/jetty-base/etc/keystore]
2020-09-07 12:44:34.167:INFO:oejus.SslContextFactory:main: x509=X509@9aa9e4a(mykey,h=[],w=[]) for Server@74948d11[provider=null,keyStore=file:///opt/shibboleth-idp/jetty-base/etc/keystore,trustStore=file:///opt/shibboleth-idp/jetty-base/etc/keystore]
2020-09-07 12:44:34.255:INFO:oejs.AbstractConnector:main: Started ServerConnector@7975d1d8{SSL, (ssl, alpn, h2)}{0.0.0.0:8443}
2020-09-07 12:44:34.268:INFO:oejs.AbstractConnector:main: Started ServerConnector@18f8cd79{HTTP/1.1, (http/1.1, h2c)}{0.0.0.0:8080}
2020-09-07 12:44:34.269:INFO:oejs.Server:main: Started @35987ms
2020-09-07 12:44:34.269:WARN:oejuc.FileNoticeLifeCycleListener:main:
java.io.FileNotFoundException: /opt/shibboleth-idp/jetty-base/jetty.state (Permission denied)
    at java.base/java.io.FileOutputStream.open0(Native Method)
    at java.base/java.io.FileOutputStream.open(FileOutputStream.java:298)
    at java.base/java.io.FileOutputStream.<init>(FileOutputStream.java:237)
    at java.base/java.io.FileOutputStream.<init>(FileOutputStream.java:158)
    at java.base/java.io.FileWriter.<init>(FileWriter.java:82)
    at org.eclipse.jetty.util.component.FileNoticeLifeCycleListener.writeState(FileNoticeLifeCycleListener.java:44)
    at org.eclipse.jetty.util.component.FileNoticeLifeCycleListener.lifeCycleStarted(FileNoticeLifeCycleListener.java:63)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.setStarted(AbstractLifeCycle.java:193)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
    at org.eclipse.jetty.xml.XmlConfiguration.lambda$main$1(XmlConfiguration.java:1929)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1878)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at org.eclipse.jetty.start.Main.invokeMain(Main.java:218)
    at org.eclipse.jetty.start.Main.start(Main.java:491)
    at org.eclipse.jetty.start.Main.main(Main.java:77)


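The trace in the post above explains the failure mode: `SetUIDListener` opens the 8443/8080 listeners as root and then logs `Setting UID=1000`, and only afterwards does `FileNoticeLifeCycleListener` try to open `/opt/shibboleth-idp/jetty-base/jetty.state` for writing. The build step runs as root, so nothing in the Dockerfile notices that the file (or the jetty-base directory, if the file has to be created) is not writable by UID 1000. The following is an added example, not part of the CSCfi image or of Jetty: a preflight that reproduces the POSIX discretionary permission decision for the identity Jetty drops to, so the problem shows up at build time rather than as a warning in the container log. The uid/gid values and the mode bits in the test cases are constructed; the real jetty-base layout of the CSCfi image is not assumed.

```python
"""Preflight: will Jetty still be able to write jetty.state after it drops
privileges?

Added example, not part of the CSCfi image or of Jetty. The log shows
SetUIDListener switching to UID=1000 before FileNoticeLifeCycleListener opens
jetty-base/jetty.state for writing, so the check must be made for that
unprivileged identity, not for the root user that ran the build step.
Constructed uid/gid values; the image's real user is not assumed.
"""
import os
import stat
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """The parts of an inode that matter for a discretionary access decision."""
    mode: int   # st_mode, including the file-type bits
    uid: int
    gid: int


def _perm_class(entry: Entry, uid: int, gid: int, groups) -> str:
    """POSIX picks exactly one class: owner, else group, else other.
    A more permissive group/other bit never rescues a restrictive owner bit."""
    if entry.uid == uid:
        return "owner"
    if entry.gid == gid or entry.gid in groups:
        return "group"
    return "other"


_WRITE = {"owner": stat.S_IWUSR, "group": stat.S_IWGRP, "other": stat.S_IWOTH}
_SEARCH = {"owner": stat.S_IXUSR, "group": stat.S_IXGRP, "other": stat.S_IXOTH}


def can_write(entry: Entry, uid: int, gid: int, groups=()) -> bool:
    """Can this identity open an existing file for writing?

    Root bypasses mode bits. ACLs, SELinux/AppArmor and read-only mounts are
    ignored here; they can only make the real answer more restrictive.
    """
    if uid == 0:
        return True
    cls = _perm_class(entry, uid, gid, groups)
    return bool(stat.S_IMODE(entry.mode) & _WRITE[cls])


def can_create_in(parent: Entry, uid: int, gid: int, groups=()) -> bool:
    """Creating a new file needs both write and search (x) on the directory."""
    if uid == 0:
        return True
    cls = _perm_class(parent, uid, gid, groups)
    need = _WRITE[cls] | _SEARCH[cls]
    return stat.S_IMODE(parent.mode) & need == need


def state_file_writable(file_entry, parent_entry, uid, gid, groups=()) -> bool:
    """Jetty truncates and rewrites the state file: if it exists the file itself
    must be writable, otherwise it must be creatable in jetty-base."""
    if file_entry is not None:
        return can_write(file_entry, uid, gid, groups)
    if parent_entry is None:
        return False
    return can_create_in(parent_entry, uid, gid, groups)


def entry_from_path(path: str):
    """os.stat a path, or None if it does not exist."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return Entry(st.st_mode, st.st_uid, st.st_gid)


def preflight(state_path: str, uid: int, gid: int, groups=()) -> bool:
    """Check the real filesystem for the identity Jetty will drop to."""
    return state_file_writable(entry_from_path(state_path),
                               entry_from_path(os.path.dirname(state_path)),
                               uid, gid, groups)


if __name__ == "__main__":
    # Usage: python jetty_state_preflight.py /opt/shibboleth-idp/jetty-base/jetty.state 1000 1000
    path, uid, gid = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    ok = preflight(path, uid, gid)
    print(f"{path}: {'writable' if ok else 'NOT writable'} for uid={uid} gid={gid}")
    sys.exit(0 if ok else 1)
```

Run it as a `RUN` step after the image has set up jetty-base and before `jetty.sh`; a non-zero exit fails the build. The least-privilege fix is to create `jetty.state` owned by the UID Jetty drops to with mode 0644 (or make only that file group-writable), not to open up the whole `jetty-base` tree, which also holds `etc/keystore`. Unrelated to permissions but visible in the same log: the TLS keystore still contains the Jetty demo certificate (`x509=X509@...(jetty,h=[jetty.eclipse.org],...)`) next to `mykey`; remove it before exposing 8443.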

Re: Upgrade Docker Image to Shibboleth 4

Julien Cochennec

OK, forget about the previous message; it worked when I created the file.

And now the IdP has started.

I just have two errors I don't really understand; the first one is about opt/shibboleth-idp/credentials/idp-signing-rs.jwk, but I have found nothing about it yet.


shib_idp_container   | java.io.FileNotFoundException: class path resource [opt/shibboleth-idp/credentials/idp-signing-rs.jwk] cannot be opened because it does not exist
shib_idp_container   |     at org.springframework.core.io.ClassPathResource.getInputStream(ClassPathResource.java:180)
shib_idp_container   | 2020-09-07 13:03:27,443 -  - WARN [net.shibboleth.ext.spring.context.FilesystemGenericApplicationContext:558] - Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'profileResponders': Cannot resolve reference to bean 'OIDC.SSO' while setting bean property 'sourceMap'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'OIDC.SSO' defined in file [/opt/shibboleth-idp/conf/oidc-relying-party.xml]: Cannot resolve reference to bean 'shibboleth.oidc.DefaultSecurityConfiguration' while setting bean property 'securityConfiguration'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.oidc.DefaultSecurityConfiguration' defined in file [/opt/shibboleth-idp/conf/oidc-relying-party.xml]: Cannot resolve reference to bean '#{'shibboleth.oidc.SigningConfiguration'.trim()}' while setting bean property 'signatureSigningConfiguration'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.oidc.SigningConfiguration' defined in file [/opt/shibboleth-idp/conf/oidc-relying-party.xml]: Cannot resolve reference to bean 'shibboleth.oidc.SigningCredentials' while setting bean property 'signingCredentials'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.oidc.SigningCredentials': Cannot resolve reference to bean 'shibboleth.oidc.DefaultRSSigningCredential' while setting bean property 'sourceList' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.oidc.DefaultRSSigningCredential' defined in file [/opt/shibboleth-idp/conf/credentials-oidc.xml]: Invocation of init method failed; nested exception is 
org.springframework.beans.FatalBeanException: Could not decode provided KeyFile class path resource [opt/shibboleth-idp/credentials/idp-signing-rs.jwk]; nested exception is java.io.FileNotFoundException: class path resource [opt/shibboleth-idp/credentials/idp-signing-rs.jwk] cannot be opened because it does not exist
shib_idp_container   | 2020-09-07 13:03:27,452 -  - ERROR [net.shibboleth.utilities.java.support.service.AbstractReloadableService:182] - Service 'shibboleth.RelyingPartyResolverService': Initial load failed
shib_idp_container   | net.shibboleth.utilities.java.support.service.ServiceException: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'profileResponders': Cannot resolve reference to bean 'OIDC.SSO' while setting bean property 'sourceMap'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'OIDC.SSO' defined in file [/opt/shibboleth-idp/conf/oidc-relying-party.xml]: Cannot resolve reference to bean 'shibboleth.oidc.DefaultSecurityConfiguration' while setting bean property 'securityConfiguration'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.oidc.DefaultSecurityConfiguration' defined in file [/opt/shibboleth-idp/conf/oidc-relying-party.xml]: Cannot resolve reference to bean '#{'shibboleth.oidc.SigningConfiguration'.trim()}' while setting bean property 'signatureSigningConfiguration'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.oidc.SigningConfiguration' defined in file [/opt/shibboleth-idp/conf/oidc-relying-party.xml]: Cannot resolve reference to bean 'shibboleth.oidc.SigningCredentials' while setting bean property 'signingCredentials'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.oidc.SigningCredentials': Cannot resolve reference to bean 'shibboleth.oidc.DefaultRSSigningCredential' while setting bean property 'sourceList' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.oidc.DefaultRSSigningCredential' defined in file [/opt/shibboleth-idp/conf/credentials-oidc.xml]: Invocation of init method failed; nested exception is org.springframework.beans.FatalBeanException: Could not decode provided KeyFile class path resource [opt/shibboleth-idp/credentials/idp-signing-rs.jwk]; 
nested exception is java.io.FileNotFoundException: class path resource [opt/shibboleth-idp/credentials/idp-signing-rs.jwk] cannot be opened because it does not exist
shib_idp_container   |     at net.shibboleth.ext.spring.service.ReloadableSpringService.doReload(ReloadableSpringService.java:377)
shib_idp_container   | Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'profileResponders': Cannot resolve reference to bean 'OIDC.SSO' while setting bean property 'sourceMap'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'OIDC.SSO' defined in file [/opt/shibboleth-idp/conf/oidc-relying-party.xml]: Cannot resolve reference to bean 'shibboleth.oidc.DefaultSecurityConfiguration' while setting bean property 'securityConfiguration'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.oidc.DefaultSecurityConfiguration' defined in file [/opt/shibboleth-idp/conf/oidc-relying-party.xml]: Cannot resolve reference to bean '#{'shibboleth.oidc.SigningConfiguration'.trim()}' while setting bean property 'signatureSigningConfiguration'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.oidc.SigningConfiguration' defined in file [/opt/shibboleth-idp/conf/oidc-relying-party.xml]: Cannot resolve reference to bean 'shibboleth.oidc.SigningCredentials' while setting bean property 'signingCredentials'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.oidc.SigningCredentials': Cannot resolve reference to bean 'shibboleth.oidc.DefaultRSSigningCredential' while setting bean property 'sourceList' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.oidc.DefaultRSSigningCredential' defined in file [/opt/shibboleth-idp/conf/credentials-oidc.xml]: Invocation of init method failed; nested exception is org.springframework.beans.FatalBeanException: Could not decode provided KeyFile class path resource [opt/shibboleth-idp/credentials/idp-signing-rs.jwk]; nested exception is java.io.FileNotFoundException: 
class path resource [opt/shibboleth-idp/credentials/idp-signing-rs.jwk] cannot be opened because it does not exist
shib_idp_container   |     at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:342)
shib_idp_container   | Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'OIDC.SSO' defined in file [/opt/shibboleth-idp/conf/oidc-relying-party.xml]: Cannot resolve reference to bean 'shibboleth.oidc.DefaultSecurityConfiguration' while setting bean property 'securityConfiguration'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.oidc.DefaultSecurityConfiguration' defined in file [/opt/shibboleth-idp/conf/oidc-relying-party.xml]: Cannot resolve reference to bean '#{'shibboleth.oidc.SigningConfiguration'.trim()}' while setting bean property 'signatureSigningConfiguration'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.oidc.SigningConfiguration' defined in file [/opt/shibboleth-idp/conf/oidc-relying-party.xml]: Cannot resolve reference to bean 'shibboleth.oidc.SigningCredentials' while setting bean property 'signingCredentials'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.oidc.SigningCredentials': Cannot resolve reference to bean 'shibboleth.oidc.DefaultRSSigningCredential' while setting bean property 'sourceList' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.oidc.DefaultRSSigningCredential' defined in file [/opt/shibboleth-idp/conf/credentials-oidc.xml]: Invocation of init method failed; nested exception is org.springframework.beans.FatalBeanException: Could not decode provided KeyFile class path resource [opt/shibboleth-idp/credentials/idp-signing-rs.jwk]; nested exception is java.io.FileNotFoundException: class path resource [opt/shibboleth-idp/credentials/idp-signing-rs.jwk] cannot be opened because it does not exist
shib_idp_container   |     at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:342)
shib_idp_container   | Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.oidc.DefaultSecurityConfiguration' defined in file [/opt/shibboleth-idp/conf/oidc-relying-party.xml]: Cannot resolve reference to bean '#{'shibboleth.oidc.SigningConfiguration'.trim()}' while setting bean property 'signatureSigningConfiguration'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.oidc.SigningConfiguration' defined in file [/opt/shibboleth-idp/conf/oidc-relying-party.xml]: Cannot resolve reference to bean 'shibboleth.oidc.SigningCredentials' while setting bean property 'signingCredentials'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.oidc.SigningCredentials': Cannot resolve reference to bean 'shibboleth.oidc.DefaultRSSigningCredential' while setting bean property 'sourceList' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.oidc.DefaultRSSigningCredential' defined in file [/opt/shibboleth-idp/conf/credentials-oidc.xml]: Invocation of init method failed; nested exception is org.springframework.beans.FatalBeanException: Could not decode provided KeyFile class path resource [opt/shibboleth-idp/credentials/idp-signing-rs.jwk]; nested exception is java.io.FileNotFoundException: class path resource [opt/shibboleth-idp/credentials/idp-signing-rs.jwk] cannot be opened because it does not exist
shib_idp_container   |     at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:342)
shib_idp_container   | Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.oidc.SigningConfiguration' defined in file [/opt/shibboleth-idp/conf/oidc-relying-party.xml]: Cannot resolve reference to bean 'shibboleth.oidc.SigningCredentials' while setting bean property 'signingCredentials'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.oidc.SigningCredentials': Cannot resolve reference to bean 'shibboleth.oidc.DefaultRSSigningCredential' while setting bean property 'sourceList' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.oidc.DefaultRSSigningCredential' defined in file [/opt/shibboleth-idp/conf/credentials-oidc.xml]: Invocation of init method failed; nested exception is org.springframework.beans.FatalBeanException: Could not decode provided KeyFile class path resource [opt/shibboleth-idp/credentials/idp-signing-rs.jwk]; nested exception is java.io.FileNotFoundException: class path resource [opt/shibboleth-idp/credentials/idp-signing-rs.jwk] cannot be opened because it does not exist
shib_idp_container   |     at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:342)
shib_idp_container   | Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.oidc.SigningCredentials': Cannot resolve reference to bean 'shibboleth.oidc.DefaultRSSigningCredential' while setting bean property 'sourceList' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.oidc.DefaultRSSigningCredential' defined in file [/opt/shibboleth-idp/conf/credentials-oidc.xml]: Invocation of init method failed; nested exception is org.springframework.beans.FatalBeanException: Could not decode provided KeyFile class path resource [opt/shibboleth-idp/credentials/idp-signing-rs.jwk]; nested exception is java.io.FileNotFoundException: class path resource [opt/shibboleth-idp/credentials/idp-signing-rs.jwk] cannot be opened because it does not exist
shib_idp_container   |     at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:342)
shib_idp_container   | Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.oidc.DefaultRSSigningCredential' defined in file [/opt/shibboleth-idp/conf/credentials-oidc.xml]: Invocation of init method failed; nested exception is org.springframework.beans.FatalBeanException: Could not decode provided KeyFile class path resource [opt/shibboleth-idp/credentials/idp-signing-rs.jwk]; nested exception is java.io.FileNotFoundException: class path resource [opt/shibboleth-idp/credentials/idp-signing-rs.jwk] cannot be opened because it does not exist
shib_idp_container   |     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1796)
shib_idp_container   | Caused by: org.springframework.beans.FatalBeanException: Could not decode provided KeyFile class path resource [opt/shibboleth-idp/credentials/idp-signing-rs.jwk]; nested exception is java.io.FileNotFoundException: class path resource [opt/shibboleth-idp/credentials/idp-signing-rs.jwk] cannot be opened because it does not exist
shib_idp_container   |     at org.geant.idpextension.oidc.profile.spring.factory.BasicJWKCredentialFactoryBean.doCreateInstance(BasicJWKCredentialFactoryBean.java:83)
shib_idp_container   | Caused by: java.io.FileNotFoundException: class path resource [opt/shibboleth-idp/credentials/idp-signing-rs.jwk] cannot be opened because it does not exist
shib_idp_container   |     at org.springframework.core.io.ClassPathResource.getInputStream(ClassPathResource.java:180)

shib_idp_container   | 2020-09-07 13:03:46,626 - 127.0.0.1 - ERROR [org.apache.velocity.loader:351] - ResourceManager: unable to find resource 'status.vm' in any resource loader.
^CGracefully stopping... (press Ctrl+C again to force)





On 07/09/2020 at 14:57, Julien Cochennec wrote:

The CSCFI image works great, thanks. I just had to add a parameter to build.sh to make it silent:

RUN /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp

Now I have another problem that looks like a file or a permission is missing (see below for stack trace).

java.io.FileNotFoundException: /opt/shibboleth-idp/jetty-base/jetty.state (Permission denied)

Do I have to create this file manually? If so, which permissions should I use?


Step 16/16 : RUN /opt/jetty-home/bin/jetty.sh restart
 ---> Running in 23f1215149e6
Stopping Jetty: ERROR: no pid found at /var/run/jetty/jetty.pid
Starting Jetty: 2020-09-07 12:43:59.480:INFO::main: Logging initialized @1198ms to org.eclipse.jetty.util.log.StdErrLog
2020-09-07 12:44:00.481:INFO:oejs.SetUIDListener:main: Setting umask=02
2020-09-07 12:44:00.554:INFO:oejs.SetUIDListener:main: Opened ServerConnector@7975d1d8{SSL, (ssl, alpn, h2)}{0.0.0.0:8443}
2020-09-07 12:44:00.557:INFO:oejs.SetUIDListener:main: Opened ServerConnector@18f8cd79{HTTP/1.1, (http/1.1, h2c)}{0.0.0.0:8080}
2020-09-07 12:44:00.558:INFO:oejs.SetUIDListener:main: Setting UID=1000
2020-09-07 12:44:00.576:WARN:oejuc.FileNoticeLifeCycleListener:main:
java.io.FileNotFoundException: /opt/shibboleth-idp/jetty-base/jetty.state (Permission denied)
    at java.base/java.io.FileOutputStream.open0(Native Method)
    at java.base/java.io.FileOutputStream.open(FileOutputStream.java:298)
    at java.base/java.io.FileOutputStream.<init>(FileOutputStream.java:237)
    at java.base/java.io.FileOutputStream.<init>(FileOutputStream.java:158)
    at java.base/java.io.FileWriter.<init>(FileWriter.java:82)
    at org.eclipse.jetty.util.component.FileNoticeLifeCycleListener.writeState(FileNoticeLifeCycleListener.java:44)
    at org.eclipse.jetty.util.component.FileNoticeLifeCycleListener.lifeCycleStarting(FileNoticeLifeCycleListener.java:57)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.setStarting(AbstractLifeCycle.java:204)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:71)
    at org.eclipse.jetty.xml.XmlConfiguration.lambda$main$1(XmlConfiguration.java:1929)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1878)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at org.eclipse.jetty.start.Main.invokeMain(Main.java:218)
    at org.eclipse.jetty.start.Main.start(Main.java:491)
    at org.eclipse.jetty.start.Main.main(Main.java:77)
2020-09-07 12:44:00.586:INFO:oejs.Server:main: jetty-9.4.29.v20200521; built: 2020-05-21T17:20:40.598Z; git: 77c232aed8a45c818fd27232278d9f95a021095e; jvm 11.0.7+11-alpine-r1
2020-09-07 12:44:00.613:INFO:oejdp.ScanningAppProvider:main: Deployment monitor [file:///opt/shibboleth-idp/jetty-base/webapps/] at interval 1
. . 2020-09-07 12:44:08.127:INFO:oeja.AnnotationConfiguration:main: Scanning elapsed time=4429ms
2020-09-07 12:44:08.802:INFO:oejshC.idp:main: No Spring WebApplicationInitializer types detected on classpath
2020-09-07 12:44:09.454:INFO:oejs.session:main: DefaultSessionIdManager workerName=node0
2020-09-07 12:44:09.456:INFO:oejs.session:main: No SessionScavenger set, using defaults
2020-09-07 12:44:09.461:INFO:oejs.session:main: node0 Scavenging every 600000ms
2020-09-07 12:44:09.517:INFO:oejshC.idp:main: Initializing Spring root WebApplicationContext
. . Warning: Nashorn engine is planned to be removed from a future JDK release
. . Warning: Nashorn engine is planned to be removed from a future JDK release
. . 2020-09-07 12:44:31.630:INFO:oejshC.idp:main: Initializing Spring DispatcherServlet 'idp'
2020-09-07 12:44:34.098:INFO:oejsh.ContextHandler:main: Started o.e.j.w.WebAppContext@29a5f4e7{Shibboleth Identity Provider,/idp,[file:///tmp/jetty-0_0_0_0-8443-idp_war-_idp-any-2395631551190150044.dir/webinf/, jar:file:///opt/shibboleth-idp/war/idp.war!/],AVAILABLE}{/opt/shibboleth-idp/war/idp.war}
2020-09-07 12:44:34.144:INFO:oejus.SslContextFactory:main: x509=X509@46f77687(jetty,h=[jetty.eclipse.org],w=[]) for Server@74948d11[provider=null,keyStore=file:///opt/shibboleth-idp/jetty-base/etc/keystore,trustStore=file:///opt/shibboleth-idp/jetty-base/etc/keystore]
2020-09-07 12:44:34.167:INFO:oejus.SslContextFactory:main: x509=X509@9aa9e4a(mykey,h=[],w=[]) for Server@74948d11[provider=null,keyStore=file:///opt/shibboleth-idp/jetty-base/etc/keystore,trustStore=file:///opt/shibboleth-idp/jetty-base/etc/keystore]
2020-09-07 12:44:34.255:INFO:oejs.AbstractConnector:main: Started ServerConnector@7975d1d8{SSL, (ssl, alpn, h2)}{0.0.0.0:8443}
2020-09-07 12:44:34.268:INFO:oejs.AbstractConnector:main: Started ServerConnector@18f8cd79{HTTP/1.1, (http/1.1, h2c)}{0.0.0.0:8080}
2020-09-07 12:44:34.269:INFO:oejs.Server:main: Started @35987ms
2020-09-07 12:44:34.269:WARN:oejuc.FileNoticeLifeCycleListener:main:
java.io.FileNotFoundException: /opt/shibboleth-idp/jetty-base/jetty.state (Permission denied)
    at java.base/java.io.FileOutputStream.open0(Native Method)
    at java.base/java.io.FileOutputStream.open(FileOutputStream.java:298)
    at java.base/java.io.FileOutputStream.<init>(FileOutputStream.java:237)
    at java.base/java.io.FileOutputStream.<init>(FileOutputStream.java:158)
    at java.base/java.io.FileWriter.<init>(FileWriter.java:82)
    at org.eclipse.jetty.util.component.FileNoticeLifeCycleListener.writeState(FileNoticeLifeCycleListener.java:44)
    at org.eclipse.jetty.util.component.FileNoticeLifeCycleListener.lifeCycleStarted(FileNoticeLifeCycleListener.java:63)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.setStarted(AbstractLifeCycle.java:193)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
    at org.eclipse.jetty.xml.XmlConfiguration.lambda$main$1(XmlConfiguration.java:1929)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1878)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at org.eclipse.jetty.start.Main.invokeMain(Main.java:218)
    at org.eclipse.jetty.start.Main.start(Main.java:491)
    at org.eclipse.jetty.start.Main.main(Main.java:77)


On 07/09/2020 at 11:20, Ian Young wrote:
On 2020-09-07, at 09:25, Julien Cochennec [hidden email] wrote:

Hi, Id 'like to test the Docker image for Shibboleth IDP 4.

I'm using this : https://hub.docker.com/r/unicon/shibboleth-idp/dockerfile

This particular image, from Unicon, doesn't seem to be maintained any more. As you've noted, it is in any case for IdP V3 and not even the most recent version of that.


Can I change those values to build an IDP V4 Docker image?
Perhaps in principle. As Alan says, you need to fix all the prerequisites, not just the IdP version.

Given that this image no longer seems to be maintained, though, it might be easier to start with one of the forks, e.g. the one from csc.fi:

    Image: https://hub.docker.com/r/cscfi/shibboleth-idp
    Source: https://github.com/CSCfi/shibboleth-idp-dockerized

There's also the InCommon TIER image:

    https://hub.docker.com/r/tier/shib-idp

Read this page for more details:

    https://spaces.at.internet2.edu/display/ITAP/InCommon+Trusted+Access+Platform+Release

These are actively maintained and kept pretty well up to date.


If so, what will I need to do to build a v4 SP from this https://hub.docker.com/r/unicon/shibboleth-sp/dockerfile ?

Version numbers for the IdP and SP are not connected. The latest version of the SP is 3.1.0; there is no V4 at this time.


    -- Ian





-- 
Julien Cochennec
Pôle de compétences - gestion des identités

Mél [hidden email]
Tél 02 38 83 48 88

DSI - Rectorat d'Orléans-Tours
10 Rue Molière
45000 Orléans
www.ac-orleans-tours.fr


--
To unsubscribe from this list send an email to [hidden email]

Re: Upgrade Docker Image to Shibboleth 4

Ian Young-3

> On 2020-09-07, at 14:22, Julien Cochennec <[hidden email]> wrote:
>
> I just have two errors I don't really understand, first one is about opt/shibboleth-idp/credentials/idp-signing-rs.jwk but I found nothing about it yet.
>
>
>
> shib_idp_container   | java.io.FileNotFoundException: class path resource [opt/shibboleth-idp/credentials/idp-signing-rs.jwk] cannot be opened because it does not exist
>

I think this image has incorporated an OIDC extension but the documentation isn't telling you about it. (a .jwk file is a JSON Web Key, I think).

I think the documentation for that extension can be found here:

    https://github.com/CSCfi/shibboleth-idp-oidc-extension/wiki

You're beyond the areas of my expertise here, though, so I don't think I can offer you much more assistance. Perhaps someone who has used that image will chip in?


> shib_idp_container   | 2020-09-07 13:03:46,626 - 127.0.0.1 - ERROR [org.apache.velocity.loader:351] - ResourceManager: unable to find resource 'status.vm' in any resource loader.
>


https://wiki.shibboleth.net/confluence/display/IDP30/Troubleshooting#Troubleshooting-Error:"unabletofindresource'status.vm'"

This error can be ignored.


    -- Ian





--
To unsubscribe from this list send an email to [hidden email]


Re: Upgrade Docker Image to Shibboleth 4

Julien Cochennec

Thanks a lot Ian,

I found all I needed in the link you provided. I used this project https://github.com/mitreid-connect/json-web-key-generator to generate the files in credentials.

To build this project with a temporary docker container:

docker run -it --rm --name my-maven-project -v $PWD:/usr/src -w /usr/src maven:3.6.3-openjdk-14-slim mvn package

To generate the files in credentials and then put them in the credentials folder of the shibboleth home folder:

java -jar json-web-key-generator-0.9-SNAPSHOT-jar-with-dependencies.jar -t EC -c P-256 -a ES256 -u sig -i oidcKeyES | tail -n +2 > credentials/idp-signing-es.jwk
java -jar json-web-key-generator-0.9-SNAPSHOT-jar-with-dependencies.jar -t RSA -s 2048 -u sig -i oidcKeyRS | tail -n +2 > credentials/idp-signing-rs.jwk
java -jar json-web-key-generator-0.9-SNAPSHOT-jar-with-dependencies.jar -t RSA -s 2048 -u enc -i oidcKeyRSAEncryption | tail -n +2 > credentials/idp-encryption-rsa.jwk


On 07/09/2020 at 15:50, Ian Young wrote:

On 2020-09-07, at 14:22, Julien Cochennec [hidden email] wrote:

I just have two errors I don't really understand, first one is about opt/shibboleth-idp/credentials/idp-signing-rs.jwk but I found nothing about it yet.



shib_idp_container   | java.io.FileNotFoundException: class path resource [opt/shibboleth-idp/credentials/idp-signing-rs.jwk] cannot be opened because it does not exist

I think this image has incorporated an OIDC extension but the documentation isn't telling you about it. (a .jwk file is a JSON Web Key, I think).

I think the documentation for that extension can be found here:

    https://github.com/CSCfi/shibboleth-idp-oidc-extension/wiki

You're beyond the areas of my expertise here, though, so I don't think I can offer you much more assistance. Perhaps someone who has used that image will chip in?


shib_idp_container   | 2020-09-07 13:03:46,626 - 127.0.0.1 - ERROR [org.apache.velocity.loader:351] - ResourceManager: unable to find resource 'status.vm' in any resource loader.


https://wiki.shibboleth.net/confluence/display/IDP30/Troubleshooting#Troubleshooting-Error:"unabletofindresource'status.vm'"

This error can be ignored.


    -- Ian





-- 
Julien Cochennec
Pôle de compétences - gestion des identités

Mél [hidden email]
Tél 02 38 83 48 88

DSI - Rectorat d'Orléans-Tours
10 Rue Molière
45000 Orléans
www.ac-orleans-tours.fr

--
To unsubscribe from this list send an email to [hidden email]
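A small check for the generated files before they go into the IdP's credentials folder, added here as an example and not part of the post or of the json-web-key-generator project: it verifies that each of the three files named in the commands above is valid JSON (a leftover header line, which the `tail -n +2` above strips and which this example assumes reads `Full key:`, is the usual breakage), carries the key type, use, curve/algorithm or modulus size those commands request, includes the private members the IdP needs to sign or decrypt, and is not world-accessible. Sample key material is constructed placeholder bytes, not real keys.

```python
import base64
import json
import os
import stat

# Expected contents of the three files produced by the commands in the post.
EXPECTED = {
    "idp-signing-es.jwk": {"kty": "EC", "use": "sig", "crv": "P-256", "alg": "ES256"},
    "idp-signing-rs.jwk": {"kty": "RSA", "use": "sig", "bits": 2048},
    "idp-encryption-rsa.jwk": {"kty": "RSA", "use": "enc", "bits": 2048},
}
# Private members without which the IdP cannot sign (sig) or decrypt (enc).
PRIVATE_MEMBERS = {"EC": ("d",), "RSA": ("d", "p", "q")}


def _b64url_bits(value):
    """Size in bits of a base64url-encoded JWK integer (JWK omits '=' padding)."""
    padded = value + "=" * (-len(value) % 4)
    return len(base64.urlsafe_b64decode(padded)) * 8


def check_jwk_text(name, text):
    """Return the problems found in one JWK file's text; an empty list means OK."""
    exp = EXPECTED[name]
    try:
        jwk = json.loads(text)
    except ValueError:
        # A non-JSON header line left in front of the key lands here.
        first = text.strip().splitlines()[0] if text.strip() else ""
        return [f"{name}: not valid JSON, first line is {first!r} (forgot tail -n +2?)"]
    problems = []
    for member in ("kty", "use", "crv", "alg"):
        if member in exp and jwk.get(member) != exp[member]:
            problems.append(f"{name}: {member} is {jwk.get(member)!r}, expected {exp[member]!r}")
    if not jwk.get("kid"):
        problems.append(f"{name}: missing kid")
    for member in PRIVATE_MEMBERS[exp["kty"]]:
        if member not in jwk:
            problems.append(f"{name}: missing private member {member!r}")
    if "bits" in exp and "n" in jwk and _b64url_bits(jwk["n"]) != exp["bits"]:
        problems.append(f"{name}: modulus is {_b64url_bits(jwk['n'])} bits, expected {exp['bits']}")
    return problems


def check_jwk_file(path):
    """Check a file on disk: its contents, and that the private key is not world-accessible."""
    name = os.path.basename(path)
    with open(path, encoding="utf-8") as fh:
        problems = check_jwk_text(name, fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IRWXO:
        problems.append(f"{name}: mode {mode:04o} is world-accessible")
    return problems


def _fake_b64(nbytes):
    """Constructed placeholder of the right length (top bit set); NOT a real key."""
    return base64.urlsafe_b64encode(b"\x80" + b"\x11" * (nbytes - 1)).rstrip(b"=").decode()


# Constructed sample files: a good RSA key, a good EC key, and one with the header left in.
SAMPLE_RS = json.dumps({"kty": "RSA", "use": "sig", "kid": "oidcKeyRS", "e": "AQAB",
                        "n": _fake_b64(256), "d": _fake_b64(256), "p": _fake_b64(128), "q": _fake_b64(128)})
SAMPLE_ES = json.dumps({"kty": "EC", "use": "sig", "crv": "P-256", "alg": "ES256", "kid": "oidcKeyES",
                        "x": _fake_b64(32), "y": _fake_b64(32), "d": _fake_b64(32)})
SAMPLE_BAD = "Full key:\n" + SAMPLE_RS   # assumed header line, as produced without `tail -n +2`
```

Run `check_jwk_file` over each file in the credentials folder; any non-empty list explains why the IdP's credential factory would reject or mis-use that file.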

Re: Upgrade Docker Image to Shibboleth 4

Sami Silén
Hi Julien,

Yes, we already included the oidc extension in the docker image, as Ian mentioned.

Using a JWK is one option, as you have done. The other option, which we are using, is to change the configuration to use the same %{idp.[signing|encryption].[key|cert]} variables that the SAML part uses, by modifying credentials-oidc.xml accordingly.

Nice to hear that this is found useful. 

// Sami

Thanks a lot Ian,

I found all I needed in the link you provided. I used this project https://github.com/mitreid-connect/json-web-key-generator to generate the files in credentials.

To build this project with a temporary docker container:

docker run -it --rm --name my-maven-project -v $PWD:/usr/src -w /usr/src maven:3.6.3-openjdk-14-slim mvn package

To generate the files in credentials and then put them in the credentials folder of the shibboleth home folder:

java -jar json-web-key-generator-0.9-SNAPSHOT-jar-with-dependencies.jar -t EC -c P-256 -a ES256 -u sig -i oidcKeyES | tail -n +2 > credentials/idp-signing-es.jwk
java -jar json-web-key-generator-0.9-SNAPSHOT-jar-with-dependencies.jar -t RSA -s 2048 -u sig -i oidcKeyRS | tail -n +2 > credentials/idp-signing-rs.jwk
java -jar json-web-key-generator-0.9-SNAPSHOT-jar-with-dependencies.jar -t RSA -s 2048 -u enc -i oidcKeyRSAEncryption | tail -n +2 > credentials/idp-encryption-rsa.jwk




--
To unsubscribe from this list send an email to [hidden email]

Re: Upgrade Docker Image to Shibboleth 4

Julien Cochennec

Hi Sami, thanks for your answer,

May I ask which version of the Dockerized Shibboleth SP you're using?

I saw this one https://github.com/Unicon/shibboleth-sp-dockerized that looks quite recent (15 months).

Have a nice day.


On 08/09/2020 at 11:36, Sami Silén wrote:
Hi Julien,

Yes, we already included the oidc extension in the docker image, as Ian mentioned.

Using a JWK is one option, as you have done. The other option, which we are using, is to change the configuration to use the same %{idp.[signing|encryption].[key|cert]} variables that the SAML part uses, by modifying credentials-oidc.xml accordingly.

Nice to hear that this is found useful. 

// Sami

Thanks a lot Ian,

I found all I needed in the link you provided. I used this project https://github.com/mitreid-connect/json-web-key-generator to generate the files in credentials.

To build this project with a temporary docker container:

docker run -it --rm --name my-maven-project -v $PWD:/usr/src -w /usr/src maven:3.6.3-openjdk-14-slim mvn package

To generate the files in credentials and then put them in the credentials folder of the shibboleth home folder:

java -jar json-web-key-generator-0.9-SNAPSHOT-jar-with-dependencies.jar -t EC -c P-256 -a ES256 -u sig -i oidcKeyES | tail -n +2 > credentials/idp-signing-es.jwk
java -jar json-web-key-generator-0.9-SNAPSHOT-jar-with-dependencies.jar -t RSA -s 2048 -u sig -i oidcKeyRS | tail -n +2 > credentials/idp-signing-rs.jwk
java -jar json-web-key-generator-0.9-SNAPSHOT-jar-with-dependencies.jar -t RSA -s 2048 -u enc -i oidcKeyRSAEncryption | tail -n +2 > credentials/idp-encryption-rsa.jwk




-- 
Julien Cochennec
Pôle de compétences - gestion des identités

Mél [hidden email]
Tél 02 38 83 48 88

DSI - Rectorat d'Orléans-Tours
10 Rue Molière
45000 Orléans
www.ac-orleans-tours.fr

--
To unsubscribe from this list send an email to [hidden email]

Re: Upgrade Docker Image to Shibboleth 4

Sami Silén
Hi Julien,

I haven't yet used the dockerized SP, but that looks like quite a good starting point.

// Sami

--
To unsubscribe from this list send an email to [hidden email]