Further IDP and Firefox Security Warning Message Questions

Peterson, Tommy Tommy.Peterson at xpandcorp.com
Wed Aug 3 17:37:32 BST 2011


SSL is terminated on the load balancer, but I have the same cert on the IDP server. So what do I do? On the SP Apache I added virtual hosting for 80 and SSL for this same issue.

While I did place the jar file in the tomcat/lib directory, I am confused as to what the directions mean in conjunction with what you say below. Are you saying that I need both a 443 and an 8443 connector? The Shibboleth instructions show the 8443, which I have. All resources I found indicate that you use 8443 if you want to set up SSL on Tomcat. But now you are suggesting that I use 443, so I am a little confused here.

I did all of this -> https://wiki.shibboleth.net/confluence/display/SHIB2/IdPApacheTomcatPrepare except the context fragment. I just manually move it over, as it hardly ever changes since I got this set up.

Thanks.

-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott E.
Sent: Wednesday, August 03, 2011 11:29 AM
To: users at shibboleth.net
Subject: Re: Further IDP and Firefox Security Warning Message Questions

On 8/3/11 10:41 AM, "Peterson, Tommy" <Tommy.Peterson at xpandcorp.com> wrote:

>I saw the discussion over the last few days about this and the advice
>involving artifacts etc. However, I was wondering if you could provide me
>more details on the suggested Tomcat configuration for the IDP where this
>is related.

Your IdP has no impact on the FF warning unless you stop using SSL there,
which I wouldn't really advise.

>
>I never had this issue until we moved to the server with the load
>balancer, external domain names, and real SSL certificates.

You have the issue because your application is (incorrectly or not) using
http instead of https. All IdPs use SSL, as they should, so if you switch
you get the warning, or you switch to a SAML binding that doesn't trigger
it. Or you just deploy SSL on the SP side.

>
>On the Shibboleth web site it says to configure the Tomcat server.xml
>file as follows:
><Connector port="8443"

That has nothing to do with the warning. That's the back-channel port for
SOAP; the browser has no involvement. As Christopher said, your IdP is
broken if your client is accessing that port; it's not for browsers.

>But to avoid getting a blank white page in steps 2 and 3 above (or even if
>I just try to get the Tomcat admin page by accessing
>http://(myIDPdomain):8443 with no errors in the Tomcat or IDP logs) I
>have had to adjust the above to

I suggest you don't do that and instead follow the documentation on how to
set up Tomcat. If the custom trust override doesn't work, then you
probably didn't put the jar file where the documentation says to. The log
will tell you that.

>So are the following Tomcat connector values required?

Yes. As is fixing the IdP and the metadata to make sure you have port 443
in use for browser facing access.

443 for clients, something else (8443 usually) for SOAP. Or decide you
don't need SOAP and drop the second port.

-- Scott

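The two-connector layout Scott describes (443 for browsers, 8443 for the SOAP back channel), written out as an added example of a Tomcat 6 server.xml fragment for a Shibboleth IdP 2.x. This is not code from the thread or from the Shibboleth documentation; the keystore path and password are placeholders, and the SSLImplementation class and jar name are my recollection of what the linked IdPApacheTomcatPrepare page specifies, so check them against that page before use.

```xml
<!-- Added example, not from the thread or the Shibboleth wiki.                     -->
<!-- Assumes Tomcat 6, IdP 2.x installed under /opt/shibboleth-idp (assumed path),   -->
<!-- and the IdP's own TLS credential in credentials/idp.jks (assumed name/password). -->

<!-- 1. Browser-facing connector: plain server-side TLS, no client certificate.       -->
<!--    Front-channel endpoints in the IdP metadata (SingleSignOnService with the     -->
<!--    HTTP-Redirect/HTTP-POST bindings, SingleLogoutService, ...) must point at     -->
<!--    https://idp.example.org/idp/... on this port, i.e. no ":8443" in the URL.     -->
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11Protocol"
           scheme="https"
           secure="true"
           SSLEnabled="true"
           clientAuth="false"
           keystoreFile="/opt/shibboleth-idp/credentials/idp.jks"
           keystorePass="changeit"
           keystoreType="JKS"
           sslProtocol="TLS" />

<!-- 1b. Variant when TLS is terminated on a load balancer in front of Tomcat (the   -->
<!--     setup described at the top of this message). Tomcat then listens on plain   -->
<!--     HTTP and is told what the client actually used, so the IdP builds https://  -->
<!--     URLs with the default port. Use this INSTEAD of the 443 connector above.    -->
<!--     Assumption: the balancer-to-Tomcat hop runs on a trusted network.           -->
<!--
<Connector port="8080"
           protocol="org.apache.coyote.http11.Http11Protocol"
           scheme="https"
           secure="true"
           proxyName="idp.example.org"
           proxyPort="443" />
-->

<!-- 2. Back-channel connector for SOAP (artifact resolution, attribute query).      -->
<!--    Browsers never talk to this port; only SPs do, authenticating with their     -->
<!--    own TLS client certificate. clientAuth="want" plus the delegating            -->
<!--    SSLImplementation hands trust evaluation of that certificate to the IdP,     -->
<!--    which checks it against SP metadata instead of a Tomcat truststore. That     -->
<!--    is the "custom trust override" Scott refers to; it only works if the         -->
<!--    tomcat6-dta-ssl jar (name as I recall it, verify on the wiki) is in          -->
<!--    tomcat/lib, otherwise Tomcat logs an error about the unknown class.          -->
<!--    Because client-certificate authentication happens at the TLS layer, this    -->
<!--    port must NOT be TLS-terminated by the load balancer: pass it through at     -->
<!--    TCP level or expose it directly, or the SP's certificate never reaches       -->
<!--    the IdP.                                                                    -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11Protocol"
           SSLImplementation="edu.internet2.middleware.security.tomcat6.DelegateToApplicationJSSEImplementation"
           scheme="https"
           secure="true"
           SSLEnabled="true"
           clientAuth="want"
           keystoreFile="/opt/shibboleth-idp/credentials/idp.jks"
           keystorePass="changeit"
           keystoreType="JKS"
           sslProtocol="TLS" />
```

Two things to verify after restarting Tomcat: `openssl s_client -connect idp.example.org:443` should complete a handshake without requesting a client certificate, while `openssl s_client -connect idp.example.org:8443` should show a "Acceptable client certificate CA names" / certificate request section in its output; and every front-channel Location in the IdP's metadata should use the bare https://idp.example.org/ form, with only the SOAP (ArtifactResolutionService, AttributeService) endpoints carrying :8443. If the SOAP port is not needed, the second connector and those metadata endpoints can be dropped entirely, as Scott notes.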
