IdP install issue
Daniel A. Ramaley
daniel.ramaley at drake.edu
Fri Nov 18 19:41:21 GMT 2011
Hello. I'm trying to get the IdP running on a RHEL 6 server but having
trouble getting it to start up.
I installed Sun Java and Tomcat 6 from the RHEL repositories and made
sure that Tomcat is using Sun Java and not the GCJ Java it uses by
default. (I switched the system java using the "alternatives" command,
and confirmed Tomcat is using Sun Java by looking at the ps list after
starting it.) The regular Apache web server is also running (on ports 80
and 443) and uses mod_proxy_ajp to pass traffic to the Tomcat backend.
When Tomcat starts, it creates logs in /opt/shibboleth-idp/logs, but all
those files are empty. I get output in 3 logs in /var/log/tomcat6; the
contents of which are pasted below.
Any ideas? I'm not an expert at reading Tomcat logs. I've found a few
things not included in the Shibboleth install documentation via Google
that needed to be done, such as setting permissions on
/opt/shibboleth-idp/logs, and including the "endorsed" directory in
common.loader in /usr/share/tomcat6/conf/catalina.properties. But I've
not yet found what the exact problem is.
Below are the logs I have, and the exact steps I've used to get to
where I'm at.
catalina.2011-11-18.log (28 lines)
----------------------------------
Nov 18, 2011 10:27:35 AM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.22.
Nov 18, 2011 10:27:35 AM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Nov 18, 2011 10:27:35 AM org.apache.coyote.http11.Http11AprProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Nov 18, 2011 10:27:36 AM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-8443
Nov 18, 2011 10:27:36 AM org.apache.coyote.ajp.AjpAprProtocol init
INFO: Initializing Coyote AJP/1.3 on ajp-8009
Nov 18, 2011 10:27:36 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1786 ms
Nov 18, 2011 10:27:36 AM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Nov 18, 2011 10:27:36 AM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.24
Nov 18, 2011 10:27:36 AM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor manager.xml
Nov 18, 2011 10:27:36 AM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor idp.xml
Nov 18, 2011 10:27:39 AM org.apache.catalina.core.StandardContext start
SEVERE: Error listenerStart
Nov 18, 2011 10:27:39 AM org.apache.catalina.core.StandardContext start
SEVERE: Context [/idp] startup failed due to previous errors
Nov 18, 2011 10:27:39 AM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
SEVERE: A web application created a ThreadLocal with key of type [org.springframework.core.NamedThreadLocal] (value [Prototype beans currently in creation]) and a value of type [null] (value [null]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
Nov 18, 2011 10:27:39 AM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
SEVERE: A web application created a ThreadLocal with key of type [org.springframework.core.NamedThreadLocal] (value [XML bean definition resources currently being loaded]) and a value of type [null] (value [null]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
catalina.out (46 lines)
-----------------------
Nov 18, 2011 10:27:35 AM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.22.
Nov 18, 2011 10:27:35 AM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Nov 18, 2011 10:27:35 AM org.apache.coyote.http11.Http11AprProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Nov 18, 2011 10:27:36 AM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-8443
Nov 18, 2011 10:27:36 AM org.apache.coyote.ajp.AjpAprProtocol init
INFO: Initializing Coyote AJP/1.3 on ajp-8009
Nov 18, 2011 10:27:36 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1786 ms
Nov 18, 2011 10:27:36 AM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Nov 18, 2011 10:27:36 AM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.24
Nov 18, 2011 10:27:36 AM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor manager.xml
Nov 18, 2011 10:27:36 AM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor idp.xml
Nov 18, 2011 10:27:39 AM org.apache.catalina.core.StandardContext start
SEVERE: Error listenerStart
Nov 18, 2011 10:27:39 AM org.apache.catalina.core.StandardContext start
SEVERE: Context [/idp] startup failed due to previous errors
Nov 18, 2011 10:27:39 AM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
SEVERE: A web application created a ThreadLocal with key of type [org.springframework.core.NamedThreadLocal] (value [Prototype beans currently in creation]) and a value of type [null] (value [null]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
Nov 18, 2011 10:27:39 AM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
SEVERE: A web application created a ThreadLocal with key of type [org.springframework.core.NamedThreadLocal] (value [XML bean definition resources currently being loaded]) and a value of type [null] (value [null]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
Nov 18, 2011 10:27:39 AM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor host-manager.xml
Nov 18, 2011 10:27:39 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory docs
Nov 18, 2011 10:27:40 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory examples
Nov 18, 2011 10:27:40 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory ROOT
Nov 18, 2011 10:27:40 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory sample
Nov 18, 2011 10:27:40 AM org.apache.coyote.http11.Http11AprProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Nov 18, 2011 10:27:40 AM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-8443
Nov 18, 2011 10:27:40 AM org.apache.coyote.ajp.AjpAprProtocol start
INFO: Starting Coyote AJP/1.3 on ajp-8009
Nov 18, 2011 10:27:40 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 4770 ms
localhost.2011-11-18.log (83 lines)
-----------------------------------
Nov 18, 2011 10:27:37 AM org.apache.catalina.core.ApplicationContext log
INFO: Initializing Spring root WebApplicationContext
Nov 18, 2011 10:27:39 AM org.apache.catalina.core.StandardContext listenerStart
SEVERE: Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.OpensamlConfig' defined in URL [file:/opt/shibboleth-idp/conf/internal.xml]: Cannot resolve reference to bean 'shibboleth.ParserPool' while setting bean property 'parserPool'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.ParserPool' defined in URL [file:/opt/shibboleth-idp/conf/internal.xml]: Cannot create inner bean 'shibboleth.XercesSecurityManager' of type [org.apache.xerces.util.SecurityManager] while setting bean property 'builderAttributes' with key [TypedStringValue: value [http://apache.org/xml/properties/security-manager], target type [null]]; nested exception is org.springframework.beans.factory.CannotLoadBeanClassException: Cannot find class [org.apache.xerces.util.SecurityManager] for bean with name 'shibboleth.XercesSecurityManager' defined in URL [file:/opt/shibboleth-idp/conf/internal.xml]; nested exception is java.lang.ClassNotFoundException: org.apache.xerces.util.SecurityManager
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:275)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:104)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1245)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1010)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:472)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380)
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264)
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:261)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:185)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:164)
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:429)
    at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:728)
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:380)
    at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:255)
    at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:199)
    at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:45)
    at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3972)
    at org.apache.catalina.core.StandardContext.start(StandardContext.java:4467)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:637)
    at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:563)
    at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:498)
    at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
    at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
    at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
    at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
    at org.apache.catalina.core.StandardService.start(StandardService.java:516)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.ParserPool' defined in URL [file:/opt/shibboleth-idp/conf/internal.xml]: Cannot create inner bean 'shibboleth.XercesSecurityManager' of type [org.apache.xerces.util.SecurityManager] while setting bean property 'builderAttributes' with key [TypedStringValue: value [http://apache.org/xml/properties/security-manager], target type [null]]; nested exception is org.springframework.beans.factory.CannotLoadBeanClassException: Cannot find class [org.apache.xerces.util.SecurityManager] for bean with name 'shibboleth.XercesSecurityManager' defined in URL [file:/opt/shibboleth-idp/conf/internal.xml]; nested exception is java.lang.ClassNotFoundException: org.apache.xerces.util.SecurityManager
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:230)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:117)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveManagedMap(BeanDefinitionValueResolver.java:320)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:134)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1245)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1010)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:472)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380)
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264)
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:261)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:185)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:164)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:269)
    ... 42 more
Caused by: org.springframework.beans.factory.CannotLoadBeanClassException: Cannot find class [org.apache.xerces.util.SecurityManager] for bean with name 'shibboleth.XercesSecurityManager' defined in URL [file:/opt/shibboleth-idp/conf/internal.xml]; nested exception is java.lang.ClassNotFoundException: org.apache.xerces.util.SecurityManager
    at org.springframework.beans.factory.support.AbstractBeanFactory.resolveBeanClass(AbstractBeanFactory.java:1141)
    at org.springframework.beans.factory.support.AbstractBeanFactory.resolveBeanClass(AbstractBeanFactory.java:1105)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:386)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:219)
    ... 57 more
Caused by: java.lang.ClassNotFoundException: org.apache.xerces.util.SecurityManager
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1484)
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1329)
    at org.springframework.util.ClassUtils.forName(ClassUtils.java:211)
    at org.springframework.beans.factory.support.AbstractBeanDefinition.resolveBeanClass(AbstractBeanDefinition.java:385)
    at org.springframework.beans.factory.support.AbstractBeanFactory.resolveBeanClass(AbstractBeanFactory.java:1138)
    ... 62 more
Nov 18, 2011 10:27:39 AM org.apache.catalina.core.ApplicationContext log
INFO: Closing Spring root WebApplicationContext
Setup instructions
==================
Login to Red Hat Network and enable the "Supplementary" repository. It is needed
for Java and Tomcat software.
Now install extra stuff: Java, Apache, Tomcat:
# yum install java-1.6.0-sun java-1.6.0-sun-devel
# yum install httpd mod_ssl
# yum install tomcat-native tomcat6 tomcat6-admin-webapps \
tomcat6-docs-webapp tomcat6-webapps
Verify the JDK will be the default for the system; select the Sun version.
# /usr/sbin/alternatives --config java
# /usr/sbin/alternatives --config javac
Set up java environment variables and path:
# (echo 'export JAVA_HOME=/etc/alternatives/java_sdk' ;
echo 'export JRE_HOME=/etc/alternatives/jre' ;
echo 'export PATH=$JAVA_HOME/bin:$PATH') \
>> /etc/profile.d/java.sh
Start the daemons:
# chkconfig httpd on
# service httpd start
# chkconfig tomcat6 on
# service tomcat6 start
Iptables
--------
Add these lines to /etc/sysconfig/iptables and restart the service:
# Apache, Tomcat
-A INPUT -m state --state NEW -p tcp -m multiport --dports 80,443,8080,8443 -j ACCEPT
Configure Tomcat
----------------
Create the endorsed directory:
# mkdir /var/lib/tomcat6/endorsed
# chgrp tomcat /var/lib/tomcat6/endorsed
# chmod 775 /var/lib/tomcat6/endorsed
# ln -s /var/lib/tomcat6/endorsed /usr/share/tomcat6/endorsed
Edit /etc/tomcat6/server.xml and add the "enableLookups" stanza to this
line:
<Connector port="8009" enableLookups="false" protocol="AJP/1.3"
redirectPort="8443" />
That will allow Apache to proxy traffic for Tomcat.
Add these lines to /etc/tomcat6/tomcat6.conf and restart Tomcat:
# Custom settings for Shibboleth
JAVA_OPTS="${JAVA_OPTS} -Djava.endorsed.dirs=/usr/share/tomcat6/endorsed -Xms512m -Xmx1024m -XX:MaxPermSize=128m"
Restart Tomcat so changes take effect:
# /etc/init.d/tomcat6 restart
Apache
------
Copy certificates to this machine and then edit /etc/httpd/conf.d/ssl.conf to
set these in the VirtualHost:
SSLCertificateFile /etc/pki/tls/certs/STAR_drake_edu.crt
SSLCertificateKeyFile /etc/pki/tls/private/wildcard.key
SSLCertificateChainFile /etc/pki/tls/certs/STAR_drake_edu.ca-bundle
Restart Apache to make changes take effect:
# /etc/init.d/httpd restart
To configure the Apache proxy to pass traffic to Tomcat we have to use
mod_proxy_ajp. Edit /etc/httpd/conf.d/custom.conf and add these lines:
<Proxy *>
AddDefaultCharset Off
Order deny,allow
Allow from all
</Proxy>
ProxyPass / ajp://localhost:8009/
ProxyPassReverse / ajp://localhost:8009/
Restart Apache so changes take effect. Now when browsing to the HTTP and HTTPS
ports, you should see Tomcat pages.
Shibboleth Identity Provider
----------------------------
Download tomcat6-dta-ssl-1.0.0.jar into TOMCAT_HOME/lib/:
# wget http://shibboleth.internet2.edu/downloads/maven2/edu/internet2/middleware/security/tomcat6/tomcat6-dta-ssl/1.0.0/tomcat6-dta-ssl-1.0.0.jar
# cp -p tomcat6-dta-ssl-1.0.0.jar /usr/share/tomcat6/lib/
Download the IdP from http://shibboleth.net/downloads/identity-provider/latest/
and unpack it:
# URLDIR=http://shibboleth.net/downloads/identity-provider/latest
# FILE=shibboleth-identityprovider-2.3.5
# wget ${URLDIR}/${FILE}-bin.zip
# unzip ${FILE}-bin.zip
Endorse Xerces and Xalan by copying the .jar files included in the IdP source
into the endorsed directory:
# cp -p ${FILE}/endorsed/* /var/lib/tomcat6/endorsed/
Install Shibboleth IdP:
# cd ${FILE}
# ./install.sh
Select the default install directory (/opt/shibboleth-idp). Generate a secure
password for the keystore when prompted, and save the password for the next
step.
Make sure Tomcat can write logs:
# chgrp tomcat /opt/shibboleth-idp/logs
# chmod 775 /opt/shibboleth-idp/logs
Edit /etc/tomcat6/server.xml and set the port 8443 connector as follows. Replace
the "PASSWORD" with the one set while generating the keystore:
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11Protocol"
SSLImplementation="edu.internet2.middleware.security.tomcat6.DelegateToApplicationJSSEImplementation"
scheme="https"
SSLEnabled="true"
clientAuth="true"
keystoreFile="/opt/shibboleth-idp/credentials/idp.jks"
keystorePass="PASSWORD" />
Create a file /usr/share/tomcat6/conf/Catalina/localhost/idp.xml with these
contents:
<Context docBase="/opt/shibboleth-idp/war/idp.war"
privileged="true"
antiResourceLocking="false"
antiJARLocking="false"
unpackWAR="false"
swallowOutput="true" />
Edit /etc/tomcat6/catalina.properties and add ",${catalina.home}/endorsed/*.jar"
to the common.loader line, so that it reads:
common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.home}/endorsed/*.jar
--
Daniel A. Ramaley
Network Engineer 2
Dial Center 112, Drake University
2407 Carpenter Ave / Des Moines IA 50311 USA
Tel: +1 515 271-4540
Fax: +1 515 271-1938
E-mail: daniel.ramaley at drake.edu
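Added diagnostic for the setup above (example code written for this page; it is not from the poster, the Shibboleth project, or Red Hat). The bean that fails in the trace, shibboleth.XercesSecurityManager, installs Xerces' org.apache.xerces.util.SecurityManager on the IdP's parser pool through the http://apache.org/xml/properties/security-manager property; that class is what caps entity expansion in the XML the IdP parses, and the JDK's bundled copy of Xerces (under com.sun.org.apache.xerces.internal) does not provide it, so the IdP fails to start rather than run with a parser that lacks the limit. The script checks the three places the post's endorsed-Xerces setup can silently break (the jar is not in the endorsed directory, common.loader does not name it, tomcat6.conf does not set -Djava.endorsed.dirs or points it at a missing directory) and one exposure the Apache section creates: `ProxyPass / ajp://...` forwards every path, including the manager and host-manager webapps installed from tomcat6-admin-webapps, through the public vhost unless they are excluded with `ProxyPass /manager !`. Assumptions: the file is saved as idp-endorsed-check.sh, the default paths are the RHEL 6 tomcat6 layout from the post, and GNU grep/sed are available.

```shell
#!/bin/sh
# idp-endorsed-check.sh: added diagnostic for the setup described in the
# post above; not part of the Shibboleth or Tomcat distributions. It checks
# the places where the endorsed-Xerces setup can break and leave the IdP with
# "ClassNotFoundException: org.apache.xerces.util.SecurityManager", plus one
# exposure check on the Apache proxy config. Default paths are the RHEL 6
# tomcat6 layout from the post; every function takes its inputs as arguments.

XERCES_SM=org.apache.xerces.util.SecurityManager

# A jar is a zip and entry names are stored uncompressed, so a fixed-string
# binary grep for the class path tells whether the class is in the jar,
# with no unzip or JDK needed on the box.
jar_has_class() {
    jar="$1"; entry="$(printf '%s' "$2" | tr . /).class"
    [ -f "$jar" ] && grep -aqF -- "$entry" "$jar"
}

# Print the first jar under DIR that contains CLASS; rc 1 if none does.
find_class_in_dir() {
    dir="$1"; class="$2"
    for j in "$dir"/*.jar; do
        [ -e "$j" ] || continue
        if jar_has_class "$j" "$class"; then printf '%s\n' "$j"; return 0; fi
    done
    return 1
}

# Value of KEY in a .properties file, with backslash-continued lines joined
# (catalina.properties writes common.loader that way).
prop_value() {
    sed -e :a -e '/\\$/N; s/\\\n//; ta' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# The IdP webapp sees Tomcat's common loader; unless common.loader names the
# endorsed jars, the endorsed Xerces is never on that loader's path.
common_loader_has_endorsed() {
    case "$(prop_value "$1" common.loader)" in
        *endorsed/\*.jar*) return 0 ;;
        *) return 1 ;;
    esac
}

# Last -Djava.endorsed.dirs= value in a tomcat6.conf-style file (empty if unset).
endorsed_dirs_from_conf() {
    grep -o 'java\.endorsed\.dirs=[^ "]*' "$1" | tail -n 1 | cut -d= -f2
}

# 'ProxyPass / ajp://...' forwards every path, including the manager and
# host-manager webapps from tomcat6-admin-webapps, through the public vhost
# unless they are excluded first with 'ProxyPass /manager !'.
proxy_exposes_manager() {
    grep -Eq '^[[:space:]]*ProxyPass[[:space:]]+/[[:space:]]+ajp://' "$1" || return 1
    grep -Eq '^[[:space:]]*ProxyPass[[:space:]]+/manager[[:space:]]+!' "$1" && return 1
    return 0
}

diagnose() {
    endorsed="${1:-/usr/share/tomcat6/endorsed}"
    props="${2:-/etc/tomcat6/catalina.properties}"
    conf="${3:-/etc/tomcat6/tomcat6.conf}"
    httpd="${4:-/etc/httpd/conf.d/custom.conf}"
    rc=0
    if jar=$(find_class_in_dir "$endorsed" "$XERCES_SM"); then
        echo "ok   $XERCES_SM found in $jar"
    else
        echo "FAIL no jar in $endorsed contains $XERCES_SM"; rc=1
    fi
    if common_loader_has_endorsed "$props"; then
        echo "ok   common.loader in $props includes endorsed/*.jar"
    else
        echo "FAIL common.loader in $props does not include endorsed/*.jar"; rc=1
    fi
    dirs=$(endorsed_dirs_from_conf "$conf")
    if [ -n "$dirs" ] && [ -d "$dirs" ]; then
        echo "ok   $conf sets java.endorsed.dirs=$dirs"
    else
        echo "FAIL $conf: java.endorsed.dirs unset or names a missing directory ('$dirs')"; rc=1
    fi
    if [ -f "$httpd" ] && proxy_exposes_manager "$httpd"; then
        echo "WARN $httpd proxies / to Tomcat without excluding /manager"
    fi
    return $rc
}

# Run the checks only when invoked under this file name, so the functions can
# also be sourced by other scripts.
case "${0##*/}" in idp-endorsed-check*) diagnose "$@" ;; esac
```

Run it as root with no arguments on the IdP host; any FAIL line names the file that still needs fixing before Tomcat is restarted, and a non-zero exit makes it usable from a config-management check. The jar test greps the jar as a binary rather than calling `unzip` or `jar` so it works on a box where only the JRE is installed.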