Tomcat Config Question

Tom Poage tfpoage at ucdavis.edu
Mon Mar 12 17:34:12 GMT 2012


If this helps, I use mod_proxy_ajp for ports 443 and 8443, and the
following connector declaration (i.e. we don't use the 'dta-ssl' jar).

We do it this way largely for historical reasons. I also tend to find
some things easier to do in httpd configuration than Tomcat's. I plan to
dust off Jetty in the (hopefully) not too distant future.

server.xml:

> <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" enableLookups="false" tomcatAuthentication="false" />

There is an 8080 connector, as well, but it's firewalled off to all but
localhost and a handful of internal addresses for testing.

httpd config:

> Listen 443
> Listen 8443
...
> NameVirtualHost *:443
> NameVirtualHost *:8443
...
> <VirtualHost *:443>
>   ServerName shibboleth.ucdavis.edu:443
...
>   <Location /idp/Authn/RemoteUser>
...
>     Require valid-user
>   </Location>
...
>   ProxyPass /idp/ ajp://localhost:8009/idp/
> </VirtualHost>

> <VirtualHost *:8443>
>   ServerName shibboleth.ucdavis.edu:8443
...
>   ProxyPass /idp/ ajp://localhost:8009/idp/
> </VirtualHost>

Tom.
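As an added illustration, not part of Tom's reply or the Shibboleth project's own code: a small Python check, run against a constructed server.xml modelled on the connector quoted above, that flags AJP connectors which set tomcatAuthentication="false" (so Tomcat trusts the REMOTE_USER that the httpd front end supplies) without being bound to a loopback address, and also flags plain HTTP connectors that are not bound to loopback. Port 8010 and the sample XML are constructed for contrast.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample server.xml: the first connector mirrors the one quoted
# above; the second is a deliberately weak variant (no address attribute).
SAMPLE_SERVER_XML = """<?xml version="1.0"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               enableLookups="false" tomcatAuthentication="false" />
    <Connector port="8010" protocol="AJP/1.3"
               tomcatAuthentication="false" />
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>
"""


def _is_loopback(address):
    """True if the connector's address attribute limits it to loopback."""
    if address is None:
        return False  # Tomcat binds all interfaces when address is omitted
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return address.lower() == "localhost"


def audit_connectors(server_xml):
    """Return (port, finding) tuples for connectors that need attention."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        port = conn.get("port")
        protocol = conn.get("protocol", "HTTP/1.1")
        address = conn.get("address")
        if protocol.startswith("AJP"):
            # Default for tomcatAuthentication is "true" (Tomcat authenticates);
            # "false" means the proxy-supplied REMOTE_USER is trusted as-is.
            trusts_proxy = conn.get("tomcatAuthentication", "true").lower() == "false"
            if trusts_proxy and not _is_loopback(address):
                findings.append((port, "AJP connector trusts proxy-supplied "
                                       "REMOTE_USER but is not bound to loopback"))
            elif not _is_loopback(address):
                findings.append((port, "AJP connector not bound to loopback"))
        elif not _is_loopback(address):
            findings.append((port, "HTTP connector reachable on all interfaces; "
                                   "confirm it is firewalled"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {finding}")
```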



On 03/12/2012 10:03 AM, Christopher Bland wrote:
> Hello All,
> 
> I am in the process of tracing a login context/previous session issue
> and Chad suggests it is an environment issue.  My question is, there are two
> sets of docs for Tomcat setup and I am not sure of the differences.
> 
> https://wiki.shibboleth.net/confluence/display/SHIB2/IdPApacheTomcatPrepare
> Download tomcat6-dta-ssl-1.0.0.jar
> <http://shibboleth.internet2.edu/downloads/maven2/edu/internet2/middleware/security/tomcat6/tomcat6-dta-ssl/1.0.0/tomcat6-dta-ssl-1.0.0.jar> (asc
> <http://shibboleth.internet2.edu/downloads/maven2/edu/internet2/middleware/security/tomcat6/tomcat6-dta-ssl/1.0.0/tomcat6-dta-ssl-1.0.0.jar.asc>)
> in to /TOMCAT_HOME/lib//.
> 
> <Connector port="8443"
>            protocol="org.apache.coyote.http11.Http11Protocol"
>            SSLImplementation="edu.internet2.middleware.security.tomcat6.DelegateToApplicationJSSEImplementation"
>            scheme="https"
>            SSLEnabled="true"
>            clientAuth="true"
>            keystoreFile="IDP_HOME/credentials/idp.jks"
>            keystorePass="PASSWORD" />
> 
> 
> https://spaces.internet2.edu/display/ShibInstallFest/IdP+Step-by-Step
> 
> <Connector port="8443"
>            address="10.0.1.#"
>            maxHttpHeaderSize="8192"
>            maxSpareThreads="75"
>            scheme="https"
>            secure="true"
>            clientAuth="want"
>            sslProtocol="TLS"
>            SSLEnabled="true"
>            keystoreFile="/opt/shibboleth-idp/credentials/idp.jks"
>            keystorePass="password"
>            truststoreFile="/opt/shibboleth-idp/credentials/idp.jks"
>            truststorePass="password"
>            truststoreAlgorithm="DelegateToApplication" />
> 
> 
> I am unsure of what tomcat6-dta-ssl-1.0.0.jar does, and does that mean
> that I don't need the extra parameters? 
> 
> Also I am using an Apache front-end with mod_proxy configured as
> ProxyPass /idp ajp://localhost:8009/idp.  Are ProxyPassReverse or
> ProxyPassReverseCookiePath required as part of setup also?
> 
> Any additional light anyone can shed on the subject would be helpful.
> 
> Thanks in advance,
> 
> -Chris
