Jetty 9.4 listening on http

Wessel, Keith kwessel at illinois.edu
Wed May 29 17:43:08 EDT 2019


Thanks, Scott. By creating the dummy pkcs12 keystore containing a self-signed cert and also adding http to the dependent modules in idp.mod, Jetty is now listening on both 8443 with HTTPS and 8080 with HTTP, localhost for both, of course. It was necessary to add the http module to idp.mod or my instance only listened on 8443 which, if you're using Jetty without an Apache proxy fronting it, makes sense.

I know you said that eliminating the need for a dummy keystore and turning off the https listener is a bit more involved, but for completeness, I tried just removing https from the idp.mod at this point and got:

java.lang.IllegalStateException: No default protocol for ServerConnector@cb42dee{null,[]}{0.0.0.0:8443}

What I have now is certainly workable. But I might poke it a little more to figure out how to get the https piece to be disabled. Not worth opening an issue in Jira and making it your problem, though, since what I have now does the trick. More of a challenge for me.

Thanks,
Keith

-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Wednesday, May 29, 2019 12:25 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Jetty 9.4 listening on http

On 5/29/19, 1:18 PM, "users on behalf of Wessel, Keith" <users-bounces at shibboleth.net on behalf of kwessel at illinois.edu> wrote:

> I thought about that, Scott. Question then becomes which of the SSL properties I still need to set that I won't be making
> use of. Which are required? If keystore is required, do I just make a dummy self-signed one?

I assume all these are required:

jetty.sslContext.keyStorePath=credentials/userfacing.p12
jetty.sslContext.trustStorePath=credentials/userfacing.p12
jetty.sslContext.keyStoreType=PKCS12
jetty.sslContext.trustStoreType=PKCS12

If it's not being used I imagine a dummy key is best to flag any improper access.

-- Scott
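
Added example, not part of the original thread: one way to build the dummy self-signed PKCS12 keystore discussed above with openssl, giving it a subject that marks it as a placeholder so any access to the unused HTTPS listener stands out. The function names, the CN, the validity period and the KS_PASS variable are assumptions; the path in the usage comment is the one from the properties listed above.

```shell
#!/bin/sh
# Throwaway PKCS12 keystore for a Jetty HTTPS connector that is configured
# but not meant to serve users (TLS terminates at a fronting proxy).
# Assumptions: openssl is installed, and the JVM running Jetty can read the
# PKCS12 encryption this openssl version writes.
#
# Usage: make_dummy_keystore credentials/userfacing.p12 "$STORE_PASSWORD"

make_dummy_keystore() {
    out="$1"    # keystore path Jetty is pointed at
    pass="$2"   # must match the keystore password configured in Jetty
    tmp=$(mktemp -d) || return 1

    # Self-signed cert with an obviously fake subject: a client that ever
    # reaches this listener gets a cert that cannot be mistaken for the
    # real user-facing one.
    if ! openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
            -subj "/CN=unused-dummy.invalid" \
            -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null; then
        rm -rf "$tmp"
        return 1
    fi

    mkdir -p "$(dirname "$out")"
    rc=0
    # umask keeps the keystore owner-only; the password goes through the
    # environment so it does not appear in the process list.
    ( umask 077
      KS_PASS="$pass" openssl pkcs12 -export -name dummy \
          -inkey "$tmp/key.pem" -in "$tmp/cert.pem" \
          -out "$out" -passout env:KS_PASS ) || rc=$?
    rm -rf "$tmp"   # the unencrypted PEM key must not be left behind
    return $rc
}

# Print the certificate subject stored in the keystore, to confirm the file
# opens with the given password and holds the placeholder cert.
keystore_subject() {
    KS_PASS="$2" openssl pkcs12 -in "$1" -passin env:KS_PASS -nokeys 2>/dev/null \
        | openssl x509 -noout -subject
}
```

Because the same file is used for both the keyStorePath and trustStorePath properties, one generated keystore covers all four settings.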

