Shibboleth Upgrade Guide

Shibboleth Upgrade Guide
Shibboleth Version 1.1
July 29, 2003


Latest Origin Upgrade Latest Target Upgrade

This guide contains suggested steps to upgrade from a Shibboleth 1.0 installation to a Shibboleth 1.1 installation. There are many ways to do this and some steps may need to be modified to reflect differences in the local installation.

Shibboleth 1.1 is fully backward compatible with Shibboleth 1.0; however, some features have been deprecated, so all deployments are highly encouraged to move to current configurations. For a full list of new and changed functionality, consult the header of the Shibboleth Deployment Guides.

Origin

v1.0 to v1.1

All Shibboleth 1.0 configuration specifications are still current as of Shibboleth 1.1.

  1. Shutdown Tomcat.
  2. Copy the following files to a scratch directory:
    1. origin.properties (defaults to $CATALINA_HOME/webapps/shibboleth/WEB-INF/classes/conf/origin.properties)
    2. resolver.xml (defaults to $CATALINA_HOME/webapps/shibboleth/WEB-INF/classes/conf/resolver.xml)
    3. The logging configuration file (defaults to $CATALINA_HOME/webapps/shibboleth/WEB-INF/classes/conf/log4j.properties)
    4. The HS' Keystore (defaults to $CATALINA_HOME/webapps/shibboleth/WEB-INF/classes/conf/keystore.jks)
    5. The web application deployment descriptor (defaults to $CATALINA_HOME/webapps/shibboleth/WEB-INF/web.xml)
    6. Any created ARP's (defaults to $CATALINA_HOME/webapps/shibboleth/WEB-INF/classes/conf/arps/*)
    7. The crypto handle repository keystore (if used) (defaults to $CATALINA_HOME/webapps/shibboleth/WEB-INF/classes/conf/handle.jks)
    8. The targetedId attribute keystore (if used) (defaults to $CATALINA_HOME/webapps/shibboleth/WEB-INF/classes/conf/persistent.jks)
  3. Delete the old origin.
  4. Deploy the new origin.
  5. Copy over the files from the scratch directory.
  6. Start up Tomcat.

Target

v1.0 to v1.1

Shibboleth 1.1 handles attributes differently than 1.0. Attributes are now added to the target in one place rather than three. The [attributes] section may be deleted from shibboleth.ini, and all ShibMapAttribute commands maybe be removed from the Apache configuration. Any customization of the ShibMapAttribute parameters needs to be reflected in AAP.xml, as documented in the Shibboleth Target Deploy Guide.

  1. Stop the SHAR and Apache.
  2. Move the old Shibboleth to a new folder:
    $ mv /opt/shibboleth /opt/shibboleth-old
  3. Unpack/install the new .tarball into /opt/shibboleth.
  4. Copy the old configuration files back into the new Shibboleth's folder:
    $ cp /opt/shibboleth-old/etc/shibboleth/shibboleth.ini \
         /opt/shibboleth-old/etc/shibboleth/*.xml \
         /opt/shibboleth-old/etc/shibboleth/*.log* \
         /opt/shibboleth-old/etc/shibboleth/*.html \
         /opt/shibboleth/etc/shibboleth
  5. If changes have been made to apache.config and it is being used to configure Apache, it should be copied over as well in a similar fashion.
  6. Copy over the SHAR's key and certificate if they are stored in the old /opt tree.
  7. Restart the target.