Posted to commits@cxf.apache.org by bu...@apache.org on 2012/07/16 17:47:54 UTC
svn commit: r826005 - in /websites/production/cxf/content:
cache/main.pageCache fediz-idp.html
Author: buildbot
Date: Mon Jul 16 15:47:54 2012
New Revision: 826005
Log:
Production update by buildbot for cxf
Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/fediz-idp.html
Modified: websites/production/cxf/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/cxf/content/fediz-idp.html
==============================================================================
--- websites/production/cxf/content/fediz-idp.html (original)
+++ websites/production/cxf/content/fediz-idp.html Mon Jul 16 15:47:54 2012
@@ -146,20 +146,29 @@ Apache CXF -- Fediz IDP
<p>The Fediz IDP has been tested with Tomcat 6 and 7 but should be able to work with any commercial JEE application server.</p>
-<p>Deploy the WAR files to your Tomcat installation (<catalina.home>/webapps). Once done, you should be able to see the Fediz STS from a browser at <a shape="rect" class="external-link" href="http://localhost:9080/fedizidpsts/STSService?wsdl" rel="nofollow">http://localhost:9080/fedizidpsts/STSService?wsdl</a>, assuming you're using port 9080 as listed below.</p>
+<p>It's recommended to set up a dedicated (separate) Tomcat instance for the IDP compared to the one hosting the RP (relying party) applications. Using one deployment of Tomcat with multiple CATALINA_BASE instances, as described <a shape="rect" class="external-link" href="http://www.shaunabram.com/multiple-tomcat-instances/" rel="nofollow">here</a> is one option but note any libs in $CATALINA_HOME/lib folder will be shared throughout each of the activated CATALINA_BASE instances. Another probably simpler alternative is to copy your Tomcat folder into a second location and edit its conf/server.xml file and change <a shape="rect" class="external-link" href="http://viralpatel.net/blogs/2009/08/running-multiple-instance-apache-tomcat-single-server.html" rel="nofollow">these port values</a> so they don't conflict with the original Tomcat installation. </p>
-<p>A Relying Party application trusts the IDP/STS component that the IDP authenticated the browser user. The trust is established based on the certificate/private key used by the STS to sign the SAML token. The signing certificate is located in <tt>webapps/fediz-idp-sts/WEB-INF/classes/stsstore.jks</tt>. You must copy this keystore to a location where the Relying Party can reference it in its <a shape="rect" href="fediz-configuration.html" title="Fediz Configuration">Fediz Configuration</a> in the element <tt>certificateStores</tt>.</p>
-
-<p><b>This keystore contains the private key as well. In a production environment, you must not deploy the private key of the STS to the Relying Party</b></p>
+<p>To start and stop this second Tomcat instance, it is perhaps easiest to create small startup.sh and shutdown.sh scripts that temporarily redefine $CATALINA_HOME from the first to the second instance, for example:</p>
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<pre class="code-java">
+CATALINA_HOME=/path/to/second/tomcat
+$CATALINA_HOME/bin/startup.sh
+</pre>
+</div></div>
-<h3><a shape="rect" name="FedizIDP-Configuration"></a>Configuration</h3>
+<p>and</p>
-<p>You can manage the users, their claims and the claims per application in the IDP.</p>
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<pre class="code-java">
+CATALINA_HOME=/path/to/second/tomcat
+$CATALINA_HOME/bin/shutdown.sh
+</pre>
+</div></div>
-<h5><a shape="rect" name="FedizIDP-HTTPSconfiguration"></a>HTTPS configuration</h5>
+<p>If you're using the one Tomcat with multiple instance option, it's $CATALINA_BASE that will need to be redefined.</p>
-<p>It's recommended to set up a dedicated (separate) Tomcat instance for the IDP. Using one deployment of Tomcat with multiple CATALINA_BASE instances, as described <a shape="rect" class="external-link" href="http://www.shaunabram.com/multiple-tomcat-instances/" rel="nofollow">here</a> is one option but note any libs in $CATALINA_HOME/lib folder will be shared throughout each of the activated CATALINA_BASE instances. Another probably simpler alternative is to copy your Tomcat folder into a second location and edit its conf/server.xml file and change <a shape="rect" class="external-link" href="http://viralpatel.net/blogs/2009/08/running-multiple-instance-apache-tomcat-single-server.html" rel="nofollow">these port values</a> so they don't conflict with the original Tomcat installation. The Fediz examples use the following TCP ports to interact with the IDP/STS:</p>
+<p>The Fediz examples use the following TCP ports for the IDP/STS:</p>
<ul><li>HTTP port: 9080 (used for Maven deployment, mvn tomcat:redeploy)</li><li>HTTPS port: 9443 (where IDP and STS are accessed)</li></ul>
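Review bot: dropping the two `-<p>` lines about `stsstore.jks` and the bold "you must not deploy the private key of the STS to the Relying Party" note removes the only place this page tells the reader that the RP's `certificateStores` entry needs the STS signing certificate alone, not the keystore holding its private key; keep at least one sentence stating that, since the new trust-README pointer added later in this commit does not say it. Also, the added startup/shutdown snippets assign `CATALINA_HOME=/path/to/second/tomcat` without `export`, which only works because `catalina.sh` derives CATALINA_HOME from its own path when unset; for the CATALINA_BASE variant mentioned in the `+<p>If you're using the one Tomcat with multiple instance option` line, an unexported assignment is invisible to the child script and CATALINA_BASE silently falls back to CATALINA_HOME, so write `export CATALINA_BASE=...` or `CATALINA_BASE=/path/to/base $CATALINA_HOME/bin/startup.sh` there. The `<pre class="code-java">` class on shell snippets is a minor style nit.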
@@ -172,34 +181,22 @@ Apache CXF -- Fediz IDP
<pre class="code-xml">
<Connector port=<span class="code-quote">"9443"</span> protocol=<span class="code-quote">"HTTP/1.1"</span> SSLEnabled=<span class="code-quote">"true"</span>
maxThreads=<span class="code-quote">"150"</span> scheme=<span class="code-quote">"https"</span> secure=<span class="code-quote">"true"</span>
- keystoreFile=<span class="code-quote">"tomcatKeystore.jks"</span>
+ keystoreFile=<span class="code-quote">"tomcat-idp.jks"</span>
keystorePass=<span class="code-quote">"tompass"</span> sslProtocol=<span class="code-quote">"TLS"</span> />
</pre>
</div></div>
<p>The keystoreFile is relative to $CATALINA_HOME. See <a shape="rect" class="external-link" href="http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html">here</a> for the Tomcat 7 configuration reference. This page also describes how to create certificates.</p>
-<p><b>Production: It's highly recommended to deploy certificates signed by a Certificate Authority</b></p>
+<p>Once you deploy the IDP WAR files to your Tomcat installation (<catalina.home>/webapps), you should be able to see the Fediz STS from a browser at <a shape="rect" class="external-link" href="http://localhost:9080/fedizidpsts/STSService?wsdl" rel="nofollow">http://localhost:9080/fedizidpsts/STSService?wsdl</a>, assuming you're using port 9080 as listed above.</p>
-<p>To start and stop this second Tomcat instance, it is perhaps easiest to create small startup.sh and shutdown.sh scripts that temporarily redefine $CATALINA_HOME from the first to the second instance, for example:</p>
+<p>To establish trust, there are significant keystore/truststore requirements between the Tomcat instances and the various web applications (IDP, STS, Relying party applications, third party web services, etc.) See <a shape="rect" class="external-link" href="http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co">this page</a> for more details, it lists the trust requirements as well as sample scripts for creating your own (self-signed) keys.</p>
-<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-java">
-CATALINA_HOME=/path/to/second/tomcat
-$CATALINA_HOME/bin/startup.sh
-</pre>
-</div></div>
+<p><b>Warning: The sample keystores provided in the WAR files are for development/prototyping use ONLY. They'll need to be replaced for production use, at a minimum with your own self-signed keys but strongly recommended to use third-party signed keys.</b></p>
-<p>and</p>
-
-<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-java">
-CATALINA_HOME=/path/to/second/tomcat
-$CATALINA_HOME/bin/shutdown.sh
-</pre>
-</div></div>
+<h3><a shape="rect" name="FedizIDP-Configuration"></a>Configuration</h3>
-<p>If you're using the one Tomcat with multiple instance option, it's $CATALINA_BASE that will need to be redefined.</p>
+<p>You can manage the users, their claims and the claims per application in the IDP.</p>
<h5><a shape="rect" name="FedizIDP-Userandpassword"></a>User and password</h5>
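Review bot: the unchanged context line "The keystoreFile is relative to $CATALINA_HOME" becomes misleading now that this commit recommends separate CATALINA_BASE instances; Tomcat resolves a relative `keystoreFile` against $CATALINA_BASE, which is the same directory only in the single-instance case, so that sentence should be updated in the same change. The renamed `keystoreFile="tomcat-idp.jks"` still sits next to a literal `keystorePass="tompass"`; the new bold warning covers the sample keystores, but it would help to say explicitly that the password in this Connector example is the sample one and must change with the keystore. Finally, the added sentence `See ... this page for more details, it lists the trust requirements` is a comma splice; split it into two sentences.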
@@ -390,11 +387,7 @@ value=<span class="code-quote">"c"</span
<ul><li>lang-2.1.0.jar</li><li>ldapbp-1.0.jar</li><li>spring-ldap-1.2.jar</li></ul>
-
-
-<h3><a shape="rect" name="FedizIDP-ConfigureCAcertificates"></a>Configure CA certificates</h3>
-
-<p>tbd</p></div>
+</div>
</div>
<!-- Content -->
</td>
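Review bot: removing the placeholder "Configure CA certificates" section also removes the `FedizIDP-ConfigureCAcertificates` anchor, so any existing link or bookmark to it will now land at the top of the page; check the other Fediz pages for references to that anchor before dropping it, or keep the heading with a short pointer to the trust-README link added earlier in this commit. The `</div>` balance after the deletion (`-<p>tbd</p></div>` replaced by `+</div>`) looks correct.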