Author: buildbot
Date: Mon Jul 16 15:47:54 2012
New Revision: 826005

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/main.pageCache
    websites/production/cxf/content/fediz-idp.html

Modified: websites/production/cxf/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz-idp.html
==============================================================================
--- websites/production/cxf/content/fediz-idp.html (original)
+++ websites/production/cxf/content/fediz-idp.html Mon Jul 16 15:47:54 2012
@@ -146,20 +146,29 @@ Apache CXF -- Fediz IDP
 
 <p>The Fediz IDP has been tested with Tomcat 6 and 7 but should be able to 
work with any commercial JEE application server.</p>
 
-<p>Deploy the WAR files to your Tomcat installation 
(&lt;catalina.home&gt;/webapps).  Once done, you should be able to see the 
Fediz STS from a browser at <a shape="rect" class="external-link" 
href="http://localhost:9080/fedizidpsts/STSService?wsdl"; 
rel="nofollow">http://localhost:9080/fedizidpsts/STSService?wsdl</a>, assuming 
you're using port 9080 as listed below.</p>
+<p>It's recommended to set up a dedicated (separate) Tomcat instance for the 
IDP compared to the one hosting the RP (relying party) applications.   Using 
one deployment of Tomcat with multiple CATALINA_BASE instances, as described <a 
shape="rect" class="external-link" 
href="http://www.shaunabram.com/multiple-tomcat-instances/"; 
rel="nofollow">here</a> is one option but note any libs in $CATALINA_HOME/lib 
folder will be shared throughout each of the activated CATALINA_BASE instances. 
 Another probably simpler alternative is to copy your Tomcat folder into a 
second location and edit its conf/server.xml file and change <a shape="rect" 
class="external-link" 
href="http://viralpatel.net/blogs/2009/08/running-multiple-instance-apache-tomcat-single-server.html";
 rel="nofollow">these port values</a> so they don't conflict with the original 
Tomcat installation.  </p>
 
-<p>A Relying Party application trusts the IDP/STS component that the IDP 
authenticated the browser user. The trust is established based on the 
certificate/private key used by the STS to sign the SAML token. The signing 
certificate is located in 
<tt>webapps/fediz-idp-sts/WEB-INF/classes/stsstore.jks</tt>. You must copy this 
keystore to a location where the Relying Party can reference it in its <a 
shape="rect" href="fediz-configuration.html" title="Fediz Configuration">Fediz 
Configuration</a> in the element <tt>certificateStores</tt>.</p>
-
-<p><b>This keystore contains the private key as well. In a production 
environment, you must not deploy the private key of the STS to the Relying 
Party</b></p>
+<p>To start and stop this second Tomcat instance, it is perhaps easiest to 
create small startup.sh and shutdown.sh scripts that temporarily redefine 
$CATALINA_HOME from the first to the second instance, for example:</p>
 
+<div class="code panel" style="border-width: 1px;"><div class="codeContent 
panelContent">
+<pre class="code-java">
+CATALINA_HOME=/path/to/second/tomcat
+$CATALINA_HOME/bin/startup.sh
+</pre>
+</div></div>
 
-<h3><a shape="rect" name="FedizIDP-Configuration"></a>Configuration</h3>
+<p>and</p>
 
-<p>You can manage the users, their claims and the claims per application in 
the IDP.</p>
+<div class="code panel" style="border-width: 1px;"><div class="codeContent 
panelContent">
+<pre class="code-java">
+CATALINA_HOME=/path/to/second/tomcat
+$CATALINA_HOME/bin/shutdown.sh
+</pre>
+</div></div>
 
-<h5><a shape="rect" name="FedizIDP-HTTPSconfiguration"></a>HTTPS 
configuration</h5>
+<p>If you're using the one Tomcat with multiple instance option, it's 
$CATALINA_BASE that will need to be redefined.</p>
 
-<p>It's recommended to set up a dedicated (separate) Tomcat instance for the 
IDP.   Using one deployment of Tomcat with multiple CATALINA_BASE instances, as 
described <a shape="rect" class="external-link" 
href="http://www.shaunabram.com/multiple-tomcat-instances/"; 
rel="nofollow">here</a> is one option but note any libs in $CATALINA_HOME/lib 
folder will be shared throughout each of the activated CATALINA_BASE instances. 
 Another probably simpler alternative is to copy your Tomcat folder into a 
second location and edit its conf/server.xml file and change <a shape="rect" 
class="external-link" 
href="http://viralpatel.net/blogs/2009/08/running-multiple-instance-apache-tomcat-single-server.html";
 rel="nofollow">these port values</a> so they don't conflict with the original 
Tomcat installation.  The Fediz examples use the following TCP ports to 
interact with the IDP/STS:</p>
+<p>The Fediz examples use the following TCP ports for the IDP/STS:</p>
 
 <ul><li>HTTP port: 9080 (used for Maven deployment, mvn 
tomcat:redeploy)</li><li>HTTPS port: 9443 (where IDP and STS are 
accessed)</li></ul>
 
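Review bot: the paragraph deleted at the end of this hunk ("This keystore contains the private key as well. In a production environment, you must not deploy the private key of the STS to the Relying Party") is not re-added anywhere in this patch; the new bold warning in the following hunk only covers the sample keystores in general, so the specific instruction that the Relying Party gets the STS signing certificate but never its private key is lost. Suggest keeping that sentence next to the new trust paragraph. Smaller point in the added startup/shutdown snippets: a bare `CATALINA_HOME=/path/to/second/tomcat` only sets a shell variable in the script's own shell, so it should be `export CATALINA_HOME=/path/to/second/tomcat` if the child startup.sh is meant to see the redefined value; this matters even more for the CATALINA_BASE variant the text mentions, since catalina.sh defaults CATALINA_BASE to CATALINA_HOME when the variable is not present in its environment and would then start the wrong instance. The `<pre class="code-java">` class on these shell snippets should also be a shell class for consistency with the rest of the page.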
@@ -172,34 +181,22 @@ Apache CXF -- Fediz IDP
 <pre class="code-xml">
     &lt;Connector port=<span class="code-quote">"9443"</span> protocol=<span 
class="code-quote">"HTTP/1.1"</span> SSLEnabled=<span 
class="code-quote">"true"</span>
                maxThreads=<span class="code-quote">"150"</span> scheme=<span 
class="code-quote">"https"</span> secure=<span class="code-quote">"true"</span>
-               keystoreFile=<span 
class="code-quote">"tomcatKeystore.jks"</span>
+               keystoreFile=<span class="code-quote">"tomcat-idp.jks"</span>
                keystorePass=<span class="code-quote">"tompass"</span> 
sslProtocol=<span class="code-quote">"TLS"</span> /&gt;
 </pre>
 </div></div>
 
 <p>The keystoreFile is relative to $CATALINA_HOME. See <a shape="rect" 
class="external-link" 
href="http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html";>here</a> for the 
Tomcat 7 configuration reference. This page also describes how to create 
certificates.</p>
 
-<p><b>Production: It's highly recommended to deploy certificates signed by a 
Certificate Authority</b></p>
+<p>Once you deploy the IDP WAR files to your Tomcat installation 
(&lt;catalina.home&gt;/webapps), you should be able to see the Fediz STS from a 
browser at <a shape="rect" class="external-link" 
href="http://localhost:9080/fedizidpsts/STSService?wsdl"; 
rel="nofollow">http://localhost:9080/fedizidpsts/STSService?wsdl</a>, assuming 
you're using port 9080 as listed above.</p>
 
-<p>To start and stop this second Tomcat instance, it is perhaps easiest to 
create small startup.sh and shutdown.sh scripts that temporarily redefine 
$CATALINA_HOME from the first to the second instance, for example:</p>
+<p>To establish trust, there are significant keystore/truststore requirements 
between the Tomcat instances and the various web applications (IDP, STS, 
Relying party applications, third party web services, etc.)  See <a 
shape="rect" class="external-link" 
href="http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co";>this
 page</a> for more details, it lists the trust requirements as well as sample 
scripts for creating your own (self-signed) keys.</p>
 
-<div class="code panel" style="border-width: 1px;"><div class="codeContent 
panelContent">
-<pre class="code-java">
-CATALINA_HOME=/path/to/second/tomcat
-$CATALINA_HOME/bin/startup.sh
-</pre>
-</div></div>
+<p><b>Warning:  The sample keystores provided in the WAR files are for 
development/prototyping use ONLY.  They'll need to be replaced for production 
use, at a minimum with your own self-signed keys but strongly recommended to 
use third-party signed keys.</b></p>
 
-<p>and</p>
-
-<div class="code panel" style="border-width: 1px;"><div class="codeContent 
panelContent">
-<pre class="code-java">
-CATALINA_HOME=/path/to/second/tomcat
-$CATALINA_HOME/bin/shutdown.sh
-</pre>
-</div></div>
+<h3><a shape="rect" name="FedizIDP-Configuration"></a>Configuration</h3>
 
-<p>If you're using the one Tomcat with multiple instance option, it's 
$CATALINA_BASE that will need to be redefined.</p>
+<p>You can manage the users, their claims and the claims per application in 
the IDP.</p>
 
 <h5><a shape="rect" name="FedizIDP-Userandpassword"></a>User and password</h5>
 
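Review bot: the moved STS check URL still uses plain HTTP on port 9080 (`http://localhost:9080/fedizidpsts/STSService?wsdl`), while the port list now directly above it says 9080 is used for Maven deployment and that 9443 (HTTPS) is where IDP and STS are accessed; either point the check at the HTTPS port or state that the STS WSDL is also served over HTTP. Removing the line "Production: It's highly recommended to deploy certificates signed by a Certificate Authority" right after the connector example leaves the TLS connector section with no production note until the bold warning several paragraphs later; since that warning already says third-party signed keys are strongly recommended, a one-line pointer here would keep the advice next to the keystoreFile/keystorePass example where readers will copy it from. Minor: the HowToGenerateKeysREADME.html link targets svn trunk with `?view=co`, so its content will drift as trunk changes.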
@@ -390,11 +387,7 @@ value=<span class="code-quote">"c"</span
 
 
<ul><li>lang-2.1.0.jar</li><li>ldapbp-1.0.jar</li><li>spring-ldap-1.2.jar</li></ul>
 
-
-
-<h3><a shape="rect" name="FedizIDP-ConfigureCAcertificates"></a>Configure CA 
certificates</h3>
-
-<p>tbd</p></div>
+</div>
            </div>
            <!-- Content -->
          </td>
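Review bot: deleting the empty "Configure CA certificates" section also drops the `FedizIDP-ConfigureCAcertificates` anchor, so any inbound links to `fediz-idp.html#FedizIDP-ConfigureCAcertificates` will now silently land at the top of the page; if that topic is meant to be covered by the new trust paragraph and the HowToGenerateKeys link, consider keeping the heading as a short pointer to them instead of removing it. The `</div>` retained on the added line correctly keeps the content div balanced after the `<p>tbd</p>` removal.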