Upgrades within the IdP 5.x product line
Preparation
Read the release notes before updating!
A notice that an update is available appears in the IdP log file /opt/shibboleth-idp/logs/idp-process.log:
2025-07-04 12:56:27,757 - - WARN [net.shibboleth.idp.admin.impl.ReportUpdateStatus:138] - Version 5.1.3 can be upgraded to 5.1.4
2025-07-04 12:56:27,758 - - WARN [net.shibboleth.idp.admin.impl.ReportUpdateStatus:153] - Support level for 5.1.3 is OutOfDate
Upgrading the plugins
The Shibboleth development team recommends updating all installed plugins before upgrading the IdP; this avoids additional warnings during the upgrade. After the IdP upgrade, repeat the plugin update to be on the safe side.
List the currently installed plugins:
/opt/shibboleth-idp/bin/plugin.sh -fl
Output:
INFO - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/admin/admin.properties
INFO - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/services.properties
INFO - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/authn/authn.properties
INFO - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/saml-nameid.properties
INFO - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/c14n/subject-c14n.properties
INFO - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/ldap.properties
Plugin: net.shibboleth.idp.plugin.nashorn
    Current Version: 2.0.0
    Plugin Versions
        1.0.0: Min=4.1.0 Max=5.0.0 Support level: Withdrawn
        1.1.0: Min=4.1.0 Max=5.0.0 Support level: Current
        2.0.0: Min=5.0.0 Max=6.0.0 Support level: Current
Plugin: net.shibboleth.plugin.storage.jdbc
    Current Version: 2.0.1
    Plugin Versions
        1.0.0: Min=4.1.0 Max=5.0.0 Support level: OutOfDate
        1.0.1: Min=4.1.0 Max=5.0.0 Support level: OutOfDate
        1.0.2: Min=4.1.0 Max=5.0.0 Support level: OutOfDate
        1.0.3: Min=4.1.0 Max=5.0.0 Support level: OutOfDate
        1.0.4: Min=4.1.0 Max=5.0.0 Support level: Current
        2.0.0: Min=5.0.0 Max=6.0.0 Support level: OutOfDate
        2.0.1: Min=5.0.0 Max=6.0.0 Support level: OutOfDate
        2.1.0: Min=5.0.0 Max=6.0.0 Support level: Current
In the example above, the plugin with the ID net.shibboleth.plugin.storage.jdbc is out of date: the installed version 2.0.1 has support level OutOfDate, while 2.1.0 is Current. It should be updated before the IdP upgrade.
Upgrading the plugin net.shibboleth.plugin.storage.jdbc:
/opt/shibboleth-idp/bin/plugin.sh -u net.shibboleth.plugin.storage.jdbc
Output:
INFO - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/admin/admin.properties
INFO - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/services.properties
INFO - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/authn/authn.properties
INFO - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/saml-nameid.properties
INFO - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/c14n/subject-c14n.properties
INFO - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/ldap.properties
INFO - Downloading from HTTPResource [https://shibboleth.net/downloads/identity-provider/plugins/jdbc/2.1.0/java-plugin-jdbc-storage-2.1.0.tar.gz]
INFO - Downloading from HTTPResource [https://shibboleth.net/downloads/identity-provider/plugins/jdbc/2.1.0/java-plugin-jdbc-storage-2.1.0.tar.gz.asc]
INFO - Plugin net.shibboleth.plugin.storage.jdbc: Trust store folder does not exist, creating
INFO - Plugin net.shibboleth.plugin.storage.jdbc: Trust store does not exist, creating
INFO - TrustStore does not contain signature 0x7D27E610B8A3DC52
Accept this key:
Signature:   0x7D27E610B8A3DC52
FingerPrint: B5B5DD332142AD657E8D87AC7D27E610B8A3DC52
Username:    Philip David Smart <philip.smart@jisc.ac.uk>
[yN] y
INFO - Installing Plugin 'net.shibboleth.plugin.storage.jdbc' version 2.1.0
INFO - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 5.1.3
INFO - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
INFO - Overlay from /opt/shibboleth-idp/dist/plugin-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO - Creating war file /opt/shibboleth-idp/war/idp.war
Plugin: net.shibboleth.plugin.storage.jdbc
    Current Version: 2.1.0
Plugin: net.shibboleth.idp.plugin.nashorn
    Current Version: 2.0.0
Before answering y at the "Accept this key" prompt, compare the fingerprint shown with the fingerprint of the Shibboleth release-signing key as published by the project. The accepted key is stored in the plugin trust store and used for subsequent plugin installations.
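When several plugins are installed, the -fl listing is easier to act on when it is reduced to one line per plugin. The following is an added example written for this page (it is not part of the Shibboleth tooling): it parses plugin.sh -fl output and reports, for each plugin, the installed version, that version's support level, and the newest version whose Min/Max range covers the running IdP version, exiting non-zero if anything is not Current. The sample text is constructed from the listing above; its line breaks and indentation are an assumption about how the tool lays out its output, and treating Max as an exclusive upper bound (the 1.x versions end at 5.0.0, i.e. they are for IdP 4.x) is also an assumption.

```shell
#!/bin/sh
# Reduce `plugin.sh -fl` output to one status line per plugin.
# Example code written for this page; not part of the Shibboleth distribution.

# Constructed sample, modelled on the -fl listing above. Indentation and
# line breaks are assumed; the real tool prints one item per line.
SAMPLE_FL_OUTPUT='INFO - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/ldap.properties
Plugin: net.shibboleth.idp.plugin.nashorn
    Current Version: 2.0.0
    Plugin Versions
        1.0.0: Min=4.1.0 Max=5.0.0 Support level: Withdrawn
        1.1.0: Min=4.1.0 Max=5.0.0 Support level: Current
        2.0.0: Min=5.0.0 Max=6.0.0 Support level: Current
Plugin: net.shibboleth.plugin.storage.jdbc
    Current Version: 2.0.1
    Plugin Versions
        1.0.4: Min=4.1.0 Max=5.0.0 Support level: Current
        2.0.0: Min=5.0.0 Max=6.0.0 Support level: OutOfDate
        2.0.1: Min=5.0.0 Max=6.0.0 Support level: OutOfDate
        2.1.0: Min=5.0.0 Max=6.0.0 Support level: Current'

# plugin_status IDP_VERSION   (reads plugin.sh -fl output on stdin)
# Prints:  <plugin-id> <installed> <support-level> <newest-compatible>
# Exit status 1 if at least one installed version is not "Current".
plugin_status() {
    awk -v idp="$1" '
        # compare dotted versions numerically: -1, 0 or 1
        function vercmp(a, b,    x, y, i, p, q) {
            split(a, x, "."); split(b, y, ".")
            for (i = 1; i <= 3; i++) {
                p = x[i] + 0; q = y[i] + 0
                if (p < q) return -1
                if (p > q) return 1
            }
            return 0
        }
        /^Plugin: /        { id = $2; ids[++n] = id; next }
        /Current Version:/ { cur[id] = $3; next }
        /Support level:/ {
            ver = $1; sub(/:$/, "", ver)
            min = $2; sub(/^Min=/, "", min)
            max = $3; sub(/^Max=/, "", max)
            level[id, ver] = $NF
            # Max is treated as an exclusive bound (assumption, see lead-in)
            if (vercmp(min, idp) <= 0 && vercmp(idp, max) < 0 &&
                (!(id in best) || vercmp(ver, best[id]) > 0))
                best[id] = ver
        }
        END {
            rc = 0
            for (i = 1; i <= n; i++) {
                id = ids[i]
                lv = ((id, cur[id]) in level) ? level[id, cur[id]] : "Unknown"
                if (lv != "Current") rc = 1
                printf "%s %s %s %s\n", id, cur[id], lv, ((id in best) ? best[id] : "none")
            }
            exit rc
        }'
}

# Stand-alone demonstration on the constructed sample, for an IdP 5.1.3.
# In production:  /opt/shibboleth-idp/bin/plugin.sh -fl | plugin_status 5.1.3
printf '%s\n' "$SAMPLE_FL_OUTPUT" | plugin_status 5.1.3 \
    || echo "at least one plugin is not Current; run plugin.sh -u <id>"
```

The "newest-compatible" column is what plugin.sh -u would move to; when it differs from the installed version, that plugin is a candidate for the update described above.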
IdP Upgrade
Download the current version of the Shibboleth IdP, verify the signature and unpack the archive. The current IdP version is always available at: https://shibboleth.net/downloads/identity-provider/latest/
Download the Shibboleth IdP, the signature and the checksum:
wget -P /opt/install https://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-5.x.x.tar.gz
wget -P /opt/install https://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-5.x.x.tar.gz.asc
wget -P /opt/install https://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-5.x.x.tar.gz.sha256
Check the checksum (this only detects a corrupted or truncated download; since the .sha256 file comes from the same server as the archive, the signature check below is what protects against a tampered archive):
cd /opt/install && sha256sum -c shibboleth-identity-provider-5.x.x.tar.gz.sha256
Output:
shibboleth-identity-provider-5.x.x.tar.gz: OK
Verify the signature:
gpg --verify /opt/install/shibboleth-identity-provider-5.x.x.tar.gz.asc /opt/install/shibboleth-identity-provider-5.x.x.tar.gz
Output:
gpg: Signature made Thu 27 Mar 2025 10:50:15 CET
gpg:                using RSA key 7D27E610B8A3DC52
gpg: Good signature from "Philip David Smart <philip.smart@jisc.ac.uk>" [unknown]
gpg:                 aka "[jpeg image of size 9378]" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B5B5 DD33 2142 AD65 7E8D 87AC 7D27 E610 B8A3 DC52
What matters here is "Good signature" (in a German locale: "Korrekte Signatur"). The warning "This key is not certified with a trusted signature!" only means that the key has not been certified in your own keyring; it can be ignored, provided the primary key fingerprint printed matches the Shibboleth release-signing key that you have verified independently of the download site. The fingerprint shown here, B5B5 DD33 2142 AD65 7E8D 87AC 7D27 E610 B8A3 DC52, is the same key the plugin installer asked you to accept above. A "Good signature" from any other key must be treated as a failed check.
Unpack the archive:
tar -xzf /opt/install/shibboleth-identity-provider-5.x.x.tar.gz -C /opt/install
Run the interactive installer:
/opt/install/shibboleth-identity-provider-5.x.x/bin/install.sh
For a standard installation, confirm the installation directory with Enter.
Output:
Installation Directory: [/opt/shibboleth-idp] ?
INFO - Update from version 5.1.3 to version 5.1.4
INFO - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 5.1.4
INFO - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
INFO - Overlay from /opt/shibboleth-idp/dist/plugin-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO - Creating war file /opt/shibboleth-idp/war/idp.war
Show the available updates for the installed plugins and apply them where necessary:
/opt/shibboleth-idp/bin/plugin.sh -L
/opt/shibboleth-idp/bin/plugin.sh -u [Plugin-ID]
Restart the servlet container (e.g. Tomcat) so that it deploys the rebuilt idp.war, then check the log file for error and warning messages. Test a login at at least one SP and check the IdP log file again.
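The download-and-verify step of this procedure as a script, added here as an example written for this page (not part of the Shibboleth distribution). It runs the same sha256sum -c check as above, but judges the gpg result on gpg's machine-readable status lines (--status-fd) rather than on the human-readable "Good signature" text, and accepts the archive only if the VALIDSIG fingerprint equals a fingerprint pinned in the script. The pinned value is the fingerprint that appears in the gpg and plugin.sh output above; confirm it against the key the Shibboleth project publishes before relying on it. The status-line samples in the block are constructed for the offline demonstration; their SIG_ID values, timestamps and the "wrong" key are made up.

```shell
#!/bin/sh
# Verify a downloaded IdP archive: sha256 checksum plus a GPG signature that
# must come from a pinned key fingerprint. Example code written for this
# page; not part of the Shibboleth distribution.

# Fingerprint of the release-signing key seen in the gpg output above.
# Verify it against the project's published key; never take it from the
# same server the archive was downloaded from.
SHIB_RELEASE_KEY_FPR='B5B5DD332142AD657E8D87AC7D27E610B8A3DC52'

# validsig_matches STATUS_TEXT EXPECTED_FPR
# STATUS_TEXT is what `gpg --status-fd 1 --verify` writes: "[GNUPG:] KEYWORD ...".
# Returns 0 only if a VALIDSIG line carries the expected fingerprint, so a
# "Good signature" from some other key does not pass.
validsig_matches() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($3) == toupper(want) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# verify_idp_archive /opt/install/shibboleth-identity-provider-5.x.x.tar.gz
# Expects the .sha256 and .asc files next to the archive, as downloaded above.
verify_idp_archive() {
    archive=$1
    dir=$(dirname "$archive"); base=$(basename "$archive")
    # 1. checksum: catches a corrupted or truncated download only
    (cd "$dir" && sha256sum -c --status "$base.sha256") || {
        echo "checksum mismatch for $base" >&2; return 1; }
    # 2. signature: status lines on fd 1, human-readable chatter discarded
    status=$(gpg --batch --status-fd 1 --verify "$archive.asc" "$archive" 2>/dev/null)
    validsig_matches "$status" "$SHIB_RELEASE_KEY_FPR" || {
        echo "signature on $base is not from pinned key $SHIB_RELEASE_KEY_FPR" >&2
        return 1; }
    echo "verified: $base"
}

# Constructed status output (not real gpg output): the pinned key signs.
SAMPLE_GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] SIG_ID 0000000000000000000000000000 2025-03-27 1743069015
[GNUPG:] GOODSIG 7D27E610B8A3DC52 Philip David Smart <philip.smart@jisc.ac.uk>
[GNUPG:] VALIDSIG B5B5DD332142AD657E8D87AC7D27E610B8A3DC52 2025-03-27 1743069015 0 4 0 1 10 00 B5B5DD332142AD657E8D87AC7D27E610B8A3DC52
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: a valid signature, but from a made-up key. Must be rejected.
SAMPLE_WRONG_KEY_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Someone Else <else@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2025-03-27 1743069015 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: signature did not verify at all (no VALIDSIG line).
SAMPLE_NO_VALIDSIG='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 7D27E610B8A3DC52 Philip David Smart <philip.smart@jisc.ac.uk>'

# Stand-alone demonstration on the constructed samples.
validsig_matches "$SAMPLE_GOOD_STATUS"      "$SHIB_RELEASE_KEY_FPR" && echo "good sample: accepted"
validsig_matches "$SAMPLE_WRONG_KEY_STATUS" "$SHIB_RELEASE_KEY_FPR" || echo "wrong-key sample: rejected"
validsig_matches "$SAMPLE_NO_VALIDSIG"      "$SHIB_RELEASE_KEY_FPR" || echo "bad-signature sample: rejected"

# With an archive path as argument, verify a real download.
if [ $# -gt 0 ]; then verify_idp_archive "$1"; fi
```

Parsing the status lines instead of grepping for "Good signature" also makes the check independent of the locale, which is why the German "Korrekte Signatur" variant mentioned above never matters here.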
Deprecation Warnings
Deprecation warnings are written to /opt/shibboleth-idp/logs/idp-process.log and should be resolved according to their content.
New files in the Shibboleth directories
During upgrades, new versions of files that have been modified are created:
- Filename.idpnew-idpversion: the new default version of a file you have changed locally
- Filename.idpsave: configuration files that were backed up on uninstallation
Files written by the installer are owned by the user who ran install.sh (root in the example below), whereas the existing configuration belongs to tomcat; check ownership and permissions so that the servlet container can still read everything it needs.
Example conf directory:
ls -rlt conf/
total 188
-rw-r--r-- 1 tomcat tomcat  4172 Jan  2  2025 ldap.properties
-rw-r--r-- 1 tomcat tomcat  2950 Jan  2  2025 access-control.xml
-rw-r--r-- 1 tomcat tomcat  1576 Jan  2  2025 saml-nameid.properties
-rw-r--r-- 1 tomcat tomcat  2847 Jan  2  2025 saml-nameid.xml
-rw-r--r-- 1 tomcat tomcat  3110 Jan  2  2025 global.xml
-rw-r--r-- 1 tomcat tomcat 11506 Jan  2  2025 idp.properties
-rw-r--r-- 1 tomcat tomcat  4561 Jan  2  2025 metadata-providers.xml
-rw-r--r-- 1 tomcat tomcat  3485 Jan  3 14:44 relying-party.xml
-rw-r--r-- 1 tomcat tomcat  6135 Jan 15 17:10 attribute-resolver.xml
-rw-r--r-- 1 tomcat tomcat  6077 Jan 15 17:18 attribute-filter.xml
drwxr-xr-x 2 tomcat tomcat  4096 Jul  4 13:30 examples
drwxr-xr-x 2 tomcat tomcat  4096 Jul  4 13:30 admin
drwxr-xr-x 3 tomcat tomcat  4096 Jul  4 13:30 attributes
drwxr-xr-x 2 tomcat tomcat  4096 Jul  4 13:30 c14n
-rw-r--r-- 1 root   root    3412 Jul  4 13:30 audit.xml
-rw-r--r-- 1 root   root    3109 Jul  4 13:30 attribute-resolver.xml.idpnew-514
-rw-r--r-- 1 root   root    1496 Jul  4 13:30 attribute-registry.xml
-rw-r--r-- 1 root   root    4822 Jul  4 13:30 attribute-filter.xml.idpnew-514
-rw-r--r-- 1 root   root    2951 Jul  4 13:30 access-control.xml.idpnew-514
-rw-r--r-- 1 root   root    4424 Jul  4 13:30 metadata-providers.xml.idpnew-514
-rw-r--r-- 1 root   root    9680 Jul  4 13:30 logback.xml
-rw-r--r-- 1 root   root    4184 Jul  4 13:30 ldap.properties.idpnew-514
-rw-r--r-- 1 root   root   11142 Jul  4 13:30 idp.properties.idpnew-514
-rw-r--r-- 1 root   root    2408 Jul  4 13:30 global.xml.idpnew-514
-rw-r--r-- 1 root   root    7085 Jul  4 13:30 errors.xml
-rw-r--r-- 1 root   root    3410 Jul  4 13:30 credentials.xml
-rw-r--r-- 1 root   root    2720 Jul  4 13:30 services.xml
-rw-r--r-- 1 root   root    3206 Jul  4 13:30 services.properties
-rw-r--r-- 1 root   root    2872 Jul  4 13:30 saml-nameid.xml.idpnew-514
-rw-r--r-- 1 root   root    1599 Jul  4 13:30 saml-nameid.properties.idpnew-514
-rw-r--r-- 1 root   root    3403 Jul  4 13:30 relying-party.xml.idpnew-514
drwxr-xr-x 2 tomcat tomcat  4096 Jul  4 13:30 authn
drwxr-xr-x 2 tomcat tomcat  4096 Jul  4 13:30 intercept
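Working through the .idpnew files by hand is error-prone once there are a dozen of them. The following is an added example written for this page (not part of the Shibboleth distribution): it pairs every <file>.idpnew-<version> under a conf directory with the live file it shadows, shows a unified diff of what changed in the shipped default, points out pairs with different owners (as in the listing above, where root-owned .idpnew files sit next to tomcat-owned configuration), and returns the number of pairs still to merge. It scans the directory and one level of sub-directories only, and the conf tree it demonstrates on is constructed in a temporary directory, not real IdP configuration.

```shell
#!/bin/sh
# Review the <file>.idpnew-<version> files an IdP upgrade leaves in conf/.
# Example code written for this page; not part of the Shibboleth distribution.

# owner_of FILE -> user name owning FILE (third column of ls -l)
owner_of() { ls -ld "$1" | awk '{ print $3 }'; }

# list_idpnew DIR -> "<live-file> <idpnew-file>" per line, for DIR and one
# level of sub-directories (e.g. conf/authn); deeper trees are not scanned.
list_idpnew() {
    for new in "$1"/*.idpnew-* "$1"/*/*.idpnew-*; do
        [ -e "$new" ] || continue          # glob matched nothing
        printf '%s %s\n' "${new%.idpnew-*}" "$new"
    done
}

# review_idpnew DIR -> prints a report; returns the number of pairs whose
# live file differs from the new default (0 means nothing is left to merge).
review_idpnew() {
    differing=0
    for new in "$1"/*.idpnew-* "$1"/*/*.idpnew-*; do
        [ -e "$new" ] || continue
        live=${new%.idpnew-*}
        if [ ! -e "$live" ]; then
            echo "== $new: no live counterpart; review, then rename or delete"
            continue
        fi
        if [ "$(owner_of "$live")" != "$(owner_of "$new")" ]; then
            echo "   owner mismatch: $live ($(owner_of "$live")) vs $new ($(owner_of "$new"))"
        fi
        if diff -u "$live" "$new" >/dev/null; then
            echo "== $live: identical to the new default, $new can be deleted"
        else
            echo "== $live: the new default differs (merge what you need, then delete $new)"
            diff -u "$live" "$new" || true     # diff exits 1 when files differ
            differing=$((differing + 1))
        fi
    done
    return $differing
}

# make_sample_conf -> builds a constructed conf tree in a temp dir (not real
# IdP configuration) and prints its path, for the stand-alone demonstration.
make_sample_conf() {
    d=$(mktemp -d)
    mkdir "$d/authn"
    # locally edited file whose shipped default changed: must be merged
    printf 'idp.entityID=https://idp.example.org/idp/shibboleth\n' > "$d/idp.properties"
    printf '# idp.entityID=https://idp.example.org/idp/shibboleth\nidp.new.setting=true\n' \
        > "$d/idp.properties.idpnew-514"
    # file whose new default equals the live file: .idpnew can go
    printf '<beans/>\n' > "$d/global.xml"
    printf '<beans/>\n' > "$d/global.xml.idpnew-514"
    # .idpnew in a sub-directory with no live counterpart
    printf 'idp.authn.flows=Password\n' > "$d/authn/authn.properties.idpnew-514"
    echo "$d"
}

# Stand-alone demonstration. In production: review_idpnew /opt/shibboleth-idp/conf
SAMPLE_CONF=$(make_sample_conf)
review_idpnew "$SAMPLE_CONF" || echo "$? file(s) still to merge"
rm -rf "$SAMPLE_CONF"
```

Run it after every upgrade until it returns 0; a non-zero return is a cheap reminder in a maintenance checklist that shipped defaults have changed under a locally edited file.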