Upgrades within the IdP 5.x product line

Preparation

Read the release notes before updating!

A notice about an available update can be found in the IdP log file /opt/shibboleth-idp/logs/idp-process.log:

2025-07-04 12:56:27,757 -  - WARN [net.shibboleth.idp.admin.impl.ReportUpdateStatus:138] - Version 5.1.3 can be upgraded to 5.1.4
2025-07-04 12:56:27,758 -  - WARN [net.shibboleth.idp.admin.impl.ReportUpdateStatus:153] - Support level for 5.1.3 is OutOfDate

The Shibboleth developer team recommends updating all installed plugins before upgrading the IdP. This can prevent additional warning messages. After the IdP upgrade, repeat the plugin update to be on the safe side.

List the currently installed plugins:

/opt/shibboleth-idp/bin/plugin.sh -fl

Output:

INFO  - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/admin/admin.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/services.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/authn/authn.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/saml-nameid.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/c14n/subject-c14n.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/ldap.properties
Plugin: net.shibboleth.idp.plugin.nashorn	Current Version: 2.0.0
	Plugin Versions 
	1.0.0:	Min=4.1.0	Max=5.0.0	Support level: Withdrawn
	1.1.0:	Min=4.1.0	Max=5.0.0	Support level: Current
	2.0.0:	Min=5.0.0	Max=6.0.0	Support level: Current
Plugin: net.shibboleth.plugin.storage.jdbc	Current Version: 2.0.1
	Plugin Versions 
	1.0.0:	Min=4.1.0	Max=5.0.0	Support level: OutOfDate
	1.0.1:	Min=4.1.0	Max=5.0.0	Support level: OutOfDate
	1.0.2:	Min=4.1.0	Max=5.0.0	Support level: OutOfDate
	1.0.3:	Min=4.1.0	Max=5.0.0	Support level: OutOfDate
	1.0.4:	Min=4.1.0	Max=5.0.0	Support level: Current
	2.0.0:	Min=5.0.0	Max=6.0.0	Support level: OutOfDate
	2.0.1:	Min=5.0.0	Max=6.0.0	Support level: OutOfDate
	2.1.0:	Min=5.0.0	Max=6.0.0	Support level: Current

In the example shown above, the installed version of the plugin with the ID net.shibboleth.plugin.storage.jdbc is out of date and should be updated first.

Upgrade the plugin net.shibboleth.plugin.storage.jdbc:

/opt/shibboleth-idp/bin/plugin.sh -u net.shibboleth.plugin.storage.jdbc

Output:

INFO  - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/admin/admin.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/services.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/authn/authn.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/saml-nameid.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/c14n/subject-c14n.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/ldap.properties
INFO  - Downloading from HTTPResource [https://shibboleth.net/downloads/identity-provider/plugins/jdbc/2.1.0/java-plugin-jdbc-storage-2.1.0.tar.gz]
INFO  - Downloading from HTTPResource [https://shibboleth.net/downloads/identity-provider/plugins/jdbc/2.1.0/java-plugin-jdbc-storage-2.1.0.tar.gz.asc]
INFO  - Plugin net.shibboleth.plugin.storage.jdbc: Trust store folder does not exist, creating
INFO  - Plugin net.shibboleth.plugin.storage.jdbc: Trust store does not exist, creating
INFO  - TrustStore does not contain signature 0x7D27E610B8A3DC52
Accept this key:
Signature:	0x7D27E610B8A3DC52
FingerPrint:	B5B5DD332142AD657E8D87AC7D27E610B8A3DC52
Username:	Philip David Smart <philip.smart@jisc.ac.uk>
 [yN] y
INFO  - Installing Plugin 'net.shibboleth.plugin.storage.jdbc' version 2.1.0
INFO  - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 5.1.3
INFO  - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
INFO  - Overlay from /opt/shibboleth-idp/dist/plugin-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO  - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO  - Creating war file /opt/shibboleth-idp/war/idp.war
Plugin: net.shibboleth.plugin.storage.jdbc	Current Version: 2.1.0
Plugin: net.shibboleth.idp.plugin.nashorn	Current Version: 2.0.0

IdP Upgrade

Download the current version of the Shibboleth IdP, verify the signature and unpack the archive. The current IdP version is always available at: https://shibboleth.net/downloads/identity-provider/latest/

Download the Shibboleth IdP, the signature and the checksum:

wget -P /opt/install https://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-5.x.x.tar.gz
wget -P /opt/install https://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-5.x.x.tar.gz.asc
wget -P /opt/install https://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-5.x.x.tar.gz.sha256

Check the checksum:

cd /opt/install && sha256sum -c shibboleth-identity-provider-5.x.x.tar.gz.sha256

Output:

shibboleth-identity-provider-5.x.x.tar.gz: OK

Verify the signature:

gpg --verify /opt/install/shibboleth-identity-provider-5.x.x.tar.gz.asc /opt/install/shibboleth-identity-provider-5.x.x.tar.gz

Output:

gpg: Signatur vom Do 27 Mär 2025 10:50:15 CET
gpg:                mittels RSA-Schlüssel 7D27E610B8A3DC52
gpg: Korrekte Signatur von "Philip David Smart <philip.smart@jisc.ac.uk>" [unbekannt]
gpg:                     alias "[jpeg image of size 9378]" [unbekannt]
gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur!
gpg:          Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört.
Haupt-Fingerabdruck  = B5B5 DD33 2142 AD65 7E8D  87AC 7D27 E610 B8A3 DC52

The decisive line is "Good signature" (shown as "Korrekte Signatur" in the German-locale output above). The warning "This key is not certified with a trusted signature!" can be ignored: it only means that the key is not in your local web of trust, and the fingerprint printed (B5B5 DD33 2142 AD65 7E8D 87AC 7D27 E610 B8A3 DC52) belongs to the same key 0x7D27E610B8A3DC52 that plugin.sh asked you to accept during the plugin update above. Unpack the archive:

tar -xzf /opt/install/shibboleth-identity-provider-5.x.x.tar.gz -C /opt/install

Start the interactive installer:

/opt/install/shibboleth-identity-provider-5.x.x/bin/install.sh

For a standard installation, confirm the installation directory with Enter.

Output:

Installation Directory: [/opt/shibboleth-idp] ? 

INFO  - Update from version 5.1.3 to version 5.1.4
INFO  - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 5.1.4
INFO  - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
INFO  - Overlay from /opt/shibboleth-idp/dist/plugin-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO  - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO  - Creating war file /opt/shibboleth-idp/war/idp.war

Display available updates for the installed plugins and apply them where necessary:

/opt/shibboleth-idp/bin/plugin.sh -L
/opt/shibboleth-idp/bin/plugin.sh -u [Plugin-ID]

Check the log file for error and warning messages. Test a login at at least one SP and check the IdP log file.
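The checksum and signature checks from the download step, combined into one script that fails closed and additionally pins the signing key's fingerprint. This is an added example and not part of the original page or of the Shibboleth distribution; it assumes the three files were fetched into /opt/install as shown, takes the expected fingerprint from the gpg output above, and uses hypothetical function names.

```shell
#!/bin/sh
# Added example, not from the original page: verify a downloaded IdP archive
# against its .sha256 file and its detached GPG signature, and require that
# the signing key matches the fingerprint shown in the gpg output above.

# Primary key fingerprint from the gpg output above (key 0x7D27E610B8A3DC52).
EXPECTED_FPR="B5B5DD332142AD657E8D87AC7D27E610B8A3DC52"

# check_sha256 ARCHIVE SUMFILE
# Compares the digest of ARCHIVE with the first field of SUMFILE
# ("<hash>  <filename>"). Returns 0 on match, 1 on mismatch or empty sum file.
check_sha256() {
    expected=$(cut -d' ' -f1 "$2" | head -n 1 | tr 'A-F' 'a-f')
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# check_signature ARCHIVE SIGFILE
# Uses gpg's machine-readable status lines instead of the localized
# "Good signature" / "Korrekte Signatur" text. VALIDSIG is only emitted for
# a cryptographically valid signature; the fingerprint pin rejects a valid
# signature that was made by some other key.
check_signature() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG .*${EXPECTED_FPR}"
}

# verify_idp_download DIR VERSION
# Runs both checks on the files wget placed in DIR and returns non-zero on
# the first failure, so a following tar/install step never runs on bad input.
verify_idp_download() {
    archive="$1/shibboleth-identity-provider-$2.tar.gz"
    check_sha256 "$archive" "$archive.sha256" \
        || { echo "$archive: checksum mismatch" >&2; return 1; }
    check_signature "$archive" "$archive.asc" \
        || { echo "$archive: signature invalid or not made by $EXPECTED_FPR" >&2; return 1; }
    echo "$archive: checksum and signature OK"
}

# Usage, with the real version number in place of 5.x.x:
# verify_idp_download /opt/install 5.x.x
```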

Deprecation Warnings

Deprecation warnings can be found in the file /opt/shibboleth-idp/logs/idp-process.log and should be resolved according to their content.
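A small log triage helper for the two checks just described (errors and warnings after the upgrade, and deprecation warnings). This is an added example, not from the original page or the IdP distribution; it assumes the idp-process.log line layout shown in the Preparation section and that deprecation warnings are logged under the logger name DEPRECATED (an assumption). The sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: triage idp-process.log after
# an upgrade. Assumes the line layout shown above:
#   "<date> <time> -  - <LEVEL> [<logger>:<line>] - <message>"
# and that deprecation warnings use the logger name DEPRECATED (assumption).

# log_level_count LOGFILE LEVEL: number of lines at LEVEL (ERROR, WARN, INFO).
log_level_count() {
    grep -c -- " - $2 \[" "$1" || true    # grep -c exits 1 when the count is 0
}

# log_logger_count LOGFILE LOGGER: lines from LOGGER, with or without package prefix.
log_logger_count() {
    grep -c -E -- "\[([A-Za-z0-9_]+\.)*$2:[0-9]+\]" "$1" || true
}

# log_report LOGFILE: what to look at first after the upgrade.
log_report() {
    echo "ERROR lines:      $(log_level_count "$1" ERROR)"
    echo "WARN lines:       $(log_level_count "$1" WARN)"
    echo "DEPRECATED lines: $(log_logger_count "$1" DEPRECATED)"
    echo "--- update status (should now report the new version) ---"
    grep -E -- "\[([A-Za-z0-9_]+\.)*ReportUpdateStatus:[0-9]+\]" "$1" || true
    echo "--- deprecation warnings to resolve ---"
    grep -E -- "\[DEPRECATED:[0-9]+\]" "$1" || true
}

# write_sample_log PATH: constructed sample log (the first two lines are the
# ones quoted in the Preparation section, the remaining lines are made up).
write_sample_log() {
    cat > "$1" <<'EOF'
2025-07-04 12:56:27,757 -  - WARN [net.shibboleth.idp.admin.impl.ReportUpdateStatus:138] - Version 5.1.3 can be upgraded to 5.1.4
2025-07-04 12:56:27,758 -  - WARN [net.shibboleth.idp.admin.impl.ReportUpdateStatus:153] - Support level for 5.1.3 is OutOfDate
2025-07-04 12:56:30,001 -  - WARN [DEPRECATED:125] - constructed: property 'idp.example.setting' is DEPRECATED
2025-07-04 12:57:01,010 -  - INFO [constructed.SampleLogger:1] - constructed informational line
2025-07-04 12:57:02,020 -  - ERROR [constructed.SampleLogger:2] - constructed error line
EOF
}
```

On a real installation, run `log_report /opt/shibboleth-idp/logs/idp-process.log` after the first test login.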

New files in the Shibboleth directories

During upgrades, new versions of modified files are created:

  • Filename.idpnew-idpversion: default configs of files that have changed
  • Filename.idpsave: configs that were backed up on uninstallation

Example conf directory:

ls -rlt conf/
insgesamt 188
-rw-r--r-- 1 tomcat tomcat  4172  2. Jan 2025  ldap.properties
-rw-r--r-- 1 tomcat tomcat  2950  2. Jan 2025  access-control.xml
-rw-r--r-- 1 tomcat tomcat  1576  2. Jan 2025  saml-nameid.properties
-rw-r--r-- 1 tomcat tomcat  2847  2. Jan 2025  saml-nameid.xml
-rw-r--r-- 1 tomcat tomcat  3110  2. Jan 2025  global.xml
-rw-r--r-- 1 tomcat tomcat 11506  2. Jan 2025  idp.properties
-rw-r--r-- 1 tomcat tomcat  4561  2. Jan 2025  metadata-providers.xml
-rw-r--r-- 1 tomcat tomcat  3485  3. Jan 14:44 relying-party.xml
-rw-r--r-- 1 tomcat tomcat  6135 15. Jan 17:10 attribute-resolver.xml
-rw-r--r-- 1 tomcat tomcat  6077 15. Jan 17:18 attribute-filter.xml
drwxr-xr-x 2 tomcat tomcat  4096  4. Jul 13:30 examples
drwxr-xr-x 2 tomcat tomcat  4096  4. Jul 13:30 admin
drwxr-xr-x 3 tomcat tomcat  4096  4. Jul 13:30 attributes
drwxr-xr-x 2 tomcat tomcat  4096  4. Jul 13:30 c14n
-rw-r--r-- 1 root   root    3412  4. Jul 13:30 audit.xml
-rw-r--r-- 1 root   root    3109  4. Jul 13:30 attribute-resolver.xml.idpnew-514
-rw-r--r-- 1 root   root    1496  4. Jul 13:30 attribute-registry.xml
-rw-r--r-- 1 root   root    4822  4. Jul 13:30 attribute-filter.xml.idpnew-514
-rw-r--r-- 1 root   root    2951  4. Jul 13:30 access-control.xml.idpnew-514
-rw-r--r-- 1 root   root    4424  4. Jul 13:30 metadata-providers.xml.idpnew-514
-rw-r--r-- 1 root   root    9680  4. Jul 13:30 logback.xml
-rw-r--r-- 1 root   root    4184  4. Jul 13:30 ldap.properties.idpnew-514
-rw-r--r-- 1 root   root   11142  4. Jul 13:30 idp.properties.idpnew-514
-rw-r--r-- 1 root   root    2408  4. Jul 13:30 global.xml.idpnew-514
-rw-r--r-- 1 root   root    7085  4. Jul 13:30 errors.xml
-rw-r--r-- 1 root   root    3410  4. Jul 13:30 credentials.xml
-rw-r--r-- 1 root   root    2720  4. Jul 13:30 services.xml
-rw-r--r-- 1 root   root    3206  4. Jul 13:30 services.properties
-rw-r--r-- 1 root   root    2872  4. Jul 13:30 saml-nameid.xml.idpnew-514
-rw-r--r-- 1 root   root    1599  4. Jul 13:30 saml-nameid.properties.idpnew-514
-rw-r--r-- 1 root   root    3403  4. Jul 13:30 relying-party.xml.idpnew-514
drwxr-xr-x 2 tomcat tomcat  4096  4. Jul 13:30 authn
drwxr-xr-x 2 tomcat tomcat  4096  4. Jul 13:30 intercept
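A helper for working through the .idpnew files in a listing like the one above: it pairs each shipped default with the local config it belongs to and shows what the new default changes, so the change can be merged by hand. This is an added example, not from the original page or the IdP distribution; the function names are hypothetical and the test data is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: pair every *.idpnew-<version>
# file in the conf directory with the live config it belongs to and show
# what the new shipped default changes, so it can be merged by hand.
# Assumes the naming seen in the listing above (idp.properties.idpnew-514).

# list_idpnew CONF_DIR
# Prints one line per pending file: "<live config><TAB><idpnew file>".
list_idpnew() {
    for new in "$1"/*.idpnew-*; do
        [ -e "$new" ] || continue      # no match: the glob stays literal
        printf '%s\t%s\n' "${new%.idpnew-*}" "$new"
    done
}

# count_idpnew CONF_DIR: number of pending idpnew files (0 when none).
count_idpnew() {
    list_idpnew "$1" | wc -l | tr -d ' '
}

# idpnew_differs LIVE NEW: 0 when the shipped default differs from the live
# config (something to review), 1 when both files are byte-identical.
idpnew_differs() {
    ! cmp -s "$1" "$2"
}

# review_idpnew CONF_DIR
# Unified diff per pair: live config on the "-" side, shipped default on "+".
review_idpnew() {
    list_idpnew "$1" | while IFS="$(printf '\t')" read -r live new; do
        if [ ! -e "$live" ]; then
            echo "== $new: no local ${live##*/}, the shipped default can be adopted as is"
        elif idpnew_differs "$live" "$new"; then
            echo "== $live <- $new"
            diff -u "$live" "$new" || true   # diff exits 1 when the files differ
        else
            echo "== $new is identical to $live and can be deleted"
        fi
    done
}

# Usage on a real installation:
# review_idpnew /opt/shibboleth-idp/conf
```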