This is an old version of the document!


Upgrades within the IdP 5.x product line

Preparation

Read the release notes before updating!

A notice about an available update appears in the IdP log file /opt/shibboleth-idp/logs/idp-process.log:

2025-07-04 12:56:27,757 -  - WARN [net.shibboleth.idp.admin.impl.ReportUpdateStatus:138] - Version 5.1.3 can be upgraded to 5.1.4
2025-07-04 12:56:27,758 -  - WARN [net.shibboleth.idp.admin.impl.ReportUpdateStatus:153] - Support level for 5.1.3 is OutOfDate

The Shibboleth development team recommends updating any installed plugins before upgrading the IdP. This can prevent additional warning messages. After the IdP upgrade, repeat the plugin update to be on the safe side.

List the currently installed plugins:

/opt/shibboleth-idp/bin/plugin.sh -fl

Output:

INFO  - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/admin/admin.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/services.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/authn/authn.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/saml-nameid.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/c14n/subject-c14n.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/ldap.properties
Plugin: net.shibboleth.idp.plugin.nashorn	Current Version: 2.0.0
	Plugin Versions 
	1.0.0:	Min=4.1.0	Max=5.0.0	Support level: Withdrawn
	1.1.0:	Min=4.1.0	Max=5.0.0	Support level: Current
	2.0.0:	Min=5.0.0	Max=6.0.0	Support level: Current
Plugin: net.shibboleth.plugin.storage.jdbc	Current Version: 2.0.1
	Plugin Versions 
	1.0.0:	Min=4.1.0	Max=5.0.0	Support level: OutOfDate
	1.0.1:	Min=4.1.0	Max=5.0.0	Support level: OutOfDate
	1.0.2:	Min=4.1.0	Max=5.0.0	Support level: OutOfDate
	1.0.3:	Min=4.1.0	Max=5.0.0	Support level: OutOfDate
	1.0.4:	Min=4.1.0	Max=5.0.0	Support level: Current
	2.0.0:	Min=5.0.0	Max=6.0.0	Support level: OutOfDate
	2.0.1:	Min=5.0.0	Max=6.0.0	Support level: OutOfDate
	2.1.0:	Min=5.0.0	Max=6.0.0	Support level: Current

In the example shown above, the installed version of the plugin with the ID net.shibboleth.plugin.storage.jdbc is out of date and should be updated beforehand.
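The check described above can be automated, for example from a monitoring job. The following is an added example, not part of the original page or of Shibboleth: it reads the output of plugin.sh -fl on stdin and prints every plugin whose installed version has a support level other than Current. The function names and the abridged sample listing are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag installed plugins whose installed version is not "Current".
# Input: the text printed by `/opt/shibboleth-idp/bin/plugin.sh -fl` on stdin.
# Output: one line per finding, "<plugin-id> <installed-version> <support-level>".
outdated_plugins() {
    awk '
        /^Plugin: / {
            id  = $2        # plugin ID follows "Plugin:"
            cur = $NF       # installed version is the last field of the line
            next
        }
        # Version rows: "<ver>:  Min=..  Max=..  Support level: <level>"
        /Support level:/ && $1 == (cur ":") {
            if ($NF != "Current") print id, cur, $NF
        }
    '
}

# Sample input, abridged from the listing shown above (tab-separated like the original).
sample_listing() {
    printf 'Plugin: net.shibboleth.idp.plugin.nashorn\tCurrent Version: 2.0.0\n'
    printf '\tPlugin Versions \n'
    printf '\t1.1.0:\tMin=4.1.0\tMax=5.0.0\tSupport level: Current\n'
    printf '\t2.0.0:\tMin=5.0.0\tMax=6.0.0\tSupport level: Current\n'
    printf 'Plugin: net.shibboleth.plugin.storage.jdbc\tCurrent Version: 2.0.1\n'
    printf '\tPlugin Versions \n'
    printf '\t1.0.4:\tMin=4.1.0\tMax=5.0.0\tSupport level: Current\n'
    printf '\t2.0.1:\tMin=5.0.0\tMax=6.0.0\tSupport level: OutOfDate\n'
    printf '\t2.1.0:\tMin=5.0.0\tMax=6.0.0\tSupport level: Current\n'
}

# Offline demonstration on the sample; on an IdP host use instead:
#   /opt/shibboleth-idp/bin/plugin.sh -fl | outdated_plugins
sample_listing | outdated_plugins
```

Version 1.0.4 of the JDBC plugin is also marked Current, but only for IdP 4.x; the function therefore looks only at the row that matches the installed version.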

Upgrade the plugin net.shibboleth.plugin.storage.jdbc:

/opt/shibboleth-idp/bin/plugin.sh -u net.shibboleth.plugin.storage.jdbc

Output:

INFO  - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/admin/admin.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/services.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/authn/authn.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/saml-nameid.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/c14n/subject-c14n.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/ldap.properties
INFO  - Downloading from HTTPResource [https://shibboleth.net/downloads/identity-provider/plugins/jdbc/2.1.0/java-plugin-jdbc-storage-2.1.0.tar.gz]
INFO  - Downloading from HTTPResource [https://shibboleth.net/downloads/identity-provider/plugins/jdbc/2.1.0/java-plugin-jdbc-storage-2.1.0.tar.gz.asc]
INFO  - Plugin net.shibboleth.plugin.storage.jdbc: Trust store folder does not exist, creating
INFO  - Plugin net.shibboleth.plugin.storage.jdbc: Trust store does not exist, creating
INFO  - TrustStore does not contain signature 0x7D27E610B8A3DC52
Accept this key:
Signature:	0x7D27E610B8A3DC52
FingerPrint:	B5B5DD332142AD657E8D87AC7D27E610B8A3DC52
Username:	Philip David Smart <philip.smart@jisc.ac.uk>
 [yN] y
INFO  - Installing Plugin 'net.shibboleth.plugin.storage.jdbc' version 2.1.0
INFO  - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 5.1.3
INFO  - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
INFO  - Overlay from /opt/shibboleth-idp/dist/plugin-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO  - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO  - Creating war file /opt/shibboleth-idp/war/idp.war
Plugin: net.shibboleth.plugin.storage.jdbc	Current Version: 2.1.0
Plugin: net.shibboleth.idp.plugin.nashorn	Current Version: 2.0.0

IdP Upgrade

Download the current version of the Shibboleth IdP, check the signature and unpack the archive. The current IdP version is always available at: https://shibboleth.net/downloads/identity-provider/latest/

Download the Shibboleth IdP, the signature and the checksum:

wget -P /opt/install https://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-5.x.x.tar.gz
wget -P /opt/install https://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-5.x.x.tar.gz.asc
wget -P /opt/install https://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-5.x.x.tar.gz.sha256

Check the checksum:

cd /opt/install && sha256sum -c shibboleth-identity-provider-5.x.x.tar.gz.sha256

Output:

shibboleth-identity-provider-5.x.x.tar.gz: OK

Verify the signature:

gpg --verify /opt/install/shibboleth-identity-provider-5.x.x.tar.gz.asc /opt/install/shibboleth-identity-provider-5.x.x.tar.gz

Output:

gpg: Signatur vom Do 27 Mär 2025 10:50:15 CET
gpg:                mittels RSA-Schlüssel 7D27E610B8A3DC52
gpg: Korrekte Signatur von "Philip David Smart <philip.smart@jisc.ac.uk>" [unbekannt]
gpg:                     alias "[jpeg image of size 9378]" [unbekannt]
gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur!
gpg:          Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört.
Haupt-Fingerabdruck  = B5B5 DD33 2142 AD65 7E8D  87AC 7D27 E610 B8A3 DC52

The decisive line here is "Good signature" or "Korrekte Signatur". You can ignore the warning "This key is not certified with a trusted signature!".

Unpack the archive:

tar -xzf /opt/install/shibboleth-identity-provider-5.x.x.tar.gz -C /opt/install
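"Good signature" only states that some key in the local keyring produced the signature, so a scripted upgrade should also compare the signing key's fingerprint with the expected one. The following is an added example, not part of the original page or of Shibboleth: it combines the checksum and signature checks into one gate to run before unpacking. The pinned fingerprint is the one shown in the gpg output above; the function names and the constructed status lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Fingerprint taken from the gpg
# output shown above; function names are hypothetical.
EXPECTED_FPR="B5B5DD332142AD657E8D87AC7D27E610B8A3DC52"

# Reads `gpg --status-fd 1 --verify` status lines on stdin. Succeeds only if
# there is a good signature, no bad/expired/revoked marker, and the primary-key
# fingerprint (last VALIDSIG field in GnuPG 2.x) equals EXPECTED_FPR.
signed_by_expected_key() {
    awk -v want="$EXPECTED_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" { fpr = $NF }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit !(good && !bad && (fpr "") == (want "")) }
    '
}

# verify_release <archive>: expects <archive>.sha256 and <archive>.asc beside it.
verify_release() {
    dir=$(dirname "$1"); file=$(basename "$1")
    ( cd "$dir" && sha256sum -c "$file.sha256" >/dev/null ) || return 1
    gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null \
        | signed_by_expected_key
}

# Constructed status lines for an offline self-check (timestamps are made up).
sample_status() {
    printf '[GNUPG:] NEWSIG\n'
    printf '[GNUPG:] GOODSIG 7D27E610B8A3DC52 Philip David Smart\n'
    printf '[GNUPG:] VALIDSIG %s 2025-03-27 1743069015 0 4 0 1 10 00 %s\n' "$1" "$1"
}

if sample_status "$EXPECTED_FPR" | signed_by_expected_key; then
    echo "sample status: accepted"
fi

# Real use on the IdP host, unpacking only after both checks pass:
#   a=/opt/install/shibboleth-identity-provider-5.x.x.tar.gz
#   verify_release "$a" && tar -xzf "$a" -C /opt/install
```

The same fingerprint appears in the "Accept this key" prompt of plugin.sh shown earlier, so it can be compared there by eye before answering y.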

Run the interactive installer:

/opt/install/shibboleth-identity-provider-5.x.x/bin/install.sh

For a standard installation, confirm the installation directory with Enter.

Output:

Installation Directory: [/opt/shibboleth-idp] ? 

INFO  - Update from version 5.1.3 to version 5.1.4
INFO  - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 5.1.4
INFO  - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
INFO  - Overlay from /opt/shibboleth-idp/dist/plugin-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO  - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO  - Creating war file /opt/shibboleth-idp/war/idp.war

Show available updates for the installed plugins and apply them if necessary:

/opt/shibboleth-idp/bin/plugin.sh -L
/opt/shibboleth-idp/bin/plugin.sh -u [Plugin-ID]

Check the log file for error or warning messages. Test a login at at least one SP and check the IdP log file.