idp 5 initial commit

docker · Aug 11, 2023 · c1a3591 · c1a3591
1 parent 1731116
commit c1a3591
Show file tree

Hide file tree

Showing 8 changed files with 98 additions and 22 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -5,12 +5,12 @@ FROM --platform=$TARGETPLATFORM rockylinux:8.6
 ########################
 #
 ##tomcat \
-ENV TOMCAT_MAJOR=9 \
-    TOMCAT_VERSION=9.0.76 \
+ENV TOMCAT_MAJOR=10 \
+    TOMCAT_VERSION=10.1.11 \
 ##shib-idp \
-    VERSION=4.3.1 \
+    VERSION=5.0.0-beta1 \
 ##TIER \
-    TIERVERSION=20230706_rocky8_multiarch \
+    TIERVERSION=20230810_rocky8_multiarch \
 #################### \
 #### OTHER VARS #### \
 #################### \
@@ -25,8 +25,12 @@ ENV TOMCAT_MAJOR=9 \
 ENV TOMCAT_TGZ_URL=https://archive.apache.org/dist/tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz \
     PATH=$CATALINA_HOME/bin:$JAVA_HOME/bin:$PATH \
 #shib-idp \
-    SHIB_RELDIR=http://shibboleth.net/downloads/identity-provider/$VERSION \
-    SHIB_PREFIX=shibboleth-identity-provider-$VERSION
+    SHIB_RELDIR=https://shibboleth.net/downloads/prerelease/identity-provider-$VERSION \
+# remove line above and uncomment line below for non-beta release
+#    SHIB_RELDIR=http://shibboleth.net/downloads/identity-provider/$VERSION \
+    SHIB_PREFIX=shibboleth-identity-provider-$VERSION \
+#below is only needed for beta
+    SHIB_PREFIX2=shibboleth-identity-provider-5.0.0-SNAPSHOT
 
 ENV ENV=dev \
     USERTOKEN=nothing
@@ -39,7 +43,7 @@ ENV ENABLE_SEALER_KEY_ROTATION=True
 LABEL Vendor="Internet2" \
       ImageType="Shibboleth IDP Release" \
       ImageName=$imagename \
-      ImageOS=centos7 \
+      ImageOS=RockyLinux8 \
       Version=$VERSION
 
 #########################
@@ -72,8 +76,8 @@ RUN update-ca-trust extract
 # Install Corretto Java JDK (from Amazon repo, more arch independent)
 RUN rpm --import https://yum.corretto.aws/corretto.key \
     && curl -L -o /etc/yum.repos.d/corretto.repo https://yum.corretto.aws/corretto.repo \
-    && yum install -y java-11-amazon-corretto-devel
-ENV JAVA_HOME=/usr/lib/jvm/java-11-amazon-corretto
+    && yum install -y java-17-amazon-corretto-devel
+ENV JAVA_HOME=/usr/lib/jvm/java-17-amazon-corretto
 
 # Copy IdP installer properties file(s)
 ADD container_files/idp/idp.installer.properties container_files/idp/idp.merge.properties container_files/idp/ldap.merge.properties /tmp/
@@ -90,10 +94,11 @@ RUN mkdir -p /tmp/shibboleth && cd /tmp/shibboleth && \
 # Unzip
     tar xf $SHIB_PREFIX.tar.gz && \
 # Install
-    cd /tmp/shibboleth/$SHIB_PREFIX && \
+    cd /tmp/shibboleth/$SHIB_PREFIX2 && \
+#    cd /tmp/shibboleth/$SHIB_PREFIX && \
 	./bin/install.sh \
-        -Didp.noprompt=true \
-	-Didp.property.file=/tmp/idp.installer.properties && \
+        --noPrompt true \
+	--propertyFile /tmp/idp.installer.properties && \
 # Cleanup
     cd ~ && \
     rm -rf /tmp/shibboleth
@@ -113,10 +118,15 @@ RUN mkdir -p $CATALINA_HOME/conf/Catalina \
 	&& rm -rf /usr/local/tomcat/webapps/* \
 	&& ln -s /opt/shibboleth-idp/war/idp.war $CATALINA_HOME/webapps/idp.war
 
-ADD container_files/tomcat/jstl-1.2.jar /usr/local/tomcat/lib/	
 ADD container_files/idp/idp.xml /usr/local/tomcat/conf/Catalina/idp.xml
 ADD container_files/tomcat/server.xml /usr/local/tomcat/conf/server.xml
 
+# add JSTL support
+## from https://repo1.maven.org/maven2/org/glassfish/web/jakarta.servlet.jsp.jstl/2.0.0/
+ADD container_files/tomcat/jakarta.servlet.jsp.jstl-2.0.0.jar /usr/local/tomcat/lib/
+## from https://repo1.maven.org/maven2/jakarta/servlet/jsp/jstl/jakarta.servlet.jsp.jstl-api/2.0.0/
+ADD container_files/tomcat/jakarta.servlet.jsp.jstl-api-2.0.0.jar /usr/local/tomcat/lib/
+
 #use log4j for tomcat logging
 ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.18.0/log4j-core-2.18.0.jar /usr/local/tomcat/bin/
 ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.18.0/log4j-api-2.18.0.jar /usr/local/tomcat/bin/
@@ -127,7 +137,19 @@ ADD container_files/tomcat/log4j2.xml /usr/local/tomcat/conf/
 ADD container_files/tomcat/setenv.sh /usr/local/tomcat/bin/
 RUN mkdir -p /usr/local/tomcat/webapps/ROOT
 ADD container_files/tomcat/robots.txt /usr/local/tomcat/webapps/ROOT
-ADD container_files/tomcat/keystore.jks /opt/certs/
+ADD container_files/tomcat/idp-default.key /opt/certs/
+ADD container_files/tomcat/idp-default.crt /opt/certs/
+
+# install needed IdP plugins
+#ARG truststore="/opt/shibboleth-idp/credentials/PGP_KEYS"
+#ARG plugin_args="--noPrompt --noRebuild --truststore ${truststore}"
+#RUN /bin/curl -Lo ${truststore} https://shibboleth.net/downloads/PGP_KEYS && \
+#    /opt/shibboleth-idp/bin/plugin.sh ${plugin_args} -I net.shibboleth.idp.plugin.nashorn
+####remove below and switch to above for non-beta release ######
+ARG truststore="/opt/shibboleth-idp/credentials/beta1-keys"
+ARG plugin_args="--noPrompt --noRebuild --noCheck --truststore ${truststore}"
+RUN /bin/curl -Lo ${truststore} https://shibboleth.net/downloads/prerelease/identity-provider-5.0.0-beta1/beta1-plugin-truststore.gpg && \
+    /opt/shibboleth-idp/bin/plugin.sh ${plugin_args} -i https://shibboleth.net/downloads/prerelease/identity-provider-5.0.0-beta1/shibboleth-idp-plugin-nashorn-jdk-2.0.0-beta1.tar.gz
 
 # Copy TIER helper scripts
 ADD container_files/idp/rotateSealerKey.sh /opt/shibboleth-idp/bin/rotateSealerKey.sh

diff --git a/container_files/tomcat/idp-default.crt b/container_files/tomcat/idp-default.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDczCCAlugAwIBAgIEc3Xh/jANBgkqhkiG9w0BAQsFADBqMQswCQYDVQQGEwJV
+UzELMAkGA1UECBMCVVMxETAPBgNVBAcTCEFueXdoZXJlMRQwEgYDVQQKEwtFeGFt
+cGxlIE9yZzELMAkGA1UECxMCSVQxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9yZzAe
+Fw0xODA2MTMxODE2NTZaFw0yODA2MTAxODE2NTZaMGoxCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIEwJVUzERMA8GA1UEBxMIQW55d2hlcmUxFDASBgNVBAoTC0V4YW1wbGUg
+T3JnMQswCQYDVQQLEwJJVDEYMBYGA1UEAxMPaWRwLmV4YW1wbGUub3JnMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAn29yHNKZZVM2dyA/MP8ItBnJiIHK
+Bj4HJA+x/+7d9Uw0VKNYWLBGd6eo48wZNUx/fSkamgsJnJJEcQ9ZB6Kh7Sr5Cv+j
+Kn+ttQ/xRBW/TOUInCi/+TE5tpHdqsc5jhvpDvJzyd4AjhWD98BRjnqO7Vdllh0h
+XY0eWwnURTC5RTjnTy8x0k8NGl+4/gICWcab10uOS6WziT/BiwWZiAFK+30aOzqv
+Qo9MLdP2iRNqhnXh21KCAEw/dm0iMOYa3c460cI5Wpz16BN0hBKJa2eLIsUz1Ei8
+e6d2bfgRsXSVuiwMG7/6kLcbqJSHMnLT2V17IzxpMMg4g2TV69MHAI0WfwIDAQAB
+oyEwHzAdBgNVHQ4EFgQUnUHUCeihIylq0vGUhtaZ3radUncwDQYJKoZIhvcNAQEL
+BQADggEBAJ47J4Q6Mgqt3TMyiwH0YTcL7KpFOTIX/BdaeG5c/QAuO+ASxxPeUSHd
+gy1GymRxrQp/9XXCjGRIVwSsgrZ0IZHhogIZCOTA+j+kri0TtZrhkKy6TCFimd1J
+JMmLmrT5uaEPAnL42jvet0rToPqx3gt9AdGbmWf+OyXT8pLMPRKvf6xTQSh1XJZH
+CXbNcMzEp7wq3Z3vDQZ498CM7mEb7y+2cF0iCKydHSL0VvqmjDicj2+4J6qKHBFW
+4cWkzmVmQTT8MEHYyq/Fif8ElE7PiRow3vhO7WEy7pfhcmrz3DPqRVDLk2AgmYBn
+rPigRnfDmz0Cc/zvxbd3UxfRATCNYcU=
+-----END CERTIFICATE-----
+
diff --git a/container_files/tomcat/idp-default.key b/container_files/tomcat/idp-default.key
@@ -0,0 +1,29 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCfb3Ic0pllUzZ3
+ID8w/wi0GcmIgcoGPgckD7H/7t31TDRUo1hYsEZ3p6jjzBk1TH99KRqaCwmckkRx
+D1kHoqHtKvkK/6Mqf621D/FEFb9M5QicKL/5MTm2kd2qxzmOG+kO8nPJ3gCOFYP3
+wFGOeo7tV2WWHSFdjR5bCdRFMLlFOOdPLzHSTw0aX7j+AgJZxpvXS45LpbOJP8GL
+BZmIAUr7fRo7Oq9Cj0wt0/aJE2qGdeHbUoIATD92bSIw5hrdzjrRwjlanPXoE3SE
+EolrZ4sixTPUSLx7p3Zt+BGxdJW6LAwbv/qQtxuolIcyctPZXXsjPGkwyDiDZNXr
+0wcAjRZ/AgMBAAECggEAI43/3audZ7o54DEBxpRpRXimt9lxyxiUEReq8086klRv
+KxzOO+D7pf1urXY7fOZVW/0JoKarew4nUytACHLdN32o0ioWIgkdHM60WCGdarF8
+zQ5NWW3/19YJn+cTz7wrqhipd7AZYZYsuthZl7N/IjCmR+axJSKuTVEQ1Gk8N9JR
+rY8CujwI8RRtVd1NQwFc+mEgjesCvqctoBBRUI5oP5uhwkbF9TLbs0nLZ9Q6EXpi
+LTViJA/q+/Qjl2Fi9V9291lMJfXEN5saNiFpYXGQtajEnzO30W7lTMi7IXHrSJpY
+BiLiPpGL6Rsk/aV/Cmk9kg7hTKGfW0c4m4U92LRsAQKBgQDMtWUA38K2izrkBKZU
+DjoV3QY0smA7V6RZtMuK9p4ntk23fE7SdcdJn6ILCUVl1V/TnFYRYIGbU4z/mBdb
+YHwfqtcp69GzQNXc4aJFghB0HGKmbomMZKddDVKZ6YyTZLiLDoMKLyyauuL0unGe
+b89CfqVK3KpqKQBkO0TMXibcfwKBgQDHYhf1VdobcJbNisRSGgl8DOgGSmc/KrCC
+AHobcc9xtS+kXP8Fa6ymwA4aw8G5RZ21IWiqrsjRk1zb23CXm/d9EjWZygUmAfgb
+ymHXJ9bQ1Vk/DDua/SbDHZf24C7VApac+1IOkjRwGflIL555ms5rLA2XlaniPFwA
+1kVNbiTGAQKBgQCfhryvcbDLkLTT/MuhtXSOlS/A4UEc/a+WOM5l/MpDKE5oLvc+
+C4rCVSRydUcflKiYv7xSzmIyKWo3xM5u50HTa89BXASPLHd9KljK0hEAax51lK6c
+OdQzL66vQtHKCzPFKgn0Zc7cxccX8DOaxIc/ynIFZPFoyYsEkSuMF9MxAQKBgAOW
+PS4ZtEnIFb5u36dGdqM3rDjov8DAKNq93XR+8KdwBgJj9eaIEFwTmm1a1jJaEUM/
+7Z0cddpnV0VRRk5D7Qjf+fzhSIRthqQhWO9A9TlejTN4Kd5Y7YiXELPNRqpoWINM
+diZy9OSLYxOsX6J6aXo+GaR/ecXrJhCRyj9hWuIBAoGAaOGaWVRmKISH8lf57SEV
+fZCuPA1cplMpToHYK/uXdLBZuMkeG89jSLBN8fXx86KfRuUXrBDXgGs5zHF0BS7u
+dvOtw+lGj3WhYcWg2D/9mUoiOQ9i9dSxDM/pg6BH65ZrhNlnBnjVrSyN2A4AjfRw
+NfRiVLTvQIYmTSq8H+NxFAc=
+-----END PRIVATE KEY-----
+
diff --git a/container_files/tomcat/jakarta.servlet.jsp.jstl-2.0.0.jar b/container_files/tomcat/jakarta.servlet.jsp.jstl-2.0.0.jar
diff --git a/container_files/tomcat/jakarta.servlet.jsp.jstl-api-2.0.0.jar b/container_files/tomcat/jakarta.servlet.jsp.jstl-api-2.0.0.jar
diff --git a/container_files/tomcat/jstl-1.2.jar b/container_files/tomcat/jstl-1.2.jar
diff --git a/container_files/tomcat/keystore.jks b/container_files/tomcat/keystore.jks
diff --git a/container_files/tomcat/server.xml b/container_files/tomcat/server.xml
@@ -5,20 +5,23 @@
 
   <Service name="Catalina">
 
-    <Connector
-        protocol="org.apache.coyote.http11.Http11NioProtocol"
-        port="443" maxThreads="200"
-        scheme="https" secure="true" SSLEnabled="true">
-      <SSLHostConfig
+    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
+               port="443" 
+               maxThreads="200"
+               scheme="https"
+               secure="true" 
+               SSLEnabled="true"
+               defaultSSLHostConfigName="IdP">
+      <SSLHostConfig hostName="IdP"
           ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
           disableSessionTickets="true"
           honorCipherOrder="false"
           protocols="TLSv1.2,TLSv1.3">
         <Certificate
-            certificateKeystoreFile="/opt/certs/keystore.jks" 
-            certificateKeystorePassword="password" />
+            certificateFile="/opt/certs/idp-default.crt" 
+	    certificateKeyFile="/opt/certs/idp-default.key" />
       </SSLHostConfig>
-      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
+      <!--<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />-->
     </Connector>
 
     <Engine name="Catalina" defaultHost="localhost">