Page tree
Skip to end of metadata
Go to start of metadata

Sets up the receiving end of AJP over NIO2 connection with Apache. 

For security reasons, Tomcat should open port 8009 only to localhost, and should reside on the same host as Apache.

This is the same Tomcat as the one installed when setting up Shrine, ideally version 9.0.52 as per SHRINE 4.0.0 Chapter 5 - Set up Apache Tomcat.

For security reasons, Tomcat should accept requests on port 8009, but only from localhost, and redirect to the SSL port 6443. Port 8009 and 6443 should not be reachable from outside the localhost, which is a change from the non-SSO Shrine installation where clients connect to port 6443. 

Verify that there already is a Connector listening to https requests on port 6443. It should look like this:

    <Connector port="6443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/opt/shrine/shrine.keystore"
               keystorePass="changeit"
               keyAlias="*.catalyst.harvard.edu"
    />

Configure the AJP connector. Note the allowedRequestAttributesPattern=".*" attribute. That is needed for the AJP connection to pass the attributes specified in "attribute-map.xml" file (see above) to the ServletRequest object as request attributes, and of the correct name (as opposed to request headers). See also SHRINE 4.0.0 Appendix A.3 - More Details : Shibboleth Configuration on the same topic.

The connector directive below should be merged into the existing Shrine's server.xml.

<Connector protocol="org.apache.coyote.ajp.AjpNio2Protocol" 
  packetSize="65536"
  proxyName="[your-hostname]"
  proxyPort="443"
  enableLookups="true"
  address="0.0.0.0"
  port="8009"
  allowedRequestAttributesPattern=".*"
  secretRequired="false"
  redirectPort="6443"
  tomcatAuthentication="false"/>

Next Step:

SHRINE 4.0.0 Appendix A.6 - More Details: SP Metadata



  • No labels