Versions Compared

...

Tomcat should accept requests on port 8009, but only from localhost, and redirect to the SSL port 6443. Ports 8009 and 6443 should not be reachable from outside the localhost, which is a change from the non-SSO Shrine installation, where clients connect directly to port 6443.

Configure port 6443 (set your own keystore):

    <Connector port="6443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
        <SSLHostConfig clientAuth="none" sslProtocol="TLS" sslEnabledProtocols="TLSv1.3,TLSv1.2"
               honorCipherOrder="true" ciphers="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,
               TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
               TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256">
            <Certificate certificateKeystoreFile="/opt/shrine/shrine.keystore"
                         certificateKeystorePassword="changeit"
                         certificateKeyAlias="*.catalyst.harvard.edu[your-certificate-alias, e.g *.domain-name]" />
        </SSLHostConfig>
    </Connector>

Configure the AJP connector. Note the allowedRequestAttributesPattern=".*" attribute. It is needed for the AJP connection to pass the attributes specified in the "attribute-map.xml" file (see above) through to the ServletRequest object as request attributes, under the correct names (as opposed to request headers). See also shibboleth2.xml on the same topic.

    <Connector protocol="org.apache.coyote.ajp.AjpNio2Protocol"
               packetSize="65536"
               proxyName="[your-hostname]"
               proxyPort="443"
               enableLookups="true"
               address="0.0.0.0"
               port="8009"
               allowedRequestAttributesPattern=".*"
               secretRequired="false"
               redirectPort="6443"
               tomcatAuthentication="false"/>
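The two connectors above are easy to get subtly wrong, and the AJP one in particular is only safe under the condition stated at the top of the page (8009 reachable from localhost only). The following script is an added example, not part of the Shrine documentation or of Tomcat: it parses a server.xml with the standard library and reports the settings a reviewer would check against this page, namely that 6443 is TLS 1.2/1.3 only and does not ship with the default keystore password, and that 8009 carries allowedRequestAttributesPattern, redirects to 6443, and, when it is bound to all interfaces with secretRequired="false", is flagged as depending on the host firewall. The embedded server.xml is a constructed sample that mirrors the page's configuration with placeholder hostnames; the function and message texts are this example's own.

```python
"""Audit the two Tomcat connectors described on this page (added example)."""
from __future__ import annotations

import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample mirroring the page's configuration; hostnames and alias are placeholders.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="6443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig clientAuth="none" sslProtocol="TLS" sslEnabledProtocols="TLSv1.3,TLSv1.2"
                     honorCipherOrder="true"
                     ciphers="TLS_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256">
        <Certificate certificateKeystoreFile="/opt/shrine/shrine.keystore"
                     certificateKeystorePassword="changeit"
                     certificateKeyAlias="*.example.org" />
      </SSLHostConfig>
    </Connector>
    <Connector protocol="org.apache.coyote.ajp.AjpNio2Protocol"
               packetSize="65536" proxyName="shrine.example.org" proxyPort="443"
               enableLookups="true" address="0.0.0.0" port="8009"
               allowedRequestAttributesPattern=".*" secretRequired="false"
               redirectPort="6443" tomcatAuthentication="false"/>
  </Service>
</Server>
"""


def audit_connectors(xml_text: str) -> list[str]:
    """Return a list of findings for the HTTPS (6443) and AJP (8009) connectors."""
    findings: list[str] = []
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        port = conn.get("port")
        proto = conn.get("protocol", "")
        if port == "6443":
            if conn.get("SSLEnabled") != "true" or conn.get("scheme") != "https":
                findings.append("6443: SSLEnabled=\"true\" and scheme=\"https\" must both be set")
            for host in conn.findall("SSLHostConfig"):
                protos = {p.strip() for p in host.get("sslEnabledProtocols", "").split(",") if p.strip()}
                legacy = protos - {"TLSv1.2", "TLSv1.3"}
                if legacy:
                    findings.append(f"6443: legacy protocols enabled: {sorted(legacy)}")
                for cert in host.findall("Certificate"):
                    if cert.get("certificateKeystorePassword") == "changeit":
                        findings.append("6443: keystore still uses the default password 'changeit'")
        elif "ajp" in proto.lower():
            if conn.get("allowedRequestAttributesPattern") is None:
                findings.append("8009: allowedRequestAttributesPattern missing; "
                                "attribute-map.xml attributes will not reach the ServletRequest")
            if conn.get("redirectPort") != "6443":
                findings.append("8009: redirectPort should be 6443")
            address = conn.get("address")
            if address not in LOOPBACK:
                # The page requires 8009 to be localhost-only; binding to 0.0.0.0 (or no
                # address) relies entirely on the host firewall to enforce that.
                findings.append(f"8009: bound to {address or 'all interfaces'} (not loopback); "
                                "host firewall must block external access")
            if conn.get("secretRequired", "true").lower() == "false":
                findings.append("8009: secretRequired=\"false\"; acceptable only while 8009 is "
                                "reachable solely from localhost")
    return findings


if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        print(finding)
```

Run it against a real server.xml by reading the file into `audit_connectors`; an empty list means every check on this page passed. The sample as written yields three findings (default keystore password, AJP bound to all interfaces, no AJP secret), which matches the page's own values and is why the "localhost only" requirement at the top of the page has to be enforced at the host level rather than assumed from the connector alone.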