
This is the same Tomcat as the one installed when setting up Shrine, namely Tomcat version 9.0.52.

Tomcat should accept requests on port 8009, but only from localhost, and redirect to the SSL port 6443. Neither port 8009 nor port 6443 should be reachable from outside localhost.

Configure port 6443 (substitute your own keystore):

    <Connector port="6443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
        <SSLHostConfig clientAuth="none" sslProtocol="TLS" sslEnabledProtocols="TLSv1.3,TLSv1.2"
               honorCipherOrder="true"
               ciphers="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256">
            <Certificate certificateKeystoreFile="/opt/shrine/shrine.keystore"
                         certificateKeystorePassword="changeit"
                         certificateKeyAlias="*.catalyst.harvard.edu" />
        </SSLHostConfig>
    </Connector>

Configure the AJP connector. Note the allowedRequestAttributesPattern=".*" attribute. It is required for the AJP connection to pass the attributes defined in the "attribute-map.xml" file (see above) through to the ServletRequest object as request attributes, under their correct names, rather than as request headers. See also shibboleth2.xml on the same topic. Because address="0.0.0.0" binds the AJP connector on every interface and secretRequired="false" disables the shared AJP secret, the "localhost only" requirement above must be enforced at the network level (for example, a host firewall rule on port 8009) unless you bind the connector to 127.0.0.1 instead.

    <Connector protocol="org.apache.coyote.ajp.AjpNio2Protocol"
               proxyName="shrine-sso-node01"
               enableLookups="true"
               address="0.0.0.0"
               allowedRequestAttributesPattern=".*"
               port="8009"
               secretRequired="false"
               redirectPort="6443" />
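The following checker is an added example, not part of the SHRINE documentation or code base: it parses a server.xml fragment and verifies the connector rules stated above (TLS 1.2/1.3 only on 6443, attribute pass-through and redirect on 8009, localhost-only binding, AJP secret). The embedded server.xml is a constructed sample with a placeholder keystore alias.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two connectors described on this page in a minimal server.xml skeleton.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="6443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig clientAuth="none" sslProtocol="TLS" sslEnabledProtocols="TLSv1.3,TLSv1.2"
                   honorCipherOrder="true" ciphers="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256">
      <Certificate certificateKeystoreFile="/opt/shrine/shrine.keystore"
                   certificateKeystorePassword="changeit" certificateKeyAlias="PLACEHOLDER-ALIAS" />
    </SSLHostConfig>
  </Connector>
  <Connector protocol="org.apache.coyote.ajp.AjpNio2Protocol" address="0.0.0.0"
             allowedRequestAttributesPattern=".*" port="8009" secretRequired="false"
             redirectPort="6443" />
</Service></Server>"""

ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def check_connectors(server_xml: str) -> list:
    """Return (severity, message) findings for the SSO connector rules on this page."""
    root = ET.fromstring(server_xml)
    by_port = {c.get("port"): c for c in root.iter("Connector")}
    tls, ajp = by_port.get("6443"), by_port.get("8009")
    if tls is None or ajp is None:
        return [("error", "expected Connectors on ports 6443 and 8009")]
    findings = []
    # TLS connector: must terminate TLS and offer only TLS 1.2/1.3.
    if tls.get("SSLEnabled") != "true" or tls.get("secure") != "true":
        findings.append(("error", "6443: SSLEnabled and secure must both be true"))
    for cfg in tls.iter("SSLHostConfig"):
        protos = {p.strip() for p in cfg.get("sslEnabledProtocols", "").split(",") if p.strip()}
        legacy = sorted(protos - ALLOWED_PROTOCOLS)
        if legacy or not protos:
            findings.append(("error", f"6443: legacy or unspecified protocols: {legacy}"))
        for cert in cfg.iter("Certificate"):
            if cert.get("certificateKeystorePassword") == "changeit":
                findings.append(("warn", "6443: keystore still uses the default password"))
    # AJP connector: pass the Shibboleth attributes through as request attributes.
    if ajp.get("allowedRequestAttributesPattern") != ".*":
        findings.append(("error", '8009: allowedRequestAttributesPattern must be ".*"'))
    # Both ports are meant to be localhost-only; flag an explicit non-loopback bind.
    for port, conn in (("6443", tls), ("8009", ajp)):
        addr = conn.get("address")
        if addr is not None and addr not in LOOPBACK:
            findings.append(("warn", f"{port}: bound to {addr}; firewall it or use address=127.0.0.1"))
    if ajp.get("secretRequired") == "false":
        findings.append(("warn", "8009: AJP secret disabled; acceptable only if 8009 is unreachable externally"))
    return findings
```

Run it against your real /opt/shrine/tomcat/conf/server.xml by passing the file contents to `check_connectors`; errors are misconfigurations, warnings are points that need a compensating control.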

/opt/shrine/tomcat/lib/shrine.conf, /opt/shrine/tomcat/lib/override.conf

Explaining shrine.conf and override.conf is beyond the scope of the present document. However, here are the changes you must make to them for SSO.

Option 1:

add the following element under the top-level "shrine" element in shrine.conf:

  queryEntryPoint {
    authenticationType = "sso"
  }

Option 2:

add the following line to override.conf:

shrine.queryEntryPoint.authenticationType = "sso"
