
docker-shibboleth-idp's People

Contributors

andrechrist, dima767, jtgasper3, rkettelerij

docker-shibboleth-idp's Issues

Default key version has not changed, still secret1

I ran idp-reset.sh during my initial setup.

I'm getting the following message in idp-process.log. I Googled for it, and it seems to happen to other Shibboleth IdP users. I haven't found any information regarding which keystore this pertains to, or how to make it go away.

I thought I would mention this here and I will post a question to the shib-users mail group.

[net.shibboleth.utilities.java.support.security.BasicKeystoreKeyStrategy:327] - Default key version has not changed, still secret1

Remove port 80 access

It doesn't make sense to have port 80... Shib is never directly accessed by a user, and users should be directed to port 443 when linked to.

keystore not found

Hello,

Thanks for a wonderful tool!

I am having a little trouble. When I run this:

docker build --tag="org_id/shibboleth-idp" github.com/jtgasper3/docker-shibboleth-idp

I get the following error.

((Was keystore renamed to keystore.pkf by the Jetty team? - see http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/jetty-server/src/main/config/etc - It looks like the URL needs to be changed to http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/tree/jetty-server/src/main/config/etc/keystore?h=jetty-9.2.x))

DOWNLOAD: http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/jetty-server/src/main/config/etc/keystore to etc/keystore
WARNING: ERROR: processing DownloadArg [uri=http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/jetty-server/src/main/config/etc/keystore, location=etc/keystore]
java.io.FileNotFoundException: http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/jetty-server/src/main/config/etc/keystore
java.io.FileNotFoundException: http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/jetty-server/src/main/config/etc/keystore
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at java.net.URL.openStream(Unknown Source)
at org.eclipse.jetty.start.Main.initFile(Main.java:203)
at org.eclipse.jetty.start.Main.buildIni(Main.java:517)
at org.eclipse.jetty.start.Main.buildIni(Main.java:550)
at org.eclipse.jetty.start.Main.start(Main.java:707)
at org.eclipse.jetty.start.Main.main(Main.java:112)

Usage: java -jar start.jar [options] [properties] [configs]
java -jar start.jar --help # for more information
INFO[0073] The command [/bin/sh -c set -x; jetty_version=9.2.10.v20150310; ... returned a non-zero code: 1

Unresponsive after reset_idp.sh - Exception in thread "main" java.io.FileNotFoundException: /opt/shibboleth-idp/credentials/idp-backchannel.jks (No such file or directory)

A note on the image name

If you follow the build instructions, the image name starts with org_id, not jtgasper3. This is just a small documentation bug. Here's how I started it:

docker run -dP --name="idp-test" -v ~/docker/shib-config:/external-mount org_id/shibboleth-idp

Docker VM's IP address

I am using Kitematic (OSX). In order to determine the IP address, I had to get the container to expose at least port 80 (so the 'view' button would work). The docker run command using -P didn't do this. So I deleted the container and started a new one.

docker run -d -p 80:80 -p 443:443 --name="idp-test" -v ~/docker/shib-config:/external-mount org_id/shibboleth-idp

If you're using boot2docker, run "boot2docker ip" to get the IP address.

https://docker_vm_ip_address/idp

Using localhost doesn't work. Must use ip address, at least on OSX.

You'll get something like:

Our Identity Provider
No services are available at this location.

Then I refreshed the Shibboleth IdP config:

docker exec -it idp-test reset-idp.sh

That's when things started going south.

docker restart idp-test

https://docker_vm_ip_address/idp

No response (timed out)

docker exec -it idp-test bash

In a log file under /opt/iam-jetty-base/logs, I see

Exception in thread "main" java.io.FileNotFoundException: /opt/shibboleth-idp/credentials/idp-backchannel.jks (No such file or directory)

The file is actually named idp-backchannel.p12

I can modify the files on my own but I thought others might run into this.
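
The mismatch reported above (the startup log names idp-backchannel.jks while the credentials directory holds idp-backchannel.p12) can be spotted mechanically. The bash functions below are an added example, not part of the issue report or the project's scripts; the function names and the demo directory tree are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: list files a Java process failed to open and point at
# same-named files with a different extension (e.g. .jks vs .p12).

# Print each distinct absolute path named in a FileNotFoundException line.
# Paths containing spaces are not handled.
missing_paths() {
    sed -n 's#.*java\.io\.FileNotFoundException: \(/[^ ]*\) (No such file or directory).*#\1#p' "$1" | sort -u
}

# Print files under "$root$dir" that share the missing file's stem.
# root lets the check run against a directory tree copied out of the container.
same_stem_candidates() {
    local root=$1 path=$2 dir base stem f
    dir=$(dirname "$path"); base=$(basename "$path"); stem=${base%.*}
    for f in "$root$dir/$stem".*; do
        if [ -e "$f" ] && [ "$(basename "$f")" != "$base" ]; then
            basename "$f"
        fi
    done
}

# Emit "missing path -> candidate" for every path the log says is absent.
report_mismatches() {
    local log=$1 root=$2 p c
    missing_paths "$log" | while IFS= read -r p; do
        if [ -e "$root$p" ]; then continue; fi   # file exists now, nothing to report
        same_stem_candidates "$root" "$p" | while IFS= read -r c; do
            printf '%s -> %s\n' "$p" "$c"
        done
    done
}

# Constructed demo: a temporary tree holding only the .p12 file, plus the
# log line quoted in the report.
demo() {
    local tmp
    tmp=$(mktemp -d)
    mkdir -p "$tmp/opt/shibboleth-idp/credentials"
    : > "$tmp/opt/shibboleth-idp/credentials/idp-backchannel.p12"
    printf '%s\n' 'Exception in thread "main" java.io.FileNotFoundException: /opt/shibboleth-idp/credentials/idp-backchannel.jks (No such file or directory)' > "$tmp/jetty.log"
    report_mismatches "$tmp/jetty.log" "$tmp"
    rm -rf "$tmp"
}

demo
```

Inside a running container the second argument to `report_mismatches` would be an empty string, so the paths from the log are checked as they stand.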

Latest docker build doesn't start

I get the following error while starting the docker image with the latest tag:

+ export JAVA_HOME=/opt/jre1.8.0_60
+ JAVA_HOME=/opt/jre1.8.0_60
+ export JETTY_HOME=/opt/jetty/
+ JETTY_HOME=/opt/jetty/
+ export JETTY_BASE=/opt/iam-jetty-base/
+ JETTY_BASE=/opt/iam-jetty-base/
+ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/jre1.8.0_60/bin:/opt/container-scripts:/opt/jre1.8.0_60/bin
+ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/jre1.8.0_60/bin:/opt/container-scripts:/opt/jre1.8.0_60/bin
+ sed -i 's/^-Xmx.*$/-Xmx512m/g' /opt/iam-jetty-base/start.ini
+ /etc/init.d/jetty run
/etc/init.d/jetty: line 326: which: command not found
Cannot find a Java JDK. Please set either set JAVA or put java (>=1.5) in your PATH.

jetty-ssl-context.xml file

I'm interested in using this Docker image for my production Shib IdP system and was just going through the Dockerfile and comparing it against the IdP installation instructions located at https://wiki.shibboleth.net/confluence/display/IDP30/Jetty93.

Just curious why you chose not to include the jetty-ssl-context.xml file? Is it simply to provide a workaround when using a PKCS12 keystore type?

Thanks!

How to enable logging

/opt/shibboleth-idp/logs is empty yet conf/logback.xml "out of the box" specifies INFO for the logs I'm interested in.

Of course, I see files in /opt/iam-jetty-base/logs but they are for Jetty instead of Shibboleth IdP.

Has anyone been able to get files to appear in /opt/shibboleth-idp/logs?

Thank you
