From eadb0ebe5eb0d1e5fcff88e8322f5e3a44d6c93f Mon Sep 17 00:00:00 2001
From: Johan Lundberg <lundberg@nordu.net>
Date: Thu, 9 Apr 2015 18:53:06 +0200
Subject: Added Jetty configuration and start command.

---
 jetty_conf/idp.xml         | 10 +++++++
 jetty_conf/jetty-https.xml | 66 ++++++++++++++++++++++++++++++++++++++++++++++
 jetty_conf/jetty-ssl.xml   | 64 ++++++++++++++++++++++++++++++++++++++++++++
 jetty_conf/ssl.mod         | 34 ++++++++++++++++++++++++
 jetty_conf/start.ini       | 28 ++++++++++++++++++++
 5 files changed, 202 insertions(+)
 create mode 100644 jetty_conf/idp.xml
 create mode 100644 jetty_conf/jetty-https.xml
 create mode 100644 jetty_conf/jetty-ssl.xml
 create mode 100644 jetty_conf/ssl.mod
 create mode 100644 jetty_conf/start.ini

(limited to 'jetty_conf')

diff --git a/jetty_conf/idp.xml b/jetty_conf/idp.xml
new file mode 100644
index 0000000..cdeed1e
--- /dev/null
+++ b/jetty_conf/idp.xml
@@ -0,0 +1,10 @@
+<Configure class="org.eclipse.jetty.webapp.WebAppContext">
+  <Set name="war">
+    <SystemProperty name="idp.home" />
+    /war/idp.war
+  </Set>
+  <Set name="contextPath">/idp</Set>
+  <Set name="extractWAR">false</Set>
+  <Set name="copyWebDir">false</Set>
+  <Set name="copyWebInf">true</Set>
+</Configure>
diff --git a/jetty_conf/jetty-https.xml b/jetty_conf/jetty-https.xml
new file mode 100644
index 0000000..8078f9b
--- /dev/null
+++ b/jetty_conf/jetty-https.xml
@@ -0,0 +1,66 @@
+<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd" >
+<!-- ============================================================= -->
+<!-- Configure HTTPS connectors.                              -->
+<!-- This configuration must be used in conjunction with jetty.xml -->
+<!-- and jetty-ssl.xml.                                       -->
+<!-- ============================================================= -->
+<Configure id="Server" class="org.eclipse.jetty.server.Server">
+  <!-- ============================================================= -->
+  <!-- Anonymous (no client TLS) HTTPS connector                -->
+  <!-- ============================================================= -->
+  <Call id="httpsConnector" name="addConnector">
+    <Arg>
+      <New class="org.eclipse.jetty.server.ServerConnector">
+        <Arg name="server">
+          <Ref refid="Server" />
+        </Arg>
+        <Arg name="acceptors" type="int">
+          <Property name="ssl.acceptors" default="-1" />
+        </Arg>
+        <Arg name="selectors" type="int">
+          <Property name="ssl.selectors" default="-1" />
+        </Arg>
+        <Arg name="factories">
+          <Array type="org.eclipse.jetty.server.ConnectionFactory">
+            <Item>
+              <New class="org.eclipse.jetty.server.SslConnectionFactory">
+                <Arg name="next">http/1.1</Arg>
+                <Arg name="sslContextFactory">
+                  <Ref refid="sslContextFactory" />
+                </Arg>
+              </New>
+            </Item>
+            <Item>
+              <New class="org.eclipse.jetty.server.HttpConnectionFactory">
+                <Arg name="config">
+                  <Ref refid="sslHttpConfig" />
+                </Arg>
+              </New>
+            </Item>
+          </Array>
+        </Arg>
+        <Set name="host">
+          <Property name="jetty.host" />
+        </Set>
+        <Set name="port">
+          <Property name="https.port" />
+        </Set>
+        <Set name="idleTimeout">
+          <Property name="https.timeout" default="30000" />
+        </Set>
+        <Set name="soLingerTime">
+          <Property name="https.soLingerTime" default="-1" />
+        </Set>
+        <Set name="acceptorPriorityDelta">
+          <Property name="ssl.acceptorPriorityDelta" default="0" />
+        </Set>
+        <Set name="selectorPriorityDelta">
+          <Property name="ssl.selectorPriorityDelta" default="0" />
+        </Set>
+        <Set name="acceptQueueSize">
+          <Property name="https.acceptQueueSize" default="0" />
+        </Set>
+      </New>
+    </Arg>
+  </Call>
+</Configure>
diff --git a/jetty_conf/jetty-ssl.xml b/jetty_conf/jetty-ssl.xml
new file mode 100644
index 0000000..b822ae5
--- /dev/null
+++ b/jetty_conf/jetty-ssl.xml
@@ -0,0 +1,64 @@
+<?xml version="1.0"?>
+<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd" >
+<Configure id="Server" class="org.eclipse.jetty.server.Server">
+  <!-- ============================================================= -->
+  <!-- TLS context factory without client auth                  -->
+  <!-- ============================================================= -->
+  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
+    <Set name="KeyStorePath">
+      <Property name="jetty.keystore" />
+    </Set>
+    <Set name="KeyStoreType">
+      <Property name="jetty.keystore.type" />
+    </Set>
+    <Set name="KeyStorePassword">
+      <Property name="jetty.keystore.password" />
+    </Set>
+    <Set name="EndpointIdentificationAlgorithm" />
+    <Set name="NeedClientAuth">false</Set>
+    <Set name="WantClientAuth">false</Set>
+    <Set name="excludeProtocols">
+      <Array type="String">
+        <Item>SSLv3</Item>
+      </Array>
+    </Set>
+    <Set name="IncludeCipherSuites">
+      <Array type="String">
+        <Item>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</Item>
+        <Item>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384</Item>
+        <Item>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</Item>
+        <Item>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</Item>
+        <Item>TLS_RSA_WITH_AES_128_GCM_SHA256</Item>
+        <Item>TLS_RSA_WITH_AES_256_GCM_SHA256</Item>
+        <Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256</Item>
+        <Item>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384</Item>
+        <Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</Item>
+        <Item>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</Item>
+        <Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</Item>
+        <Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384</Item>
+        <Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Item>
+        <Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Item>
+        <Item>TLS_RSA_WITH_AES_128_CBC_SHA256</Item>
+        <Item>TLS_RSA_WITH_AES_256_CBC_SHA384</Item>
+        <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
+        <Item>TLS_RSA_WITH_AES_256_CBC_SHA</Item>
+      </Array>
+    </Set>
+  </New>
+  <!-- =========================================================== -->
+  <!-- Create a TLS specific HttpConfiguration based on the   -->
+  <!-- common HttpConfiguration defined in jetty.xml          -->
+  <!-- Add a SecureRequestCustomizer to extract certificate and    -->
+  <!-- session information                                    -->
+  <!-- =========================================================== -->
+  <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
+    <Arg>
+      <Ref refid="httpConfig" />
+    </Arg>
+    <Call name="addCustomizer">
+      <Arg>
+        <New class="org.eclipse.jetty.server.SecureRequestCustomizer" />
+      </Arg>
+    </Call>
+  </New>
+</Configure>
diff --git a/jetty_conf/ssl.mod b/jetty_conf/ssl.mod
new file mode 100644
index 0000000..77ceb76
--- /dev/null
+++ b/jetty_conf/ssl.mod
@@ -0,0 +1,34 @@
+#
+# SSL Keystore module
+#
+
+[depend]
+server
+
+[xml]
+etc/jetty-ssl.xml
+
+[ini-template]
+### SSL Keystore Configuration
+# define the port to use for secure redirection
+jetty.secure.port=8443
+
+## Setup a demonstration keystore and truststore
+jetty.keystore=/opt/shibboleth-idp/credentials/idp-browser.p12
+
+## Set the demonstration passwords.
+## Note that OBF passwords are not secure, just protected from casual observation
+## See http://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html
+jetty.keystore.password=
+
+### Set the client auth behavior
+## Set to true if client certificate authentication is required
+# jetty.ssl.needClientAuth=true
+## Set to true if client certificate authentication is desired
+# jetty.ssl.wantClientAuth=true
+
+## Parameters to control the number and priority of acceptors and selectors
+# ssl.selectors=1
+# ssl.acceptors=1
+# ssl.selectorPriorityDelta=0
+# ssl.acceptorPriorityDelta=0
diff --git a/jetty_conf/start.ini b/jetty_conf/start.ini
new file mode 100644
index 0000000..460dd32
--- /dev/null
+++ b/jetty_conf/start.ini
@@ -0,0 +1,28 @@
+# Required Jetty modules
+--module=server
+--module=deploy
+--module=annotations
+--module=resources
+--module=logging
+--module=requestlog
+--module=https
+--module=ssl
+--module=servlets
+--module=jsp
+--module=jstl
+--module=ext
+--module=plus
+
+# Allows setting Java system properties (-Dname=value)
+# and JVM flags (-X, -XX) in this file
+# NOTE: spawns child Java process
+--exec
+
+# IDP home
+-Didp.home=/opt/shibboleth-idp
+
+# Maximum amount of memory that Jetty may use, at least 512M is recommended
+-Xmx512m
+# Maximum amount of memory allowed for the JVM permanent generation
+-XX:MaxPermSize=128m
+
-- 
cgit v1.1